security-and-privacy/gnupg
security-and-privacy
/
gnupg
mirror of git://git.gnupg.org/gnupg.git
1
0
Fork 0
Code Releases Activity

* import.c (check_and_store): Do a full validation if 

--with-validation is set.

* certchain.c (gpgsm_basic_cert_check): Print more detailed error
messages.

* certcheck.c (do_encode_md): Partly support DSA.  Add new arg
PKALGO. Changed all callers to pass it.
(pk_algo_from_sexp): New.

tests/pkits: New directory
This commit is contained in:
Werner Koch 2004-08-17 15:26:22 +00:00
parent f5799d0170
commit 066352a6a5
24 changed files with 1157 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -1,3 +1,8 @@
2004-08-16 Werner Koch <wk@g10code.de>
* configure.ac: Build Makefile for tests/pkits. New option
--with-pkits-tests.
2004-08-05 Werner Koch <wk@g10code.de>
* configure.ac: Changed tests for libusb to also suuport the

3
NEWS
View File

@ -1,6 +1,9 @@
Noteworthy changes in version 1.9.11
-------------------------------------------------
* When using --import along with --with-validation, the imported
certificates are validated and only imported if they are fully
valid.
Noteworthy changes in version 1.9.10 (2004-07-22)
-------------------------------------------------

7
TODO
View File

@ -35,6 +35,8 @@ might want to have an agent context for each service request
while gpg-protect-tool wants to pop up the pinentry. Solution is
to release the connection. This is not trivial, thus we are going
to do that while changing gpgsm to allow concurrent operations.
** support the anyPolicy semantic
** Check that we are really following the verification procedures in rfc3280.
* sm/keydb.c
** Check file permissions
@ -44,14 +46,15 @@ might want to have an agent context for each service request
* agent/gpg-agent.c
** A SIGHUP should also restart the scdaemon
But do this only after all connections terminated.
As of now we only send a RESET.
But do this only after all connections terminated. As of now we
only send a RESET.
* agent/command.c
** Make sure that secure memory is used where appropriate
* agent/pkdecrypt.c, agent/pksign.c
** Don't use stdio to return results.
** Support DSA
* agent/divert-scd.c
Remove the agent_reset_scd kludge.

21
configure.ac
View File

@ -940,6 +940,14 @@ else
fi
AC_SUBST(ZLIBS)
# See wether we want to run the long test suite.
AC_ARG_WITH(pkits-tests,
AC_HELP_STRING([--with-pkits-tests],[run the PKITS based tests]),
[run_pkits_tests=$withval], [run_pkits_tests=no])
AM_CONDITIONAL(RUN_PKITS_TESTS, test "$run_pkits_tests" = "yes")
# Allow users to append something to the version string without
# flagging it as development version. The user version parts is
# considered everything after a dash.
@ -1121,6 +1129,7 @@ scd/Makefile
tools/Makefile
doc/Makefile
tests/Makefile
tests/pkits/Makefile
])
AC_OUTPUT
@ -1137,10 +1146,12 @@ echo "
Agent: $build_agent $build_agent_threaded
Smartcard: $build_scdaemon $build_scdaemon_extra
Protect tool: $show_gnupg_protect_tool_pgm
Default agent: $show_gnupg_agent_pgm
Default pinentry: $show_gnupg_pinentry_pgm
Default scdaemon: $show_gnupg_scdaemon_pgm
Default dirmngr: $show_gnupg_dirmngr_pgm
Protect tool: $show_gnupg_protect_tool_pgm
Default agent: $show_gnupg_agent_pgm
Default pinentry: $show_gnupg_pinentry_pgm
Default scdaemon: $show_gnupg_scdaemon_pgm
Default dirmngr: $show_gnupg_dirmngr_pgm
PKITS based tests: $run_pkits_tests
"

14
doc/gpgsm.texi
View File

@ -358,7 +358,13 @@ secret key.
@opindex with-validation
When doing a key listing, do a full validation check for each key and
print the result. This is usually a slow operation because it
requires a CRL lookup and other operations.
requires a CRL lookup and other operations.
When used along with --import, a validation of the certificate to
import is done and only imported if it succeeds the test. Note that
this does not affect an already available cwertificate in the DB.
This option is therefore useful to simply verify a certificate.
@item --with-md5-fingerprint
For standard key listings, also print the MD5 fingerprint of the
@ -470,6 +476,12 @@ This is actually not a debugging option but only useful as such. It
lets gpgsm ignore all notAfter dates, this is used by the regresssion
tests.
@item --fixed-passphrase @var{string}
@opindex fixed-passphrase
Supply the passphrase @var{string} to the gpg-protect-tool. This
option is only useful for the regression tests included with this
package and may be revised or removed at any time without notice.
@end table
All the long options may also be given in the configuration file after

