Improve certificate chain construction.

Extend PKITS framework

60 files changed, 1287 insertions, 592 deletions

diff --git a/NEWS b/NEWS
index 764edb3aa..0a9cb4a26 100644
--- a/NEWS
+++ b/NEWS
@@ -4,9 +4,13 @@ Noteworthy changes in version 2.0.9 (unreleased)
  * Gpgsm always tries to locate missing certificates from a running
    Dirmngr's cache.
 
- * Minor bug fixes.
+ * Tweaks for Windows.
+
+ * Improved certificate chain construction.
 
- * Tweaks for Windows
+ * Extended the PKITS framework.
+
+ * Minor bug fixes.
 
 
 Noteworthy changes in version 2.0.8 (2007-12-20)
diff --git a/configure.ac b/configure.ac
index c630af53b..6860187a9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1412,10 +1412,10 @@ tools/Makefile
 doc/Makefile
 tests/Makefile
 tests/openpgp/Makefile
+tests/pkits/Makefile
 ])
 AC_OUTPUT
 
-#tests/pkits/Makefile
 
 
 
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index d936b3eb2..3193e852f 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@@ -342,6 +342,9 @@ to connect to this one.  Fallback to a pipe based server if this does
 not work.  Under Windows this option is ignored because the system dirmngr is
 always used.
 
+@item --disable-dirmngr
+Entirely disable the use of the Dirmngr.
+
 @item --no-secmem-warning
 @opindex no-secmem-warning
 Don't print a warning when the so called "secure memory" can't be used.
@@ -673,6 +676,10 @@ Supply the passphrase @var{string} to the gpg-protect-tool.  This
 option is only useful for the regression tests included with this
 package and may be revised or removed at any time without notice.
 
+@item --no-common-certs-import
+@opindex no-common-certs-import
+Suppress the import of common certificates on keybox creation.
+
 @end table
 
 All the long options may also be given in the configuration file after
diff --git a/po/be.po b/po/be.po
index d95b50497..260ab6c6e 100644
--- a/po/be.po
+++ b/po/be.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 1.2.2\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2003-10-30 16:35+0200\n"
 "Last-Translator: Ales Nyakhaychyk <nab@mail.by>\n"
 "Language-Team: Belarusian <i18n@mova.org>\n"
diff --git a/po/ca.po b/po/ca.po
index 82bd46229..e2c4d2cba 100644
--- a/po/ca.po
+++ b/po/ca.po
@@ -27,7 +27,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 1.4.0\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2005-02-04 02:04+0100\n"
 "Last-Translator: Jordi Mallach <jordi@gnu.org>\n"
 "Language-Team: Catalan <ca@dodds.net>\n"
diff --git a/po/cs.po b/po/cs.po
index 09cb75c65..649ef7288 100644
--- a/po/cs.po
+++ b/po/cs.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg-1.3.92\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2004-11-26 09:12+0200\n"
 "Last-Translator: Roman Pavlik <rp@tns.cz>\n"
 "Language-Team: Czech <translations.cs@gnupg.cz>\n"
diff --git a/po/da.po b/po/da.po
index e5f20b75c..15e25a481 100644
--- a/po/da.po
+++ b/po/da.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 1.0.0h\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2003-12-03 16:11+0100\n"
 "Last-Translator: Birger Langkjer <birger.langkjer@image.dk>\n"
 "Language-Team: Danish <dansk@klid.dk>\n"
diff --git a/po/de.po b/po/de.po
index e0c98e27f..8630fc7d3 100644
--- a/po/de.po
+++ b/po/de.po
@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg-2.0.6\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2008-02-15 10:36+0100\n"
 "Last-Translator: Walter Koch <koch@u32.de>\n"
 "Language-Team: German <de@li.org>\n"
diff --git a/po/el.po b/po/el.po
index 750daa3f3..5bf3600e5 100644
--- a/po/el.po
+++ b/po/el.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg-1.1.92\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2003-06-27 12:00+0200\n"
 "Last-Translator: Dokianakis Theofanis <madf@hellug.gr>\n"
 "Language-Team: Greek <nls@tux.hellug.gr>\n"
diff --git a/po/eo.po b/po/eo.po
index 275cfcf7f..7491127fd 100644
--- a/po/eo.po
+++ b/po/eo.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 1.0.6d\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2002-04-14 14:33+0100\n"
 "Last-Translator: Edmund GRIMLEY EVANS <edmundo@rano.org>\n"
 "Language-Team: Esperanto <translation-team-eo@lists.sourceforge.net>\n"
diff --git a/po/es.po b/po/es.po
index b2da53b84..8d20dbd76 100644
--- a/po/es.po
+++ b/po/es.po
@@ -10,7 +10,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 1.4.1\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2007-08-16 11:35+0200\n"
 "Last-Translator: Jaime Suárez <jsuarez@ono.com>\n"
 "Language-Team: Spanish <es@li.org>\n"
diff --git a/po/et.po b/po/et.po
index 890d1a6e8..9384a5c50 100644
--- a/po/et.po
+++ b/po/et.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 1.2.2\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2004-06-17 11:04+0300\n"
 "Last-Translator: Toomas Soome <Toomas.Soome@microlink.ee>\n"
 "Language-Team: Estonian <et@li.org>\n"
diff --git a/po/fi.po b/po/fi.po
index a31d54c89..1ceb035bd 100644
--- a/po/fi.po
+++ b/po/fi.po
@@ -22,7 +22,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 1.2.2\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2004-06-16 22:40+0300\n"
 "Last-Translator: Tommi Vainikainen <Tommi.Vainikainen@iki.fi>\n"
 "Language-Team: Finnish <translation-team-fi@lists.sourceforge.net>\n"
diff --git a/po/fr.po b/po/fr.po
index 0a4c94dbe..0c32d038d 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 1.4.2rc2\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2005-06-28 00:24+0200\n"
 "Last-Translator: Gaël Quéri <gael@lautre.net>\n"
 "Language-Team: French <traduc@traduc.org>\n"
diff --git a/po/gl.po b/po/gl.po
index 68a47879b..8cd66bfd9 100644
--- a/po/gl.po
+++ b/po/gl.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 1.2.4\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2003-12-04 11:39+0100\n"
 "Last-Translator: Jacobo Tarrio <jtarrio@trasno.net>\n"
 "Language-Team: Galician <gpul-traduccion@ceu.fi.udc.es>\n"
diff --git a/po/hu.po b/po/hu.po
index 75f8539e5..e8ff0cad4 100644
--- a/po/hu.po
+++ b/po/hu.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 1.2.5\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2004-06-19 21:53+0200\n"
 "Last-Translator: Nagy Ferenc László <nfl@nfllab.com>\n"
 "Language-Team: Hungarian <translation-team-hu@lists.sourceforge.net>\n"
diff --git a/po/id.po b/po/id.po
index 2f9cfcf3e..c7fdd992c 100644
--- a/po/id.po
+++ b/po/id.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg-id\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2004-06-17 16:32+0700\n"
 "Last-Translator: Tedi Heriyanto <tedi_h@gmx.net>\n"
 "Language-Team: Indonesian <translation-team-id@lists.sourceforge.net>\n"
diff --git a/po/it.po b/po/it.po
index cde0e309c..21e071d89 100644
--- a/po/it.po
+++ b/po/it.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 1.1.92\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2004-06-16 17:01+0200\n"
 "Last-Translator: Marco d'Itri <md@linux.it>\n"
 "Language-Team: Italian <tp@lists.linux.it>\n"
diff --git a/po/ja.po b/po/ja.po
index e5984c459..304850df7 100644
--- a/po/ja.po
+++ b/po/ja.po
@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 1.3.92\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2004-11-23 11:14+0900\n"
 "Last-Translator: IIDA Yosiaki <iida@gnu.org>\n"
 "Language-Team: Japanese <translation-team-ja@lists.sourceforge.net>\n"
diff --git a/po/nb.po b/po/nb.po
index 4aba7b0f0..36434b7f1 100644
--- a/po/nb.po
+++ b/po/nb.po
@@ -10,7 +10,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 1.4.3\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2006-06-13 20:31+0200\n"
 "Last-Translator: Trond Endrestøl <Trond.Endrestol@fagskolen.gjovik.no>\n"
 "Language-Team: Norwegian Bokmål <i18n-nb@lister.ping.uio.no>\n"
diff --git a/po/pl.po b/po/pl.po
index e025d1ec4..e3c842ff5 100644
--- a/po/pl.po
+++ b/po/pl.po
@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg-2.0.7\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2007-11-26 19:01+0100\n"
 "Last-Translator: Jakub Bogusz <qboosh@pld-linux.org>\n"
 "Language-Team: Polish <translation-team-pl@lists.sourceforge.net>\n"
diff --git a/po/pt.po b/po/pt.po
index 4462c4f16..eb944f7c7 100644
--- a/po/pt.po
+++ b/po/pt.po
@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2002-09-13 18:26+0100\n"
 "Last-Translator: Pedro Morais <morais@kde.org>\n"
 "Language-Team: pt <morais@kde.org>\n"
diff --git a/po/pt_BR.po b/po/pt_BR.po
index dd5b34d2b..5d499e1fb 100644
--- a/po/pt_BR.po
+++ b/po/pt_BR.po
@@ -13,7 +13,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 1.0\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2007-08-16 11:35+0200\n"
 "Last-Translator:\n"
 "Language-Team: ?\n"
diff --git a/po/ro.po b/po/ro.po
index 2dc565929..e75bcb1cb 100644
--- a/po/ro.po
+++ b/po/ro.po
@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 1.4.2rc1\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2005-05-31 22:00-0500\n"
 "Last-Translator: Laurentiu Buzdugan <lbuz@rolix.org>\n"
 "Language-Team: Romanian <translation-team-ro@lists.sourceforge.net>\n"
diff --git a/po/ru.po b/po/ru.po
index 2be61ad1e..45929bb43 100644
--- a/po/ru.po
+++ b/po/ru.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: GnuPG 2.0.0\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2006-11-07 19:31+0300\n"
 "Last-Translator: Maxim Britov <maxim.britov@gmail.com>\n"
 "Language-Team: Russian <gnupg-ru@gnupg.org>\n"
diff --git a/po/sk.po b/po/sk.po
index 780b0120b..710f2f67b 100644
--- a/po/sk.po
+++ b/po/sk.po
@@ -5,7 +5,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 1.2.5\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2004-07-20 15:52+0200\n"
 "Last-Translator: Michal Majer <mmajer@econ.umb.sk>\n"
 "Language-Team: Slovak <sk-i18n@lists.linux.sk>\n"
diff --git a/po/sv.po b/po/sv.po
index aa759a7cd..8fc72efe3 100644
--- a/po/sv.po
+++ b/po/sv.po
@@ -24,7 +24,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg trunk\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2007-11-12 16:08+0100\n"
 "Last-Translator: Daniel Nylander <po@danielnylander.se>\n"
 "Language-Team: Swedish <tp-sv@listor.tp-sv.se>\n"
diff --git a/po/tr.po b/po/tr.po
index 3990a9d66..cee49cd6d 100644
--- a/po/tr.po
+++ b/po/tr.po
@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 1.9.94\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2006-11-04 03:45+0200\n"
 "Last-Translator: Nilgün Belma Bugüner <nilgun@belgeler.gen.tr>\n"
 "Language-Team: Turkish <gnu-tr-u12a@lists.sourceforge.net>\n"
diff --git a/po/zh_CN.po b/po/zh_CN.po
index 3dedca961..771a33acb 100644
--- a/po/zh_CN.po
+++ b/po/zh_CN.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 1.4.4\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2006-07-02 10:58+0800\n"
 "Last-Translator: Meng Jie <zuxyhere@eastday.com>\n"
 "Language-Team: Chinese (simplified) <i18n-translation@lists.linux.net.cn>\n"
diff --git a/po/zh_TW.po b/po/zh_TW.po
index 3660d48f9..53d7f8b13 100644
--- a/po/zh_TW.po
+++ b/po/zh_TW.po
@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 2.0.8\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2008-02-15 10:28+0100\n"
+"POT-Creation-Date: 2008-02-15 10:39+0100\n"
 "PO-Revision-Date: 2008-01-31 23:09+0800\n"
 "Last-Translator: Jedi Lin <Jedi@Jedi.org>\n"
 "Language-Team: Chinese (traditional) <zh-l10n@linux.org.tw>\n"
diff --git a/sm/ChangeLog b/sm/ChangeLog
index 8f348a5f2..22333698b 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,3 +1,20 @@
+2008-02-18  Werner Koch  <wk@g10code.com>
+
+	* certchain.c (gpgsm_is_root_cert): Factor code out to ...
+	(is_root_cert): New.  Extend test for self-issued certificates
+	signed by other CAs.
+	(do_validate_chain, gpgsm_basic_cert_check)
+	(gpgsm_walk_cert_chain): Use it here.
+
+	* gpgsm.c: Add option --no-common-certs-import.
+	
+	* certchain.c (find_up_dirmngr, find_up, do_validate_chain)
+	(check_cert_policy): Be more silent with --quiet.
+
+	* gpgsm.c: Add option --disable-dirmngr.
+	* gpgsm.h (opt): Add field DISABLE_DIRMNGR.
+	* call-dirmngr.c (start_dirmngr): Implement option.
+
 2008-02-14  Werner Koch  <wk@g10code.com>
 
