diff --git a/TODO b/TODO index 630e832b8..95a89dba3 100644 --- a/TODO +++ b/TODO @@ -23,7 +23,6 @@ ** mark all unimplemented commands and options. ** Implement --default-key ** support the anyPolicy semantic -** Check that we are really following the verification procedures in rfc3280. * sm/keydb.c @@ -75,7 +74,7 @@ ** No card status notifications. ** Regex support is disabled We need to adjust the test to find the regex we have anyway in - gpg4in. Is that regex compatible to the OpenPGP requirement? + gpg4win. Is that regex compatible to the OpenPGP requirement? * sm/ @@ -137,4 +136,3 @@ gpg-agent's default locale (e.g. by the command updatestartuptty). - diff --git a/jnlib/ChangeLog b/jnlib/ChangeLog index 0dc15daae..9838409c6 100644 --- a/jnlib/ChangeLog +++ b/jnlib/ChangeLog @@ -1,3 +1,7 @@ +2008-02-22 Werner Koch + + * argparse.c (strusage): Set copyright year to 2008. + 2007-11-19 Werner Koch * stringhelp.c (percent_escape): Factor code out to diff --git a/jnlib/argparse.c b/jnlib/argparse.c index 3104db40e..f9958cb89 100644 --- a/jnlib/argparse.c +++ b/jnlib/argparse.c @@ -1,6 +1,6 @@ /* [argparse.c wk 17.06.97] Argument Parser for option handling * Copyright (C) 1998, 1999, 2000, 2001, 2006 - * 2007 Free Software Foundation, Inc. + * 2007, 2008 Free Software Foundation, Inc. * * This file is part of JNLIB. * @@ -946,7 +946,7 @@ strusage( int level ) break; case 11: p = "foo"; break; case 13: p = "0.0"; break; - case 14: p = "Copyright (C) 2007 Free Software Foundation, Inc."; break; + case 14: p = "Copyright (C) 2008 Free Software Foundation, Inc."; break; case 15: p = "This is free software: you are free to change and redistribute it.\n" "There is NO WARRANTY, to the extent permitted by law.\n"; diff --git a/tests/pkits/Makefile.am b/tests/pkits/Makefile.am index c78d78617..d28ab8914 100644 --- a/tests/pkits/Makefile.am +++ b/tests/pkits/Makefile.am 
@@ -48,7 +48,7 @@ EXTRA_DIST = inittests runtest common.sh $(testscripts) TESTS = $(testscripts) -CLEANFILES = inittests.stamp x y y z out err *.lock .\#lk* *.log +CLEANFILES = inittests.stamp scratch.*.tmp x y z out err *.lock .\#lk* *.log DISTCLEANFILES = pubring.kbx~ random_seed @@ -62,11 +62,14 @@ inittests.stamp: inittests echo timestamp >./inittests.stamp -run-all-tests: +run-all-tests: inittests.stamp @set -e; \ GNUPGHOME=`pwd`; export GNUPGHOME;\ unset GPG_AGENT_INFO; \ - for test in $(testscripts); do \ - ./$${test} && true; \ + for tst in $(testscripts); do \ + if ./$${tst}; then : ; \ + elif test $$? -eq 77; then echo "- SKIP $$tst"; \ + fi; \ done + diff --git a/tests/pkits/common.sh b/tests/pkits/common.sh index ecf484419..e78456730 100644 --- a/tests/pkits/common.sh +++ b/tests/pkits/common.sh @@ -17,17 +17,31 @@ # along with this program; if not, see . # reset some environment variables because we do not want to test locals -export LANG=C -export LANGUAGE=C -export LC_ALL=C +LANG=C +LANGUAGE=C +LC_ALL=C +export LANG LANGUAGE LC_ALL +pgmname=`basename $0` -[ "$VERBOSE" = yes ] && set -x +if [ "$1" = "--debug" ]; then + debug=yes + set -x +else + debug= +fi [ -z "$srcdir" ] && srcdir="." [ -z "$top_srcdir" ] && top_srcdir=".." [ -z "$GPGSM" ] && GPGSM="../../sm/gpgsm" [ -z "$silent" ] && silent=no +AWK=awk +SCRATCH="scratch.$$.tmp" + +# We use this as the faked system time for certain tests. +MYTIME="20080508T120000" + + if [ "$GNUPGHOME" != "`pwd`" ]; then echo "inittests: please set GNUPGHOME to the tests/pkits directory" >&2 exit 1 
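Review bot: A test script that exits with a status other than 0 or 77 falls through the `if`/`elif` in the `run-all-tests` loop with no action, so the target still succeeds when a PKITS check fails. For a suite that exercises certificate path validation, a failing script should fail the target: set `failed=` before the loop, add `else failed=yes; \` ahead of `fi; \`, and finish with `test -z "$$failed"` after `done`. Whether the scripts return non-zero on a failed test is not visible here, so confirm that `final_result` sets the exit status.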
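Review bot: The new `--debug` switch has no comment where it is parsed, although later hunks make it also keep stderr on the terminal and keep the scratch file. A line such as `# --debug as first argument: trace with set -x, leave stderr on the terminal, keep $SCRATCH` above the `if` would document that. In the same hunk, `` pgmname=`basename $0` `` should quote its argument, `` pgmname=`basename "$0"` ``, so an invocation path containing spaces is not split.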
@@ -41,7 +55,14 @@ fi if [ -f PKITS_data.tar.bz2 ]; then : else - # Exit code 77 is used by the makefile for skipping a tests. + if [ "$pgmname" = "import-all-certs" ]; then + if [ "$silent" = "yes" ]; then tmp1="Note: "; tmp2=' ' + else tmp1="- ____ "; tmp2="$tmp1" + fi + echo "${tmp1}PKITS_data.tar.bz2 is not installed" + echo "${tmp2}All tests will be skipped (this is not an error)" + fi + # Exit code 77 is used by the Makefile for skipping a tests. exit 77 fi @@ -115,7 +136,9 @@ pass () { pass_count=`expr ${pass_count} + 1` if [ "$silent" != "yes" ]; then echo_n "$section_out PASS" - [ -n "$description" ] && echo_n " ($description)" + if [ -n "$1" ]; then echo_n " $1" + elif [ -n "$description" ]; then echo_n " ($description)" + fi echo fi } @@ -126,7 +149,22 @@ fail () { fail_count=`expr ${fail_count} + 1` if [ "$silent" != "yes" ]; then echo_n "$section_out FAIL" - [ -n "$description" ] && echo_n " ($description)" + if [ -n "$1" ]; then echo_n " $1" + elif [ -n "$description" ]; then echo_n " ($description)" + fi + echo + fi +} + +skip () { + setup_output + echo "SKIP: " $* >&2 + skip_count=`expr ${skip_count} + 1` + if [ "$silent" != "yes" ]; then + echo_n "$section_out SKIP" + if [ -n "$1" ]; then echo_n " $1" + elif [ -n "$description" ]; then echo_n " ($description)" + fi echo fi } @@ -137,18 +175,9 @@ unresolved () { unresolved_count=`expr ${unresolved_count} + 1` if [ "$silent" != "yes" ]; then echo_n "$section_out UNRESOLVED" - [ -n "$description" ] && echo_n " ($description)" - echo - fi -} - -unsupported () { - setup_output - echo "UNSUPPORTED: " $* >&2 - unsupported_count=`expr ${unsupported_count} + 1` - if [ "$silent" != "yes" ]; then - echo_n "$section_out UNSUPPORTED" - [ -n "$description" ] && echo_n " ($description)" + if [ -n "$1" ]; then echo_n " $1" + elif [ -n "$description" ]; then echo_n " ($description)" + fi echo fi } 
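Review bot: In the new `skip` helper, `echo "SKIP: " $* >&2` expands `$*` unquoted, so the message is word-split and any `*`, `?` or `[` in a description is globbed against the test directory before it reaches the log. `echo "SKIP:  $*" >&2` keeps the message as passed. The removed `unsupported` helper in the next hunk has the same form, so the other result helpers probably share it; their `echo` lines are outside this hunk.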
@@ -158,8 +187,9 @@ final_result () { section=$first_section_set [ $pass_count = 0 ] || info "$pass_count tests passed" [ $fail_count = 0 ] || info "$fail_count tests failed" + [ $skip_count = 0 ] || info "$unsupported_count tests skipped" [ $unresolved_count = 0 ] || info "$unresolved_count tests unresolved" - [ $unsupported_count = 0 ] || info "$unsupported_count tests unsupported" + [ -z "$debug" -a -f "$SCRATCH" ] && rm "$SCRATCH" if [ $fail_count = 0 ]; then info "all tests passed" else @@ -167,21 +197,79 @@ final_result () { fi } -set -e -pgmname=`basename $0` +clean_homedir () { + [ -f pubring.kbx ] && rm pubring.kbx + if [ -d private-keys-v1.d ]; then + rm private-keys-v1.d/* 2>/dev/null || true + rmdir private-keys-v1.d + fi +} + +start_test () { + section="$1" + description="$2" + test_status=none + echo "BEGIN TEST $section ($description)" >&2 +} + +end_test () { + case "$test_status" in + none) skip "($description) - test not implemented";; + pass) pass "($description)";; + fail) fail "($description)";; + setup) fail "($description) - setup failed";; + ns) skip "($description) - not supported";; + nys) skip "($description) - not yet supported";; + *) unresolved "$(description)";; + esac + echo "END TEST $section" >&2 +} + +set_status () { + if [ "$test_status" = "none" ]; then + test_status=$1 + fi +} + +need_cert () { + if [ "$2" = "--import-anyway" ]; then + if ! ${GPGSM} -q --debug-no-chain-validation --import certs/$1.crt + then + set_status setup + fi + else + if ! ${GPGSM} -q --import certs/$1.crt; then + set_status setup + fi + fi +} + +need_crl () { + # CRL are not yet implemented + #set_status setup + : +} + + + +set -e pass_count=0 fail_count=0 +skip_count=0 unresolved_count=0 -unsupported_count=0 first_section_set="" section_out="" +test_status=none + +# User settable variables section="" description="" + #trap cleanup SIGHUP SIGINT SIGQUIT -exec 2> ${pgmname}.log +[ -z "$debug" ] && exec 2> ${pgmname}.log : # end 
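Review bot: The added summary line tests `$skip_count` but prints `$unsupported_count`, a variable this commit stops initialising (`unsupported_count=0` is removed further down), so the skipped total is printed empty. It should read `[ $skip_count = 0 ] || info "$skip_count tests skipped"`. The body of `final_result` starts and ends outside the hunk.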
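Review bot: In `end_test`, the fallback arm `*) unresolved "$(description)";;` is a command substitution, not a variable expansion, so it tries to run a command named `description` and passes an empty argument; it should be `*) unresolved "($description)";;` like the other arms. `need_crl` is a no-op, so every test built on these helpers runs without the CRLs that the test descriptions list. A comment on `need_crl` stating that passing results do not yet cover revocation checking would keep the results from being over-read. `certs/$1.crt` in `need_cert` should be quoted as `"certs/$1.crt"`.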
diff --git a/tests/pkits/import-all-certs b/tests/pkits/import-all-certs index 8144d97be..51f3253c9 100755 --- a/tests/pkits/import-all-certs +++ b/tests/pkits/import-all-certs @@ -36,7 +36,7 @@ while read flag dummy section name; do elif [ "$flag" = '?' ]; then unresolved "importing certificate \`$name' succeeded" elif [ "$flag" = 'u' ]; then - unsupported "importing certificate \`$name' succeeded" + skip "importing certificate \`$name' succeeded" else info "importing certificate \`$name' succeeded - (flag=$flag)" fi @@ -48,7 +48,7 @@ while read flag dummy section name; do elif [ "$flag" = '?' ]; then unresolved "importing certificate \`$name' failed" elif [ "$flag" = 'u' ]; then - unsupported "importing certificate \`$name' failed" + skip "importing certificate \`$name' failed" else info "importing certificate \`$name' failed - (flag=$flag)" fi diff --git a/tests/pkits/import-all-certs.data b/tests/pkits/import-all-certs.data index 597dbc0f9..e91b9f108 100644 --- a/tests/pkits/import-all-certs.data +++ b/tests/pkits/import-all-certs.data @@ -28,7 +28,7 @@ p p 6.1.5.83 BasicSelfIssuedOldKeyNewWithOldCACert.crt p p 6.1.5.218 CPSPointerQualifierTest20EE.crt -u u 6.1.5.572 DSACACert.crt +p u 6.1.5.572 DSACACert.crt u u 6.1.5.575 DSAParametersInheritedCACert.crt p p 6.1.5.210 DifferentPoliciesTest12EE.crt @@ -81,9 +81,9 @@ p f 6.1.5.392 InvalidDNnameConstraintsTest7EE.crt p f 6.1.5.395 InvalidDNnameConstraintsTest8EE.crt p f 6.1.5.396 InvalidDNnameConstraintsTest9EE.crt -u u 6.1.5.578 InvalidDSASignatureTest6EE.crt +p u 6.1.5.578 InvalidDSASignatureTest6EE.crt -f f 6.1.5.9 InvalidEESignatureTest3EE.crt +p f 6.1.5.9 InvalidEESignatureTest3EE.crt p f 6.1.5.19 InvalidEEnotAfterDateTest6EE.crt p f 6.1.5.13 InvalidEEnotBeforeDateTest2EE.crt diff --git a/tests/pkits/inittests b/tests/pkits/inittests index 71041c06b..ec3e6d8cc 100755 --- a/tests/pkits/inittests +++ b/tests/pkits/inittests 
@@ -80,6 +80,17 @@ agent-program ../../agent/gpg-agent no-common-certs-import EOF +# The set of NIST test policies which should be used if anyPolicy is +# not supported. +cat > policies.txt < gpg-agent.conf <$SCRATCH; then + tmp=$($AWK -F: '$1 == "crt" {any=1; print $2}; + END {if(!any) print "error"}' $SCRATCH) + [ -n "$tmp" ] && set_status fail +else + set_status fail +fi +if [ "$test_status" = "none" ]; then + if sed '1,/^.$/d' smime/SignedValidSignaturesTest1.eml \ + | $GPGSM --verify --assume-base64 --status-fd 1 \ + | grep TRUST_FULLY >/dev/null; then + set_status pass + else + set_status fail + fi +fi +end_test +start_test 4.1.2 "Invalid CA Signatures Test2" +# The purpose of this test is to verify an application's ability to +# recognize an invalid signature on an intermediate certificate in a +# certification path. +clean_homedir +need_cert TrustAnchorRootCertificate +need_crl TrustAnchorRootCRL +need_cert BadSignedCACert --import-anyway +need_crl BadSignedCACRL +need_cert InvalidCASignatureTest2EE --import-anyway +if $GPGSM --with-colons --with-validation --list-key 0xD667FE3C >$SCRATCH; then + tmp=$($AWK -F: '$1 == "crt" {any=1; print $2}; + END {if(!any) print "error"}' $SCRATCH) + [ "$tmp" = "i" ] || set_status fail +else + set_status fail +fi +if [ "$test_status" = "none" ]; then + if sed '1,/^.$/d' smime/SignedInvalidCASignatureTest2.eml \ + | $GPGSM --verify --assume-base64 --status-fd 1 \ + | grep TRUST_NEVER >/dev/null; then + set_status pass + else + set_status fail + fi +fi +end_test + + + +start_test 4.1.3 "Invalid EE Signature Test3" +# The purpose of this test is to verify an application's ability to +# recognize an invalid signature on an end entity certificate in a +# certification path. 
+clean_homedir +need_cert TrustAnchorRootCertificate +need_crl TrustAnchorRootCRL +need_cert GoodCACert +need_crl GoodCACRL +need_cert InvalidEESignatureTest3EE --import-anyway +if $GPGSM --with-colons --with-validation --list-key 0x42E1AEE3 >$SCRATCH; then + tmp=$($AWK -F: '$1 == "crt" {any=1; print $2}; + END {if(!any) print "error"}' $SCRATCH) + [ "$tmp" = "i" ] || set_status fail +else + set_status fail +fi +if [ "$test_status" = "none" ]; then + if sed '1,/^.$/d' smime/SignedInvalidEESignatureTest3.eml \ + | $GPGSM --verify --assume-base64 --status-fd 1 \ + | grep TRUST_NEVER >/dev/null; then + set_status pass + else + set_status fail + fi +fi +end_test + + +start_test 4.1.4 "Valid DSA Signatures Test4" +# The purpose of this test is to verify an application's ability to +# validate certificate in which DSA signatures are used. The +# intermediate CA and the end entity have DSA key pairs. +clean_homedir +need_cert TrustAnchorRootCertificate +need_crl TrustAnchorRootCRL +need_cert DSACACert +need_crl DSACACRL +need_cert ValidDSASignaturesTest4EE +if $GPGSM --with-colons --with-validation --list-key 0x820A72B8 >$SCRATCH; then + tmp=$($AWK -F: '$1 == "crt" {any=1; print $2}; + END {if(!any) print "error"}' $SCRATCH) + [ -n "$tmp" ] && set_status fail +else + set_status fail +fi +if [ "$test_status" = "none" ]; then + # Note: This S/MIME file uses LF and not CR,LF. */ + if sed '1,/^$/d' smime/SignedValidDSASignaturesTest4.eml \ + | $GPGSM --verify --assume-base64 --status-fd 1 \ + | grep TRUST_FULLY >/dev/null; then + set_status pass + else + set_status fail + fi +fi +end_test + + +start_test 4.1.5 "Valid DSA Parameter Inheritance Test5" +# The purpose of this test is to verify an application's ability to +# validate DSA signatures when the DSA parameters are not included in +# a certificate and need to be inherited from a previous certificate +# in the path. The intermediate CAs and the end entity have DSA key +# pairs. 
+set_status nys +end_test + + +start_test 4.1.6 "Invalid DSA Signature Test6" +# The purpose of this test is to verify an application's ability to +# determine when a DSA signature is invalid. The intermediate CA and +# the end entity have DSA key pairs. +set_status nys +end_test + + final_result diff --git a/tests/pkits/validate-all-certs b/tests/pkits/validate-all-certs index 1c1856c49..b9da579f0 100755 --- a/tests/pkits/validate-all-certs +++ b/tests/pkits/validate-all-certs @@ -37,7 +37,7 @@ while read dummy flag section name; do elif [ "$flag" = '?' ]; then unresolved "validating certificate \`$name' succeeded" elif [ "$flag" = 'u' ]; then - unsupported "validating certificate \`$name' succeeded" + skip "validating certificate \`$name' succeeded" else info "validating certificate \`$name' succeeded - (flag=$flag)" fi @@ -49,7 +49,7 @@ while read dummy flag section name; do elif [ "$flag" = '?' ]; then unresolved "validating certificate \`$name' failed" elif [ "$flag" = 'u' ]; then - unsupported "validating certificate \`$name' failed" + skip "validating certificate \`$name' failed" else info "validating certificate \`$name' failed - (flag=$flag)" fi diff --git a/tests/pkits/validity-periods b/tests/pkits/validity-periods index df747533c..90f17644e 100644 --- a/tests/pkits/validity-periods +++ b/tests/pkits/validity-periods 
@@ -23,8 +23,195 @@ section=4.2 description="Validity Periods" info "Running $description tests" +start_test 4.2.1 "Invalid CA notBefore Date Test1" +# In this test, the intermediate certificate's notBefore date is after +# the current date. +clean_homedir +need_cert TrustAnchorRootCertificate +need_crl TrustAnchorRootCRL +need_cert BadnotBeforeDateCACert +need_crl BadnotBeforeDateCACRL +need_cert InvalidCAnotBeforeDateTest1EE +if $GPGSM --faked-system-time $MYTIME \ + --with-colons --with-validation --list-key 0x459ADD33 >$SCRATCH; then + tmp=$($AWK -F: '$1 == "crt" {any=1; print $2}; + END {if(!any) print "error"}' $SCRATCH) + [ "$tmp" = "i" ] || set_status fail +else + set_status fail +fi +if [ "$test_status" = "none" ]; then + if sed '1,/^.$/d' smime/SignedInvalidCAnotBeforeDateTest1.eml \ + | $GPGSM --faked-system-time $MYTIME \ + --verify --assume-base64 --status-fd 1 --logger-fd 1 \ + | tee $SCRATCH \ + | grep TRUST_UNDEFINED >/dev/null; then + if grep 'intermediate certificate not yet valid' $SCRATCH >/dev/null \ + && grep 'invalid certification chain: Certificate too young' \ + $SCRATCH >/dev/null + then + set_status pass + fi + fi + set_status fail +fi +end_test +start_test 4.2.2 "Invalid EE notBefore Date Test2" +# In this test, the end entity certificate's notBefore date is after +# the current date. + +# Procedure: Validate Invalid EE notBefore Date Test2 EE using the +# default settings or open and verify Signed Test Message 6.2.2.5 +# using the default settings. + +# Expected Result: The path should not validate successfully as the +# notBefore date in the end entity certificate is after the current +# date. 
+ +# Certification Path: The certification path is composed of the +# following objects: Trust Anchor Root Certificate, Trust Anchor +# Root CRL Good CA Cert, Good CA CRL Invalid EE notBefore Date +# Test2 EE + +end_test + + + +start_test 4.2.3 "Valid pre2000 UTC notBefore Date Test3" +# In this test, the end entity certificate's notBefore date is set to +# 1950 and is encoded in UTCTime. +# +# Procedure: Validate Valid pre2000 UTC notBefore Date Test3 EE +# using the default settings or open and +# verify Signed Test Message 6.2.2.6 using +# the default settings. +# +# Expected Result: The path should validate successfully as the +# notBefore date in the end entity +# certificate is before the current date. +# +# Certification Path: The certification path is composed of the +# following objects: Trust Anchor Root Certificate, +# Trust Anchor Root CRL Good CA Cert, Good CA CRL Valid +# pre2000 UTC notBefore Date Test3 EE +# +end_test + + + +start_test 4.2.4 "Valid GeneralizedTime notBefore Date Test4" +# In this test, the end entity certificate's notBefore date is +# specified in GeneralizedTime. +# +# Procedure: Validate Valid GeneralizedTime notBefore Date Test4 EE +# using the default settings or open and +# verify Signed Test Message 6.2.2.7 using +# the default settings. +# +# Expected Result: The path should validate successfully. +# +# Certification Path: +# The certification path is composed of the following objects: +# Trust Anchor Root Certificate, Trust Anchor Root CRL +# Good CA Cert, Good CA CRL +# Valid GeneralizedTime notBefore Date Test4 EE +# +end_test + + + +start_test 4.2.5 "Invalid CA notAfter Date Test5" +# In this test, the intermediate certificate's notAfter date is before +# the current date. + +# Procedure: Validate Invalid CA notAfter Date Test5 EE using the +# default settings or open and verify +# Signed Test Message 6.2.2.8 using the +# default settings. 
+# +# Expected Result: The path should not validate successfully as the +# notAfter date in the intermediate +# certificate is before the current date. +# +# Certification Path: The certification path is composed of the +# following objects: +# +# Trust Anchor Root Certificate, Trust Anchor Root CRL +# Bad notAfter Date CA Cert, Bad notAfter Date CA CRL +# Invalid CA notAfter Date Test5 EE +# +end_test + + +start_test 4.2.6 "Invalid EE notAfter Date Test6" +# In this test, the end entity certificate's notAfter date is before +# the current date. + +# Procedure: Validate Invalid EE notAfter Date Test6 EE using the +# default settings or open and verify +# Signed Test Message 6.2.2.9 using the +# default settings. +# +# Expected Result: The path should not validate successfully as the +# notAfter date in the end certificate is +# before the current date. +# +# Certification Path: The certification path is composed of the +# following objects: +# Trust Anchor Root Certificate, Trust Anchor Root CRL +# Good CA Cert, Good CA CRL +# Invalid EE notAfter Date Test6 EE + +end_test + + +start_test 4.2.7 "Invalid pre2000 UTC EE notAfter Date Test7" +# In this test, the end entity certificate's notAfter date is 1999 and +# is encoded in UTCTime. + +# Procedure: Validate Invalid pre2000 UTC EE notAfter Date Test7 EE +# using the default settings or open and +# verify Signed Test Message 6.2.2.10 using +# the default settings. +# +# Expected Result: The path should not validate successfully as the +# notAfter date in the end certificate is +# before the current date. +# +# +# Certification Path: The certification path is composed of the +# following objects: +# +# Trust Anchor Root Certificate, Trust Anchor Root CRL +# Good CA Cert, Good CA CRL +# Invalid pre2000 UTC EE notAfter Date Test7 EE + +end_test + + + +start_test 4.2.8 "Valid GeneralizedTime notAfter Date Test8" +# In this test, the end entity certificate's notAfter date is 2050 and +# is encoded in GeneralizedTime. 
+ +# Procedure: Validate Valid GeneralizedTime notAfter Date Test8 EE +# using the default settings or open and +# verify Signed Test Message 6.2.2.11 using +# the default settings. +# +# Expected Result: The path should validate successfully as the +# notAfter date in the end certificate is +# after the current date. +# +# +# Trust Anchor Root Certificate, Trust Anchor Root CRL +# Good CA Cert, Good CA CRL +# Valid GeneralizedTime notAfter Date Test8 EE + +end_test +