pkits-test.pl 33 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940
  1. # test/pkits-test.pl
  2. # Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  3. # project.
  4. #
  5. # ====================================================================
  6. # Copyright (c) 2008 The OpenSSL Project. All rights reserved.
  7. #
  8. # Redistribution and use in source and binary forms, with or without
  9. # modification, are permitted provided that the following conditions
  10. # are met:
  11. #
  12. # 1. Redistributions of source code must retain the above copyright
  13. # notice, this list of conditions and the following disclaimer.
  14. #
  15. # 2. Redistributions in binary form must reproduce the above copyright
  16. # notice, this list of conditions and the following disclaimer in
  17. # the documentation and/or other materials provided with the
  18. # distribution.
  19. #
  20. # 3. All advertising materials mentioning features or use of this
  21. # software must display the following acknowledgment:
  22. # "This product includes software developed by the OpenSSL Project
  23. # for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24. #
  25. # 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26. # endorse or promote products derived from this software without
  27. # prior written permission. For written permission, please contact
  28. # licensing@OpenSSL.org.
  29. #
  30. # 5. Products derived from this software may not be called "OpenSSL"
  31. # nor may "OpenSSL" appear in their names without prior written
  32. # permission of the OpenSSL Project.
  33. #
  34. # 6. Redistributions of any form whatsoever must retain the following
  35. # acknowledgment:
  36. # "This product includes software developed by the OpenSSL Project
  37. # for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38. #
  39. # THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40. # EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41. # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42. # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43. # ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44. # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45. # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46. # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47. # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48. # STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49. # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50. # OF THE POSSIBILITY OF SUCH DAMAGE.
  51. # ====================================================================
  52. # Perl utility to run PKITS tests for RFC3280 compliance.
  53. my $ossl_path;
  54. if ( -f "../apps/openssl" ) {
  55. $ossl_path = "../util/shlib_wrap.sh ../apps/openssl";
  56. }
  57. elsif ( -f "..\\out32dll\\openssl.exe" ) {
  58. $ossl_path = "..\\out32dll\\openssl.exe";
  59. }
  60. elsif ( -f "..\\out32\\openssl.exe" ) {
  61. $ossl_path = "..\\out32\\openssl.exe";
  62. }
  63. else {
  64. die "Can't find OpenSSL executable";
  65. }
  66. my $pkitsdir = "pkits/smime";
  67. my $pkitsta = "pkits/certs/TrustAnchorRootCertificate.crt";
  68. die "Can't find PKITS test data" if !-d $pkitsdir;
  69. my $nist1 = "2.16.840.1.101.3.2.1.48.1";
  70. my $nist2 = "2.16.840.1.101.3.2.1.48.2";
  71. my $nist3 = "2.16.840.1.101.3.2.1.48.3";
  72. my $nist4 = "2.16.840.1.101.3.2.1.48.4";
  73. my $nist5 = "2.16.840.1.101.3.2.1.48.5";
  74. my $nist6 = "2.16.840.1.101.3.2.1.48.6";
  75. my $apolicy = "X509v3 Any Policy";
  76. # This table contains the chapter headings of the accompanying PKITS
  77. # document. They provide useful informational output and their names
  78. # can be converted into the filename to test.
  79. my @testlists = (
  80. [ "4.1", "Signature Verification" ],
  81. [ "4.1.1", "Valid Signatures Test1", 0 ],
  82. [ "4.1.2", "Invalid CA Signature Test2", 7 ],
  83. [ "4.1.3", "Invalid EE Signature Test3", 7 ],
  84. [ "4.1.4", "Valid DSA Signatures Test4", 0 ],
  85. [ "4.1.5", "Valid DSA Parameter Inheritance Test5", 0 ],
  86. [ "4.1.6", "Invalid DSA Signature Test6", 7 ],
  87. [ "4.2", "Validity Periods" ],
  88. [ "4.2.1", "Invalid CA notBefore Date Test1", 9 ],
  89. [ "4.2.2", "Invalid EE notBefore Date Test2", 9 ],
  90. [ "4.2.3", "Valid pre2000 UTC notBefore Date Test3", 0 ],
  91. [ "4.2.4", "Valid GeneralizedTime notBefore Date Test4", 0 ],
  92. [ "4.2.5", "Invalid CA notAfter Date Test5", 10 ],
  93. [ "4.2.6", "Invalid EE notAfter Date Test6", 10 ],
  94. [ "4.2.7", "Invalid pre2000 UTC EE notAfter Date Test7", 10 ],
  95. [ "4.2.8", "Valid GeneralizedTime notAfter Date Test8", 0 ],
  96. [ "4.3", "Verifying Name Chaining" ],
  97. [ "4.3.1", "Invalid Name Chaining EE Test1", 20 ],
  98. [ "4.3.2", "Invalid Name Chaining Order Test2", 20 ],
  99. [ "4.3.3", "Valid Name Chaining Whitespace Test3", 0 ],
  100. [ "4.3.4", "Valid Name Chaining Whitespace Test4", 0 ],
  101. [ "4.3.5", "Valid Name Chaining Capitalization Test5", 0 ],
  102. [ "4.3.6", "Valid Name Chaining UIDs Test6", 0 ],
  103. [ "4.3.7", "Valid RFC3280 Mandatory Attribute Types Test7", 0 ],
  104. [ "4.3.8", "Valid RFC3280 Optional Attribute Types Test8", 0 ],
  105. [ "4.3.9", "Valid UTF8String Encoded Names Test9", 0 ],
  106. [ "4.3.10", "Valid Rollover from PrintableString to UTF8String Test10", 0 ],
  107. [ "4.3.11", "Valid UTF8String Case Insensitive Match Test11", 0 ],
  108. [ "4.4", "Basic Certificate Revocation Tests" ],
  109. [ "4.4.1", "Missing CRL Test1", 3 ],
  110. [ "4.4.2", "Invalid Revoked CA Test2", 23 ],
  111. [ "4.4.3", "Invalid Revoked EE Test3", 23 ],
  112. [ "4.4.4", "Invalid Bad CRL Signature Test4", 8 ],
  113. [ "4.4.5", "Invalid Bad CRL Issuer Name Test5", 3 ],
  114. [ "4.4.6", "Invalid Wrong CRL Test6", 3 ],
  115. [ "4.4.7", "Valid Two CRLs Test7", 0 ],
  116. # The test document suggests these should return certificate revoked...
