security-and-privacy/gnupg
security-and-privacy
/
gnupg
mirror of git://git.gnupg.org/gnupg.git
1
0
Fork 0
Code Releases Activity

Add some tests.

This commit is contained in:
Werner Koch 2008-02-22 15:47:18 +00:00
parent 898a341f50
commit f5f14d6556
12 changed files with 467 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
TODO
View File

@ -23,7 +23,6 @@
** mark all unimplemented commands and options.
** Implement --default-key
** support the anyPolicy semantic
** Check that we are really following the verification procedures in rfc3280.
* sm/keydb.c
@ -75,7 +74,7 @@
** No card status notifications.
** Regex support is disabled
We need to adjust the test to find the regex we have anyway in
gpg4in. Is that regex compatible to the OpenPGP requirement?
gpg4win. Is that regex compatible to the OpenPGP requirement?
* sm/
@ -137,4 +136,3 @@
gpg-agent's default locale (e.g. by the command updatestartuptty).

4
jnlib/ChangeLog
View File

@ -1,3 +1,7 @@
2008-02-22 Werner Koch <wk@g10code.com>
* argparse.c (strusage): Set copyright year to 2008.
2007-11-19 Werner Koch <wk@g10code.com>
* stringhelp.c (percent_escape): Factor code out to

4
jnlib/argparse.c
View File

@ -1,6 +1,6 @@
/* [argparse.c wk 17.06.97] Argument Parser for option handling
* Copyright (C) 1998, 1999, 2000, 2001, 2006
* 2007 Free Software Foundation, Inc.
* 2007, 2008 Free Software Foundation, Inc.
*
* This file is part of JNLIB.
*
@ -946,7 +946,7 @@ strusage( int level )
break;
case 11: p = "foo"; break;
case 13: p = "0.0"; break;
case 14: p = "Copyright (C) 2007 Free Software Foundation, Inc."; break;
case 14: p = "Copyright (C) 2008 Free Software Foundation, Inc."; break;
case 15: p =
"This is free software: you are free to change and redistribute it.\n"
"There is NO WARRANTY, to the extent permitted by law.\n";

11
tests/pkits/Makefile.am
View File

@ -48,7 +48,7 @@ EXTRA_DIST = inittests runtest common.sh $(testscripts)
TESTS = $(testscripts)
CLEANFILES = inittests.stamp x y y z out err *.lock .\#lk* *.log
CLEANFILES = inittests.stamp scratch.*.tmp x y z out err *.lock .\#lk* *.log
DISTCLEANFILES = pubring.kbx~ random_seed
@ -62,11 +62,14 @@ inittests.stamp: inittests
echo timestamp >./inittests.stamp
run-all-tests:
run-all-tests: inittests.stamp
@set -e; \
GNUPGHOME=`pwd`; export GNUPGHOME;\
unset GPG_AGENT_INFO; \
for test in $(testscripts); do \
./$${test} && true; \
for tst in $(testscripts); do \
if ./$${tst}; then : ; \
elif test $$? -eq 77; then echo "- SKIP $$tst"; \
fi; \
done

