Fixed range of random produced in BN_is_prime_fasttest_ex() to be 1 < rand < w-1...
[openssl.git] / test / pkits-test.pl
1 #! /usr/bin/env perl
2 # Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
3 #
4 # Licensed under the OpenSSL license (the "License").  You may not use
5 # this file except in compliance with the License.  You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
8
9 # Perl utility to run PKITS tests for RFC3280 compliance.
10
11 my $ossl_path;
12
13 if ( -f "../apps/openssl" ) {
14     $ossl_path = "../util/shlib_wrap.sh ../apps/openssl";
15 }
16 elsif ( -f "..\\out32dll\\openssl.exe" ) {
17     $ossl_path = "..\\out32dll\\openssl.exe";
18 }
19 elsif ( -f "..\\out32\\openssl.exe" ) {
20     $ossl_path = "..\\out32\\openssl.exe";
21 }
22 else {
23     die "Can't find OpenSSL executable";
24 }
25
26 my $pkitsdir = "pkits/smime";
27 my $pkitsta = "pkits/certs/TrustAnchorRootCertificate.crt";
28
29 die "Can't find PKITS test data" if !-d $pkitsdir;
30
31 my $nist1 = "2.16.840.1.101.3.2.1.48.1";
32 my $nist2 = "2.16.840.1.101.3.2.1.48.2";
33 my $nist3 = "2.16.840.1.101.3.2.1.48.3";
34 my $nist4 = "2.16.840.1.101.3.2.1.48.4";
35 my $nist5 = "2.16.840.1.101.3.2.1.48.5";
36 my $nist6 = "2.16.840.1.101.3.2.1.48.6";
37
38 my $apolicy = "X509v3 Any Policy";
39
40 # This table contains the chapter headings of the accompanying PKITS
41 # document. They provide useful informational output and their names
42 # can be converted into the filename to test.
43
44 my @testlists = (
45     [ "4.1", "Signature Verification" ],
46     [ "4.1.1", "Valid Signatures Test1",                        0 ],
47     [ "4.1.2", "Invalid CA Signature Test2",                    7 ],
48     [ "4.1.3", "Invalid EE Signature Test3",                    7 ],
49     [ "4.1.4", "Valid DSA Signatures Test4",                    0 ],
50     [ "4.1.5", "Valid DSA Parameter Inheritance Test5",         0 ],
51     [ "4.1.6", "Invalid DSA Signature Test6",                   7 ],
52     [ "4.2",   "Validity Periods" ],
53     [ "4.2.1", "Invalid CA notBefore Date Test1",               9 ],
54     [ "4.2.2", "Invalid EE notBefore Date Test2",               9 ],
55     [ "4.2.3", "Valid pre2000 UTC notBefore Date Test3",        0 ],
56     [ "4.2.4", "Valid GeneralizedTime notBefore Date Test4",    0 ],
57     [ "4.2.5", "Invalid CA notAfter Date Test5",                10 ],
58     [ "4.2.6", "Invalid EE notAfter Date Test6",                10 ],
59     [ "4.2.7", "Invalid pre2000 UTC EE notAfter Date Test7",    10 ],
60     [ "4.2.8", "Valid GeneralizedTime notAfter Date Test8",     0 ],
61     [ "4.3",   "Verifying Name Chaining" ],
62     [ "4.3.1", "Invalid Name Chaining EE Test1",                20 ],
63     [ "4.3.2", "Invalid Name Chaining Order Test2",             20 ],
64     [ "4.3.3", "Valid Name Chaining Whitespace Test3",          0 ],
65     [ "4.3.4", "Valid Name Chaining Whitespace Test4",          0 ],
66     [ "4.3.5", "Valid Name Chaining Capitalization Test5",      0 ],
67     [ "4.3.6", "Valid Name Chaining UIDs Test6",                0 ],
68     [ "4.3.7", "Valid RFC3280 Mandatory Attribute Types Test7", 0 ],
69     [ "4.3.8", "Valid RFC3280 Optional Attribute Types Test8",  0 ],
70     [ "4.3.9", "Valid UTF8String Encoded Names Test9",          0 ],
71     [ "4.3.10", "Valid Rollover from PrintableString to UTF8String Test10", 0 ],
72     [ "4.3.11", "Valid UTF8String Case Insensitive Match Test11",           0 ],
73     [ "4.4",    "Basic Certificate Revocation Tests" ],
74     [ "4.4.1",  "Missing CRL Test1",                                        3 ],
75     [ "4.4.2", "Invalid Revoked CA Test2",          23 ],
76     [ "4.4.3", "Invalid Revoked EE Test3",          23 ],
77     [ "4.4.4", "Invalid Bad CRL Signature Test4",   8 ],
78     [ "4.4.5", "Invalid Bad CRL Issuer Name Test5", 3 ],
79     [ "4.4.6", "Invalid Wrong CRL Test6",           3 ],
80     [ "4.4.7", "Valid Two CRLs Test7",              0 ],
81
82     # The test document suggests these should return certificate revoked...
