summaryrefslogtreecommitdiff
path: root/src/lib/libssl/test
diff options
context:
space:
mode:
authordjm <>2010-10-01 22:54:21 +0000
committerdjm <>2010-10-01 22:54:21 +0000
commit829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2 (patch)
treee03b9f1bd051e844b971936729e9df549a209130 /src/lib/libssl/test
parente6b755d2a53d3cac7a344dfdd6bf7c951cac754c (diff)
downloadopenbsd-829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2.tar.gz
openbsd-829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2.tar.bz2
openbsd-829fd51d4f8dde4a7f3bf54754f3c1d1a502f5e2.zip
import OpenSSL-1.0.0a
Diffstat (limited to 'src/lib/libssl/test')
-rw-r--r--src/lib/libssl/test/CAss.cnf2
-rw-r--r--src/lib/libssl/test/CAtsa.cnf163
-rw-r--r--src/lib/libssl/test/Uss.cnf2
-rwxr-xr-xsrc/lib/libssl/test/asn1test.c22
-rw-r--r--src/lib/libssl/test/cms-test.pl18
-rw-r--r--src/lib/libssl/test/pkits-test.pl940
-rwxr-xr-xsrc/lib/libssl/test/test_padlock64
-rw-r--r--src/lib/libssl/test/testssl6
-rw-r--r--src/lib/libssl/test/testtsa238
-rw-r--r--src/lib/libssl/test/times16
10 files changed, 1452 insertions, 19 deletions
diff --git a/src/lib/libssl/test/CAss.cnf b/src/lib/libssl/test/CAss.cnf
index 546e660626..20f8f05e3d 100644
--- a/src/lib/libssl/test/CAss.cnf
+++ b/src/lib/libssl/test/CAss.cnf
@@ -7,7 +7,7 @@ RANDFILE = ./.rnd
7 7
8#################################################################### 8####################################################################
9[ req ] 9[ req ]
10default_bits = 1024 10default_bits = 512
11default_keyfile = keySS.pem 11default_keyfile = keySS.pem
12distinguished_name = req_distinguished_name 12distinguished_name = req_distinguished_name
13encrypt_rsa_key = no 13encrypt_rsa_key = no
diff --git a/src/lib/libssl/test/CAtsa.cnf b/src/lib/libssl/test/CAtsa.cnf
new file mode 100644
index 0000000000..f5a275bfc2
--- /dev/null
+++ b/src/lib/libssl/test/CAtsa.cnf
@@ -0,0 +1,163 @@
1
2#
3# This config is used by the Time Stamp Authority tests.
4#
5
6RANDFILE = ./.rnd
7
8# Extra OBJECT IDENTIFIER info:
9oid_section = new_oids
10
11TSDNSECT = ts_cert_dn
12INDEX = 1
13
14[ new_oids ]
15
16# Policies used by the TSA tests.
17tsa_policy1 = 1.2.3.4.1
18tsa_policy2 = 1.2.3.4.5.6
19tsa_policy3 = 1.2.3.4.5.7
20
21#----------------------------------------------------------------------
22[ ca ]
23default_ca = CA_default # The default ca section
24
25[ CA_default ]
26
27dir = ./demoCA
28certs = $dir/certs # Where the issued certs are kept
29database = $dir/index.txt # database index file.
30new_certs_dir = $dir/newcerts # default place for new certs.
31
32certificate = $dir/cacert.pem # The CA certificate
33serial = $dir/serial # The current serial number
34private_key = $dir/private/cakey.pem# The private key
35RANDFILE = $dir/private/.rand # private random number file
36
37default_days = 365 # how long to certify for
38default_md = sha1 # which md to use.
39preserve = no # keep passed DN ordering
40
41policy = policy_match
42
43# For the CA policy
44[ policy_match ]
45countryName = supplied
46stateOrProvinceName = supplied
47organizationName = supplied
48organizationalUnitName = optional
49commonName = supplied
50emailAddress = optional
51
52#----------------------------------------------------------------------
53[ req ]
54default_bits = 1024
55default_md = sha1
56distinguished_name = $ENV::TSDNSECT
57encrypt_rsa_key = no
58prompt = no
59# attributes = req_attributes
60x509_extensions = v3_ca # The extentions to add to the self signed cert
61
62string_mask = nombstr
63
64[ ts_ca_dn ]
65countryName = HU
66stateOrProvinceName = Budapest
67localityName = Budapest
68organizationName = Gov-CA Ltd.
69commonName = ca1
70
71[ ts_cert_dn ]
72countryName = HU
73stateOrProvinceName = Budapest
74localityName = Buda
75organizationName = Hun-TSA Ltd.
76commonName = tsa$ENV::INDEX
77
78[ tsa_cert ]
79
80# TSA server cert is not a CA cert.
81basicConstraints=CA:FALSE
82
83# The following key usage flags are needed for TSA server certificates.
84keyUsage = nonRepudiation, digitalSignature
85extendedKeyUsage = critical,timeStamping
86
87# PKIX recommendations harmless if included in all certificates.
88subjectKeyIdentifier=hash
89authorityKeyIdentifier=keyid,issuer:always
90
91[ non_tsa_cert ]
92
93# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
94basicConstraints=CA:FALSE
95
96# The following key usage flags are needed for TSA server certificates.
97keyUsage = nonRepudiation, digitalSignature
98# timeStamping is not supported by this certificate
99# extendedKeyUsage = critical,timeStamping
100
101# PKIX recommendations harmless if included in all certificates.
102subjectKeyIdentifier=hash
103authorityKeyIdentifier=keyid,issuer:always
104
105[ v3_req ]
106
107# Extensions to add to a certificate request
108basicConstraints = CA:FALSE
109keyUsage = nonRepudiation, digitalSignature
110
111[ v3_ca ]
112
113# Extensions for a typical CA
114
115subjectKeyIdentifier=hash
116authorityKeyIdentifier=keyid:always,issuer:always
117basicConstraints = critical,CA:true
118keyUsage = cRLSign, keyCertSign
119
120#----------------------------------------------------------------------
121[ tsa ]
122
123default_tsa = tsa_config1 # the default TSA section
124
125[ tsa_config1 ]
126
127# These are used by the TSA reply generation only.
128dir = . # TSA root directory
129serial = $dir/tsa_serial # The current serial number (mandatory)
130signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
131 # (optional)
132certs = $dir/tsaca.pem # Certificate chain to include in reply
133 # (optional)
134signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
135
136default_policy = tsa_policy1 # Policy if request did not specify it
137 # (optional)
138other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
139digests = md5, sha1 # Acceptable message digests (mandatory)
140accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
141ordering = yes # Is ordering defined for timestamps?
142 # (optional, default: no)
143tsa_name = yes # Must the TSA name be included in the reply?
144 # (optional, default: no)
145ess_cert_id_chain = yes # Must the ESS cert id chain be included?
146 # (optional, default: no)
147
148[ tsa_config2 ]
149
150# This configuration uses a certificate which doesn't have timeStamping usage.
151# These are used by the TSA reply generation only.
152dir = . # TSA root directory
153serial = $dir/tsa_serial # The current serial number (mandatory)
154signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
155 # (optional)
156certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
157 # (optional)
158signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
159
160default_policy = tsa_policy1 # Policy if request did not specify it
161 # (optional)
162other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
163digests = md5, sha1 # Acceptable message digests (mandatory)
diff --git a/src/lib/libssl/test/Uss.cnf b/src/lib/libssl/test/Uss.cnf
index 98b2e054b7..0c0ebb5f67 100644
--- a/src/lib/libssl/test/Uss.cnf
+++ b/src/lib/libssl/test/Uss.cnf
@@ -7,7 +7,7 @@ RANDFILE = ./.rnd
7 7
8#################################################################### 8####################################################################
9[ req ] 9[ req ]
10default_bits = 1024 10default_bits = 512
11default_keyfile = keySS.pem 11default_keyfile = keySS.pem
12distinguished_name = req_distinguished_name 12distinguished_name = req_distinguished_name
13encrypt_rsa_key = no 13encrypt_rsa_key = no
diff --git a/src/lib/libssl/test/asn1test.c b/src/lib/libssl/test/asn1test.c
new file mode 100755
index 0000000000..9f53d80344
--- /dev/null
+++ b/src/lib/libssl/test/asn1test.c
@@ -0,0 +1,22 @@
1#include <openssl/x509.h>
2#include <openssl/asn1_mac.h>
3
4typedef struct X
5 {
6 STACK_OF(X509_EXTENSION) *ext;
7 } X;
8
9/* This isn't meant to run particularly, it's just to test type checking */
10int main(int argc, char **argv)
11 {
12 X *x = NULL;
13 unsigned char **pp = NULL;
14
15 M_ASN1_I2D_vars(x);
16 M_ASN1_I2D_len_SEQUENCE_opt_type(X509_EXTENSION, x->ext,
17 i2d_X509_EXTENSION);
18 M_ASN1_I2D_seq_total();
19 M_ASN1_I2D_put_SEQUENCE_opt_type(X509_EXTENSION, x->ext,
20 i2d_X509_EXTENSION);
21 M_ASN1_I2D_finish();
22 }
diff --git a/src/lib/libssl/test/cms-test.pl b/src/lib/libssl/test/cms-test.pl
index a84e089ddc..9c50dff3e9 100644
--- a/src/lib/libssl/test/cms-test.pl
+++ b/src/lib/libssl/test/cms-test.pl
@@ -54,8 +54,12 @@
54# OpenSSL PKCS#7 and CMS implementations. 54# OpenSSL PKCS#7 and CMS implementations.
