security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-07-03 22:56:33 +02:00
Code Activity

Add some tests.

Browse source
This commit is contained in:
Werner Koch 2008-02-22 15:47:18 +00:00
parent 898a341f50
commit f5f14d6556
12 changed files with 467 additions and 43 deletions
Download patch file Download diff file Expand all files Collapse all files

11
tests/pkits/Makefile.am
View file

@ -48,7 +48,7 @@ EXTRA_DIST = inittests runtest common.sh $(testscripts)
TESTS = $(testscripts)
CLEANFILES = inittests.stamp x y y z out err *.lock .\#lk* *.log
CLEANFILES = inittests.stamp scratch.*.tmp x y z out err *.lock .\#lk* *.log
DISTCLEANFILES = pubring.kbx~ random_seed
@ -62,11 +62,14 @@ inittests.stamp: inittests
echo timestamp >./inittests.stamp
run-all-tests:
run-all-tests: inittests.stamp
@set -e; \
GNUPGHOME=`pwd`; export GNUPGHOME;\
unset GPG_AGENT_INFO; \
for test in $(testscripts); do \
./$${test} && true; \
for tst in $(testscripts); do \
if ./$${tst}; then : ; \
elif test $$? -eq 77; then echo "- SKIP $$tst"; \
fi; \
done

136
tests/pkits/common.sh
View file

@ -17,17 +17,31 @@
# along with this program; if not, see <http://www.gnu.org/licenses/>.
# reset some environment variables because we do not want to test locals
export LANG=C
export LANGUAGE=C
export LC_ALL=C
LANG=C
LANGUAGE=C
LC_ALL=C
export LANG LANGUAGE LC_ALL
pgmname=`basename $0`
[ "$VERBOSE" = yes ] && set -x
if [ "$1" = "--debug" ]; then
debug=yes
set -x
else
debug=
fi
[ -z "$srcdir" ] && srcdir="."
[ -z "$top_srcdir" ] && top_srcdir=".."
[ -z "$GPGSM" ] && GPGSM="../../sm/gpgsm"
[ -z "$silent" ] && silent=no
AWK=awk
SCRATCH="scratch.$$.tmp"
# We use this as the faked system time for certain tests.
MYTIME="20080508T120000"
if [ "$GNUPGHOME" != "`pwd`" ]; then
echo "inittests: please set GNUPGHOME to the tests/pkits directory" >&2
exit 1
@ -41,7 +55,14 @@ fi
if [ -f PKITS_data.tar.bz2 ]; then
:
else
# Exit code 77 is used by the makefile for skipping a tests.
if [ "$pgmname" = "import-all-certs" ]; then
if [ "$silent" = "yes" ]; then tmp1="Note: "; tmp2=' '
else tmp1="- ____ "; tmp2="$tmp1"
fi
echo "${tmp1}PKITS_data.tar.bz2 is not installed"
echo "${tmp2}All tests will be skipped (this is not an error)"
fi
# Exit code 77 is used by the Makefile for skipping a tests.
exit 77
fi
@ -115,7 +136,9 @@ pass () {
pass_count=`expr ${pass_count} + 1`
if [ "$silent" != "yes" ]; then
echo_n "$section_out PASS"
[ -n "$description" ] && echo_n " ($description)"
if [ -n "$1" ]; then echo_n " $1"
elif [ -n "$description" ]; then echo_n " ($description)"
fi
echo
fi
}
@ -126,7 +149,22 @@ fail () {
fail_count=`expr ${fail_count} + 1`
if [ "$silent" != "yes" ]; then
echo_n "$section_out FAIL"
[ -n "$description" ] && echo_n " ($description)"