 	* server.c (option_handler): Add option allow-pinentry-notify.
diff --git a/sm/call-dirmngr.c b/sm/call-dirmngr.c
index 83b001b52..02a2ca8d7 100644
--- a/sm/call-dirmngr.c
+++ b/sm/call-dirmngr.c
@@ -166,6 +166,9 @@ start_dirmngr (ctrl_t ctrl)
   assuan_context_t ctx;
   int try_default = 0;
 
+  if (opt.disable_dirmngr)
+    return gpg_error (GPG_ERR_NO_DIRMNGR);
+
   if (dirmngr_ctx)
     {
       prepare_dirmngr (ctrl, dirmngr_ctx, 0);
@@ -447,7 +450,6 @@ gpgsm_dirmngr_isvalid (ctrl_t ctrl,
   struct inq_certificate_parm_s parm;
   struct isvalid_status_parm_s stparm;
 
-
   rc = start_dirmngr (ctrl);
   if (rc)
     return rc;
diff --git a/sm/certchain.c b/sm/certchain.c
index 04b7e05ff..f9751752f 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -1,6 +1,6 @@
 /* certchain.c - certificate chain validation
  * Copyright (C) 2001, 2002, 2003, 2004, 2005,
- *               2006, 2007 Free Software Foundation, Inc.
+ *               2006, 2007, 2008 Free Software Foundation, Inc.
  *
  * This file is part of GnuPG.
  *
@@ -60,6 +60,8 @@ struct chain_item_s
 typedef struct chain_item_s *chain_item_t;
 
 
+static int is_root_cert (ksba_cert_t cert,
+                         const char *issuerdn, const char *subjectdn);
 static int get_regtp_ca_info (ctrl_t ctrl, ksba_cert_t cert, int *chainlen);
 
 
@@ -331,8 +333,9 @@ check_cert_policy (ksba_cert_t cert, int listmode, estream_t fplist)
       /* With no critical policies this is only a warning */
       if (!any_critical)
         {
-          do_list (0, listmode, fplist,
-                   _("note: non-critical certificate policy not allowed"));
+          if (!opt.quiet)
+            do_list (0, listmode, fplist,
+                     _("note: non-critical certificate policy not allowed"));
           return 0;
         }
       do_list (1, listmode, fplist,
@@ -563,7 +566,7 @@ find_up_dirmngr (ctrl_t ctrl, KEYDB_HANDLE kh,
 
   if (opt.verbose)
     log_info (_("number of matching certificates: %d\n"), count);
-  if (rc) 
+  if (rc && !opt.quiet) 
     log_info (_("dirmngr cache-only key lookup failed: %s\n"),
               gpg_strerror (rc));
   return (!rc && count)? 0 : -1;
@@ -667,7 +670,9 @@ find_up (ctrl_t ctrl, KEYDB_HANDLE kh,
       /* Print a note so that the user does not feel too helpless when
          an issuer certificate was found and gpgsm prints BAD
          signature because it is not the correct one. */
-      if (rc == -1)
+      if (rc == -1 && opt.quiet)
+        ;
+      else if (rc == -1)
         {
           log_info ("%sissuer certificate ", find_next?"next ":"");
           if (keyid)
@@ -752,7 +757,7 @@ gpgsm_walk_cert_chain (ctrl_t ctrl, ksba_cert_t start, ksba_cert_t *r_next)
       goto leave;
     }
 
-  if (!strcmp (issuer, subject))
+  if (is_root_cert (start, issuer, subject))
     {
       rc = -1; /* we are at the root */
       goto leave; 
@@ -784,6 +789,75 @@ gpgsm_walk_cert_chain (ctrl_t ctrl, ksba_cert_t start, ksba_cert_t *r_next)
 }
 
 
+/* Helper for gpgsm_is_root_cert.  This one is used if the subject and
+   issuer DNs are already known.  */
+static int
+is_root_cert (ksba_cert_t cert, const char *issuerdn, const char *subjectdn)
+{
+  gpg_error_t err;
+  int result = 0;
+  ksba_sexp_t serialno;
+  ksba_sexp_t ak_keyid;
+  ksba_name_t ak_name;
+  ksba_sexp_t ak_sn;
+  const char *ak_name_str;
+  ksba_sexp_t subj_keyid = NULL;
+
+  if (!issuerdn || !subjectdn)
+    return 0;  /* No.  */
+
+  if (strcmp (issuerdn, subjectdn))
+    return 0;  /* No.  */
+
+  err = ksba_cert_get_auth_key_id (cert, &ak_keyid, &ak_name, &ak_sn);
+  if (err)
+    {
+      if (gpg_err_code (err) == GPG_ERR_NO_DATA)
+        return 1; /* Yes. Without a authorityKeyIdentifier this needs
+                     to be the Root certifcate (our trust anchor).  */
+      log_error ("error getting authorityKeyIdentifier: %s\n",
+                 gpg_strerror (err));
+      return 0; /* Well, it is broken anyway.  Return No. */
+    }
+
+  serialno = ksba_cert_get_serial (cert);
+  if (!serialno)
+    {
+      log_error ("error getting serialno: %s\n", gpg_strerror (err));
+      goto leave;
+    }
+
+  /* Check whether the auth name's matches the issuer name+sn.  If
+     that is the case this is a root certificate.  */
+  ak_name_str = ksba_name_enum (ak_name, 0);
+  if (ak_name_str
+      && !strcmp (ak_name_str, issuerdn) 
+      && !cmp_simple_canon_sexp (ak_sn, serialno))
+    {
+      result = 1;  /* Right, CERT is self-signed.  */
+      goto leave;
+    } 
+   
+  /* Similar for the ak_keyid. */
+  if (ak_keyid && !ksba_cert_get_subj_key_id (cert, NULL, &subj_keyid)
+      && !cmp_simple_canon_sexp (ak_keyid, subj_keyid))
+    {
+      result = 1;  /* Right, CERT is self-signed.  */
+      goto leave;
+    } 
+
+
+ leave:
+  ksba_free (subj_keyid);
+  ksba_free (ak_keyid);
+  ksba_name_release (ak_name);
+  ksba_free (ak_sn);
+  ksba_free (serialno);
+  return result; 
+}
+
+
+
 /* Check whether the CERT is a root certificate.  Returns True if this
    is the case. */
 int
@@ -795,7 +869,7 @@ gpgsm_is_root_cert (ksba_cert_t cert)
 
   issuer = ksba_cert_get_issuer (cert, 0);
   subject = ksba_cert_get_subject (cert, 0);
-  yes = (issuer && subject && !strcmp (issuer, subject));
+  yes = is_root_cert (cert, issuer, subject);
   xfree (issuer);
   xfree (subject);
   return yes;
@@ -1197,11 +1271,8 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
         }
 
 
-      /* Is this a self-issued certificate (i.e. the root
-         certificate)?  This is actually the same test as done by
-         gpgsm_is_root_cert but here we want to keep the issuer and
-         subject for later use.  */
-      is_root = (subject && !strcmp (issuer, subject));
+      /* Is this a self-issued certificate (i.e. the root certificate)?  */
+      is_root = is_root_cert (subject_cert, issuer, subject);
       if (is_root)
         {
           chain->is_root = 1;
@@ -1570,7 +1641,7 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
       depth++;
     } /* End chain traversal. */
 
-  if (!listmode)
+  if (!listmode && !opt.quiet)
     {
       if (opt.no_policy_check)
         log_info ("policies not checked due to %s option\n",
@@ -1771,7 +1842,7 @@ gpgsm_basic_cert_check (ctrl_t ctrl, ksba_cert_t cert)
       goto leave;
     }
 
-  if (subject && !strcmp (issuer, subject))
+  if (is_root_cert (cert, issuer, subject))
     {
       rc = gpgsm_check_cert_sig (cert, cert);
       if (rc)
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index 71f8e2cc1..615dfb8e6 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -1,6 +1,6 @@
 /* gpgsm.c - GnuPG for S/MIME 
  * Copyright (C) 2001, 2002, 2003, 2004, 2005,
- *               2006, 2007  Free Software Foundation, Inc.
+ *               2006, 2007, 2008  Free Software Foundation, Inc.
  *
  * This file is part of GnuPG.
  *
@@ -122,6 +122,7 @@ enum cmd_and_opt_values {
 
   oPreferSystemDirmngr,
   oDirmngrProgram,
+  oDisableDirmngr,
   oProtectToolProgram,
   oFakedSystemTime,
 
@@ -149,7 +150,6 @@ enum cmd_and_opt_values {
   oEnablePolicyChecks,
   oAutoIssuerKeyRetrieve,
   
-
   oTextmode,
   oFingerprint,
   oWithFingerprint,
@@ -231,6 +231,7 @@ enum cmd_and_opt_values {
   oIgnoreTimeConflict,
   oNoRandomSeedFile,
   oNoAutoKeyRetrieve,
+  oNoCommonCertsImport,
   oUseAgent,
   oMergeOnly,
   oTryAllSecrets,
@@ -431,10 +432,10 @@ static ARGPARSE_OPTS opts[] = {
     { oLCmessages, "lc-messages", 2, "@" },
     { oXauthority, "xauthority", 2, "@" },
     { oDirmngrProgram, "dirmngr-program", 2 , "@" },
+    { oDisableDirmngr, "disable-dirmngr", 0 , "@" },
     { oProtectToolProgram, "protect-tool-program", 2 , "@" },
     { oFakedSystemTime, "faked-system-time", 2, "@" }, /* (epoch time) */
 
-
     { oNoBatch, "no-batch", 0, "@" },
     { oWithColons, "with-colons", 0, "@"},
     { oWithKeyData,"with-key-data", 0, "@"},
@@ -462,6 +463,7 @@ static ARGPARSE_OPTS opts[] = {
     { oListOnly, "list-only", 0, "@"},
     { oIgnoreTimeConflict, "ignore-time-conflict", 0, "@" },
     { oNoRandomSeedFile,  "no-random-seed-file", 0, "@" },
+    { oNoCommonCertsImport, "no-common-certs-import", 0, "@" },
 {0} };
 
 
@@ -842,6 +844,7 @@ main ( int argc, char **argv)
   int nogreeting = 0;
   int debug_wait = 0;
   int use_random_seed = 1;
+  int no_common_certs_import = 0;
   int with_fpr = 0;
   char *def_digest_string = NULL;
   char *extra_digest_algo = NULL;
@@ -1215,6 +1218,7 @@ main ( int argc, char **argv)
         case oLCmessages: opt.lc_messages = xstrdup (pargs.r.ret_str); break;
         case oXauthority: opt.xauthority = xstrdup (pargs.r.ret_str); break;
         case oDirmngrProgram: opt.dirmngr_program = pargs.r.ret_str;  break;
+        case oDisableDirmngr: opt.disable_dirmngr = 1;  break;
         case oPreferSystemDirmngr: opt.prefer_system_dirmngr = 1; break;
         case oProtectToolProgram:
           opt.protect_tool_program = pargs.r.ret_str; 
@@ -1307,6 +1311,7 @@ main ( int argc, char **argv)
 
         case oIgnoreTimeConflict: opt.ignore_time_conflict = 1; break;
         case oNoRandomSeedFile: use_random_seed = 0; break;
+        case oNoCommonCertsImport: no_common_certs_import = 1; break;
 
         case oEnableSpecialFilenames: allow_special_filenames =1; break;
 
@@ -1476,7 +1481,7 @@ main ( int argc, char **argv)
       int created;
 
       keydb_add_resource ("pubring.kbx", 0, 0, &created);
-      if (created)
+      if (created && !no_common_certs_import)
         {
           /* Import the standard certificates for a new default keybox. */
           char *filelist[2];
@@ -1593,6 +1598,8 @@ main ( int argc, char **argv)
                 GC_OPT_FLAG_NONE );
         printf ("auto-issuer-key-retrieve:%lu:\n",
                 GC_OPT_FLAG_NONE );
+        printf ("disable-dirmngr:%lu:\n",
+                GC_OPT_FLAG_NONE );
 #ifndef HAVE_W32_SYSTEM
         printf ("prefer-system-dirmngr:%lu:\n",
                 GC_OPT_FLAG_NONE );
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index 26a191f87..73231671c 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -59,6 +59,7 @@ struct
 
   const char *dirmngr_program;
   int prefer_system_dirmngr;  /* Prefer using a system wide drimngr.  */
+  int disable_dirmngr;        /* Do not do any dirmngr calls.  */
   const char *protect_tool_program;
   char *outfile;    /* name of output file */
 
diff --git a/tests/pkits/ChangeLog b/tests/pkits/ChangeLog
index 084e6cec8..34ddfbfa7 100644
--- a/tests/pkits/ChangeLog
+++ b/tests/pkits/ChangeLog
@@ -1,3 +1,32 @@
+2008-02-19  Werner Koch  <wk@g10code.com>
+
+	* signature-verification: New.
+	* validity-periods: New.
+	* verifying-name-chaining: New.
+	* basic-certificate-revocation: New.
+	* verifying-paths-self-issued: New.
+	* verifying-basic-constraints: New.
+	* key-usage: New.
+	* certificate-policies: New.
+	* require-explicit-policy: New.
+	* policy-mappings: New.
+	* inhibit-policy-mapping: New.
+	* inhibit-any-policy: New.
+	* name-constraints: New.
+	* distribution-points: New.
+	* delta-crls: New.
+	* private-certificate-extensions: New.
+	* Makefile.am (testscripts): Add them.
+
+	* import-all-certs.data: Add section numbers.
+
+2008-02-18  Werner Koch  <wk@g10code.com>
+
+	* import-all-certs.data: Adjust import tests results.  Almost all
+	certificates should now be importable due to relaxed basic checks.
+
+	* inittests (clean_files): Disable all dirmngr access.
+
 2006-05-02  Werner Koch  <wk@g10code.com>
 
 	* PKITS_data.tar.bz2: Repackaged new copy becuase the old one got
@@ -7,7 +36,7 @@
 
 	Started implementing PKITS based tests.
 
