1#!/bin/bash 2 3# Public Key Interoperability Test Suite (PKITS) 4# http://csrc.nist.gov/pki/testing/x509paths.html 5# http://csrc.nist.gov/groups/ST/crypto_apps_infra/documents/PKITS_data.zip 6 7if [ -z "$1" ]; then 8 echo "usage: $0 <path to root test directory>" 9 exit 1 10fi 11 12TESTS=$1 13 14if [ ! -d $TESTS ]; then 15 echo "Not a directory: $TESTS" 16 exit 1 17fi 18 19X509TEST="$PWD/test-x509v3 -v" 20TMPOUT="$PWD/test_x509v3_nist2.out" 21 22# TODO: add support for validating CRLs 23 24SUCCESS="" 25FAILURE="" 26 27function run_test 28{ 29 NUM=$1 30 RES=$2 31 shift 2 32 $X509TEST "$@" TrustAnchorRootCertificate.crt > $TMPOUT.$NUM 33 VALRES=$? 34 OK=0 35 if [ $RES -eq 0 ]; then 36 # expecting success 37 if [ $VALRES -eq 0 ]; then 38 OK=1 39 else 40 echo "$NUM failed - expected validation success" 41 OK=0 42 fi 43 else 44 # expecting failure 45 if [ $VALRES -eq 0 ]; then 46 echo "$NUM failed - expected validation failure" 47 OK=0 48 else 49 REASON=`grep "Certificate chain validation failed: " $TMPOUT.$NUM` 50 if [ $? -eq 0 ]; then 51 REASONNUM=`echo "$REASON" | colrm 1 37` 52 if [ $REASONNUM -eq $RES ]; then 53 OK=1 54 else 55 echo "$NUM failed - expected validation result $RES; result was $REASONNUM" 56 OK=0 57 fi 58 else 59 if [ $RES -eq -1 ]; then 60 if grep -q "Failed to parse X.509 certificate" $TMPOUT.$NUM; then 61 OK=1 62 else 63 echo "$NUM failed - expected parsing failure; other type of error detected" 64 OK=0 65 fi 66 else 67 echo "$NUM failed - expected validation failure; other type of error detected" 68 OK=0 69 fi 70 fi 71 fi 72 fi 73 if [ $OK -eq 1 ]; then 74 rm $TMPOUT.$NUM 75 SUCCESS="$SUCCESS $NUM" 76 else 77 FAILURE="$FAILURE $NUM" 78 fi 79} 80 81pushd $TESTS/certs 82 83run_test 4.1.1 0 ValidCertificatePathTest1EE.crt GoodCACert.crt 84run_test 4.1.2 1 InvalidCASignatureTest2EE.crt BadSignedCACert.crt 85run_test 4.1.3 1 InvalidEESignatureTest3EE.crt GoodCACert.crt 86 87run_test 4.2.1 4 InvalidCAnotBeforeDateTest1EE.crt BadnotBeforeDateCACert.crt 88run_test 4.2.2 4 InvalidEEnotBeforeDateTest2EE.crt GoodCACert.crt 89run_test 4.2.3 0 Validpre2000UTCnotBeforeDateTest3EE.crt GoodCACert.crt 90run_test 4.2.4 0 ValidGeneralizedTimenotBeforeDateTest4EE.crt GoodCACert.crt 91run_test 4.2.5 4 InvalidCAnotAfterDateTest5EE.crt BadnotAfterDateCACert.crt 92run_test 4.2.6 4 InvalidEEnotAfterDateTest6EE.crt GoodCACert.crt 93run_test 4.2.7 4 Invalidpre2000UTCEEnotAfterDateTest7EE.crt GoodCACert.crt 94run_test 4.2.8 0 ValidGeneralizedTimenotAfterDateTest8EE.crt GoodCACert.crt 95 96run_test 4.3.1 5 InvalidNameChainingTest1EE.crt GoodCACert.crt 97run_test 4.3.2 5 InvalidNameChainingOrderTest2EE.crt NameOrderingCACert.crt 98run_test 4.3.3 0 ValidNameChainingWhitespaceTest3EE.crt GoodCACert.crt 99run_test 4.3.4 0 ValidNameChainingWhitespaceTest4EE.crt GoodCACert.crt 100run_test 4.3.5 0 ValidNameChainingCapitalizationTest5EE.crt GoodCACert.crt 101run_test 4.3.6 0 ValidNameUIDsTest6EE.crt UIDCACert.crt 102run_test 4.3.7 0 ValidRFC3280MandatoryAttributeTypesTest7EE.crt RFC3280MandatoryAttributeTypesCACert.crt 103run_test 4.3.8 0 ValidRFC3280OptionalAttributeTypesTest8EE.crt RFC3280OptionalAttributeTypesCACert.crt 104run_test 4.3.9 