Improve certificate chain construction.

Extend PKITS framework

24 files changed, 1126 insertions, 543 deletions

diff --git a/tests/pkits/ChangeLog b/tests/pkits/ChangeLog
index 084e6cec8..34ddfbfa7 100644
--- a/tests/pkits/ChangeLog
+++ b/tests/pkits/ChangeLog
@@ -1,3 +1,32 @@
+2008-02-19  Werner Koch  <wk@g10code.com>
+
+	* signature-verification: New.
+	* validity-periods: New.
+	* verifying-name-chaining: New.
+	* basic-certificate-revocation: New.
+	* verifying-paths-self-issued: New.
+	* verifying-basic-constraints: New.
+	* key-usage: New.
+	* certificate-policies: New.
+	* require-explicit-policy: New.
+	* policy-mappings: New.
+	* inhibit-policy-mapping: New.
+	* inhibit-any-policy: New.
+	* name-constraints: New.
+	* distribution-points: New.
+	* delta-crls: New.
+	* private-certificate-extensions: New.
+	* Makefile.am (testscripts): Add them.
+
+	* import-all-certs.data: Add section numbers.
+
+2008-02-18  Werner Koch  <wk@g10code.com>
+
+	* import-all-certs.data: Adjust import tests results.  Almost all
+	certificates should now be importable due to relaxed basic checks.
+
+	* inittests (clean_files): Disable all dirmngr access.
+
 2006-05-02  Werner Koch  <wk@g10code.com>
 
 	* PKITS_data.tar.bz2: Repackaged new copy becuase the old one got
@@ -7,7 +36,7 @@
 
 	Started implementing PKITS based tests.
 
-	
+
  Copyright 2004 Free Software Foundation, Inc.
 
  This file is free software; as a special exception the author gives
@@ -17,7 +46,3 @@
  This file is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
  implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
-	
-
-	
-
diff --git a/tests/pkits/Makefile.am b/tests/pkits/Makefile.am
index d53d35a25..268ad47a3 100644
--- a/tests/pkits/Makefile.am
+++ b/tests/pkits/Makefile.am
@@ -1,11 +1,11 @@
 # Makefile.am - tests using NIST's PKITS
-#     	Copyright (C) 2004 Free Software Foundation, Inc.
+#     	Copyright (C) 2004, 2008 Free Software Foundation, Inc.
 # 
 # This file is part of GnuPG.
 # 
 # GnuPG is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
+# the Free Software Foundation; either version 3 of the License, or
 # (at your option) any later version.
 # 
 # GnuPG is distributed in the hope that it will be useful,
@@ -14,40 +14,33 @@
 # GNU General Public License for more details.
 # 
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
-# USA.
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
 
 ## Process this file with automake to produce Makefile.in
 
 GPGSM = ../../sm/gpgsm
 
 TESTS_ENVIRONMENT = GNUPGHOME=`pwd` GPG_AGENT_INFO= LC_ALL=C GPGSM=$(GPGSM) \
-		    LD_LIBRARY_PATH=$$(seen=0; \
-                           for i in $(LDFLAGS) $(LIBGCRYPT_LIBS) $(PTH_LIBS); \
-                           do \
-                             if echo "$$i" | egrep '^-L' >/dev/null 2>&1; \
-                             then \
-                               if test $$seen = 0; \
-                               then \
-                                 seen=1; \
-                               else \
-                                 printf ":"; \
-                               fi; \
-                               printf "%s" "$${i}" | sed 's/^-L//'; \
-                             fi; \
-                           done; \
-                           if test $$seen != 0 \
-                              && test x$${LD_LIBRARY_PATH} != x; \
-                           then \
-                             printf ":"; \
-                           fi; \
-                           printf "%s" "$${LD_LIBRARY_PATH}") $(srcdir)/runtest
-
-
-
-testscripts = import-all-certs validate-all-certs
-
+		    silent=yes
+
+
+testscripts = import-all-certs validate-all-certs \
+	signature-verification        \
+	validity-periods              \
+	verifying-name-chaining       \
+	basic-certificate-revocation  \
+	verifying-paths-self-issued   \
+	verifying-basic-constraints   \
+	key-usage                     \
+	certificate-policies          \
+	require-explicit-policy       \
+	policy-mappings               \
+	inhibit-policy-mapping        \
+	inhibit-any-policy            \
+	name-constraints              \
+	distribution-points           \
+	delta-crls                    \
+	private-certificate-extensions
 
 
 EXTRA_DIST = PKITS_data.tar.bz2 inittests runtest $(testscripts) 
@@ -68,3 +61,11 @@ inittests.stamp: inittests
 	srcdir=$(srcdir) $(TESTS_ENVIRONMENT) $(srcdir)/inittests
 	echo timestamp >./inittests.stamp
 
+
+run-all-tests:
+	@set -e; \
+         GNUPGHOME=`pwd`; export GNUPGHOME;\
+         unset GPG_AGENT_INFO; \
+         for test in $(testscripts); do \
+           ./$${test} && true; \
+         done
diff --git a/tests/pkits/README b/tests/pkits/README
index 79678cf30..3fe238c6c 100644
--- a/tests/pkits/README
+++ b/tests/pkits/README
@@ -7,6 +7,31 @@ http://csrc.nist.gov/pki/testing/x509paths.html .
 README             - this file.
 PKITS_data.tar.bz2 - the orginal ZIP file, repackaged as a tarball.
 Makefile.am        - Part of our build system.
+import-all-certs   - Run a simple import test on all certifcates
+validate-all-certs - Run an import and validate test on all certificates
+signature-verification         - PKITS test 4.1  
+validity-periods               - PKITS test 4.2  
+verifying-name-chaining        - PKITS test 4.3  
+basic-certificate-revocation   - PKITS test 4.4  
+verifying-paths-self-issued    - PKITS test 4.5  
+verifying-basic-constraints    - PKITS test 4.6  
+key-usage                      - PKITS test 4.7  
+certificate-policies           - PKITS test 4.8  
+require-explicit-policy        - PKITS test 4.9  
+policy-mappings                - PKITS test 4.10 
+inhibit-policy-mapping         - PKITS test 4.11 
+inhibit-any-policy             - PKITS test 4.12 
+name-constraints               - PKITS test 4.13 
+distribution-points            - PKITS test 4.14 
+delta-crls                     - PKITS test 4.15 
+private-certificate-extensions - PKITS test 4.16 
 
 
 The password for the p12 files is "password".
+
+You may run the tests as usual with "make check" or after a plain make
+in this directory you may run the tests individually.  When run in
+this way they will print easy to parse output to stdout.  To run all
+tests in this mode, use "make run-all-tests".  All test scripts create
+a log file with the suffix ".log" appended to the test script's name.
+
diff --git a/tests/pkits/basic-certificate-revocation b/tests/pkits/basic-certificate-revocation
new file mode 100644
index 000000000..496a82c97
--- /dev/null
+++ b/tests/pkits/basic-certificate-revocation
@@ -0,0 +1,31 @@
+#!/bin/sh
+# basic-certificate-revocation - PKITS Test 4.4                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.4
+description="Basic Certificate Revocation"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/certificate-policies b/tests/pkits/certificate-policies
new file mode 100644
index 000000000..f4722012d
--- /dev/null
+++ b/tests/pkits/certificate-policies
@@ -0,0 +1,31 @@
+#!/bin/sh
+# certificate-policies - PKITS Test 4.8                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.8
+description="Certificate Policies"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/common.sh b/tests/pkits/common.sh
index 09fb62bc8..241a0faf7 100644
--- a/tests/pkits/common.sh
+++ b/tests/pkits/common.sh
@@ -1,12 +1,12 @@
 #!/bin/sh
 # common.sh - common defs for all tests         -*- sh -*-
-# Copyright (C) 2004 Free Software Foundation, Inc.
+# Copyright (C) 2004, 2008 Free Software Foundation, Inc.
 #
 # This file is part of GnuPG.
 # 
 # GnuPG is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
+# the Free Software Foundation; either version 3 of the License, or
 # (at your option) any later version.
 # 
 # GnuPG is distributed in the hope that it will be useful,
@@ -15,9 +15,7 @@
 # GNU General Public License for more details.
 # 
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
-# USA.
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
 