-	
+
  Copyright 2004 Free Software Foundation, Inc.
 
  This file is free software; as a special exception the author gives
@@ -17,7 +46,3 @@
  This file is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
  implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-	
-
-	
-
diff --git a/tests/pkits/Makefile.am b/tests/pkits/Makefile.am
index d53d35a25..268ad47a3 100644
--- a/tests/pkits/Makefile.am
+++ b/tests/pkits/Makefile.am
@@ -1,11 +1,11 @@
 # Makefile.am - tests using NIST's PKITS
-#     	Copyright (C) 2004 Free Software Foundation, Inc.
+#     	Copyright (C) 2004, 2008 Free Software Foundation, Inc.
 # 
 # This file is part of GnuPG.
 # 
 # GnuPG is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
+# the Free Software Foundation; either version 3 of the License, or
 # (at your option) any later version.
 # 
 # GnuPG is distributed in the hope that it will be useful,
@@ -14,40 +14,33 @@
 # GNU General Public License for more details.
 # 
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
-# USA.
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
 
 ## Process this file with automake to produce Makefile.in
 
 GPGSM = ../../sm/gpgsm
 
 TESTS_ENVIRONMENT = GNUPGHOME=`pwd` GPG_AGENT_INFO= LC_ALL=C GPGSM=$(GPGSM) \
-		    LD_LIBRARY_PATH=$$(seen=0; \
-                           for i in $(LDFLAGS) $(LIBGCRYPT_LIBS) $(PTH_LIBS); \
-                           do \
-                             if echo "$$i" | egrep '^-L' >/dev/null 2>&1; \
-                             then \
-                               if test $$seen = 0; \
-                               then \
-                                 seen=1; \
-                               else \
-                                 printf ":"; \
-                               fi; \
-                               printf "%s" "$${i}" | sed 's/^-L//'; \
-                             fi; \
-                           done; \
-                           if test $$seen != 0 \
-                              && test x$${LD_LIBRARY_PATH} != x; \
-                           then \
-                             printf ":"; \
-                           fi; \
-                           printf "%s" "$${LD_LIBRARY_PATH}") $(srcdir)/runtest
-
-
-
-testscripts = import-all-certs validate-all-certs
-
+		    silent=yes
+
+
+testscripts = import-all-certs validate-all-certs \
+	signature-verification        \
+	validity-periods              \
+	verifying-name-chaining       \
+	basic-certificate-revocation  \
+	verifying-paths-self-issued   \
+	verifying-basic-constraints   \
+	key-usage                     \
+	certificate-policies          \
+	require-explicit-policy       \
+	policy-mappings               \
+	inhibit-policy-mapping        \
+	inhibit-any-policy            \
+	name-constraints              \
+	distribution-points           \
+	delta-crls                    \
+	private-certificate-extensions
 
 
 EXTRA_DIST = PKITS_data.tar.bz2 inittests runtest $(testscripts) 
@@ -68,3 +61,11 @@ inittests.stamp: inittests
 	srcdir=$(srcdir) $(TESTS_ENVIRONMENT) $(srcdir)/inittests
 	echo timestamp >./inittests.stamp
 
+
+run-all-tests:
+	@set -e; \
+         GNUPGHOME=`pwd`; export GNUPGHOME;\
+         unset GPG_AGENT_INFO; \
+         for test in $(testscripts); do \
+           ./$${test} && true; \
+         done
diff --git a/tests/pkits/README b/tests/pkits/README
index 79678cf30..3fe238c6c 100644
--- a/tests/pkits/README
+++ b/tests/pkits/README
@@ -7,6 +7,31 @@ http://csrc.nist.gov/pki/testing/x509paths.html .
 README             - this file.
 PKITS_data.tar.bz2 - the orginal ZIP file, repackaged as a tarball.
 Makefile.am        - Part of our build system.
+import-all-certs   - Run a simple import test on all certifcates
+validate-all-certs - Run an import and validate test on all certificates
+signature-verification         - PKITS test 4.1  
+validity-periods               - PKITS test 4.2  
+verifying-name-chaining        - PKITS test 4.3  
+basic-certificate-revocation   - PKITS test 4.4  
+verifying-paths-self-issued    - PKITS test 4.5  
+verifying-basic-constraints    - PKITS test 4.6  
+key-usage                      - PKITS test 4.7  
+certificate-policies           - PKITS test 4.8  
+require-explicit-policy        - PKITS test 4.9  
+policy-mappings                - PKITS test 4.10 
+inhibit-policy-mapping         - PKITS test 4.11 
+inhibit-any-policy             - PKITS test 4.12 
+name-constraints               - PKITS test 4.13 
+distribution-points            - PKITS test 4.14 
+delta-crls                     - PKITS test 4.15 
+private-certificate-extensions - PKITS test 4.16 
 
 
 The password for the p12 files is "password".
+
+You may run the tests as usual with "make check" or after a plain make
+in this directory you may run the tests individually.  When run in
+this way they will print easy to parse output to stdout.  To run all
+tests in this mode, use "make run-all-tests".  All test scripts create
+a log file with the suffix ".log" appended to the test script's name.
+
diff --git a/tests/pkits/basic-certificate-revocation b/tests/pkits/basic-certificate-revocation
new file mode 100644
index 000000000..496a82c97
--- /dev/null
+++ b/tests/pkits/basic-certificate-revocation
@@ -0,0 +1,31 @@
+#!/bin/sh
+# basic-certificate-revocation - PKITS Test 4.4                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.4
+description="Basic Certificate Revocation"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/certificate-policies b/tests/pkits/certificate-policies
new file mode 100644
index 000000000..f4722012d
--- /dev/null
+++ b/tests/pkits/certificate-policies
@@ -0,0 +1,31 @@
+#!/bin/sh
+# certificate-policies - PKITS Test 4.8                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.8
+description="Certificate Policies"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/common.sh b/tests/pkits/common.sh
index 09fb62bc8..241a0faf7 100644
--- a/tests/pkits/common.sh
+++ b/tests/pkits/common.sh
@@ -1,12 +1,12 @@
 #!/bin/sh
 # common.sh - common defs for all tests         -*- sh -*-
-# Copyright (C) 2004 Free Software Foundation, Inc.
+# Copyright (C) 2004, 2008 Free Software Foundation, Inc.
 #
 # This file is part of GnuPG.
 # 
 # GnuPG is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
+# the Free Software Foundation; either version 3 of the License, or
 # (at your option) any later version.
 # 
 # GnuPG is distributed in the hope that it will be useful,
@@ -15,9 +15,7 @@
 # GNU General Public License for more details.
 # 
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
-# USA.
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
 
 # reset some environment variables because we do not want to test locals
 export LANG=C
@@ -29,7 +27,7 @@ export LC_ALL=C
 [ -z "$srcdir" ] && srcdir="."
 [ -z "$top_srcdir" ] && top_srcdir=".."
 [ -z "$GPGSM" ] && GPGSM="../../sm/gpgsm"
-
+[ -z "$silent" ] && silent=no
 
 if [ "$GNUPGHOME" != "`pwd`" ]; then
     echo "inittests: please set GNUPGHOME to the tests/pkits directory" >&2
@@ -42,7 +40,6 @@ if [ -n "$GPG_AGENT_INFO" ]; then
 fi
 
 
-
 #--------------------------------
 #------ utility functions -------
 #--------------------------------
@@ -68,46 +65,92 @@ echo_n () {
   echo $echo_n_n "${1}$echo_n_c"
 }
 
+setup_output () {
+  if [ -z "$first_section_set" ]; then
+      first_section_set=$section
+  fi
+  section_out="$(echo $section)"
+  if [ -z "$section_out" ]; then
+      section_out="-"
+  fi
+}
+
 fatal () {
     echo "$pgmname: fatal:" $* >&2
+    if [ "$silent" != "yes" ]; then
+        echo "$section_out ERROR: $* (fatal)"
+    fi
     exit 1;
 }
 
 error () {
     echo "$pgmname:" $* >&2
+    if [ "$silent" != "yes" ]; then
+        echo "$section_out ERROR: $*"
+    fi
     exit 1
 }
 
 info () {
+    setup_output
     echo "$pgmname:" $* >&2
+    if [ "$silent" != "yes" ]; then
+        echo "$section_out ____ $*"
+    fi
 }
 
 info_n () {
-    $echo_n "$pgmname:" $* >&2
+    setup_output
+    echo_n "$pgmname:" $* >&2
 }
 
 pass () {
+    setup_output
     echo "PASS: " $* >&2
     pass_count=`expr ${pass_count} + 1`
+    if [ "$silent" != "yes" ]; then
+        echo_n "$section_out PASS"
+        [ -n "$description" ] && echo_n " ($description)"
+        echo
+    fi
 }
 
 fail () {
+    setup_output
     echo "FAIL: " $* >&2
     fail_count=`expr ${fail_count} + 1`
+    if [ "$silent" != "yes" ]; then
+        echo_n "$section_out FAIL"
+        [ -n "$description" ] && echo_n " ($description)"
+        echo
+    fi
 }
 
 unresolved () {
+    setup_output
     echo "UNRESOLVED: " $* >&2
     unresolved_count=`expr ${unresolved_count} + 1`
+    if [ "$silent" != "yes" ]; then
+        echo_n "$section_out UNRESOLVED"
+        [ -n "$description" ] && echo_n " ($description)"
+        echo
+    fi
 }
 
 unsupported () {
+    setup_output
     echo "UNSUPPORTED: " $* >&2
     unsupported_count=`expr ${unsupported_count} + 1`
+    if [ "$silent" != "yes" ]; then
+        echo_n "$section_out UNSUPPORTED"
+        [ -n "$description" ] && echo_n " ($description)"
+        echo
+    fi
 }
 
 
 final_result () {
+    section=$first_section_set
     [ $pass_count = 0 ]        || info "$pass_count tests passed"
     [ $fail_count = 0 ]        || info "$fail_count tests failed"
     [ $unresolved_count = 0 ]  || info "$unresolved_count tests unresolved"
@@ -127,7 +170,10 @@ pass_count=0
 fail_count=0
 unresolved_count=0
 unsupported_count=0
-
+first_section_set=""
+section_out=""
+section=""
+description=""
 
 #trap cleanup SIGHUP SIGINT SIGQUIT
 exec 2> ${pgmname}.log
diff --git a/tests/pkits/delta-crls b/tests/pkits/delta-crls
new file mode 100644
index 000000000..2b912887b
--- /dev/null
+++ b/tests/pkits/delta-crls
@@ -0,0 +1,31 @@
+#!/bin/sh
+# delta-crls - PKITS Test 4.15                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.15
+description="Delta-CRLs"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/distribution-points b/tests/pkits/distribution-points
new file mode 100644
index 000000000..2d59fcdb3
--- /dev/null
+++ b/tests/pkits/distribution-points
@@ -0,0 +1,31 @@
+#!/bin/sh
+# distribution-points - PKITS Test 4.14                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.14
+description="Distribution Points"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/import-all-certs b/tests/pkits/import-all-certs
index 2d70d06df..8144d97be 100755
--- a/tests/pkits/import-all-certs
+++ b/tests/pkits/import-all-certs
@@ -1,11 +1,12 @@
 #!/bin/sh
-# Copyright (C) 2004 Free Software Foundation, Inc.   -*- sh -*-
+# import-all-certs - GnuPG import test                     -*- sh -*-
+# Copyright (C) 2004, 2008 Free Software Foundation, Inc. 
 #
 # This file is part of GnuPG.
 # 
 # GnuPG is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
+# the Free Software Foundation; either version 3 of the License, or
 # (at your option) any later version.
 # 
 # GnuPG is distributed in the hope that it will be useful,
@@ -14,16 +15,19 @@
 # GNU General Public License for more details.
 # 
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
-# USA.
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
 
