From f13c5a48fc092d25c6d2fb169ed018473bb24096 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Tue, 19 Feb 2008 10:33:35 +0000 Subject: [PATCH] Improve certificate chain construction. Extend PKITS framework --- NEWS | 8 +- configure.ac | 2 +- doc/gpgsm.texi | 7 + po/be.po | 2 +- po/ca.po | 2 +- po/cs.po | 2 +- po/da.po | 2 +- po/de.po | 2 +- po/el.po | 2 +- po/eo.po | 2 +- po/es.po | 2 +- po/et.po | 2 +- po/fi.po | 2 +- po/fr.po | 2 +- po/gl.po | 2 +- po/hu.po | 2 +- po/id.po | 2 +- po/it.po | 2 +- po/ja.po | 2 +- po/nb.po | 2 +- po/pl.po | 2 +- po/pt.po | 2 +- po/pt_BR.po | 2 +- po/ro.po | 2 +- po/ru.po | 2 +- po/sk.po | 2 +- po/sv.po | 2 +- po/tr.po | 2 +- po/zh_CN.po | 2 +- po/zh_TW.po | 2 +- sm/ChangeLog | 17 + sm/call-dirmngr.c | 4 +- sm/certchain.c | 99 ++- sm/gpgsm.c | 15 +- sm/gpgsm.h | 1 + tests/pkits/ChangeLog | 35 +- tests/pkits/Makefile.am | 57 +- tests/pkits/README | 25 + tests/pkits/basic-certificate-revocation | 31 + tests/pkits/certificate-policies | 31 + tests/pkits/common.sh | 64 +- tests/pkits/delta-crls | 31 + tests/pkits/distribution-points | 31 + tests/pkits/import-all-certs | 20 +- tests/pkits/import-all-certs.data | 941 ++++++++++----------- tests/pkits/inhibit-any-policy | 31 + tests/pkits/inhibit-policy-mapping | 31 + tests/pkits/inittests | 2 + tests/pkits/key-usage | 31 + tests/pkits/name-constraints | 31 + tests/pkits/policy-mappings | 31 + tests/pkits/private-certificate-extensions | 31 + tests/pkits/require-explicit-policy | 31 + tests/pkits/signature-verification | 31 + tests/pkits/validate-all-certs | 21 +- tests/pkits/validity-periods | 31 + tests/pkits/verifying-basic-constraints | 31 + tests/pkits/verifying-name-chaining | 31 + tests/pkits/verifying-paths-self-issued | 31 + tools/gpgconf-comp.c | 3 + 60 files changed, 1283 insertions(+), 588 deletions(-) create mode 100644 tests/pkits/basic-certificate-revocation create mode 100644 tests/pkits/certificate-policies create mode 100644 tests/pkits/delta-crls create mode 100644 tests/pkits/distribution-points create mode 100644 tests/pkits/inhibit-any-policy create mode 100644 tests/pkits/inhibit-policy-mapping create mode 100644 tests/pkits/key-usage create mode 100644 tests/pkits/name-constraints create mode 100644 tests/pkits/policy-mappings create mode 100644 tests/pkits/private-certificate-extensions create mode 100644 tests/pkits/require-explicit-policy create mode 100644 tests/pkits/signature-verification create mode 100644 tests/pkits/validity-periods create mode 100644 tests/pkits/verifying-basic-constraints create mode 100644 tests/pkits/verifying-name-chaining create mode 100644 tests/pkits/verifying-paths-self-issued diff --git a/NEWS b/NEWS index 764edb3aa..0a9cb4a26 100644 --- a/NEWS +++ b/NEWS @@ -4,9 +4,13 @@ Noteworthy changes in version 2.0.9 (unreleased) * Gpgsm always tries to locate missing certificates from a running Dirmngr's cache. - * Minor bug fixes. + * Tweaks for Windows. - * Tweaks for Windows + * Improved certificate chain construction. + + * Extended the PKITS framework. + + * Minor bug fixes. Noteworthy changes in version 2.0.8 (2007-12-20) diff --git a/configure.ac b/configure.ac index c630af53b..6860187a9 100644 --- a/configure.ac +++ b/configure.ac @@ -1412,10 +1412,10 @@ tools/Makefile doc/Makefile tests/Makefile tests/openpgp/Makefile +tests/pkits/Makefile ]) AC_OUTPUT -#tests/pkits/Makefile diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi index d936b3eb2..3193e852f 100644 --- a/doc/gpgsm.texi +++ b/doc/gpgsm.texi @@ -342,6 +342,9 @@ to connect to this one. Fallback to a pipe based server if this does not work. Under Windows this option is ignored because the system dirmngr is always used. +@item --disable-dirmngr +Entirely disable the use of the Dirmngr. + @item --no-secmem-warning @opindex no-secmem-warning Don't print a warning when the so called "secure memory" can't be used. @@ -673,6 +676,10 @@ Supply the passphrase @var{string} to the gpg-protect-tool. This option is only useful for the regression tests included with this package and may be revised or removed at any time without notice. +@item --no-common-certs-import +@opindex no-common-certs-import +Suppress the import of common certificates on keybox creation. + @end table All the long options may also be given in the configuration file after diff --git a/po/be.po b/po/be.po index d95b50497..260ab6c6e 100644 --- a/po/be.po +++ b/po/be.po @@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg 1.2.2\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2003-10-30 16:35+0200\n" "Last-Translator: Ales Nyakhaychyk \n" "Language-Team: Belarusian \n" diff --git a/po/ca.po b/po/ca.po index 82bd46229..e2c4d2cba 100644 --- a/po/ca.po +++ b/po/ca.po @@ -27,7 +27,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg 1.4.0\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2005-02-04 02:04+0100\n" "Last-Translator: Jordi Mallach \n" "Language-Team: Catalan \n" diff --git a/po/cs.po b/po/cs.po index 09cb75c65..649ef7288 100644 --- a/po/cs.po +++ b/po/cs.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg-1.3.92\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2004-11-26 09:12+0200\n" "Last-Translator: Roman Pavlik \n" "Language-Team: Czech \n" diff --git a/po/da.po b/po/da.po index e5f20b75c..15e25a481 100644 --- a/po/da.po +++ b/po/da.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg 1.0.0h\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2003-12-03 16:11+0100\n" "Last-Translator: Birger Langkjer \n" "Language-Team: Danish \n" diff --git a/po/de.po b/po/de.po index e0c98e27f..8630fc7d3 100644 --- a/po/de.po +++ b/po/de.po @@ -9,7 +9,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg-2.0.6\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2008-02-15 10:36+0100\n" "Last-Translator: Walter Koch \n" "Language-Team: German \n" diff --git a/po/el.po b/po/el.po index 750daa3f3..5bf3600e5 100644 --- a/po/el.po +++ b/po/el.po @@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg-1.1.92\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2003-06-27 12:00+0200\n" "Last-Translator: Dokianakis Theofanis \n" "Language-Team: Greek \n" diff --git a/po/eo.po b/po/eo.po index 275cfcf7f..7491127fd 100644 --- a/po/eo.po +++ b/po/eo.po @@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg 1.0.6d\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2002-04-14 14:33+0100\n" "Last-Translator: Edmund GRIMLEY EVANS \n" "Language-Team: Esperanto \n" diff --git a/po/es.po b/po/es.po index b2da53b84..8d20dbd76 100644 --- a/po/es.po +++ b/po/es.po @@ -10,7 +10,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg 1.4.1\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2007-08-16 11:35+0200\n" "Last-Translator: Jaime Suárez \n" "Language-Team: Spanish \n" diff --git a/po/et.po b/po/et.po index 890d1a6e8..9384a5c50 100644 --- a/po/et.po +++ b/po/et.po @@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg 1.2.2\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2004-06-17 11:04+0300\n" "Last-Translator: Toomas Soome \n" "Language-Team: Estonian \n" diff --git a/po/fi.po b/po/fi.po index a31d54c89..1ceb035bd 100644 --- a/po/fi.po +++ b/po/fi.po @@ -22,7 +22,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg 1.2.2\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2004-06-16 22:40+0300\n" "Last-Translator: Tommi Vainikainen \n" "Language-Team: Finnish \n" diff --git a/po/fr.po b/po/fr.po index 0a4c94dbe..0c32d038d 100644 --- a/po/fr.po +++ b/po/fr.po @@ -11,7 +11,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg 1.4.2rc2\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2005-06-28 00:24+0200\n" "Last-Translator: Gaël Quéri \n" "Language-Team: French \n" diff --git a/po/gl.po b/po/gl.po index 68a47879b..8cd66bfd9 100644 --- a/po/gl.po +++ b/po/gl.po @@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg 1.2.4\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2003-12-04 11:39+0100\n" "Last-Translator: Jacobo Tarrio \n" "Language-Team: Galician \n" diff --git a/po/hu.po b/po/hu.po index 75f8539e5..e8ff0cad4 100644 --- a/po/hu.po +++ b/po/hu.po @@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg 1.2.5\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2004-06-19 21:53+0200\n" "Last-Translator: Nagy Ferenc László \n" "Language-Team: Hungarian \n" diff --git a/po/id.po b/po/id.po index 2f9cfcf3e..c7fdd992c 100644 --- a/po/id.po +++ b/po/id.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg-id\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2004-06-17 16:32+0700\n" "Last-Translator: Tedi Heriyanto \n" "Language-Team: Indonesian \n" diff --git a/po/it.po b/po/it.po index cde0e309c..21e071d89 100644 --- a/po/it.po +++ b/po/it.po @@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg 1.1.92\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2004-06-16 17:01+0200\n" "Last-Translator: Marco d'Itri \n" "Language-Team: Italian \n" diff --git a/po/ja.po b/po/ja.po index e5984c459..304850df7 100644 --- a/po/ja.po +++ b/po/ja.po @@ -9,7 +9,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg 1.3.92\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2004-11-23 11:14+0900\n" "Last-Translator: IIDA Yosiaki \n" "Language-Team: Japanese \n" diff --git a/po/nb.po b/po/nb.po index 4aba7b0f0..36434b7f1 100644 --- a/po/nb.po +++ b/po/nb.po @@ -10,7 +10,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg 1.4.3\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2006-06-13 20:31+0200\n" "Last-Translator: Trond Endrestøl \n" "Language-Team: Norwegian Bokmål \n" diff --git a/po/pl.po b/po/pl.po index e025d1ec4..e3c842ff5 100644 --- a/po/pl.po +++ b/po/pl.po @@ -9,7 +9,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg-2.0.7\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2007-11-26 19:01+0100\n" "Last-Translator: Jakub Bogusz \n" "Language-Team: Polish \n" diff --git a/po/pt.po b/po/pt.po index 4462c4f16..eb944f7c7 100644 --- a/po/pt.po +++ b/po/pt.po @@ -9,7 +9,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2002-09-13 18:26+0100\n" "Last-Translator: Pedro Morais \n" "Language-Team: pt \n" diff --git a/po/pt_BR.po b/po/pt_BR.po index dd5b34d2b..5d499e1fb 100644 --- a/po/pt_BR.po +++ b/po/pt_BR.po @@ -13,7 +13,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg 1.0\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2007-08-16 11:35+0200\n" "Last-Translator:\n" "Language-Team: ?