 # reset some environment variables because we do not want to test locals
 export LANG=C
@@ -29,7 +27,7 @@ export LC_ALL=C
 [ -z "$srcdir" ] && srcdir="."
 [ -z "$top_srcdir" ] && top_srcdir=".."
 [ -z "$GPGSM" ] && GPGSM="../../sm/gpgsm"
-
+[ -z "$silent" ] && silent=no
 
 if [ "$GNUPGHOME" != "`pwd`" ]; then
     echo "inittests: please set GNUPGHOME to the tests/pkits directory" >&2
@@ -42,7 +40,6 @@ if [ -n "$GPG_AGENT_INFO" ]; then
 fi
 
 
-
 #--------------------------------
 #------ utility functions -------
 #--------------------------------
@@ -68,46 +65,92 @@ echo_n () {
   echo $echo_n_n "${1}$echo_n_c"
 }
 
+setup_output () {
+  if [ -z "$first_section_set" ]; then
+      first_section_set=$section
+  fi
+  section_out="$(echo $section)"
+  if [ -z "$section_out" ]; then
+      section_out="-"
+  fi
+}
+
 fatal () {
     echo "$pgmname: fatal:" $* >&2
+    if [ "$silent" != "yes" ]; then
+        echo "$section_out ERROR: $* (fatal)"
+    fi
     exit 1;
 }
 
 error () {
     echo "$pgmname:" $* >&2
+    if [ "$silent" != "yes" ]; then
+        echo "$section_out ERROR: $*"
+    fi
     exit 1
 }
 
 info () {
+    setup_output
     echo "$pgmname:" $* >&2
+    if [ "$silent" != "yes" ]; then
+        echo "$section_out ____ $*"
+    fi
 }
 
 info_n () {
-    $echo_n "$pgmname:" $* >&2
+    setup_output
+    echo_n "$pgmname:" $* >&2
 }
 
 pass () {
+    setup_output
     echo "PASS: " $* >&2
     pass_count=`expr ${pass_count} + 1`
+    if [ "$silent" != "yes" ]; then
+        echo_n "$section_out PASS"
+        [ -n "$description" ] && echo_n " ($description)"
+        echo
+    fi
 }
 
 fail () {
+    setup_output
     echo "FAIL: " $* >&2
     fail_count=`expr ${fail_count} + 1`
+    if [ "$silent" != "yes" ]; then
+        echo_n "$section_out FAIL"
+        [ -n "$description" ] && echo_n " ($description)"
+        echo
+    fi
 }
 
 unresolved () {
+    setup_output
     echo "UNRESOLVED: " $* >&2
     unresolved_count=`expr ${unresolved_count} + 1`
+    if [ "$silent" != "yes" ]; then
+        echo_n "$section_out UNRESOLVED"
+        [ -n "$description" ] && echo_n " ($description)"
+        echo
+    fi
 }
 
 unsupported () {
+    setup_output
     echo "UNSUPPORTED: " $* >&2
     unsupported_count=`expr ${unsupported_count} + 1`
+    if [ "$silent" != "yes" ]; then
+        echo_n "$section_out UNSUPPORTED"
+        [ -n "$description" ] && echo_n " ($description)"
+        echo
+    fi
 }
 
 
 final_result () {
+    section=$first_section_set
     [ $pass_count = 0 ]        || info "$pass_count tests passed"
     [ $fail_count = 0 ]        || info "$fail_count tests failed"
     [ $unresolved_count = 0 ]  || info "$unresolved_count tests unresolved"
@@ -127,7 +170,10 @@ pass_count=0
 fail_count=0
 unresolved_count=0
 unsupported_count=0
-
+first_section_set=""
+section_out=""
+section=""
+description=""
 
 #trap cleanup SIGHUP SIGINT SIGQUIT
 exec 2> ${pgmname}.log
diff --git a/tests/pkits/delta-crls b/tests/pkits/delta-crls
new file mode 100644
index 000000000..2b912887b
--- /dev/null
+++ b/tests/pkits/delta-crls
@@ -0,0 +1,31 @@
+#!/bin/sh
+# delta-crls - PKITS Test 4.15                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.15
+description="Delta-CRLs"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/distribution-points b/tests/pkits/distribution-points
new file mode 100644
index 000000000..2d59fcdb3
--- /dev/null
+++ b/tests/pkits/distribution-points
@@ -0,0 +1,31 @@
+#!/bin/sh
+# distribution-points - PKITS Test 4.14                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.14
+description="Distribution Points"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/import-all-certs b/tests/pkits/import-all-certs
index 2d70d06df..8144d97be 100755
--- a/tests/pkits/import-all-certs
+++ b/tests/pkits/import-all-certs
@@ -1,11 +1,12 @@
 #!/bin/sh
-# Copyright (C) 2004 Free Software Foundation, Inc.   -*- sh -*-
+# import-all-certs - GnuPG import test                     -*- sh -*-
+# Copyright (C) 2004, 2008 Free Software Foundation, Inc. 
 #
 # This file is part of GnuPG.
 # 
 # GnuPG is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
+# the Free Software Foundation; either version 3 of the License, or
 # (at your option) any later version.
 # 
 # GnuPG is distributed in the hope that it will be useful,
@@ -14,16 +15,19 @@
 # GNU General Public License for more details.
 # 
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
-# USA.
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
 
 . ${srcdir:-.}/common.sh || exit 2
 
-while read flag dummy name; do 
-    case $flag in \#*) continue;; esac
-    [ -z "$flag" ] && continue;
+section=6
+description="GnuPG Import"
+info "Running $description tests"
 