 . ${srcdir:-.}/common.sh || exit 2
 
-while read flag dummy name; do 
-    case $flag in \#*) continue;; esac
-    [ -z "$flag" ] && continue;
+section=6
+description="GnuPG Import"
+info "Running $description tests"
 
+while read flag dummy section name; do 
+    case $flag in \#*) continue ;; esac
+    [ -z "$(echo $flag)" ] && continue;
+
+    description="import $name"
     if ${GPGSM} -q --import certs/$name ; then
         if [ "$flag" = 'p' ]; then
             pass "importing certificate \`$name' succeeded"
diff --git a/tests/pkits/import-all-certs.data b/tests/pkits/import-all-certs.data
index 18708aa61..597dbc0f9 100644
--- a/tests/pkits/import-all-certs.data
+++ b/tests/pkits/import-all-certs.data
@@ -1,490 +1,471 @@
 # The first column is for the basic import test, the second for a
-# validation test.
-
+# validation test, the third is the section number and th foruth the
+# filename of the certificate.
+   
 # Make sure that the root certificate is imported first
-p p TrustAnchorRootCertificate.crt
- 
-p p AllCertificatesNoPoliciesTest2EE.crt
-p p AllCertificatesSamePoliciesTest10EE.crt
-p p AllCertificatesSamePoliciesTest13EE.crt
-p p AllCertificatesanyPolicyTest11EE.crt
-p p AnyPolicyTest14EE.crt
-p p BadCRLIssuerNameCACert.crt
-p p BadCRLSignatureCACert.crt
-f f BadSignedCACert.crt
-p f BadnotAfterDateCACert.crt
-
-#  UTC: "470101120100Z" i.e. not before 2047-01-01
-p f BadnotBeforeDateCACert.crt
-
-p p BasicSelfIssuedCRLSigningKeyCACert.crt
- 
-#   For yet unknown reasons gpgsm claims a bad signature.
-? ? BasicSelfIssuedCRLSigningKeyCRLCert.crt
-   
-p p BasicSelfIssuedNewKeyCACert.crt
-
-#   For yet unknown reasons gpgsm claims a bad signature.
-? ? BasicSelfIssuedNewKeyOldWithNewCACert.crt
-
-p p BasicSelfIssuedOldKeyCACert.crt
-
-#   For yet unknown reasons gpgsm claims a bad signature.
-? ? BasicSelfIssuedOldKeyNewWithOldCACert.crt
-
-p p CPSPointerQualifierTest20EE.crt
-   
-u u DSACACert.crt
-u u DSAParametersInheritedCACert.crt
-   
-p p DifferentPoliciesTest12EE.crt
-p p DifferentPoliciesTest3EE.crt
-p p DifferentPoliciesTest4EE.crt
-p p DifferentPoliciesTest5EE.crt
-p p DifferentPoliciesTest7EE.crt
-p p DifferentPoliciesTest8EE.crt
-p p DifferentPoliciesTest9EE.crt
-p p GeneralizedTimeCRLnextUpdateCACert.crt
-p p GoodCACert.crt
-p p GoodsubCACert.crt
-
-# gpgsm: critical certificate extension 2.5.29.33 (policyMappings) 
-#        is not supported
-p u GoodsubCAPanyPolicyMapping1to2CACert.crt
-
-# fixme: gpgme does not fail for it.
-p f InvalidBadCRLIssuerNameTest5EE.crt
-
-p f InvalidBadCRLSignatureTest4EE.crt
-p f InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt
-
-f f InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt
-
-p f InvalidBasicSelfIssuedNewWithOldTest5EE.crt
-
-f f InvalidBasicSelfIssuedOldWithNewTest2EE.crt
-
-p f InvalidCASignatureTest2EE.crt
-
-p f InvalidCAnotAfterDateTest5EE.crt
-p f InvalidCAnotBeforeDateTest1EE.crt
-p f InvalidDNSnameConstraintsTest31EE.crt
-p f InvalidDNSnameConstraintsTest33EE.crt
-p f InvalidDNSnameConstraintsTest38EE.crt
-p f InvalidDNandRFC822nameConstraintsTest28EE.crt
-p f InvalidDNandRFC822nameConstraintsTest29EE.crt
-p f InvalidDNnameConstraintsTest10EE.crt
-p f InvalidDNnameConstraintsTest12EE.crt
-p f InvalidDNnameConstraintsTest13EE.crt
-p f InvalidDNnameConstraintsTest15EE.crt
-p f InvalidDNnameConstraintsTest16EE.crt
-p f InvalidDNnameConstraintsTest17EE.crt
-
-f f InvalidDNnameConstraintsTest20EE.crt
-
-p f InvalidDNnameConstraintsTest2EE.crt
-p f InvalidDNnameConstraintsTest3EE.crt
-p f InvalidDNnameConstraintsTest7EE.crt
-p f InvalidDNnameConstraintsTest8EE.crt
-p f InvalidDNnameConstraintsTest9EE.crt
-
-u u InvalidDSASignatureTest6EE.crt
-
-f f InvalidEESignatureTest3EE.crt
-
-p f InvalidEEnotAfterDateTest6EE.crt
-p f InvalidEEnotBeforeDateTest2EE.crt
-p f InvalidIDPwithindirectCRLTest23EE.crt
-p f InvalidIDPwithindirectCRLTest26EE.crt
-p f InvalidLongSerialNumberTest18EE.crt
-p f InvalidMappingFromanyPolicyTest7EE.crt
-p f InvalidMappingToanyPolicyTest8EE.crt
-p f InvalidMissingCRLTest1EE.crt
-p f InvalidMissingbasicConstraintsTest1EE.crt
-p f InvalidNameChainingOrderTest2EE.crt
-p f InvalidNameChainingTest1EE.crt
-p f InvalidNegativeSerialNumberTest15EE.crt
-p f InvalidOldCRLnextUpdateTest11EE.crt
-p f InvalidPolicyMappingTest10EE.crt
-p f InvalidPolicyMappingTest2EE.crt
-p f InvalidPolicyMappingTest4EE.crt
-p f InvalidRFC822nameConstraintsTest22EE.crt
-p f InvalidRFC822nameConstraintsTest24EE.crt
-p f InvalidRFC822nameConstraintsTest26EE.crt
-p f InvalidRevokedCATest2EE.crt
-p f InvalidRevokedEETest3EE.crt
-
-f f InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt
-
-p f InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt
-p f InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt
-p f InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt
-p f InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt
-p f InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt
-p f InvalidSelfIssuedpathLenConstraintTest16EE.crt
-p f InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt
-p f InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt
-
-f f InvalidSeparateCertificateandCRLKeysTest20EE.crt
-f f InvalidSeparateCertificateandCRLKeysTest21EE.crt
-
-p f InvalidURInameConstraintsTest35EE.crt
-p f InvalidURInameConstraintsTest37EE.crt
-p f InvalidUnknownCRLEntryExtensionTest8EE.crt
-p f InvalidUnknownCRLExtensionTest10EE.crt
-p f InvalidUnknownCRLExtensionTest9EE.crt
-p f InvalidUnknownCriticalCertificateExtensionTest2EE.crt
-p f InvalidWrongCRLTest6EE.crt
-p f InvalidcAFalseTest2EE.crt
-p f InvalidcAFalseTest3EE.crt
-p f InvalidcRLIssuerTest27EE.crt
-p f InvalidcRLIssuerTest31EE.crt
-p f InvalidcRLIssuerTest32EE.crt
-p f InvalidcRLIssuerTest34EE.crt
-p f InvalidcRLIssuerTest35EE.crt
-p f InvaliddeltaCRLIndicatorNoBaseTest1EE.crt
-p f InvaliddeltaCRLTest10EE.crt
-p f InvaliddeltaCRLTest3EE.crt
-p f InvaliddeltaCRLTest4EE.crt
-p f InvaliddeltaCRLTest6EE.crt
-p f InvaliddeltaCRLTest9EE.crt
-p f InvaliddistributionPointTest2EE.crt
-p f InvaliddistributionPointTest3EE.crt
-p f InvaliddistributionPointTest6EE.crt
-p f InvaliddistributionPointTest8EE.crt
-p f InvaliddistributionPointTest9EE.crt
-p f InvalidinhibitAnyPolicyTest1EE.crt
-p f InvalidinhibitAnyPolicyTest4EE.crt
-p f InvalidinhibitAnyPolicyTest5EE.crt
-p f InvalidinhibitAnyPolicyTest6EE.crt
-p f InvalidinhibitPolicyMappingTest1EE.crt
-p f InvalidinhibitPolicyMappingTest3EE.crt
-p f InvalidinhibitPolicyMappingTest5EE.crt
-p f InvalidinhibitPolicyMappingTest6EE.crt
-p f InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt
-p f InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt
-p f InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt
-p f InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt
-p f InvalidonlyContainsAttributeCertsTest14EE.crt
-p f InvalidonlyContainsCACertsTest12EE.crt
-p f InvalidonlyContainsUserCertsTest11EE.crt
-p f InvalidonlySomeReasonsTest15EE.crt
-p f InvalidonlySomeReasonsTest16EE.crt
-p f InvalidonlySomeReasonsTest17EE.crt
-p f InvalidonlySomeReasonsTest20EE.crt
-p f InvalidonlySomeReasonsTest21EE.crt
-p f InvalidpathLenConstraintTest10EE.crt
-p f InvalidpathLenConstraintTest11EE.crt
-p f InvalidpathLenConstraintTest12EE.crt
-p f InvalidpathLenConstraintTest5EE.crt
-p f InvalidpathLenConstraintTest6EE.crt
-p f InvalidpathLenConstraintTest9EE.crt
-p f Invalidpre2000CRLnextUpdateTest12EE.crt
-p f Invalidpre2000UTCEEnotAfterDateTest7EE.crt
-p f InvalidrequireExplicitPolicyTest3EE.crt
-p f InvalidrequireExplicitPolicyTest5EE.crt
-p p LongSerialNumberCACert.crt
-p p Mapping1to2CACert.crt
-p p MappingFromanyPolicyCACert.crt
-p p MappingToanyPolicyCACert.crt
-p p MissingbasicConstraintsCACert.crt
-p p NameOrderingCACert.crt
-p p NegativeSerialNumberCACert.crt
-p p NoCRLCACert.crt
-p p NoPoliciesCACert.crt
-p p NoissuingDistributionPointCACert.crt
-p p OldCRLnextUpdateCACert.crt
-p p OverlappingPoliciesTest6EE.crt
-p p P12Mapping1to3CACert.crt
-p p P12Mapping1to3subCACert.crt
-p p P12Mapping1to3subsubCACert.crt
-p p P1Mapping1to234CACert.crt
-p p P1Mapping1to234subCACert.crt
-p p P1anyPolicyMapping1to2CACert.crt
-p p PanyPolicyMapping1to2CACert.crt
-p p PoliciesP1234CACert.crt
-p p PoliciesP1234subCAP123Cert.crt
-p p PoliciesP1234subsubCAP123P12Cert.crt
-p p PoliciesP123CACert.crt
-p p PoliciesP123subCAP12Cert.crt
-p p PoliciesP123subsubCAP12P1Cert.crt
-p p PoliciesP123subsubCAP12P2Cert.crt
-p p PoliciesP123subsubsubCAP12P2P1Cert.crt
-p p PoliciesP12CACert.crt
-p p PoliciesP12subCAP1Cert.crt
-p p PoliciesP12subsubCAP1P2Cert.crt
-p p PoliciesP2subCA2Cert.crt
-p p PoliciesP2subCACert.crt
-p p PoliciesP3CACert.crt
-p p RFC3280MandatoryAttributeTypesCACert.crt
-p p RFC3280OptionalAttributeTypesCACert.crt
-p p RevokedsubCACert.crt
-p p RolloverfromPrintableStringtoUTF8StringCACert.crt
-p p SeparateCertificateandCRLKeysCA2CRLSigningCert.crt
-p p SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt
-p p SeparateCertificateandCRLKeysCRLSigningCert.crt
-p p SeparateCertificateandCRLKeysCertificateSigningCACert.crt
-p p TwoCRLsCACert.crt
-p p UIDCACert.crt
-p p UTF8StringCaseInsensitiveMatchCACert.crt
-p p UTF8StringEncodedNamesCACert.crt
-p p UnknownCRLEntryExtensionCACert.crt
-p p UnknownCRLExtensionCACert.crt
-p p UserNoticeQualifierTest15EE.crt
-p p UserNoticeQualifierTest16EE.crt
-p p UserNoticeQualifierTest17EE.crt
-p p UserNoticeQualifierTest18EE.crt
-p p UserNoticeQualifierTest19EE.crt
-p p ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? ValidBasicSelfIssuedNewWithOldTest3EE.crt
-
-p p ValidBasicSelfIssuedNewWithOldTest4EE.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? ValidBasicSelfIssuedOldWithNewTest1EE.crt
-
-p p ValidCertificatePathTest1EE.crt
-p p ValidDNSnameConstraintsTest30EE.crt
-p p ValidDNSnameConstraintsTest32EE.crt
-p p ValidDNandRFC822nameConstraintsTest27EE.crt
-p p ValidDNnameConstraintsTest11EE.crt
-
+p p 6.1.5.1 TrustAnchorRootCertificate.crt
+   
+p p 6.1.5.168 AllCertificatesNoPoliciesTest2EE.crt
+p p 6.1.5.204 AllCertificatesSamePoliciesTest10EE.crt
+p p 6.1.5.211 AllCertificatesSamePoliciesTest13EE.crt
+p p 6.1.5.207 AllCertificatesanyPolicyTest11EE.crt
+p p 6.1.5.212 AnyPolicyTest14EE.crt
+p p 6.1.5.41 BadCRLIssuerNameCACert.crt
+p p 6.1.5.38 BadCRLSignatureCACert.crt
+f f 6.1.5.6 BadSignedCACert.crt
+p f 6.1.5.16 BadnotAfterDateCACert.crt
+   
+# UTC: "470101120100Z" i.e. not before 2047-01-01
+p f 6.1.5.10 BadnotBeforeDateCACert.crt
+   
+p p 6.1.5.88 BasicSelfIssuedCRLSigningKeyCACert.crt
+p p 6.1.5.90 BasicSelfIssuedCRLSigningKeyCRLCert.crt
+   
+p p 6.1.5.76 BasicSelfIssuedNewKeyCACert.crt
+p p 6.1.5.78 BasicSelfIssuedNewKeyOldWithNewCACert.crt
+p p 6.1.5.81 BasicSelfIssuedOldKeyCACert.crt
+p p 6.1.5.83 BasicSelfIssuedOldKeyNewWithOldCACert.crt
+   
+p p 6.1.5.218 CPSPointerQualifierTest20EE.crt
+   
+u u 6.1.5.572 DSACACert.crt
+u u 6.1.5.575 DSAParametersInheritedCACert.crt
+   
+p p 6.1.5.210 DifferentPoliciesTest12EE.crt
+p p 6.1.5.171 DifferentPoliciesTest3EE.crt
+p p 6.1.5.174 DifferentPoliciesTest4EE.crt
+p p 6.1.5.177 DifferentPoliciesTest5EE.crt
+p p 6.1.5.191 DifferentPoliciesTest7EE.crt
+p p 6.1.5.198 DifferentPoliciesTest8EE.crt
+p p 6.1.5.203 DifferentPoliciesTest9EE.crt
+p p 6.1.5.64 GeneralizedTimeCRLnextUpdateCACert.crt
+p p 6.1.5.3 GoodCACert.crt
+p p 6.1.5.172 GoodsubCACert.crt
+   
+# gpgsm: critical certificate extension 2.5.29.33 (policyMappings)
+# is not supported
+p u 6.1.5.300 GoodsubCAPanyPolicyMapping1to2CACert.crt
+   
+p f 6.1.5.43 InvalidBadCRLIssuerNameTest5EE.crt
+   
+p f 6.1.5.40 InvalidBadCRLSignatureTest4EE.crt
+p f 6.1.5.93 InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt
+   
+p f 6.1.5.94 InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt
+   
+p f 6.1.5.87 InvalidBasicSelfIssuedNewWithOldTest5EE.crt
+   
+p f 6.1.5.80 InvalidBasicSelfIssuedOldWithNewTest2EE.crt
+   
+p f 6.1.5.8 InvalidCASignatureTest2EE.crt
+   
+p f 6.1.5.18 InvalidCAnotAfterDateTest5EE.crt
+p f 6.1.5.12 InvalidCAnotBeforeDateTest1EE.crt
+p f 6.1.5.439 InvalidDNSnameConstraintsTest31EE.crt
+p f 6.1.5.443 InvalidDNSnameConstraintsTest33EE.crt
+p f 6.1.5.562 InvalidDNSnameConstraintsTest38EE.crt
+p f 6.1.5.434 InvalidDNandRFC822nameConstraintsTest28EE.crt
+p f 6.1.5.435 InvalidDNandRFC822nameConstraintsTest29EE.crt
+p f 6.1.5.399 InvalidDNnameConstraintsTest10EE.crt
+p f 6.1.5.403 InvalidDNnameConstraintsTest12EE.crt
+p f 6.1.5.406 InvalidDNnameConstraintsTest13EE.crt
+p f 6.1.5.410 InvalidDNnameConstraintsTest15EE.crt
+p f 6.1.5.411 InvalidDNnameConstraintsTest16EE.crt
+p f 6.1.5.414 InvalidDNnameConstraintsTest17EE.crt
+   
+p f 6.1.5.418 InvalidDNnameConstraintsTest20EE.crt
+   
+p f 6.1.5.383 InvalidDNnameConstraintsTest2EE.crt
+p f 6.1.5.384 InvalidDNnameConstraintsTest3EE.crt
+p f 6.1.5.392 InvalidDNnameConstraintsTest7EE.crt
+p f 6.1.5.395 InvalidDNnameConstraintsTest8EE.crt
+p f 6.1.5.396 InvalidDNnameConstraintsTest9EE.crt
+   
+u u 6.1.5.578 InvalidDSASignatureTest6EE.crt
+   
+f f 6.1.5.9 InvalidEESignatureTest3EE.crt
+   
+p f 6.1.5.19 InvalidEEnotAfterDateTest6EE.crt
+p f 6.1.5.13 InvalidEEnotBeforeDateTest2EE.crt
+p f 6.1.5.500 InvalidIDPwithindirectCRLTest23EE.crt
+p f 6.1.5.504 InvalidIDPwithindirectCRLTest26EE.crt
+p f 6.1.5.75 InvalidLongSerialNumberTest18EE.crt
+p f 6.1.5.293 InvalidMappingFromanyPolicyTest7EE.crt
+p f 6.1.5.296 InvalidMappingToanyPolicyTest8EE.crt
+p f 6.1.5.33 InvalidMissingCRLTest1EE.crt
+p f 6.1.5.97 InvalidMissingbasicConstraintsTest1EE.crt