if [ -n "$1" ]; then echo_n " $1"
elif [ -n "$description" ]; then echo_n " ($description)"
fi
echo
fi
}
skip () {
setup_output
echo "SKIP: " $* >&2
skip_count=`expr ${skip_count} + 1`
if [ "$silent" != "yes" ]; then
echo_n "$section_out SKIP"
if [ -n "$1" ]; then echo_n " $1"
elif [ -n "$description" ]; then echo_n " ($description)"
fi
echo
fi
}
@ -137,18 +175,9 @@ unresolved () {
unresolved_count=`expr ${unresolved_count} + 1`
if [ "$silent" != "yes" ]; then
echo_n "$section_out UNRESOLVED"
[ -n "$description" ] && echo_n " ($description)"
echo
fi
}
unsupported () {
setup_output
echo "UNSUPPORTED: " $* >&2
unsupported_count=`expr ${unsupported_count} + 1`
if [ "$silent" != "yes" ]; then
echo_n "$section_out UNSUPPORTED"
[ -n "$description" ] && echo_n " ($description)"
if [ -n "$1" ]; then echo_n " $1"
elif [ -n "$description" ]; then echo_n " ($description)"
fi
echo
fi
}
@ -158,8 +187,9 @@ final_result () {
section=$first_section_set
[ $pass_count = 0 ] || info "$pass_count tests passed"
[ $fail_count = 0 ] || info "$fail_count tests failed"
[ $skip_count = 0 ] || info "$unsupported_count tests skipped"
[ $unresolved_count = 0 ] || info "$unresolved_count tests unresolved"
[ $unsupported_count = 0 ] || info "$unsupported_count tests unsupported"
[ -z "$debug" -a -f "$SCRATCH" ] && rm "$SCRATCH"
if [ $fail_count = 0 ]; then
info "all tests passed"
else
@ -167,21 +197,79 @@ final_result () {
fi
}
set -e
pgmname=`basename $0`
clean_homedir () {
[ -f pubring.kbx ] && rm pubring.kbx
if [ -d private-keys-v1.d ]; then
rm private-keys-v1.d/* 2>/dev/null || true
rmdir private-keys-v1.d
fi
}
start_test () {
section="$1"
description="$2"
test_status=none
echo "BEGIN TEST $section ($description)" >&2
}
end_test () {
case "$test_status" in
none) skip "($description) - test not implemented";;
pass) pass "($description)";;
fail) fail "($description)";;
setup) fail "($description) - setup failed";;
ns) skip "($description) - not supported";;
nys) skip "($description) - not yet supported";;
*) unresolved "$(description)";;
esac
echo "END TEST $section" >&2
}
set_status () {
if [ "$test_status" = "none" ]; then
test_status=$1
fi
}
need_cert () {
if [ "$2" = "--import-anyway" ]; then
if ! ${GPGSM} -q --debug-no-chain-validation --import certs/$1.crt
then
set_status setup
fi
else
if ! ${GPGSM} -q --import certs/$1.crt; then
set_status setup
fi
fi
}
need_crl () {
# CRL are not yet implemented
#set_status setup
:
}
set -e
pass_count=0
fail_count=0
skip_count=0
unresolved_count=0
unsupported_count=0
first_section_set=""
section_out=""
test_status=none
# User settable variables
section=""
description=""
#trap cleanup SIGHUP SIGINT SIGQUIT
exec 2> ${pgmname}.log
[ -z "$debug" ] && exec 2> ${pgmname}.log
:
# end