+while read flag dummy section name; do 
+    case $flag in \#*) continue ;; esac
+    [ -z "$(echo $flag)" ] && continue;
+
+    description="import $name"
     if ${GPGSM} -q --import certs/$name ; then
         if [ "$flag" = 'p' ]; then
             pass "importing certificate \`$name' succeeded"
diff --git a/tests/pkits/import-all-certs.data b/tests/pkits/import-all-certs.data
index 18708aa61..597dbc0f9 100644
--- a/tests/pkits/import-all-certs.data
+++ b/tests/pkits/import-all-certs.data
@@ -1,490 +1,471 @@
 # The first column is for the basic import test, the second for a
-# validation test.
-
+# validation test, the third is the section number and th foruth the
+# filename of the certificate.
+   
 # Make sure that the root certificate is imported first
-p p TrustAnchorRootCertificate.crt
- 
-p p AllCertificatesNoPoliciesTest2EE.crt
-p p AllCertificatesSamePoliciesTest10EE.crt
-p p AllCertificatesSamePoliciesTest13EE.crt
-p p AllCertificatesanyPolicyTest11EE.crt
-p p AnyPolicyTest14EE.crt
-p p BadCRLIssuerNameCACert.crt
-p p BadCRLSignatureCACert.crt
-f f BadSignedCACert.crt
-p f BadnotAfterDateCACert.crt
-
-#  UTC: "470101120100Z" i.e. not before 2047-01-01
-p f BadnotBeforeDateCACert.crt
-
-p p BasicSelfIssuedCRLSigningKeyCACert.crt
- 
-#   For yet unknown reasons gpgsm claims a bad signature.
-? ? BasicSelfIssuedCRLSigningKeyCRLCert.crt
-   
-p p BasicSelfIssuedNewKeyCACert.crt
-
-#   For yet unknown reasons gpgsm claims a bad signature.
-? ? BasicSelfIssuedNewKeyOldWithNewCACert.crt
-
-p p BasicSelfIssuedOldKeyCACert.crt
-
-#   For yet unknown reasons gpgsm claims a bad signature.
-? ? BasicSelfIssuedOldKeyNewWithOldCACert.crt
-
-p p CPSPointerQualifierTest20EE.crt
-   
-u u DSACACert.crt
-u u DSAParametersInheritedCACert.crt
-   
-p p DifferentPoliciesTest12EE.crt
-p p DifferentPoliciesTest3EE.crt
-p p DifferentPoliciesTest4EE.crt
-p p DifferentPoliciesTest5EE.crt
-p p DifferentPoliciesTest7EE.crt
-p p DifferentPoliciesTest8EE.crt
-p p DifferentPoliciesTest9EE.crt
-p p GeneralizedTimeCRLnextUpdateCACert.crt
-p p GoodCACert.crt
-p p GoodsubCACert.crt
-
-# gpgsm: critical certificate extension 2.5.29.33 (policyMappings) 
-#        is not supported
-p u GoodsubCAPanyPolicyMapping1to2CACert.crt
-
-# fixme: gpgme does not fail for it.
-p f InvalidBadCRLIssuerNameTest5EE.crt
-
-p f InvalidBadCRLSignatureTest4EE.crt
-p f InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt
-
-f f InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt
-
-p f InvalidBasicSelfIssuedNewWithOldTest5EE.crt
-
-f f InvalidBasicSelfIssuedOldWithNewTest2EE.crt
-
-p f InvalidCASignatureTest2EE.crt
-
-p f InvalidCAnotAfterDateTest5EE.crt
-p f InvalidCAnotBeforeDateTest1EE.crt
-p f InvalidDNSnameConstraintsTest31EE.crt
-p f InvalidDNSnameConstraintsTest33EE.crt
-p f InvalidDNSnameConstraintsTest38EE.crt
-p f InvalidDNandRFC822nameConstraintsTest28EE.crt
-p f InvalidDNandRFC822nameConstraintsTest29EE.crt
-p f InvalidDNnameConstraintsTest10EE.crt
-p f InvalidDNnameConstraintsTest12EE.crt
-p f InvalidDNnameConstraintsTest13EE.crt
-p f InvalidDNnameConstraintsTest15EE.crt
-p f InvalidDNnameConstraintsTest16EE.crt
-p f InvalidDNnameConstraintsTest17EE.crt
-
-f f InvalidDNnameConstraintsTest20EE.crt
-
-p f InvalidDNnameConstraintsTest2EE.crt
-p f InvalidDNnameConstraintsTest3EE.crt
-p f InvalidDNnameConstraintsTest7EE.crt
-p f InvalidDNnameConstraintsTest8EE.crt
-p f InvalidDNnameConstraintsTest9EE.crt
-
-u u InvalidDSASignatureTest6EE.crt
-
-f f InvalidEESignatureTest3EE.crt
-
-p f InvalidEEnotAfterDateTest6EE.crt
-p f InvalidEEnotBeforeDateTest2EE.crt
-p f InvalidIDPwithindirectCRLTest23EE.crt
-p f InvalidIDPwithindirectCRLTest26EE.crt
-p f InvalidLongSerialNumberTest18EE.crt
-p f InvalidMappingFromanyPolicyTest7EE.crt
-p f InvalidMappingToanyPolicyTest8EE.crt
-p f InvalidMissingCRLTest1EE.crt
-p f InvalidMissingbasicConstraintsTest1EE.crt
-p f InvalidNameChainingOrderTest2EE.crt
-p f InvalidNameChainingTest1EE.crt
-p f InvalidNegativeSerialNumberTest15EE.crt
-p f InvalidOldCRLnextUpdateTest11EE.crt
-p f InvalidPolicyMappingTest10EE.crt
-p f InvalidPolicyMappingTest2EE.crt
-p f InvalidPolicyMappingTest4EE.crt
-p f InvalidRFC822nameConstraintsTest22EE.crt
-p f InvalidRFC822nameConstraintsTest24EE.crt
-p f InvalidRFC822nameConstraintsTest26EE.crt
-p f InvalidRevokedCATest2EE.crt
-p f InvalidRevokedEETest3EE.crt
-
-f f InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt
-
-p f InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt
-p f InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt
-p f InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt
-p f InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt
-p f InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt
-p f InvalidSelfIssuedpathLenConstraintTest16EE.crt
-p f InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt
-p f InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt
-
-f f InvalidSeparateCertificateandCRLKeysTest20EE.crt
-f f InvalidSeparateCertificateandCRLKeysTest21EE.crt
-
-p f InvalidURInameConstraintsTest35EE.crt
-p f InvalidURInameConstraintsTest37EE.crt
-p f InvalidUnknownCRLEntryExtensionTest8EE.crt
-p f InvalidUnknownCRLExtensionTest10EE.crt
-p f InvalidUnknownCRLExtensionTest9EE.crt
-p f InvalidUnknownCriticalCertificateExtensionTest2EE.crt
-p f InvalidWrongCRLTest6EE.crt
-p f InvalidcAFalseTest2EE.crt
-p f InvalidcAFalseTest3EE.crt
-p f InvalidcRLIssuerTest27EE.crt
-p f InvalidcRLIssuerTest31EE.crt
-p f InvalidcRLIssuerTest32EE.crt
-p f InvalidcRLIssuerTest34EE.crt
-p f InvalidcRLIssuerTest35EE.crt
-p f InvaliddeltaCRLIndicatorNoBaseTest1EE.crt
-p f InvaliddeltaCRLTest10EE.crt