136
tests/pkits/common.sh
View File

@ -17,17 +17,31 @@
# along with this program; if not, see <http://www.gnu.org/licenses/>.
# reset some environment variables because we do not want to test locals
export LANG=C
export LANGUAGE=C
export LC_ALL=C
LANG=C
LANGUAGE=C
LC_ALL=C
export LANG LANGUAGE LC_ALL
pgmname=`basename $0`
[ "$VERBOSE" = yes ] && set -x
if [ "$1" = "--debug" ]; then
debug=yes
set -x
else
debug=
fi
[ -z "$srcdir" ] && srcdir="."
[ -z "$top_srcdir" ] && top_srcdir=".."
[ -z "$GPGSM" ] && GPGSM="../../sm/gpgsm"
[ -z "$silent" ] && silent=no
AWK=awk
SCRATCH="scratch.$$.tmp"
# We use this as the faked system time for certain tests.
MYTIME="20080508T120000"
if [ "$GNUPGHOME" != "`pwd`" ]; then
echo "inittests: please set GNUPGHOME to the tests/pkits directory" >&2
exit 1
@ -41,7 +55,14 @@ fi
if [ -f PKITS_data.tar.bz2 ]; then
:
else
# Exit code 77 is used by the makefile for skipping a tests.
if [ "$pgmname" = "import-all-certs" ]; then
if [ "$silent" = "yes" ]; then tmp1="Note: "; tmp2=' '
else tmp1="- ____ "; tmp2="$tmp1"
fi
echo "${tmp1}PKITS_data.tar.bz2 is not installed"
echo "${tmp2}All tests will be skipped (this is not an error)"
fi
# Exit code 77 is used by the Makefile for skipping a tests.
exit 77
fi
@ -115,7 +136,9 @@ pass () {
pass_count=`expr ${pass_count} + 1`
if [ "$silent" != "yes" ]; then
echo_n "$section_out PASS"
[ -n "$description" ] && echo_n " ($description)"
if [ -n "$1" ]; then echo_n " $1"
elif [ -n "$description" ]; then echo_n " ($description)"
fi
echo
fi
}
@ -126,7 +149,22 @@ fail () {
fail_count=`expr ${fail_count} + 1`
if [ "$silent" != "yes" ]; then
echo_n "$section_out FAIL"
[ -n "$description" ] && echo_n " ($description)"
if [ -n "$1" ]; then echo_n " $1"
elif [ -n "$description" ]; then echo_n " ($description)"
fi
echo
fi
}
skip () {
setup_output
echo "SKIP: " $* >&2
skip_count=`expr ${skip_count} + 1`
if [ "$silent" != "yes" ]; then
echo_n "$section_out SKIP"
if [ -n "$1" ]; then echo_n " $1"
elif [ -n "$description" ]; then echo_n " ($description)"
fi
echo
fi
}
@ -137,18 +175,9 @@ unresolved () {
unresolved_count=`expr ${unresolved_count} + 1`
if [ "$silent" != "yes" ]; then
echo_n "$section_out UNRESOLVED"
[ -n "$description" ] && echo_n " ($description)"
echo
fi
}
unsupported () {
setup_output
echo "UNSUPPORTED: " $* >&2
unsupported_count=`expr ${unsupported_count} + 1`
if [ "$silent" != "yes" ]; then
echo_n "$section_out UNSUPPORTED"
[ -n "$description" ] && echo_n " ($description)"
if [ -n "$1" ]; then echo_n " $1"
elif [ -n "$description" ]; then echo_n " ($description)"
fi
echo
fi
}
@ -158,8 +187,9 @@ final_result () {
section=$first_section_set
[ $pass_count = 0 ] || info "$pass_count tests passed"
[ $fail_count = 0 ] || info "$fail_count tests failed"
[ $skip_count = 0 ] || info "$unsupported_count tests skipped"
[ $unresolved_count = 0 ] || info "$unresolved_count tests unresolved"
[ $unsupported_count = 0 ] || info "$unsupported_count tests unsupported"
[ -z "$debug" -a -f "$SCRATCH" ] && rm "$SCRATCH"
if [ $fail_count = 0 ]; then
info "all tests passed"
else
@ -167,21 +197,79 @@ final_result () {
fi
}
set -e
pgmname=`basename $0`
clean_homedir () {
[ -f pubring.kbx ] && rm pubring.kbx
if [ -d private-keys-v1.d ]; then
rm private-keys-v1.d/* 2>/dev/null || true
rmdir private-keys-v1.d
fi
}
start_test () {
section="$1"
description="$2"
test_status=none
echo "BEGIN TEST $section ($description)" >&2
}
end_test () {
case "$test_status" in
none) skip "($description) - test not implemented";;
pass) pass "($description)";;
fail) fail "($description)";;
setup) fail "($description) - setup failed";;
ns) skip "($description) - not supported";;
nys) skip "($description) - not yet supported";;
*) unresolved "$(description)";;
esac
echo "END TEST $section" >&2
}
set_status () {
if [ "$test_status" = "none" ]; then
test_status=$1
fi
}
need_cert () {
if [ "$2" = "--import-anyway" ]; then
if ! ${GPGSM} -q --debug-no-chain-validation --import certs/$1.crt
then
set_status setup
fi
else
if ! ${GPGSM} -q --import certs/$1.crt; then
set_status setup
fi
fi
}
need_crl () {
# CRL are not yet implemented
#set_status setup
:
}
set -e
pass_count=0
fail_count=0
skip_count=0
unresolved_count=0
unsupported_count=0
first_section_set=""
section_out=""
test_status=none
# User settable variables
section=""
description=""
#trap cleanup SIGHUP SIGINT SIGQUIT
exec 2> ${pgmname}.log
[ -z "$debug" ] && exec 2> ${pgmname}.log
:
# end