\n" diff --git a/po/ro.po b/po/ro.po index 2dc565929..e75bcb1cb 100644 --- a/po/ro.po +++ b/po/ro.po @@ -9,7 +9,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg 1.4.2rc1\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2005-05-31 22:00-0500\n" "Last-Translator: Laurentiu Buzdugan \n" "Language-Team: Romanian \n" diff --git a/po/ru.po b/po/ru.po index 2be61ad1e..45929bb43 100644 --- a/po/ru.po +++ b/po/ru.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: GnuPG 2.0.0\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2006-11-07 19:31+0300\n" "Last-Translator: Maxim Britov \n" "Language-Team: Russian \n" diff --git a/po/sk.po b/po/sk.po index 780b0120b..710f2f67b 100644 --- a/po/sk.po +++ b/po/sk.po @@ -5,7 +5,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg 1.2.5\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2004-07-20 15:52+0200\n" "Last-Translator: Michal Majer \n" "Language-Team: Slovak \n" diff --git a/po/sv.po b/po/sv.po index aa759a7cd..8fc72efe3 100644 --- a/po/sv.po +++ b/po/sv.po @@ -24,7 +24,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg trunk\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2007-11-12 16:08+0100\n" "Last-Translator: Daniel Nylander \n" "Language-Team: Swedish \n" diff --git a/po/tr.po b/po/tr.po index 3990a9d66..cee49cd6d 100644 --- a/po/tr.po +++ b/po/tr.po @@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg 1.9.94\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2006-11-04 03:45+0200\n" "Last-Translator: Nilgün Belma Bugüner \n" "Language-Team: Turkish \n" diff --git a/po/zh_CN.po b/po/zh_CN.po index 3dedca961..771a33acb 100644 --- a/po/zh_CN.po +++ b/po/zh_CN.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg 1.4.4\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2006-07-02 10:58+0800\n" "Last-Translator: Meng Jie \n" "Language-Team: Chinese (simplified) \n" diff --git a/po/zh_TW.po b/po/zh_TW.po index 3660d48f9..53d7f8b13 100644 --- a/po/zh_TW.po +++ b/po/zh_TW.po @@ -9,7 +9,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg 2.0.8\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2008-02-15 10:28+0100\n" +"POT-Creation-Date: 2008-02-15 10:39+0100\n" "PO-Revision-Date: 2008-01-31 23:09+0800\n" "Last-Translator: Jedi Lin \n" "Language-Team: Chinese (traditional) \n" diff --git a/sm/ChangeLog b/sm/ChangeLog index 8f348a5f2..22333698b 100644 --- a/sm/ChangeLog +++ b/sm/ChangeLog @@ -1,3 +1,20 @@ +2008-02-18 Werner Koch + + * certchain.c (gpgsm_is_root_cert): Factor code out to ... + (is_root_cert): New. Extend test for self-issued certificates + signed by other CAs. + (do_validate_chain, gpgsm_basic_cert_check) + (gpgsm_walk_cert_chain): Use it here. + + * gpgsm.c: Add option --no-common-certs-import. + + * certchain.c (find_up_dirmngr, find_up, do_validate_chain) + (check_cert_policy): Be more silent with --quiet. + + * gpgsm.c: Add option --disable-dirmngr. + * gpgsm.h (opt): Add field DISABLE_DIRMNGR. + * call-dirmngr.c (start_dirmngr): Implement option. + 2008-02-14 Werner Koch * server.c (option_handler): Add option allow-pinentry-notify. diff --git a/sm/call-dirmngr.c b/sm/call-dirmngr.c index 83b001b52..02a2ca8d7 100644 --- a/sm/call-dirmngr.c +++ b/sm/call-dirmngr.c @@ -166,6 +166,9 @@ start_dirmngr (ctrl_t ctrl) assuan_context_t ctx; int try_default = 0; + if (opt.disable_dirmngr) + return gpg_error (GPG_ERR_NO_DIRMNGR); + if (dirmngr_ctx) { prepare_dirmngr (ctrl, dirmngr_ctx, 0); @@ -447,7 +450,6 @@ gpgsm_dirmngr_isvalid (ctrl_t ctrl, struct inq_certificate_parm_s parm; struct isvalid_status_parm_s stparm; - rc = start_dirmngr (ctrl); if (rc) return rc; diff --git a/sm/certchain.c b/sm/certchain.c index 04b7e05ff..f9751752f 100644 --- a/sm/certchain.c +++ b/sm/certchain.c @@ -1,6 +1,6 @@ /* certchain.c - certificate chain validation * Copyright (C) 2001, 2002, 2003, 2004, 2005, - * 2006, 2007 Free Software Foundation, Inc. + * 2006, 2007, 2008 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -60,6 +60,8 @@ struct chain_item_s typedef struct chain_item_s *chain_item_t; +static int is_root_cert (ksba_cert_t cert, + const char *issuerdn, const char *subjectdn); static int get_regtp_ca_info (ctrl_t ctrl, ksba_cert_t cert, int *chainlen); @@ -331,8 +333,9 @@ check_cert_policy (ksba_cert_t cert, int listmode, estream_t fplist) /* With no critical policies this is only a warning */ if (!any_critical) { - do_list (0, listmode, fplist, - _("note: non-critical certificate policy not allowed")); + if (!opt.quiet) + do_list (0, listmode, fplist, + _("note: non-critical certificate policy not allowed")); return 0; } do_list (1, listmode, fplist, @@ -563,7 +566,7 @@ find_up_dirmngr (ctrl_t ctrl, KEYDB_HANDLE kh, if (opt.verbose) log_info (_("number of matching certificates: %d\n"), count); - if (rc) + if (rc && !opt.quiet) log_info (_("dirmngr cache-only key lookup failed: %s\n"), gpg_strerror (rc)); return (!rc && count)? 0 : -1; @@ -667,7 +670,9 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh, /* Print a note so that the user does not feel too helpless when an issuer certificate was found and gpgsm prints BAD signature because it is not the correct one. */ - if (rc == -1) + if (rc == -1 && opt.quiet) + ; + else if (rc == -1) { log_info ("%sissuer certificate ", find_next?"next ":""); if (keyid) @@ -752,7 +757,7 @@ gpgsm_walk_cert_chain (ctrl_t ctrl, ksba_cert_t start, ksba_cert_t *r_next) goto leave; } - if (!strcmp (issuer, subject)) + if (is_root_cert (start, issuer, subject)) { rc = -1; /* we are at the root */ goto leave; @@ -784,6 +789,75 @@ gpgsm_walk_cert_chain (ctrl_t ctrl, ksba_cert_t start, ksba_cert_t *r_next) } +/* Helper for gpgsm_is_root_cert. This one is used if the subject and + issuer DNs are already known. */ +static int +is_root_cert (ksba_cert_t cert, const char *issuerdn, const char *subjectdn) +{ + gpg_error_t err; + int result = 0; + ksba_sexp_t serialno; + ksba_sexp_t ak_keyid; + ksba_name_t ak_name; + ksba_sexp_t ak_sn; + const char *ak_name_str; + ksba_sexp_t subj_keyid = NULL; + + if (!issuerdn || !subjectdn) + return 0; /* No. */ + + if (strcmp (issuerdn, subjectdn)) + return 0; /* No. */ + + err = ksba_cert_get_auth_key_id (cert, &ak_keyid, &ak_name, &ak_sn); + if (err) + { + if (gpg_err_code (err) == GPG_ERR_NO_DATA) + return 1; /* Yes. Without a authorityKeyIdentifier this needs + to be the Root certifcate (our trust anchor). */ + log_error ("error getting authorityKeyIdentifier: %s\n", + gpg_strerror (err)); + return 0; /* Well, it is broken anyway. Return No. */ + } + + serialno = ksba_cert_get_serial (cert); + if (!serialno) + { + log_error ("error getting serialno: %s\n", gpg_strerror (err)); + goto leave; + } + + /* Check whether the auth name's matches the issuer name+sn. If + that is the case this is a root certificate. */ + ak_name_str = ksba_name_enum (ak_name, 0); + if (ak_name_str + && !strcmp (ak_name_str, issuerdn) + && !cmp_simple_canon_sexp (ak_sn, serialno)) + { + result = 1; /* Right, CERT is self-signed. */ + goto leave; + } + + /* Similar for the ak_keyid. */ + if (ak_keyid && !ksba_cert_get_subj_key_id (cert, NULL, &subj_keyid) + && !cmp_simple_canon_sexp (ak_keyid, subj_keyid)) + { + result = 1; /* Right, CERT is self-signed. */ + goto leave; + } + + + leave: + ksba_free (subj_keyid); + ksba_free (ak_keyid); + ksba_name_release (ak_name); + ksba_free (ak_sn); + ksba_free (serialno); + return result; +} + + + /* Check whether the CERT is a root certificate. Returns True if this is the case. */ int @@ -795,7 +869,7 @@ gpgsm_is_root_cert (ksba_cert_t cert) issuer = ksba_cert_get_issuer (cert, 0); subject = ksba_cert_get_subject (cert, 0); - yes = (issuer && subject && !strcmp (issuer, subject)); + yes = is_root_cert (cert, issuer, subject); xfree (issuer); xfree (subject); return yes; @@ -1197,11 +1271,8 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, } - /* Is this a self-issued certificate (i.e. the root - certificate)? This is actually the same test as done by - gpgsm_is_root_cert but here we want to keep the issuer and - subject for later use. */ - is_root = (subject && !strcmp (issuer, subject)); + /* Is this a self-issued certificate (i.e. the root certificate)? */ + is_root = is_root_cert (subject_cert, issuer, subject); if (is_root) { chain->is_root = 1; @@ -1570,7 +1641,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg, depth++; } /* End chain traversal. */ - if (!listmode) + if (!listmode && !opt.quiet) { if (opt.no_policy_check) log_info ("policies not checked due to %s option\n", @@ -1771,7 +1842,7 @@ gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert) goto leave; } - if (subject && !strcmp (issuer, subject)) + if (is_root_cert (cert, issuer, subject)) { rc = gpgsm_check_cert_sig (cert, cert); if (rc) diff --git a/sm/gpgsm.c b/sm/gpgsm.c index 71f8e2cc1..615dfb8e6 100644 --- a/sm/gpgsm.c +++ b/sm/gpgsm.c @@ -1,6 +1,6 @@ /* gpgsm.c - GnuPG for S/MIME * Copyright (C) 2001, 2002, 2003, 2004, 2005, - * 2006, 2007 Free Software Foundation, Inc. + * 2006, 2007, 2008 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -122,6 +122,7 @@ enum cmd_and_opt_values { oPreferSystemDirmngr, oDirmngrProgram, + oDisableDirmngr, oProtectToolProgram, oFakedSystemTime, @@ -149,7 +150,6 @@ enum cmd_and_opt_values { oEnablePolicyChecks, oAutoIssuerKeyRetrieve, - oTextmode, oFingerprint, oWithFingerprint, @@ -231,6 +231,7 @@ enum cmd_and_opt_values { oIgnoreTimeConflict, oNoRandomSeedFile, oNoAutoKeyRetrieve, + oNoCommonCertsImport, oUseAgent, oMergeOnly, oTryAllSecrets, @@ -431,10 +432,10 @@ static ARGPARSE_OPTS opts[] = { { oLCmessages, "lc-messages", 2, "@" }, { oXauthority, "xauthority", 2, "@" }, { oDirmngrProgram, "dirmngr-program", 2 , "@" }, + { oDisableDirmngr, "disable-dirmngr", 0 , "@" }, { oProtectToolProgram, "protect-tool-program", 2 , "@" }, { oFakedSystemTime, "faked-system-time", 2, "@" }, /* (epoch time) */ - { oNoBatch, "no-batch", 0, "@" }, { oWithColons, "with-colons", 0, "@"}, { oWithKeyData,"with-key-data", 0, "@"}, @@ -462,6 +463,7 @@ static ARGPARSE_OPTS opts[] = { { oListOnly, "list-only", 0, "@"}, { oIgnoreTimeConflict, "ignore-time-conflict", 0, "@" }, { oNoRandomSeedFile, "no-random-seed-file", 0, "@" }, + { oNoCommonCertsImport, "no-common-certs-import", 0, "@" }, {0} }; @@ -842,6 +844,7 @@ main ( int argc, char **argv) int nogreeting = 0; int debug_wait = 0; int use_random_seed = 1; + int no_common_certs_import = 0; int with_fpr = 0; char *def_digest_string = NULL; char *extra_digest_algo = NULL; @@ -1215,6 +1218,7 @@ main ( int argc, char **argv) case oLCmessages: opt.lc_messages = xstrdup (pargs.r.ret_str); break; case oXauthority: opt.xauthority = xstrdup (pargs.r.ret_str); break; case oDirmngrProgram: opt.dirmngr_program = pargs.r.ret_str; break; + case oDisableDirmngr: opt.disable_dirmngr = 1; break; case oPreferSystemDirmngr: opt.prefer_system_dirmngr = 1; break; case oProtectToolProgram: opt.protect_tool_program = pargs.r.ret_str; @@ -1307,6 +1311,7 @@ main ( int argc, char **argv) case oIgnoreTimeConflict: opt.ignore_time_conflict = 1; break; case oNoRandomSeedFile: use_random_seed = 0; break; + case oNoCommonCertsImport: no_common_certs_import = 1; break; case oEnableSpecialFilenames: allow_special_filenames =1; break; @@ -1476,7 +1481,7 @@ main ( int argc, char **argv) int created; keydb_add_resource ("pubring.kbx", 0, 0, &created); - if (created) + if (created && !no_common_certs_import) { /* Import the standard certificates for a new default keybox. */ char *filelist[2]; @@ -1593,6 +1598,8 @@ main ( int argc, char **argv) GC_OPT_FLAG_NONE ); printf ("auto-issuer-key-retrieve:%lu:\n", GC_OPT_FLAG_NONE ); + printf ("disable-dirmngr:%lu:\n", + GC_OPT_FLAG_NONE ); #ifndef HAVE_W32_SYSTEM printf ("prefer-system-dirmngr:%lu:\n", GC_OPT_FLAG_NONE ); diff --git a/sm/gpgsm.h b/sm/gpgsm.h index 26a191f87..73231671c 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h @@ -59,6 +59,7 @@ struct const char *dirmngr_program; int prefer_system_dirmngr; /* Prefer using a system wide drimngr. */ + int disable_dirmngr; /* Do not do any dirmngr calls. */ const char *protect_tool_program; char *outfile; /* name of output file */ diff --git a/tests/pkits/ChangeLog b/tests/pkits/ChangeLog index 084e6cec8..34ddfbfa7 100644 --- a/tests/pkits/ChangeLog +++ b/tests/pkits/ChangeLog @@ -1,3 +1,32 @@ +2008-02-19 Werner Koch + + * signature-verification: New. + * validity-periods: New. + * verifying-name-chaining: New. + * basic-certificate-revocation: New. + * verifying-paths-self-issued: New. + * verifying-basic-constraints: New. + * key-usage: New. + * certificate-policies: New. + * require-explicit-policy: New. + * policy-mappings: New. + * inhibit-policy-mapping: New. + * inhibit-any-policy: New. + * name-constraints: New. + * distribution-points: New. + * delta-crls: New. + * private-certificate-extensions: New. + * Makefile.am (testscripts): Add them. + + * import-all-certs.data: Add section numbers. + +2008-02-18 Werner Koch + + * import-all-certs.data: Adjust import tests results. Almost all + certificates should now be importable due to relaxed basic checks. + + * inittests (clean_files): Disable all dirmngr access. + 2006-05-02 Werner Koch * PKITS_data.tar.bz2: Repackaged new copy becuase the old one got @@ -7,7 +36,7 @@ Started implementing PKITS based tests. - + Copyright 2004 Free Software Foundation, Inc. This file is free software; as a special exception the author gives @@ -17,7 +46,3 @@ This file is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY, to the extent permitted by law; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. - - - - diff --git a/tests/pkits/Makefile.am b/tests/pkits/Makefile.am index d53d35a25..268ad47a3 100644 --- a/tests/pkits/Makefile.am +++ b/tests/pkits/Makefile.am @@ -1,11 +1,11 @@ # Makefile.am - tests using NIST's PKITS -# Copyright (C) 2004 Free Software Foundation, Inc. +# Copyright (C) 2004, 2008 Free Software Foundation, Inc. # # This file is part of GnuPG. # # GnuPG is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or +# the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # GnuPG is distributed in the hope that it will be useful, @@ -14,40 +14,33 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, -# USA. +# along with this program; if not, see . ## Process this file with automake to produce Makefile.in GPGSM = ../../sm/gpgsm TESTS_ENVIRONMENT = GNUPGHOME=`pwd` GPG_AGENT_INFO= LC_ALL=C GPGSM=$(GPGSM) \ - LD_LIBRARY_PATH=$$(seen=0; \ - for i in $(LDFLAGS) $(LIBGCRYPT_LIBS) $(PTH_LIBS); \ - do \ - if echo "$$i" | egrep '^-L' >/dev/null 2>&1; \ - then \ - if test $$seen = 0; \ - then \ - seen=1; \ - else \ - printf ":"; \ - fi; \ - printf "%s" "$${i}" | sed 's/^-L//'; \ - fi; \ - done; \ - if test $$seen != 0 \ - && test x$${LD_LIBRARY_PATH} != x; \ - then \ - printf ":"; \ - fi; \ - printf "%s" "$${LD_LIBRARY_PATH}") $(srcdir)/runtest + silent=yes - -testscripts = import-all-certs validate-all-certs - +testscripts = import-all-certs validate-all-certs \ + signature-verification \ + validity-periods \ + verifying-name-chaining \ + basic-certificate-revocation \ + verifying-paths-self-issued \ + verifying-basic-constraints \ + key-usage \ + certificate-policies \ + require-explicit-policy \ + policy-mappings \ + inhibit-policy-mapping \ + inhibit-any-policy \ + name-constraints \ + distribution-points \ + delta-crls \ + private-certificate-extensions EXTRA_DIST = PKITS_data.tar.bz2 inittests runtest $(testscripts) @@ -68,3 +61,11 @@ inittests.stamp: inittests srcdir=$(srcdir) $(TESTS_ENVIRONMENT) $(srcdir)/inittests echo timestamp >./inittests.stamp + +run-all-tests: + @set -e; \ + GNUPGHOME=`pwd`; export GNUPGHOME;\ + unset GPG_AGENT_INFO; \ + for test in $(testscripts); do \ + ./$${test} && true; \ + done diff --git a/tests/pkits/README b/tests/pkits/README index 79678cf30..3fe238c6c 100644 --- a/tests/pkits/README +++ b/tests/pkits/README @@ -7,6 +7,31 @@ http://csrc.nist.gov/pki/testing/x509paths.html . README - this file. PKITS_data.tar.bz2 - the orginal ZIP file, repackaged as a tarball. Makefile.am - Part of our build system. +import-all-certs - Run a simple import test on all certifcates +validate-all-certs - Run an import and validate test on all certificates +signature-verification - PKITS test 4.1 +validity-periods - PKITS test 4.2 +verifying-name-chaining - PKITS test 4.3 +basic-certificate-revocation - PKITS test 4.4 +verifying-paths-self-issued - PKITS test 4.5 +verifying-basic-constraints - PKITS test 4.6 +key-usage - PKITS test 4.7 +certificate-policies - PKITS test 4.8 +require-explicit-policy - PKITS test 4.9 +policy-mappings - PKITS test 4.10 +inhibit-policy-mapping - PKITS test 4.11 +inhibit-any-policy - PKITS test 4.12 +name-constraints - PKITS test 4.13 +distribution-points - PKITS test 4.14 +delta-crls - PKITS test 4.15 +private-certificate-extensions - PKITS test 4.16 The password for the p12 files is "password". + +You may run the tests as usual with "make check" or after a plain make +in this directory you may run the tests individually. When run in +this way they will print easy to parse output to stdout. To run all +tests in this mode, use "make run-all-tests". All test scripts create +a log file with the suffix ".log" appended to the test script's name. + diff --git a/tests/pkits/basic-certificate-revocation b/tests/pkits/basic-certificate-revocation new file mode 100644 index 000000000..496a82c97 --- /dev/null +++ b/tests/pkits/basic-certificate-revocation @@ -0,0 +1,31 @@ +#!/bin/sh +# basic-certificate-revocation - PKITS Test 4.4 -*- sh -*- +# Copyright (C) 2008 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . + +. ${srcdir:-.}/common.sh || exit 2 + +section=4.4 +description="Basic Certificate Revocation" +info "Running $description tests" + + + + + + +final_result diff --git a/tests/pkits/certificate-policies b/tests/pkits/certificate-policies new file mode 100644 index 000000000..f4722012d --- /dev/null +++ b/tests/pkits/certificate-policies @@ -0,0 +1,31 @@ +#!/bin/sh +# certificate-policies - PKITS Test 4.8 -*- sh -*- +# Copyright (C) 2008 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . + +. ${srcdir:-.}/common.sh || exit 2 + +section=4.8 +description="Certificate Policies" +info "Running $description tests" + + + + + + +final_result diff --git a/tests/pkits/common.sh b/tests/pkits/common.sh index 09fb62bc8..241a0faf7 100644 --- a/tests/pkits/common.sh +++ b/tests/pkits/common.sh @@ -1,12 +1,12 @@ #!/bin/sh # common.sh - common defs for all tests -*- sh -*- -# Copyright (C) 2004 Free Software Foundation, Inc. +# Copyright (C) 2004, 2008 Free Software Foundation, Inc. # # This file is part of GnuPG. # # GnuPG is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or +# the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # GnuPG is distributed in the hope that it will be useful, @@ -15,9 +15,7 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, -# USA. +# along with this program; if not, see . # reset some environment variables because we do not want to test locals export LANG=C @@ -29,7 +27,7 @@ export LC_ALL=C [ -z "$srcdir" ] && srcdir="." [ -z "$top_srcdir" ] && top_srcdir=".." [ -z "$GPGSM" ] && GPGSM="../../sm/gpgsm" - +[ -z "$silent" ] && silent=no if [ "$GNUPGHOME" != "`pwd`" ]; then echo "inittests: please set GNUPGHOME to the tests/pkits directory" >&2 @@ -42,7 +40,6 @@ if [ -n "$GPG_AGENT_INFO" ]; then fi - #-------------------------------- #------ utility functions ------- #-------------------------------- @@ -68,46 +65,92 @@ echo_n () { echo $echo_n_n "${1}$echo_n_c" } +setup_output () { + if [ -z "$first_section_set" ]; then + first_section_set=$section + fi + section_out="$(echo $section)" + if [ -z "$section_out" ]; then + section_out="-" + fi +} + fatal () { echo "$pgmname: fatal:" $* >&2 + if [ "$silent" != "yes" ]; then + echo "$section_out ERROR: $* (fatal)" + fi exit 1; } error () { echo "$pgmname:" $* >&2 + if [ "$silent" != "yes" ]; then + echo "$section_out ERROR: $*" + fi exit 1 } info () { + setup_output echo "$pgmname:" $* >&2 + if [ "$silent" != "yes" ]; then + echo "$section_out ____ $*" + fi } info_n () { - $echo_n "$pgmname:" $* >&2 + setup_output + echo_n "$pgmname:" $* >&2 } pass () { + setup_output echo "PASS: " $* >&2 pass_count=`expr ${pass_count} + 1` + if [ "$silent" != "yes" ]; then + echo_n "$section_out PASS" + [ -n "$description" ] && echo_n " ($description)" + echo + fi } fail () { + setup_output echo "FAIL: " $* >&2 fail_count=`expr ${fail_count} + 1` + if [ "$silent" != "yes" ]; then + echo_n "$section_out FAIL" + [ -n "$description" ] && echo_n " ($description)" + echo + fi } unresolved () { + setup_output echo "UNRESOLVED: " $* >&2 unresolved_count=`expr ${unresolved_count} + 1` + if [ "$silent" != "yes" ]; then + echo_n "$section_out UNRESOLVED" + [ -n "$description" ] && echo_n " ($description)" + echo + fi } unsupported () { + setup_output echo "UNSUPPORTED: " $* >&2 unsupported_count=`expr ${unsupported_count} + 1` + if [ "$silent" != "yes" ]; then + echo_n "$section_out UNSUPPORTED" + [ -n "$description" ] && echo_n " ($description)" + echo + fi } final_result () { + section=$first_section_set [ $pass_count = 0 ] || info "$pass_count tests passed" [ $fail_count = 0 ] || info "$fail_count tests failed" [ $unresolved_count = 0 ] || info "$unresolved_count tests unresolved" @@ -127,7 +170,10 @@ pass_count=0 fail_count=0 unresolved_count=0 unsupported_count=0 - +first_section_set="" +section_out="" +section="" +description="" #trap cleanup SIGHUP SIGINT SIGQUIT exec 2> ${pgmname}.log diff --git a/tests/pkits/delta-crls b/tests/pkits/delta-crls new file mode 100644 index 000000000..2b912887b --- /dev/null +++ b/tests/pkits/delta-crls @@ -0,0 +1,31 @@ +#!/bin/sh +# delta-crls - PKITS Test 4.15 -*- sh -*- +# Copyright (C) 2008 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . + +. ${srcdir:-.}/common.sh || exit 2 + +section=4.15 +description="Delta-CRLs" +info "Running $description tests" + + + + + + +final_result diff --git a/tests/pkits/distribution-points b/tests/pkits/distribution-points new file mode 100644 index 000000000..2d59fcdb3 --- /dev/null +++ b/tests/pkits/distribution-points @@ -0,0 +1,31 @@ +#!/bin/sh +# distribution-points - PKITS Test 4.14 -*- sh -*- +# Copyright (C) 2008 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . + +. ${srcdir:-.}/common.sh || exit 2 + +section=4.14 +description="Distribution Points" +info "Running $description tests" + + + + + + +final_result diff --git a/tests/pkits/import-all-certs b/tests/pkits/import-all-certs index 2d70d06df..8144d97be 100755 --- a/tests/pkits/import-all-certs +++ b/tests/pkits/import-all-certs @@ -1,11 +1,12 @@ #!/bin/sh -# Copyright (C) 2004 Free Software Foundation, Inc. -*- sh -*- +# import-all-certs - GnuPG import test -*- sh -*- +# Copyright (C) 2004, 2008 Free Software Foundation, Inc. # # This file is part of GnuPG. # # GnuPG is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or +# the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # GnuPG is distributed in the hope that it will be useful, @@ -14,16 +15,19 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, -# USA. +# along with this program; if not, see . . ${srcdir:-.}/common.sh || exit 2 -while read flag dummy name; do - case $flag in \#*) continue;; esac - [ -z "$flag" ] && continue; +section=6 +description="GnuPG Import" +info "Running $description tests" +while read flag dummy section name; do + case $flag in \#*) continue ;; esac + [ -z "$(echo $flag)" ] && continue; + + description="import $name" if ${GPGSM} -q --import certs/$name ; then if [ "$flag" = 'p' ]; then pass "importing certificate \`$name' succeeded" diff --git a/tests/pkits/import-all-certs.data b/tests/pkits/import-all-certs.data index 18708aa61..597dbc0f9 100644 --- a/tests/pkits/import-all-certs.data +++ b/tests/pkits/import-all-certs.data @@ -1,490 +1,471 @@ # The first column is for the basic import test, the second for a -# validation test. - +# validation test, the third is the section number and th foruth the +# filename of the certificate. + # Make sure that the root certificate is imported first -p p TrustAnchorRootCertificate.crt - -p p AllCertificatesNoPoliciesTest2EE.crt -p p AllCertificatesSamePoliciesTest10EE.crt -p p AllCertificatesSamePoliciesTest13EE.crt -p p AllCertificatesanyPolicyTest11EE.crt -p p AnyPolicyTest14EE.crt -p p BadCRLIssuerNameCACert.crt -p p BadCRLSignatureCACert.crt -f f BadSignedCACert.crt -p f BadnotAfterDateCACert.crt - -# UTC: "470101120100Z" i.e. not before 2047-01-01 -p f BadnotBeforeDateCACert.crt - -p p BasicSelfIssuedCRLSigningKeyCACert.crt - -# For yet unknown reasons gpgsm claims a bad signature. -? ? BasicSelfIssuedCRLSigningKeyCRLCert.crt +p p 6.1.5.1 TrustAnchorRootCertificate.crt -p p BasicSelfIssuedNewKeyCACert.crt - -# For yet unknown reasons gpgsm claims a bad signature. -? ? BasicSelfIssuedNewKeyOldWithNewCACert.crt - -p p BasicSelfIssuedOldKeyCACert.crt - -# For yet unknown reasons gpgsm claims a bad signature. -? ? BasicSelfIssuedOldKeyNewWithOldCACert.crt - -p p CPSPointerQualifierTest20EE.crt +p p 6.1.5.168 AllCertificatesNoPoliciesTest2EE.crt +p p 6.1.5.204 AllCertificatesSamePoliciesTest10EE.crt +p p 6.1.5.211 AllCertificatesSamePoliciesTest13EE.crt +p p 6.1.5.207 AllCertificatesanyPolicyTest11EE.crt +p p 6.1.5.212 AnyPolicyTest14EE.crt +p p 6.1.5.41 BadCRLIssuerNameCACert.crt +p p 6.1.5.38 BadCRLSignatureCACert.crt +f f 6.1.5.6 BadSignedCACert.crt +p f 6.1.5.16 BadnotAfterDateCACert.crt -u u DSACACert.crt -u u DSAParametersInheritedCACert.crt +# UTC: "470101120100Z" i.e. not before 2047-01-01 +p f 6.1.5.10 BadnotBeforeDateCACert.crt + +p p 6.1.5.88 BasicSelfIssuedCRLSigningKeyCACert.crt +p p 6.1.5.90 BasicSelfIssuedCRLSigningKeyCRLCert.crt + +p p 6.1.5.76 BasicSelfIssuedNewKeyCACert.crt +p p 6.1.5.78 BasicSelfIssuedNewKeyOldWithNewCACert.crt +p p 6.1.5.81 BasicSelfIssuedOldKeyCACert.crt +p p 6.1.5.83 BasicSelfIssuedOldKeyNewWithOldCACert.crt + +p p 6.1.5.218 CPSPointerQualifierTest20EE.crt + +u u 6.1.5.572 DSACACert.crt +u u 6.1.5.575 DSAParametersInheritedCACert.crt + +p p 6.1.5.210 DifferentPoliciesTest12EE.crt +p p 6.1.5.171 DifferentPoliciesTest3EE.crt +p p 6.1.5.174 DifferentPoliciesTest4EE.crt +p p 6.1.5.177 DifferentPoliciesTest5EE.crt +p p 6.1.5.191 DifferentPoliciesTest7EE.crt +p p 6.1.5.198 DifferentPoliciesTest8EE.crt +p p 6.1.5.203 DifferentPoliciesTest9EE.crt +p p 6.1.5.64 GeneralizedTimeCRLnextUpdateCACert.crt +p p 6.1.5.3 GoodCACert.crt +p p 6.1.5.172 GoodsubCACert.crt + +# gpgsm: critical certificate extension 2.5.29.33 (policyMappings) +# is not supported +p u 6.1.5.300 GoodsubCAPanyPolicyMapping1to2CACert.crt + +p f 6.1.5.43 InvalidBadCRLIssuerNameTest5EE.crt + +p f 6.1.5.40 InvalidBadCRLSignatureTest4EE.crt +p f 6.1.5.93 InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt + +p f 6.1.5.94 InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt + +p f 6.1.5.87 InvalidBasicSelfIssuedNewWithOldTest5EE.crt + +p f 6.1.5.80 InvalidBasicSelfIssuedOldWithNewTest2EE.crt + +p f 6.1.5.8 InvalidCASignatureTest2EE.crt + +p f 6.1.5.18 InvalidCAnotAfterDateTest5EE.crt +p f 6.1.5.12 InvalidCAnotBeforeDateTest1EE.crt +p f 6.1.5.439 InvalidDNSnameConstraintsTest31EE.crt +p f 6.1.5.443 InvalidDNSnameConstraintsTest33EE.crt +p f 6.1.5.562 InvalidDNSnameConstraintsTest38EE.crt +p f 6.1.5.434 InvalidDNandRFC822nameConstraintsTest28EE.crt +p f 6.1.5.435 InvalidDNandRFC822nameConstraintsTest29EE.crt +p f 6.1.5.399 InvalidDNnameConstraintsTest10EE.crt +p f 6.1.5.403 InvalidDNnameConstraintsTest12EE.crt +p f 6.1.5.406 InvalidDNnameConstraintsTest13EE.crt +p f 6.1.5.410 InvalidDNnameConstraintsTest15EE.crt +p f 6.1.5.411 InvalidDNnameConstraintsTest16EE.crt +p f 6.1.5.414 InvalidDNnameConstraintsTest17EE.crt + +p f 6.1.5.418 InvalidDNnameConstraintsTest20EE.crt + +p f 6.1.5.383 InvalidDNnameConstraintsTest2EE.crt +p f 6.1.5.384 InvalidDNnameConstraintsTest3EE.crt +p f 6.1.5.392 InvalidDNnameConstraintsTest7EE.crt +p f 6.1.5.395 InvalidDNnameConstraintsTest8EE.crt +p f 6.1.5.396 InvalidDNnameConstraintsTest9EE.crt + +u u 6.1.5.578 InvalidDSASignatureTest6EE.crt + +f f 6.1.5.9 InvalidEESignatureTest3EE.crt + +p f 6.1.5.19 InvalidEEnotAfterDateTest6EE.crt +p f 6.1.5.13 InvalidEEnotBeforeDateTest2EE.crt +p f 6.1.5.500 InvalidIDPwithindirectCRLTest23EE.crt +p f 6.1.5.504 InvalidIDPwithindirectCRLTest26EE.crt +p f 6.1.5.75 InvalidLongSerialNumberTest18EE.crt +p f 6.1.5.293 InvalidMappingFromanyPolicyTest7EE.crt +p f 6.1.5.296 InvalidMappingToanyPolicyTest8EE.crt +p f 6.1.5.33 InvalidMissingCRLTest1EE.crt +p f 6.1.5.97 InvalidMissingbasicConstraintsTest1EE.crt +p f 6.1.5.25 InvalidNameChainingOrderTest2EE.crt +p f 6.1.5.22 InvalidNameChainingTest1EE.crt +p f 6.1.5.70 InvalidNegativeSerialNumberTest15EE.crt +p f 6.1.5.60 InvalidOldCRLnextUpdateTest11EE.crt +p f 6.1.5.302 InvalidPolicyMappingTest10EE.crt +p f 6.1.5.276 InvalidPolicyMappingTest2EE.crt +p f 6.1.5.284 InvalidPolicyMappingTest4EE.crt +p f 6.1.5.422 InvalidRFC822nameConstraintsTest22EE.crt +p f 6.1.5.426 InvalidRFC822nameConstraintsTest24EE.crt +p f 6.1.5.430 InvalidRFC822nameConstraintsTest26EE.crt +p f 6.1.5.36 InvalidRevokedCATest2EE.crt +p f 6.1.5.37 InvalidRevokedEETest3EE.crt + +p f 6.1.5.379 InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt + +p f 6.1.5.376 InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt +p f 6.1.5.348 InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt +p f 6.1.5.349 InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt +p f 6.1.5.345 InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt +p f 6.1.5.346 InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt +p f 6.1.5.143 InvalidSelfIssuedpathLenConstraintTest16EE.crt +p f 6.1.5.270 InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt +p f 6.1.5.272 InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt + +p f 6.1.5.567 InvalidSeparateCertificateandCRLKeysTest20EE.crt +p f 6.1.5.571 InvalidSeparateCertificateandCRLKeysTest21EE.crt + +p f 6.1.5.447 InvalidURInameConstraintsTest35EE.crt +p f 6.1.5.451 InvalidURInameConstraintsTest37EE.crt +p f 6.1.5.53 InvalidUnknownCRLEntryExtensionTest8EE.crt +p f 6.1.5.57 InvalidUnknownCRLExtensionTest10EE.crt +p f 6.1.5.56 InvalidUnknownCRLExtensionTest9EE.crt +p f 6.1.5.546 InvalidUnknownCriticalCertificateExtensionTest2EE.crt +p f 6.1.5.46 InvalidWrongCRLTest6EE.crt +p f 6.1.5.100 InvalidcAFalseTest2EE.crt +p f 6.1.5.103 InvalidcAFalseTest3EE.crt +p f 6.1.5.505 InvalidcRLIssuerTest27EE.crt +p f 6.1.5.519 InvalidcRLIssuerTest31EE.crt +p f 6.1.5.520 InvalidcRLIssuerTest32EE.crt +p f 6.1.5.522 InvalidcRLIssuerTest34EE.crt +p f 6.1.5.523 InvalidcRLIssuerTest35EE.crt +p f 6.1.5.526 InvaliddeltaCRLIndicatorNoBaseTest1EE.crt +p f 6.1.5.544 InvaliddeltaCRLTest10EE.crt +p f 6.1.5.531 InvaliddeltaCRLTest3EE.crt +p f 6.1.5.532 InvaliddeltaCRLTest4EE.crt +p f 6.1.5.534 InvaliddeltaCRLTest6EE.crt +p f 6.1.5.540 InvaliddeltaCRLTest9EE.crt +p f 6.1.5.455 InvaliddistributionPointTest2EE.crt +p f 6.1.5.456 InvaliddistributionPointTest3EE.crt +p f 6.1.5.461 InvaliddistributionPointTest6EE.crt +p f 6.1.5.463 InvaliddistributionPointTest8EE.crt +p f 6.1.5.464 InvaliddistributionPointTest9EE.crt +p f 6.1.5.352 InvalidinhibitAnyPolicyTest1EE.crt +p f 6.1.5.359 InvalidinhibitAnyPolicyTest4EE.crt +p f 6.1.5.366 InvalidinhibitAnyPolicyTest5EE.crt +p f 6.1.5.369 InvalidinhibitAnyPolicyTest6EE.crt +p f 6.1.5.313 InvalidinhibitPolicyMappingTest1EE.crt +p f 6.1.5.321 InvalidinhibitPolicyMappingTest3EE.crt +p f 6.1.5.331 InvalidinhibitPolicyMappingTest5EE.crt +p f 6.1.5.336 InvalidinhibitPolicyMappingTest6EE.crt +p f 6.1.5.162 InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt +p f 6.1.5.153 InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt +p f 6.1.5.165 InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt +p f 6.1.5.156 InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt +p f 6.1.5.477 InvalidonlyContainsAttributeCertsTest14EE.crt +p f 6.1.5.473 InvalidonlyContainsCACertsTest12EE.crt +p f 6.1.5.470 InvalidonlyContainsUserCertsTest11EE.crt +p f 6.1.5.481 InvalidonlySomeReasonsTest15EE.crt +p f 6.1.5.482 InvalidonlySomeReasonsTest16EE.crt +p f 6.1.5.486 InvalidonlySomeReasonsTest17EE.crt +p f 6.1.5.495 InvalidonlySomeReasonsTest20EE.crt +p f 6.1.5.496 InvalidonlySomeReasonsTest21EE.crt +p f 6.1.5.122 InvalidpathLenConstraintTest10EE.crt +p f 6.1.5.129 InvalidpathLenConstraintTest11EE.crt +p f 6.1.5.130 InvalidpathLenConstraintTest12EE.crt +p f 6.1.5.111 InvalidpathLenConstraintTest5EE.crt +p f 6.1.5.112 InvalidpathLenConstraintTest6EE.crt +p f 6.1.5.121 InvalidpathLenConstraintTest9EE.crt +p f 6.1.5.63 Invalidpre2000CRLnextUpdateTest12EE.crt +p f 6.1.5.20 Invalidpre2000UTCEEnotAfterDateTest7EE.crt +p f 6.1.5.245 InvalidrequireExplicitPolicyTest3EE.crt +p f 6.1.5.263 InvalidrequireExplicitPolicyTest5EE.crt +p p 6.1.5.71 LongSerialNumberCACert.crt +p p 6.1.5.273 Mapping1to2CACert.crt +p p 6.1.5.291 MappingFromanyPolicyCACert.crt +p p 6.1.5.294 MappingToanyPolicyCACert.crt +p p 6.1.5.95 MissingbasicConstraintsCACert.crt +p p 6.1.5.23 NameOrderingCACert.crt +p p 6.1.5.67 NegativeSerialNumberCACert.crt +p p 6.1.5.32 NoCRLCACert.crt +p p 6.1.5.166 NoPoliciesCACert.crt +p p 6.1.5.465 NoissuingDistributionPointCACert.crt +p p 6.1.5.58 OldCRLnextUpdateCACert.crt +p p 6.1.5.184 OverlappingPoliciesTest6EE.crt +p p 6.1.5.277 P12Mapping1to3CACert.crt +p p 6.1.5.279 P12Mapping1to3subCACert.crt +p p 6.1.5.281 P12Mapping1to3subsubCACert.crt +p p 6.1.5.285 P1Mapping1to234CACert.crt +p p 6.1.5.287 P1Mapping1to234subCACert.crt +p p 6.1.5.305 P1anyPolicyMapping1to2CACert.crt +p p 6.1.5.297 PanyPolicyMapping1to2CACert.crt +p p 6.1.5.178 PoliciesP1234CACert.crt +p p 6.1.5.180 PoliciesP1234subCAP123Cert.crt +p p 6.1.5.182 PoliciesP1234subsubCAP123P12Cert.crt +p p 6.1.5.185 PoliciesP123CACert.crt +p p 6.1.5.187 PoliciesP123subCAP12Cert.crt +p p 6.1.5.189 PoliciesP123subsubCAP12P1Cert.crt +p p 6.1.5.199 PoliciesP123subsubCAP12P2Cert.crt +p p 6.1.5.201 PoliciesP123subsubsubCAP12P2P1Cert.crt +p p 6.1.5.192 PoliciesP12CACert.crt +p p 6.1.5.194 PoliciesP12subCAP1Cert.crt +p p 6.1.5.196 PoliciesP12subsubCAP1P2Cert.crt +p p 6.1.5.175 PoliciesP2subCA2Cert.crt +p p 6.1.5.169 PoliciesP2subCACert.crt +p p 6.1.5.208 PoliciesP3CACert.crt +p p 6.1.5.547 RFC3280MandatoryAttributeTypesCACert.crt +p p 6.1.5.550 RFC3280OptionalAttributeTypesCACert.crt +p p 6.1.5.34 RevokedsubCACert.crt +p p 6.1.5.556 RolloverfromPrintableStringtoUTF8StringCACert.crt +p p 6.1.5.569 SeparateCertificateandCRLKeysCA2CRLSigningCert.crt +p p 6.1.5.568 SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt +p p 6.1.5.564 SeparateCertificateandCRLKeysCRLSigningCert.crt +p p 6.1.5.563 SeparateCertificateandCRLKeysCertificateSigningCACert.crt +p p 6.1.5.47 TwoCRLsCACert.crt +p p 6.1.5.29 UIDCACert.crt +p p 6.1.5.559 UTF8StringCaseInsensitiveMatchCACert.crt +p p 6.1.5.553 UTF8StringEncodedNamesCACert.crt +p p 6.1.5.51 UnknownCRLEntryExtensionCACert.crt +p p 6.1.5.54 UnknownCRLExtensionCACert.crt +p p 6.1.5.213 UserNoticeQualifierTest15EE.crt +p p 6.1.5.214 UserNoticeQualifierTest16EE.crt +p p 6.1.5.215 UserNoticeQualifierTest17EE.crt +p p 6.1.5.216 UserNoticeQualifierTest18EE.crt +p p 6.1.5.217 UserNoticeQualifierTest19EE.crt +p p 6.1.5.92 ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt + +p p 6.1.5.85 ValidBasicSelfIssuedNewWithOldTest3EE.crt +p p 6.1.5.86 ValidBasicSelfIssuedNewWithOldTest4EE.crt +p p 6.1.5.79 ValidBasicSelfIssuedOldWithNewTest1EE.crt + +p p 6.1.5.5 ValidCertificatePathTest1EE.crt +p p 6.1.5.438 ValidDNSnameConstraintsTest30EE.crt +p p 6.1.5.442 ValidDNSnameConstraintsTest32EE.crt +p p 6.1.5.433 ValidDNandRFC822nameConstraintsTest27EE.crt +p p 6.1.5.400 ValidDNnameConstraintsTest11EE.crt -p p DifferentPoliciesTest12EE.crt -p p DifferentPoliciesTest3EE.crt -p p DifferentPoliciesTest4EE.crt -p p DifferentPoliciesTest5EE.crt -p p DifferentPoliciesTest7EE.crt -p p DifferentPoliciesTest8EE.crt -p p DifferentPoliciesTest9EE.crt -p p GeneralizedTimeCRLnextUpdateCACert.crt -p p GoodCACert.crt -p p GoodsubCACert.crt - -# gpgsm: critical certificate extension 2.5.29.33 (policyMappings) -# is not supported -p u GoodsubCAPanyPolicyMapping1to2CACert.crt - -# fixme: gpgme does not fail for it. -p f InvalidBadCRLIssuerNameTest5EE.crt - -p f InvalidBadCRLSignatureTest4EE.crt -p f InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt - -f f InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt - -p f InvalidBasicSelfIssuedNewWithOldTest5EE.crt - -f f InvalidBasicSelfIssuedOldWithNewTest2EE.crt - -p f InvalidCASignatureTest2EE.crt - -p f InvalidCAnotAfterDateTest5EE.crt -p f InvalidCAnotBeforeDateTest1EE.crt -p f InvalidDNSnameConstraintsTest31EE.crt -p f InvalidDNSnameConstraintsTest33EE.crt -p f InvalidDNSnameConstraintsTest38EE.crt -p f InvalidDNandRFC822nameConstraintsTest28EE.crt -p f InvalidDNandRFC822nameConstraintsTest29EE.crt -p f InvalidDNnameConstraintsTest10EE.crt -p f InvalidDNnameConstraintsTest12EE.crt -p f InvalidDNnameConstraintsTest13EE.crt -p f InvalidDNnameConstraintsTest15EE.crt -p f InvalidDNnameConstraintsTest16EE.crt -p f InvalidDNnameConstraintsTest17EE.crt - -f f InvalidDNnameConstraintsTest20EE.crt - -p f InvalidDNnameConstraintsTest2EE.crt -p f InvalidDNnameConstraintsTest3EE.crt -p f InvalidDNnameConstraintsTest7EE.crt -p f InvalidDNnameConstraintsTest8EE.crt -p f InvalidDNnameConstraintsTest9EE.crt - -u u InvalidDSASignatureTest6EE.crt - -f f InvalidEESignatureTest3EE.crt - -p f InvalidEEnotAfterDateTest6EE.crt -p f InvalidEEnotBeforeDateTest2EE.crt -p f InvalidIDPwithindirectCRLTest23EE.crt -p f InvalidIDPwithindirectCRLTest26EE.crt -p f InvalidLongSerialNumberTest18EE.crt -p f InvalidMappingFromanyPolicyTest7EE.crt -p f InvalidMappingToanyPolicyTest8EE.crt -p f InvalidMissingCRLTest1EE.crt -p f InvalidMissingbasicConstraintsTest1EE.crt -p f InvalidNameChainingOrderTest2EE.crt -p f InvalidNameChainingTest1EE.crt -p f InvalidNegativeSerialNumberTest15EE.crt -p f InvalidOldCRLnextUpdateTest11EE.crt -p f InvalidPolicyMappingTest10EE.crt -p f InvalidPolicyMappingTest2EE.crt -p f InvalidPolicyMappingTest4EE.crt -p f InvalidRFC822nameConstraintsTest22EE.crt -p f InvalidRFC822nameConstraintsTest24EE.crt -p f InvalidRFC822nameConstraintsTest26EE.crt -p f InvalidRevokedCATest2EE.crt -p f InvalidRevokedEETest3EE.crt - -f f InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt - -p f InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt -p f InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt -p f InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt -p f InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt -p f InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt -p f InvalidSelfIssuedpathLenConstraintTest16EE.crt -p f InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt -p f InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt - -f f InvalidSeparateCertificateandCRLKeysTest20EE.crt -f f InvalidSeparateCertificateandCRLKeysTest21EE.crt - -p f InvalidURInameConstraintsTest35EE.crt -p f InvalidURInameConstraintsTest37EE.crt -p f InvalidUnknownCRLEntryExtensionTest8EE.crt -p f InvalidUnknownCRLExtensionTest10EE.crt -p f InvalidUnknownCRLExtensionTest9EE.crt -p f InvalidUnknownCriticalCertificateExtensionTest2EE.crt -p f InvalidWrongCRLTest6EE.crt -p f InvalidcAFalseTest2EE.crt -p f InvalidcAFalseTest3EE.crt -p f InvalidcRLIssuerTest27EE.crt -p f InvalidcRLIssuerTest31EE.crt -p f InvalidcRLIssuerTest32EE.crt -p f InvalidcRLIssuerTest34EE.crt -p f InvalidcRLIssuerTest35EE.crt -p f InvaliddeltaCRLIndicatorNoBaseTest1EE.crt -p f InvaliddeltaCRLTest10EE.crt -p f InvaliddeltaCRLTest3EE.crt -p f InvaliddeltaCRLTest4EE.crt -p f InvaliddeltaCRLTest6EE.crt -p f InvaliddeltaCRLTest9EE.crt -p f InvaliddistributionPointTest2EE.crt -p f InvaliddistributionPointTest3EE.crt -p f InvaliddistributionPointTest6EE.crt -p f InvaliddistributionPointTest8EE.crt -p f InvaliddistributionPointTest9EE.crt -p f InvalidinhibitAnyPolicyTest1EE.crt -p f InvalidinhibitAnyPolicyTest4EE.crt -p f InvalidinhibitAnyPolicyTest5EE.crt -p f InvalidinhibitAnyPolicyTest6EE.crt -p f InvalidinhibitPolicyMappingTest1EE.crt -p f InvalidinhibitPolicyMappingTest3EE.crt -p f InvalidinhibitPolicyMappingTest5EE.crt -p f InvalidinhibitPolicyMappingTest6EE.crt -p f InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt -p f InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt -p f InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt -p f InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt -p f InvalidonlyContainsAttributeCertsTest14EE.crt -p f InvalidonlyContainsCACertsTest12EE.crt -p f InvalidonlyContainsUserCertsTest11EE.crt -p f InvalidonlySomeReasonsTest15EE.crt -p f InvalidonlySomeReasonsTest16EE.crt -p f InvalidonlySomeReasonsTest17EE.crt -p f InvalidonlySomeReasonsTest20EE.crt -p f InvalidonlySomeReasonsTest21EE.crt -p f InvalidpathLenConstraintTest10EE.crt -p f InvalidpathLenConstraintTest11EE.crt -p f InvalidpathLenConstraintTest12EE.crt -p f InvalidpathLenConstraintTest5EE.crt -p f InvalidpathLenConstraintTest6EE.crt -p f InvalidpathLenConstraintTest9EE.crt -p f Invalidpre2000CRLnextUpdateTest12EE.crt -p f Invalidpre2000UTCEEnotAfterDateTest7EE.crt -p f InvalidrequireExplicitPolicyTest3EE.crt -p f InvalidrequireExplicitPolicyTest5EE.crt -p p LongSerialNumberCACert.crt -p p Mapping1to2CACert.crt -p p MappingFromanyPolicyCACert.crt -p p MappingToanyPolicyCACert.crt -p p MissingbasicConstraintsCACert.crt -p p NameOrderingCACert.crt -p p NegativeSerialNumberCACert.crt -p p NoCRLCACert.crt -p p NoPoliciesCACert.crt -p p NoissuingDistributionPointCACert.crt -p p OldCRLnextUpdateCACert.crt -p p OverlappingPoliciesTest6EE.crt -p p P12Mapping1to3CACert.crt -p p P12Mapping1to3subCACert.crt -p p P12Mapping1to3subsubCACert.crt -p p P1Mapping1to234CACert.crt -p p P1Mapping1to234subCACert.crt -p p P1anyPolicyMapping1to2CACert.crt -p p PanyPolicyMapping1to2CACert.crt -p p PoliciesP1234CACert.crt -p p PoliciesP1234subCAP123Cert.crt -p p PoliciesP1234subsubCAP123P12Cert.crt -p p PoliciesP123CACert.crt -p p PoliciesP123subCAP12Cert.crt -p p PoliciesP123subsubCAP12P1Cert.crt -p p PoliciesP123subsubCAP12P2Cert.crt -p p PoliciesP123subsubsubCAP12P2P1Cert.crt -p p PoliciesP12CACert.crt -p p PoliciesP12subCAP1Cert.crt -p p PoliciesP12subsubCAP1P2Cert.crt -p p PoliciesP2subCA2Cert.crt -p p PoliciesP2subCACert.crt -p p PoliciesP3CACert.crt -p p RFC3280MandatoryAttributeTypesCACert.crt -p p RFC3280OptionalAttributeTypesCACert.crt -p p RevokedsubCACert.crt -p p RolloverfromPrintableStringtoUTF8StringCACert.crt -p p SeparateCertificateandCRLKeysCA2CRLSigningCert.crt -p p SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt -p p SeparateCertificateandCRLKeysCRLSigningCert.crt -p p SeparateCertificateandCRLKeysCertificateSigningCACert.crt -p p TwoCRLsCACert.crt -p p UIDCACert.crt -p p UTF8StringCaseInsensitiveMatchCACert.crt -p p UTF8StringEncodedNamesCACert.crt -p p UnknownCRLEntryExtensionCACert.crt -p p UnknownCRLExtensionCACert.crt -p p UserNoticeQualifierTest15EE.crt -p p UserNoticeQualifierTest16EE.crt -p p UserNoticeQualifierTest17EE.crt -p p UserNoticeQualifierTest18EE.crt -p p UserNoticeQualifierTest19EE.crt -p p ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt - -# For yet unknown reasons gpgsm claims a bad signature. -? ? ValidBasicSelfIssuedNewWithOldTest3EE.crt - -p p ValidBasicSelfIssuedNewWithOldTest4EE.crt - -# For yet unknown reasons gpgsm claims a bad signature. -? ? ValidBasicSelfIssuedOldWithNewTest1EE.crt - -p p ValidCertificatePathTest1EE.crt -p p ValidDNSnameConstraintsTest30EE.crt -p p ValidDNSnameConstraintsTest32EE.crt -p p ValidDNandRFC822nameConstraintsTest27EE.crt -p p ValidDNnameConstraintsTest11EE.crt - # This certificate has an empty subject sequence. Our parser does not # support this yet and it is unlikely that gpgsm will be able to cope # with it at all. -u u ValidDNnameConstraintsTest14EE.crt - -p p ValidDNnameConstraintsTest18EE.crt - +u u 6.1.5.407 ValidDNnameConstraintsTest14EE.crt + +p p 6.1.5.415 ValidDNnameConstraintsTest18EE.crt +p p 6.1.5.417 ValidDNnameConstraintsTest19EE.crt + +p p 6.1.5.382 ValidDNnameConstraintsTest1EE.crt +p p 6.1.5.385 ValidDNnameConstraintsTest4EE.crt +p p 6.1.5.388 ValidDNnameConstraintsTest5EE.crt +p p 6.1.5.391 ValidDNnameConstraintsTest6EE.crt + +u p 6.1.5.577 ValidDSAParameterInheritanceTest5EE.crt +u p 6.1.5.574 ValidDSASignaturesTest4EE.crt + +p p 6.1.5.66 ValidGeneralizedTimeCRLnextUpdateTest13EE.crt +p p 6.1.5.21 ValidGeneralizedTimenotAfterDateTest8EE.crt +p p 6.1.5.15 ValidGeneralizedTimenotBeforeDateTest4EE.crt +p p 6.1.5.499 ValidIDPwithindirectCRLTest22EE.crt +p p 6.1.5.502 ValidIDPwithindirectCRLTest24EE.crt +p p 6.1.5.503 ValidIDPwithindirectCRLTest25EE.crt +p p 6.1.5.73 ValidLongSerialNumberTest16EE.crt +p p 6.1.5.74 ValidLongSerialNumberTest17EE.crt +p p 6.1.5.28 ValidNameChainingCapitalizationTest5EE.crt +p p 6.1.5.26 ValidNameChainingWhitespaceTest3EE.crt +p p 6.1.5.27 ValidNameChainingWhitespaceTest4EE.crt +p p 6.1.5.31 ValidNameUIDsTest6EE.crt +p p 6.1.5.69 ValidNegativeSerialNumberTest14EE.crt +p p 6.1.5.467 ValidNoissuingDistributionPointTest10EE.crt +p p 6.1.5.303 ValidPolicyMappingTest11EE.crt +p p 6.1.5.304 ValidPolicyMappingTest12EE.crt +p p 6.1.5.307 ValidPolicyMappingTest13EE.crt +p p 6.1.5.308 ValidPolicyMappingTest14EE.crt +p p 6.1.5.275 ValidPolicyMappingTest1EE.crt +p p 6.1.5.283 ValidPolicyMappingTest3EE.crt +p p 6.1.5.289 ValidPolicyMappingTest5EE.crt +p p 6.1.5.290 ValidPolicyMappingTest6EE.crt +p p 6.1.5.299 ValidPolicyMappingTest9EE.crt +p p 6.1.5.549 ValidRFC3280MandatoryAttributeTypesTest7EE.crt +p p 6.1.5.552 ValidRFC3280OptionalAttributeTypesTest8EE.crt +p p 6.1.5.421 ValidRFC822nameConstraintsTest21EE.crt +p p 6.1.5.425 ValidRFC822nameConstraintsTest23EE.crt +p p 6.1.5.429 ValidRFC822nameConstraintsTest25EE.crt +p p 6.1.5.558 ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt +p p 6.1.5.373 ValidSelfIssuedinhibitAnyPolicyTest7EE.crt + +p p 6.1.5.378 ValidSelfIssuedinhibitAnyPolicyTest9EE.crt + +p p 6.1.5.342 ValidSelfIssuedinhibitPolicyMappingTest7EE.crt + +p ? 6.1.5.140 ValidSelfIssuedpathLenConstraintTest15EE.crt + +p p 6.1.5.150 ValidSelfIssuedpathLenConstraintTest17EE.crt + +p ? 6.1.5.267 ValidSelfIssuedrequireExplicitPolicyTest6EE.crt + +p ? 6.1.5.566 ValidSeparateCertificateandCRLKeysTest19EE.crt + +p p 6.1.5.50 ValidTwoCRLsTest7EE.crt +p p 6.1.5.446 ValidURInameConstraintsTest34EE.crt +p p 6.1.5.450 ValidURInameConstraintsTest36EE.crt +p p 6.1.5.561 ValidUTF8StringCaseInsensitiveMatchTest11EE.crt +p p 6.1.5.555 ValidUTF8StringEncodedNamesTest9EE.crt +p p 6.1.5.545 ValidUnknownNotCriticalCertificateExtensionTest1EE.crt +p p 6.1.5.106 ValidbasicConstraintsNotCriticalTest4EE.crt +p p 6.1.5.510 ValidcRLIssuerTest28EE.crt +p p 6.1.5.511 ValidcRLIssuerTest29EE.crt +p p 6.1.5.515 ValidcRLIssuerTest30EE.crt +p p 6.1.5.521 ValidcRLIssuerTest33EE.crt +p p 6.1.5.530 ValiddeltaCRLTest2EE.crt +p p 6.1.5.533 ValiddeltaCRLTest5EE.crt +p p 6.1.5.535 ValiddeltaCRLTest7EE.crt +p p 6.1.5.539 ValiddeltaCRLTest8EE.crt +p p 6.1.5.454 ValiddistributionPointTest1EE.crt +p p 6.1.5.457 ValiddistributionPointTest4EE.crt +p p 6.1.5.460 ValiddistributionPointTest5EE.crt +p p 6.1.5.462 ValiddistributionPointTest7EE.crt +p p 6.1.5.353 ValidinhibitAnyPolicyTest2EE.crt +p p 6.1.5.318 ValidinhibitPolicyMappingTest2EE.crt +p p 6.1.5.322 ValidinhibitPolicyMappingTest4EE.crt +p p 6.1.5.159 ValidkeyUsageNotCriticalTest3EE.crt +p p 6.1.5.474 ValidonlyContainsCACertsTest13EE.crt +p p 6.1.5.490 ValidonlySomeReasonsTest18EE.crt +p p 6.1.5.494 ValidonlySomeReasonsTest19EE.crt +p p 6.1.5.137 ValidpathLenConstraintTest13EE.crt +p p 6.1.5.138 ValidpathLenConstraintTest14EE.crt +p p 6.1.5.113 ValidpathLenConstraintTest7EE.crt +p p 6.1.5.114 ValidpathLenConstraintTest8EE.crt +p p 6.1.5.14 Validpre2000UTCnotBeforeDateTest3EE.crt +p p 6.1.5.227 ValidrequireExplicitPolicyTest1EE.crt +p p 6.1.5.236 ValidrequireExplicitPolicyTest2EE.crt +p p 6.1.5.254 ValidrequireExplicitPolicyTest4EE.crt +p p 6.1.5.44 WrongCRLCACert.crt +p p 6.1.5.205 anyPolicyCACert.crt +p p 6.1.5.98 basicConstraintsCriticalcAFalseCACert.crt +p p 6.1.5.104 basicConstraintsNotCriticalCACert.crt +p p 6.1.5.101 basicConstraintsNotCriticalcAFalseCACert.crt +p p 6.1.5.527 deltaCRLCA1Cert.crt +p p 6.1.5.536 deltaCRLCA2Cert.crt +p p 6.1.5.541 deltaCRLCA3Cert.crt +p p 6.1.5.524 deltaCRLIndicatorNoBaseCACert.crt +p p 6.1.5.452 distributionPoint1CACert.crt +p p 6.1.5.458 distributionPoint2CACert.crt +p p 6.1.5.497 indirectCRLCA1Cert.crt +p p 6.1.5.501 indirectCRLCA2Cert.crt +p p 6.1.5.506 indirectCRLCA3Cert.crt +p p 6.1.5.508 indirectCRLCA3cRLIssuerCert.crt +p p 6.1.5.512 indirectCRLCA4Cert.crt +p p 6.1.5.513 indirectCRLCA4cRLIssuerCert.crt +p p 6.1.5.516 indirectCRLCA5Cert.crt +p p 6.1.5.518 indirectCRLCA6Cert.crt +p p 6.1.5.350 inhibitAnyPolicy0CACert.crt +p p 6.1.5.354 inhibitAnyPolicy1CACert.crt + +p ? 6.1.5.370 inhibitAnyPolicy1SelfIssuedCACert.crt +p ? 6.1.5.377 inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt + +p p 6.1.5.356 inhibitAnyPolicy1subCA1Cert.crt + +? ? 6.1.5.371 inhibitAnyPolicy1subCA2Cert.crt + +p p 6.1.5.367 inhibitAnyPolicy1subCAIAP5Cert.crt +p p 6.1.5.374 inhibitAnyPolicy1subsubCA2Cert.crt +p p 6.1.5.360 inhibitAnyPolicy5CACert.crt +p p 6.1.5.362 inhibitAnyPolicy5subCACert.crt +p p 6.1.5.364 inhibitAnyPolicy5subsubCACert.crt +p p 6.1.5.358 inhibitAnyPolicyTest3EE.crt +p p 6.1.5.309 inhibitPolicyMapping0CACert.crt +p p 6.1.5.311 inhibitPolicyMapping0subCACert.crt +p p 6.1.5.314 inhibitPolicyMapping1P12CACert.crt +p p 6.1.5.316 inhibitPolicyMapping1P12subCACert.crt +p p 6.1.5.332 inhibitPolicyMapping1P12subCAIPM5Cert.crt +p p 6.1.5.319 inhibitPolicyMapping1P12subsubCACert.crt +p p 6.1.5.334 inhibitPolicyMapping1P12subsubCAIPM5Cert.crt +p p 6.1.5.337 inhibitPolicyMapping1P1CACert.crt + # For yet unknown reasons gpgsm claims a bad signature. -? ? ValidDNnameConstraintsTest19EE.crt - -p p ValidDNnameConstraintsTest1EE.crt -p p ValidDNnameConstraintsTest4EE.crt -p p ValidDNnameConstraintsTest5EE.crt -p p ValidDNnameConstraintsTest6EE.crt - -u p ValidDSAParameterInheritanceTest5EE.crt -u p ValidDSASignaturesTest4EE.crt - -p p ValidGeneralizedTimeCRLnextUpdateTest13EE.crt -p p ValidGeneralizedTimenotAfterDateTest8EE.crt -p p ValidGeneralizedTimenotBeforeDateTest4EE.crt -p p ValidIDPwithindirectCRLTest22EE.crt -p p ValidIDPwithindirectCRLTest24EE.crt -p p ValidIDPwithindirectCRLTest25EE.crt -p p ValidLongSerialNumberTest16EE.crt -p p ValidLongSerialNumberTest17EE.crt -p p ValidNameChainingCapitalizationTest5EE.crt -p p ValidNameChainingWhitespaceTest3EE.crt -p p ValidNameChainingWhitespaceTest4EE.crt -p p ValidNameUIDsTest6EE.crt -p p ValidNegativeSerialNumberTest14EE.crt -p p ValidNoissuingDistributionPointTest10EE.crt -p p ValidPolicyMappingTest11EE.crt -p p ValidPolicyMappingTest12EE.crt -p p ValidPolicyMappingTest13EE.crt -p p ValidPolicyMappingTest14EE.crt -p p ValidPolicyMappingTest1EE.crt -p p ValidPolicyMappingTest3EE.crt -p p ValidPolicyMappingTest5EE.crt -p p ValidPolicyMappingTest6EE.crt -p p ValidPolicyMappingTest9EE.crt -p p ValidRFC3280MandatoryAttributeTypesTest7EE.crt -p p ValidRFC3280OptionalAttributeTypesTest8EE.crt -p p ValidRFC822nameConstraintsTest21EE.crt -p p ValidRFC822nameConstraintsTest23EE.crt -p p ValidRFC822nameConstraintsTest25EE.crt -p p ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt -p p ValidSelfIssuedinhibitAnyPolicyTest7EE.crt -p p ValidSelfIssuedinhibitAnyPolicyTest9EE.crt -p p ValidSelfIssuedinhibitPolicyMappingTest7EE.crt - +? ? 