56
po/de.po
View File

@ -10,7 +10,7 @@ msgid ""
msgstr ""
"Project-Id-Version: gnupg2 1.9.10\n"
"Report-Msgid-Bugs-To: translations@gnupg.org\n"
"POT-Creation-Date: 2004-07-22 09:54+0200\n"
"POT-Creation-Date: 2004-08-05 11:31+0200\n"
"PO-Revision-Date: 2004-07-22 10:05+0200\n"
"Last-Translator: Werner Koch <wk@gnupg.org>\n"
"Language-Team: de\n"
@ -18,7 +18,7 @@ msgstr ""
"Content-Type: text/plain; charset=iso-8859-1\n"
"Content-Transfer-Encoding: 8bit\n"
#: agent/gpg-agent.c:96 agent/protect-tool.c:94 scd/scdaemon.c:92
#: agent/gpg-agent.c:96 agent/protect-tool.c:94 scd/scdaemon.c:93
msgid ""
"@Options:\n"
" "
@ -26,28 +26,28 @@ msgstr ""
"@Optionen:\n"
" "
#: agent/gpg-agent.c:98 scd/scdaemon.c:94
#: agent/gpg-agent.c:98 scd/scdaemon.c:95
msgid "run in server mode (foreground)"
msgstr "Im Server Modus ausführen"
#: agent/gpg-agent.c:99 scd/scdaemon.c:95
#: agent/gpg-agent.c:99 scd/scdaemon.c:96
msgid "run in daemon mode (background)"
msgstr "Im Daemon Modus ausführen"
#: agent/gpg-agent.c:100 kbx/kbxutil.c:75 scd/scdaemon.c:96 sm/gpgsm.c:313
#: agent/gpg-agent.c:100 kbx/kbxutil.c:75 scd/scdaemon.c:97 sm/gpgsm.c:313
#: tools/gpgconf.c:62
msgid "verbose"
msgstr "ausführlich"
#: agent/gpg-agent.c:101 kbx/kbxutil.c:76 scd/scdaemon.c:97 sm/gpgsm.c:314
#: agent/gpg-agent.c:101 kbx/kbxutil.c:76 scd/scdaemon.c:98 sm/gpgsm.c:314
msgid "be somewhat more quiet"
msgstr "etwas weniger Aussageb erzeugen"
#: agent/gpg-agent.c:102 scd/scdaemon.c:98
#: agent/gpg-agent.c:102 scd/scdaemon.c:99
msgid "sh-style command output"
msgstr "Ausgabe für /bin/sh"
#: agent/gpg-agent.c:103 scd/scdaemon.c:99
#: agent/gpg-agent.c:103 scd/scdaemon.c:100
msgid "csh-style command output"
msgstr "Ausgabe für /bin/csh"
@ -55,7 +55,7 @@ msgstr "Ausgabe f
msgid "|FILE|read options from FILE"
msgstr "|DATEI|Konfigurationsoptionen aus DATEI lesen"
#: agent/gpg-agent.c:109 scd/scdaemon.c:106
#: agent/gpg-agent.c:109 scd/scdaemon.c:107
msgid "do not detach from the console"
msgstr "Im Vordergrund laufen lassen"
@ -63,7 +63,7 @@ msgstr "Im Vordergrund laufen lassen"
msgid "do not grab keyboard and mouse"
msgstr "Tastatur und Maus nicht \"grabben\""
#: agent/gpg-agent.c:111 scd/scdaemon.c:107 sm/gpgsm.c:316
#: agent/gpg-agent.c:111 scd/scdaemon.c:108 sm/gpgsm.c:316
msgid "use a log file for the server"
msgstr "Logausgaben in eine Datei umlenken"
@ -99,12 +99,12 @@ msgstr "benutze PINs im Cache nicht bem Signieren"
msgid "allow clients to mark keys as \"trusted\""
msgstr "erlaube Aufrufern Schlüssel als \"vertrauenswürdig\" zu markieren"
#: agent/gpg-agent.c:191 agent/protect-tool.c:127 scd/scdaemon.c:165
#: agent/gpg-agent.c:191 agent/protect-tool.c:127 scd/scdaemon.c:168
#: sm/gpgsm.c:481 tools/gpgconf.c:85
msgid "Please report bugs to <"
msgstr "Fehlerberichte bitte an <"
#: agent/gpg-agent.c:191 agent/protect-tool.c:127 scd/scdaemon.c:165
#: agent/gpg-agent.c:191 agent/protect-tool.c:127 scd/scdaemon.c:168
#: sm/gpgsm.c:481 tools/gpgconf.c:85
msgid ">.\n"
msgstr ">.\n"
@ -121,35 +121,35 @@ msgstr ""
"Syntax: gpg-agent [Optionen] [Kommando [Argumente]]\n"
"Verwaltung von geheimen Schlüssel für GnuPG\n"
#: agent/gpg-agent.c:267 scd/scdaemon.c:239 sm/gpgsm.c:604
#: agent/gpg-agent.c:267 scd/scdaemon.c:242 sm/gpgsm.c:604
#, c-format
msgid "invalid debug-level `%s' given\n"
msgstr "ungültige Debugebene `%s' angegeben\n"
#: agent/gpg-agent.c:439 agent/protect-tool.c:1040 kbx/kbxutil.c:232
#: scd/scdaemon.c:352 sm/gpgsm.c:726
#: scd/scdaemon.c:357 sm/gpgsm.c:726
#, c-format
msgid "libgcrypt is too old (need %s, have %s)\n"
msgstr ""
"Die Bibliothek \"libgcrypt\" is zu alt (benötigt wird %s, vorhanden ist %s)\n"
#: agent/gpg-agent.c:512 scd/scdaemon.c:432 sm/gpgsm.c:824
#: agent/gpg-agent.c:512 scd/scdaemon.c:437 sm/gpgsm.c:824
#, c-format
msgid "NOTE: no default option file `%s'\n"
msgstr "Notiz: Voreingestellte Konfigurationsdatei `%s' fehlt\n"
#: agent/gpg-agent.c:517 agent/gpg-agent.c:983 scd/scdaemon.c:437
#: agent/gpg-agent.c:517 agent/gpg-agent.c:983 scd/scdaemon.c:442
#: sm/gpgsm.c:828
#, c-format
msgid "option file `%s': %s\n"
msgstr "Konfigurationsdatei `%s': %s\n"
#: agent/gpg-agent.c:525 scd/scdaemon.c:445 sm/gpgsm.c:835
#: agent/gpg-agent.c:525 scd/scdaemon.c:450 sm/gpgsm.c:835
#, c-format
msgid "reading options from `%s'\n"
msgstr "Optionen werden aus `%s' gelesen\n"
#: agent/gpg-agent.c:668 scd/scdaemon.c:619
#: agent/gpg-agent.c:668 scd/scdaemon.c:630
msgid "please use the option `--daemon' to run the program in the background\n"
msgstr ""
"Bitte die Option `--daemon' nutzen um das Programm im Hintergund "
@ -362,43 +362,43 @@ msgstr ""
"Syntax: kbxutil [Optionen] [Dateien]\n"
"Anlistem exportieren und Importieren von KeyBox Dateien\n"
#: scd/scdaemon.c:100 sm/gpgsm.c:333
#: scd/scdaemon.c:101 sm/gpgsm.c:333
msgid "read options from file"
msgstr "Konfigurationsoptionen aus Datei lesen"
#: scd/scdaemon.c:105
#: scd/scdaemon.c:106
msgid "|N|set OpenSC debug level to N"
msgstr "|N|Den OpenSC Debugstufe auf N setzen"
#: scd/scdaemon.c:108
#: scd/scdaemon.c:109
msgid "|N|connect to reader at port N"
msgstr "|N|Verbinde mit dem Leser auf Port N"
#: scd/scdaemon.c:109
#: scd/scdaemon.c:110
msgid "|NAME|use NAME as ct-API driver"
msgstr "|NAME|Benutze NAME als CT-API Treiber"
#: scd/scdaemon.c:110
#: scd/scdaemon.c:111
msgid "|NAME|use NAME as PC/SC driver"
msgstr "|NAME|Benutze NAME als PC/SC Treiber"
#: scd/scdaemon.c:113
#: scd/scdaemon.c:114
msgid "do not use the internal CCID driver"
msgstr "Den internen CCID Treiber nicht benutzen"
#: scd/scdaemon.c:120
#: scd/scdaemon.c:121
msgid "do not use the OpenSC layer"
msgstr "Den OpenSC basierten Kartenzugriff nicht nutzen"
#: scd/scdaemon.c:125
#: scd/scdaemon.c:126
msgid "allow the use of admin card commands"
msgstr "Erlaube die Benuztung von \"Admin\" Kommandos"
#: scd/scdaemon.c:168
#: scd/scdaemon.c:171
msgid "Usage: scdaemon [options] (-h for help)"
msgstr "Gebrauch: scdaemon [Optionen] (-h für Hilfe)"
#: scd/scdaemon.c:170
#: scd/scdaemon.c:173
msgid ""
"Syntax: scdaemon [options] [command [args]]\n"
"Smartcard daemon for GnuPG\n"

2
scd/sc-investigate.c
View File

@ -76,7 +76,7 @@ static ARGPARSE_OPTS opts[] = {
{ oQuiet, "quiet", 0, "quiet" },
{ oVerbose, "verbose", 0, "verbose" },
{ oReaderPort, "reader-port", 2, "|N|connect to reader at port N"},
{ octapiDriver, "ctapi-driver", 2, "NAME|use NAME as ctAPI driver"},
{ octapiDriver, "ctapi-driver", 2, "|NAME|use NAME as ctAPI driver"},
{ oDisableCCID, "disable-ccid", 0,
#ifdef HAVE_LIBUSB
"do not use the internal CCID driver"

15
sm/ChangeLog
View File

@ -1,5 +1,20 @@
2004-08-17 Werner Koch <wk@g10code.de>
* import.c (check_and_store): Do a full validation if
--with-validation is set.
* certchain.c (gpgsm_basic_cert_check): Print more detailed error
messages.
* certcheck.c (do_encode_md): Partly support DSA. Add new arg
PKALGO. Changed all callers to pass it.
(pk_algo_from_sexp): New.
2004-08-16 Werner Koch <wk@g10code.de>
* gpgsm.c: New option --fixed-passphrase.
* import.c (popen_protect_tool): Pass it to the protect-tool.
* server.c (cmd_encrypt): Use DEFAULT_RECPLIST and not recplist
for encrypt-to keys.