4
tests/pkits/import-all-certs
View File

@ -36,7 +36,7 @@ while read flag dummy section name; do
elif [ "$flag" = '?' ]; then
unresolved "importing certificate \`$name' succeeded"
elif [ "$flag" = 'u' ]; then
unsupported "importing certificate \`$name' succeeded"
skip "importing certificate \`$name' succeeded"
else
info "importing certificate \`$name' succeeded - (flag=$flag)"
fi
@ -48,7 +48,7 @@ while read flag dummy section name; do
elif [ "$flag" = '?' ]; then
unresolved "importing certificate \`$name' failed"
elif [ "$flag" = 'u' ]; then
unsupported "importing certificate \`$name' failed"
skip "importing certificate \`$name' failed"
else
info "importing certificate \`$name' failed - (flag=$flag)"
fi

6
tests/pkits/import-all-certs.data
View File

@ -28,7 +28,7 @@ p p 6.1.5.83 BasicSelfIssuedOldKeyNewWithOldCACert.crt
p p 6.1.5.218 CPSPointerQualifierTest20EE.crt
u u 6.1.5.572 DSACACert.crt
p u 6.1.5.572 DSACACert.crt
u u 6.1.5.575 DSAParametersInheritedCACert.crt
p p 6.1.5.210 DifferentPoliciesTest12EE.crt
@ -81,9 +81,9 @@ p f 6.1.5.392 InvalidDNnameConstraintsTest7EE.crt
p f 6.1.5.395 InvalidDNnameConstraintsTest8EE.crt
p f 6.1.5.396 InvalidDNnameConstraintsTest9EE.crt
u u 6.1.5.578 InvalidDSASignatureTest6EE.crt
p u 6.1.5.578 InvalidDSASignatureTest6EE.crt
f f 6.1.5.9 InvalidEESignatureTest3EE.crt
p f 6.1.5.9 InvalidEESignatureTest3EE.crt
p f 6.1.5.19 InvalidEEnotAfterDateTest6EE.crt
p f 6.1.5.13 InvalidEEnotBeforeDateTest2EE.crt

11
tests/pkits/inittests
View File

@ -80,6 +80,17 @@ agent-program ../../agent/gpg-agent
no-common-certs-import
EOF
# The set of NIST test policies which should be used if anyPolicy is
# not supported.
cat > policies.txt <<EOF
2.16.840.1.101.3.2.1.48.1
2.16.840.1.101.3.2.1.48.2
2.16.840.1.101.3.2.1.48.3
2.16.840.1.101.3.2.1.48.4
2.16.840.1.101.3.2.1.48.5
2.16.840.1.101.3.2.1.48.6
EOF
# Fixme: we need to write a dummy pinentry program
cat > gpg-agent.conf <<EOF
no-grab