55 55
56my $ossl_path; 56my $ossl_path;
57 57my $redir = " 2>cms.err 1>cms.out";
58if ( -f "../apps/openssl" ) { 58# Make MSYS work
59if ( $^O eq "MSWin32" && -f "../apps/openssl.exe" ) {
60 $ossl_path = "cmd /c ..\\apps\\openssl";
61}
62elsif ( -f "../apps/openssl$ENV{EXE_EXT}" ) {
59 $ossl_path = "../util/shlib_wrap.sh ../apps/openssl"; 63 $ossl_path = "../util/shlib_wrap.sh ../apps/openssl";
60} 64}
61elsif ( -f "..\\out32dll\\openssl.exe" ) { 65elsif ( -f "..\\out32dll\\openssl.exe" ) {
@@ -232,7 +236,7 @@ my @smime_cms_tests = (
232 [ 236 [
233 "signed content MIME format, RSA key, signed receipt request", 237 "signed content MIME format, RSA key, signed receipt request",
234 "-sign -in smcont.txt -signer $smdir/smrsa1.pem -nodetach" 238 "-sign -in smcont.txt -signer $smdir/smrsa1.pem -nodetach"
235 . " -receipt_request_to test@openssl.org -receipt_request_all" 239 . " -receipt_request_to test\@openssl.org -receipt_request_all"
236 . " -out test.cms", 240 . " -out test.cms",
237 "-verify -in test.cms " 241 "-verify -in test.cms "
238 . " -CAfile $smdir/smroot.pem -out smtst.txt" 242 . " -CAfile $smdir/smroot.pem -out smtst.txt"
@@ -333,10 +337,6 @@ my @smime_cms_comp_tests = (
333 337
334); 338);
335 339
336print "PKCS#7 <=> PKCS#7 consistency tests\n";
337
338run_smime_tests( \$badcmd, \@smime_pkcs7_tests, $pk7cmd, $pk7cmd );
339
340print "CMS => PKCS#7 compatibility tests\n"; 340print "CMS => PKCS#7 compatibility tests\n";
341 341
342run_smime_tests( \$badcmd, \@smime_pkcs7_tests, $cmscmd, $pk7cmd ); 342run_smime_tests( \$badcmd, \@smime_pkcs7_tests, $cmscmd, $pk7cmd );
@@ -386,14 +386,14 @@ sub run_smime_tests {
386 $rscmd =~ s/-stream//; 386 $rscmd =~ s/-stream//;
387 $rvcmd =~ s/-stream//; 387 $rvcmd =~ s/-stream//;
388 } 388 }
389 system("$scmd$rscmd 2>cms.err 1>cms.out"); 389 system("$scmd$rscmd$redir");
390 if ($?) { 390 if ($?) {
391 print "$tnam: generation error\n"; 391 print "$tnam: generation error\n";
392 $$rv++; 392 $$rv++;
393 exit 1 if $halt_err; 393 exit 1 if $halt_err;
394 next; 394 next;
395 } 395 }
396 system("$vcmd$rvcmd 2>cms.err 1>cms.out"); 396 system("$vcmd$rvcmd$redir");
397 if ($?) { 397 if ($?) {
398 print "$tnam: verify error\n"; 398 print "$tnam: verify error\n";
399 $$rv++; 399 $$rv++;
diff --git a/src/lib/libssl/test/pkits-test.pl b/src/lib/libssl/test/pkits-test.pl
new file mode 100644
index 0000000000..69dffa16f9
--- /dev/null
+++ b/src/lib/libssl/test/pkits-test.pl
@@ -0,0 +1,940 @@
1# test/pkits-test.pl
2# Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3# project.
4#
5# ====================================================================
6# Copyright (c) 2008 The OpenSSL Project. All rights reserved.
7#
8# Redistribution and use in source and binary forms, with or without
9# modification, are permitted provided that the following conditions
10# are met:
11#
12# 1. Redistributions of source code must retain the above copyright
13# notice, this list of conditions and the following disclaimer.
14#
15# 2. Redistributions in binary form must reproduce the above copyright
16# notice, this list of conditions and the following disclaimer in
17# the documentation and/or other materials provided with the
18# distribution.
19#
20# 3. All advertising materials mentioning features or use of this
21# software must display the following acknowledgment:
22# "This product includes software developed by the OpenSSL Project
23# for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24#
25# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26# endorse or promote products derived from this software without
27# prior written permission. For written permission, please contact
28# licensing@OpenSSL.org.
29#
30# 5. Products derived from this software may not be called "OpenSSL"
31# nor may "OpenSSL" appear in their names without prior written
32# permission of the OpenSSL Project.
33#
34# 6. Redistributions of any form whatsoever must retain the following
35# acknowledgment:
36# "This product includes software developed by the OpenSSL Project
37# for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38#
39# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50# OF THE POSSIBILITY OF SUCH DAMAGE.
51# ====================================================================
52
53# Perl utility to run PKITS tests for RFC3280 compliance.
54
55my $ossl_path;
56
57if ( -f "../apps/openssl" ) {
58 $ossl_path = "../util/shlib_wrap.sh ../apps/openssl";
59}
60elsif ( -f "..\\out32dll\\openssl.exe" ) {
61 $ossl_path = "..\\out32dll\\openssl.exe";
62}
63elsif ( -f "..\\out32\\openssl.exe" ) {
64 $ossl_path = "..\\out32\\openssl.exe";
65}
66else {
67 die "Can't find OpenSSL executable";
68}
69
70my $pkitsdir = "pkits/smime";
71my $pkitsta = "pkits/certs/TrustAnchorRootCertificate.crt";
72
73die "Can't find PKITS test data" if !-d $pkitsdir;
74
75my $nist1 = "2.16.840.1.101.3.2.1.48.1";
76my $nist2 = "2.16.840.1.101.3.2.1.48.2";
77my $nist3 = "2.16.840.1.101.3.2.1.48.3";
78my $nist4 = "2.16.840.1.101.3.2.1.48.4";
79my $nist5 = "2.16.840.1.101.3.2.1.48.5";
80my $nist6 = "2.16.840.1.101.3.2.1.48.6";
81
82my $apolicy = "X509v3 Any Policy";
83
84# This table contains the chapter headings of the accompanying PKITS
85# document. They provide useful informational output and their names
86# can be converted into the filename to test.
