
  1. #!/bin/bash
  2. # Public Key Interoperability Test Suite (PKITS)
  3. # http://csrc.nist.gov/pki/testing/x509paths.html
  4. # http://csrc.nist.gov/groups/ST/crypto_apps_infra/documents/PKITS_data.zip
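# Usage: test_x509v3_nist2.sh <path to root test directory>
# The argument is the unpacked PKITS data; certificates are read from
# $TESTS/certs, and the validator binary is expected in the current directory.
if [ -z "$1" ]; then
  echo "usage: $0 <path to root test directory>" >&2
  exit 1
fi
TESTS=$1
if [ ! -d "$TESTS" ]; then
  echo "Not a directory: $TESTS" >&2
  exit 1
fi
# Fail early instead of reporting every case as failed when the validator
# has not been built.
if [ ! -x "$PWD/test-x509v3" ]; then
  echo "Validator not found or not executable: $PWD/test-x509v3" >&2
  exit 1
fi
# Validator command plus its flags; expanded unquoted on purpose by run_test
# so that the "-v" option is passed as a separate word.
X509TEST="$PWD/test-x509v3 -v"
# Per-test validator output is written to $TMPOUT.<test number> and kept
# only for failing cases.
TMPOUT="$PWD/test_x509v3_nist2.out"
# TODO: add support for validating CRLs
# Space-separated lists of test numbers, appended to by run_test.
SUCCESS=""
FAILURE=""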
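#######################################
# Run one PKITS path-validation case and record its outcome.
# Globals:   X509TEST (read), TMPOUT (read), SUCCESS and FAILURE (appended)
# Arguments: $1 - test number, e.g. 4.1.1; also the output-file suffix
#            $2 - expected result: 0 = validation must succeed,
#                 -1 = the certificate must fail to parse, any other value
#                 = the number the validator prints after
#                 "Certificate chain validation failed: "
#            $3.. - certificate files, EE first, then intermediate CAs;
#                 TrustAnchorRootCertificate.crt is appended automatically
# Outputs:   "<num> failed - ..." on stdout when the case fails; the
#            validator output stays in $TMPOUT.<num> for failed cases and is
#            deleted for passing ones
#######################################
run_test() {
  local num=$1
  local res=$2
  shift 2
  local out="$TMPOUT.$num"
  local ok=0
  local reason reasonnum valres

  # $X509TEST is deliberately unquoted: it carries the binary and its flags.
  $X509TEST "$@" TrustAnchorRootCertificate.crt > "$out"
  valres=$?

  if [ "$res" -eq 0 ]; then
    # expecting success
    if [ "$valres" -eq 0 ]; then
      ok=1
    else
      echo "$num failed - expected validation success"
    fi
  elif [ "$valres" -eq 0 ]; then
    # expecting failure, but the validator accepted the chain
    echo "$num failed - expected validation failure"
  elif reason=$(grep -m 1 "Certificate chain validation failed: " "$out"); then
    # Only the first matching line is used, and the fixed prefix is stripped
    # with parameter expansion (the original colrm-based cut assumed exactly
    # 37 leading columns and broke on multi-line matches).
    reasonnum=${reason#*"Certificate chain validation failed: "}
    # Guard the numeric comparison so unexpected output is reported as a
    # mismatch instead of a shell error.
    if [[ "$reasonnum" =~ ^-?[0-9]+$ ]] && [ "$reasonnum" -eq "$res" ]; then
      ok=1
    else
      echo "$num failed - expected validation result $res; result was $reasonnum"
    fi
  elif [ "$res" -eq -1 ]; then
    # expecting the certificate itself to be rejected by the parser
    if grep -q "Failed to parse X.509 certificate" "$out"; then
      ok=1
    else
      echo "$num failed - expected parsing failure; other type of error detected"
    fi
  else
    echo "$num failed - expected validation failure; other type of error detected"
  fi

  if [ "$ok" -eq 1 ]; then
    rm -f -- "$out"
    SUCCESS="$SUCCESS $num"
  else
    FAILURE="$FAILURE $num"
  fi
}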
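# The certificate files are named relative to the certs/ subdirectory of
# the PKITS data, so run every case from there. A failed pushd would make
# every case fail for the wrong reason, so abort instead.
pushd "$TESTS/certs" || exit 1
# Arguments: <test number> <expected result> <EE cert> [<intermediate CA>...]
# expected result: 0 = valid path, -1 = parse failure, otherwise the
# validator's numeric failure reason (see run_test).
run_test 4.1.1 0 ValidCertificatePathTest1EE.crt GoodCACert.crt
run_test 4.1.2 1 InvalidCASignatureTest2EE.crt BadSignedCACert.crt
run_test 4.1.3 1 InvalidEESignatureTest3EE.crt GoodCACert.crt
run_test 4.2.1 4 InvalidCAnotBeforeDateTest1EE.crt BadnotBeforeDateCACert.crt
run_test 4.2.2 4 InvalidEEnotBeforeDateTest2EE.crt GoodCACert.crt
run_test 4.2.3 0 Validpre2000UTCnotBeforeDateTest3EE.crt GoodCACert.crt
run_test 4.2.4 0 ValidGeneralizedTimenotBeforeDateTest4EE.crt GoodCACert.crt
run_test 4.2.5 4 InvalidCAnotAfterDateTest5EE.crt BadnotAfterDateCACert.crt
run_test 4.2.6 4 InvalidEEnotAfterDateTest6EE.crt GoodCACert.crt
run_test 4.2.7 4 Invalidpre2000UTCEEnotAfterDateTest7EE.crt GoodCACert.crt
run_test 4.2.8 0 ValidGeneralizedTimenotAfterDateTest8EE.crt GoodCACert.crt
run_test 4.3.1 5 InvalidNameChainingTest1EE.crt GoodCACert.crt
run_test 4.3.2 5 InvalidNameChainingOrderTest2EE.crt NameOrderingCACert.crt
run_test 4.3.3 0 ValidNameChainingWhitespaceTest3EE.crt GoodCACert.crt
run_test 4.3.4 0 ValidNameChainingWhitespaceTest4EE.crt GoodCACert.crt
run_test 4.3.5 0 ValidNameChainingCapitalizationTest5EE.crt GoodCACert.crt
run_test 4.3.6 0 ValidNameUIDsTest6EE.crt UIDCACert.crt
run_test 4.3.7 0 ValidRFC3280MandatoryAttributeTypesTest7EE.crt RFC3280MandatoryAttributeTypesCACert.crt
run_test 4.3.8 0 ValidRFC3280OptionalAttributeTypesTest8EE.crt RFC3280OptionalAttributeTypesCACert.crt
run_test 4.3.9 0 ValidUTF8StringEncodedNamesTest9EE.crt UTF8StringEncodedNamesCACert.crt
run_test 4.3.10 0 ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt RolloverfromPrintableStringtoUTF8StringCACert.crt
run_test 4.3.11 0 ValidUTF8StringCaseInsensitiveMatchTest11EE.crt UTF8StringCaseInsensitiveMatchCACert.crt
run_test 4.4.1 1 InvalidMissingCRLTest1EE.crt NoCRLCACert.crt
# skip rest of 4.4.x tests since CRLs are not yet supported
run_test 4.5.1 0 ValidBasicSelfIssuedOldWithNewTest1EE.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt BasicSelfIssuedNewKeyCACert.crt
run_test 4.5.2 3 InvalidBasicSelfIssuedOldWithNewTest2EE.crt BasicSelfIssuedNewKeyOldWithNewCACert.crt BasicSelfIssuedNewKeyCACert.crt
run_test 4.5.3 0 ValidBasicSelfIssuedNewWithOldTest3EE.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt BasicSelfIssuedOldKeyCACert.crt
run_test 4.5.4 0 ValidBasicSelfIssuedNewWithOldTest4EE.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt BasicSelfIssuedOldKeyCACert.crt
run_test 4.5.5 3 InvalidBasicSelfIssuedNewWithOldTest5EE.crt BasicSelfIssuedOldKeyNewWithOldCACert.crt BasicSelfIssuedOldKeyCACert.crt
run_test 4.5.6 0 ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt BasicSelfIssuedCRLSigningKeyCACert.crt
run_test 4.5.7 3 InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt BasicSelfIssuedCRLSigningKeyCACert.crt
run_test 4.5.8 1 InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt BasicSelfIssuedCRLSigningKeyCRLCert.crt BasicSelfIssuedCRLSigningKeyCACert.crt
run_test 4.6.1 1 InvalidMissingbasicConstraintsTest1EE.crt MissingbasicConstraintsCACert.crt
run_test 4.6.2 1 InvalidcAFalseTest2EE.crt basicConstraintsCriticalcAFalseCACert.crt
run_test 4.6.3 1 InvalidcAFalseTest3EE.crt basicConstraintsNotCriticalcAFalseCACert.crt
run_test 4.6.4 0 ValidbasicConstraintsNotCriticalTest4EE.crt basicConstraintsNotCriticalCACert.crt
run_test 4.6.5 1 InvalidpathLenConstraintTest5EE.crt pathLenConstraint0subCACert.crt pathLenConstraint0CACert.crt
run_test 4.6.6 1 InvalidpathLenConstraintTest6EE.crt pathLenConstraint0subCACert.crt pathLenConstraint0CACert.crt
run_test 4.6.7 0 ValidpathLenConstraintTest7EE.crt pathLenConstraint0CACert.crt
run_test 4.6.8 0 ValidpathLenConstraintTest8EE.crt pathLenConstraint0CACert.crt
run_test 4.6.9 1 InvalidpathLenConstraintTest9EE.crt pathLenConstraint6subsubCA00Cert.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6CACert.crt
run_test 4.6.10 1 InvalidpathLenConstraintTest10EE.crt pathLenConstraint6subsubCA00Cert.crt pathLenConstraint6subCA0Cert.crt pathLenConstraint6CACert.crt
run_test 4.6.11 1 InvalidpathLenConstraintTest11EE.crt pathLenConstraint6subsubsubCA11XCert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6CACert.crt
run_test 4.6.12 1 InvalidpathLenConstraintTest12EE.crt pathLenConstraint6subsubsubCA11XCert.crt pathLenConstraint6subsubCA11Cert.crt pathLenConstraint6subCA1Cert.crt pathLenConstraint6CACert.crt
run_test 4.6.13 0 ValidpathLenConstraintTest13EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt
run_test 4.6.14 0 ValidpathLenConstraintTest14EE.crt pathLenConstraint6subsubsubCA41XCert.crt pathLenConstraint6subsubCA41Cert.crt pathLenConstraint6subCA4Cert.crt pathLenConstraint6CACert.crt
run_test 4.6.15 0 ValidSelfIssuedpathLenConstraintTest15EE.crt pathLenConstraint0SelfIssuedCACert.crt pathLenConstraint0CACert.crt
run_test 4.6.16 1 InvalidSelfIssuedpathLenConstraintTest16EE.crt pathLenConstraint0subCA2Cert.crt pathLenConstraint0SelfIssuedCACert.crt pathLenConstraint0CACert.crt
run_test 4.6.17 0 ValidSelfIssuedpathLenConstraintTest17EE.crt pathLenConstraint1SelfIssuedsubCACert.crt pathLenConstraint1subCACert.crt pathLenConstraint1SelfIssuedCACert.crt pathLenConstraint1CACert.crt
run_test 4.7.1 1 InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt keyUsageCriticalkeyCertSignFalseCACert.crt
run_test 4.7.2 1 InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt keyUsageNotCriticalkeyCertSignFalseCACert.crt
run_test 4.7.3 0 ValidkeyUsageNotCriticalTest3EE.crt keyUsageNotCriticalCACert.crt
run_test 4.7.4 1 InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt keyUsageCriticalcRLSignFalseCACert.crt
run_test 4.7.5 1 InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt keyUsageNotCriticalcRLSignFalseCACert.crt
run_test 4.8.1 0 ValidCertificatePathTest1EE.crt GoodCACert.crt
run_test 4.8.2 0 AllCertificatesNoPoliciesTest2EE.crt NoPoliciesCACert.crt
run_test 4.8.3 0 DifferentPoliciesTest3EE.crt PoliciesP2subCACert.crt GoodCACert.crt
run_test 4.8.4 0 DifferentPoliciesTest4EE.crt GoodsubCACert.crt GoodCACert.crt
run_test 4.8.5 0 DifferentPoliciesTest5EE.crt PoliciesP2subCA2Cert.crt GoodCACert.crt
run_test 4.8.6 0 OverlappingPoliciesTest6EE.crt PoliciesP1234subsubCAP123P12Cert.crt PoliciesP1234subCAP123Cert.crt PoliciesP1234CACert.crt
run_test 4.8.7 0 DifferentPoliciesTest7EE.crt PoliciesP123subsubCAP12P1Cert.crt PoliciesP123subCAP12Cert.crt PoliciesP123CACert.crt
run_test 4.8.8 0 DifferentPoliciesTest8EE.crt PoliciesP12subsubCAP1P2Cert.crt PoliciesP12subCAP1Cert.crt PoliciesP12CACert.crt
run_test 4.8.9 0 DifferentPoliciesTest9EE.crt PoliciesP123subsubsubCAP12P2P1Cert.crt PoliciesP123subsubCAP12P2Cert.crt PoliciesP123subCAP12Cert.crt PoliciesP123CACert.crt
run_test 4.8.10 0 AllCertificatesSamePoliciesTest10EE.crt PoliciesP12CACert.crt
run_test 4.8.11 0 AllCertificatesanyPolicyTest11EE.crt anyPolicyCACert.crt
run_test 4.8.12 0 DifferentPoliciesTest12EE.crt PoliciesP3CACert.crt
run_test 4.8.13 0 AllCertificatesSamePoliciesTest13EE.crt PoliciesP123CACert.crt
run_test 4.8.14 0 AnyPolicyTest14EE.crt anyPolicyCACert.crt
run_test 4.8.15 0 UserNoticeQualifierTest15EE.crt
run_test 4.8.16 0 UserNoticeQualifierTest16EE.crt GoodCACert.crt
run_test 4.8.17 0 UserNoticeQualifierTest17EE.crt GoodCACert.crt
run_test 4.8.18 0 UserNoticeQualifierTest18EE.crt PoliciesP12CACert.crt
run_test 4.8.19 0 UserNoticeQualifierTest19EE.crt TrustAnchorRootCertificate.crt
run_test 4.8.20 0 CPSPointerQualifierTest20EE.crt GoodCACert.crt
run_test 4.16.1 0 ValidUnknownNotCriticalCertificateExtensionTest1EE.crt
run_test 4.16.2 -1 InvalidUnknownCriticalCertificateExtensionTest2EE.crt
if false; then
# DSA tests (currently disabled)
run_test 4.1.4 0 ValidDSASignaturesTest4EE.crt DSACACert.crt
fi
popd
echo "Successful tests:$SUCCESS"
echo "Failed tests:$FAILURE"
# Make the script's exit status reflect the result so a caller (e.g. a CI
# job) cannot mistake a run with failed cases for a clean one.
[ -z "$FAILURE" ]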