16
sm/certchain.c
View File

@ -39,9 +39,9 @@
#include "i18n.h"
/* If LISTMODE is true, print FORMAT in liting mode to FP. If
/* If LISTMODE is true, print FORMAT using LISTMODE to FP. If
LISTMODE is false, use the string to print an log_info or, if
IS_ERROR is true, an log_error. */
IS_ERROR is true, and log_error. */
static void
do_list (int is_error, int listmode, FILE *fp, const char *format, ...)
{
@ -925,9 +925,11 @@ gpgsm_basic_cert_check (ksba_cert_t cert)
if (subject && !strcmp (issuer, subject))
{
if (gpgsm_check_cert_sig (cert, cert) )
rc = gpgsm_check_cert_sig (cert, cert);
if (rc)
{
log_error ("selfsigned certificate has a BAD signature\n");
log_error ("selfsigned certificate has a BAD signature: %s\n",
gpg_strerror (rc));
rc = gpg_error (GPG_ERR_BAD_CERT);
goto leave;
}
@ -960,9 +962,11 @@ gpgsm_basic_cert_check (ksba_cert_t cert)
goto leave;
}
if (gpgsm_check_cert_sig (issuer_cert, cert) )
rc = gpgsm_check_cert_sig (issuer_cert, cert);
if (rc)
{
log_error ("certificate has a BAD signature\n");
log_error ("certificate has a BAD signature: %s\n",
gpg_strerror (rc));
rc = gpg_error (GPG_ERR_BAD_CERT);
goto leave;
}

136
sm/certcheck.c
View File

@ -1,5 +1,5 @@
/* certcheck.c - check one certificate
* Copyright (C) 2001, 2003 Free Software Foundation, Inc.
* Copyright (C) 2001, 2003, 2004 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
@ -36,51 +36,71 @@
static int
do_encode_md (gcry_md_hd_t md, int algo, unsigned int nbits,
do_encode_md (gcry_md_hd_t md, int algo, int pkalgo, unsigned int nbits,
gcry_mpi_t *r_val)
{
int nframe = (nbits+7) / 8;
byte *frame;
int i, n;
byte asn[100];
size_t asnlen;
size_t len;
int n, nframe;
unsigned char *frame;
asnlen = DIM(asn);
if (gcry_md_algo_info (algo, GCRYCTL_GET_ASNOID, asn, &asnlen))
if (pkalgo == GCRY_PK_DSA)
{
log_error ("no object identifier for algo %d\n", algo);
return gpg_error (GPG_ERR_INTERNAL);
nframe = gcry_md_get_algo_dlen (algo);
if (nframe != 20)
{
log_error (_("DSA requires the use of a 160 bit hash algorithm\n"));
return gpg_error (GPG_ERR_INTERNAL);
}
frame = xtrymalloc (nframe);
if (!frame)
return OUT_OF_CORE (errno);
memcpy (frame, gcry_md_read (md, algo), nframe);
n = nframe;
}
else
{
int i;
unsigned char asn[100];
size_t asnlen;
size_t len;
len = gcry_md_get_algo_dlen (algo);
if ( len + asnlen + 4 > nframe )
{
log_error ("can't encode a %d bit MD into a %d bits frame\n",
(int)(len*8), (int)nbits);
return gpg_error (GPG_ERR_INTERNAL);
nframe = (nbits+7) / 8;
asnlen = DIM(asn);
if (gcry_md_algo_info (algo, GCRYCTL_GET_ASNOID, asn, &asnlen))
{
log_error ("no object identifier for algo %d\n", algo);
return gpg_error (GPG_ERR_INTERNAL);
}
len = gcry_md_get_algo_dlen (algo);
if ( len + asnlen + 4 > nframe )
{
log_error ("can't encode a %d bit MD into a %d bits frame\n",
(int)(len*8), (int)nbits);
return gpg_error (GPG_ERR_INTERNAL);
}
/* We encode the MD in this way:
*
* 0 A PAD(n bytes) 0 ASN(asnlen bytes) MD(len bytes)
*
* PAD consists of FF bytes.
*/
frame = xtrymalloc (nframe);
if (!frame)
return OUT_OF_CORE (errno);
n = 0;
frame[n++] = 0;
frame[n++] = 1; /* block type */
i = nframe - len - asnlen -3 ;
assert ( i > 1 );
memset ( frame+n, 0xff, i ); n += i;
frame[n++] = 0;
memcpy ( frame+n, asn, asnlen ); n += asnlen;
memcpy ( frame+n, gcry_md_read(md, algo), len ); n += len;
assert ( n == nframe );
}
/* We encode the MD in this way:
*
* 0 A PAD(n bytes) 0 ASN(asnlen bytes) MD(len bytes)
*
* PAD consists of FF bytes.
*/
frame = xtrymalloc (nframe);
if (!frame)
return OUT_OF_CORE (errno);
n = 0;
frame[n++] = 0;
frame[n++] = 1; /* block type */
i = nframe - len - asnlen -3 ;
assert ( i > 1 );
memset ( frame+n, 0xff, i ); n += i;
frame[n++] = 0;
memcpy ( frame+n, asn, asnlen ); n += asnlen;
memcpy ( frame+n, gcry_md_read(md, algo), len ); n += len;
assert ( n == nframe );
if (DBG_X509)
{
int j;
@ -95,6 +115,38 @@ do_encode_md (gcry_md_hd_t md, int algo, unsigned int nbits,
return 0;
}
/* Return the public key algorithm id from the S-expression PKEY.
FIXME: libgcrypt should provide such a function. Note that this
implementation uses the names as used by libksba. */
static int
pk_algo_from_sexp (gcry_sexp_t pkey)
{
gcry_sexp_t l1, l2;
const char *name;
size_t n;
int algo;
l1 = gcry_sexp_find_token (pkey, "public-key", 0);
if (!l1)
return 0; /* Not found. */
l2 = gcry_sexp_cadr (l1);
gcry_sexp_release (l1);
name = gcry_sexp_nth_data (l2, 0, &n);
if (!name)
algo = 0; /* Not found. */
else if (n==3 && !memcmp (name, "rsa", 3))
algo = GCRY_PK_RSA;
else if (n==3 && !memcmp (name, "dsa", 3))
algo = GCRY_PK_DSA;
else if (n==13 && !memcmp (name, "ambiguous-rsa", 13))
algo = GCRY_PK_RSA;
else
algo = 0;
gcry_sexp_release (l2);
return algo;
}
/*
Check the signature on CERT using the ISSUER-CERT. This function
@ -182,7 +234,8 @@ gpgsm_check_cert_sig (ksba_cert_t issuer_cert, ksba_cert_t cert)
return rc;
}
rc = do_encode_md (md, algo, gcry_pk_get_nbits (s_pkey), &frame);
rc = do_encode_md (md, algo, pk_algo_from_sexp (s_pkey),
gcry_pk_get_nbits (s_pkey), &frame);
if (rc)
{
gcry_md_close (md);
@ -254,7 +307,8 @@ gpgsm_check_cms_signature (ksba_cert_t cert, ksba_const_sexp_t sigval,
}
rc = do_encode_md (md, algo, gcry_pk_get_nbits (s_pkey), &frame);
rc = do_encode_md (md, algo, pk_algo_from_sexp (s_pkey),
gcry_pk_get_nbits (s_pkey), &frame);
if (rc)
{
gcry_sexp_release (s_sig);