3
tests/pkits/key-usage
View File

@ -25,7 +25,4 @@ info "Running $description tests"
final_result

136
tests/pkits/signature-verification
View File

@ -24,8 +24,144 @@ description="Signature Verification"
info "Running $description tests"
start_test 4.1.1 "Valid Signatures Test1"
# The purpose of this test is to verify an application's ability to
# name chain, signature chain, and check validity dates, on
# certificates in a certification path. It also tests processing of
# the basic constraints and key usage extensions in intermediate
# certificates.
clean_homedir
need_cert TrustAnchorRootCertificate
need_crl TrustAnchorRootCRL
need_cert GoodCACert
need_crl GoodCACRL
need_cert ValidCertificatePathTest1EE
if $GPGSM --with-colons --with-validation --list-key 0x126B7002 >$SCRATCH; then
tmp=$($AWK -F: '$1 == "crt" {any=1; print $2};
END {if(!any) print "error"}' $SCRATCH)
[ -n "$tmp" ] && set_status fail
else
set_status fail
fi
if [ "$test_status" = "none" ]; then
if sed '1,/^.$/d' smime/SignedValidSignaturesTest1.eml \
| $GPGSM --verify --assume-base64 --status-fd 1 \
| grep TRUST_FULLY >/dev/null; then
set_status pass
else
set_status fail
fi
fi
end_test
start_test 4.1.2 "Invalid CA Signatures Test2"
# The purpose of this test is to verify an application's ability to
# recognize an invalid signature on an intermediate certificate in a
# certification path.
clean_homedir
need_cert TrustAnchorRootCertificate
need_crl TrustAnchorRootCRL
need_cert BadSignedCACert --import-anyway
need_crl BadSignedCACRL
need_cert InvalidCASignatureTest2EE --import-anyway
if $GPGSM --with-colons --with-validation --list-key 0xD667FE3C >$SCRATCH; then
tmp=$($AWK -F: '$1 == "crt" {any=1; print $2};
END {if(!any) print "error"}' $SCRATCH)
[ "$tmp" = "i" ] || set_status fail
else
set_status fail
fi
if [ "$test_status" = "none" ]; then
if sed '1,/^.$/d' smime/SignedInvalidCASignatureTest2.eml \
| $GPGSM --verify --assume-base64 --status-fd 1 \
| grep TRUST_NEVER >/dev/null; then
set_status pass
else
set_status fail
fi
fi
end_test
start_test 4.1.3 "Invalid EE Signature Test3"
# The purpose of this test is to verify an application's ability to
# recognize an invalid signature on an end entity certificate in a
# certification path.
clean_homedir
need_cert TrustAnchorRootCertificate
need_crl TrustAnchorRootCRL
need_cert GoodCACert
need_crl GoodCACRL
need_cert InvalidEESignatureTest3EE --import-anyway
if $GPGSM --with-colons --with-validation --list-key 0x42E1AEE3 >$SCRATCH; then
tmp=$($AWK -F: '$1 == "crt" {any=1; print $2};
END {if(!any) print "error"}' $SCRATCH)
[ "$tmp" = "i" ] || set_status fail
else
set_status fail
fi
if [ "$test_status" = "none" ]; then
if sed '1,/^.$/d' smime/SignedInvalidEESignatureTest3.eml \
| $GPGSM --verify --assume-base64 --status-fd 1 \
| grep TRUST_NEVER >/dev/null; then
set_status pass
else
set_status fail
fi
fi
end_test
start_test 4.1.4 "Valid DSA Signatures Test4"
# The purpose of this test is to verify an application's ability to
# validate certificate in which DSA signatures are used. The
# intermediate CA and the end entity have DSA key pairs.
clean_homedir
need_cert TrustAnchorRootCertificate
need_crl TrustAnchorRootCRL
need_cert DSACACert
need_crl DSACACRL
need_cert ValidDSASignaturesTest4EE
if $GPGSM --with-colons --with-validation --list-key 0x820A72B8 >$SCRATCH; then
tmp=$($AWK -F: '$1 == "crt" {any=1; print $2};
END {if(!any) print "error"}' $SCRATCH)
[ -n "$tmp" ] && set_status fail
else
set_status fail
fi
if [ "$test_status" = "none" ]; then
# Note: This S/MIME file uses LF and not CR,LF. */
if sed '1,/^$/d' smime/SignedValidDSASignaturesTest4.eml \
| $GPGSM --verify --assume-base64 --status-fd 1 \
| grep TRUST_FULLY >/dev/null; then
set_status pass
else
set_status fail
fi
fi
end_test
start_test 4.1.5 "Valid DSA Parameter Inheritance Test5"
# The purpose of this test is to verify an application's ability to
# validate DSA signatures when the DSA parameters are not included in
# a certificate and need to be inherited from a previous certificate
# in the path. The intermediate CAs and the end entity have DSA key
# pairs.
set_status nys
end_test
start_test 4.1.6 "Invalid DSA Signature Test6"
# The purpose of this test is to verify an application's ability to
# determine when a DSA signature is invalid. The intermediate CA and
# the end entity have DSA key pairs.
set_status nys
end_test
final_result