4
tests/pkits/import-all-certs
View file

@ -36,7 +36,7 @@ while read flag dummy section name; do
elif [ "$flag" = '?' ]; then
unresolved "importing certificate \`$name' succeeded"
elif [ "$flag" = 'u' ]; then
unsupported "importing certificate \`$name' succeeded"
skip "importing certificate \`$name' succeeded"
else
info "importing certificate \`$name' succeeded - (flag=$flag)"
fi
@ -48,7 +48,7 @@ while read flag dummy section name; do
elif [ "$flag" = '?' ]; then
unresolved "importing certificate \`$name' failed"
elif [ "$flag" = 'u' ]; then
unsupported "importing certificate \`$name' failed"
skip "importing certificate \`$name' failed"
else
info "importing certificate \`$name' failed - (flag=$flag)"
fi

6
tests/pkits/import-all-certs.data
View file

@ -28,7 +28,7 @@ p p 6.1.5.83 BasicSelfIssuedOldKeyNewWithOldCACert.crt
p p 6.1.5.218 CPSPointerQualifierTest20EE.crt
u u 6.1.5.572 DSACACert.crt
p u 6.1.5.572 DSACACert.crt
u u 6.1.5.575 DSAParametersInheritedCACert.crt
p p 6.1.5.210 DifferentPoliciesTest12EE.crt
@ -81,9 +81,9 @@ p f 6.1.5.392 InvalidDNnameConstraintsTest7EE.crt
p f 6.1.5.395 InvalidDNnameConstraintsTest8EE.crt
p f 6.1.5.396 InvalidDNnameConstraintsTest9EE.crt
u u 6.1.5.578 InvalidDSASignatureTest6EE.crt
p u 6.1.5.578 InvalidDSASignatureTest6EE.crt
f f 6.1.5.9 InvalidEESignatureTest3EE.crt
p f 6.1.5.9 InvalidEESignatureTest3EE.crt
p f 6.1.5.19 InvalidEEnotAfterDateTest6EE.crt
p f 6.1.5.13 InvalidEEnotBeforeDateTest2EE.crt