83     # Subsequent discussion has concluded they should not due to unhandle
84     # critical CRL extensions.
85     [ "4.4.8", "Invalid Unknown CRL Entry Extension Test8", 36 ],
86     [ "4.4.9", "Invalid Unknown CRL Extension Test9",       36 ],
87
88     [ "4.4.10", "Invalid Unknown CRL Extension Test10",             36 ],
89     [ "4.4.11", "Invalid Old CRL nextUpdate Test11",                12 ],
90     [ "4.4.12", "Invalid pre2000 CRL nextUpdate Test12",            12 ],
91     [ "4.4.13", "Valid GeneralizedTime CRL nextUpdate Test13",      0 ],
92     [ "4.4.14", "Valid Negative Serial Number Test14",              0 ],
93     [ "4.4.15", "Invalid Negative Serial Number Test15",            23 ],
94     [ "4.4.16", "Valid Long Serial Number Test16",                  0 ],
95     [ "4.4.17", "Valid Long Serial Number Test17",                  0 ],
96     [ "4.4.18", "Invalid Long Serial Number Test18",                23 ],
97     [ "4.4.19", "Valid Separate Certificate and CRL Keys Test19",   0 ],
98     [ "4.4.20", "Invalid Separate Certificate and CRL Keys Test20", 23 ],
99
100     # CRL path is revoked so get a CRL path validation error
101     [ "4.4.21", "Invalid Separate Certificate and CRL Keys Test21",      54 ],
102     [ "4.5",    "Verifying Paths with Self-Issued Certificates" ],
103     [ "4.5.1",  "Valid Basic Self-Issued Old With New Test1",            0 ],
104     [ "4.5.2",  "Invalid Basic Self-Issued Old With New Test2",          23 ],
105     [ "4.5.3",  "Valid Basic Self-Issued New With Old Test3",            0 ],
106     [ "4.5.4",  "Valid Basic Self-Issued New With Old Test4",            0 ],
107     [ "4.5.5",  "Invalid Basic Self-Issued New With Old Test5",          23 ],
108     [ "4.5.6",  "Valid Basic Self-Issued CRL Signing Key Test6",         0 ],
109     [ "4.5.7",  "Invalid Basic Self-Issued CRL Signing Key Test7",       23 ],
110     [ "4.5.8",  "Invalid Basic Self-Issued CRL Signing Key Test8",       20 ],
111     [ "4.6",    "Verifying Basic Constraints" ],
112     [ "4.6.1",  "Invalid Missing basicConstraints Test1",                24 ],
113     [ "4.6.2",  "Invalid cA False Test2",                                24 ],
114     [ "4.6.3",  "Invalid cA False Test3",                                24 ],
115     [ "4.6.4",  "Valid basicConstraints Not Critical Test4",             0 ],
116     [ "4.6.5",  "Invalid pathLenConstraint Test5",                       25 ],
117     [ "4.6.6",  "Invalid pathLenConstraint Test6",                       25 ],
118     [ "4.6.7",  "Valid pathLenConstraint Test7",                         0 ],
119     [ "4.6.8",  "Valid pathLenConstraint Test8",                         0 ],
120     [ "4.6.9",  "Invalid pathLenConstraint Test9",                       25 ],
121     [ "4.6.10", "Invalid pathLenConstraint Test10",                      25 ],
122     [ "4.6.11", "Invalid pathLenConstraint Test11",                      25 ],
123     [ "4.6.12", "Invalid pathLenConstraint Test12",                      25 ],
124     [ "4.6.13", "Valid pathLenConstraint Test13",                        0 ],
125     [ "4.6.14", "Valid pathLenConstraint Test14",                        0 ],
126     [ "4.6.15", "Valid Self-Issued pathLenConstraint Test15",            0 ],
127     [ "4.6.16", "Invalid Self-Issued pathLenConstraint Test16",          25 ],
128     [ "4.6.17", "Valid Self-Issued pathLenConstraint Test17",            0 ],
129     [ "4.7",    "Key Usage" ],
130     [ "4.7.1",  "Invalid keyUsage Critical keyCertSign False Test1",     20 ],
131     [ "4.7.2",  "Invalid keyUsage Not Critical keyCertSign False Test2", 20 ],
132     [ "4.7.3",  "Valid keyUsage Not Critical Test3",                     0 ],
133     [ "4.7.4",  "Invalid keyUsage Critical cRLSign False Test4",         35 ],
134     [ "4.7.5",  "Invalid keyUsage Not Critical cRLSign False Test5",     35 ],
135
136     # Certificate policy tests need special handling. They can have several
137     # sub tests and we need to check the outputs are correct.