-p f InvaliddeltaCRLTest3EE.crt
-p f InvaliddeltaCRLTest4EE.crt
-p f InvaliddeltaCRLTest6EE.crt
-p f InvaliddeltaCRLTest9EE.crt
-p f InvaliddistributionPointTest2EE.crt
-p f InvaliddistributionPointTest3EE.crt
-p f InvaliddistributionPointTest6EE.crt
-p f InvaliddistributionPointTest8EE.crt
-p f InvaliddistributionPointTest9EE.crt
-p f InvalidinhibitAnyPolicyTest1EE.crt
-p f InvalidinhibitAnyPolicyTest4EE.crt
-p f InvalidinhibitAnyPolicyTest5EE.crt
-p f InvalidinhibitAnyPolicyTest6EE.crt
-p f InvalidinhibitPolicyMappingTest1EE.crt
-p f InvalidinhibitPolicyMappingTest3EE.crt
-p f InvalidinhibitPolicyMappingTest5EE.crt
-p f InvalidinhibitPolicyMappingTest6EE.crt
-p f InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt
-p f InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt
-p f InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt
-p f InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt
-p f InvalidonlyContainsAttributeCertsTest14EE.crt
-p f InvalidonlyContainsCACertsTest12EE.crt
-p f InvalidonlyContainsUserCertsTest11EE.crt
-p f InvalidonlySomeReasonsTest15EE.crt
-p f InvalidonlySomeReasonsTest16EE.crt
-p f InvalidonlySomeReasonsTest17EE.crt
-p f InvalidonlySomeReasonsTest20EE.crt
-p f InvalidonlySomeReasonsTest21EE.crt
-p f InvalidpathLenConstraintTest10EE.crt
-p f InvalidpathLenConstraintTest11EE.crt
-p f InvalidpathLenConstraintTest12EE.crt
-p f InvalidpathLenConstraintTest5EE.crt
-p f InvalidpathLenConstraintTest6EE.crt
-p f InvalidpathLenConstraintTest9EE.crt
-p f Invalidpre2000CRLnextUpdateTest12EE.crt
-p f Invalidpre2000UTCEEnotAfterDateTest7EE.crt
-p f InvalidrequireExplicitPolicyTest3EE.crt
-p f InvalidrequireExplicitPolicyTest5EE.crt
-p p LongSerialNumberCACert.crt
-p p Mapping1to2CACert.crt
-p p MappingFromanyPolicyCACert.crt
-p p MappingToanyPolicyCACert.crt
-p p MissingbasicConstraintsCACert.crt
-p p NameOrderingCACert.crt
-p p NegativeSerialNumberCACert.crt
-p p NoCRLCACert.crt
-p p NoPoliciesCACert.crt
-p p NoissuingDistributionPointCACert.crt
-p p OldCRLnextUpdateCACert.crt
-p p OverlappingPoliciesTest6EE.crt
-p p P12Mapping1to3CACert.crt
-p p P12Mapping1to3subCACert.crt
-p p P12Mapping1to3subsubCACert.crt
-p p P1Mapping1to234CACert.crt
-p p P1Mapping1to234subCACert.crt
-p p P1anyPolicyMapping1to2CACert.crt
-p p PanyPolicyMapping1to2CACert.crt
-p p PoliciesP1234CACert.crt
-p p PoliciesP1234subCAP123Cert.crt
-p p PoliciesP1234subsubCAP123P12Cert.crt
-p p PoliciesP123CACert.crt
-p p PoliciesP123subCAP12Cert.crt
-p p PoliciesP123subsubCAP12P1Cert.crt
-p p PoliciesP123subsubCAP12P2Cert.crt
-p p PoliciesP123subsubsubCAP12P2P1Cert.crt
-p p PoliciesP12CACert.crt
-p p PoliciesP12subCAP1Cert.crt
-p p PoliciesP12subsubCAP1P2Cert.crt
-p p PoliciesP2subCA2Cert.crt
-p p PoliciesP2subCACert.crt
-p p PoliciesP3CACert.crt
-p p RFC3280MandatoryAttributeTypesCACert.crt
-p p RFC3280OptionalAttributeTypesCACert.crt
-p p RevokedsubCACert.crt
-p p RolloverfromPrintableStringtoUTF8StringCACert.crt
-p p SeparateCertificateandCRLKeysCA2CRLSigningCert.crt
-p p SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt
-p p SeparateCertificateandCRLKeysCRLSigningCert.crt
-p p SeparateCertificateandCRLKeysCertificateSigningCACert.crt
-p p TwoCRLsCACert.crt
-p p UIDCACert.crt
-p p UTF8StringCaseInsensitiveMatchCACert.crt
-p p UTF8StringEncodedNamesCACert.crt
-p p UnknownCRLEntryExtensionCACert.crt
-p p UnknownCRLExtensionCACert.crt
-p p UserNoticeQualifierTest15EE.crt
-p p UserNoticeQualifierTest16EE.crt
-p p UserNoticeQualifierTest17EE.crt
-p p UserNoticeQualifierTest18EE.crt
-p p UserNoticeQualifierTest19EE.crt
-p p ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? ValidBasicSelfIssuedNewWithOldTest3EE.crt
-
-p p ValidBasicSelfIssuedNewWithOldTest4EE.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? ValidBasicSelfIssuedOldWithNewTest1EE.crt
-
-p p ValidCertificatePathTest1EE.crt
-p p ValidDNSnameConstraintsTest30EE.crt
-p p ValidDNSnameConstraintsTest32EE.crt
-p p ValidDNandRFC822nameConstraintsTest27EE.crt
-p p ValidDNnameConstraintsTest11EE.crt
-
+p p 6.1.5.1 TrustAnchorRootCertificate.crt
+   
+p p 6.1.5.168 AllCertificatesNoPoliciesTest2EE.crt
+p p 6.1.5.204 AllCertificatesSamePoliciesTest10EE.crt
+p p 6.1.5.211 AllCertificatesSamePoliciesTest13EE.crt
+p p 6.1.5.207 AllCertificatesanyPolicyTest11EE.crt
+p p 6.1.5.212 AnyPolicyTest14EE.crt
+p p 6.1.5.41 BadCRLIssuerNameCACert.crt
+p p 6.1.5.38 BadCRLSignatureCACert.crt
+f f 6.1.5.6 BadSignedCACert.crt
+p f 6.1.5.16 BadnotAfterDateCACert.crt
+   
+# UTC: "470101120100Z" i.e. not before 2047-01-01
+p f 6.1.5.10 BadnotBeforeDateCACert.crt
+   
+p p 6.1.5.88 BasicSelfIssuedCRLSigningKeyCACert.crt
+p p 6.1.5.90 BasicSelfIssuedCRLSigningKeyCRLCert.crt
+   
+p p 6.1.5.76 BasicSelfIssuedNewKeyCACert.crt
+p p 6.1.5.78 BasicSelfIssuedNewKeyOldWithNewCACert.crt
+p p 6.1.5.81 BasicSelfIssuedOldKeyCACert.crt
+p p 6.1.5.83 BasicSelfIssuedOldKeyNewWithOldCACert.crt
+   
+p p 6.1.5.218 CPSPointerQualifierTest20EE.crt
+   
+u u 6.1.5.572 DSACACert.crt
+u u 6.1.5.575 DSAParametersInheritedCACert.crt
+   
+p p 6.1.5.210 DifferentPoliciesTest12EE.crt
+p p 6.1.5.171 DifferentPoliciesTest3EE.crt
+p p 6.1.5.174 DifferentPoliciesTest4EE.crt
+p p 6.1.5.177 DifferentPoliciesTest5EE.crt
+p p 6.1.5.191 DifferentPoliciesTest7EE.crt
+p p 6.1.5.198 DifferentPoliciesTest8EE.crt
+p p 6.1.5.203 DifferentPoliciesTest9EE.crt
+p p 6.1.5.64 GeneralizedTimeCRLnextUpdateCACert.crt
+p p 6.1.5.3 GoodCACert.crt
+p p 6.1.5.172 GoodsubCACert.crt
+   
+# gpgsm: critical certificate extension 2.5.29.33 (policyMappings)
+# is not supported
+p u 6.1.5.300 GoodsubCAPanyPolicyMapping1to2CACert.crt
+   
+p f 6.1.5.43 InvalidBadCRLIssuerNameTest5EE.crt
