      1 #!/bin/sh
      2 
      3 # Public Key Interoperability Test Suite (PKITS)
      4 # http://csrc.nist.gov/pki/testing/x509paths.html
      5 # http://csrc.nist.gov/pki/testing/PKITS_data.zip
      6 
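      # Command-line handling and shared state for the PKITS run.
      # The single argument is the root of the extracted PKITS test data.
      if [ -z "$1" ]; then
          # Diagnostics go to stderr so they are never mistaken for test results.
          echo "usage: $0 <path to root test directory>" >&2
          exit 1
      fi

      TESTS=$1

      # Quoted: an unquoted path containing whitespace or glob characters would
      # be split into several words and make the directory check meaningless.
      if [ ! -d "$TESTS" ]; then
          echo "Not a directory: $TESTS" >&2
          exit 1
      fi

      # Validator command line and prefix of the per-test output files. Both are
      # anchored to the directory the script is started from.
      # NOTE: X509TEST carries the program path and its -v option in one string
      # and is expanded unquoted where it is run, so a start directory whose path
      # contains whitespace will break the invocation.
      X509TEST="$PWD/test_x509v3 -v"
      TMPOUT="$PWD/test_x509v3_nist2.out"

      # TODO: add support for validating CRLs

      # Space-separated lists of test numbers, appended to by run_test.
      SUCCESS=""
      FAILURE=""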
     26 
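     # Run one PKITS path-validation test and record whether the validator
     # behaved as expected.
     #
     # Globals:
     #   X509TEST (read)  - validator command line; expanded unquoted on purpose
     #                      because it holds the program path plus its -v option
     #   TMPOUT (read)    - prefix of the per-test output file ($TMPOUT.<number>)
     #   SUCCESS, FAILURE (written) - space-separated lists of test numbers
     #   NUM, RES, VALRES, OK, REASON, REASONNUM (written) - scratch variables
     # Arguments:
     #   $1   - test number, e.g. 4.1.1
     #   $2   - expected result: 0 when the path must validate, otherwise the
     #          numeric reason the validator must report for the rejection
     #   $3.. - certificate files, handed to the validator in the order given;
     #          TrustAnchorRootCertificate.crt is appended as the last argument
     # Outputs:
     #   One line on stdout for every test that does not behave as expected.
     #   The output file of a failed test is kept for inspection; the file of a
     #   passed test is removed.
     #
     # Defined with the POSIX name() form: the script runs under #!/bin/sh, and
     # the "function" keyword is not accepted by every /bin/sh.
     run_test()
     {
         NUM=$1
         RES=$2
         shift 2
         # shellcheck disable=SC2086 # X509TEST is "<program> -v" and must be split
         $X509TEST "$@" TrustAnchorRootCertificate.crt > "$TMPOUT.$NUM"
         VALRES=$?
         OK=0
         if [ "$RES" -eq 0 ]; then
             # expecting success
             if [ "$VALRES" -eq 0 ]; then
                 OK=1
             else
                 echo "$NUM failed - expected validation success"
             fi
         elif [ "$VALRES" -eq 0 ]; then
             # expecting failure, but the chain was accepted
             echo "$NUM failed - expected validation failure"
         elif REASON=$(grep "Certificate chain validation failed: " "$TMPOUT.$NUM"); then
             # A rejection only counts when it is reported for the expected
             # reason; a chain refused for an unrelated reason would otherwise
             # hide a check that is missing from the validator.
             # The marker is stripped with a parameter expansion, so no external
             # column tool is needed and text in front of the marker is tolerated.
             REASONNUM=${REASON#*"Certificate chain validation failed: "}
             # stderr is dropped only for the case where the remainder is not a
             # number; that case is still reported through the message below.
             if [ "$REASONNUM" -eq "$RES" ] 2>/dev/null; then
                 OK=1
             else
                 echo "$NUM failed - expected validation result $RES; result was $REASONNUM"
             fi
         else
             # Non-zero exit without a validation verdict (for example the
             # validator could not run or could not parse its input).
             echo "$NUM failed - expected validation failure; other type of error detected"
         fi
         if [ "$OK" -eq 1 ]; then
             rm -- "$TMPOUT.$NUM"
             SUCCESS="$SUCCESS $NUM"
         else
             FAILURE="$FAILURE $NUM"
         fi
     }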
     71 
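     # Test table. Each line is: test number, expected result (0 = the path must
     # validate, non-zero = the reason code the validator must report), then the
     # certificate files handed to the validator.
     #
     # The certificate names are relative, so the run must happen inside the
     # certs directory. The directory change is checked: if it failed, every
     # test would run against the wrong directory and the results would say
     # nothing about the validator. cd is used instead of pushd/popd because the
     # script runs under #!/bin/sh, where those builtins may not exist.
     START_DIR=$PWD
     cd "$TESTS/certs" || {
         echo "Cannot enter directory: $TESTS/certs" >&2
         exit 1
     }

     # 4.1 signature verification
     run_test 4.1.1 0 ValidCertificatePathTest1EE.crt GoodCACert.crt
     run_test 4.1.2 1 InvalidCASignatureTest2EE.crt BadSignedCACert.crt
     run_test 4.1.3 1 InvalidEESignatureTest3EE.crt GoodCACert.crt

     # 4.2 validity periods (notBefore / notAfter)
     run_test 4.2.1 4 InvalidCAnotBeforeDateTest1EE.crt BadnotBeforeDateCACert.crt
     run_test 4.2.2 4 InvalidEEnotBeforeDateTest2EE.crt GoodCACert.crt
     run_test 4.2.3 0 Validpre2000UTCnotBeforeDateTest3EE.crt GoodCACert.crt
     run_test 4.2.4 0 ValidGeneralizedTimenotBeforeDateTest4EE.crt GoodCACert.crt
     run_test 4.2.5 4 InvalidCAnotAfterDateTest5EE.crt BadnotAfterDateCACert.crt
     run_test 4.2.6 4 InvalidEEnotAfterDateTest6EE.crt GoodCACert.crt
     run_test 4.2.7 4 Invalidpre2000UTCEEnotAfterDateTest7EE.crt GoodCACert.crt
     run_test 4.2.8 0 ValidGeneralizedTimenotAfterDateTest8EE.crt GoodCACert.crt

     # 4.3 name chaining
     run_test 4.3.1 5 InvalidNameChainingTest1EE.crt GoodCACert.crt
     run_test 4.3.2 5 InvalidNameChainingOrderTest2EE.crt NameOrderingCACert.crt
     run_test 4.3.3 0 ValidNameChainingWhitespaceTest3EE.crt GoodCACert.crt
     run_test 4.3.4 0 ValidNameChainingWhitespaceTest4EE.crt GoodCACert.crt
     run_test 4.3.5 0 ValidNameChainingCapitalizationTest5EE.crt GoodCACert.crt
     run_test 4.3.6 0 ValidNameUIDsTest6EE.crt UIDCACert.crt
     run_test 4.3.7 0 ValidRFC3280MandatoryAttributeTypesTest7EE.crt RFC3280MandatoryAttributeTypesCACert.crt
     run_test 4.3.8 0 ValidRFC3280OptionalAttributeTypesTest8EE.crt RFC3280OptionalAttributeTypesCACert.crt
     run_test 4.3.9 0 ValidUTF8StringEncodedNamesTest9EE.crt UTF8StringEncodedNamesCACert.crt
     run_test 4.3.10 0 ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt RolloverfromPrintableStringtoUTF8StringCACert.crt
     run_test 4.3.11 0 ValidUTF8StringCaseInsensitiveMatchTest11EE.crt UTF8StringCaseInsensitiveMatchCACert.crt

     # 4.4 revocation: only the missing-CRL case is run, so revocation checking
     # itself is not covered by this script.
     run_test 4.4.1 1 InvalidMissingCRLTest1EE.crt NoCRLCACert.crt
     # skip rest of 4.4.x tests since CRLs are not yet supported

     # 4.5 self-issued certificates
     run_test 4.5.1 0 ValidBasicSelfIssuedOldWithNewTest1EE.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt BasicSelfIssuedNewKeyCACert.crt
     run_test 4.5.2 3 InvalidBasicSelfIssuedOldWithNewTest2EE.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt BasicSelfIssuedNewKeyCACert.crt
     run_test 4.5.3 0 ValidBasicSelfIssuedNewWithOldTest3EE.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt BasicSelfIssuedOldKeyCACert.crt
     run_test 4.5.4 0 ValidBasicSelfIssuedNewWithOldTest4EE.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt BasicSelfIssuedOldKeyCACert.crt
     run_test 4.5.5 3 InvalidBasicSelfIssuedNewWithOldTest5EE.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt BasicSelfIssuedOldKeyCACert.crt
     run_test 4.5.6 0 ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt BasicSelfIssuedCRLSigningKeyCACert.crt
     run_test 4.5.7 3 InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt BasicSelfIssuedCRLSigningKeyCACert.crt
     run_test 4.5.8 1 InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt BasicSelfIssuedCRLSigningKeyCACert.crt

     # 4.6 basic constraints (cA flag and pathLenConstraint)
     run_test 4.6.1 1 InvalidMissingbasicConstraintsTest1EE.crt MissingbasicConstraintsCACert.crt
     run_test 4.6.2 1 InvalidcAFalseTest2EE.crt basicConstraintsCriticalcAFalseCACert.crt
     run_test 4.6.3 1 InvalidcAFalseTest3EE.crt basicConstraintsNotCriticalcAFalseCACert.crt
     run_test 4.6.4 0 ValidbasicConstraintsNotCriticalTest4EE.crt basicConstraintsNotCriticalCACert.crt
     run_test 4.6.5 1 InvalidpathLenConstraintTest5EE.crt pathLenConstraint0subCACert.crt pathLenConstraint0CACert.crt
     run_test 4.6.6 1 InvalidpathLenConstraintTest6EE.crt pathLenConstraint0subCACert.crt pathLenConstraint0CACert.crt
     run_test 4.6.7 0 ValidpathLenConstraintTest7EE.crt pathLenConstraint0CACert.crt
     run_test 4.6.8 0 ValidpathLenConstraintTest8EE.crt pathLenConstraint0CACert.crt
     run_test 4.6.9 1 InvalidpathLenConstraintTest9EE.crt pathLenConstraint6subsubCA00Cert.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6CACert.crt
     run_test 4.6.10 1 InvalidpathLenConstraintTest10EE.crt pathLenConstraint6subsubCA00Cert.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6CACert.crt
     run_test 4.6.11 1 InvalidpathLenConstraintTest11EE.crt pathLenConstraint6subsubsubCA11XCert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6CACert.crt
     run_test 4.6.12 1 InvalidpathLenConstraintTest12EE.crt pathLenConstraint6subsubsubCA11XCert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6CACert.crt
     run_test 4.6.13 0 ValidpathLenConstraintTest13EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt
     run_test 4.6.14 0 ValidpathLenConstraintTest14EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt
     run_test 4.6.15 0 ValidSelfIssuedpathLenConstraintTest15EE.crt pathLenConstraint0SelfIssuedCACert.crt pathLenConstraint0CACert.crt
     run_test 4.6.16 1 InvalidSelfIssuedpathLenConstraintTest16EE.crt pathLenConstraint0subCA2Cert.crt pathLenConstraint0SelfIssuedCACert.crt pathLenConstraint0CACert.crt
     run_test 4.6.17 0 ValidSelfIssuedpathLenConstraintTest17EE.crt pathLenConstraint1SelfIssuedsubCACert.crt pathLenConstraint1subCACert.crt pathLenConstraint1SelfIssuedCACert.crt pathLenConstraint1CACert.crt

     # 4.7 key usage (keyCertSign / cRLSign)
     run_test 4.7.1 1 InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt keyUsageCriticalkeyCertSignFalseCACert.crt
     run_test 4.7.2 1 InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt keyUsageNotCriticalkeyCertSignFalseCACert.crt
     run_test 4.7.3 0 ValidkeyUsageNotCriticalTest3EE.crt keyUsageNotCriticalCACert.crt
     run_test 4.7.4 1 InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt keyUsageCriticalcRLSignFalseCACert.crt
     run_test 4.7.5 1 InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt keyUsageNotCriticalcRLSignFalseCACert.crt

     # 4.8 certificate policies. Every case here expects result 0 and only
     # certificate files are passed to the validator, so these lines check that
     # the chains are accepted.
     # NOTE(review): policy-processing outcomes do not appear to be asserted by
     # this table - confirm before relying on it for policy coverage.
     run_test 4.8.1 0 ValidCertificatePathTest1EE.crt GoodCACert.crt
     run_test 4.8.2 0 AllCertificatesNoPoliciesTest2EE.crt NoPoliciesCACert.crt
     run_test 4.8.3 0 DifferentPoliciesTest3EE.crt PoliciesP2subCACert.crt GoodCACert.crt
     run_test 4.8.4 0 DifferentPoliciesTest4EE.crt GoodsubCACert.crt GoodCACert.crt
     run_test 4.8.5 0 DifferentPoliciesTest5EE.crt PoliciesP2subCA2Cert.crt GoodCACert.crt
     run_test 4.8.6 0 OverlappingPoliciesTest6EE.crt PoliciesP1234subsubCAP123P12Cert.crt PoliciesP1234subCAP123Cert.crt PoliciesP1234CACert.crt
     run_test 4.8.7 0 DifferentPoliciesTest7EE.crt PoliciesP123subsubCAP12P1Cert.crt PoliciesP123subCAP12Cert.crt PoliciesP123CACert.crt
     run_test 4.8.8 0 DifferentPoliciesTest8EE.crt PoliciesP12subsubCAP1P2Cert.crt PoliciesP12subCAP1Cert.crt PoliciesP12CACert.crt
     run_test 4.8.9 0 DifferentPoliciesTest9EE.crt PoliciesP123subsubsubCAP12P2P1Cert.crt PoliciesP123subsubCAP12P2Cert.crt PoliciesP123subCAP12Cert.crt PoliciesP123CACert.crt
     run_test 4.8.10 0 AllCertificatesSamePoliciesTest10EE.crt PoliciesP12CACert.crt
     run_test 4.8.11 0 AllCertificatesanyPolicyTest11EE.crt anyPolicyCACert.crt
     run_test 4.8.12 0 DifferentPoliciesTest12EE.crt PoliciesP3CACert.crt
     run_test 4.8.13 0 AllCertificatesSamePoliciesTest13EE.crt PoliciesP123CACert.crt
     run_test 4.8.14 0 AnyPolicyTest14EE.crt anyPolicyCACert.crt
     run_test 4.8.15 0 UserNoticeQualifierTest15EE.crt
     run_test 4.8.16 0 UserNoticeQualifierTest16EE.crt GoodCACert.crt
     run_test 4.8.17 0 UserNoticeQualifierTest17EE.crt GoodCACert.crt
     run_test 4.8.18 0 UserNoticeQualifierTest18EE.crt PoliciesP12CACert.crt
     run_test 4.8.19 0 UserNoticeQualifierTest19EE.crt TrustAnchorRootCertificate.crt
     run_test 4.8.20 0 CPSPointerQualifierTest20EE.crt GoodCACert.crt

     # Disabled on purpose: the DSA signature case is kept for reference but is
     # never executed, so DSA chains are not covered by this run.
     if false; then
     # DSA tests
     run_test 4.1.4 0 ValidDSASignaturesTest4EE.crt DSACACert.crt
     fi

     cd "$START_DIR" || exit 1


     echo "Successful tests:$SUCCESS"
     echo "Failed tests:$FAILURE"

     # Report failures through the exit status as well, so automation that only
     # looks at the return code cannot take a failed validation test for a pass.
     if [ -n "$FAILURE" ]; then
         exit 1
     fi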
    166