138
139     [ "4.8", "Certificate Policies" ],
140     [
141         "4.8.1.1",
142         "All Certificates Same Policy Test1",
143         "-policy anyPolicy -explicit_policy",
144         "True", $nist1, $nist1, 0
145     ],
146     [
147         "4.8.1.2",
148         "All Certificates Same Policy Test1",
149         "-policy $nist1 -explicit_policy",
150         "True", $nist1, $nist1, 0
151     ],
152     [
153         "4.8.1.3",
154         "All Certificates Same Policy Test1",
155         "-policy $nist2 -explicit_policy",
156         "True", $nist1, "<empty>", 43
157     ],
158     [
159         "4.8.1.4",
160         "All Certificates Same Policy Test1",
161         "-policy $nist1 -policy $nist2 -explicit_policy",
162         "True", $nist1, $nist1, 0
163     ],
164     [
165         "4.8.2.1",
166         "All Certificates No Policies Test2",
167         "-policy anyPolicy",
168         "False", "<empty>", "<empty>", 0
169     ],
170     [
171         "4.8.2.2",
172         "All Certificates No Policies Test2",
173         "-policy anyPolicy -explicit_policy",
174         "True", "<empty>", "<empty>", 43
175     ],
176     [
177         "4.8.3.1",
178         "Different Policies Test3",
179         "-policy anyPolicy",
180         "False", "<empty>", "<empty>", 0
181     ],
182     [
183         "4.8.3.2",
184         "Different Policies Test3",
185         "-policy anyPolicy -explicit_policy",
186         "True", "<empty>", "<empty>", 43
187     ],
188     [
189         "4.8.3.3",
190         "Different Policies Test3",
191         "-policy $nist1 -policy $nist2 -explicit_policy",
192         "True", "<empty>", "<empty>", 43
193     ],
194
195     [
196         "4.8.4",
197         "Different Policies Test4",
198         "-policy anyPolicy",
199         "True", "<empty>", "<empty>", 43
200     ],
201     [
202         "4.8.5",
203         "Different Policies Test5",
204         "-policy anyPolicy",
205         "True", "<empty>", "<empty>", 43
206     ],
207     [
208         "4.8.6.1",
209         "Overlapping Policies Test6",
210         "-policy anyPolicy",
211         "True", $nist1, $nist1, 0
212     ],
213     [
214         "4.8.6.2",
215         "Overlapping Policies Test6",
216         "-policy $nist1",
217         "True", $nist1, $nist1, 0
218     ],
219     [
220         "4.8.6.3",
221         "Overlapping Policies Test6",
222         "-policy $nist2",
223         "True", $nist1, "<empty>", 43
224     ],
225     [
226         "4.8.7",
227         "Different Policies Test7",
228         "-policy anyPolicy",
229         "True", "<empty>", "<empty>", 43
230     ],
231     [
232         "4.8.8",
233         "Different Policies Test8",
234         "-policy anyPolicy",
235         "True", "<empty>", "<empty>", 43
236     ],
237     [
238         "4.8.9",
239         "Different Policies Test9",
240         "-policy anyPolicy",
241         "True", "<empty>", "<empty>", 43
242     ],
243     [
244         "4.8.10.1",
245         "All Certificates Same Policies Test10",
246         "-policy $nist1",
247         "True", "$nist1:$nist2", "$nist1", 0
248     ],
249     [
250         "4.8.10.2",
251         "All Certificates Same Policies Test10",
252         "-policy $nist2",
253         "True", "$nist1:$nist2", "$nist2", 0
254     ],
255     [
256         "4.8.10.3",
257         "All Certificates Same Policies Test10",
258         "-policy anyPolicy",
259         "True", "$nist1:$nist2", "$nist1:$nist2", 0
260     ],
261     [
262         "4.8.11.1",
263         "All Certificates AnyPolicy Test11",
264         "-policy anyPolicy",
265         "True", "$apolicy", "$apolicy", 0
266     ],
267     [
268         "4.8.11.2",
269         "All Certificates AnyPolicy Test11",
270         "-policy $nist1",
271         "True", "$apolicy", "$nist1", 0
272     ],
273     [
274         "4.8.12",
275         "Different Policies Test12",
276         "-policy anyPolicy",
277         "True", "<empty>", "<empty>", 43
278     ],
279     [
280         "4.8.13.1",
281         "All Certificates Same Policies Test13",
282         "-policy $nist1",
283         "True", "$nist1:$nist2:$nist3", "$nist1", 0
284     ],
285     [
286         "4.8.13.2",
287         "All Certificates Same Policies Test13",
288         "-policy $nist2",
289         "True", "$nist1:$nist2:$nist3", "$nist2", 0
290     ],
291     [
292         "4.8.13.3",
293         "All Certificates Same Policies Test13",
294         "-policy $nist3",
295         "True", "$nist1:$nist2:$nist3", "$nist3", 0
296     ],
297     [