+   
+p f 6.1.5.40 InvalidBadCRLSignatureTest4EE.crt
+p f 6.1.5.93 InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt
+   
+p f 6.1.5.94 InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt
+   
+p f 6.1.5.87 InvalidBasicSelfIssuedNewWithOldTest5EE.crt
+   
+p f 6.1.5.80 InvalidBasicSelfIssuedOldWithNewTest2EE.crt
+   
+p f 6.1.5.8 InvalidCASignatureTest2EE.crt
+   
+p f 6.1.5.18 InvalidCAnotAfterDateTest5EE.crt
+p f 6.1.5.12 InvalidCAnotBeforeDateTest1EE.crt
+p f 6.1.5.439 InvalidDNSnameConstraintsTest31EE.crt
+p f 6.1.5.443 InvalidDNSnameConstraintsTest33EE.crt
+p f 6.1.5.562 InvalidDNSnameConstraintsTest38EE.crt
+p f 6.1.5.434 InvalidDNandRFC822nameConstraintsTest28EE.crt
+p f 6.1.5.435 InvalidDNandRFC822nameConstraintsTest29EE.crt
+p f 6.1.5.399 InvalidDNnameConstraintsTest10EE.crt
+p f 6.1.5.403 InvalidDNnameConstraintsTest12EE.crt
+p f 6.1.5.406 InvalidDNnameConstraintsTest13EE.crt
+p f 6.1.5.410 InvalidDNnameConstraintsTest15EE.crt
+p f 6.1.5.411 InvalidDNnameConstraintsTest16EE.crt
+p f 6.1.5.414 InvalidDNnameConstraintsTest17EE.crt
+   
+p f 6.1.5.418 InvalidDNnameConstraintsTest20EE.crt
+   
+p f 6.1.5.383 InvalidDNnameConstraintsTest2EE.crt
+p f 6.1.5.384 InvalidDNnameConstraintsTest3EE.crt
+p f 6.1.5.392 InvalidDNnameConstraintsTest7EE.crt
+p f 6.1.5.395 InvalidDNnameConstraintsTest8EE.crt
+p f 6.1.5.396 InvalidDNnameConstraintsTest9EE.crt
+   
+u u 6.1.5.578 InvalidDSASignatureTest6EE.crt
+   
+f f 6.1.5.9 InvalidEESignatureTest3EE.crt
+   
+p f 6.1.5.19 InvalidEEnotAfterDateTest6EE.crt
+p f 6.1.5.13 InvalidEEnotBeforeDateTest2EE.crt
+p f 6.1.5.500 InvalidIDPwithindirectCRLTest23EE.crt
+p f 6.1.5.504 InvalidIDPwithindirectCRLTest26EE.crt
+p f 6.1.5.75 InvalidLongSerialNumberTest18EE.crt
+p f 6.1.5.293 InvalidMappingFromanyPolicyTest7EE.crt
+p f 6.1.5.296 InvalidMappingToanyPolicyTest8EE.crt
+p f 6.1.5.33 InvalidMissingCRLTest1EE.crt
+p f 6.1.5.97 InvalidMissingbasicConstraintsTest1EE.crt
+p f 6.1.5.25 InvalidNameChainingOrderTest2EE.crt
+p f 6.1.5.22 InvalidNameChainingTest1EE.crt
+p f 6.1.5.70 InvalidNegativeSerialNumberTest15EE.crt
+p f 6.1.5.60 InvalidOldCRLnextUpdateTest11EE.crt
+p f 6.1.5.302 InvalidPolicyMappingTest10EE.crt
+p f 6.1.5.276 InvalidPolicyMappingTest2EE.crt
+p f 6.1.5.284 InvalidPolicyMappingTest4EE.crt
+p f 6.1.5.422 InvalidRFC822nameConstraintsTest22EE.crt
+p f 6.1.5.426 InvalidRFC822nameConstraintsTest24EE.crt
+p f 6.1.5.430 InvalidRFC822nameConstraintsTest26EE.crt
+p f 6.1.5.36 InvalidRevokedCATest2EE.crt
+p f 6.1.5.37 InvalidRevokedEETest3EE.crt
+   
+p f 6.1.5.379 InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt
+   
+p f 6.1.5.376 InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt
+p f 6.1.5.348 InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt
+p f 6.1.5.349 InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt
+p f 6.1.5.345 InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt
+p f 6.1.5.346 InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt
+p f 6.1.5.143 InvalidSelfIssuedpathLenConstraintTest16EE.crt
+p f 6.1.5.270 InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt
+p f 6.1.5.272 InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt
+   
+p f 6.1.5.567 InvalidSeparateCertificateandCRLKeysTest20EE.crt
+p f 6.1.5.571 InvalidSeparateCertificateandCRLKeysTest21EE.crt
+   
+p f 6.1.5.447 InvalidURInameConstraintsTest35EE.crt
+p f 6.1.5.451 InvalidURInameConstraintsTest37EE.crt
+p f 6.1.5.53 InvalidUnknownCRLEntryExtensionTest8EE.crt
+p f 6.1.5.57 InvalidUnknownCRLExtensionTest10EE.crt
+p f 6.1.5.56 InvalidUnknownCRLExtensionTest9EE.crt
+p f 6.1.5.546 InvalidUnknownCriticalCertificateExtensionTest2EE.crt
+p f 6.1.5.46 InvalidWrongCRLTest6EE.crt
+p f 6.1.5.100 InvalidcAFalseTest2EE.crt
+p f 6.1.5.103 InvalidcAFalseTest3EE.crt
+p f 6.1.5.505 InvalidcRLIssuerTest27EE.crt
+p f 6.1.5.519 InvalidcRLIssuerTest31EE.crt
+p f 6.1.5.520 InvalidcRLIssuerTest32EE.crt
+p f 6.1.5.522 InvalidcRLIssuerTest34EE.crt
+p f 6.1.5.523 InvalidcRLIssuerTest35EE.crt
+p f 6.1.5.526 InvaliddeltaCRLIndicatorNoBaseTest1EE.crt
+p f 6.1.5.544 InvaliddeltaCRLTest10EE.crt
+p f 6.1.5.531 InvaliddeltaCRLTest3EE.crt
+p f 6.1.5.532 InvaliddeltaCRLTest4EE.crt
+p f 6.1.5.534 InvaliddeltaCRLTest6EE.crt
+p f 6.1.5.540 InvaliddeltaCRLTest9EE.crt
+p f 6.1.5.455 InvaliddistributionPointTest2EE.crt
+p f 6.1.5.456 InvaliddistributionPointTest3EE.crt
+p f 6.1.5.461 InvaliddistributionPointTest6EE.crt
+p f 6.1.5.463 InvaliddistributionPointTest8EE.crt
+p f 6.1.5.464 InvaliddistributionPointTest9EE.crt
+p f 6.1.5.352 InvalidinhibitAnyPolicyTest1EE.crt
+p f 6.1.5.359 InvalidinhibitAnyPolicyTest4EE.crt
+p f 6.1.5.366 InvalidinhibitAnyPolicyTest5EE.crt
+p f 6.1.5.369 InvalidinhibitAnyPolicyTest6EE.crt
+p f 6.1.5.313 InvalidinhibitPolicyMappingTest1EE.crt
+p f 6.1.5.321 InvalidinhibitPolicyMappingTest3EE.crt
+p f 6.1.5.331 InvalidinhibitPolicyMappingTest5EE.crt
+p f 6.1.5.336 InvalidinhibitPolicyMappingTest6EE.crt
+p f 6.1.5.162 InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt
+p f 6.1.5.153 InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt
+p f 6.1.5.165 InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt
+p f 6.1.5.156 InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt
+p f 6.1.5.477 InvalidonlyContainsAttributeCertsTest14EE.crt
+p f 6.1.5.473 InvalidonlyContainsCACertsTest12EE.crt
+p f 6.1.5.470 InvalidonlyContainsUserCertsTest11EE.crt
+p f 6.1.5.481 InvalidonlySomeReasonsTest15EE.crt
+p f 6.1.5.482 InvalidonlySomeReasonsTest16EE.crt
+p f 6.1.5.486 InvalidonlySomeReasonsTest17EE.crt
+p f 6.1.5.495 InvalidonlySomeReasonsTest20EE.crt
+p f 6.1.5.496 InvalidonlySomeReasonsTest21EE.crt