87
88my @testlists = (
89 [ "4.1", "Signature Verification" ],
90 [ "4.1.1", "Valid Signatures Test1", 0 ],
91 [ "4.1.2", "Invalid CA Signature Test2", 7 ],
92 [ "4.1.3", "Invalid EE Signature Test3", 7 ],
93 [ "4.1.4", "Valid DSA Signatures Test4", 0 ],
94 [ "4.1.5", "Valid DSA Parameter Inheritance Test5", 0 ],
95 [ "4.1.6", "Invalid DSA Signature Test6", 7 ],
96 [ "4.2", "Validity Periods" ],
97 [ "4.2.1", "Invalid CA notBefore Date Test1", 9 ],
98 [ "4.2.2", "Invalid EE notBefore Date Test2", 9 ],
99 [ "4.2.3", "Valid pre2000 UTC notBefore Date Test3", 0 ],
100 [ "4.2.4", "Valid GeneralizedTime notBefore Date Test4", 0 ],
101 [ "4.2.5", "Invalid CA notAfter Date Test5", 10 ],
102 [ "4.2.6", "Invalid EE notAfter Date Test6", 10 ],
103 [ "4.2.7", "Invalid pre2000 UTC EE notAfter Date Test7", 10 ],
104 [ "4.2.8", "Valid GeneralizedTime notAfter Date Test8", 0 ],
105 [ "4.3", "Verifying Name Chaining" ],
106 [ "4.3.1", "Invalid Name Chaining EE Test1", 20 ],
107 [ "4.3.2", "Invalid Name Chaining Order Test2", 20 ],
108 [ "4.3.3", "Valid Name Chaining Whitespace Test3", 0 ],
109 [ "4.3.4", "Valid Name Chaining Whitespace Test4", 0 ],
110 [ "4.3.5", "Valid Name Chaining Capitalization Test5", 0 ],
111 [ "4.3.6", "Valid Name Chaining UIDs Test6", 0 ],
112 [ "4.3.7", "Valid RFC3280 Mandatory Attribute Types Test7", 0 ],
113 [ "4.3.8", "Valid RFC3280 Optional Attribute Types Test8", 0 ],
114 [ "4.3.9", "Valid UTF8String Encoded Names Test9", 0 ],
115 [ "4.3.10", "Valid Rollover from PrintableString to UTF8String Test10", 0 ],
116 [ "4.3.11", "Valid UTF8String Case Insensitive Match Test11", 0 ],
117 [ "4.4", "Basic Certificate Revocation Tests" ],
118 [ "4.4.1", "Missing CRL Test1", 3 ],
119 [ "4.4.2", "Invalid Revoked CA Test2", 23 ],
120 [ "4.4.3", "Invalid Revoked EE Test3", 23 ],
121 [ "4.4.4", "Invalid Bad CRL Signature Test4", 8 ],
122 [ "4.4.5", "Invalid Bad CRL Issuer Name Test5", 3 ],
123 [ "4.4.6", "Invalid Wrong CRL Test6", 3 ],
124 [ "4.4.7", "Valid Two CRLs Test7", 0 ],
125
126 # The test document suggests these should return certificate revoked...
127 # Subsquent discussion has concluded they should not due to unhandle
128 # critical CRL extensions.
129 [ "4.4.8", "Invalid Unknown CRL Entry Extension Test8", 36 ],
130 [ "4.4.9", "Invalid Unknown CRL Extension Test9", 36 ],
131
132 [ "4.4.10", "Invalid Unknown CRL Extension Test10", 36 ],
133 [ "4.4.11", "Invalid Old CRL nextUpdate Test11", 12 ],
134 [ "4.4.12", "Invalid pre2000 CRL nextUpdate Test12", 12 ],
135 [ "4.4.13", "Valid GeneralizedTime CRL nextUpdate Test13", 0 ],
136 [ "4.4.14", "Valid Negative Serial Number Test14", 0 ],
137 [ "4.4.15", "Invalid Negative Serial Number Test15", 23 ],
138 [ "4.4.16", "Valid Long Serial Number Test16", 0 ],
139 [ "4.4.17", "Valid Long Serial Number Test17", 0 ],
140 [ "4.4.18", "Invalid Long Serial Number Test18", 23 ],
141 [ "4.4.19", "Valid Separate Certificate and CRL Keys Test19", 0 ],
142 [ "4.4.20", "Invalid Separate Certificate and CRL Keys Test20", 23 ],
143
144 # CRL path is revoked so get a CRL path validation error
145 [ "4.4.21", "Invalid Separate Certificate and CRL Keys Test21", 54 ],
146 [ "4.5", "Verifying Paths with Self-Issued Certificates" ],
147 [ "4.5.1", "Valid Basic Self-Issued Old With New Test1", 0 ],
148 [ "4.5.2", "Invalid Basic Self-Issued Old With New Test2", 23 ],
149 [ "4.5.3", "Valid Basic Self-Issued New With Old Test3", 0 ],
150 [ "4.5.4", "Valid Basic Self-Issued New With Old Test4", 0 ],
151 [ "4.5.5", "Invalid Basic Self-Issued New With Old Test5", 23 ],
152 [ "4.5.6", "Valid Basic Self-Issued CRL Signing Key Test6", 0 ],
153 [ "4.5.7", "Invalid Basic Self-Issued CRL Signing Key Test7", 23 ],
154 [ "4.5.8", "Invalid Basic Self-Issued CRL Signing Key Test8", 20 ],
155 [ "4.6", "Verifying Basic Constraints" ],
156 [ "4.6.1", "Invalid Missing basicConstraints Test1", 24 ],
157 [ "4.6.2", "Invalid cA False Test2", 24 ],
158 [ "4.6.3", "Invalid cA False Test3", 24 ],
159 [ "4.6.4", "Valid basicConstraints Not Critical Test4", 0 ],
160 [ "4.6.5", "Invalid pathLenConstraint Test5", 25 ],
161 [ "4.6.6", "Invalid pathLenConstraint Test6", 25 ],
162 [ "4.6.7", "Valid pathLenConstraint Test7", 0 ],
163 [ "4.6.8", "Valid pathLenConstraint Test8", 0 ],
164 [ "4.6.9", "Invalid pathLenConstraint Test9", 25 ],
165 [ "4.6.10", "Invalid pathLenConstraint Test10", 25 ],
166 [ "4.6.11", "Invalid pathLenConstraint Test11", 25 ],
167 [ "4.6.12", "Invalid pathLenConstraint Test12", 25 ],
168 [ "4.6.13", "Valid pathLenConstraint Test13", 0 ],
169 [ "4.6.14", "Valid pathLenConstraint Test14", 0 ],
170 [ "4.6.15", "Valid Self-Issued pathLenConstraint Test15", 0 ],
171 [ "4.6.16", "Invalid Self-Issued pathLenConstraint Test16", 25 ],
172 [ "4.6.17", "Valid Self-Issued pathLenConstraint Test17", 0 ],
173 [ "4.7", "Key Usage" ],
174 [ "4.7.1", "Invalid keyUsage Critical keyCertSign False Test1", 20 ],
175 [ "4.7.2", "Invalid keyUsage Not Critical keyCertSign False Test2", 20 ],
176 [ "4.7.3", "Valid keyUsage Not Critical Test3", 0 ],
177 [ "4.7.4", "Invalid keyUsage Critical cRLSign False Test4", 35 ],
178 [ "4.7.5", "Invalid keyUsage Not Critical cRLSign False Test5", 35 ],
179
180 # Certificate policy tests need special handling. They can have several
181 # sub tests and we need to check the outputs are correct.