8
sm/gpgsm.c
View File

@ -95,6 +95,7 @@ enum cmd_and_opt_values {
oDebugAllowCoreDump,
oDebugNoChainValidation,
oDebugIgnoreExpiration,
oFixedPassphrase,
oLogFile,
oEnableSpecialFilenames,
@ -340,6 +341,7 @@ static ARGPARSE_OPTS opts[] = {
{ oDebugAllowCoreDump, "debug-allow-core-dump", 0, "@" },
{ oDebugNoChainValidation, "debug-no-chain-validation", 0, "@"},
{ oDebugIgnoreExpiration, "debug-ignore-expiration", 0, "@"},
{ oFixedPassphrase, "fixed-passphrase", 2, "@"},
{ oStatusFD, "status-fd" ,1, N_("|FD|write status info to this FD") },
{ aDummy, "no-comment", 0, "@"},
{ aDummy, "completes-needed", 1, "@"},
@ -706,6 +708,7 @@ main ( int argc, char **argv)
CERTLIST signerlist = NULL;
int do_not_setup_keys = 0;
/* trap_unaligned ();*/
set_strusage (my_strusage);
gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
@ -802,10 +805,10 @@ main ( int argc, char **argv)
ctrl.status_fd = -1; /* not status output */
ctrl.autodetect_encoding = 1;
/* set the default option file */
/* Set the default option file */
if (default_config )
configname = make_filename (opt.homedir, "gpgsm.conf", NULL);
/* cet the default policy file */
/* Set the default policy file */
opt.policy_file = make_filename (opt.homedir, "policies.txt", NULL);
argc = orig_argc;
@ -1019,6 +1022,7 @@ main ( int argc, char **argv)
break;
case oDebugNoChainValidation: opt.no_chain_validation = 1; break;
case oDebugIgnoreExpiration: opt.ignore_expiration = 1; break;
case oFixedPassphrase: opt.fixed_passphrase = pargs.r.ret_str; break;
case oStatusFD: ctrl.status_fd = pargs.r.ret_int; break;
case oLoggerFD: log_set_fd (pargs.r.ret_int ); break;

1
sm/gpgsm.h
View File

@ -100,6 +100,7 @@ struct {
int no_policy_check; /* ignore certificate policies */
int no_chain_validation; /* Bypass all cert chain validity tests */
int ignore_expiration; /* Ignore the notAfter validity checks. */
char *fixed_passphrase; /* Passphrase used by regression tests. */
int auto_issuer_key_retrieve; /* try to retrieve a missing issuer key. */
} opt;

39
sm/import.c
View File

@ -172,13 +172,19 @@ check_and_store (CTRL ctrl, struct stats_s *stats, ksba_cert_t cert, int depth)
/* Some basic checks, but don't care about missing certificates;
this is so that we are able to import entire certificate chains
w/o requirening a special order (i.e. root-CA first). This used
w/o requiring a special order (i.e. root-CA first). This used
to be different but because gpgsm_verify even imports
certificates without any checks, it doesn't matter much and the
code gets much cleaner. A housekeeping function to remove
certificates w/o an anchor would be nice, though. */
certificates w/o an anchor would be nice, though.
Optionally we do a full validation in addition to the basic test.
*/
rc = gpgsm_basic_cert_check (cert);
if (!rc || gpg_err_code (rc) == GPG_ERR_MISSING_CERT)
if (!rc && ctrl->with_validation)
rc = gpgsm_validate_chain (ctrl, cert, NULL, 0, NULL, 0);
if (!rc || (!ctrl->with-validation
&& gpg_err_code (rc) == GPG_ERR_MISSING_CERT) )
{
int existed;
@ -527,14 +533,25 @@ popen_protect_tool (const char *pgmname,
setup_pinentry_env ();
execlp (pgmname, arg0,
"--homedir", opt.homedir,
"--p12-import",
"--store",
"--no-fail-on-exist",
"--enable-status-msg",
"--",
NULL);
if (opt.fixed_passphrase)
execlp (pgmname, arg0,
"--homedir", opt.homedir,
"--p12-import",
"--store",
"--no-fail-on-exist",
"--enable-status-msg",
"--passphrase", opt.fixed_passphrase,
"--",
NULL);
else
execlp (pgmname, arg0,
"--homedir", opt.homedir,
"--p12-import",
"--store",
"--no-fail-on-exist",
"--enable-status-msg",
"--",
NULL);
/* No way to print anything, as we have closed all streams. */
_exit (31);
}

4
tests/ChangeLog
View File

@ -1,3 +1,7 @@
2004-08-16 Werner Koch <wk@g10code.de>
* Makefile.am: Descend into the new pkits directory
2004-02-20 Werner Koch <wk@gnupg.org>
* Makefile.am: Reset GPG_AGENT_INFO here

18
tests/pkits/ChangeLog Normal file
View File

@ -0,0 +1,18 @@
2004-08-16 Werner Koch <wk@g10code.de>
Started implementing PKITS based tests.
Copyright 2004 Free Software Foundation, Inc.
This file is free software; as a special exception the author gives
unlimited permission to copy and/or distribute it, with or without
modifications, as long as this notice is preserved.
This file is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

69
tests/pkits/Makefile.am Normal file
View File

@ -0,0 +1,69 @@
# Makefile.am - tests using NIST's PKITS
# Copyright (C) 2004 Free Software Foundation, Inc.
#
# This file is part of GnuPG.
#
# GnuPG is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# GnuPG is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
## Process this file with automake to produce Makefile.in
GPGSM = ../../sm/gpgsm
TESTS_ENVIRONMENT = GNUPGHOME=`pwd` GPG_AGENT_INFO= LC_ALL=C GPGSM=$(GPGSM) \
LD_LIBRARY_PATH=$$(seen=0; \
for i in $(LDFLAGS) $(LIBGCRYPT_LIBS) $(PTH_LIBS); \
do \
if echo "$$i" | egrep '^-L' >/dev/null 2>&1; \
then \
if test $$seen = 0; \
then \
seen=1; \
else \
printf ":"; \
fi; \
printf "%s" "$${i}" | sed 's/^-L//'; \
fi; \
done; \
if test $$seen != 0 \
&& test x$${LD_LIBRARY_PATH} != x; \
then \
printf ":"; \
fi; \
printf "%s" "$${LD_LIBRARY_PATH}") $(srcdir)/runtest
testscripts = import-all-certs validate-all-certs
EXTRA_DIST = PKITS_data.tar.bz2 inittests runtest $(testscripts)
import-all-certs.data
TESTS = $(testscripts)
CLEANFILES = inittests.stamp x y y z out err *.lock .\#lk* *.log
DISTCLEANFILES = pubring.kbx~ random_seed
all-local: inittests.stamp
clean-local:
srcdir=$(srcdir) $(TESTS_ENVIRONMENT) $(srcdir)/inittests --clean
inittests.stamp: inittests
srcdir=$(srcdir) $(TESTS_ENVIRONMENT) $(srcdir)/inittests
echo timestamp >./inittests.stamp

BIN
tests/pkits/PKITS_data.tar.bz2 Normal file
View File

Binary file not shown.

9
tests/pkits/README Normal file
View File

@ -0,0 +1,9 @@
tests/pkits/README
These are tests based on NIST's Public Key Interoperability Test Suite
(PKITS) as downloaded on 2004-08-16 from
http://csrc.nist.gov/pki/testing/x509paths.html .
README - this file.
PKITS_data.tar.bz2 - the orginal ZIP file, repackaged as a tarball.
Makefile.am - Part of our build system.