  117. # Subsquent discussion has concluded they should not due to unhandle
  118. # critical CRL extensions.
  119. [ "4.4.8", "Invalid Unknown CRL Entry Extension Test8", 36 ],
  120. [ "4.4.9", "Invalid Unknown CRL Extension Test9", 36 ],
  121. [ "4.4.10", "Invalid Unknown CRL Extension Test10", 36 ],
  122. [ "4.4.11", "Invalid Old CRL nextUpdate Test11", 12 ],
  123. [ "4.4.12", "Invalid pre2000 CRL nextUpdate Test12", 12 ],
  124. [ "4.4.13", "Valid GeneralizedTime CRL nextUpdate Test13", 0 ],
  125. [ "4.4.14", "Valid Negative Serial Number Test14", 0 ],
  126. [ "4.4.15", "Invalid Negative Serial Number Test15", 23 ],
  127. [ "4.4.16", "Valid Long Serial Number Test16", 0 ],
  128. [ "4.4.17", "Valid Long Serial Number Test17", 0 ],
  129. [ "4.4.18", "Invalid Long Serial Number Test18", 23 ],
  130. [ "4.4.19", "Valid Separate Certificate and CRL Keys Test19", 0 ],
  131. [ "4.4.20", "Invalid Separate Certificate and CRL Keys Test20", 23 ],
  132. # CRL path is revoked so get a CRL path validation error
  133. [ "4.4.21", "Invalid Separate Certificate and CRL Keys Test21", 54 ],
  134. [ "4.5", "Verifying Paths with Self-Issued Certificates" ],
  135. [ "4.5.1", "Valid Basic Self-Issued Old With New Test1", 0 ],
  136. [ "4.5.2", "Invalid Basic Self-Issued Old With New Test2", 23 ],
  137. [ "4.5.3", "Valid Basic Self-Issued New With Old Test3", 0 ],
  138. [ "4.5.4", "Valid Basic Self-Issued New With Old Test4", 0 ],
  139. [ "4.5.5", "Invalid Basic Self-Issued New With Old Test5", 23 ],
  140. [ "4.5.6", "Valid Basic Self-Issued CRL Signing Key Test6", 0 ],
  141. [ "4.5.7", "Invalid Basic Self-Issued CRL Signing Key Test7", 23 ],
  142. [ "4.5.8", "Invalid Basic Self-Issued CRL Signing Key Test8", 20 ],
  143. [ "4.6", "Verifying Basic Constraints" ],
  144. [ "4.6.1", "Invalid Missing basicConstraints Test1", 24 ],
  145. [ "4.6.2", "Invalid cA False Test2", 24 ],
  146. [ "4.6.3", "Invalid cA False Test3", 24 ],
  147. [ "4.6.4", "Valid basicConstraints Not Critical Test4", 0 ],
  148. [ "4.6.5", "Invalid pathLenConstraint Test5", 25 ],
  149. [ "4.6.6", "Invalid pathLenConstraint Test6", 25 ],
  150. [ "4.6.7", "Valid pathLenConstraint Test7", 0 ],
  151. [ "4.6.8", "Valid pathLenConstraint Test8", 0 ],
  152. [ "4.6.9", "Invalid pathLenConstraint Test9", 25 ],
  153. [ "4.6.10", "Invalid pathLenConstraint Test10", 25 ],
  154. [ "4.6.11", "Invalid pathLenConstraint Test11", 25 ],
  155. [ "4.6.12", "Invalid pathLenConstraint Test12", 25 ],
  156. [ "4.6.13", "Valid pathLenConstraint Test13", 0 ],
  157. [ "4.6.14", "Valid pathLenConstraint Test14", 0 ],
  158. [ "4.6.15", "Valid Self-Issued pathLenConstraint Test15", 0 ],
  159. [ "4.6.16", "Invalid Self-Issued pathLenConstraint Test16", 25 ],
  160. [ "4.6.17", "Valid Self-Issued pathLenConstraint Test17", 0 ],
  161. [ "4.7", "Key Usage" ],
  162. [ "4.7.1", "Invalid keyUsage Critical keyCertSign False Test1", 20 ],
  163. [ "4.7.2", "Invalid keyUsage Not Critical keyCertSign False Test2", 20 ],
  164. [ "4.7.3", "Valid keyUsage Not Critical Test3", 0 ],
  165. [ "4.7.4", "Invalid keyUsage Critical cRLSign False Test4", 35 ],
  166. [ "4.7.5", "Invalid keyUsage Not Critical cRLSign False Test5", 35 ],
  167. # Certificate policy tests need special handling. They can have several
  168. # sub tests and we need to check the outputs are correct.