182
183 [ "4.8", "Certificate Policies" ],
184 [
185 "4.8.1.1",
186 "All Certificates Same Policy Test1",
187 "-policy anyPolicy -explicit_policy",
188 "True", $nist1, $nist1, 0
189 ],
190 [
191 "4.8.1.2",
192 "All Certificates Same Policy Test1",
193 "-policy $nist1 -explicit_policy",
194 "True", $nist1, $nist1, 0
195 ],
196 [
197 "4.8.1.3",
198 "All Certificates Same Policy Test1",
199 "-policy $nist2 -explicit_policy",
200 "True", $nist1, "<empty>", 43
201 ],
202 [
203 "4.8.1.4",
204 "All Certificates Same Policy Test1",
205 "-policy $nist1 -policy $nist2 -explicit_policy",
206 "True", $nist1, $nist1, 0
207 ],
208 [
209 "4.8.2.1",
210 "All Certificates No Policies Test2",
211 "-policy anyPolicy",
212 "False", "<empty>", "<empty>", 0
213 ],
214 [
215 "4.8.2.2",
216 "All Certificates No Policies Test2",
217 "-policy anyPolicy -explicit_policy",
218 "True", "<empty>", "<empty>", 43
219 ],
220 [
221 "4.8.3.1",
222 "Different Policies Test3",
223 "-policy anyPolicy",
224 "False", "<empty>", "<empty>", 0
225 ],
226 [
227 "4.8.3.2",
228 "Different Policies Test3",
229 "-policy anyPolicy -explicit_policy",
230 "True", "<empty>", "<empty>", 43
231 ],
232 [
233 "4.8.3.3",
234 "Different Policies Test3",
235 "-policy $nist1 -policy $nist2 -explicit_policy",
236 "True", "<empty>", "<empty>", 43
237 ],
238
239 [
240 "4.8.4",
241 "Different Policies Test4",
242 "-policy anyPolicy",
243 "True", "<empty>", "<empty>", 43
244 ],
245 [
246 "4.8.5",
247 "Different Policies Test5",
248 "-policy anyPolicy",
249 "True", "<empty>", "<empty>", 43
250 ],
251 [
252 "4.8.6.1",
253 "Overlapping Policies Test6",
254 "-policy anyPolicy",
255 "True", $nist1, $nist1, 0
256 ],
257 [
258 "4.8.6.2",
259 "Overlapping Policies Test6",
260 "-policy $nist1",
261 "True", $nist1, $nist1, 0
262 ],
263 [
264 "4.8.6.3",
265 "Overlapping Policies Test6",
266 "-policy $nist2",
267 "True", $nist1, "<empty>", 43
268 ],
269 [
270 "4.8.7",
271 "Different Policies Test7",
272 "-policy anyPolicy",
273 "True", "<empty>", "<empty>", 43
274 ],
275 [
276 "4.8.8",
277 "Different Policies Test8",
278 "-policy anyPolicy",
279 "True", "<empty>", "<empty>", 43
280 ],
281 [
282 "4.8.9",
283 "Different Policies Test9",
284 "-policy anyPolicy",
285 "True", "<empty>", "<empty>", 43
286 ],
287 [
288 "4.8.10.1",
289 "All Certificates Same Policies Test10",
290 "-policy $nist1",
291 "True", "$nist1:$nist2", "$nist1", 0
292 ],
293 [
294 "4.8.10.2",
295 "All Certificates Same Policies Test10",
296 "-policy $nist2",
297 "True", "$nist1:$nist2", "$nist2", 0
298 ],
299 [
300 "4.8.10.3",
301 "All Certificates Same Policies Test10",
302 "-policy anyPolicy",
303 "True", "$nist1:$nist2", "$nist1:$nist2", 0
304 ],
305 [
306 "4.8.11.1",
307 "All Certificates AnyPolicy Test11",
308 "-policy anyPolicy",
309 "True", "$apolicy", "$apolicy", 0
310 ],
311 [
312 "4.8.11.2",
313 "All Certificates AnyPolicy Test11",
314 "-policy $nist1",
315 "True", "$apolicy", "$nist1", 0
316 ],
317 [
318 "4.8.12",
319 "Different Policies Test12",
320 "-policy anyPolicy",
321 "True", "<empty>", "<empty>", 43
322 ],
323 [
324 "4.8.13.1",
325 "All Certificates Same Policies Test13",
326 "-policy $nist1",
327 "True", "$nist1:$nist2:$nist3", "$nist1", 0
328 ],
329 [
330 "4.8.13.2",
331 "All Certificates Same Policies Test13",
332 "-policy $nist2",
333 "True", "$nist1:$nist2:$nist3", "$nist2", 0
334 ],
335 [
336 "4.8.13.3",
337 "All Certificates Same Policies Test13",
338 "-policy $nist3",
339 "True", "$nist1:$nist2:$nist3", "$nist3", 0
340 ],
341 [
342 "4.8.14.1", "AnyPolicy Test14",
343 "-policy $nist1", "True",
344 "$nist1", "$nist1",
345 0
346 ],
347 [
348 "4.8.14.2", "AnyPolicy Test14",
349 "-policy $nist2", "True",
350 "$nist1", "<empty>",
351 43
352 ],
353 [
354 "4.8.15",
355 "User Notice Qualifier Test15",
356 "-policy anyPolicy",
357 "False", "$nist1", "$nist1", 0
358 ],
359 [
360 "4.8.16",
361 "User Notice Qualifier Test16",
362 "-policy anyPolicy",
363 "False", "$nist1", "$nist1", 0
364 ],
365 [
366 "4.8.17",
367 "User Notice Qualifier Test17",
368 "-policy anyPolicy",
369 "False", "$nist1", "$nist1", 0
370 ],
371 [
372 "4.8.18.1",
373 "User Notice Qualifier Test18",
374 "-policy $nist1",
375 "True", "$nist1:$nist2", "$nist1", 0
376 ],
377 [
378 "4.8.18.2",
379 "User Notice Qualifier Test18",
380 "-policy $nist2",
381 "True", "$nist1:$nist2", "$nist2", 0
382 ],
383 [
384 "4.8.19",
385 "User Notice Qualifier Test19",
386 "-policy anyPolicy",
387 "False", "$nist1", "$nist1", 0
388 ],
389 [
390 "4.8.20",
391 "CPS Pointer Qualifier Test20",
392 "-policy anyPolicy -explicit_policy",
393 "True", "$nist1", "$nist1", 0
394 ],
395 [ "4.9", "Require Explicit Policy" ],
396 [
397 "4.9.1",
398 "Valid RequireExplicitPolicy Test1",
399 "-policy anyPolicy",
400 "False", "<empty>", "<empty>", 0
401 ],
402 [
403 "4.9.2",
404 "Valid RequireExplicitPolicy Test2",
405 "-policy anyPolicy",
406 "False", "<empty>", "<empty>", 0
407 ],
408 [
409 "4.9.3",
410 "Invalid RequireExplicitPolicy Test3",
411 "-policy anyPolicy",
412 "True", "<empty>", "<empty>", 43
413 ],
414 [
415 "4.9.4",
416 "Valid RequireExplicitPolicy Test4",
417 "-policy anyPolicy",
418 "True", "$nist1", "$nist1", 0
419 ],
420 [
421 "4.9.5",
422 "Invalid RequireExplicitPolicy Test5",
423 "-policy anyPolicy",
424 "True", "<empty>", "<empty>", 43
425 ],
426 [
427 "4.9.6",
428 "Valid Self-Issued requireExplicitPolicy Test6",
429 "-policy anyPolicy",
430 "False", "<empty>", "<empty>", 0
431 ],
432 [
433 "4.9.7",
434 "Invalid Self-Issued requireExplicitPolicy Test7",
435 "-policy anyPolicy",
436 "True", "<empty>", "<empty>", 43
437 ],
438 [
439 "4.9.8",
440 "Invalid Self-Issued requireExplicitPolicy Test8",
441 "-policy anyPolicy",
442 "True", "<empty>", "<empty>", 43
443 ],
444 [ "4.10", "Policy Mappings" ],
445 [
446 "4.10.1.1",
447 "Valid Policy Mapping Test1",
448 "-policy $nist1",
449 "True", "$nist1", "$nist1", 0
450 ],
451 [
452 "4.10.1.2",
453 "Valid Policy Mapping Test1",
454 "-policy $nist2",
455 "True", "$nist1", "<empty>", 43
456 ],
457 [
458 "4.10.1.3",
459 "Valid Policy Mapping Test1",
460 "-policy anyPolicy -inhibit_map",
461 "True", "<empty>", "<empty>", 43
462 ],
463 [
464 "4.10.2.1",
465 "Invalid Policy Mapping Test2",
466 "-policy anyPolicy",
467 "True", "<empty>", "<empty>", 43
468 ],
469 [
470 "4.10.2.2",
471 "Invalid Policy Mapping Test2",
472 "-policy anyPolicy -inhibit_map",
473 "True", "<empty>", "<empty>", 43
474 ],
475 [
476 "4.10.3.1",
477 "Valid Policy Mapping Test3",
478 "-policy $nist1",
479 "True", "$nist2", "<empty>", 43
480 ],
481 [
482 "4.10.3.2",
483 "Valid Policy Mapping Test3",
484 "-policy $nist2",
485 "True", "$nist2", "$nist2", 0
486 ],
487 [
488 "4.10.4",