135
tests/pkits/common.sh Normal file
View File

@ -0,0 +1,135 @@
#!/bin/sh
# common.sh - common defs for all tests -*- sh -*-
# Copyright (C) 2004 Free Software Foundation, Inc.
#
# This file is part of GnuPG.
#
# GnuPG is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# GnuPG is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
# reset some environment variables because we do not want to test locals
export LANG=C
export LANGUAGE=C
export LC_ALL=C
[ "$VERBOSE" = yes ] && set -x
[ -z "$srcdir" ] && srcdir="."
[ -z "$top_srcdir" ] && top_srcdir=".."
[ -z "$GPGSM" ] && GPGSM="../../sm/gpgsm"
if [ "$GNUPGHOME" != "`pwd`" ]; then
echo "inittests: please set GNUPGHOME to the tests/pkits directory" >&2
exit 1
fi
if [ -n "$GPG_AGENT_INFO" ]; then
echo "inittests: please unset GPG_AGENT_INFO" >&2
exit 1
fi
#--------------------------------
#------ utility functions -------
#--------------------------------
echo_n_init=no
echo_n () {
if test "$echo_n_init" = "no"; then
if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then
if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then
echo_n_n=
echo_n_c='
'
else
echo_n_n='-n'
echo_n_c=
fi
else
echo_n_n=
echo_n_c='\c'
fi
echo_n_init=yes
fi
echo $echo_n_n "${1}$echo_n_c"
}
fatal () {
echo "$pgmname: fatal:" $* >&2
exit 1;
}
error () {
echo "$pgmname:" $* >&2
exit 1
}
info () {
echo "$pgmname:" $* >&2
}
info_n () {
$echo_n "$pgmname:" $* >&2
}
pass () {
echo "PASS: " $* >&2
pass_count=`expr ${pass_count} + 1`
}
fail () {
echo "FAIL: " $* >&2
fail_count=`expr ${fail_count} + 1`
}
unresolved () {
echo "UNRESOLVED: " $* >&2
unresolved_count=`expr ${unresolved_count} + 1`
}
unsupported () {
echo "UNSUPPORTED: " $* >&2
unsupported_count=`expr ${unsupported_count} + 1`
}
final_result () {
[ $pass_count = 0 ] || info "$pass_count tests passed"
[ $fail_count = 0 ] || info "$fail_count tests failed"
[ $unresolved_count = 0 ] || info "$unresolved_count tests unresolved"
[ $unsupported_count = 0 ] || info "$unsupported_count tests unsupported"
if [ $fail_count = 0 ]; then
info "all tests passed"
else
exit 1
fi
}
set -e
pgmname=`basename $0`
pass_count=0
fail_count=0
unresolved_count=0
unsupported_count=0
#trap cleanup SIGHUP SIGINT SIGQUIT
exec 2> ${pgmname}.log
:
# end

53
tests/pkits/import-all-certs Executable file
View File

@ -0,0 +1,53 @@
#!/bin/sh
# Copyright (C) 2004 Free Software Foundation, Inc. -*- sh -*-
#
# This file is part of GnuPG.
#
# GnuPG is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# GnuPG is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
. ${srcdir:-.}/common.sh || exit 2
while read flag dummy name; do
case $flag in \#*) continue;; esac
[ -z "$flag" ] && continue;
if ${GPGSM} -q --import certs/$name ; then
if [ "$flag" = 'p' ]; then
pass "importing certificate \`$name' succeeded"
elif [ "$flag" = 'f' ]; then
fail "importing certificate \`$name' succeeded"
elif [ "$flag" = '?' ]; then
unresolved "importing certificate \`$name' succeeded"
elif [ "$flag" = 'u' ]; then
unsupported "importing certificate \`$name' succeeded"
else
info "importing certificate \`$name' succeeded - (flag=$flag)"
fi
else
if [ "$flag" = 'p' ]; then
fail "importing certificate \`$name' failed"
elif [ "$flag" = 'f' ]; then
pass "importing certificate \`$name' failed"
elif [ "$flag" = '?' ]; then
unresolved "importing certificate \`$name' failed"
elif [ "$flag" = 'u' ]; then
unsupported "importing certificate \`$name' failed"
else
info "importing certificate \`$name' failed - (flag=$flag)"
fi
fi
done < $srcdir/import-all-certs.data
final_result