  169. [ "4.8", "Certificate Policies" ],
  170. [
  171. "4.8.1.1",
  172. "All Certificates Same Policy Test1",
  173. "-policy anyPolicy -explicit_policy",
  174. "True", $nist1, $nist1, 0
  175. ],
  176. [
  177. "4.8.1.2",
  178. "All Certificates Same Policy Test1",
  179. "-policy $nist1 -explicit_policy",
  180. "True", $nist1, $nist1, 0
  181. ],
  182. [
  183. "4.8.1.3",
  184. "All Certificates Same Policy Test1",
  185. "-policy $nist2 -explicit_policy",
  186. "True", $nist1, "<empty>", 43
  187. ],
  188. [
  189. "4.8.1.4",
  190. "All Certificates Same Policy Test1",
  191. "-policy $nist1 -policy $nist2 -explicit_policy",
  192. "True", $nist1, $nist1, 0
  193. ],
  194. [
  195. "4.8.2.1",
  196. "All Certificates No Policies Test2",
  197. "-policy anyPolicy",
  198. "False", "<empty>", "<empty>", 0
  199. ],
  200. [
  201. "4.8.2.2",
  202. "All Certificates No Policies Test2",
  203. "-policy anyPolicy -explicit_policy",
  204. "True", "<empty>", "<empty>", 43
  205. ],
  206. [
  207. "4.8.3.1",
  208. "Different Policies Test3",
  209. "-policy anyPolicy",
  210. "False", "<empty>", "<empty>", 0
  211. ],
  212. [
  213. "4.8.3.2",
  214. "Different Policies Test3",
  215. "-policy anyPolicy -explicit_policy",
  216. "True", "<empty>", "<empty>", 43
  217. ],
  218. [
  219. "4.8.3.3",
  220. "Different Policies Test3",
  221. "-policy $nist1 -policy $nist2 -explicit_policy",
  222. "True", "<empty>", "<empty>", 43
  223. ],
  224. [
  225. "4.8.4",
  226. "Different Policies Test4",
  227. "-policy anyPolicy",
  228. "True", "<empty>", "<empty>", 43
  229. ],
  230. [
  231. "4.8.5",
  232. "Different Policies Test5",
  233. "-policy anyPolicy",
  234. "True", "<empty>", "<empty>", 43
  235. ],
  236. [
  237. "4.8.6.1",
  238. "Overlapping Policies Test6",
  239. "-policy anyPolicy",
  240. "True", $nist1, $nist1, 0
  241. ],
  242. [
  243. "4.8.6.2",
  244. "Overlapping Policies Test6",
  245. "-policy $nist1",
  246. "True", $nist1, $nist1, 0
  247. ],
  248. [
  249. "4.8.6.3",
  250. "Overlapping Policies Test6",
  251. "-policy $nist2",
  252. "True", $nist1, "<empty>", 43
  253. ],
  254. [
  255. "4.8.7",
  256. "Different Policies Test7",
  257. "-policy anyPolicy",
  258. "True", "<empty>", "<empty>", 43
  259. ],
  260. [
  261. "4.8.8",
  262. "Different Policies Test8",
  263. "-policy anyPolicy",
  264. "True", "<empty>", "<empty>", 43
  265. ],
  266. [
  267. "4.8.9",
  268. "Different Policies Test9",
  269. "-policy anyPolicy",
  270. "True", "<empty>", "<empty>", 43
  271. ],
  272. [
  273. "4.8.10.1",
  274. "All Certificates Same Policies Test10",
  275. "-policy $nist1",
  276. "True", "$nist1:$nist2", "$nist1", 0
  277. ],
  278. [
  279. "4.8.10.2",
  280. "All Certificates Same Policies Test10",
  281. "-policy $nist2",
  282. "True", "$nist1:$nist2", "$nist2", 0
  283. ],
  284. [
  285. "4.8.10.3",
  286. "All Certificates Same Policies Test10",
  287. "-policy anyPolicy",
  288. "True", "$nist1:$nist2", "$nist1:$nist2", 0
  289. ],
  290. [
  291. "4.8.11.1",
  292. "All Certificates AnyPolicy Test11",
  293. "-policy anyPolicy",
  294. "True", "$apolicy", "$apolicy", 0
  295. ],
  296. [
  297. "4.8.11.2",
  298. "All Certificates AnyPolicy Test11",
  299. "-policy $nist1",
  300. "True", "$apolicy", "$nist1", 0
  301. ],
  302. [
  303. "4.8.12",
  304. "Different Policies Test12",
  305. "-policy anyPolicy",
  306. "True", "<empty>", "<empty>", 43
  307. ],
  308. [
  309. "4.8.13.1",
  310. "All Certificates Same Policies Test13",
  311. "-policy $nist1",
  312. "True", "$nist1:$nist2:$nist3", "$nist1", 0
  313. ],
  314. [
  315. "4.8.13.2",
  316. "All Certificates Same Policies Test13",