4
tests/pkits/validate-all-certs
View File

@ -37,7 +37,7 @@ while read dummy flag section name; do
elif [ "$flag" = '?' ]; then
unresolved "validating certificate \`$name' succeeded"
elif [ "$flag" = 'u' ]; then
unsupported "validating certificate \`$name' succeeded"
skip "validating certificate \`$name' succeeded"
else
info "validating certificate \`$name' succeeded - (flag=$flag)"
fi
@ -49,7 +49,7 @@ while read dummy flag section name; do
elif [ "$flag" = '?' ]; then
unresolved "validating certificate \`$name' failed"
elif [ "$flag" = 'u' ]; then
unsupported "validating certificate \`$name' failed"
skip "validating certificate \`$name' failed"
else
info "validating certificate \`$name' failed - (flag=$flag)"
fi

187
tests/pkits/validity-periods
View File

@ -23,8 +23,195 @@ section=4.2
description="Validity Periods"
info "Running $description tests"
start_test 4.2.1 "Invalid CA notBefore Date Test1"
# In this test, the intermediate certificate's notBefore date is after
# the current date.
clean_homedir
need_cert TrustAnchorRootCertificate
need_crl TrustAnchorRootCRL
need_cert BadnotBeforeDateCACert
need_crl BadnotBeforeDateCACRL
need_cert InvalidCAnotBeforeDateTest1EE
if $GPGSM --faked-system-time $MYTIME \
--with-colons --with-validation --list-key 0x459ADD33 >$SCRATCH; then
tmp=$($AWK -F: '$1 == "crt" {any=1; print $2};
END {if(!any) print "error"}' $SCRATCH)
[ "$tmp" = "i" ] || set_status fail
else
set_status fail
fi
if [ "$test_status" = "none" ]; then
if sed '1,/^.$/d' smime/SignedInvalidCAnotBeforeDateTest1.eml \
| $GPGSM --faked-system-time $MYTIME \
--verify --assume-base64 --status-fd 1 --logger-fd 1 \
| tee $SCRATCH \
| grep TRUST_UNDEFINED >/dev/null; then
if grep 'intermediate certificate not yet valid' $SCRATCH >/dev/null \
&& grep 'invalid certification chain: Certificate too young' \
$SCRATCH >/dev/null
then
set_status pass
fi
fi
set_status fail
fi
end_test
start_test 4.2.2 "Invalid EE notBefore Date Test2"
# In this test, the end entity certificate's notBefore date is after
# the current date.
# Procedure: Validate Invalid EE notBefore Date Test2 EE using the
# default settings or open and verify Signed Test Message 6.2.2.5
# using the default settings.
# Expected Result: The path should not validate successfully as the
# notBefore date in the end entity certificate is after the current
# date.
# Certification Path: The certification path is composed of the
# following objects: Trust Anchor Root Certificate, Trust Anchor
# Root CRL Good CA Cert, Good CA CRL Invalid EE notBefore Date
# Test2 EE
end_test
start_test 4.2.3 "Valid pre2000 UTC notBefore Date Test3"
# In this test, the end entity certificate's notBefore date is set to
# 1950 and is encoded in UTCTime.
#
# Procedure: Validate Valid pre2000 UTC notBefore Date Test3 EE
# using the default settings or open and
# verify Signed Test Message 6.2.2.6 using
# the default settings.
#
# Expected Result: The path should validate successfully as the
# notBefore date in the end entity
# certificate is before the current date.
#
# Certification Path: The certification path is composed of the
# following objects: Trust Anchor Root Certificate,
# Trust Anchor Root CRL Good CA Cert, Good CA CRL Valid
# pre2000 UTC notBefore Date Test3 EE
#
end_test