+p f 6.1.5.122 InvalidpathLenConstraintTest10EE.crt
+p f 6.1.5.129 InvalidpathLenConstraintTest11EE.crt
+p f 6.1.5.130 InvalidpathLenConstraintTest12EE.crt
+p f 6.1.5.111 InvalidpathLenConstraintTest5EE.crt
+p f 6.1.5.112 InvalidpathLenConstraintTest6EE.crt
+p f 6.1.5.121 InvalidpathLenConstraintTest9EE.crt
+p f 6.1.5.63 Invalidpre2000CRLnextUpdateTest12EE.crt
+p f 6.1.5.20 Invalidpre2000UTCEEnotAfterDateTest7EE.crt
+p f 6.1.5.245 InvalidrequireExplicitPolicyTest3EE.crt
+p f 6.1.5.263 InvalidrequireExplicitPolicyTest5EE.crt
+p p 6.1.5.71 LongSerialNumberCACert.crt
+p p 6.1.5.273 Mapping1to2CACert.crt
+p p 6.1.5.291 MappingFromanyPolicyCACert.crt
+p p 6.1.5.294 MappingToanyPolicyCACert.crt
+p p 6.1.5.95 MissingbasicConstraintsCACert.crt
+p p 6.1.5.23 NameOrderingCACert.crt
+p p 6.1.5.67 NegativeSerialNumberCACert.crt
+p p 6.1.5.32 NoCRLCACert.crt
+p p 6.1.5.166 NoPoliciesCACert.crt
+p p 6.1.5.465 NoissuingDistributionPointCACert.crt
+p p 6.1.5.58 OldCRLnextUpdateCACert.crt
+p p 6.1.5.184 OverlappingPoliciesTest6EE.crt
+p p 6.1.5.277 P12Mapping1to3CACert.crt
+p p 6.1.5.279 P12Mapping1to3subCACert.crt
+p p 6.1.5.281 P12Mapping1to3subsubCACert.crt
+p p 6.1.5.285 P1Mapping1to234CACert.crt
+p p 6.1.5.287 P1Mapping1to234subCACert.crt
+p p 6.1.5.305 P1anyPolicyMapping1to2CACert.crt
+p p 6.1.5.297 PanyPolicyMapping1to2CACert.crt
+p p 6.1.5.178 PoliciesP1234CACert.crt
+p p 6.1.5.180 PoliciesP1234subCAP123Cert.crt
+p p 6.1.5.182 PoliciesP1234subsubCAP123P12Cert.crt
+p p 6.1.5.185 PoliciesP123CACert.crt
+p p 6.1.5.187 PoliciesP123subCAP12Cert.crt
+p p 6.1.5.189 PoliciesP123subsubCAP12P1Cert.crt
+p p 6.1.5.199 PoliciesP123subsubCAP12P2Cert.crt
+p p 6.1.5.201 PoliciesP123subsubsubCAP12P2P1Cert.crt
+p p 6.1.5.192 PoliciesP12CACert.crt
+p p 6.1.5.194 PoliciesP12subCAP1Cert.crt
+p p 6.1.5.196 PoliciesP12subsubCAP1P2Cert.crt
+p p 6.1.5.175 PoliciesP2subCA2Cert.crt
+p p 6.1.5.169 PoliciesP2subCACert.crt
+p p 6.1.5.208 PoliciesP3CACert.crt
+p p 6.1.5.547 RFC3280MandatoryAttributeTypesCACert.crt
+p p 6.1.5.550 RFC3280OptionalAttributeTypesCACert.crt
+p p 6.1.5.34 RevokedsubCACert.crt
+p p 6.1.5.556 RolloverfromPrintableStringtoUTF8StringCACert.crt
+p p 6.1.5.569 SeparateCertificateandCRLKeysCA2CRLSigningCert.crt
+p p 6.1.5.568 SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt
+p p 6.1.5.564 SeparateCertificateandCRLKeysCRLSigningCert.crt
+p p 6.1.5.563 SeparateCertificateandCRLKeysCertificateSigningCACert.crt
+p p 6.1.5.47 TwoCRLsCACert.crt
+p p 6.1.5.29 UIDCACert.crt
+p p 6.1.5.559 UTF8StringCaseInsensitiveMatchCACert.crt
+p p 6.1.5.553 UTF8StringEncodedNamesCACert.crt
+p p 6.1.5.51 UnknownCRLEntryExtensionCACert.crt
+p p 6.1.5.54 UnknownCRLExtensionCACert.crt
+p p 6.1.5.213 UserNoticeQualifierTest15EE.crt
+p p 6.1.5.214 UserNoticeQualifierTest16EE.crt
+p p 6.1.5.215 UserNoticeQualifierTest17EE.crt
+p p 6.1.5.216 UserNoticeQualifierTest18EE.crt
+p p 6.1.5.217 UserNoticeQualifierTest19EE.crt
+p p 6.1.5.92 ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt
+   
+p p 6.1.5.85 ValidBasicSelfIssuedNewWithOldTest3EE.crt
+p p 6.1.5.86 ValidBasicSelfIssuedNewWithOldTest4EE.crt
+p p 6.1.5.79 ValidBasicSelfIssuedOldWithNewTest1EE.crt
+   
+p p 6.1.5.5 ValidCertificatePathTest1EE.crt
+p p 6.1.5.438 ValidDNSnameConstraintsTest30EE.crt
+p p 6.1.5.442 ValidDNSnameConstraintsTest32EE.crt
+p p 6.1.5.433 ValidDNandRFC822nameConstraintsTest27EE.crt
+p p 6.1.5.400 ValidDNnameConstraintsTest11EE.crt
+   
 # This certificate has an empty subject sequence.  Our parser does not
 # support this yet and it is unlikely that gpgsm will be able to cope
 # with it at all.
-u u ValidDNnameConstraintsTest14EE.crt
-
-p p ValidDNnameConstraintsTest18EE.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? ValidDNnameConstraintsTest19EE.crt
-
-p p ValidDNnameConstraintsTest1EE.crt
-p p ValidDNnameConstraintsTest4EE.crt
-p p ValidDNnameConstraintsTest5EE.crt
-p p ValidDNnameConstraintsTest6EE.crt
-
-u p ValidDSAParameterInheritanceTest5EE.crt
-u p ValidDSASignaturesTest4EE.crt
-
-p p ValidGeneralizedTimeCRLnextUpdateTest13EE.crt
-p p ValidGeneralizedTimenotAfterDateTest8EE.crt
-p p ValidGeneralizedTimenotBeforeDateTest4EE.crt
-p p ValidIDPwithindirectCRLTest22EE.crt
-p p ValidIDPwithindirectCRLTest24EE.crt
-p p ValidIDPwithindirectCRLTest25EE.crt
-p p ValidLongSerialNumberTest16EE.crt
-p p ValidLongSerialNumberTest17EE.crt
-p p ValidNameChainingCapitalizationTest5EE.crt
-p p ValidNameChainingWhitespaceTest3EE.crt
-p p ValidNameChainingWhitespaceTest4EE.crt
-p p ValidNameUIDsTest6EE.crt
-p p ValidNegativeSerialNumberTest14EE.crt
-p p ValidNoissuingDistributionPointTest10EE.crt
-p p ValidPolicyMappingTest11EE.crt
-p p ValidPolicyMappingTest12EE.crt
-p p ValidPolicyMappingTest13EE.crt
-p p ValidPolicyMappingTest14EE.crt
-p p ValidPolicyMappingTest1EE.crt
-p p ValidPolicyMappingTest3EE.crt
-p p ValidPolicyMappingTest5EE.crt
-p p ValidPolicyMappingTest6EE.crt
-p p ValidPolicyMappingTest9EE.crt
-p p ValidRFC3280MandatoryAttributeTypesTest7EE.crt
-p p ValidRFC3280OptionalAttributeTypesTest8EE.crt
-p p ValidRFC822nameConstraintsTest21EE.crt
-p p ValidRFC822nameConstraintsTest23EE.crt
-p p ValidRFC822nameConstraintsTest25EE.crt
-p p ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt
-p p ValidSelfIssuedinhibitAnyPolicyTest7EE.crt
-p p ValidSelfIssuedinhibitAnyPolicyTest9EE.crt
-p p ValidSelfIssuedinhibitPolicyMappingTest7EE.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? ValidSelfIssuedpathLenConstraintTest15EE.crt
-
-p p ValidSelfIssuedpathLenConstraintTest17EE.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? ValidSelfIssuedrequireExplicitPolicyTest6EE.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? ValidSeparateCertificateandCRLKeysTest19EE.crt