298         "4.8.14.1",       "AnyPolicy Test14",
299         "-policy $nist1", "True",
300         "$nist1",         "$nist1",
301         0
302     ],
303     [
304         "4.8.14.2",       "AnyPolicy Test14",
305         "-policy $nist2", "True",
306         "$nist1",         "<empty>",
307         43
308     ],
309     [
310         "4.8.15",
311         "User Notice Qualifier Test15",
312         "-policy anyPolicy",
313         "False", "$nist1", "$nist1", 0
314     ],
315     [
316         "4.8.16",
317         "User Notice Qualifier Test16",
318         "-policy anyPolicy",
319         "False", "$nist1", "$nist1", 0
320     ],
321     [
322         "4.8.17",
323         "User Notice Qualifier Test17",
324         "-policy anyPolicy",
325         "False", "$nist1", "$nist1", 0
326     ],
327     [
328         "4.8.18.1",
329         "User Notice Qualifier Test18",
330         "-policy $nist1",
331         "True", "$nist1:$nist2", "$nist1", 0
332     ],
333     [
334         "4.8.18.2",
335         "User Notice Qualifier Test18",
336         "-policy $nist2",
337         "True", "$nist1:$nist2", "$nist2", 0
338     ],
339     [
340         "4.8.19",
341         "User Notice Qualifier Test19",
342         "-policy anyPolicy",
343         "False", "$nist1", "$nist1", 0
344     ],
345     [
346         "4.8.20",
347         "CPS Pointer Qualifier Test20",
348         "-policy anyPolicy -explicit_policy",
349         "True", "$nist1", "$nist1", 0
350     ],
351     [ "4.9", "Require Explicit Policy" ],
352     [
353         "4.9.1",
354         "Valid RequireExplicitPolicy Test1",
355         "-policy anyPolicy",
356         "False", "<empty>", "<empty>", 0
357     ],
358     [
359         "4.9.2",
360         "Valid RequireExplicitPolicy Test2",
361         "-policy anyPolicy",
362         "False", "<empty>", "<empty>", 0
363     ],
364     [
365         "4.9.3",
366         "Invalid RequireExplicitPolicy Test3",
367         "-policy anyPolicy",
368         "True", "<empty>", "<empty>", 43
369     ],
370     [
371         "4.9.4",
372         "Valid RequireExplicitPolicy Test4",
373         "-policy anyPolicy",
374         "True", "$nist1", "$nist1", 0
375     ],
376     [
377         "4.9.5",
378         "Invalid RequireExplicitPolicy Test5",
379         "-policy anyPolicy",
380         "True", "<empty>", "<empty>", 43
381     ],
382     [
383         "4.9.6",
384         "Valid Self-Issued requireExplicitPolicy Test6",
385         "-policy anyPolicy",
386         "False", "<empty>", "<empty>", 0
387     ],
388     [
389         "4.9.7",
390         "Invalid Self-Issued requireExplicitPolicy Test7",
391         "-policy anyPolicy",
392         "True", "<empty>", "<empty>", 43
393     ],
394     [
395         "4.9.8",
396         "Invalid Self-Issued requireExplicitPolicy Test8",
397         "-policy anyPolicy",
398         "True", "<empty>", "<empty>", 43
399     ],
400     [ "4.10", "Policy Mappings" ],
401     [
402         "4.10.1.1",
403         "Valid Policy Mapping Test1",
404         "-policy $nist1",
405         "True", "$nist1", "$nist1", 0
406     ],
407     [
408         "4.10.1.2",
409         "Valid Policy Mapping Test1",
410         "-policy $nist2",
411         "True", "$nist1", "<empty>", 43
412     ],
413     [
414         "4.10.1.3",
415         "Valid Policy Mapping Test1",
416         "-policy anyPolicy -inhibit_map",
417         "True", "<empty>", "<empty>", 43
418     ],
419     [
420         "4.10.2.1",
421         "Invalid Policy Mapping Test2",
422         "-policy anyPolicy",
423         "True", "<empty>", "<empty>", 43
424     ],
425     [
426         "4.10.2.2",
427         "Invalid Policy Mapping Test2",
428         "-policy anyPolicy -inhibit_map",
429         "True", "<empty>", "<empty>", 43
430     ],
431     [
432         "4.10.3.1",
433         "Valid Policy Mapping Test3",
434         "-policy $nist1",
435         "True", "$nist2", "<empty>", 43
436     ],
437     [
438         "4.10.3.2",
439         "Valid Policy Mapping Test3",
440         "-policy $nist2",
441         "True", "$nist2", "$nist2", 0
442     ],
443     [
444         "4.10.4",
445         "Invalid Policy Mapping Test4",
446         "-policy anyPolicy",
447         "True", "<empty>", "<empty>", 43
448     ],
449     [
450         "4.10.5.1",
451         "Valid Policy Mapping Test5",
452         "-policy $nist1",
453         "True", "$nist1", "$nist1", 0
454     ],
455     [
456         "4.10.5.2",
457         "Valid Policy Mapping Test5",
458         "-policy $nist6",