start_test 4.2.4 "Valid GeneralizedTime notBefore Date Test4"
# In this test, the end entity certificate's notBefore date is
# specified in GeneralizedTime.
#
# Procedure: Validate Valid GeneralizedTime notBefore Date Test4 EE
# using the default settings or open and
# verify Signed Test Message 6.2.2.7 using
# the default settings.
#
# Expected Result: The path should validate successfully.
#
# Certification Path:
# The certification path is composed of the following objects:
# Trust Anchor Root Certificate, Trust Anchor Root CRL
# Good CA Cert, Good CA CRL
# Valid GeneralizedTime notBefore Date Test4 EE
#
end_test
start_test 4.2.5 "Invalid CA notAfter Date Test5"
# In this test, the intermediate certificate's notAfter date is before
# the current date.
# Procedure: Validate Invalid CA notAfter Date Test5 EE using the
# default settings or open and verify
# Signed Test Message 6.2.2.8 using the
# default settings.
#
# Expected Result: The path should not validate successfully as the
# notAfter date in the intermediate
# certificate is before the current date.
#
# Certification Path: The certification path is composed of the
# following objects:
#
# Trust Anchor Root Certificate, Trust Anchor Root CRL
# Bad notAfter Date CA Cert, Bad notAfter Date CA CRL
# Invalid CA notAfter Date Test5 EE
#
end_test
start_test 4.2.6 "Invalid EE notAfter Date Test6"
# In this test, the end entity certificate's notAfter date is before
# the current date.
# Procedure: Validate Invalid EE notAfter Date Test6 EE using the
# default settings or open and verify
# Signed Test Message 6.2.2.9 using the
# default settings.
#
# Expected Result: The path should not validate successfully as the
# notAfter date in the end certificate is
# before the current date.
#
# Certification Path: The certification path is composed of the
# following objects:
# Trust Anchor Root Certificate, Trust Anchor Root CRL
# Good CA Cert, Good CA CRL
# Invalid EE notAfter Date Test6 EE
end_test
start_test 4.2.7 "Invalid pre2000 UTC EE notAfter Date Test7"
# In this test, the end entity certificate's notAfter date is 1999 and
# is encoded in UTCTime.
# Procedure: Validate Invalid pre2000 UTC EE notAfter Date Test7 EE
# using the default settings or open and
# verify Signed Test Message 6.2.2.10 using
# the default settings.
#
# Expected Result: The path should not validate successfully as the
# notAfter date in the end certificate is
# before the current date.
#
#
# Certification Path: The certification path is composed of the
# following objects:
#
# Trust Anchor Root Certificate, Trust Anchor Root CRL
# Good CA Cert, Good CA CRL
# Invalid pre2000 UTC EE notAfter Date Test7 EE
end_test
start_test 4.2.8 "Valid GeneralizedTime notAfter Date Test8"
# In this test, the end entity certificate's notAfter date is 2050 and
# is encoded in GeneralizedTime.
# Procedure: Validate Valid GeneralizedTime notAfter Date Test8 EE
# using the default settings or open and
# verify Signed Test Message 6.2.2.11 using
# the default settings.
#
# Expected Result: The path should validate successfully as the
# notAfter date in the end certificate is
# after the current date.
#
#
# Trust Anchor Root Certificate, Trust Anchor Root CRL
# Good CA Cert, Good CA CRL
# Valid GeneralizedTime notAfter Date Test8 EE
end_test