-
-p p ValidTwoCRLsTest7EE.crt
-p p ValidURInameConstraintsTest34EE.crt
-p p ValidURInameConstraintsTest36EE.crt
-p p ValidUTF8StringCaseInsensitiveMatchTest11EE.crt
-p p ValidUTF8StringEncodedNamesTest9EE.crt
-p p ValidUnknownNotCriticalCertificateExtensionTest1EE.crt
-p p ValidbasicConstraintsNotCriticalTest4EE.crt
-p p ValidcRLIssuerTest28EE.crt
-p p ValidcRLIssuerTest29EE.crt
-p p ValidcRLIssuerTest30EE.crt
-p p ValidcRLIssuerTest33EE.crt
-p p ValiddeltaCRLTest2EE.crt
-p p ValiddeltaCRLTest5EE.crt
-p p ValiddeltaCRLTest7EE.crt
-p p ValiddeltaCRLTest8EE.crt
-p p ValiddistributionPointTest1EE.crt
-p p ValiddistributionPointTest4EE.crt
-p p ValiddistributionPointTest5EE.crt
-p p ValiddistributionPointTest7EE.crt
-p p ValidinhibitAnyPolicyTest2EE.crt
-p p ValidinhibitPolicyMappingTest2EE.crt
-p p ValidinhibitPolicyMappingTest4EE.crt
-p p ValidkeyUsageNotCriticalTest3EE.crt
-p p ValidonlyContainsCACertsTest13EE.crt
-p p ValidonlySomeReasonsTest18EE.crt
-p p ValidonlySomeReasonsTest19EE.crt
-p p ValidpathLenConstraintTest13EE.crt
-p p ValidpathLenConstraintTest14EE.crt
-p p ValidpathLenConstraintTest7EE.crt
-p p ValidpathLenConstraintTest8EE.crt
-p p Validpre2000UTCnotBeforeDateTest3EE.crt
-p p ValidrequireExplicitPolicyTest1EE.crt
-p p ValidrequireExplicitPolicyTest2EE.crt
-p p ValidrequireExplicitPolicyTest4EE.crt
-p p WrongCRLCACert.crt
-p p anyPolicyCACert.crt
-p p basicConstraintsCriticalcAFalseCACert.crt
-p p basicConstraintsNotCriticalCACert.crt
-p p basicConstraintsNotCriticalcAFalseCACert.crt
-p p deltaCRLCA1Cert.crt
-p p deltaCRLCA2Cert.crt
-p p deltaCRLCA3Cert.crt
-p p deltaCRLIndicatorNoBaseCACert.crt
-p p distributionPoint1CACert.crt
-p p distributionPoint2CACert.crt
-p p indirectCRLCA1Cert.crt
-p p indirectCRLCA2Cert.crt
-p p indirectCRLCA3Cert.crt
-p p indirectCRLCA3cRLIssuerCert.crt
-p p indirectCRLCA4Cert.crt
-p p indirectCRLCA4cRLIssuerCert.crt
-p p indirectCRLCA5Cert.crt
-p p indirectCRLCA6Cert.crt
-p p inhibitAnyPolicy0CACert.crt
-p p inhibitAnyPolicy1CACert.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? inhibitAnyPolicy1SelfIssuedCACert.crt
-? ? inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt
-
-p p inhibitAnyPolicy1subCA1Cert.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? inhibitAnyPolicy1subCA2Cert.crt
-
-p p inhibitAnyPolicy1subCAIAP5Cert.crt
-p p inhibitAnyPolicy1subsubCA2Cert.crt
-p p inhibitAnyPolicy5CACert.crt
-p p inhibitAnyPolicy5subCACert.crt
-p p inhibitAnyPolicy5subsubCACert.crt
-p p inhibitAnyPolicyTest3EE.crt
-p p inhibitPolicyMapping0CACert.crt
-p p inhibitPolicyMapping0subCACert.crt
-p p inhibitPolicyMapping1P12CACert.crt
-p p inhibitPolicyMapping1P12subCACert.crt
-p p inhibitPolicyMapping1P12subCAIPM5Cert.crt
-p p inhibitPolicyMapping1P12subsubCACert.crt
-p p inhibitPolicyMapping1P12subsubCAIPM5Cert.crt
-p p inhibitPolicyMapping1P1CACert.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? inhibitPolicyMapping1P1SelfIssuedCACert.crt
-? ? inhibitPolicyMapping1P1SelfIssuedsubCACert.crt
-? ? inhibitPolicyMapping1P1subCACert.crt
-
-p p inhibitPolicyMapping1P1subsubCACert.crt
-p p inhibitPolicyMapping5CACert.crt
-p p inhibitPolicyMapping5subCACert.crt
-p p inhibitPolicyMapping5subsubCACert.crt
-p p inhibitPolicyMapping5subsubsubCACert.crt
-p p keyUsageCriticalcRLSignFalseCACert.crt
-p p keyUsageCriticalkeyCertSignFalseCACert.crt
-p p keyUsageNotCriticalCACert.crt
-p p keyUsageNotCriticalcRLSignFalseCACert.crt
-p p keyUsageNotCriticalkeyCertSignFalseCACert.crt
-p p nameConstraintsDN1CACert.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? nameConstraintsDN1SelfIssuedCACert.crt
-
-p p nameConstraintsDN1subCA1Cert.crt
-p p nameConstraintsDN1subCA2Cert.crt
-p p nameConstraintsDN1subCA3Cert.crt
-p p nameConstraintsDN2CACert.crt
-p p nameConstraintsDN3CACert.crt
-p p nameConstraintsDN3subCA1Cert.crt
-p p nameConstraintsDN3subCA2Cert.crt
-p p nameConstraintsDN4CACert.crt
-p p nameConstraintsDN5CACert.crt
-p p nameConstraintsDNS1CACert.crt
-p p nameConstraintsDNS2CACert.crt
-p p nameConstraintsRFC822CA1Cert.crt
-p p nameConstraintsRFC822CA2Cert.crt
-p p nameConstraintsRFC822CA3Cert.crt
-p p nameConstraintsURI1CACert.crt
-p p nameConstraintsURI2CACert.crt
-p p onlyContainsAttributeCertsCACert.crt
-p p onlyContainsCACertsCACert.crt
-p p onlyContainsUserCertsCACert.crt
-p p onlySomeReasonsCA1Cert.crt
-p p onlySomeReasonsCA2Cert.crt
-p p onlySomeReasonsCA3Cert.crt
-p p onlySomeReasonsCA4Cert.crt
-p p pathLenConstraint0CACert.crt
-
-# For yet unknown reasons gpgsm claims a bad signature.
-? ? pathLenConstraint0SelfIssuedCACert.crt
-? ? pathLenConstraint0subCA2Cert.crt
-
-p p pathLenConstraint0subCACert.crt
-p p pathLenConstraint1CACert.crt
-
+u u 6.1.5.407 ValidDNnameConstraintsTest14EE.crt
+   
+p p 6.1.5.415 ValidDNnameConstraintsTest18EE.crt
+p p 6.1.5.417 ValidDNnameConstraintsTest19EE.crt
+   
+p p 6.1.5.382 ValidDNnameConstraintsTest1EE.crt
+p p 6.1.5.385 ValidDNnameConstraintsTest4EE.crt
+p p 6.1.5.388 ValidDNnameConstraintsTest5EE.crt
+p p 6.1.5.391 ValidDNnameConstraintsTest6EE.crt
+   
+u p 6.1.5.577 ValidDSAParameterInheritanceTest5EE.crt
+u p 6.1.5.574 ValidDSASignaturesTest4EE.crt
+   
+p p 6.1.5.66 ValidGeneralizedTimeCRLnextUpdateTest13EE.crt
+p p 6.1.5.21 ValidGeneralizedTimenotAfterDateTest8EE.crt
+p p 6.1.5.15 ValidGeneralizedTimenotBeforeDateTest4EE.crt
+p p 6.1.5.499 ValidIDPwithindirectCRLTest22EE.crt
+p p 6.1.5.502 ValidIDPwithindirectCRLTest24EE.crt
+p p 6.1.5.503 ValidIDPwithindirectCRLTest25EE.crt
+p p 6.1.5.73 ValidLongSerialNumberTest16EE.crt
+p p 6.1.5.74 ValidLongSerialNumberTest17EE.crt