  317. "-policy $nist2",
  318. "True", "$nist1:$nist2:$nist3", "$nist2", 0
  319. ],
  320. [
  321. "4.8.13.3",
  322. "All Certificates Same Policies Test13",
  323. "-policy $nist3",
  324. "True", "$nist1:$nist2:$nist3", "$nist3", 0
  325. ],
  326. [
  327. "4.8.14.1", "AnyPolicy Test14",
  328. "-policy $nist1", "True",
  329. "$nist1", "$nist1",
  330. 0
  331. ],
  332. [
  333. "4.8.14.2", "AnyPolicy Test14",
  334. "-policy $nist2", "True",
  335. "$nist1", "<empty>",
  336. 43
  337. ],
  338. [
  339. "4.8.15",
  340. "User Notice Qualifier Test15",
  341. "-policy anyPolicy",
  342. "False", "$nist1", "$nist1", 0
  343. ],
  344. [
  345. "4.8.16",
  346. "User Notice Qualifier Test16",
  347. "-policy anyPolicy",
  348. "False", "$nist1", "$nist1", 0
  349. ],
  350. [
  351. "4.8.17",
  352. "User Notice Qualifier Test17",
  353. "-policy anyPolicy",
  354. "False", "$nist1", "$nist1", 0
  355. ],
  356. [
  357. "4.8.18.1",
  358. "User Notice Qualifier Test18",
  359. "-policy $nist1",
  360. "True", "$nist1:$nist2", "$nist1", 0
  361. ],
  362. [
  363. "4.8.18.2",
  364. "User Notice Qualifier Test18",
  365. "-policy $nist2",
  366. "True", "$nist1:$nist2", "$nist2", 0
  367. ],
  368. [
  369. "4.8.19",
  370. "User Notice Qualifier Test19",
  371. "-policy anyPolicy",
  372. "False", "$nist1", "$nist1", 0
  373. ],
  374. [
  375. "4.8.20",
  376. "CPS Pointer Qualifier Test20",
  377. "-policy anyPolicy -explicit_policy",
  378. "True", "$nist1", "$nist1", 0
  379. ],
  380. [ "4.9", "Require Explicit Policy" ],
  381. [
  382. "4.9.1",
  383. "Valid RequireExplicitPolicy Test1",
  384. "-policy anyPolicy",
  385. "False", "<empty>", "<empty>", 0
  386. ],
  387. [
  388. "4.9.2",
  389. "Valid RequireExplicitPolicy Test2",
  390. "-policy anyPolicy",
  391. "False", "<empty>", "<empty>", 0
  392. ],
  393. [
  394. "4.9.3",
  395. "Invalid RequireExplicitPolicy Test3",
  396. "-policy anyPolicy",
  397. "True", "<empty>", "<empty>", 43
  398. ],
  399. [
  400. "4.9.4",
  401. "Valid RequireExplicitPolicy Test4",
  402. "-policy anyPolicy",
  403. "True", "$nist1", "$nist1", 0
  404. ],
  405. [
  406. "4.9.5",
  407. "Invalid RequireExplicitPolicy Test5",
  408. "-policy anyPolicy",
  409. "True", "<empty>", "<empty>", 43
  410. ],
  411. [
  412. "4.9.6",
  413. "Valid Self-Issued requireExplicitPolicy Test6",
  414. "-policy anyPolicy",
  415. "False", "<empty>", "<empty>", 0
  416. ],
  417. [
  418. "4.9.7",
  419. "Invalid Self-Issued requireExplicitPolicy Test7",
  420. "-policy anyPolicy",
  421. "True", "<empty>", "<empty>", 43
  422. ],
  423. [
  424. "4.9.8",
  425. "Invalid Self-Issued requireExplicitPolicy Test8",
  426. "-policy anyPolicy",
  427. "True", "<empty>", "<empty>", 43
  428. ],
  429. [ "4.10", "Policy Mappings" ],
  430. [
  431. "4.10.1.1",
  432. "Valid Policy Mapping Test1",
  433. "-policy $nist1",
  434. "True", "$nist1", "$nist1", 0
  435. ],
  436. [
  437. "4.10.1.2",
  438. "Valid Policy Mapping Test1",
  439. "-policy $nist2",
  440. "True", "$nist1", "<empty>", 43
  441. ],
  442. [
  443. "4.10.1.3",
  444. "Valid Policy Mapping Test1",
  445. "-policy anyPolicy -inhibit_map",
  446. "True", "<empty>", "<empty>", 43
  447. ],
  448. [
  449. "4.10.2.1",
  450. "Invalid Policy Mapping Test2",
  451. "-policy anyPolicy",
  452. "True", "<empty>", "<empty>", 43
  453. ],
  454. [
  455. "4.10.2.2",
  456. "Invalid Policy Mapping Test2",
  457. "-policy anyPolicy -inhibit_map",
  458. "True", "<empty>", "<empty>", 43
  459. ],
  460. [
  461. "4.10.3.1",
  462. "Valid Policy Mapping Test3",
  463. "-policy $nist1",
  464. "True", "$nist2", "<empty>", 43
  465. ],
  466. [
  467. "4.10.3.2",
  468. "Valid Policy Mapping Test3",