489 "Invalid Policy Mapping Test4",
490 "-policy anyPolicy",
491 "True", "<empty>", "<empty>", 43
492 ],
493 [
494 "4.10.5.1",
495 "Valid Policy Mapping Test5",
496 "-policy $nist1",
497 "True", "$nist1", "$nist1", 0
498 ],
499 [
500 "4.10.5.2",
501 "Valid Policy Mapping Test5",
502 "-policy $nist6",
503 "True", "$nist1", "<empty>", 43
504 ],
505 [
506 "4.10.6.1",
507 "Valid Policy Mapping Test6",
508 "-policy $nist1",
509 "True", "$nist1", "$nist1", 0
510 ],
511 [
512 "4.10.6.2",
513 "Valid Policy Mapping Test6",
514 "-policy $nist6",
515 "True", "$nist1", "<empty>", 43
516 ],
517 [ "4.10.7", "Invalid Mapping From anyPolicy Test7", 42 ],
518 [ "4.10.8", "Invalid Mapping To anyPolicy Test8", 42 ],
519 [
520 "4.10.9",
521 "Valid Policy Mapping Test9",
522 "-policy anyPolicy",
523 "True", "$nist1", "$nist1", 0
524 ],
525 [
526 "4.10.10",
527 "Invalid Policy Mapping Test10",
528 "-policy anyPolicy",
529 "True", "<empty>", "<empty>", 43
530 ],
531 [
532 "4.10.11",
533 "Valid Policy Mapping Test11",
534 "-policy anyPolicy",
535 "True", "$nist1", "$nist1", 0
536 ],
537
538 # TODO: check notice display
539 [
540 "4.10.12.1",
541 "Valid Policy Mapping Test12",
542 "-policy $nist1",
543 "True", "$nist1:$nist2", "$nist1", 0
544 ],
545
546 # TODO: check notice display
547 [
548 "4.10.12.2",
549 "Valid Policy Mapping Test12",
550 "-policy $nist2",
551 "True", "$nist1:$nist2", "$nist2", 0
552 ],
553 [
554 "4.10.13",
555 "Valid Policy Mapping Test13",
556 "-policy anyPolicy",
557 "True", "$nist1", "$nist1", 0
558 ],
559
560 # TODO: check notice display
561 [
562 "4.10.14",
563 "Valid Policy Mapping Test14",
564 "-policy anyPolicy",
565 "True", "$nist1", "$nist1", 0
566 ],
567 [ "4.11", "Inhibit Policy Mapping" ],
568 [
569 "4.11.1",
570 "Invalid inhibitPolicyMapping Test1",
571 "-policy anyPolicy",
572 "True", "<empty>", "<empty>", 43
573 ],
574 [
575 "4.11.2",
576 "Valid inhibitPolicyMapping Test2",
577 "-policy anyPolicy",
578 "True", "$nist1", "$nist1", 0
579 ],
580 [
581 "4.11.3",
582 "Invalid inhibitPolicyMapping Test3",
583 "-policy anyPolicy",
584 "True", "<empty>", "<empty>", 43
585 ],
586 [
587 "4.11.4",
588 "Valid inhibitPolicyMapping Test4",
589 "-policy anyPolicy",
590 "True", "$nist2", "$nist2", 0
591 ],
592 [
593 "4.11.5",
594 "Invalid inhibitPolicyMapping Test5",
595 "-policy anyPolicy",
596 "True", "<empty>", "<empty>", 43
597 ],
598 [
599 "4.11.6",
600 "Invalid inhibitPolicyMapping Test6",
601 "-policy anyPolicy",
602 "True", "<empty>", "<empty>", 43
603 ],
604 [
605 "4.11.7",
606 "Valid Self-Issued inhibitPolicyMapping Test7",
607 "-policy anyPolicy",
608 "True", "$nist1", "$nist1", 0
609 ],
610 [
611 "4.11.8",
612 "Invalid Self-Issued inhibitPolicyMapping Test8",
613 "-policy anyPolicy",
614 "True", "<empty>", "<empty>", 43
615 ],
616 [
617 "4.11.9",
618 "Invalid Self-Issued inhibitPolicyMapping Test9",
619 "-policy anyPolicy",
620 "True", "<empty>", "<empty>", 43
621 ],
622 [
623 "4.11.10",
624 "Invalid Self-Issued inhibitPolicyMapping Test10",
625 "-policy anyPolicy",
626 "True", "<empty>", "<empty>", 43
627 ],
628 [
629 "4.11.11",
630 "Invalid Self-Issued inhibitPolicyMapping Test11",
631 "-policy anyPolicy",
632 "True", "<empty>", "<empty>", 43
633 ],
634 [ "4.12", "Inhibit Any Policy" ],
635 [
636 "4.12.1",
637 "Invalid inhibitAnyPolicy Test1",
638 "-policy anyPolicy",
639 "True", "<empty>", "<empty>", 43
640 ],
641 [
642 "4.12.2",
643 "Valid inhibitAnyPolicy Test2",
644 "-policy anyPolicy",
645 "True", "$nist1", "$nist1", 0
646 ],
647 [
648 "4.12.3.1",
649 "inhibitAnyPolicy Test3",
650 "-policy anyPolicy",
651 "True", "$nist1", "$nist1", 0
652 ],
653 [
654 "4.12.3.2",
655 "inhibitAnyPolicy Test3",
656 "-policy anyPolicy -inhibit_any",
657 "True", "<empty>", "<empty>", 43
658 ],
659 [
660 "4.12.4",
661 "Invalid inhibitAnyPolicy Test4",
662 "-policy anyPolicy",
663 "True", "<empty>", "<empty>", 43
664 ],
665 [
666 "4.12.5",
667 "Invalid inhibitAnyPolicy Test5",
668 "-policy anyPolicy",
669 "True", "<empty>", "<empty>", 43
670 ],
671 [
672 "4.12.6",
673 "Invalid inhibitAnyPolicy Test6",
674 "-policy anyPolicy",
675 "True", "<empty>", "<empty>", 43
676 ],
677 [ "4.12.7", "Valid Self-Issued inhibitAnyPolicy Test7", 0 ],
678 [ "4.12.8", "Invalid Self-Issued inhibitAnyPolicy Test8", 43 ],
679 [ "4.12.9", "Valid Self-Issued inhibitAnyPolicy Test9", 0 ],
680 [ "4.12.10", "Invalid Self-Issued inhibitAnyPolicy Test10", 43 ],
681 [ "4.13", "Name Constraints" ],
682 [ "4.13.1", "Valid DN nameConstraints Test1", 0 ],
683 [ "4.13.2", "Invalid DN nameConstraints Test2", 47 ],
684 [ "4.13.3", "Invalid DN nameConstraints Test3", 47 ],
685 [ "4.13.4", "Valid DN nameConstraints Test4", 0 ],
686 [ "4.13.5", "Valid DN nameConstraints Test5", 0 ],
687 [ "4.13.6", "Valid DN nameConstraints Test6", 0 ],
688 [ "4.13.7", "Invalid DN nameConstraints Test7", 48 ],
689 [ "4.13.8", "Invalid DN nameConstraints Test8", 48 ],
690 [ "4.13.9", "Invalid DN nameConstraints Test9", 48 ],
691 [ "4.13.10", "Invalid DN nameConstraints Test10", 48 ],
692 [ "4.13.11", "Valid DN nameConstraints Test11", 0 ],
693 [ "4.13.12", "Invalid DN nameConstraints Test12", 47 ],
694 [ "4.13.13", "Invalid DN nameConstraints Test13", 47 ],
695 [ "4.13.14", "Valid DN nameConstraints Test14", 0 ],
696 [ "4.13.15", "Invalid DN nameConstraints Test15", 48 ],
697 [ "4.13.16", "Invalid DN nameConstraints Test16", 48 ],
698 [ "4.13.17", "Invalid DN nameConstraints Test17", 48 ],
699 [ "4.13.18", "Valid DN nameConstraints Test18", 0 ],
700 [ "4.13.19", "Valid Self-Issued DN nameConstraints Test19", 0 ],
701 [ "4.13.20", "Invalid Self-Issued DN nameConstraints Test20", 47 ],
702 [ "4.13.21", "Valid RFC822 nameConstraints Test21", 0 ],
703 [ "4.13.22", "Invalid RFC822 nameConstraints Test22", 47 ],
704 [ "4.13.23", "Valid RFC822 nameConstraints Test23", 0 ],
705 [ "4.13.24", "Invalid RFC822 nameConstraints Test24", 47 ],
706 [ "4.13.25", "Valid RFC822 nameConstraints Test25", 0 ],
707 [ "4.13.26", "Invalid RFC822 nameConstraints Test26", 48 ],
708 [ "4.13.27", "Valid DN and RFC822 nameConstraints Test27", 0 ],
709 [ "4.13.28", "Invalid DN and RFC822 nameConstraints Test28", 47 ],
710 [ "4.13.29", "Invalid DN and RFC822 nameConstraints Test29", 47 ],
711 [ "4.13.30", "Valid DNS nameConstraints Test30", 0 ],
712 [ "4.13.31", "Invalid DNS nameConstraints Test31", 47 ],
713 [ "4.13.32", "Valid DNS nameConstraints Test32", 0 ],
714 [ "4.13.33", "Invalid DNS nameConstraints Test33", 48 ],
715 [ "4.13.34", "Valid URI nameConstraints Test34", 0 ],
716 [ "4.13.35", "Invalid URI nameConstraints Test35", 47 ],
717 [ "4.13.36", "Valid URI nameConstraints Test36", 0 ],
718 [ "4.13.37", "Invalid URI nameConstraints Test37", 48 ],