+p f 6.1.5.25 InvalidNameChainingOrderTest2EE.crt
+p f 6.1.5.22 InvalidNameChainingTest1EE.crt
+p f 6.1.5.70 InvalidNegativeSerialNumberTest15EE.crt
+p f 6.1.5.60 InvalidOldCRLnextUpdateTest11EE.crt
+p f 6.1.5.302 InvalidPolicyMappingTest10EE.crt
+p f 6.1.5.276 InvalidPolicyMappingTest2EE.crt
+p f 6.1.5.284 InvalidPolicyMappingTest4EE.crt
+p f 6.1.5.422 InvalidRFC822nameConstraintsTest22EE.crt
+p f 6.1.5.426 InvalidRFC822nameConstraintsTest24EE.crt
+p f 6.1.5.430 InvalidRFC822nameConstraintsTest26EE.crt
+p f 6.1.5.36 InvalidRevokedCATest2EE.crt
+p f 6.1.5.37 InvalidRevokedEETest3EE.crt
+   
+p f 6.1.5.379 InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt
+   
+p f 6.1.5.376 InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt
+p f 6.1.5.348 InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt
+p f 6.1.5.349 InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt
+p f 6.1.5.345 InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt
+p f 6.1.5.346 InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt
+p f 6.1.5.143 InvalidSelfIssuedpathLenConstraintTest16EE.crt
+p f 6.1.5.270 InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt
+p f 6.1.5.272 InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt
+   
+p f 6.1.5.567 InvalidSeparateCertificateandCRLKeysTest20EE.crt
+p f 6.1.5.571 InvalidSeparateCertificateandCRLKeysTest21EE.crt
+   
+p f 6.1.5.447 InvalidURInameConstraintsTest35EE.crt
+p f 6.1.5.451 InvalidURInameConstraintsTest37EE.crt
+p f 6.1.5.53 InvalidUnknownCRLEntryExtensionTest8EE.crt
+p f 6.1.5.57 InvalidUnknownCRLExtensionTest10EE.crt
+p f 6.1.5.56 InvalidUnknownCRLExtensionTest9EE.crt
+p f 6.1.5.546 InvalidUnknownCriticalCertificateExtensionTest2EE.crt
+p f 6.1.5.46 InvalidWrongCRLTest6EE.crt
+p f 6.1.5.100 InvalidcAFalseTest2EE.crt
+p f 6.1.5.103 InvalidcAFalseTest3EE.crt
+p f 6.1.5.505 InvalidcRLIssuerTest27EE.crt
+p f 6.1.5.519 InvalidcRLIssuerTest31EE.crt
+p f 6.1.5.520 InvalidcRLIssuerTest32EE.crt
+p f 6.1.5.522 InvalidcRLIssuerTest34EE.crt
+p f 6.1.5.523 InvalidcRLIssuerTest35EE.crt
+p f 6.1.5.526 InvaliddeltaCRLIndicatorNoBaseTest1EE.crt
+p f 6.1.5.544 InvaliddeltaCRLTest10EE.crt
+p f 6.1.5.531 InvaliddeltaCRLTest3EE.crt
+p f 6.1.5.532 InvaliddeltaCRLTest4EE.crt
+p f 6.1.5.534 InvaliddeltaCRLTest6EE.crt
+p f 6.1.5.540 InvaliddeltaCRLTest9EE.crt
+p f 6.1.5.455 InvaliddistributionPointTest2EE.crt
+p f 6.1.5.456 InvaliddistributionPointTest3EE.crt
+p f 6.1.5.461 InvaliddistributionPointTest6EE.crt
+p f 6.1.5.463 InvaliddistributionPointTest8EE.crt
+p f 6.1.5.464 InvaliddistributionPointTest9EE.crt
+p f 6.1.5.352 InvalidinhibitAnyPolicyTest1EE.crt
+p f 6.1.5.359 InvalidinhibitAnyPolicyTest4EE.crt
+p f 6.1.5.366 InvalidinhibitAnyPolicyTest5EE.crt
+p f 6.1.5.369 InvalidinhibitAnyPolicyTest6EE.crt
+p f 6.1.5.313 InvalidinhibitPolicyMappingTest1EE.crt
+p f 6.1.5.321 InvalidinhibitPolicyMappingTest3EE.crt
+p f 6.1.5.331 InvalidinhibitPolicyMappingTest5EE.crt
+p f 6.1.5.336 InvalidinhibitPolicyMappingTest6EE.crt
+p f 6.1.5.162 InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt
+p f 6.1.5.153 InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt
+p f 6.1.5.165 InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt
+p f 6.1.5.156 InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt
+p f 6.1.5.477 InvalidonlyContainsAttributeCertsTest14EE.crt
+p f 6.1.5.473 InvalidonlyContainsCACertsTest12EE.crt
+p f 6.1.5.470 InvalidonlyContainsUserCertsTest11EE.crt
+p f 6.1.5.481 InvalidonlySomeReasonsTest15EE.crt
+p f 6.1.5.482 InvalidonlySomeReasonsTest16EE.crt
+p f 6.1.5.486 InvalidonlySomeReasonsTest17EE.crt
+p f 6.1.5.495 InvalidonlySomeReasonsTest20EE.crt
+p f 6.1.5.496 InvalidonlySomeReasonsTest21EE.crt
+p f 6.1.5.122 InvalidpathLenConstraintTest10EE.crt
+p f 6.1.5.129 InvalidpathLenConstraintTest11EE.crt
+p f 6.1.5.130 InvalidpathLenConstraintTest12EE.crt
+p f 6.1.5.111 InvalidpathLenConstraintTest5EE.crt
+p f 6.1.5.112 InvalidpathLenConstraintTest6EE.crt
+p f 6.1.5.121 InvalidpathLenConstraintTest9EE.crt
+p f 6.1.5.63 Invalidpre2000CRLnextUpdateTest12EE.crt
+p f 6.1.5.20 Invalidpre2000UTCEEnotAfterDateTest7EE.crt
+p f 6.1.5.245 InvalidrequireExplicitPolicyTest3EE.crt
+p f 6.1.5.263 InvalidrequireExplicitPolicyTest5EE.crt
+p p 6.1.5.71 LongSerialNumberCACert.crt
+p p 6.1.5.273 Mapping1to2CACert.crt
+p p 6.1.5.291 MappingFromanyPolicyCACert.crt
+p p 6.1.5.294 MappingToanyPolicyCACert.crt
+p p 6.1.5.95 MissingbasicConstraintsCACert.crt
+p p 6.1.5.23 NameOrderingCACert.crt
+p p 6.1.5.67 NegativeSerialNumberCACert.crt
+p p 6.1.5.32 NoCRLCACert.crt
+p p 6.1.5.166 NoPoliciesCACert.crt
+p p 6.1.5.465 NoissuingDistributionPointCACert.crt
+p p 6.1.5.58 OldCRLnextUpdateCACert.crt
+p p 6.1.5.184 OverlappingPoliciesTest6EE.crt
+p p 6.1.5.277 P12Mapping1to3CACert.crt
+p p 6.1.5.279 P12Mapping1to3subCACert.crt
+p p 6.1.5.281 P12Mapping1to3subsubCACert.crt
+p p 6.1.5.285 P1Mapping1to234CACert.crt
+p p 6.1.5.287 P1Mapping1to234subCACert.crt
+p p 6.1.5.305 P1anyPolicyMapping1to2CACert.crt
+p p 6.1.5.297 PanyPolicyMapping1to2CACert.crt
+p p 6.1.5.178 PoliciesP1234CACert.crt
+p p 6.1.5.180 PoliciesP1234subCAP123Cert.crt
+p p 6.1.5.182 PoliciesP1234subsubCAP123P12Cert.crt
+p p 6.1.5.185 PoliciesP123CACert.crt
+p p 6.1.5.187 PoliciesP123subCAP12Cert.crt
+p p 6.1.5.189 PoliciesP123subsubCAP12P1Cert.crt
+p p 6.1.5.199 PoliciesP123subsubCAP12P2Cert.crt
+p p 6.1.5.201 PoliciesP123subsubsubCAP12P2P1Cert.crt
+p p 6.1.5.192 PoliciesP12CACert.crt
+p p 6.1.5.194 PoliciesP12subCAP1Cert.crt
+p p 6.1.5.196 PoliciesP12subsubCAP1P2Cert.crt
+p p 6.1.5.175 PoliciesP2subCA2Cert.crt
+p p 6.1.5.169 PoliciesP2subCACert.crt
+p p 6.1.5.208 PoliciesP3CACert.crt
+p p 6.1.5.547 RFC3280MandatoryAttributeTypesCACert.crt
+p p 6.1.5.550 RFC3280OptionalAttributeTypesCACert.crt
+p p 6.1.5.34 RevokedsubCACert.crt
+p p 6.1.5.556 RolloverfromPrintableStringtoUTF8StringCACert.crt
+p p 6.1.5.569 SeparateCertificateandCRLKeysCA2CRLSigningCert.crt
+p p 6.1.5.568 SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt
+p p 6.1.5.564 SeparateCertificateandCRLKeysCRLSigningCert.crt
+p p 6.1.5.563 SeparateCertificateandCRLKeysCertificateSigningCACert.crt
+p p 6.1.5.47 TwoCRLsCACert.crt
+p p 6.1.5.29 UIDCACert.crt
+p p 6.1.5.559 UTF8StringCaseInsensitiveMatchCACert.crt
+p p 6.1.5.553 UTF8StringEncodedNamesCACert.crt
+p p 6.1.5.51 UnknownCRLEntryExtensionCACert.crt
+p p 6.1.5.54 UnknownCRLExtensionCACert.crt
+p p 6.1.5.213 UserNoticeQualifierTest15EE.crt
+p p 6.1.5.214 UserNoticeQualifierTest16EE.crt
+p p 6.1.5.215 UserNoticeQualifierTest17EE.crt
+p p 6.1.5.216 UserNoticeQualifierTest18EE.crt
+p p 6.1.5.217 UserNoticeQualifierTest19EE.crt
+p p 6.1.5.92 ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt
+   
+p p 6.1.5.85 ValidBasicSelfIssuedNewWithOldTest3EE.crt
+p p 6.1.5.86 ValidBasicSelfIssuedNewWithOldTest4EE.crt
+p p 6.1.5.79 ValidBasicSelfIssuedOldWithNewTest1EE.crt
+   
+p p 6.1.5.5 ValidCertificatePathTest1EE.crt
+p p 6.1.5.438 ValidDNSnameConstraintsTest30EE.crt
+p p 6.1.5.442 ValidDNSnameConstraintsTest32EE.crt
+p p 6.1.5.433 ValidDNandRFC822nameConstraintsTest27EE.crt
+p p 6.1.5.400 ValidDNnameConstraintsTest11EE.crt
+   
 # This certificate has an empty subject sequence.  Our parser does not
 # support this yet and it is unlikely that gpgsm will be able to cope
 # with it at all.
-u u ValidDNnameConstraintsTest14EE.crt
-
-p p ValidDNnameConstraintsTest18EE.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? ValidDNnameConstraintsTest19EE.crt
-
-p p ValidDNnameConstraintsTest1EE.crt
-p p ValidDNnameConstraintsTest4EE.crt
-p p ValidDNnameConstraintsTest5EE.crt
-p p ValidDNnameConstraintsTest6EE.crt
-
-u p ValidDSAParameterInheritanceTest5EE.crt
-u p ValidDSASignaturesTest4EE.crt
-
-p p ValidGeneralizedTimeCRLnextUpdateTest13EE.crt
-p p ValidGeneralizedTimenotAfterDateTest8EE.crt
-p p ValidGeneralizedTimenotBeforeDateTest4EE.crt
-p p ValidIDPwithindirectCRLTest22EE.crt
-p p ValidIDPwithindirectCRLTest24EE.crt
-p p ValidIDPwithindirectCRLTest25EE.crt
-p p ValidLongSerialNumberTest16EE.crt
-p p ValidLongSerialNumberTest17EE.crt
-p p ValidNameChainingCapitalizationTest5EE.crt
-p p ValidNameChainingWhitespaceTest3EE.crt
-p p ValidNameChainingWhitespaceTest4EE.crt
-p p ValidNameUIDsTest6EE.crt
-p p ValidNegativeSerialNumberTest14EE.crt
-p p ValidNoissuingDistributionPointTest10EE.crt
-p p ValidPolicyMappingTest11EE.crt
-p p ValidPolicyMappingTest12EE.crt
-p p ValidPolicyMappingTest13EE.crt
-p p ValidPolicyMappingTest14EE.crt
-p p ValidPolicyMappingTest1EE.crt
-p p ValidPolicyMappingTest3EE.crt
-p p ValidPolicyMappingTest5EE.crt
-p p ValidPolicyMappingTest6EE.crt
-p p ValidPolicyMappingTest9EE.crt
-p p ValidRFC3280MandatoryAttributeTypesTest7EE.crt
-p p ValidRFC3280OptionalAttributeTypesTest8EE.crt
-p p ValidRFC822nameConstraintsTest21EE.crt
-p p ValidRFC822nameConstraintsTest23EE.crt
-p p ValidRFC822nameConstraintsTest25EE.crt
-p p ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt
-p p ValidSelfIssuedinhibitAnyPolicyTest7EE.crt
-p p ValidSelfIssuedinhibitAnyPolicyTest9EE.crt
-p p ValidSelfIssuedinhibitPolicyMappingTest7EE.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? ValidSelfIssuedpathLenConstraintTest15EE.crt
-
-p p ValidSelfIssuedpathLenConstraintTest17EE.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? ValidSelfIssuedrequireExplicitPolicyTest6EE.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? ValidSeparateCertificateandCRLKeysTest19EE.crt
-
-p p ValidTwoCRLsTest7EE.crt
-p p ValidURInameConstraintsTest34EE.crt
-p p ValidURInameConstraintsTest36EE.crt
-p p ValidUTF8StringCaseInsensitiveMatchTest11EE.crt
-p p ValidUTF8StringEncodedNamesTest9EE.crt
-p p ValidUnknownNotCriticalCertificateExtensionTest1EE.crt
-p p ValidbasicConstraintsNotCriticalTest4EE.crt
-p p ValidcRLIssuerTest28EE.crt
-p p ValidcRLIssuerTest29EE.crt
-p p ValidcRLIssuerTest30EE.crt
-p p ValidcRLIssuerTest33EE.crt
-p p ValiddeltaCRLTest2EE.crt
-p p ValiddeltaCRLTest5EE.crt
-p p ValiddeltaCRLTest7EE.crt
-p p ValiddeltaCRLTest8EE.crt
-p p ValiddistributionPointTest1EE.crt
-p p ValiddistributionPointTest4EE.crt
-p p ValiddistributionPointTest5EE.crt
-p p ValiddistributionPointTest7EE.crt
-p p ValidinhibitAnyPolicyTest2EE.crt
-p p ValidinhibitPolicyMappingTest2EE.crt
-p p ValidinhibitPolicyMappingTest4EE.crt
-p p ValidkeyUsageNotCriticalTest3EE.crt
-p p ValidonlyContainsCACertsTest13EE.crt
-p p ValidonlySomeReasonsTest18EE.crt
-p p ValidonlySomeReasonsTest19EE.crt
-p p ValidpathLenConstraintTest13EE.crt
-p p ValidpathLenConstraintTest14EE.crt
-p p ValidpathLenConstraintTest7EE.crt
-p p ValidpathLenConstraintTest8EE.crt
-p p Validpre2000UTCnotBeforeDateTest3EE.crt
-p p ValidrequireExplicitPolicyTest1EE.crt
-p p ValidrequireExplicitPolicyTest2EE.crt
-p p ValidrequireExplicitPolicyTest4EE.crt
-p p WrongCRLCACert.crt
-p p anyPolicyCACert.crt
-p p basicConstraintsCriticalcAFalseCACert.crt
-p p basicConstraintsNotCriticalCACert.crt
-p p basicConstraintsNotCriticalcAFalseCACert.crt
-p p deltaCRLCA1Cert.crt
-p p deltaCRLCA2Cert.crt
-p p deltaCRLCA3Cert.crt
-p p deltaCRLIndicatorNoBaseCACert.crt
-p p distributionPoint1CACert.crt
-p p distributionPoint2CACert.crt
-p p indirectCRLCA1Cert.crt
-p p indirectCRLCA2Cert.crt
-p p indirectCRLCA3Cert.crt
-p p indirectCRLCA3cRLIssuerCert.crt
-p p indirectCRLCA4Cert.crt
-p p indirectCRLCA4cRLIssuerCert.crt
-p p indirectCRLCA5Cert.crt
-p p indirectCRLCA6Cert.crt
-p p inhibitAnyPolicy0CACert.crt
-p p inhibitAnyPolicy1CACert.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? inhibitAnyPolicy1SelfIssuedCACert.crt
-? ? inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt
-
-p p inhibitAnyPolicy1subCA1Cert.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? inhibitAnyPolicy1subCA2Cert.crt
-
-p p inhibitAnyPolicy1subCAIAP5Cert.crt
-p p inhibitAnyPolicy1subsubCA2Cert.crt
-p p inhibitAnyPolicy5CACert.crt
-p p inhibitAnyPolicy5subCACert.crt
-p p inhibitAnyPolicy5subsubCACert.crt
-p p inhibitAnyPolicyTest3EE.crt
-p p inhibitPolicyMapping0CACert.crt
-p p inhibitPolicyMapping0subCACert.crt
-p p inhibitPolicyMapping1P12CACert.crt
-p p inhibitPolicyMapping1P12subCACert.crt
-p p inhibitPolicyMapping1P12subCAIPM5Cert.crt
-p p inhibitPolicyMapping1P12subsubCACert.crt
-p p inhibitPolicyMapping1P12subsubCAIPM5Cert.crt
-p p inhibitPolicyMapping1P1CACert.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? inhibitPolicyMapping1P1SelfIssuedCACert.crt
-? ? inhibitPolicyMapping1P1SelfIssuedsubCACert.crt
-? ? inhibitPolicyMapping1P1subCACert.crt
-
-p p inhibitPolicyMapping1P1subsubCACert.crt
-p p inhibitPolicyMapping5CACert.crt
-p p inhibitPolicyMapping5subCACert.crt
-p p inhibitPolicyMapping5subsubCACert.crt
-p p inhibitPolicyMapping5subsubsubCACert.crt
-p p keyUsageCriticalcRLSignFalseCACert.crt
-p p keyUsageCriticalkeyCertSignFalseCACert.crt
-p p keyUsageNotCriticalCACert.crt
-p p keyUsageNotCriticalcRLSignFalseCACert.crt
-p p keyUsageNotCriticalkeyCertSignFalseCACert.crt
-p p nameConstraintsDN1CACert.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? nameConstraintsDN1SelfIssuedCACert.crt
-
-p p nameConstraintsDN1subCA1Cert.crt
-p p nameConstraintsDN1subCA2Cert.crt
-p p nameConstraintsDN1subCA3Cert.crt
-p p nameConstraintsDN2CACert.crt
-p p nameConstraintsDN3CACert.crt
-p p nameConstraintsDN3subCA1Cert.crt
-p p nameConstraintsDN3subCA2Cert.crt
-p p nameConstraintsDN4CACert.crt
-p p nameConstraintsDN5CACert.crt
-p p nameConstraintsDNS1CACert.crt
-p p nameConstraintsDNS2CACert.crt