490
tests/pkits/import-all-certs.data Normal file
View File

@ -0,0 +1,490 @@
# The first column is for the basic import test, the second for a
# validation test.
# Make sure that the root certificate is imported first
p p TrustAnchorRootCertificate.crt
p p AllCertificatesNoPoliciesTest2EE.crt
p p AllCertificatesSamePoliciesTest10EE.crt
p p AllCertificatesSamePoliciesTest13EE.crt
p p AllCertificatesanyPolicyTest11EE.crt
p p AnyPolicyTest14EE.crt
p p BadCRLIssuerNameCACert.crt
p p BadCRLSignatureCACert.crt
f f BadSignedCACert.crt
p f BadnotAfterDateCACert.crt
# UTC: "470101120100Z" i.e. not before 2047-01-01
p f BadnotBeforeDateCACert.crt
p p BasicSelfIssuedCRLSigningKeyCACert.crt
# For yet unknown reasons gpgsm claims a bad signature.
? ? BasicSelfIssuedCRLSigningKeyCRLCert.crt
p p BasicSelfIssuedNewKeyCACert.crt
# For yet unknown reasons gpgsm claims a bad signature.
? ? BasicSelfIssuedNewKeyOldWithNewCACert.crt
p p BasicSelfIssuedOldKeyCACert.crt
# For yet unknown reasons gpgsm claims a bad signature.
? ? BasicSelfIssuedOldKeyNewWithOldCACert.crt
p p CPSPointerQualifierTest20EE.crt
u u DSACACert.crt
u u DSAParametersInheritedCACert.crt
p p DifferentPoliciesTest12EE.crt
p p DifferentPoliciesTest3EE.crt
p p DifferentPoliciesTest4EE.crt
p p DifferentPoliciesTest5EE.crt
p p DifferentPoliciesTest7EE.crt
p p DifferentPoliciesTest8EE.crt
p p DifferentPoliciesTest9EE.crt
p p GeneralizedTimeCRLnextUpdateCACert.crt
p p GoodCACert.crt
p p GoodsubCACert.crt
# gpgsm: critical certificate extension 2.5.29.33 (policyMappings)
# is not supported
p u GoodsubCAPanyPolicyMapping1to2CACert.crt
# fixme: gpgme does not fail for it.
p f InvalidBadCRLIssuerNameTest5EE.crt
p f InvalidBadCRLSignatureTest4EE.crt
p f InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt
f f InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt
p f InvalidBasicSelfIssuedNewWithOldTest5EE.crt
f f InvalidBasicSelfIssuedOldWithNewTest2EE.crt
p f InvalidCASignatureTest2EE.crt
p f InvalidCAnotAfterDateTest5EE.crt
p f InvalidCAnotBeforeDateTest1EE.crt
p f InvalidDNSnameConstraintsTest31EE.crt
p f InvalidDNSnameConstraintsTest33EE.crt
p f InvalidDNSnameConstraintsTest38EE.crt
p f InvalidDNandRFC822nameConstraintsTest28EE.crt
p f InvalidDNandRFC822nameConstraintsTest29EE.crt
p f InvalidDNnameConstraintsTest10EE.crt
p f InvalidDNnameConstraintsTest12EE.crt
p f InvalidDNnameConstraintsTest13EE.crt
p f InvalidDNnameConstraintsTest15EE.crt
p f InvalidDNnameConstraintsTest16EE.crt
p f InvalidDNnameConstraintsTest17EE.crt
f f InvalidDNnameConstraintsTest20EE.crt
p f InvalidDNnameConstraintsTest2EE.crt
p f InvalidDNnameConstraintsTest3EE.crt
p f InvalidDNnameConstraintsTest7EE.crt
p f InvalidDNnameConstraintsTest8EE.crt
p f InvalidDNnameConstraintsTest9EE.crt
u u InvalidDSASignatureTest6EE.crt
f f InvalidEESignatureTest3EE.crt
p f InvalidEEnotAfterDateTest6EE.crt
p f InvalidEEnotBeforeDateTest2EE.crt
p f InvalidIDPwithindirectCRLTest23EE.crt
p f InvalidIDPwithindirectCRLTest26EE.crt
p f InvalidLongSerialNumberTest18EE.crt
p f InvalidMappingFromanyPolicyTest7EE.crt
p f InvalidMappingToanyPolicyTest8EE.crt
p f InvalidMissingCRLTest1EE.crt
p f InvalidMissingbasicConstraintsTest1EE.crt
p f InvalidNameChainingOrderTest2EE.crt
p f InvalidNameChainingTest1EE.crt
p f InvalidNegativeSerialNumberTest15EE.crt
p f InvalidOldCRLnextUpdateTest11EE.crt
p f InvalidPolicyMappingTest10EE.crt
p f InvalidPolicyMappingTest2EE.crt
p f InvalidPolicyMappingTest4EE.crt
p f InvalidRFC822nameConstraintsTest22EE.crt
p f InvalidRFC822nameConstraintsTest24EE.crt
p f InvalidRFC822nameConstraintsTest26EE.crt
p f InvalidRevokedCATest2EE.crt
p f InvalidRevokedEETest3EE.crt
f f InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt
p f InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt
p f InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt
p f InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt
p f InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt
p f InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt
p f InvalidSelfIssuedpathLenConstraintTest16EE.crt
p f InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt
p f InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt
f f InvalidSeparateCertificateandCRLKeysTest20EE.crt
f f InvalidSeparateCertificateandCRLKeysTest21EE.crt
p f InvalidURInameConstraintsTest35EE.crt
p f InvalidURInameConstraintsTest37EE.crt
p f InvalidUnknownCRLEntryExtensionTest8EE.crt
p f InvalidUnknownCRLExtensionTest10EE.crt
p f InvalidUnknownCRLExtensionTest9EE.crt
p f InvalidUnknownCriticalCertificateExtensionTest2EE.crt
p f InvalidWrongCRLTest6EE.crt
p f InvalidcAFalseTest2EE.crt
p f InvalidcAFalseTest3EE.crt
p f InvalidcRLIssuerTest27EE.crt
p f InvalidcRLIssuerTest31EE.crt
p f InvalidcRLIssuerTest32EE.crt
p f InvalidcRLIssuerTest34EE.crt
p f InvalidcRLIssuerTest35EE.crt
p f InvaliddeltaCRLIndicatorNoBaseTest1EE.crt
p f InvaliddeltaCRLTest10EE.crt
p f InvaliddeltaCRLTest3EE.crt
p f InvaliddeltaCRLTest4EE.crt
p f InvaliddeltaCRLTest6EE.crt
p f InvaliddeltaCRLTest9EE.crt
p f InvaliddistributionPointTest2EE.crt
p f InvaliddistributionPointTest3EE.crt
p f InvaliddistributionPointTest6EE.crt
p f InvaliddistributionPointTest8EE.crt
p f InvaliddistributionPointTest9EE.crt
p f InvalidinhibitAnyPolicyTest1EE.crt
p f InvalidinhibitAnyPolicyTest4EE.crt
p f InvalidinhibitAnyPolicyTest5EE.crt
p f InvalidinhibitAnyPolicyTest6EE.crt
p f InvalidinhibitPolicyMappingTest1EE.crt
p f InvalidinhibitPolicyMappingTest3EE.crt
p f InvalidinhibitPolicyMappingTest5EE.crt
p f InvalidinhibitPolicyMappingTest6EE.crt
p f InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt
p f InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt
p f InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt
p f InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt
p f InvalidonlyContainsAttributeCertsTest14EE.crt
p f InvalidonlyContainsCACertsTest12EE.crt
p f InvalidonlyContainsUserCertsTest11EE.crt
p f InvalidonlySomeReasonsTest15EE.crt
p f InvalidonlySomeReasonsTest16EE.crt
p f InvalidonlySomeReasonsTest17EE.crt
p f InvalidonlySomeReasonsTest20EE.crt
p f InvalidonlySomeReasonsTest21EE.crt
p f InvalidpathLenConstraintTest10EE.crt
p f InvalidpathLenConstraintTest11EE.crt
p f InvalidpathLenConstraintTest12EE.crt
p f InvalidpathLenConstraintTest5EE.crt
p f InvalidpathLenConstraintTest6EE.crt
p f InvalidpathLenConstraintTest9EE.crt
p f Invalidpre2000CRLnextUpdateTest12EE.crt
p f Invalidpre2000UTCEEnotAfterDateTest7EE.crt
p f InvalidrequireExplicitPolicyTest3EE.crt
p f InvalidrequireExplicitPolicyTest5EE.crt
p p LongSerialNumberCACert.crt
p p Mapping1to2CACert.crt
p p MappingFromanyPolicyCACert.crt
p p MappingToanyPolicyCACert.crt
p p MissingbasicConstraintsCACert.crt
p p NameOrderingCACert.crt
p p NegativeSerialNumberCACert.crt
p p NoCRLCACert.crt
p p NoPoliciesCACert.crt
p p NoissuingDistributionPointCACert.crt
p p OldCRLnextUpdateCACert.crt
p p OverlappingPoliciesTest6EE.crt
p p P12Mapping1to3CACert.crt
p p P12Mapping1to3subCACert.crt
p p P12Mapping1to3subsubCACert.crt
p p P1Mapping1to234CACert.crt
p p P1Mapping1to234subCACert.crt
p p P1anyPolicyMapping1to2CACert.crt
p p PanyPolicyMapping1to2CACert.crt
p p PoliciesP1234CACert.crt
p p PoliciesP1234subCAP123Cert.crt
p p PoliciesP1234subsubCAP123P12Cert.crt
p p PoliciesP123CACert.crt
p p PoliciesP123subCAP12Cert.crt
p p PoliciesP123subsubCAP12P1Cert.crt
p p PoliciesP123subsubCAP12P2Cert.crt
p p PoliciesP123subsubsubCAP12P2P1Cert.crt
p p PoliciesP12CACert.crt
p p PoliciesP12subCAP1Cert.crt
p p PoliciesP12subsubCAP1P2Cert.crt
p p PoliciesP2subCA2Cert.crt
p p PoliciesP2subCACert.crt
p p PoliciesP3CACert.crt
p p RFC3280MandatoryAttributeTypesCACert.crt
p p RFC3280OptionalAttributeTypesCACert.crt
p p RevokedsubCACert.crt
p p RolloverfromPrintableStringtoUTF8StringCACert.crt
p p SeparateCertificateandCRLKeysCA2CRLSigningCert.crt
p p SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt
p p SeparateCertificateandCRLKeysCRLSigningCert.crt
p p SeparateCertificateandCRLKeysCertificateSigningCACert.crt
p p TwoCRLsCACert.crt
p p UIDCACert.crt
p p UTF8StringCaseInsensitiveMatchCACert.crt
p p UTF8StringEncodedNamesCACert.crt
p p UnknownCRLEntryExtensionCACert.crt
p p UnknownCRLExtensionCACert.crt
p p UserNoticeQualifierTest15EE.crt
p p UserNoticeQualifierTest16EE.crt
p p UserNoticeQualifierTest17EE.crt
p p UserNoticeQualifierTest18EE.crt
p p UserNoticeQualifierTest19EE.crt
p p ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt
# For yet unknown reasons gpgsm claims a bad signature.
? ? ValidBasicSelfIssuedNewWithOldTest3EE.crt
p p ValidBasicSelfIssuedNewWithOldTest4EE.crt
# For yet unknown reasons gpgsm claims a bad signature.
? ? ValidBasicSelfIssuedOldWithNewTest1EE.crt