11
tests/pkits/inittests
View file

@ -80,6 +80,17 @@ agent-program ../../agent/gpg-agent
no-common-certs-import
EOF
# The set of NIST test policies which should be used if anyPolicy is
# not supported.
cat > policies.txt <<EOF
2.16.840.1.101.3.2.1.48.1
2.16.840.1.101.3.2.1.48.2
2.16.840.1.101.3.2.1.48.3
2.16.840.1.101.3.2.1.48.4
2.16.840.1.101.3.2.1.48.5
2.16.840.1.101.3.2.1.48.6
EOF
# Fixme: we need to write a dummy pinentry program
cat > gpg-agent.conf <<EOF
no-grab

3
tests/pkits/key-usage
View file

@ -25,7 +25,4 @@ info "Running $description tests"
final_result

136
tests/pkits/signature-verification
View file

@ -24,8 +24,144 @@ description="Signature Verification"
info "Running $description tests"
start_test 4.1.1 "Valid Signatures Test1"
# The purpose of this test is to verify an application's ability to
# name chain, signature chain, and check validity dates, on
# certificates in a certification path. It also tests processing of
# the basic constraints and key usage extensions in intermediate
# certificates.
clean_homedir
need_cert TrustAnchorRootCertificate
need_crl TrustAnchorRootCRL
need_cert GoodCACert
need_crl GoodCACRL
need_cert ValidCertificatePathTest1EE
if $GPGSM --with-colons --with-validation --list-key 0x126B7002 >$SCRATCH; then
tmp=$($AWK -F: '$1 == "crt" {any=1; print $2};
END {if(!any) print "error"}' $SCRATCH)
[ -n "$tmp" ] && set_status fail
else
set_status fail
fi
if [ "$test_status" = "none" ]; then
if sed '1,/^.$/d' smime/SignedValidSignaturesTest1.eml \
| $GPGSM --verify --assume-base64 --status-fd 1 \
| grep TRUST_FULLY >/dev/null; then
set_status pass
else
set_status fail
fi
fi
end_test
start_test 4.1.2 "Invalid CA Signatures Test2"
# The purpose of this test is to verify an application's ability to
# recognize an invalid signature on an intermediate certificate in a
# certification path.
clean_homedir
need_cert TrustAnchorRootCertificate
need_crl TrustAnchorRootCRL
need_cert BadSignedCACert --import-anyway
need_crl BadSignedCACRL
need_cert InvalidCASignatureTest2EE --import-anyway
if $GPGSM --with-colons --with-validation --list-key 0xD667FE3C >$SCRATCH; then
tmp=$($AWK -F: '$1 == "crt" {any=1; print $2};
END {if(!any) print "error"}' $SCRATCH)
[ "$tmp" = "i" ] || set_status fail
else
set_status fail
fi
if [ "$test_status" = "none" ]; then
if sed '1,/^.$/d' smime/SignedInvalidCASignatureTest2.eml \
| $GPGSM --verify --assume-base64 --status-fd 1 \
| grep TRUST_NEVER >/dev/null; then
set_status pass
else
set_status fail
fi
fi
end_test
start_test 4.1.3 "Invalid EE Signature Test3"
# The purpose of this test is to verify an application's ability to
# recognize an invalid signature on an end entity certificate in a
# certification path.
clean_homedir
need_cert TrustAnchorRootCertificate
need_crl TrustAnchorRootCRL
need_cert GoodCACert
need_crl GoodCACRL
need_cert InvalidEESignatureTest3EE --import-anyway
if $GPGSM --with-colons --with-validation --list-key 0x42E1AEE3 >$SCRATCH; then
tmp=$($AWK -F: '$1 == "crt" {any=1; print $2};
END {if(!any) print "error"}' $SCRATCH)
[ "$tmp" = "i" ] || set_status fail
else
set_status fail
fi
if [ "$test_status" = "none" ]; then
if sed '1,/^.$/d' smime/SignedInvalidEESignatureTest3.eml \
| $GPGSM --verify --assume-base64 --status-fd 1 \
| grep TRUST_NEVER >/dev/null; then
set_status pass
else
set_status fail
fi
fi
end_test
start_test 4.1.4 "Valid DSA Signatures Test4"
# The purpose of this test is to verify an application's ability to
# validate certificate in which DSA signatures are used. The
# intermediate CA and the end entity have DSA key pairs.
clean_homedir
need_cert TrustAnchorRootCertificate
need_crl TrustAnchorRootCRL
need_cert DSACACert
need_crl DSACACRL
need_cert ValidDSASignaturesTest4EE
if $GPGSM --with-colons --with-validation --list-key 0x820A72B8 >$SCRATCH; then
tmp=$($AWK -F: '$1 == "crt" {any=1; print $2};
END {if(!any) print "error"}' $SCRATCH)
[ -n "$tmp" ] && set_status fail
else
set_status fail
fi
if [ "$test_status" = "none" ]; then
# Note: This S/MIME file uses LF and not CR,LF. */
if sed '1,/^$/d' smime/SignedValidDSASignaturesTest4.eml \
| $GPGSM --verify --assume-base64 --status-fd 1 \
| grep TRUST_FULLY >/dev/null; then
set_status pass
else
set_status fail
fi
fi
end_test
start_test 4.1.5 "Valid DSA Parameter Inheritance Test5"
# The purpose of this test is to verify an application's ability to
# validate DSA signatures when the DSA parameters are not included in
# a certificate and need to be inherited from a previous certificate
# in the path. The intermediate CAs and the end entity have DSA key
# pairs.
set_status nys
end_test
start_test 4.1.6 "Invalid DSA Signature Test6"
# The purpose of this test is to verify an application's ability to
# determine when a DSA signature is invalid. The intermediate CA and
# the end entity have DSA key pairs.
set_status nys
end_test
final_result