-p p nameConstraintsRFC822CA1Cert.crt
-p p nameConstraintsRFC822CA2Cert.crt
-p p nameConstraintsRFC822CA3Cert.crt
-p p nameConstraintsURI1CACert.crt
-p p nameConstraintsURI2CACert.crt
-p p onlyContainsAttributeCertsCACert.crt
-p p onlyContainsCACertsCACert.crt
-p p onlyContainsUserCertsCACert.crt
-p p onlySomeReasonsCA1Cert.crt
-p p onlySomeReasonsCA2Cert.crt
-p p onlySomeReasonsCA3Cert.crt
-p p onlySomeReasonsCA4Cert.crt
-p p pathLenConstraint0CACert.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? pathLenConstraint0SelfIssuedCACert.crt
-? ? pathLenConstraint0subCA2Cert.crt
-
-p p pathLenConstraint0subCACert.crt
-p p pathLenConstraint1CACert.crt
-
+u u 6.1.5.407 ValidDNnameConstraintsTest14EE.crt
+   
+p p 6.1.5.415 ValidDNnameConstraintsTest18EE.crt
+p p 6.1.5.417 ValidDNnameConstraintsTest19EE.crt
+   
+p p 6.1.5.382 ValidDNnameConstraintsTest1EE.crt
+p p 6.1.5.385 ValidDNnameConstraintsTest4EE.crt
+p p 6.1.5.388 ValidDNnameConstraintsTest5EE.crt
+p p 6.1.5.391 ValidDNnameConstraintsTest6EE.crt
+   
+u p 6.1.5.577 ValidDSAParameterInheritanceTest5EE.crt
+u p 6.1.5.574 ValidDSASignaturesTest4EE.crt
+   
+p p 6.1.5.66 ValidGeneralizedTimeCRLnextUpdateTest13EE.crt
+p p 6.1.5.21 ValidGeneralizedTimenotAfterDateTest8EE.crt
+p p 6.1.5.15 ValidGeneralizedTimenotBeforeDateTest4EE.crt
+p p 6.1.5.499 ValidIDPwithindirectCRLTest22EE.crt
+p p 6.1.5.502 ValidIDPwithindirectCRLTest24EE.crt
+p p 6.1.5.503 ValidIDPwithindirectCRLTest25EE.crt
+p p 6.1.5.73 ValidLongSerialNumberTest16EE.crt
+p p 6.1.5.74 ValidLongSerialNumberTest17EE.crt
+p p 6.1.5.28 ValidNameChainingCapitalizationTest5EE.crt
+p p 6.1.5.26 ValidNameChainingWhitespaceTest3EE.crt
+p p 6.1.5.27 ValidNameChainingWhitespaceTest4EE.crt
+p p 6.1.5.31 ValidNameUIDsTest6EE.crt
+p p 6.1.5.69 ValidNegativeSerialNumberTest14EE.crt
+p p 6.1.5.467 ValidNoissuingDistributionPointTest10EE.crt
+p p 6.1.5.303 ValidPolicyMappingTest11EE.crt
+p p 6.1.5.304 ValidPolicyMappingTest12EE.crt
+p p 6.1.5.307 ValidPolicyMappingTest13EE.crt
+p p 6.1.5.308 ValidPolicyMappingTest14EE.crt
+p p 6.1.5.275 ValidPolicyMappingTest1EE.crt
+p p 6.1.5.283 ValidPolicyMappingTest3EE.crt
+p p 6.1.5.289 ValidPolicyMappingTest5EE.crt
+p p 6.1.5.290 ValidPolicyMappingTest6EE.crt
+p p 6.1.5.299 ValidPolicyMappingTest9EE.crt
+p p 6.1.5.549 ValidRFC3280MandatoryAttributeTypesTest7EE.crt
+p p 6.1.5.552 ValidRFC3280OptionalAttributeTypesTest8EE.crt
+p p 6.1.5.421 ValidRFC822nameConstraintsTest21EE.crt
+p p 6.1.5.425 ValidRFC822nameConstraintsTest23EE.crt
+p p 6.1.5.429 ValidRFC822nameConstraintsTest25EE.crt
+p p 6.1.5.558 ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt
+p p 6.1.5.373 ValidSelfIssuedinhibitAnyPolicyTest7EE.crt
+   
+p p 6.1.5.378 ValidSelfIssuedinhibitAnyPolicyTest9EE.crt
+   
+p p 6.1.5.342 ValidSelfIssuedinhibitPolicyMappingTest7EE.crt
+   
+p ? 6.1.5.140 ValidSelfIssuedpathLenConstraintTest15EE.crt
+   
+p p 6.1.5.150 ValidSelfIssuedpathLenConstraintTest17EE.crt
+   
+p ? 6.1.5.267 ValidSelfIssuedrequireExplicitPolicyTest6EE.crt
+   
+p ? 6.1.5.566 ValidSeparateCertificateandCRLKeysTest19EE.crt
+   
+p p 6.1.5.50 ValidTwoCRLsTest7EE.crt
+p p 6.1.5.446 ValidURInameConstraintsTest34EE.crt
+p p 6.1.5.450 ValidURInameConstraintsTest36EE.crt
+p p 6.1.5.561 ValidUTF8StringCaseInsensitiveMatchTest11EE.crt
+p p 6.1.5.555 ValidUTF8StringEncodedNamesTest9EE.crt
+p p 6.1.5.545 ValidUnknownNotCriticalCertificateExtensionTest1EE.crt
+p p 6.1.5.106 ValidbasicConstraintsNotCriticalTest4EE.crt
+p p 6.1.5.510 ValidcRLIssuerTest28EE.crt
+p p 6.1.5.511 ValidcRLIssuerTest29EE.crt
+p p 6.1.5.515 ValidcRLIssuerTest30EE.crt
+p p 6.1.5.521 ValidcRLIssuerTest33EE.crt
+p p 6.1.5.530 ValiddeltaCRLTest2EE.crt
+p p 6.1.5.533 ValiddeltaCRLTest5EE.crt
+p p 6.1.5.535 ValiddeltaCRLTest7EE.crt
+p p 6.1.5.539 ValiddeltaCRLTest8EE.crt
+p p 6.1.5.454 ValiddistributionPointTest1EE.crt
+p p 6.1.5.457 ValiddistributionPointTest4EE.crt
+p p 6.1.5.460 ValiddistributionPointTest5EE.crt
+p p 6.1.5.462 ValiddistributionPointTest7EE.crt
+p p 6.1.5.353 ValidinhibitAnyPolicyTest2EE.crt
+p p 6.1.5.318 ValidinhibitPolicyMappingTest2EE.crt
+p p 6.1.5.322 ValidinhibitPolicyMappingTest4EE.crt
+p p 6.1.5.159 ValidkeyUsageNotCriticalTest3EE.crt
+p p 6.1.5.474 ValidonlyContainsCACertsTest13EE.crt
+p p 6.1.5.490 ValidonlySomeReasonsTest18EE.crt
+p p 6.1.5.494 ValidonlySomeReasonsTest19EE.crt
+p p 6.1.5.137 ValidpathLenConstraintTest13EE.crt
+p p 6.1.5.138 ValidpathLenConstraintTest14EE.crt
+p p 6.1.5.113 ValidpathLenConstraintTest7EE.crt
+p p 6.1.5.114 ValidpathLenConstraintTest8EE.crt
+p p 6.1.5.14 Validpre2000UTCnotBeforeDateTest3EE.crt
+p p 6.1.5.227 ValidrequireExplicitPolicyTest1EE.crt
+p p 6.1.5.236 ValidrequireExplicitPolicyTest2EE.crt
+p p 6.1.5.254 ValidrequireExplicitPolicyTest4EE.crt
+p p 6.1.5.44 WrongCRLCACert.crt
+p p 6.1.5.205 anyPolicyCACert.crt
+p p 6.1.5.98 basicConstraintsCriticalcAFalseCACert.crt
+p p 6.1.5.104 basicConstraintsNotCriticalCACert.crt
+p p 6.1.5.101 basicConstraintsNotCriticalcAFalseCACert.crt
+p p 6.1.5.527 deltaCRLCA1Cert.crt
+p p 6.1.5.536 deltaCRLCA2Cert.crt
+p p 6.1.5.541 deltaCRLCA3Cert.crt
+p p 6.1.5.524 deltaCRLIndicatorNoBaseCACert.crt
+p p 6.1.5.452 distributionPoint1CACert.crt
+p p 6.1.5.458 distributionPoint2CACert.crt
+p p 6.1.5.497 indirectCRLCA1Cert.crt
+p p 6.1.5.501 indirectCRLCA2Cert.crt
+p p 6.1.5.506 indirectCRLCA3Cert.crt
+p p 6.1.5.508 indirectCRLCA3cRLIssuerCert.crt
+p p 6.1.5.512 indirectCRLCA4Cert.crt
+p p 6.1.5.513 indirectCRLCA4cRLIssuerCert.crt
+p p 6.1.5.516 indirectCRLCA5Cert.crt
+p p 6.1.5.518 indirectCRLCA6Cert.crt
+p p 6.1.5.350 inhibitAnyPolicy0CACert.crt
+p p 6.1.5.354 inhibitAnyPolicy1CACert.crt
+   
+p ? 6.1.5.370 inhibitAnyPolicy1SelfIssuedCACert.crt
+p ? 6.1.5.377 inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt
+   
+p p 6.1.5.356 inhibitAnyPolicy1subCA1Cert.crt
+   
+? ? 6.1.5.371 inhibitAnyPolicy1subCA2Cert.crt
+   
+p p 6.1.5.367 inhibitAnyPolicy1subCAIAP5Cert.crt
+p p 6.1.5.374 inhibitAnyPolicy1subsubCA2Cert.crt
+p p 6.1.5.360 inhibitAnyPolicy5CACert.crt
+p p 6.1.5.362 inhibitAnyPolicy5subCACert.crt
+p p 6.1.5.364 inhibitAnyPolicy5subsubCACert.crt
+p p 6.1.5.358 inhibitAnyPolicyTest3EE.crt
+p p 6.1.5.309 inhibitPolicyMapping0CACert.crt
+p p 6.1.5.311 inhibitPolicyMapping0subCACert.crt
+p p 6.1.5.314 inhibitPolicyMapping1P12CACert.crt
+p p 6.1.5.316 inhibitPolicyMapping1P12subCACert.crt
+p p 6.1.5.332 inhibitPolicyMapping1P12subCAIPM5Cert.crt
+p p 6.1.5.319 inhibitPolicyMapping1P12subsubCACert.crt
+p p 6.1.5.334 inhibitPolicyMapping1P12subsubCAIPM5Cert.crt
+p p 6.1.5.337 inhibitPolicyMapping1P1CACert.crt
+   
 # For yet unknown reasons gpgsm claims a bad signature.
-? ? pathLenConstraint1SelfIssuedCACert.crt
-? ? pathLenConstraint1SelfIssuedsubCACert.crt
-? ? pathLenConstraint1subCACert.crt
-
-p p pathLenConstraint6CACert.crt
-p p pathLenConstraint6subCA0Cert.crt
-p p pathLenConstraint6subCA1Cert.crt
-p p pathLenConstraint6subCA4Cert.crt
-p p pathLenConstraint6subsubCA00Cert.crt
-p p pathLenConstraint6subsubCA11Cert.crt
-p p pathLenConstraint6subsubCA41Cert.crt
-p p pathLenConstraint6subsubsubCA11XCert.crt
-p p pathLenConstraint6subsubsubCA41XCert.crt
-p p pre2000CRLnextUpdateCACert.crt
-p p requireExplicitPolicy0CACert.crt
-p p requireExplicitPolicy0subCACert.crt
-p p requireExplicitPolicy0subsubCACert.crt
-p p requireExplicitPolicy0subsubsubCACert.crt
-p p requireExplicitPolicy10CACert.crt
-p p requireExplicitPolicy10subCACert.crt
-p p requireExplicitPolicy10subsubCACert.crt
-p p requireExplicitPolicy10subsubsubCACert.crt
-p p requireExplicitPolicy2CACert.crt
-
+? ? 6.1.5.339 inhibitPolicyMapping1P1SelfIssuedCACert.crt
+? ? 6.1.5.347 inhibitPolicyMapping1P1SelfIssuedsubCACert.crt
+? ? 6.1.5.340 inhibitPolicyMapping1P1subCACert.crt
+   
+p p 6.1.5.343 inhibitPolicyMapping1P1subsubCACert.crt
+p p 6.1.5.323 inhibitPolicyMapping5CACert.crt
+p p 6.1.5.325 inhibitPolicyMapping5subCACert.crt
+p p 6.1.5.327 inhibitPolicyMapping5subsubCACert.crt
+p p 6.1.5.329 inhibitPolicyMapping5subsubsubCACert.crt
+p p 6.1.5.160 keyUsageCriticalcRLSignFalseCACert.crt
+p p 6.1.5.151 keyUsageCriticalkeyCertSignFalseCACert.crt
+p p 6.1.5.157 keyUsageNotCriticalCACert.crt
+p p 6.1.5.163 keyUsageNotCriticalcRLSignFalseCACert.crt
+p p 6.1.5.154 keyUsageNotCriticalkeyCertSignFalseCACert.crt
+p p 6.1.5.380 nameConstraintsDN1CACert.crt
+   
+? ? 6.1.5.416 nameConstraintsDN1SelfIssuedCACert.crt
+   
+p p 6.1.5.401 nameConstraintsDN1subCA1Cert.crt
+p p 6.1.5.404 nameConstraintsDN1subCA2Cert.crt
+p p 6.1.5.431 nameConstraintsDN1subCA3Cert.crt
+p p 6.1.5.386 nameConstraintsDN2CACert.crt
+p p 6.1.5.389 nameConstraintsDN3CACert.crt
+p p 6.1.5.408 nameConstraintsDN3subCA1Cert.crt
+p p 6.1.5.412 nameConstraintsDN3subCA2Cert.crt
+p p 6.1.5.393 nameConstraintsDN4CACert.crt
+p p 6.1.5.397 nameConstraintsDN5CACert.crt
+p p 6.1.5.436 nameConstraintsDNS1CACert.crt
+p p 6.1.5.440 nameConstraintsDNS2CACert.crt
+p p 6.1.5.419 nameConstraintsRFC822CA1Cert.crt
+p p 6.1.5.423 nameConstraintsRFC822CA2Cert.crt
+p p 6.1.5.427 nameConstraintsRFC822CA3Cert.crt
+p p 6.1.5.444 nameConstraintsURI1CACert.crt
+p p 6.1.5.448 nameConstraintsURI2CACert.crt
+p p 6.1.5.475 onlyContainsAttributeCertsCACert.crt
+p p 6.1.5.471 onlyContainsCACertsCACert.crt
+p p 6.1.5.468 onlyContainsUserCertsCACert.crt
+p p 6.1.5.478 onlySomeReasonsCA1Cert.crt
+p p 6.1.5.483 onlySomeReasonsCA2Cert.crt
+p p 6.1.5.487 onlySomeReasonsCA3Cert.crt
+p p 6.1.5.491 onlySomeReasonsCA4Cert.crt
+p p 6.1.5.107 pathLenConstraint0CACert.crt
+   
+? ? 6.1.5.139 pathLenConstraint0SelfIssuedCACert.crt
+? ? 6.1.5.141 pathLenConstraint0subCA2Cert.crt
+   
+p p 6.1.5.109 pathLenConstraint0subCACert.crt
+p p 6.1.5.144 pathLenConstraint1CACert.crt
+   
+? ? 6.1.5.146 pathLenConstraint1SelfIssuedCACert.crt
+? ? 6.1.5.149 pathLenConstraint1SelfIssuedsubCACert.crt
+? ? 6.1.5.147 pathLenConstraint1subCACert.crt
+   
+p p 6.1.5.115 pathLenConstraint6CACert.crt
+p p 6.1.5.117 pathLenConstraint6subCA0Cert.crt
+p p 6.1.5.123 pathLenConstraint6subCA1Cert.crt
+p p 6.1.5.131 pathLenConstraint6subCA4Cert.crt
+p p 6.1.5.119 pathLenConstraint6subsubCA00Cert.crt
+p p 6.1.5.125 pathLenConstraint6subsubCA11Cert.crt
+p p 6.1.5.133 pathLenConstraint6subsubCA41Cert.crt
+p p 6.1.5.127 pathLenConstraint6subsubsubCA11XCert.crt
+p p 6.1.5.135 pathLenConstraint6subsubsubCA41XCert.crt
+p p 6.1.5.61 pre2000CRLnextUpdateCACert.crt
+p p 6.1.5.246 requireExplicitPolicy0CACert.crt
+p p 6.1.5.248 requireExplicitPolicy0subCACert.crt
+p p 6.1.5.250 requireExplicitPolicy0subsubCACert.crt
+p p 6.1.5.252 requireExplicitPolicy0subsubsubCACert.crt
+p p 6.1.5.219 requireExplicitPolicy10CACert.crt
+p p 6.1.5.221 requireExplicitPolicy10subCACert.crt
+p p 6.1.5.223 requireExplicitPolicy10subsubCACert.crt
+p p 6.1.5.225 requireExplicitPolicy10subsubsubCACert.crt
+p p 6.1.5.264 requireExplicitPolicy2CACert.crt
+   
 # For yet unknown reasons gpgsm claims a bad signature.
-? ? requireExplicitPolicy2SelfIssuedCACert.crt
-? ? requireExplicitPolicy2SelfIssuedsubCACert.crt
-? ? requireExplicitPolicy2subCACert.crt
-
-p p requireExplicitPolicy4CACert.crt
-p p requireExplicitPolicy4subCACert.crt
-p p requireExplicitPolicy4subsubCACert.crt
-p p requireExplicitPolicy4subsubsubCACert.crt
-p p requireExplicitPolicy5CACert.crt
-p p requireExplicitPolicy5subCACert.crt
-p p requireExplicitPolicy5subsubCACert.crt
-p p requireExplicitPolicy5subsubsubCACert.crt
-p p requireExplicitPolicy7CACert.crt
-p p requireExplicitPolicy7subCARE2Cert.crt
-p p requireExplicitPolicy7subsubCARE2RE4Cert.crt
-p p requireExplicitPolicy7subsubsubCARE2RE4Cert.crt
-
+? ? 6.1.5.266 requireExplicitPolicy2SelfIssuedCACert.crt
+? ? 6.1.5.271 requireExplicitPolicy2SelfIssuedsubCACert.crt
+? ? 6.1.5.268 requireExplicitPolicy2subCACert.crt
+   
+p p 6.1.5.237 requireExplicitPolicy4CACert.crt
+p p 6.1.5.239 requireExplicitPolicy4subCACert.crt
+p p 6.1.5.241 requireExplicitPolicy4subsubCACert.crt
+p p 6.1.5.243 requireExplicitPolicy4subsubsubCACert.crt
+p p 6.1.5.228 requireExplicitPolicy5CACert.crt
+p p 6.1.5.230 requireExplicitPolicy5subCACert.crt
+p p 6.1.5.232 requireExplicitPolicy5subsubCACert.crt
+p p 6.1.5.234 requireExplicitPolicy5subsubsubCACert.crt
+p p 6.1.5.255 requireExplicitPolicy7CACert.crt
+p p 6.1.5.257 requireExplicitPolicy7subCARE2Cert.crt
+p p 6.1.5.259 requireExplicitPolicy7subsubCARE2RE4Cert.crt
+p p 6.1.5.261 requireExplicitPolicy7subsubsubCARE2RE4Cert.crt
+   
diff --git a/tests/pkits/inhibit-any-policy b/tests/pkits/inhibit-any-policy
new file mode 100644
index 000000000..5e625e253
--- /dev/null
+++ b/tests/pkits/inhibit-any-policy
@@ -0,0 +1,31 @@
+#!/bin/sh
+# inhibit-any-policy - PKITS Test 4.12                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.12
+description="Inhibit Any Policy"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/inhibit-policy-mapping b/tests/pkits/inhibit-policy-mapping
new file mode 100644
index 000000000..1da5f3596
--- /dev/null
+++ b/tests/pkits/inhibit-policy-mapping
@@ -0,0 +1,31 @@
+#!/bin/sh
+# inhibit-policy-mapping - PKITS Test 4.11                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.11
+description="Inhibit Policy Mapping"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/inittests b/tests/pkits/inittests
index e5d136fd9..d9b47bc6d 100755
--- a/tests/pkits/inittests
+++ b/tests/pkits/inittests
@@ -74,7 +74,9 @@ no-secmem-warning
 no-greeting
 batch
 disable-crl-checks
+disable-dirmngr
 agent-program ../../agent/gpg-agent
+no-common-certs-import
 EOF
 