459         "True", "$nist1", "<empty>", 43
460     ],
461     [
462         "4.10.6.1",
463         "Valid Policy Mapping Test6",
464         "-policy $nist1",
465         "True", "$nist1", "$nist1", 0
466     ],
467     [
468         "4.10.6.2",
469         "Valid Policy Mapping Test6",
470         "-policy $nist6",
471         "True", "$nist1", "<empty>", 43
472     ],
473     [ "4.10.7", "Invalid Mapping From anyPolicy Test7", 42 ],
474     [ "4.10.8", "Invalid Mapping To anyPolicy Test8",   42 ],
475     [
476         "4.10.9",
477         "Valid Policy Mapping Test9",
478         "-policy anyPolicy",
479         "True", "$nist1", "$nist1", 0
480     ],
481     [
482         "4.10.10",
483         "Invalid Policy Mapping Test10",
484         "-policy anyPolicy",
485         "True", "<empty>", "<empty>", 43
486     ],
487     [
488         "4.10.11",
489         "Valid Policy Mapping Test11",
490         "-policy anyPolicy",
491         "True", "$nist1", "$nist1", 0
492     ],
493
494     # TODO: check notice display
495     [
496         "4.10.12.1",
497         "Valid Policy Mapping Test12",
498         "-policy $nist1",
499         "True", "$nist1:$nist2", "$nist1", 0
500     ],
501
502     # TODO: check notice display
503     [
504         "4.10.12.2",
505         "Valid Policy Mapping Test12",
506         "-policy $nist2",
507         "True", "$nist1:$nist2", "$nist2", 0
508     ],
509     [
510         "4.10.13",
511         "Valid Policy Mapping Test13",
512         "-policy anyPolicy",
513         "True", "$nist1", "$nist1", 0
514     ],
515
516     # TODO: check notice display
517     [
518         "4.10.14",
519         "Valid Policy Mapping Test14",
520         "-policy anyPolicy",
521         "True", "$nist1", "$nist1", 0
522     ],
523     [ "4.11", "Inhibit Policy Mapping" ],
524     [
525         "4.11.1",
526         "Invalid inhibitPolicyMapping Test1",
527         "-policy anyPolicy",
528         "True", "<empty>", "<empty>", 43
529     ],
530     [
531         "4.11.2",
532         "Valid inhibitPolicyMapping Test2",
533         "-policy anyPolicy",
534         "True", "$nist1", "$nist1", 0
535     ],
536     [
537         "4.11.3",
538         "Invalid inhibitPolicyMapping Test3",
539         "-policy anyPolicy",
540         "True", "<empty>", "<empty>", 43
541     ],
542     [
543         "4.11.4",
544         "Valid inhibitPolicyMapping Test4",
545         "-policy anyPolicy",
546         "True", "$nist2", "$nist2", 0
547     ],
548     [
549         "4.11.5",
550         "Invalid inhibitPolicyMapping Test5",
551         "-policy anyPolicy",
552         "True", "<empty>", "<empty>", 43
553     ],
554     [
555         "4.11.6",
556         "Invalid inhibitPolicyMapping Test6",
557         "-policy anyPolicy",
558         "True", "<empty>", "<empty>", 43
559     ],
560     [
561         "4.11.7",
562         "Valid Self-Issued inhibitPolicyMapping Test7",
563         "-policy anyPolicy",
564         "True", "$nist1", "$nist1", 0
565     ],
566     [
567         "4.11.8",
568         "Invalid Self-Issued inhibitPolicyMapping Test8",
569         "-policy anyPolicy",
570         "True", "<empty>", "<empty>", 43
571     ],
572     [
573         "4.11.9",
574         "Invalid Self-Issued inhibitPolicyMapping Test9",
575         "-policy anyPolicy",
576         "True", "<empty>", "<empty>", 43
577     ],
578     [
579         "4.11.10",
580         "Invalid Self-Issued inhibitPolicyMapping Test10",
581         "-policy anyPolicy",
582         "True", "<empty>", "<empty>", 43
583     ],
584     [
585         "4.11.11",
586         "Invalid Self-Issued inhibitPolicyMapping Test11",
587         "-policy anyPolicy",
588         "True", "<empty>", "<empty>", 43
589     ],
590     [ "4.12", "Inhibit Any Policy" ],
591     [
592         "4.12.1",
593         "Invalid inhibitAnyPolicy Test1",
594         "-policy anyPolicy",
595         "True", "<empty>", "<empty>", 43
596     ],
597     [
598         "4.12.2",
599         "Valid inhibitAnyPolicy Test2",
600         "-policy anyPolicy",
601         "True", "$nist1", "$nist1", 0
602     ],
603     [
604         "4.12.3.1",
605         "inhibitAnyPolicy Test3",
606         "-policy anyPolicy",
607         "True", "$nist1", "$nist1", 0
608     ],
609     [
610         "4.12.3.2",
611         "inhibitAnyPolicy Test3",
612         "-policy anyPolicy -inhibit_any",
613         "True", "<empty>", "<empty>", 43
614     ],
615     [
616         "4.12.4",
617         "Invalid inhibitAnyPolicy Test4",
618         "-policy anyPolicy",