4
tests/pkits/validate-all-certs
View file

@ -37,7 +37,7 @@ while read dummy flag section name; do
elif [ "$flag" = '?' ]; then
unresolved "validating certificate \`$name' succeeded"
elif [ "$flag" = 'u' ]; then
unsupported "validating certificate \`$name' succeeded"
skip "validating certificate \`$name' succeeded"
else
info "validating certificate \`$name' succeeded - (flag=$flag)"
fi
@ -49,7 +49,7 @@ while read dummy flag section name; do
elif [ "$flag" = '?' ]; then
unresolved "validating certificate \`$name' failed"
elif [ "$flag" = 'u' ]; then
unsupported "validating certificate \`$name' failed"
skip "validating certificate \`$name' failed"
else
info "validating certificate \`$name' failed - (flag=$flag)"
fi

187
tests/pkits/validity-periods
View file

@ -23,8 +23,195 @@ section=4.2
description="Validity Periods"
info "Running $description tests"
start_test 4.2.1 "Invalid CA notBefore Date Test1"
# In this test, the intermediate certificate's notBefore date is after
# the current date.
clean_homedir
need_cert TrustAnchorRootCertificate
need_crl TrustAnchorRootCRL
need_cert BadnotBeforeDateCACert
need_crl BadnotBeforeDateCACRL
need_cert InvalidCAnotBeforeDateTest1EE
if $GPGSM --faked-system-time $MYTIME \
--with-colons --with-validation --list-key 0x459ADD33 >$SCRATCH; then
tmp=$($AWK -F: '$1 == "crt" {any=1; print $2};
END {if(!any) print "error"}' $SCRATCH)
[ "$tmp" = "i" ] || set_status fail
else
set_status fail
fi
if [ "$test_status" = "none" ]; then
if sed '1,/^.$/d' smime/SignedInvalidCAnotBeforeDateTest1.eml \
| $GPGSM --faked-system-time $MYTIME \
--verify --assume-base64 --status-fd 1 --logger-fd 1 \
| tee $SCRATCH \
| grep TRUST_UNDEFINED >/dev/null; then
if grep 'intermediate certificate not yet valid' $SCRATCH >/dev/null \
&& grep 'invalid certification chain: Certificate too young' \
$SCRATCH >/dev/null
then
set_status pass
fi
fi
set_status fail
fi
end_test
start_test 4.2.2 "Invalid EE notBefore Date Test2"
# In this test, the end entity certificate's notBefore date is after
# the current date.
# Procedure: Validate Invalid EE notBefore Date Test2 EE using the
# default settings or open and verify Signed Test Message 6.2.2.5
# using the default settings.
# Expected Result: The path should not validate successfully as the
# notBefore date in the end entity certificate is after the current
# date.
# Certification Path: The certification path is composed of the
# following objects: Trust Anchor Root Certificate, Trust Anchor
# Root CRL Good CA Cert, Good CA CRL Invalid EE notBefore Date
# Test2 EE
end_test
start_test 4.2.3 "Valid pre2000 UTC notBefore Date Test3"
# In this test, the end entity certificate's notBefore date is set to
# 1950 and is encoded in UTCTime.
#
# Procedure: Validate Valid pre2000 UTC notBefore Date Test3 EE
# using the default settings or open and
# verify Signed Test Message 6.2.2.6 using
# the default settings.
#
# Expected Result: The path should validate successfully as the
# notBefore date in the end entity
# certificate is before the current date.
#
# Certification Path: The certification path is composed of the
# following objects: Trust Anchor Root Certificate,
# Trust Anchor Root CRL Good CA Cert, Good CA CRL Valid
# pre2000 UTC notBefore Date Test3 EE
#
end_test
start_test 4.2.4 "Valid GeneralizedTime notBefore Date Test4"
# In this test, the end entity certificate's notBefore date is
# specified in GeneralizedTime.
#
# Procedure: Validate Valid GeneralizedTime notBefore Date Test4 EE
# using the default settings or open and
# verify Signed Test Message 6.2.2.7 using
# the default settings.
#
# Expected Result: The path should validate successfully.
#
# Certification Path:
# The certification path is composed of the following objects:
# Trust Anchor Root Certificate, Trust Anchor Root CRL
# Good CA Cert, Good CA CRL
# Valid GeneralizedTime notBefore Date Test4 EE
#
end_test
start_test 4.2.5 "Invalid CA notAfter Date Test5"
# In this test, the intermediate certificate's notAfter date is before
# the current date.
# Procedure: Validate Invalid CA notAfter Date Test5 EE using the
# default settings or open and verify
# Signed Test Message 6.2.2.8 using the
# default settings.
#
# Expected Result: The path should not validate successfully as the
# notAfter date in the intermediate
# certificate is before the current date.
#
# Certification Path: The certification path is composed of the
# following objects:
#
# Trust Anchor Root Certificate, Trust Anchor Root CRL
# Bad notAfter Date CA Cert, Bad notAfter Date CA CRL
# Invalid CA notAfter Date Test5 EE
#
end_test
start_test 4.2.6 "Invalid EE notAfter Date Test6"
# In this test, the end entity certificate's notAfter date is before
# the current date.
# Procedure: Validate Invalid EE notAfter Date Test6 EE using the
# default settings or open and verify
# Signed Test Message 6.2.2.9 using the
# default settings.
#
# Expected Result: The path should not validate successfully as the
# notAfter date in the end certificate is
# before the current date.
#
# Certification Path: The certification path is composed of the
# following objects:
# Trust Anchor Root Certificate, Trust Anchor Root CRL
# Good CA Cert, Good CA CRL
# Invalid EE notAfter Date Test6 EE
end_test
start_test 4.2.7 "Invalid pre2000 UTC EE notAfter Date Test7"
# In this test, the end entity certificate's notAfter date is 1999 and
# is encoded in UTCTime.
# Procedure: Validate Invalid pre2000 UTC EE notAfter Date Test7 EE
# using the default settings or open and
# verify Signed Test Message 6.2.2.10 using
# the default settings.
#
# Expected Result: The path should not validate successfully as the
# notAfter date in the end certificate is
# before the current date.
#
#
# Certification Path: The certification path is composed of the
# following objects:
#
# Trust Anchor Root Certificate, Trust Anchor Root CRL
# Good CA Cert, Good CA CRL
# Invalid pre2000 UTC EE notAfter Date Test7 EE
end_test
start_test 4.2.8 "Valid GeneralizedTime notAfter Date Test8"
# In this test, the end entity certificate's notAfter date is 2050 and
# is encoded in GeneralizedTime.
# Procedure: Validate Valid GeneralizedTime notAfter Date Test8 EE
# using the default settings or open and
# verify Signed Test Message 6.2.2.11 using
# the default settings.
#
# Expected Result: The path should validate successfully as the
# notAfter date in the end certificate is
# after the current date.
#
#
# Trust Anchor Root Certificate, Trust Anchor Root CRL
# Good CA Cert, Good CA CRL
# Valid GeneralizedTime notAfter Date Test8 EE
end_test