p p ValidCertificatePathTest1EE.crt
p p ValidDNSnameConstraintsTest30EE.crt
p p ValidDNSnameConstraintsTest32EE.crt
p p ValidDNandRFC822nameConstraintsTest27EE.crt
p p ValidDNnameConstraintsTest11EE.crt
# This certificate has an empty subject sequence. Our parser does not
# support this yet and it is unlikely that gpgsm will be able to cope
# with it at all.
u u ValidDNnameConstraintsTest14EE.crt
p p ValidDNnameConstraintsTest18EE.crt
# For yet unknown reasons gpgsm claims a bad signature.
? ? ValidDNnameConstraintsTest19EE.crt
p p ValidDNnameConstraintsTest1EE.crt
p p ValidDNnameConstraintsTest4EE.crt
p p ValidDNnameConstraintsTest5EE.crt
p p ValidDNnameConstraintsTest6EE.crt
u p ValidDSAParameterInheritanceTest5EE.crt
u p ValidDSASignaturesTest4EE.crt
p p ValidGeneralizedTimeCRLnextUpdateTest13EE.crt
p p ValidGeneralizedTimenotAfterDateTest8EE.crt
p p ValidGeneralizedTimenotBeforeDateTest4EE.crt
p p ValidIDPwithindirectCRLTest22EE.crt
p p ValidIDPwithindirectCRLTest24EE.crt
p p ValidIDPwithindirectCRLTest25EE.crt
p p ValidLongSerialNumberTest16EE.crt
p p ValidLongSerialNumberTest17EE.crt
p p ValidNameChainingCapitalizationTest5EE.crt
p p ValidNameChainingWhitespaceTest3EE.crt
p p ValidNameChainingWhitespaceTest4EE.crt
p p ValidNameUIDsTest6EE.crt
p p ValidNegativeSerialNumberTest14EE.crt
p p ValidNoissuingDistributionPointTest10EE.crt
p p ValidPolicyMappingTest11EE.crt
p p ValidPolicyMappingTest12EE.crt
p p ValidPolicyMappingTest13EE.crt
p p ValidPolicyMappingTest14EE.crt
p p ValidPolicyMappingTest1EE.crt
p p ValidPolicyMappingTest3EE.crt
p p ValidPolicyMappingTest5EE.crt
p p ValidPolicyMappingTest6EE.crt
p p ValidPolicyMappingTest9EE.crt
p p ValidRFC3280MandatoryAttributeTypesTest7EE.crt
p p ValidRFC3280OptionalAttributeTypesTest8EE.crt
p p ValidRFC822nameConstraintsTest21EE.crt
p p ValidRFC822nameConstraintsTest23EE.crt
p p ValidRFC822nameConstraintsTest25EE.crt
p p ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt
p p ValidSelfIssuedinhibitAnyPolicyTest7EE.crt
p p ValidSelfIssuedinhibitAnyPolicyTest9EE.crt
p p ValidSelfIssuedinhibitPolicyMappingTest7EE.crt
# For yet unknown reasons gpgsm claims a bad signature.
? ? ValidSelfIssuedpathLenConstraintTest15EE.crt
p p ValidSelfIssuedpathLenConstraintTest17EE.crt
# For yet unknown reasons gpgsm claims a bad signature.
? ? ValidSelfIssuedrequireExplicitPolicyTest6EE.crt
# For yet unknown reasons gpgsm claims a bad signature.
? ? ValidSeparateCertificateandCRLKeysTest19EE.crt
p p ValidTwoCRLsTest7EE.crt
p p ValidURInameConstraintsTest34EE.crt
p p ValidURInameConstraintsTest36EE.crt
p p ValidUTF8StringCaseInsensitiveMatchTest11EE.crt
p p ValidUTF8StringEncodedNamesTest9EE.crt
p p ValidUnknownNotCriticalCertificateExtensionTest1EE.crt
p p ValidbasicConstraintsNotCriticalTest4EE.crt
p p ValidcRLIssuerTest28EE.crt
p p ValidcRLIssuerTest29EE.crt
p p ValidcRLIssuerTest30EE.crt
p p ValidcRLIssuerTest33EE.crt
p p ValiddeltaCRLTest2EE.crt
p p ValiddeltaCRLTest5EE.crt
p p ValiddeltaCRLTest7EE.crt
p p ValiddeltaCRLTest8EE.crt
p p ValiddistributionPointTest1EE.crt
p p ValiddistributionPointTest4EE.crt
p p ValiddistributionPointTest5EE.crt
p p ValiddistributionPointTest7EE.crt
p p ValidinhibitAnyPolicyTest2EE.crt
p p ValidinhibitPolicyMappingTest2EE.crt
p p ValidinhibitPolicyMappingTest4EE.crt
p p ValidkeyUsageNotCriticalTest3EE.crt
p p ValidonlyContainsCACertsTest13EE.crt
p p ValidonlySomeReasonsTest18EE.crt
p p ValidonlySomeReasonsTest19EE.crt
p p ValidpathLenConstraintTest13EE.crt
p p ValidpathLenConstraintTest14EE.crt
p p ValidpathLenConstraintTest7EE.crt
p p ValidpathLenConstraintTest8EE.crt
p p Validpre2000UTCnotBeforeDateTest3EE.crt
p p ValidrequireExplicitPolicyTest1EE.crt
p p ValidrequireExplicitPolicyTest2EE.crt
p p ValidrequireExplicitPolicyTest4EE.crt
p p WrongCRLCACert.crt
p p anyPolicyCACert.crt
p p basicConstraintsCriticalcAFalseCACert.crt
p p basicConstraintsNotCriticalCACert.crt
p p basicConstraintsNotCriticalcAFalseCACert.crt
p p deltaCRLCA1Cert.crt
p p deltaCRLCA2Cert.crt
p p deltaCRLCA3Cert.crt
p p deltaCRLIndicatorNoBaseCACert.crt
p p distributionPoint1CACert.crt
p p distributionPoint2CACert.crt
p p indirectCRLCA1Cert.crt
p p indirectCRLCA2Cert.crt
p p indirectCRLCA3Cert.crt
p p indirectCRLCA3cRLIssuerCert.crt
p p indirectCRLCA4Cert.crt
p p indirectCRLCA4cRLIssuerCert.crt
p p indirectCRLCA5Cert.crt
p p indirectCRLCA6Cert.crt
p p inhibitAnyPolicy0CACert.crt
p p inhibitAnyPolicy1CACert.crt
# For yet unknown reasons gpgsm claims a bad signature.
? ? inhibitAnyPolicy1SelfIssuedCACert.crt
? ? inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt
p p inhibitAnyPolicy1subCA1Cert.crt
# For yet unknown reasons gpgsm claims a bad signature.
? ? inhibitAnyPolicy1subCA2Cert.crt
p p inhibitAnyPolicy1subCAIAP5Cert.crt
p p inhibitAnyPolicy1subsubCA2Cert.crt
p p inhibitAnyPolicy5CACert.crt
p p inhibitAnyPolicy5subCACert.crt
p p inhibitAnyPolicy5subsubCACert.crt
p p inhibitAnyPolicyTest3EE.crt
p p inhibitPolicyMapping0CACert.crt
p p inhibitPolicyMapping0subCACert.crt
p p inhibitPolicyMapping1P12CACert.crt
p p inhibitPolicyMapping1P12subCACert.crt
p p inhibitPolicyMapping1P12subCAIPM5Cert.crt
p p inhibitPolicyMapping1P12subsubCACert.crt
p p inhibitPolicyMapping1P12subsubCAIPM5Cert.crt
p p inhibitPolicyMapping1P1CACert.crt
# For yet unknown reasons gpgsm claims a bad signature.
? ? inhibitPolicyMapping1P1SelfIssuedCACert.crt
? ? inhibitPolicyMapping1P1SelfIssuedsubCACert.crt
? ? inhibitPolicyMapping1P1subCACert.crt
p p inhibitPolicyMapping1P1subsubCACert.crt
p p inhibitPolicyMapping5CACert.crt
p p inhibitPolicyMapping5subCACert.crt
p p inhibitPolicyMapping5subsubCACert.crt
p p inhibitPolicyMapping5subsubsubCACert.crt
p p keyUsageCriticalcRLSignFalseCACert.crt
p p keyUsageCriticalkeyCertSignFalseCACert.crt
p p keyUsageNotCriticalCACert.crt
p p keyUsageNotCriticalcRLSignFalseCACert.crt
p p keyUsageNotCriticalkeyCertSignFalseCACert.crt
p p nameConstraintsDN1CACert.crt
# For yet unknown reasons gpgsm claims a bad signature.
? ? nameConstraintsDN1SelfIssuedCACert.crt
p p nameConstraintsDN1subCA1Cert.crt
p p nameConstraintsDN1subCA2Cert.crt
p p nameConstraintsDN1subCA3Cert.crt
p p nameConstraintsDN2CACert.crt
p p nameConstraintsDN3CACert.crt
p p nameConstraintsDN3subCA1Cert.crt
p p nameConstraintsDN3subCA2Cert.crt
p p nameConstraintsDN4CACert.crt
p p nameConstraintsDN5CACert.crt
p p nameConstraintsDNS1CACert.crt
p p nameConstraintsDNS2CACert.crt
p p nameConstraintsRFC822CA1Cert.crt
p p nameConstraintsRFC822CA2Cert.crt
p p nameConstraintsRFC822CA3Cert.crt
p p nameConstraintsURI1CACert.crt
p p nameConstraintsURI2CACert.crt
p p onlyContainsAttributeCertsCACert.crt
p p onlyContainsCACertsCACert.crt
p p onlyContainsUserCertsCACert.crt
p p onlySomeReasonsCA1Cert.crt
p p onlySomeReasonsCA2Cert.crt
p p onlySomeReasonsCA3Cert.crt
p p onlySomeReasonsCA4Cert.crt
p p pathLenConstraint0CACert.crt
# For yet unknown reasons gpgsm claims a bad signature.
? ? pathLenConstraint0SelfIssuedCACert.crt
? ? pathLenConstraint0subCA2Cert.crt
p p pathLenConstraint0subCACert.crt
p p pathLenConstraint1CACert.crt
# For yet unknown reasons gpgsm claims a bad signature.
? ? pathLenConstraint1SelfIssuedCACert.crt
? ? pathLenConstraint1SelfIssuedsubCACert.crt
? ? pathLenConstraint1subCACert.crt
p p pathLenConstraint6CACert.crt
p p pathLenConstraint6subCA0Cert.crt
p p pathLenConstraint6subCA1Cert.crt
p p pathLenConstraint6subCA4Cert.crt
p p pathLenConstraint6subsubCA00Cert.crt
p p pathLenConstraint6subsubCA11Cert.crt
p p pathLenConstraint6subsubCA41Cert.crt
p p pathLenConstraint6subsubsubCA11XCert.crt
p p pathLenConstraint6subsubsubCA41XCert.crt
p p pre2000CRLnextUpdateCACert.crt
p p requireExplicitPolicy0CACert.crt
p p requireExplicitPolicy0subCACert.crt
p p requireExplicitPolicy0subsubCACert.crt
p p requireExplicitPolicy0subsubsubCACert.crt
p p requireExplicitPolicy10CACert.crt
p p requireExplicitPolicy10subCACert.crt
p p requireExplicitPolicy10subsubCACert.crt
p p requireExplicitPolicy10subsubsubCACert.crt
p p requireExplicitPolicy2CACert.crt
# For yet unknown reasons gpgsm claims a bad signature.
? ? requireExplicitPolicy2SelfIssuedCACert.crt
? ? requireExplicitPolicy2SelfIssuedsubCACert.crt
? ? requireExplicitPolicy2subCACert.crt
p p requireExplicitPolicy4CACert.crt
p p requireExplicitPolicy4subCACert.crt
p p requireExplicitPolicy4subsubCACert.crt
p p requireExplicitPolicy4subsubsubCACert.crt
p p requireExplicitPolicy5CACert.crt
p p requireExplicitPolicy5subCACert.crt
p p requireExplicitPolicy5subsubCACert.crt
p p requireExplicitPolicy5subsubsubCACert.crt
p p requireExplicitPolicy7CACert.crt
p p requireExplicitPolicy7subCARE2Cert.crt
p p requireExplicitPolicy7subsubCARE2RE4Cert.crt
p p requireExplicitPolicy7subsubsubCARE2RE4Cert.crt