  469. "-policy $nist2",
  470. "True", "$nist2", "$nist2", 0
  471. ],
  472. [
  473. "4.10.4",
  474. "Invalid Policy Mapping Test4",
  475. "-policy anyPolicy",
  476. "True", "<empty>", "<empty>", 43
  477. ],
  478. [
  479. "4.10.5.1",
  480. "Valid Policy Mapping Test5",
  481. "-policy $nist1",
  482. "True", "$nist1", "$nist1", 0
  483. ],
  484. [
  485. "4.10.5.2",
  486. "Valid Policy Mapping Test5",
  487. "-policy $nist6",
  488. "True", "$nist1", "<empty>", 43
  489. ],
  490. [
  491. "4.10.6.1",
  492. "Valid Policy Mapping Test6",
  493. "-policy $nist1",
  494. "True", "$nist1", "$nist1", 0
  495. ],
  496. [
  497. "4.10.6.2",
  498. "Valid Policy Mapping Test6",
  499. "-policy $nist6",
  500. "True", "$nist1", "<empty>", 43
  501. ],
  502. [ "4.10.7", "Invalid Mapping From anyPolicy Test7", 42 ],
  503. [ "4.10.8", "Invalid Mapping To anyPolicy Test8", 42 ],
  504. [
  505. "4.10.9",
  506. "Valid Policy Mapping Test9",
  507. "-policy anyPolicy",
  508. "True", "$nist1", "$nist1", 0
  509. ],
  510. [
  511. "4.10.10",
  512. "Invalid Policy Mapping Test10",
  513. "-policy anyPolicy",
  514. "True", "<empty>", "<empty>", 43
  515. ],
  516. [
  517. "4.10.11",
  518. "Valid Policy Mapping Test11",
  519. "-policy anyPolicy",
  520. "True", "$nist1", "$nist1", 0
  521. ],
  522. # TODO: check notice display
  523. [
  524. "4.10.12.1",
  525. "Valid Policy Mapping Test12",
  526. "-policy $nist1",
  527. "True", "$nist1:$nist2", "$nist1", 0
  528. ],
  529. # TODO: check notice display
  530. [
  531. "4.10.12.2",
  532. "Valid Policy Mapping Test12",
  533. "-policy $nist2",
  534. "True", "$nist1:$nist2", "$nist2", 0
  535. ],
  536. [
  537. "4.10.13",
  538. "Valid Policy Mapping Test13",
  539. "-policy anyPolicy",
  540. "True", "$nist1", "$nist1", 0
  541. ],
  542. # TODO: check notice display
  543. [
  544. "4.10.14",
  545. "Valid Policy Mapping Test14",
  546. "-policy anyPolicy",
  547. "True", "$nist1", "$nist1", 0
  548. ],
  549. [ "4.11", "Inhibit Policy Mapping" ],
  550. [
  551. "4.11.1",
  552. "Invalid inhibitPolicyMapping Test1",
  553. "-policy anyPolicy",
  554. "True", "<empty>", "<empty>", 43
  555. ],
  556. [
  557. "4.11.2",
  558. "Valid inhibitPolicyMapping Test2",
  559. "-policy anyPolicy",
  560. "True", "$nist1", "$nist1", 0
  561. ],
  562. [
  563. "4.11.3",
  564. "Invalid inhibitPolicyMapping Test3",
  565. "-policy anyPolicy",
  566. "True", "<empty>", "<empty>", 43
  567. ],
  568. [
  569. "4.11.4",
  570. "Valid inhibitPolicyMapping Test4",
  571. "-policy anyPolicy",
  572. "True", "$nist2", "$nist2", 0
  573. ],
  574. [
  575. "4.11.5",
  576. "Invalid inhibitPolicyMapping Test5",
  577. "-policy anyPolicy",
  578. "True", "<empty>", "<empty>", 43
  579. ],
  580. [
  581. "4.11.6",
  582. "Invalid inhibitPolicyMapping Test6",
  583. "-policy anyPolicy",
  584. "True", "<empty>", "<empty>", 43
  585. ],
  586. [
  587. "4.11.7",
  588. "Valid Self-Issued inhibitPolicyMapping Test7",
  589. "-policy anyPolicy",
  590. "True", "$nist1", "$nist1", 0
  591. ],
  592. [
  593. "4.11.8",
  594. "Invalid Self-Issued inhibitPolicyMapping Test8",
  595. "-policy anyPolicy",
  596. "True", "<empty>", "<empty>", 43
  597. ],
  598. [
  599. "4.11.9",
  600. "Invalid Self-Issued inhibitPolicyMapping Test9",
  601. "-policy anyPolicy",
  602. "True", "<empty>", "<empty>", 43
  603. ],
  604. [
  605. "4.11.10",
  606. "Invalid Self-Issued inhibitPolicyMapping Test10",
  607. "-policy anyPolicy",
  608. "True", "<empty>", "<empty>", 43
  609. ],
  610. [
  611. "4.11.11",
  612. "Invalid Self-Issued inhibitPolicyMapping Test11",
  613. "-policy anyPolicy",
  614. "True", "<empty>", "<empty>", 43