0 ValidUTF8StringEncodedNamesTest9EE.crt UTF8StringEncodedNamesCACert.crt 105run_test 4.3.10 0 ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt RolloverfromPrintableStringtoUTF8StringCACert.crt 106run_test 4.3.11 0 ValidUTF8StringCaseInsensitiveMatchTest11EE.crt UTF8StringCaseInsensitiveMatchCACert.crt 107 108run_test 4.4.1 1 InvalidMissingCRLTest1EE.crt NoCRLCACert.crt 109# skip rest of 4.4.x tests since CRLs are not yet supported 110 111run_test 4.5.1 0 ValidBasicSelfIssuedOldWithNewTest1EE.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt BasicSelfIssuedNewKeyCACert.crt 112run_test 4.5.2 3 InvalidBasicSelfIssuedOldWithNewTest2EE.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt BasicSelfIssuedNewKeyCACert.crt 113run_test 4.5.3 0 ValidBasicSelfIssuedNewWithOldTest3EE.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt BasicSelfIssuedOldKeyCACert.crt 114run_test 4.5.4 0 ValidBasicSelfIssuedNewWithOldTest4EE.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt BasicSelfIssuedOldKeyCACert.crt 115run_test 4.5.5 3 InvalidBasicSelfIssuedNewWithOldTest5EE.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt BasicSelfIssuedOldKeyCACert.crt 116run_test 4.5.6 0 ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt BasicSelfIssuedCRLSigningKeyCACert.crt 117run_test 4.5.7 3 InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt BasicSelfIssuedCRLSigningKeyCACert.crt 118run_test 4.5.8 1 InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt BasicSelfIssuedCRLSigningKeyCACert.crt 119 120run_test 4.6.1 1 InvalidMissingbasicConstraintsTest1EE.crt MissingbasicConstraintsCACert.crt 121run_test 4.6.2 1 InvalidcAFalseTest2EE.crt basicConstraintsCriticalcAFalseCACert.crt 122run_test 4.6.3 1 InvalidcAFalseTest3EE.crt basicConstraintsNotCriticalcAFalseCACert.crt 123run_test 4.6.4 0 ValidbasicConstraintsNotCriticalTest4EE.crt basicConstraintsNotCriticalCACert.crt 124run_test 4.6.5 1 InvalidpathLenConstraintTest5EE.crt pathLenConstraint0subCACert.crt pathLenConstraint0CACert.crt 125run_test 4.6.6 1 InvalidpathLenConstraintTest6EE.crt pathLenConstraint0subCACert.crt pathLenConstraint0CACert.crt 126run_test 4.6.7 0 ValidpathLenConstraintTest7EE.crt pathLenConstraint0CACert.crt 127run_test 4.6.8 0 ValidpathLenConstraintTest8EE.crt pathLenConstraint0CACert.crt 128run_test 4.6.9 1 InvalidpathLenConstraintTest9EE.crt pathLenConstraint6subsubCA00Cert.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6CACert.crt 129run_test 4.6.10 1 InvalidpathLenConstraintTest10EE.crt pathLenConstraint6subsubCA00Cert.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6CACert.crt 130run_test 4.6.11 1 InvalidpathLenConstraintTest11EE.crt pathLenConstraint6subsubsubCA11XCert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6CACert.crt 131run_test 4.6.12 1 InvalidpathLenConstraintTest12EE.crt pathLenConstraint6subsubsubCA11XCert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6CACert.crt 132run_test 4.6.13 0 ValidpathLenConstraintTest13EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt 133run_test 4.6.14 0 ValidpathLenConstraintTest14EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt 134run_test 4.6.15 0 