619         "True", "<empty>", "<empty>", 43
620     ],
621     [
622         "4.12.5",
623         "Invalid inhibitAnyPolicy Test5",
624         "-policy anyPolicy",
625         "True", "<empty>", "<empty>", 43
626     ],
627     [
628         "4.12.6",
629         "Invalid inhibitAnyPolicy Test6",
630         "-policy anyPolicy",
631         "True", "<empty>", "<empty>", 43
632     ],
633     [ "4.12.7",  "Valid Self-Issued inhibitAnyPolicy Test7",      0 ],
634     [ "4.12.8",  "Invalid Self-Issued inhibitAnyPolicy Test8",    43 ],
635     [ "4.12.9",  "Valid Self-Issued inhibitAnyPolicy Test9",      0 ],
636     [ "4.12.10", "Invalid Self-Issued inhibitAnyPolicy Test10",   43 ],
637     [ "4.13",    "Name Constraints" ],
638     [ "4.13.1",  "Valid DN nameConstraints Test1",                0 ],
639     [ "4.13.2",  "Invalid DN nameConstraints Test2",              47 ],
640     [ "4.13.3",  "Invalid DN nameConstraints Test3",              47 ],
641     [ "4.13.4",  "Valid DN nameConstraints Test4",                0 ],
642     [ "4.13.5",  "Valid DN nameConstraints Test5",                0 ],
643     [ "4.13.6",  "Valid DN nameConstraints Test6",                0 ],
644     [ "4.13.7",  "Invalid DN nameConstraints Test7",              48 ],
645     [ "4.13.8",  "Invalid DN nameConstraints Test8",              48 ],
646     [ "4.13.9",  "Invalid DN nameConstraints Test9",              48 ],
647     [ "4.13.10", "Invalid DN nameConstraints Test10",             48 ],
648     [ "4.13.11", "Valid DN nameConstraints Test11",               0 ],
649     [ "4.13.12", "Invalid DN nameConstraints Test12",             47 ],
650     [ "4.13.13", "Invalid DN nameConstraints Test13",             47 ],
651     [ "4.13.14", "Valid DN nameConstraints Test14",               0 ],
652     [ "4.13.15", "Invalid DN nameConstraints Test15",             48 ],
653     [ "4.13.16", "Invalid DN nameConstraints Test16",             48 ],
654     [ "4.13.17", "Invalid DN nameConstraints Test17",             48 ],
655     [ "4.13.18", "Valid DN nameConstraints Test18",               0 ],
656     [ "4.13.19", "Valid Self-Issued DN nameConstraints Test19",   0 ],
657     [ "4.13.20", "Invalid Self-Issued DN nameConstraints Test20", 47 ],
658     [ "4.13.21", "Valid RFC822 nameConstraints Test21",           0 ],
659     [ "4.13.22", "Invalid RFC822 nameConstraints Test22",         47 ],
660     [ "4.13.23", "Valid RFC822 nameConstraints Test23",           0 ],
661     [ "4.13.24", "Invalid RFC822 nameConstraints Test24",         47 ],
662     [ "4.13.25", "Valid RFC822 nameConstraints Test25",           0 ],
663     [ "4.13.26", "Invalid RFC822 nameConstraints Test26",         48 ],
664     [ "4.13.27", "Valid DN and RFC822 nameConstraints Test27",    0 ],
665     [ "4.13.28", "Invalid DN and RFC822 nameConstraints Test28",  47 ],
666     [ "4.13.29", "Invalid DN and RFC822 nameConstraints Test29",  47 ],
667     [ "4.13.30", "Valid DNS nameConstraints Test30",              0 ],
668     [ "4.13.31", "Invalid DNS nameConstraints Test31",            47 ],
669     [ "4.13.32", "Valid DNS nameConstraints Test32",              0 ],
670     [ "4.13.33", "Invalid DNS nameConstraints Test33",            48 ],
671     [ "4.13.34", "Valid URI nameConstraints Test34",              0 ],
672     [ "4.13.35", "Invalid URI nameConstraints Test35",            47 ],
673     [ "4.13.36", "Valid URI nameConstraints Test36",              0 ],
674     [ "4.13.37", "Invalid URI nameConstraints Test37",            48 ],
675     [ "4.13.38", "Invalid DNS nameConstraints Test38",            47 ],
676     [ "4.14",    "Distribution Points" ],
677     [ "4.14.1",  "Valid distributionPoint Test1",                 0 ],
678     [ "4.14.2",  "Invalid distributionPoint Test2",               23 ],
679     [ "4.14.3",  "Invalid distributionPoint Test3",               44 ],
680     [ "4.14.4",  "Valid distributionPoint Test4",                 0 ],
681     [ "4.14.5",  "Valid distributionPoint Test5",                 0 ],
682     [ "4.14.6",  "Invalid distributionPoint Test6",               23 ],
683     [ "4.14.7",  "Valid distributionPoint Test7",                 0 ],
684     [ "4.14.8",  "Invalid distributionPoint Test8",               44 ],
685     [ "4.14.9",  "Invalid distributionPoint Test9",               44 ],
686     [ "4.14.10", "Valid No issuingDistributionPoint Test10",      0 ],
687     [ "4.14.11", "Invalid onlyContainsUserCerts CRL Test11",      44 ],
688     [ "4.14.12", "Invalid onlyContainsCACerts CRL Test12",        44 ],