6.1.5.339 inhibitPolicyMapping1P1SelfIssuedCACert.crt +? ? 6.1.5.347 inhibitPolicyMapping1P1SelfIssuedsubCACert.crt +? ? 6.1.5.340 inhibitPolicyMapping1P1subCACert.crt + +p p 6.1.5.343 inhibitPolicyMapping1P1subsubCACert.crt +p p 6.1.5.323 inhibitPolicyMapping5CACert.crt +p p 6.1.5.325 inhibitPolicyMapping5subCACert.crt +p p 6.1.5.327 inhibitPolicyMapping5subsubCACert.crt +p p 6.1.5.329 inhibitPolicyMapping5subsubsubCACert.crt +p p 6.1.5.160 keyUsageCriticalcRLSignFalseCACert.crt +p p 6.1.5.151 keyUsageCriticalkeyCertSignFalseCACert.crt +p p 6.1.5.157 keyUsageNotCriticalCACert.crt +p p 6.1.5.163 keyUsageNotCriticalcRLSignFalseCACert.crt +p p 6.1.5.154 keyUsageNotCriticalkeyCertSignFalseCACert.crt +p p 6.1.5.380 nameConstraintsDN1CACert.crt + +? ? 6.1.5.416 nameConstraintsDN1SelfIssuedCACert.crt + +p p 6.1.5.401 nameConstraintsDN1subCA1Cert.crt +p p 6.1.5.404 nameConstraintsDN1subCA2Cert.crt +p p 6.1.5.431 nameConstraintsDN1subCA3Cert.crt +p p 6.1.5.386 nameConstraintsDN2CACert.crt +p p 6.1.5.389 nameConstraintsDN3CACert.crt +p p 6.1.5.408 nameConstraintsDN3subCA1Cert.crt +p p 6.1.5.412 nameConstraintsDN3subCA2Cert.crt +p p 6.1.5.393 nameConstraintsDN4CACert.crt +p p 6.1.5.397 nameConstraintsDN5CACert.crt +p p 6.1.5.436 nameConstraintsDNS1CACert.crt +p p 6.1.5.440 nameConstraintsDNS2CACert.crt +p p 6.1.5.419 nameConstraintsRFC822CA1Cert.crt +p p 6.1.5.423 nameConstraintsRFC822CA2Cert.crt +p p 6.1.5.427 nameConstraintsRFC822CA3Cert.crt +p p 6.1.5.444 nameConstraintsURI1CACert.crt +p p 6.1.5.448 nameConstraintsURI2CACert.crt +p p 6.1.5.475 onlyContainsAttributeCertsCACert.crt +p p 6.1.5.471 onlyContainsCACertsCACert.crt +p p 6.1.5.468 onlyContainsUserCertsCACert.crt +p p 6.1.5.478 onlySomeReasonsCA1Cert.crt +p p 6.1.5.483 onlySomeReasonsCA2Cert.crt +p p 6.1.5.487 onlySomeReasonsCA3Cert.crt +p p 6.1.5.491 onlySomeReasonsCA4Cert.crt +p p 6.1.5.107 pathLenConstraint0CACert.crt + +? ? 6.1.5.139 pathLenConstraint0SelfIssuedCACert.crt +? ? 6.1.5.141 pathLenConstraint0subCA2Cert.crt + +p p 6.1.5.109 pathLenConstraint0subCACert.crt +p p 6.1.5.144 pathLenConstraint1CACert.crt + +? ? 6.1.5.146 pathLenConstraint1SelfIssuedCACert.crt +? ? 6.1.5.149 pathLenConstraint1SelfIssuedsubCACert.crt +? ? 6.1.5.147 pathLenConstraint1subCACert.crt + +p p 6.1.5.115 pathLenConstraint6CACert.crt +p p 6.1.5.117 pathLenConstraint6subCA0Cert.crt +p p 6.1.5.123 pathLenConstraint6subCA1Cert.crt +p p 6.1.5.131 pathLenConstraint6subCA4Cert.crt +p p 6.1.5.119 pathLenConstraint6subsubCA00Cert.crt +p p 6.1.5.125 pathLenConstraint6subsubCA11Cert.crt +p p 6.1.5.133 pathLenConstraint6subsubCA41Cert.crt +p p 6.1.5.127 pathLenConstraint6subsubsubCA11XCert.crt +p p 6.1.5.135 pathLenConstraint6subsubsubCA41XCert.crt +p p 6.1.5.61 pre2000CRLnextUpdateCACert.crt +p p 6.1.5.246 requireExplicitPolicy0CACert.crt +p p 6.1.5.248 requireExplicitPolicy0subCACert.crt +p p 6.1.5.250 requireExplicitPolicy0subsubCACert.crt +p p 6.1.5.252 requireExplicitPolicy0subsubsubCACert.crt +p p 6.1.5.219 requireExplicitPolicy10CACert.crt +p p 6.1.5.221 requireExplicitPolicy10subCACert.crt +p p 6.1.5.223 requireExplicitPolicy10subsubCACert.crt +p p 6.1.5.225 requireExplicitPolicy10subsubsubCACert.crt +p p 6.1.5.264 requireExplicitPolicy2CACert.crt + # For yet unknown reasons gpgsm claims a bad signature. -? ? ValidSelfIssuedpathLenConstraintTest15EE.crt - -p p ValidSelfIssuedpathLenConstraintTest17EE.crt - -# For yet unknown reasons gpgsm claims a bad signature. -? ? ValidSelfIssuedrequireExplicitPolicyTest6EE.crt - -# For yet unknown reasons gpgsm claims a bad signature. -? ? ValidSeparateCertificateandCRLKeysTest19EE.crt - -p p ValidTwoCRLsTest7EE.crt -p p ValidURInameConstraintsTest34EE.crt -p p ValidURInameConstraintsTest36EE.crt -p p ValidUTF8StringCaseInsensitiveMatchTest11EE.crt -p p ValidUTF8StringEncodedNamesTest9EE.crt -p p ValidUnknownNotCriticalCertificateExtensionTest1EE.crt -p p ValidbasicConstraintsNotCriticalTest4EE.crt -p p ValidcRLIssuerTest28EE.crt -p p ValidcRLIssuerTest29EE.crt -p p ValidcRLIssuerTest30EE.crt -p p ValidcRLIssuerTest33EE.crt -p p ValiddeltaCRLTest2EE.crt -p p ValiddeltaCRLTest5EE.crt -p p ValiddeltaCRLTest7EE.crt -p p ValiddeltaCRLTest8EE.crt -p p ValiddistributionPointTest1EE.crt -p p ValiddistributionPointTest4EE.crt -p p ValiddistributionPointTest5EE.crt -p p ValiddistributionPointTest7EE.crt -p p ValidinhibitAnyPolicyTest2EE.crt -p p ValidinhibitPolicyMappingTest2EE.crt -p p ValidinhibitPolicyMappingTest4EE.crt -p p ValidkeyUsageNotCriticalTest3EE.crt -p p ValidonlyContainsCACertsTest13EE.crt -p p ValidonlySomeReasonsTest18EE.crt -p p ValidonlySomeReasonsTest19EE.crt -p p ValidpathLenConstraintTest13EE.crt -p p ValidpathLenConstraintTest14EE.crt -p p ValidpathLenConstraintTest7EE.crt -p p ValidpathLenConstraintTest8EE.crt -p p Validpre2000UTCnotBeforeDateTest3EE.crt -p p ValidrequireExplicitPolicyTest1EE.crt -p p ValidrequireExplicitPolicyTest2EE.crt -p p ValidrequireExplicitPolicyTest4EE.crt -p p WrongCRLCACert.crt -p p anyPolicyCACert.crt -p p basicConstraintsCriticalcAFalseCACert.crt -p p basicConstraintsNotCriticalCACert.crt -p p basicConstraintsNotCriticalcAFalseCACert.crt -p p deltaCRLCA1Cert.crt -p p deltaCRLCA2Cert.crt -p p deltaCRLCA3Cert.crt -p p deltaCRLIndicatorNoBaseCACert.crt -p p distributionPoint1CACert.crt -p p distributionPoint2CACert.crt -p p indirectCRLCA1Cert.crt -p p indirectCRLCA2Cert.crt -p p indirectCRLCA3Cert.crt -p p indirectCRLCA3cRLIssuerCert.crt -p p indirectCRLCA4Cert.crt -p p indirectCRLCA4cRLIssuerCert.crt -p p indirectCRLCA5Cert.crt -p p indirectCRLCA6Cert.crt -p p inhibitAnyPolicy0CACert.crt -p p inhibitAnyPolicy1CACert.crt - -# For yet unknown reasons gpgsm claims a bad signature. -? ? inhibitAnyPolicy1SelfIssuedCACert.crt -? ? inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt - -p p inhibitAnyPolicy1subCA1Cert.crt - -# For yet unknown reasons gpgsm claims a bad signature. -? ? inhibitAnyPolicy1subCA2Cert.crt - -p p inhibitAnyPolicy1subCAIAP5Cert.crt -p p inhibitAnyPolicy1subsubCA2Cert.crt -p p inhibitAnyPolicy5CACert.crt -p p inhibitAnyPolicy5subCACert.crt -p p inhibitAnyPolicy5subsubCACert.crt -p p inhibitAnyPolicyTest3EE.crt -p p inhibitPolicyMapping0CACert.crt -p p inhibitPolicyMapping0subCACert.crt -p p inhibitPolicyMapping1P12CACert.crt -p p inhibitPolicyMapping1P12subCACert.crt -p p inhibitPolicyMapping1P12subCAIPM5Cert.crt -p p inhibitPolicyMapping1P12subsubCACert.crt -p p inhibitPolicyMapping1P12subsubCAIPM5Cert.crt -p p inhibitPolicyMapping1P1CACert.crt - -# For yet unknown reasons gpgsm claims a bad signature. -? ? inhibitPolicyMapping1P1SelfIssuedCACert.crt -? ? inhibitPolicyMapping1P1SelfIssuedsubCACert.crt -? ? inhibitPolicyMapping1P1subCACert.crt - -p p inhibitPolicyMapping1P1subsubCACert.crt -p p inhibitPolicyMapping5CACert.crt -p p inhibitPolicyMapping5subCACert.crt -p p inhibitPolicyMapping5subsubCACert.crt -p p inhibitPolicyMapping5subsubsubCACert.crt -p p keyUsageCriticalcRLSignFalseCACert.crt -p p keyUsageCriticalkeyCertSignFalseCACert.crt -p p keyUsageNotCriticalCACert.crt -p p keyUsageNotCriticalcRLSignFalseCACert.crt -p p keyUsageNotCriticalkeyCertSignFalseCACert.crt -p p nameConstraintsDN1CACert.crt - -# For yet unknown reasons gpgsm claims a bad signature. -? ? nameConstraintsDN1SelfIssuedCACert.crt - -p p nameConstraintsDN1subCA1Cert.crt -p p nameConstraintsDN1subCA2Cert.crt -p p nameConstraintsDN1subCA3Cert.crt -p p nameConstraintsDN2CACert.crt -p p nameConstraintsDN3CACert.crt -p p nameConstraintsDN3subCA1Cert.crt -p p nameConstraintsDN3subCA2Cert.crt -p p nameConstraintsDN4CACert.crt -p p nameConstraintsDN5CACert.crt -p p nameConstraintsDNS1CACert.crt -p p nameConstraintsDNS2CACert.crt -p p nameConstraintsRFC822CA1Cert.crt -p p nameConstraintsRFC822CA2Cert.crt -p p nameConstraintsRFC822CA3Cert.crt -p p nameConstraintsURI1CACert.crt -p p nameConstraintsURI2CACert.crt -p p onlyContainsAttributeCertsCACert.crt -p p onlyContainsCACertsCACert.crt -p p onlyContainsUserCertsCACert.crt -p p onlySomeReasonsCA1Cert.crt -p p onlySomeReasonsCA2Cert.crt -p p onlySomeReasonsCA3Cert.crt -p p onlySomeReasonsCA4Cert.crt -p p pathLenConstraint0CACert.crt - -# For yet unknown reasons gpgsm claims a bad signature. -? ? pathLenConstraint0SelfIssuedCACert.crt -? ? pathLenConstraint0subCA2Cert.crt - -p p pathLenConstraint0subCACert.crt -p p pathLenConstraint1CACert.crt - -# For yet unknown reasons gpgsm claims a bad signature. -? ? pathLenConstraint1SelfIssuedCACert.crt -? ? pathLenConstraint1SelfIssuedsubCACert.crt -? ? pathLenConstraint1subCACert.crt - -p p pathLenConstraint6CACert.crt -p p pathLenConstraint6subCA0Cert.crt -p p pathLenConstraint6subCA1Cert.crt -p p pathLenConstraint6subCA4Cert.crt -p p pathLenConstraint6subsubCA00Cert.crt -p p pathLenConstraint6subsubCA11Cert.crt -p p pathLenConstraint6subsubCA41Cert.crt -p p pathLenConstraint6subsubsubCA11XCert.crt -p p pathLenConstraint6subsubsubCA41XCert.crt -p p pre2000CRLnextUpdateCACert.crt -p p requireExplicitPolicy0CACert.crt -p p requireExplicitPolicy0subCACert.crt -p p requireExplicitPolicy0subsubCACert.crt -p p requireExplicitPolicy0subsubsubCACert.crt -p p requireExplicitPolicy10CACert.crt -p p requireExplicitPolicy10subCACert.crt -p p requireExplicitPolicy10subsubCACert.crt -p p requireExplicitPolicy10subsubsubCACert.crt -p p requireExplicitPolicy2CACert.crt - -# For yet unknown reasons gpgsm claims a bad signature. -? ? requireExplicitPolicy2SelfIssuedCACert.crt -? ? requireExplicitPolicy2SelfIssuedsubCACert.crt -? ? requireExplicitPolicy2subCACert.crt - -p p requireExplicitPolicy4CACert.crt -p p requireExplicitPolicy4subCACert.crt -p p requireExplicitPolicy4subsubCACert.crt -p p requireExplicitPolicy4subsubsubCACert.crt -p p requireExplicitPolicy5CACert.crt -p p requireExplicitPolicy5subCACert.crt -p p requireExplicitPolicy5subsubCACert.crt -p p requireExplicitPolicy5subsubsubCACert.crt -p p requireExplicitPolicy7CACert.crt -p p requireExplicitPolicy7subCARE2Cert.crt -p p requireExplicitPolicy7subsubCARE2RE4Cert.crt -p p requireExplicitPolicy7subsubsubCARE2RE4Cert.crt - +? ? 