94
tests/pkits/inittests Executable file
View File

@ -0,0 +1,94 @@
#!/bin/sh
# Copyright (C) 2004 Free Software Foundation, Inc. -*- sh -*-
#
# This file is free software; as a special exception the author gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
#
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
set -e
clean_files='
ReadMe.txt pkits.ldif
gpgsm.conf gpg-agent.conf trustlist.txt policies.txt pubring.kbx
msg msg.sig msg.unsig
'
[ -z "$srcdir" ] && srcdir=.
[ -z "$GPGSM" ] && GPGSM=../../sm/gpgsm
if [ -f $srcdir/README ] \
&& grep tests/pkits/README README >/dev/null 2>&1; then
:
else
# During make distclean the Makefile has already been removed,
# so we need this extra test.
if ! grep gnupg-test-pkits-directory testdir.stamp >/dev/null 2>&1; then
echo "inittests: please cd to the tests/pkits directory first" >&2
exit 1
fi
fi
if [ "$1" = "--clean" ]; then
if [ -d private-keys-v1.d ]; then
rm private-keys-v1.d/* 2>/dev/null || true
rmdir private-keys-v1.d
fi
rm ${clean_files} testdir.stamp 2>/dev/null || true
for i in certs certpairs crls pkcs12 smime; do
if [ -d $i ]; then
rm $i/* 2>/dev/null || true
rmdir $i
fi
done
exit 0
fi
if [ "$GNUPGHOME" != "`pwd`" ]; then
echo "inittests: please set GNUPGHOME to the tests/pkits directory" >&2
exit 1
fi
if [ -n "$GPG_AGENT_INFO" ]; then
echo "inittests: please unset GPG_AGENT_INFO" >&2
exit 1
fi
if ! bunzip2 -c PKITS_data.tar.bz2 | tar xf - ; then
echo "inittests: failed to untar the test data" >&2
exit 1
fi
# A stamp file used with --clean
echo gnupg-test-pkits-directory > testdir.stamp
# Create the configuration scripts
cat > gpgsm.conf <<EOF
no-secmem-warning
no-greeting
batch
disable-crl-checks
agent-program ../../agent/gpg-agent
EOF
# Fixme: we need to write a dummy pinentry program
cat > gpg-agent.conf <<EOF
no-grab
EOF
# Mark the root CA trusted
cat > trustlist.txt <<EOF
# /CN=Trust Anchor/O=Test Certificates/C=US
66:8A:47:56:A2:DC:88:FF:DA:B8:95:E1:3C:63:37:55:5F:0A:F7:BF S
EOF
# Define the standard policies as NIST test-policy-1
#cat >policies.txt <<EOF
#2.16.840.1.101.3.2.1.48.1
#EOF

4
tests/pkits/runtest Executable file
View File

@ -0,0 +1,4 @@
#!/bin/sh
[ -x "$1" ] && exec $1 $2
exec sh $1 $2

55
tests/pkits/validate-all-certs Executable file
View File

@ -0,0 +1,55 @@
#!/bin/sh
# validate-all-certs -*- sh -*-
# Copyright (C) 2004 Free Software Foundation, Inc.
#
# This file is part of GnuPG.
#
# GnuPG is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# GnuPG is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
. ${srcdir:-.}/common.sh || exit 2
while read dummy flag name; do
case $dummy in \#*) continue;; esac
[ -z "$dummy" ] && continue;
if ${GPGSM} -q --import --with-validation --disable-crl-checks \
certs/$name ; then
if [ "$flag" = 'p' ]; then
pass "validating certificate \`$name' succeeded"
elif [ "$flag" = 'f' ]; then
fail "validating certificate \`$name' succeeded"
elif [ "$flag" = '?' ]; then
unresolved "validating certificate \`$name' succeeded"
elif [ "$flag" = 'u' ]; then
unsupported "validating certificate \`$name' succeeded"
else
info "validating certificate \`$name' succeeded - (flag=$flag)"
fi
else
if [ "$flag" = 'p' ]; then
fail "validating certificate \`$name' failed"
elif [ "$flag" = 'f' ]; then
pass "validating certificate \`$name' failed"
elif [ "$flag" = '?' ]; then
unresolved "validating certificate \`$name' failed"
elif [ "$flag" = 'u' ]; then
unsupported "validating certificate \`$name' failed"
else
info "validating certificate \`$name' failed - (flag=$flag)"
fi
fi
done < $srcdir/import-all-certs.data
final_result