719 [ "4.13.38", "Invalid DNS nameConstraints Test38", 47 ],
720 [ "4.14", "Distribution Points" ],
721 [ "4.14.1", "Valid distributionPoint Test1", 0 ],
722 [ "4.14.2", "Invalid distributionPoint Test2", 23 ],
723 [ "4.14.3", "Invalid distributionPoint Test3", 44 ],
724 [ "4.14.4", "Valid distributionPoint Test4", 0 ],
725 [ "4.14.5", "Valid distributionPoint Test5", 0 ],
726 [ "4.14.6", "Invalid distributionPoint Test6", 23 ],
727 [ "4.14.7", "Valid distributionPoint Test7", 0 ],
728 [ "4.14.8", "Invalid distributionPoint Test8", 44 ],
729 [ "4.14.9", "Invalid distributionPoint Test9", 44 ],
730 [ "4.14.10", "Valid No issuingDistributionPoint Test10", 0 ],
731 [ "4.14.11", "Invalid onlyContainsUserCerts CRL Test11", 44 ],
732 [ "4.14.12", "Invalid onlyContainsCACerts CRL Test12", 44 ],
733 [ "4.14.13", "Valid onlyContainsCACerts CRL Test13", 0 ],
734 [ "4.14.14", "Invalid onlyContainsAttributeCerts Test14", 44 ],
735 [ "4.14.15", "Invalid onlySomeReasons Test15", 23 ],
736 [ "4.14.16", "Invalid onlySomeReasons Test16", 23 ],
737 [ "4.14.17", "Invalid onlySomeReasons Test17", 3 ],
738 [ "4.14.18", "Valid onlySomeReasons Test18", 0 ],
739 [ "4.14.19", "Valid onlySomeReasons Test19", 0 ],
740 [ "4.14.20", "Invalid onlySomeReasons Test20", 23 ],
741 [ "4.14.21", "Invalid onlySomeReasons Test21", 23 ],
742 [ "4.14.22", "Valid IDP with indirectCRL Test22", 0 ],
743 [ "4.14.23", "Invalid IDP with indirectCRL Test23", 23 ],
744 [ "4.14.24", "Valid IDP with indirectCRL Test24", 0 ],
745 [ "4.14.25", "Valid IDP with indirectCRL Test25", 0 ],
746 [ "4.14.26", "Invalid IDP with indirectCRL Test26", 44 ],
747 [ "4.14.27", "Invalid cRLIssuer Test27", 3 ],
748 [ "4.14.28", "Valid cRLIssuer Test28", 0 ],
749 [ "4.14.29", "Valid cRLIssuer Test29", 0 ],
750
751 # Although this test is valid it has a circular dependency. As a result
752 # an attempt is made to reursively checks a CRL path and rejected due to
753 # a CRL path validation error. PKITS notes suggest this test does not
754 # need to be run due to this issue.
755 [ "4.14.30", "Valid cRLIssuer Test30", 54 ],
756 [ "4.14.31", "Invalid cRLIssuer Test31", 23 ],
757 [ "4.14.32", "Invalid cRLIssuer Test32", 23 ],
758 [ "4.14.33", "Valid cRLIssuer Test33", 0 ],
759 [ "4.14.34", "Invalid cRLIssuer Test34", 23 ],
760 [ "4.14.35", "Invalid cRLIssuer Test35", 44 ],
761 [ "4.15", "Delta-CRLs" ],
762 [ "4.15.1", "Invalid deltaCRLIndicator No Base Test1", 3 ],
763 [ "4.15.2", "Valid delta-CRL Test2", 0 ],
764 [ "4.15.3", "Invalid delta-CRL Test3", 23 ],
765 [ "4.15.4", "Invalid delta-CRL Test4", 23 ],
766 [ "4.15.5", "Valid delta-CRL Test5", 0 ],
767 [ "4.15.6", "Invalid delta-CRL Test6", 23 ],
768 [ "4.15.7", "Valid delta-CRL Test7", 0 ],
769 [ "4.15.8", "Valid delta-CRL Test8", 0 ],
770 [ "4.15.9", "Invalid delta-CRL Test9", 23 ],
771 [ "4.15.10", "Invalid delta-CRL Test10", 12 ],
772 [ "4.16", "Private Certificate Extensions" ],
773 [ "4.16.1", "Valid Unknown Not Critical Certificate Extension Test1", 0 ],
774 [ "4.16.2", "Invalid Unknown Critical Certificate Extension Test2", 34 ],
775);
776
777
778my $verbose = 1;
779
780my $numtest = 0;
781my $numfail = 0;
782
783my $ossl = "ossl/apps/openssl";
784
785my $ossl_cmd = "$ossl_path cms -verify -verify_retcode ";
786$ossl_cmd .= "-CAfile pkitsta.pem -crl_check_all -x509_strict ";
787$ossl_cmd .= "-policy_check -extended_crl -use_deltas -out /dev/null 2>&1 ";
788
789system "$ossl_path x509 -inform DER -in $pkitsta -out pkitsta.pem";
790
791die "Can't create trust anchor file" if $?;
792
793print "Running PKITS tests:\n" if $verbose;
794
795foreach (@testlists) {
796 my $argnum = @$_;
797 if ( $argnum == 2 ) {
798 my ( $tnum, $title ) = @$_;
799 print "$tnum $title\n" if $verbose;
800 }
801 elsif ( $argnum == 3 ) {
802 my ( $tnum, $title, $exp_ret ) = @$_;
803 my $filename = $title;
804 $exp_ret += 32 if $exp_ret;
805 $filename =~ tr/ -//d;
806 $filename = "Signed${filename}.eml";
807 if ( !-f "$pkitsdir/$filename" ) {
808 print "\"$filename\" not found\n";
809 }
810 else {
811 my $ret;
812 my $test_fail = 0;
813 my $errmsg = "";
814 my $cmd = $ossl_cmd;
815 $cmd .= "-in $pkitsdir/$filename -policy anyPolicy";
816 my $cmdout = `$cmd`;
817 $ret = $? >> 8;
818 if ( $? & 0xff ) {
819 $errmsg .= "Abnormal OpenSSL termination\n";
820 $test_fail = 1;
821 }
822 if ( $exp_ret != $ret ) {
823 $errmsg .= "Return code:$ret, ";
824 $errmsg .= "expected $exp_ret\n";
825 $test_fail = 1;
826 }
827 if ($test_fail) {
828 print "$tnum $title : Failed!\n";
829 print "Filename: $pkitsdir/$filename\n";
830 print $errmsg;
831 print "Command output:\n$cmdout\n";
832 $numfail++;
833 }
834 $numtest++;
835 }
836 }
837 elsif ( $argnum == 7 ) {
838 my ( $tnum, $title, $exargs, $exp_epol, $exp_aset, $exp_uset, $exp_ret )
839 = @$_;
840 my $filename = $title;
841 $exp_ret += 32 if $exp_ret;
842 $filename =~ tr/ -//d;
843 $filename = "Signed${filename}.eml";
844 if ( !-f "$pkitsdir/$filename" ) {
845 print "\"$filename\" not found\n";
846 }
847 else {
848 my $ret;
849 my $cmdout = "";
850 my $errmsg = "";
851 my $epol = "";
852 my $aset = "";
853 my $uset = "";
854 my $pol = -1;
855 my $test_fail = 0;
856 my $cmd = $ossl_cmd;
857 $cmd .= "-in $pkitsdir/$filename $exargs -policy_print";
858 @oparr = `$cmd`;
859 $ret = $? >> 8;
860
861 if ( $? & 0xff ) {
862 $errmsg .= "Abnormal OpenSSL termination\n";
863 $test_fail = 1;
864 }
865 foreach (@oparr) {
866 my $test_failed = 0;
867 $cmdout .= $_;
868 if (/^Require explicit Policy: (.*)$/) {
869 $epol = $1;
870 }
871 if (/^Authority Policies/) {
872 if (/empty/) {
873 $aset = "<empty>";
874 }
875 else {
876 $pol = 1;
877 }
878 }
879 $test_fail = 1 if (/leak/i);
880 if (/^User Policies/) {
881 if (/empty/) {
882 $uset = "<empty>";
883 }
884 else {
885 $pol = 2;
886 }
887 }
888 if (/\s+Policy: (.*)$/) {
889 if ( $pol == 1 ) {
890 $aset .= ":" if $aset ne "";
891 $aset .= $1;
892 }
893 elsif ( $pol == 2 ) {
894 $uset .= ":" if $uset ne "";
895 $uset .= $1;
896 }
897 }
898 }
899
900 if ( $epol ne $exp_epol ) {
901 $errmsg .= "Explicit policy:$epol, ";
902 $errmsg .= "expected $exp_epol\n";
903 $test_fail = 1;
904 }
905 if ( $aset ne $exp_aset ) {
906 $errmsg .= "Authority policy set :$aset, ";
907 $errmsg .= "expected $exp_aset\n";
908 $test_fail = 1;
909 }
910 if ( $uset ne $exp_uset ) {
911 $errmsg .= "User policy set :$uset, ";
912 $errmsg .= "expected $exp_uset\n";
913 $test_fail = 1;
914 }
915
916 if ( $exp_ret != $ret ) {
917 print "Return code:$ret, expected $exp_ret\n";
918 $test_fail = 1;
919 }
920
921 if ($test_fail) {
922 print "$tnum $title : Failed!\n";
923 print "Filename: $pkitsdir/$filename\n";