  615. ],
  616. [ "4.12", "Inhibit Any Policy" ],
  617. [
  618. "4.12.1",
  619. "Invalid inhibitAnyPolicy Test1",
  620. "-policy anyPolicy",
  621. "True", "<empty>", "<empty>", 43
  622. ],
  623. [
  624. "4.12.2",
  625. "Valid inhibitAnyPolicy Test2",
  626. "-policy anyPolicy",
  627. "True", "$nist1", "$nist1", 0
  628. ],
  629. [
  630. "4.12.3.1",
  631. "inhibitAnyPolicy Test3",
  632. "-policy anyPolicy",
  633. "True", "$nist1", "$nist1", 0
  634. ],
  635. [
  636. "4.12.3.2",
  637. "inhibitAnyPolicy Test3",
  638. "-policy anyPolicy -inhibit_any",
  639. "True", "<empty>", "<empty>", 43
  640. ],
  641. [
  642. "4.12.4",
  643. "Invalid inhibitAnyPolicy Test4",
  644. "-policy anyPolicy",
  645. "True", "<empty>", "<empty>", 43
  646. ],
  647. [
  648. "4.12.5",
  649. "Invalid inhibitAnyPolicy Test5",
  650. "-policy anyPolicy",
  651. "True", "<empty>", "<empty>", 43
  652. ],
  653. [
  654. "4.12.6",
  655. "Invalid inhibitAnyPolicy Test6",
  656. "-policy anyPolicy",
  657. "True", "<empty>", "<empty>", 43
  658. ],
  659. [ "4.12.7", "Valid Self-Issued inhibitAnyPolicy Test7", 0 ],
  660. [ "4.12.8", "Invalid Self-Issued inhibitAnyPolicy Test8", 43 ],
  661. [ "4.12.9", "Valid Self-Issued inhibitAnyPolicy Test9", 0 ],
  662. [ "4.12.10", "Invalid Self-Issued inhibitAnyPolicy Test10", 43 ],
  663. [ "4.13", "Name Constraints" ],
  664. [ "4.13.1", "Valid DN nameConstraints Test1", 0 ],
  665. [ "4.13.2", "Invalid DN nameConstraints Test2", 47 ],
  666. [ "4.13.3", "Invalid DN nameConstraints Test3", 47 ],
  667. [ "4.13.4", "Valid DN nameConstraints Test4", 0 ],
  668. [ "4.13.5", "Valid DN nameConstraints Test5", 0 ],
  669. [ "4.13.6", "Valid DN nameConstraints Test6", 0 ],
  670. [ "4.13.7", "Invalid DN nameConstraints Test7", 48 ],
  671. [ "4.13.8", "Invalid DN nameConstraints Test8", 48 ],
  672. [ "4.13.9", "Invalid DN nameConstraints Test9", 48 ],
  673. [ "4.13.10", "Invalid DN nameConstraints Test10", 48 ],
  674. [ "4.13.11", "Valid DN nameConstraints Test11", 0 ],
  675. [ "4.13.12", "Invalid DN nameConstraints Test12", 47 ],
  676. [ "4.13.13", "Invalid DN nameConstraints Test13", 47 ],
  677. [ "4.13.14", "Valid DN nameConstraints Test14", 0 ],
  678. [ "4.13.15", "Invalid DN nameConstraints Test15", 48 ],
  679. [ "4.13.16", "Invalid DN nameConstraints Test16", 48 ],
  680. [ "4.13.17", "Invalid DN nameConstraints Test17", 48 ],
  681. [ "4.13.18", "Valid DN nameConstraints Test18", 0 ],
  682. [ "4.13.19", "Valid Self-Issued DN nameConstraints Test19", 0 ],
  683. [ "4.13.20", "Invalid Self-Issued DN nameConstraints Test20", 47 ],
  684. [ "4.13.21", "Valid RFC822 nameConstraints Test21", 0 ],
  685. [ "4.13.22", "Invalid RFC822 nameConstraints Test22", 47 ],
  686. [ "4.13.23", "Valid RFC822 nameConstraints Test23", 0 ],
  687. [ "4.13.24", "Invalid RFC822 nameConstraints Test24", 47 ],
  688. [ "4.13.25", "Valid RFC822 nameConstraints Test25", 0 ],
  689. [ "4.13.26", "Invalid RFC822 nameConstraints Test26", 48 ],
  690. [ "4.13.27", "Valid DN and RFC822 nameConstraints Test27", 0 ],
  691. [ "4.13.28", "Invalid DN and RFC822 nameConstraints Test28", 47 ],
  692. [ "4.13.29", "Invalid DN and RFC822 nameConstraints Test29", 47 ],
  693. [ "4.13.30", "Valid DNS nameConstraints Test30", 0 ],
  694. [ "4.13.31", "Invalid DNS nameConstraints Test31", 47 ],
  695. [ "4.13.32", "Valid DNS nameConstraints Test32", 0 ],
  696. [ "4.13.33", "Invalid DNS nameConstraints Test33", 48 ],
  697. [ "4.13.34", "Valid URI nameConstraints Test34", 0 ],
  698. [ "4.13.35", "Invalid URI nameConstraints Test35", 47 ],
  699. [ "4.13.36", "Valid URI nameConstraints Test36", 0 ],
  700. [ "4.13.37", "Invalid URI nameConstraints Test37", 48 ],