 # Fixme: we need to write a dummy pinentry program
diff --git a/tests/pkits/key-usage b/tests/pkits/key-usage
new file mode 100644
index 000000000..b830cc5ea
--- /dev/null
+++ b/tests/pkits/key-usage
@@ -0,0 +1,31 @@
+#!/bin/sh
+# key-usage - PKITS Test 4.7                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.7
+description="Key Usage"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/name-constraints b/tests/pkits/name-constraints
new file mode 100644
index 000000000..8e36c28d2
--- /dev/null
+++ b/tests/pkits/name-constraints
@@ -0,0 +1,31 @@
+#!/bin/sh
+# name-constraints - PKITS Test 4.13                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.13
+description="Name Constraints"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/policy-mappings b/tests/pkits/policy-mappings
new file mode 100644
index 000000000..8ce9ee871
--- /dev/null
+++ b/tests/pkits/policy-mappings
@@ -0,0 +1,31 @@
+#!/bin/sh
+# policy-mappings - PKITS Test 4.10                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.10
+description="Policy Mappings"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/private-certificate-extensions b/tests/pkits/private-certificate-extensions
new file mode 100644
index 000000000..43f342504
--- /dev/null
+++ b/tests/pkits/private-certificate-extensions
@@ -0,0 +1,31 @@
+#!/bin/sh
+# private-certificate-extensions - PKITS Test 4.16                 -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.16
+description="Private Certificate Extensions"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/require-explicit-policy b/tests/pkits/require-explicit-policy
new file mode 100644
index 000000000..ceb87bdb7
--- /dev/null
+++ b/tests/pkits/require-explicit-policy
@@ -0,0 +1,31 @@
+#!/bin/sh
+# require-explicit-policy - PKITS Test 4.9                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.9
+description="Require Explicit Policy"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/signature-verification b/tests/pkits/signature-verification
new file mode 100644
index 000000000..45bdcf7f2
--- /dev/null
+++ b/tests/pkits/signature-verification
@@ -0,0 +1,31 @@
+#!/bin/sh
+# signature-verification - PKITS Test 4.1                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.1
+description="Signature Verification"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/validate-all-certs b/tests/pkits/validate-all-certs
index 08f72af71..1c1856c49 100755
--- a/tests/pkits/validate-all-certs
+++ b/tests/pkits/validate-all-certs
@@ -1,12 +1,12 @@
 #!/bin/sh
-# validate-all-certs                                    -*- sh -*-
-# Copyright (C) 2004 Free Software Foundation, Inc.  
+# validate-all-certs - GnuPG import and validate tests       -*- sh -*-
+# Copyright (C) 2004, 2008 Free Software Foundation, Inc.  
 #
 # This file is part of GnuPG.
 # 
 # GnuPG is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
+# the Free Software Foundation; either version 3 of the License, or
 # (at your option) any later version.
 # 
 # GnuPG is distributed in the hope that it will be useful,
@@ -15,16 +15,19 @@
 # GNU General Public License for more details.
 # 
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
-# USA.
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
 