689     [ "4.14.13", "Valid onlyContainsCACerts CRL Test13",          0 ],
690     [ "4.14.14", "Invalid onlyContainsAttributeCerts Test14",     44 ],
691     [ "4.14.15", "Invalid onlySomeReasons Test15",                23 ],
692     [ "4.14.16", "Invalid onlySomeReasons Test16",                23 ],
693     [ "4.14.17", "Invalid onlySomeReasons Test17",                3 ],
694     [ "4.14.18", "Valid onlySomeReasons Test18",                  0 ],
695     [ "4.14.19", "Valid onlySomeReasons Test19",                  0 ],
696     [ "4.14.20", "Invalid onlySomeReasons Test20",                23 ],
697     [ "4.14.21", "Invalid onlySomeReasons Test21",                23 ],
698     [ "4.14.22", "Valid IDP with indirectCRL Test22",             0 ],
699     [ "4.14.23", "Invalid IDP with indirectCRL Test23",           23 ],
700     [ "4.14.24", "Valid IDP with indirectCRL Test24",             0 ],
701     [ "4.14.25", "Valid IDP with indirectCRL Test25",             0 ],
702     [ "4.14.26", "Invalid IDP with indirectCRL Test26",           44 ],
703     [ "4.14.27", "Invalid cRLIssuer Test27",                      3 ],
704     [ "4.14.28", "Valid cRLIssuer Test28",                        0 ],
705     [ "4.14.29", "Valid cRLIssuer Test29",                        0 ],
706
707     # Although this test is valid it has a circular dependency. As a result
708     # an attempt is made to recursively checks a CRL path and rejected due to
709     # a CRL path validation error. PKITS notes suggest this test does not
710     # need to be run due to this issue.
711     [ "4.14.30", "Valid cRLIssuer Test30",                                 54 ],
712     [ "4.14.31", "Invalid cRLIssuer Test31",                               23 ],
713     [ "4.14.32", "Invalid cRLIssuer Test32",                               23 ],
714     [ "4.14.33", "Valid cRLIssuer Test33",                                 0 ],
715     [ "4.14.34", "Invalid cRLIssuer Test34",                               23 ],
716     [ "4.14.35", "Invalid cRLIssuer Test35",                               44 ],
717     [ "4.15",    "Delta-CRLs" ],
718     [ "4.15.1",  "Invalid deltaCRLIndicator No Base Test1",                3 ],
719     [ "4.15.2",  "Valid delta-CRL Test2",                                  0 ],
720     [ "4.15.3",  "Invalid delta-CRL Test3",                                23 ],
721     [ "4.15.4",  "Invalid delta-CRL Test4",                                23 ],
722     [ "4.15.5",  "Valid delta-CRL Test5",                                  0 ],
723     [ "4.15.6",  "Invalid delta-CRL Test6",                                23 ],
724     [ "4.15.7",  "Valid delta-CRL Test7",                                  0 ],
725     [ "4.15.8",  "Valid delta-CRL Test8",                                  0 ],
726     [ "4.15.9",  "Invalid delta-CRL Test9",                                23 ],
727     [ "4.15.10", "Invalid delta-CRL Test10",                               12 ],
728     [ "4.16",    "Private Certificate Extensions" ],
729     [ "4.16.1",  "Valid Unknown Not Critical Certificate Extension Test1", 0 ],
730     [ "4.16.2",  "Invalid Unknown Critical Certificate Extension Test2",   34 ],
731 );
732
733
734 my $verbose = 1;
735
736 my $numtest = 0;
737 my $numfail = 0;
738
739 my $ossl = "ossl/apps/openssl";
740
741 my $ossl_cmd = "$ossl_path cms -verify -verify_retcode ";
742 $ossl_cmd .= "-CAfile pkitsta.pem -crl_check_all -x509_strict ";
743
744 # Check for expiry of trust anchor
745 system "$ossl_path x509 -inform DER -in $pkitsta -checkend 0";
746 if ($? == 256)
747         {
748         print STDERR "WARNING: using older expired data\n";
749         $ossl_cmd .= "-attime 1291940972 ";
750         }
751
752 $ossl_cmd .= "-policy_check -extended_crl -use_deltas -out /dev/null 2>&1 ";
753
754 system "$ossl_path x509 -inform DER -in $pkitsta -out pkitsta.pem";
755
756 die "Can't create trust anchor file" if $?;
757
758 print "Running PKITS tests:\n" if $verbose;
759
760 foreach (@testlists) {
761     my $argnum = @$_;
762     if ( $argnum == 2 ) {
763         my ( $tnum, $title ) = @$_;
764         print "$tnum $title\n" if $verbose;
765     }
766     elsif ( $argnum == 3 ) {
767         my ( $tnum, $title, $exp_ret ) = @$_;
768         my $filename = $title;
769         $exp_ret += 32 if $exp_ret;
770         $filename =~ tr/ -//d;
771         $filename = "Signed${filename}.eml";
772         if ( !-f "$pkitsdir/$filename" ) {
773             print "\"$filename\" not found\n";
774         }
775         else {
776             my $ret;