924 print "Command output:\n$cmdout\n";
925 $numfail++;
926 }
927 $numtest++;
928 }
929 }
930}
931
932if ($numfail) {
933 print "$numfail tests failed out of $numtest\n";
934}
935else {
936 print "All Tests Successful.\n";
937}
938
939unlink "pkitsta.pem";
940
diff --git a/src/lib/libssl/test/test_padlock b/src/lib/libssl/test/test_padlock
new file mode 100755
index 0000000000..5c0f21043c
--- /dev/null
+++ b/src/lib/libssl/test/test_padlock
@@ -0,0 +1,64 @@
1#!/bin/sh
2
3PROG=$1
4
5if [ -x $PROG ]; then
6 if expr "x`$PROG version`" : "xOpenSSL" > /dev/null; then
7 :
8 else
9 echo "$PROG is not OpenSSL executable"
10 exit 1
11 fi
12else
13 echo "$PROG is not executable"
14 exit 1;
15fi
16
17if $PROG engine padlock | grep -v no-ACE; then
18
19 HASH=`cat $PROG | $PROG dgst -hex`
20
21 ACE_ALGS=" aes-128-ecb aes-192-ecb aes-256-ecb \
22 aes-128-cbc aes-192-cbc aes-256-cbc \
23 aes-128-cfb aes-192-cfb aes-256-cfb \
24 aes-128-ofb aes-192-ofb aes-256-ofb"
25
26 nerr=0
27
28 for alg in $ACE_ALGS; do
29 echo $alg
30 TEST=`( cat $PROG | \
31 $PROG enc -e -k "$HASH" -$alg -bufsize 999 -engine padlock | \
32 $PROG enc -d -k "$HASH" -$alg | \
33 $PROG dgst -hex ) 2>/dev/null`
34 if [ "$TEST" != "$HASH" ]; then
35 echo "-$alg encrypt test failed"
36 nerr=`expr $nerr + 1`
37 fi
38 TEST=`( cat $PROG | \
39 $PROG enc -e -k "$HASH" -$alg | \
40 $PROG enc -d -k "$HASH" -$alg -bufsize 999 -engine padlock | \
41 $PROG dgst -hex ) 2>/dev/null`
42 if [ "$TEST" != "$HASH" ]; then
43 echo "-$alg decrypt test failed"
44 nerr=`expr $nerr + 1`
45 fi
46 TEST=`( cat $PROG | \
47 $PROG enc -e -k "$HASH" -$alg -engine padlock | \
48 $PROG enc -d -k "$HASH" -$alg -engine padlock | \
49 $PROG dgst -hex ) 2>/dev/null`
50 if [ "$TEST" != "$HASH" ]; then
51 echo "-$alg en/decrypt test failed"
52 nerr=`expr $nerr + 1`
53 fi
54 done
55
56 if [ $nerr -gt 0 ]; then
57 echo "PadLock ACE test failed."
58 exit 1;
59 fi
60else
61 echo "PadLock ACE is not available"
62fi
63
64exit 0
diff --git a/src/lib/libssl/test/testssl b/src/lib/libssl/test/testssl
index 8ac90ae5ee..f9d7c5d65f 100644
--- a/src/lib/libssl/test/testssl
+++ b/src/lib/libssl/test/testssl
@@ -142,4 +142,10 @@ else
142 fi 142 fi
143fi 143fi
144 144
145echo test tls1 with PSK
146$ssltest -tls1 -cipher PSK -psk abc123 $extra || exit 1
147
148echo test tls1 with PSK via BIO pair
149$ssltest -bio_pair -tls1 -cipher PSK -psk abc123 $extra || exit 1
150
145exit 0 151exit 0
diff --git a/src/lib/libssl/test/testtsa b/src/lib/libssl/test/testtsa
new file mode 100644
index 0000000000..bb653b5f73
--- /dev/null
+++ b/src/lib/libssl/test/testtsa
@@ -0,0 +1,238 @@
1#!/bin/sh
2
3#
4# A few very basic tests for the 'ts' time stamping authority command.
5#
6
7SH="/bin/sh"
8if test "$OSTYPE" = msdosdjgpp; then
9 PATH="../apps\;$PATH"
10else
11 PATH="../apps:$PATH"
12fi
13export SH PATH
14
15OPENSSL_CONF="../CAtsa.cnf"
16export OPENSSL_CONF
17# Because that's what ../apps/CA.sh really looks at
18SSLEAY_CONFIG="-config $OPENSSL_CONF"
19export SSLEAY_CONFIG
20
21OPENSSL="`pwd`/../util/opensslwrap.sh"
22export OPENSSL
23
24error () {
25
26 echo "TSA test failed!" >&2
27 exit 1
28}
29
30setup_dir () {
31
32 rm -rf tsa 2>/dev/null
33 mkdir tsa
34 cd ./tsa
35}
36
37clean_up_dir () {
38
39 cd ..
40 rm -rf tsa
41}
42
43create_ca () {
44
45 echo "Creating a new CA for the TSA tests..."
46 TSDNSECT=ts_ca_dn
47 export TSDNSECT
48 ../../util/shlib_wrap.sh ../../apps/openssl req -new -x509 -nodes \
49 -out tsaca.pem -keyout tsacakey.pem
50 test $? != 0 && error
51}
52
53create_tsa_cert () {
54
55 INDEX=$1
56 export INDEX
57 EXT=$2
58 TSDNSECT=ts_cert_dn
59 export TSDNSECT
60
61 ../../util/shlib_wrap.sh ../../apps/openssl req -new \
62 -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem
63 test $? != 0 && error
64echo Using extension $EXT
65 ../../util/shlib_wrap.sh ../../apps/openssl x509 -req \
66 -in tsa_req${INDEX}.pem -out tsa_cert${INDEX}.pem \
67 -CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \
68 -extfile $OPENSSL_CONF -extensions $EXT
69 test $? != 0 && error
70}
71
72print_request () {
73
74 ../../util/shlib_wrap.sh ../../apps/openssl ts -query -in $1 -text
75}
76
77create_time_stamp_request1 () {
78
79 ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa -policy tsa_policy1 -cert -out req1.tsq
80 test $? != 0 && error
81}
82
83create_time_stamp_request2 () {
84
85 ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa -policy tsa_policy2 -no_nonce \
86 -out req2.tsq
87 test $? != 0 && error
88}
89
90create_time_stamp_request3 () {
91
92 ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../CAtsa.cnf -no_nonce -out req3.tsq
93 test $? != 0 && error
94}
95
96print_response () {
97
98 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $1 -text
99 test $? != 0 && error
100}
101
102create_time_stamp_response () {
103
104 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -section $3 -queryfile $1 -out $2
105 test $? != 0 && error
106}
107
108time_stamp_response_token_test () {
109
110 RESPONSE2=$2.copy.tsr
111 TOKEN_DER=$2.token.der
112 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $TOKEN_DER -token_out
113 test $? != 0 && error
114 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -out $RESPONSE2
115 test $? != 0 && error
116 cmp $RESPONSE2 $2
117 test $? != 0 && error
118 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -text -token_out
119 test $? != 0 && error
120 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -text -token_out
121 test $? != 0 && error
122 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -queryfile $1 -text -token_out
123 test $? != 0 && error
124}
125
126verify_time_stamp_response () {
127
128 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2 -CAfile tsaca.pem \
129 -untrusted tsa_cert1.pem
130 test $? != 0 && error
131 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data $3 -in $2 -CAfile tsaca.pem \
132 -untrusted tsa_cert1.pem
133 test $? != 0 && error
134}
135
136verify_time_stamp_token () {
137
138 # create the token from the response first
139 ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $2.token -token_out
140 test $? != 0 && error
141 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2.token -token_in \
142 -CAfile tsaca.pem -untrusted tsa_cert1.pem
143 test $? != 0 && error
144 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data $3 -in $2.token -token_in \
145 -CAfile tsaca.pem -untrusted tsa_cert1.pem
146 test $? != 0 && error
147}
148
149verify_time_stamp_response_fail () {
150
151 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2 -CAfile tsaca.pem \
152 -untrusted tsa_cert1.pem
153 # Checks if the verification failed, as it should have.