6.1.5.266 requireExplicitPolicy2SelfIssuedCACert.crt +? ? 6.1.5.271 requireExplicitPolicy2SelfIssuedsubCACert.crt +? ? 6.1.5.268 requireExplicitPolicy2subCACert.crt + +p p 6.1.5.237 requireExplicitPolicy4CACert.crt +p p 6.1.5.239 requireExplicitPolicy4subCACert.crt +p p 6.1.5.241 requireExplicitPolicy4subsubCACert.crt +p p 6.1.5.243 requireExplicitPolicy4subsubsubCACert.crt +p p 6.1.5.228 requireExplicitPolicy5CACert.crt +p p 6.1.5.230 requireExplicitPolicy5subCACert.crt +p p 6.1.5.232 requireExplicitPolicy5subsubCACert.crt +p p 6.1.5.234 requireExplicitPolicy5subsubsubCACert.crt +p p 6.1.5.255 requireExplicitPolicy7CACert.crt +p p 6.1.5.257 requireExplicitPolicy7subCARE2Cert.crt +p p 6.1.5.259 requireExplicitPolicy7subsubCARE2RE4Cert.crt +p p 6.1.5.261 requireExplicitPolicy7subsubsubCARE2RE4Cert.crt + diff --git a/tests/pkits/inhibit-any-policy b/tests/pkits/inhibit-any-policy new file mode 100644 index 000000000..5e625e253 --- /dev/null +++ b/tests/pkits/inhibit-any-policy @@ -0,0 +1,31 @@ +#!/bin/sh +# inhibit-any-policy - PKITS Test 4.12 -*- sh -*- +# Copyright (C) 2008 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . + +. ${srcdir:-.}/common.sh || exit 2 + +section=4.12 +description="Inhibit Any Policy" +info "Running $description tests" + + + + + + +final_result diff --git a/tests/pkits/inhibit-policy-mapping b/tests/pkits/inhibit-policy-mapping new file mode 100644 index 000000000..1da5f3596 --- /dev/null +++ b/tests/pkits/inhibit-policy-mapping @@ -0,0 +1,31 @@ +#!/bin/sh +# inhibit-policy-mapping - PKITS Test 4.11 -*- sh -*- +# Copyright (C) 2008 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . + +. ${srcdir:-.}/common.sh || exit 2 + +section=4.11 +description="Inhibit Policy Mapping" +info "Running $description tests" + + + + + + +final_result diff --git a/tests/pkits/inittests b/tests/pkits/inittests index e5d136fd9..d9b47bc6d 100755 --- a/tests/pkits/inittests +++ b/tests/pkits/inittests @@ -74,7 +74,9 @@ no-secmem-warning no-greeting batch disable-crl-checks +disable-dirmngr agent-program ../../agent/gpg-agent +no-common-certs-import EOF # Fixme: we need to write a dummy pinentry program diff --git a/tests/pkits/key-usage b/tests/pkits/key-usage new file mode 100644 index 000000000..b830cc5ea --- /dev/null +++ b/tests/pkits/key-usage @@ -0,0 +1,31 @@ +#!/bin/sh +# key-usage - PKITS Test 4.7 -*- sh -*- +# Copyright (C) 2008 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . + +. ${srcdir:-.}/common.sh || exit 2 + +section=4.7 +description="Key Usage" +info "Running $description tests" + + + + + + +final_result diff --git a/tests/pkits/name-constraints b/tests/pkits/name-constraints new file mode 100644 index 000000000..8e36c28d2 --- /dev/null +++ b/tests/pkits/name-constraints @@ -0,0 +1,31 @@ +#!/bin/sh +# name-constraints - PKITS Test 4.13 -*- sh -*- +# Copyright (C) 2008 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . + +. ${srcdir:-.}/common.sh || exit 2 + +section=4.13 +description="Name Constraints" +info "Running $description tests" + + + + + + +final_result diff --git a/tests/pkits/policy-mappings b/tests/pkits/policy-mappings new file mode 100644 index 000000000..8ce9ee871 --- /dev/null +++ b/tests/pkits/policy-mappings @@ -0,0 +1,31 @@ +#!/bin/sh +# policy-mappings - PKITS Test 4.10 -*- sh -*- +# Copyright (C) 2008 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . + +. ${srcdir:-.}/common.sh || exit 2 + +section=4.10 +description="Policy Mappings" +info "Running $description tests" + + + + + + +final_result diff --git a/tests/pkits/private-certificate-extensions b/tests/pkits/private-certificate-extensions new file mode 100644 index 000000000..43f342504 --- /dev/null +++ b/tests/pkits/private-certificate-extensions @@ -0,0 +1,31 @@ +#!/bin/sh +# private-certificate-extensions - PKITS Test 4.16 -*- sh -*- +# Copyright (C) 2008 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . + +. ${srcdir:-.}/common.sh || exit 2 + +section=4.16 +description="Private Certificate Extensions" +info "Running $description tests" + + + + + + +final_result diff --git a/tests/pkits/require-explicit-policy b/tests/pkits/require-explicit-policy new file mode 100644 index 000000000..ceb87bdb7 --- /dev/null +++ b/tests/pkits/require-explicit-policy @@ -0,0 +1,31 @@ +#!/bin/sh +# require-explicit-policy - PKITS Test 4.9 -*- sh -*- +# Copyright (C) 2008 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . + +. ${srcdir:-.}/common.sh || exit 2 + +section=4.9 +description="Require Explicit Policy" +info "Running $description tests" + + + + + + +final_result diff --git a/tests/pkits/signature-verification b/tests/pkits/signature-verification new file mode 100644 index 000000000..45bdcf7f2 --- /dev/null +++ b/tests/pkits/signature-verification @@ -0,0 +1,31 @@ +#!/bin/sh +# signature-verification - PKITS Test 4.1 -*- sh -*- +# Copyright (C) 2008 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . + +. ${srcdir:-.}/common.sh || exit 2 + +section=4.1 +description="Signature Verification" +info "Running $description tests" + + + + + + +final_result diff --git a/tests/pkits/validate-all-certs b/tests/pkits/validate-all-certs index 08f72af71..1c1856c49 100755 --- a/tests/pkits/validate-all-certs +++ b/tests/pkits/validate-all-certs @@ -1,12 +1,12 @@ #!/bin/sh -# validate-all-certs -*- sh -*- -# Copyright (C) 2004 Free Software Foundation, Inc. +# validate-all-certs - GnuPG import and validate tests -*- sh -*- +# Copyright (C) 2004, 2008 Free Software Foundation, Inc. # # This file is part of GnuPG. # # GnuPG is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or +# the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # GnuPG is distributed in the hope that it will be useful, @@ -15,16 +15,19 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, -# USA. +# along with this program; if not, see . . ${srcdir:-.}/common.sh || exit 2 -while read dummy flag name; do - case $dummy in \#*) continue;; esac - [ -z "$dummy" ] && continue; +section=6 +description="GnuPG Import with Validation" +info "Running $description tests" +while read dummy flag section name; do + case $dummy in \#*) continue;; esac + [ -z "$(echo $dummy)" ] && continue; + + description="import and validate $name" if ${GPGSM} -q --import --with-validation --disable-crl-checks \ certs/$name ; then if [ "$flag" = 'p' ]; then diff --git a/tests/pkits/validity-periods b/tests/pkits/validity-periods new file mode 100644 index 000000000..df747533c --- /dev/null +++ b/tests/pkits/validity-periods @@ -0,0 +1,31 @@ +#!/bin/sh +# validity-periods - PKITS Test 4.2 -*- sh -*- +# Copyright (C) 2008 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . + +. ${srcdir:-.}/common.sh || exit 2 + +section=4.2 +description="Validity Periods" +info "Running $description tests" + + + + + + +final_result diff --git a/tests/pkits/verifying-basic-constraints b/tests/pkits/verifying-basic-constraints new file mode 100644 index 000000000..0e052f359 --- /dev/null +++ b/tests/pkits/verifying-basic-constraints @@ -0,0 +1,31 @@ +#!/bin/sh +# verifying-basic-constraints - PKITS Test 4.6 -*- sh -*- +# Copyright (C) 2008 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . + +. ${srcdir:-.}/common.sh || exit 2 + +section=4.6 +description="Verifying Basic Constraints" +info "Running $description tests" + + + + + + +final_result diff --git a/tests/pkits/verifying-name-chaining b/tests/pkits/verifying-name-chaining new file mode 100644 index 000000000..9bdbb5918 --- /dev/null +++ b/tests/pkits/verifying-name-chaining @@ -0,0 +1,31 @@ +#!/bin/sh +# verifying-name-chaining - PKITS Test 4.3 -*- sh -*- +# Copyright (C) 2008 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . + +. ${srcdir:-.}/common.sh || exit 2 + +section=4.3 +description="Verifying Name Chaining" +info "Running $description tests" + + + + + + +final_result diff --git a/tests/pkits/verifying-paths-self-issued b/tests/pkits/verifying-paths-self-issued new file mode 100644 index 000000000..443d7adb9 --- /dev/null +++ b/tests/pkits/verifying-paths-self-issued @@ -0,0 +1,31 @@ +#!/bin/sh +# verifying-paths-self-issued - PKITS Test 4.5 -*- sh -*- +# Copyright (C) 2008 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . + +. ${srcdir:-.}/common.sh || exit 2 + +section=4.5 +description="Verifying Paths with Self-Issued Certificates" +info "Running $description tests" + + + + + + +final_result diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c index 813b6b935..86590eed2 100644 --- a/tools/gpgconf-comp.c +++ b/tools/gpgconf-comp.c @@ -715,6 +715,9 @@ static gc_option_t gc_options_gpgsm[] = { "prefer-system-dirmngr", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED, "gnupg", "use system's dirmngr if available", GC_ARG_TYPE_NONE, GC_BACKEND_GPGSM }, + { "disable-dirmngr", GC_OPT_FLAG_NONE, GC_LEVEL_EXPERT, + "gnupg", N_("disable all access to the dirmngr"), + GC_ARG_TYPE_NONE, GC_BACKEND_GPGSM }, { "p12-charset", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED, "gnupg", N_("|NAME|use encoding NAME for PKCS#12 passphrases"), GC_ARG_TYPE_STRING, GC_BACKEND_GPGSM },