777             my $test_fail = 0;
778             my $errmsg    = "";
779             my $cmd       = $ossl_cmd;
780             $cmd .= "-in $pkitsdir/$filename -policy anyPolicy";
781             my $cmdout = `$cmd`;
782             $ret = $? >> 8;
783             if ( $? & 0xff ) {
784                 $errmsg .= "Abnormal OpenSSL termination\n";
785                 $test_fail = 1;
786             }
787             if ( $exp_ret != $ret ) {
788                 $errmsg .= "Return code:$ret, ";
789                 $errmsg .= "expected $exp_ret\n";
790                 $test_fail = 1;
791             }
792             if ($test_fail) {
793                 print "$tnum $title : Failed!\n";
794                 print "Filename: $pkitsdir/$filename\n";
795                 print $errmsg;
796                 print "Command output:\n$cmdout\n";
797                 $numfail++;
798             }
799             $numtest++;
800         }
801     }
802     elsif ( $argnum == 7 ) {
803         my ( $tnum, $title, $exargs, $exp_epol, $exp_aset, $exp_uset, $exp_ret )
804           = @$_;
805         my $filename = $title;
806         $exp_ret += 32 if $exp_ret;
807         $filename =~ tr/ -//d;
808         $filename = "Signed${filename}.eml";
809         if ( !-f "$pkitsdir/$filename" ) {
810             print "\"$filename\" not found\n";
811         }
812         else {
813             my $ret;
814             my $cmdout    = "";
815             my $errmsg    = "";
816             my $epol      = "";
817             my $aset      = "";
818             my $uset      = "";
819             my $pol       = -1;
820             my $test_fail = 0;
821             my $cmd       = $ossl_cmd;
822             $cmd .= "-in $pkitsdir/$filename $exargs -policy_print";
823             @oparr = `$cmd`;
824             $ret   = $? >> 8;
825
826             if ( $? & 0xff ) {
827                 $errmsg .= "Abnormal OpenSSL termination\n";
828                 $test_fail = 1;
829             }
830             foreach (@oparr) {
831                 my $test_failed = 0;
832                 $cmdout .= $_;
833                 if (/^Require explicit Policy: (.*)$/) {
834                     $epol = $1;
835                 }
836                 if (/^Authority Policies/) {
837                     if (/empty/) {
838                         $aset = "<empty>";
839                     }
840                     else {
841                         $pol = 1;
842                     }
843                 }
844                 $test_fail = 1 if (/leak/i);
845                 if (/^User Policies/) {
846                     if (/empty/) {
847                         $uset = "<empty>";
848                     }
849                     else {
850                         $pol = 2;
851                     }
852                 }
853                 if (/\s+Policy: (.*)$/) {
854                     if ( $pol == 1 ) {
855                         $aset .= ":" if $aset ne "";
856                         $aset .= $1;
857                     }
858                     elsif ( $pol == 2 ) {
859                         $uset .= ":" if $uset ne "";
860                         $uset .= $1;
861                     }
862                 }
863             }
864
865             if ( $epol ne $exp_epol ) {
866                 $errmsg .= "Explicit policy:$epol, ";
867                 $errmsg .= "expected $exp_epol\n";
868                 $test_fail = 1;
869             }
870             if ( $aset ne $exp_aset ) {
871                 $errmsg .= "Authority policy set :$aset, ";
872                 $errmsg .= "expected $exp_aset\n";
873                 $test_fail = 1;
874             }
875             if ( $uset ne $exp_uset ) {
876                 $errmsg .= "User policy set :$uset, ";
877                 $errmsg .= "expected $exp_uset\n";
878                 $test_fail = 1;
879             }
880
881             if ( $exp_ret != $ret ) {
882                 print "Return code:$ret, expected $exp_ret\n";
883                 $test_fail = 1;
884             }
885
886             if ($test_fail) {
887                 print "$tnum $title : Failed!\n";
888                 print "Filename: $pkitsdir/$filename\n";
889                 print "Command output:\n$cmdout\n";
890                 $numfail++;
891             }
892             $numtest++;
893         }
894     }
895 }
896
897 if ($numfail) {
898     print "$numfail tests failed out of $numtest\n";
899 }
900 else {
901     print "All Tests Successful.\n";
902 }
903
904 unlink "pkitsta.pem";
905