ValidSelfIssuedpathLenConstraintTest15EE.crt pathLenConstraint0SelfIssuedCACert.crt pathLenConstraint0CACert.crt 135run_test 4.6.16 1 InvalidSelfIssuedpathLenConstraintTest16EE.crt pathLenConstraint0subCA2Cert.crt pathLenConstraint0SelfIssuedCACert.crt pathLenConstraint0CACert.crt 136run_test 4.6.17 0 ValidSelfIssuedpathLenConstraintTest17EE.crt pathLenConstraint1SelfIssuedsubCACert.crt pathLenConstraint1subCACert.crt pathLenConstraint1SelfIssuedCACert.crt pathLenConstraint1CACert.crt 137 138run_test 4.7.1 1 InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt keyUsageCriticalkeyCertSignFalseCACert.crt 139run_test 4.7.2 1 InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt keyUsageNotCriticalkeyCertSignFalseCACert.crt 140run_test 4.7.3 0 ValidkeyUsageNotCriticalTest3EE.crt keyUsageNotCriticalCACert.crt 141run_test 4.7.4 1 InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt keyUsageCriticalcRLSignFalseCACert.crt 142run_test 4.7.5 1 InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt keyUsageNotCriticalcRLSignFalseCACert.crt 143 144run_test 4.8.1 0 ValidCertificatePathTest1EE.crt GoodCACert.crt 145run_test 4.8.2 0 AllCertificatesNoPoliciesTest2EE.crt NoPoliciesCACert.crt 146run_test 4.8.3 0 DifferentPoliciesTest3EE.crt PoliciesP2subCACert.crt GoodCACert.crt 147run_test 4.8.4 0 DifferentPoliciesTest4EE.crt GoodsubCACert.crt GoodCACert.crt 148run_test 4.8.5 0 DifferentPoliciesTest5EE.crt PoliciesP2subCA2Cert.crt GoodCACert.crt 149run_test 4.8.6 0 OverlappingPoliciesTest6EE.crt PoliciesP1234subsubCAP123P12Cert.crt PoliciesP1234subCAP123Cert.crt PoliciesP1234CACert.crt 150run_test 4.8.7 0 DifferentPoliciesTest7EE.crt PoliciesP123subsubCAP12P1Cert.crt PoliciesP123subCAP12Cert.crt PoliciesP123CACert.crt 151run_test 4.8.8 0 DifferentPoliciesTest8EE.crt PoliciesP12subsubCAP1P2Cert.crt PoliciesP12subCAP1Cert.crt PoliciesP12CACert.crt 152run_test 4.8.9 0 DifferentPoliciesTest9EE.crt PoliciesP123subsubsubCAP12P2P1Cert.crt PoliciesP123subsubCAP12P2Cert.crt PoliciesP123subCAP12Cert.crt PoliciesP123CACert.crt 153run_test 4.8.10 0 AllCertificatesSamePoliciesTest10EE.crt PoliciesP12CACert.crt 154run_test 4.8.11 0 AllCertificatesanyPolicyTest11EE.crt anyPolicyCACert.crt 155run_test 4.8.12 0 DifferentPoliciesTest12EE.crt PoliciesP3CACert.crt 156run_test 4.8.13 0 AllCertificatesSamePoliciesTest13EE.crt PoliciesP123CACert.crt 157run_test 4.8.14 0 AnyPolicyTest14EE.crt anyPolicyCACert.crt 158run_test 4.8.15 0 UserNoticeQualifierTest15EE.crt 159run_test 4.8.16 0 UserNoticeQualifierTest16EE.crt GoodCACert.crt 160run_test 4.8.17 0 UserNoticeQualifierTest17EE.crt GoodCACert.crt 161run_test 4.8.18 0 UserNoticeQualifierTest18EE.crt PoliciesP12CACert.crt 162run_test 4.8.19 0 UserNoticeQualifierTest19EE.crt TrustAnchorRootCertificate.crt 163run_test 4.8.20 0 CPSPointerQualifierTest20EE.crt GoodCACert.crt 164 165run_test 4.16.1 0 ValidUnknownNotCriticalCertificateExtensionTest1EE.crt 166run_test 4.16.2 -1 InvalidUnknownCriticalCertificateExtensionTest2EE.crt 167 168if false; then 169# DSA tests 170run_test 4.1.4 0 ValidDSASignaturesTest4EE.crt DSACACert.crt 171fi 172 173popd 174 175 176echo "Successful tests:$SUCCESS" 177echo "Failed tests:$FAILURE" 178