  701. [ "4.13.38", "Invalid DNS nameConstraints Test38", 47 ],
  702. [ "4.14", "Distribution Points" ],
  703. [ "4.14.1", "Valid distributionPoint Test1", 0 ],
  704. [ "4.14.2", "Invalid distributionPoint Test2", 23 ],
  705. [ "4.14.3", "Invalid distributionPoint Test3", 44 ],
  706. [ "4.14.4", "Valid distributionPoint Test4", 0 ],
  707. [ "4.14.5", "Valid distributionPoint Test5", 0 ],
  708. [ "4.14.6", "Invalid distributionPoint Test6", 23 ],
  709. [ "4.14.7", "Valid distributionPoint Test7", 0 ],
  710. [ "4.14.8", "Invalid distributionPoint Test8", 44 ],
  711. [ "4.14.9", "Invalid distributionPoint Test9", 44 ],
  712. [ "4.14.10", "Valid No issuingDistributionPoint Test10", 0 ],
  713. [ "4.14.11", "Invalid onlyContainsUserCerts CRL Test11", 44 ],
  714. [ "4.14.12", "Invalid onlyContainsCACerts CRL Test12", 44 ],
  715. [ "4.14.13", "Valid onlyContainsCACerts CRL Test13", 0 ],
  716. [ "4.14.14", "Invalid onlyContainsAttributeCerts Test14", 44 ],
  717. [ "4.14.15", "Invalid onlySomeReasons Test15", 23 ],
  718. [ "4.14.16", "Invalid onlySomeReasons Test16", 23 ],
  719. [ "4.14.17", "Invalid onlySomeReasons Test17", 3 ],
  720. [ "4.14.18", "Valid onlySomeReasons Test18", 0 ],
  721. [ "4.14.19", "Valid onlySomeReasons Test19", 0 ],
  722. [ "4.14.20", "Invalid onlySomeReasons Test20", 23 ],
  723. [ "4.14.21", "Invalid onlySomeReasons Test21", 23 ],
  724. [ "4.14.22", "Valid IDP with indirectCRL Test22", 0 ],
  725. [ "4.14.23", "Invalid IDP with indirectCRL Test23", 23 ],
  726. [ "4.14.24", "Valid IDP with indirectCRL Test24", 0 ],
  727. [ "4.14.25", "Valid IDP with indirectCRL Test25", 0 ],
  728. [ "4.14.26", "Invalid IDP with indirectCRL Test26", 44 ],
  729. [ "4.14.27", "Invalid cRLIssuer Test27", 3 ],
  730. [ "4.14.28", "Valid cRLIssuer Test28", 0 ],
  731. [ "4.14.29", "Valid cRLIssuer Test29", 0 ],
  732. # Although this test is valid it has a circular dependency. As a result
  733. # an attempt is made to reursively checks a CRL path and rejected due to
  734. # a CRL path validation error. PKITS notes suggest this test does not
  735. # need to be run due to this issue.
  736. [ "4.14.30", "Valid cRLIssuer Test30", 54 ],
  737. [ "4.14.31", "Invalid cRLIssuer Test31", 23 ],
  738. [ "4.14.32", "Invalid cRLIssuer Test32", 23 ],
  739. [ "4.14.33", "Valid cRLIssuer Test33", 0 ],
  740. [ "4.14.34", "Invalid cRLIssuer Test34", 23 ],
  741. [ "4.14.35", "Invalid cRLIssuer Test35", 44 ],
  742. [ "4.15", "Delta-CRLs" ],
  743. [ "4.15.1", "Invalid deltaCRLIndicator No Base Test1", 3 ],
  744. [ "4.15.2", "Valid delta-CRL Test2", 0 ],
  745. [ "4.15.3", "Invalid delta-CRL Test3", 23 ],
  746. [ "4.15.4", "Invalid delta-CRL Test4", 23 ],
  747. [ "4.15.5", "Valid delta-CRL Test5", 0 ],
  748. [ "4.15.6", "Invalid delta-CRL Test6", 23 ],
  749. [ "4.15.7", "Valid delta-CRL Test7", 0 ],
  750. [ "4.15.8", "Valid delta-CRL Test8", 0 ],
  751. [ "4.15.9", "Invalid delta-CRL Test9", 23 ],
  752. [ "4.15.10", "Invalid delta-CRL Test10", 12 ],
  753. [ "4.16", "Private Certificate Extensions" ],
  754. [ "4.16.1", "Valid Unknown Not Critical Certificate Extension Test1", 0 ],
  755. [ "4.16.2", "Invalid Unknown Critical Certificate Extension Test2", 34 ],
  756. );
  757. my $verbose = 1;
  758. my $numtest = 0;
  759. my $numfail = 0;
  760. my $ossl = "ossl/apps/openssl";
  761. my $ossl_cmd = "$ossl_path cms -verify -verify_retcode ";
  762. $ossl_cmd .= "-CAfile pkitsta.pem -crl_check_all -x509_strict ";
  763. $ossl_cmd .= "-policy_check -extended_crl -use_deltas -out /dev/null 2>&1 ";
  764. system "$ossl_path x509 -inform DER -in $pkitsta -out pkitsta.pem";
  765. die "Can't create trust anchor file" if $?;