 . ${srcdir:-.}/common.sh || exit 2
 
-while read dummy flag name; do 
+section=6
+description="GnuPG Import with Validation"
+info "Running $description tests"
+
+while read dummy flag section name; do 
     case $dummy in \#*) continue;; esac
-    [ -z "$dummy" ] && continue;
+    [ -z "$(echo $dummy)" ] && continue;
 
+    description="import and validate $name"
     if ${GPGSM} -q --import --with-validation --disable-crl-checks \
              certs/$name ; then
         if [ "$flag" = 'p' ]; then
diff --git a/tests/pkits/validity-periods b/tests/pkits/validity-periods
new file mode 100644
index 000000000..df747533c
--- /dev/null
+++ b/tests/pkits/validity-periods
@@ -0,0 +1,31 @@
+#!/bin/sh
+# validity-periods - PKITS Test 4.2                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.2
+description="Validity Periods"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/verifying-basic-constraints b/tests/pkits/verifying-basic-constraints
new file mode 100644
index 000000000..0e052f359
--- /dev/null
+++ b/tests/pkits/verifying-basic-constraints
@@ -0,0 +1,31 @@
+#!/bin/sh
+# verifying-basic-constraints - PKITS Test 4.6                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.6
+description="Verifying Basic Constraints"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/verifying-name-chaining b/tests/pkits/verifying-name-chaining
new file mode 100644
index 000000000..9bdbb5918
--- /dev/null
+++ b/tests/pkits/verifying-name-chaining
@@ -0,0 +1,31 @@
+#!/bin/sh
+# verifying-name-chaining - PKITS Test 4.3                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.3
+description="Verifying Name Chaining"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/verifying-paths-self-issued b/tests/pkits/verifying-paths-self-issued
new file mode 100644
index 000000000..443d7adb9
--- /dev/null
+++ b/tests/pkits/verifying-paths-self-issued
@@ -0,0 +1,31 @@
+#!/bin/sh
+# verifying-paths-self-issued - PKITS Test 4.5                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.5
+description="Verifying Paths with Self-Issued Certificates"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c
index 813b6b935..86590eed2 100644
--- a/tools/gpgconf-comp.c
+++ b/tools/gpgconf-comp.c
@@ -715,6 +715,9 @@ static gc_option_t gc_options_gpgsm[] =
    { "prefer-system-dirmngr", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED,
      "gnupg", "use system's dirmngr if available",
      GC_ARG_TYPE_NONE, GC_BACKEND_GPGSM },
+   { "disable-dirmngr", GC_OPT_FLAG_NONE, GC_LEVEL_EXPERT,
+     "gnupg", N_("disable all access to the dirmngr"),
+     GC_ARG_TYPE_NONE, GC_BACKEND_GPGSM },
    { "p12-charset", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED,
      "gnupg", N_("|NAME|use encoding NAME for PKCS#12 passphrases"),
      GC_ARG_TYPE_STRING, GC_BACKEND_GPGSM },