154 test $? = 0 && error
155 echo Ok
156}
157
158# main functions
159
160echo "Setting up TSA test directory..."
161setup_dir
162
163echo "Creating CA for TSA tests..."
164create_ca
165
166echo "Creating tsa_cert1.pem TSA server cert..."
167create_tsa_cert 1 tsa_cert
168
169echo "Creating tsa_cert2.pem non-TSA server cert..."
170create_tsa_cert 2 non_tsa_cert
171
172echo "Creating req1.req time stamp request for file testtsa..."
173create_time_stamp_request1
174
175echo "Printing req1.req..."
176print_request req1.tsq
177
178echo "Generating valid response for req1.req..."
179create_time_stamp_response req1.tsq resp1.tsr tsa_config1
180
181echo "Printing response..."
182print_response resp1.tsr
183
184echo "Verifying valid response..."
185verify_time_stamp_response req1.tsq resp1.tsr ../testtsa
186
187echo "Verifying valid token..."
188verify_time_stamp_token req1.tsq resp1.tsr ../testtsa
189
190# The tests below are commented out, because invalid signer certificates
191# can no longer be specified in the config file.
192
193# echo "Generating _invalid_ response for req1.req..."
194# create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2
195
196# echo "Printing response..."
197# print_response resp1_bad.tsr
198
199# echo "Verifying invalid response, it should fail..."
200# verify_time_stamp_response_fail req1.tsq resp1_bad.tsr
201
202echo "Creating req2.req time stamp request for file testtsa..."
203create_time_stamp_request2
204
205echo "Printing req2.req..."
206print_request req2.tsq
207
208echo "Generating valid response for req2.req..."
209create_time_stamp_response req2.tsq resp2.tsr tsa_config1
210
211echo "Checking '-token_in' and '-token_out' options with '-reply'..."
212time_stamp_response_token_test req2.tsq resp2.tsr
213
214echo "Printing response..."
215print_response resp2.tsr
216
217echo "Verifying valid response..."
218verify_time_stamp_response req2.tsq resp2.tsr ../testtsa
219
220echo "Verifying response against wrong request, it should fail..."
221verify_time_stamp_response_fail req1.tsq resp2.tsr
222
223echo "Verifying response against wrong request, it should fail..."
224verify_time_stamp_response_fail req2.tsq resp1.tsr
225
226echo "Creating req3.req time stamp request for file CAtsa.cnf..."
227create_time_stamp_request3
228
229echo "Printing req3.req..."
230print_request req3.tsq
231
232echo "Verifying response against wrong request, it should fail..."
233verify_time_stamp_response_fail req3.tsq resp1.tsr
234
235echo "Cleaning up..."
236clean_up_dir
237
238exit 0
diff --git a/src/lib/libssl/test/times b/src/lib/libssl/test/times
index 738d569b8f..6b66eb342e 100644
--- a/src/lib/libssl/test/times
+++ b/src/lib/libssl/test/times
@@ -1,7 +1,7 @@
1 1
2More number for the questions about SSL overheads.... 2More number for the questions about SSL overheads....
3 3
4The following numbers were generated on a pentium pro 200, running linux. 4The following numbers were generated on a Pentium pro 200, running Linux.
5They give an indication of the SSL protocol and encryption overheads. 5They give an indication of the SSL protocol and encryption overheads.
6 6
7The program that generated them is an unreleased version of ssl/ssltest.c 7The program that generated them is an unreleased version of ssl/ssltest.c
@@ -11,7 +11,7 @@ interface.
11 11
12How do I read this? The protocol and cipher are reasonable obvious. 12How do I read this? The protocol and cipher are reasonable obvious.
13The next number is the number of connections being made. The next is the 13The next number is the number of connections being made. The next is the
14number of bytes exchanged bewteen the client and server side of the protocol. 14number of bytes exchanged between the client and server side of the protocol.
15This is the number of bytes that the client sends to the server, and then 15This is the number of bytes that the client sends to the server, and then
16the server sends back. Because this is all happening in one process, 16the server sends back. Because this is all happening in one process,
17the data is being encrypted, decrypted, encrypted and then decrypted again. 17the data is being encrypted, decrypted, encrypted and then decrypted again.
@@ -55,10 +55,10 @@ SSLv3 DES-CBC3-SHA 1000 x 102400 336.61s 323.82s
55 55
56What does this all mean? Well for a server, with no session-id reuse, with 56What does this all mean? Well for a server, with no session-id reuse, with
57a transfer size of 10240 bytes, using RC4-MD5 and a 512bit server key, 57a transfer size of 10240 bytes, using RC4-MD5 and a 512bit server key,
58a pentium pro 200 running linux can handle the SSLv3 protocol overheads of 58a Pentium pro 200 running Linux can handle the SSLv3 protocol overheads of
59about 49 connections a second. Reality will be quite different :-). 59about 49 connections a second. Reality will be quite different :-).
60 60
61Remeber the first number is 1000 full ssl handshakes, the second is 61Remember the first number is 1000 full ssl handshakes, the second is
621 full and 999 with session-id reuse. The RSA overheads for each exchange 621 full and 999 with session-id reuse. The RSA overheads for each exchange
63would be one public and one private operation, but the protocol/MAC/cipher 63would be one public and one private operation, but the protocol/MAC/cipher
64cost would be quite similar in both the client and server. 64cost would be quite similar in both the client and server.
@@ -72,21 +72,21 @@ eric (adding numbers to speculation)
72 killer in SSL. Often delays in the TCP protocol will make session-id 72 killer in SSL. Often delays in the TCP protocol will make session-id
73 reuse look slower that new sessions, but this would not be the case on 73 reuse look slower that new sessions, but this would not be the case on
74 a loaded server. 74 a loaded server.
75- The TCP round trip latencies, while slowing indervidual connections, 75- The TCP round trip latencies, while slowing individual connections,
76 would have minimal impact on throughput. 76 would have minimal impact on throughput.
77- Instead of sending one 102400 byte buffer, one 8k buffer is sent until 77- Instead of sending one 102400 byte buffer, one 8k buffer is sent until
78- the required number of bytes are processed. 78- the required number of bytes are processed.
79- The SSLv3 connections were actually SSLv2 compatable SSLv3 headers. 79- The SSLv3 connections were actually SSLv2 compatible SSLv3 headers.
80- A 512bit server key was being used except where noted. 80- A 512bit server key was being used except where noted.
81- No server key verification was being performed on the client side of the 81- No server key verification was being performed on the client side of the
82 protocol. This would slow things down very little. 82 protocol. This would slow things down very little.
83- The library being used is SSLeay 0.8.x. 83- The library being used is SSLeay 0.8.x.
84- The normal mesauring system was commands of the form 84- The normal measuring system was commands of the form
85 time ./ssltest -num 1000 -bytes 102400 -cipher DES-CBC-SHA -reuse 85 time ./ssltest -num 1000 -bytes 102400 -cipher DES-CBC-SHA -reuse
86 This modified version of ssltest should be in the next public release of 86 This modified version of ssltest should be in the next public release of
87 SSLeay. 87 SSLeay.
88 88
89The general cipher performace number for this platform are 89The general cipher performance number for this platform are
90 90
91SSLeay 0.8.2a 04-Sep-1997 91SSLeay 0.8.2a 04-Sep-1997
92built on Fri Sep 5 17:37:05 EST 1997 92built on Fri Sep 5 17:37:05 EST 1997
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-17 21:29:38 +0000