  766. print "Running PKITS tests:\n" if $verbose;
  767. foreach (@testlists) {
  768. my $argnum = @$_;
  769. if ( $argnum == 2 ) {
  770. my ( $tnum, $title ) = @$_;
  771. print "$tnum $title\n" if $verbose;
  772. }
  773. elsif ( $argnum == 3 ) {
  774. my ( $tnum, $title, $exp_ret ) = @$_;
  775. my $filename = $title;
  776. $exp_ret += 32 if $exp_ret;
  777. $filename =~ tr/ -//d;
  778. $filename = "Signed${filename}.eml";
  779. if ( !-f "$pkitsdir/$filename" ) {
  780. print "\"$filename\" not found\n";
  781. }
  782. else {
  783. my $ret;
  784. my $test_fail = 0;
  785. my $errmsg = "";
  786. my $cmd = $ossl_cmd;
  787. $cmd .= "-in $pkitsdir/$filename -policy anyPolicy";
  788. my $cmdout = `$cmd`;
  789. $ret = $? >> 8;
  790. if ( $? & 0xff ) {
  791. $errmsg .= "Abnormal OpenSSL termination\n";
  792. $test_fail = 1;
  793. }
  794. if ( $exp_ret != $ret ) {
  795. $errmsg .= "Return code:$ret, ";
  796. $errmsg .= "expected $exp_ret\n";
  797. $test_fail = 1;
  798. }
  799. if ($test_fail) {
  800. print "$tnum $title : Failed!\n";
  801. print "Filename: $pkitsdir/$filename\n";
  802. print $errmsg;
  803. print "Command output:\n$cmdout\n";
  804. $numfail++;
  805. }
  806. $numtest++;
  807. }
  808. }
  809. elsif ( $argnum == 7 ) {
  810. my ( $tnum, $title, $exargs, $exp_epol, $exp_aset, $exp_uset, $exp_ret )
  811. = @$_;
  812. my $filename = $title;
  813. $exp_ret += 32 if $exp_ret;
  814. $filename =~ tr/ -//d;
  815. $filename = "Signed${filename}.eml";
  816. if ( !-f "$pkitsdir/$filename" ) {
  817. print "\"$filename\" not found\n";
  818. }
  819. else {
  820. my $ret;
  821. my $cmdout = "";
  822. my $errmsg = "";
  823. my $epol = "";
  824. my $aset = "";
  825. my $uset = "";
  826. my $pol = -1;
  827. my $test_fail = 0;
  828. my $cmd = $ossl_cmd;
  829. $cmd .= "-in $pkitsdir/$filename $exargs -policy_print";
  830. @oparr = `$cmd`;
  831. $ret = $? >> 8;
  832. if ( $? & 0xff ) {
  833. $errmsg .= "Abnormal OpenSSL termination\n";
  834. $test_fail = 1;
  835. }
  836. foreach (@oparr) {
  837. my $test_failed = 0;
  838. $cmdout .= $_;
  839. if (/^Require explicit Policy: (.*)$/) {
  840. $epol = $1;
  841. }
  842. if (/^Authority Policies/) {
  843. if (/empty/) {
  844. $aset = "<empty>";
  845. }
  846. else {
  847. $pol = 1;
  848. }
  849. }
  850. $test_fail = 1 if (/leak/i);
  851. if (/^User Policies/) {
  852. if (/empty/) {
  853. $uset = "<empty>";
  854. }
  855. else {
  856. $pol = 2;
  857. }
  858. }
  859. if (/\s+Policy: (.*)$/) {
  860. if ( $pol == 1 ) {
  861. $aset .= ":" if $aset ne "";
  862. $aset .= $1;
  863. }
  864. elsif ( $pol == 2 ) {
  865. $uset .= ":" if $uset ne "";
  866. $uset .= $1;
  867. }
  868. }
  869. }
  870. if ( $epol ne $exp_epol ) {
  871. $errmsg .= "Explicit policy:$epol, ";
  872. $errmsg .= "expected $exp_epol\n";
  873. $test_fail = 1;
  874. }
  875. if ( $aset ne $exp_aset ) {
  876. $errmsg .= "Authority policy set :$aset, ";
  877. $errmsg .= "expected $exp_aset\n";
  878. $test_fail = 1;
  879. }
  880. if ( $uset ne $exp_uset ) {
  881. $errmsg .= "User policy set :$uset, ";
  882. $errmsg .= "expected $exp_uset\n";
  883. $test_fail = 1;
  884. }
  885. if ( $exp_ret != $ret ) {
  886. print "Return code:$ret, expected $exp_ret\n";
  887. $test_fail = 1;
  888. }
  889. if ($test_fail) {
  890. print "$tnum $title : Failed!\n";
  891. print "Filename: $pkitsdir/$filename\n";
  892. print "Command output:\n$cmdout\n";
  893. $numfail++;
  894. }
  895. $numtest++;
  896. }
  897. }
  898. }
  899. if ($numfail) {
  900. print "$numfail tests failed out of $numtest\n";
  901. }
  902. else {
  903. print "All Tests Successful.\n";
  904. }
  905. unlink "pkitsta.pem";