+p p 6.1.5.28 ValidNameChainingCapitalizationTest5EE.crt
+p p 6.1.5.26 ValidNameChainingWhitespaceTest3EE.crt
+p p 6.1.5.27 ValidNameChainingWhitespaceTest4EE.crt
+p p 6.1.5.31 ValidNameUIDsTest6EE.crt
+p p 6.1.5.69 ValidNegativeSerialNumberTest14EE.crt
+p p 6.1.5.467 ValidNoissuingDistributionPointTest10EE.crt
+p p 6.1.5.303 ValidPolicyMappingTest11EE.crt
+p p 6.1.5.304 ValidPolicyMappingTest12EE.crt
+p p 6.1.5.307 ValidPolicyMappingTest13EE.crt
+p p 6.1.5.308 ValidPolicyMappingTest14EE.crt
+p p 6.1.5.275 ValidPolicyMappingTest1EE.crt
+p p 6.1.5.283 ValidPolicyMappingTest3EE.crt
+p p 6.1.5.289 ValidPolicyMappingTest5EE.crt
+p p 6.1.5.290 ValidPolicyMappingTest6EE.crt
+p p 6.1.5.299 ValidPolicyMappingTest9EE.crt
+p p 6.1.5.549 ValidRFC3280MandatoryAttributeTypesTest7EE.crt
+p p 6.1.5.552 ValidRFC3280OptionalAttributeTypesTest8EE.crt
+p p 6.1.5.421 ValidRFC822nameConstraintsTest21EE.crt
+p p 6.1.5.425 ValidRFC822nameConstraintsTest23EE.crt
+p p 6.1.5.429 ValidRFC822nameConstraintsTest25EE.crt
+p p 6.1.5.558 ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt
+p p 6.1.5.373 ValidSelfIssuedinhibitAnyPolicyTest7EE.crt
+   
+p p 6.1.5.378 ValidSelfIssuedinhibitAnyPolicyTest9EE.crt
+   
+p p 6.1.5.342 ValidSelfIssuedinhibitPolicyMappingTest7EE.crt
+   
+p ? 6.1.5.140 ValidSelfIssuedpathLenConstraintTest15EE.crt
+   
+p p 6.1.5.150 ValidSelfIssuedpathLenConstraintTest17EE.crt
+   
+p ? 6.1.5.267 ValidSelfIssuedrequireExplicitPolicyTest6EE.crt
+   
+p ? 6.1.5.566 ValidSeparateCertificateandCRLKeysTest19EE.crt
+   
+p p 6.1.5.50 ValidTwoCRLsTest7EE.crt
+p p 6.1.5.446 ValidURInameConstraintsTest34EE.crt
+p p 6.1.5.450 ValidURInameConstraintsTest36EE.crt
+p p 6.1.5.561 ValidUTF8StringCaseInsensitiveMatchTest11EE.crt
+p p 6.1.5.555 ValidUTF8StringEncodedNamesTest9EE.crt
+p p 6.1.5.545 ValidUnknownNotCriticalCertificateExtensionTest1EE.crt
+p p 6.1.5.106 ValidbasicConstraintsNotCriticalTest4EE.crt
+p p 6.1.5.510 ValidcRLIssuerTest28EE.crt
+p p 6.1.5.511 ValidcRLIssuerTest29EE.crt
+p p 6.1.5.515 ValidcRLIssuerTest30EE.crt
+p p 6.1.5.521 ValidcRLIssuerTest33EE.crt
+p p 6.1.5.530 ValiddeltaCRLTest2EE.crt
+p p 6.1.5.533 ValiddeltaCRLTest5EE.crt
+p p 6.1.5.535 ValiddeltaCRLTest7EE.crt
+p p 6.1.5.539 ValiddeltaCRLTest8EE.crt
+p p 6.1.5.454 ValiddistributionPointTest1EE.crt
+p p 6.1.5.457 ValiddistributionPointTest4EE.crt
+p p 6.1.5.460 ValiddistributionPointTest5EE.crt
+p p 6.1.5.462 ValiddistributionPointTest7EE.crt
+p p 6.1.5.353 ValidinhibitAnyPolicyTest2EE.crt
+p p 6.1.5.318 ValidinhibitPolicyMappingTest2EE.crt
+p p 6.1.5.322 ValidinhibitPolicyMappingTest4EE.crt
+p p 6.1.5.159 ValidkeyUsageNotCriticalTest3EE.crt
+p p 6.1.5.474 ValidonlyContainsCACertsTest13EE.crt
+p p 6.1.5.490 ValidonlySomeReasonsTest18EE.crt
+p p 6.1.5.494 ValidonlySomeReasonsTest19EE.crt
+p p 6.1.5.137 ValidpathLenConstraintTest13EE.crt
+p p 6.1.5.138 ValidpathLenConstraintTest14EE.crt
+p p 6.1.5.113 ValidpathLenConstraintTest7EE.crt
+p p 6.1.5.114 ValidpathLenConstraintTest8EE.crt
+p p 6.1.5.14 Validpre2000UTCnotBeforeDateTest3EE.crt
+p p 6.1.5.227 ValidrequireExplicitPolicyTest1EE.crt
+p p 6.1.5.236 ValidrequireExplicitPolicyTest2EE.crt
+p p 6.1.5.254 ValidrequireExplicitPolicyTest4EE.crt
+p p 6.1.5.44 WrongCRLCACert.crt
+p p 6.1.5.205 anyPolicyCACert.crt
+p p 6.1.5.98 basicConstraintsCriticalcAFalseCACert.crt
+p p 6.1.5.104 basicConstraintsNotCriticalCACert.crt
+p p 6.1.5.101 basicConstraintsNotCriticalcAFalseCACert.crt
+p p 6.1.5.527 deltaCRLCA1Cert.crt
+p p 6.1.5.536 deltaCRLCA2Cert.crt
+p p 6.1.5.541 deltaCRLCA3Cert.crt
+p p 6.1.5.524 deltaCRLIndicatorNoBaseCACert.crt
+p p 6.1.5.452 distributionPoint1CACert.crt
+p p 6.1.5.458 distributionPoint2CACert.crt
+p p 6.1.5.497 indirectCRLCA1Cert.crt
+p p 6.1.5.501 indirectCRLCA2Cert.crt
+p p 6.1.5.506 indirectCRLCA3Cert.crt
+p p 6.1.5.508 indirectCRLCA3cRLIssuerCert.crt
+p p 6.1.5.512 indirectCRLCA4Cert.crt
+p p 6.1.5.513 indirectCRLCA4cRLIssuerCert.crt
+p p 6.1.5.516 indirectCRLCA5Cert.crt
+p p 6.1.5.518 indirectCRLCA6Cert.crt
+p p 6.1.5.350 inhibitAnyPolicy0CACert.crt
+p p 6.1.5.354 inhibitAnyPolicy1CACert.crt
+   
+p ? 6.1.5.370 inhibitAnyPolicy1SelfIssuedCACert.crt
+p ? 6.1.5.377 inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt
+   
+p p 6.1.5.356 inhibitAnyPolicy1subCA1Cert.crt
+   
+? ? 6.1.5.371 inhibitAnyPolicy1subCA2Cert.crt
+   
+p p 6.1.5.367 inhibitAnyPolicy1subCAIAP5Cert.crt
+p p 6.1.5.374 inhibitAnyPolicy1subsubCA2Cert.crt
+p p 6.1.5.360 inhibitAnyPolicy5CACert.crt
+p p 6.1.5.362 inhibitAnyPolicy5subCACert.crt
+p p 6.1.5.364 inhibitAnyPolicy5subsubCACert.crt
+p p 6.1.5.358 inhibitAnyPolicyTest3EE.crt
+p p 6.1.5.309 inhibitPolicyMapping0CACert.crt
+p p 6.1.5.311 inhibitPolicyMapping0subCACert.crt
+p p 6.1.5.314 inhibitPolicyMapping1P12CACert.crt
+p p 6.1.5.316 inhibitPolicyMapping1P12subCACert.crt
+p p 6.1.5.332 inhibitPolicyMapping1P12subCAIPM5Cert.crt
+p p 6.1.5.319 inhibitPolicyMapping1P12subsubCACert.crt
+p p 6.1.5.334 inhibitPolicyMapping1P12subsubCAIPM5Cert.crt
+p p 6.1.5.337 inhibitPolicyMapping1P1CACert.crt
+   
 # For yet unknown reasons gpgsm claims a bad signature.
-? ? pathLenConstraint1SelfIssuedCACert.crt
-? ? pathLenConstraint1SelfIssuedsubCACert.crt
-? ? pathLenConstraint1subCACert.crt
-
-p p pathLenConstraint6CACert.crt
-p p pathLenConstraint6subCA0Cert.crt
-p p pathLenConstraint6subCA1Cert.crt
-p p pathLenConstraint6subCA4Cert.crt
-p p pathLenConstraint6subsubCA00Cert.crt
-p p pathLenConstraint6subsubCA11Cert.crt
-p p pathLenConstraint6subsubCA41Cert.crt
-p p pathLenConstraint6subsubsubCA11XCert.crt
-p p pathLenConstraint6subsubsubCA41XCert.crt
-p p pre2000CRLnextUpdateCACert.crt
-p p requireExplicitPolicy0CACert.crt
-p p requireExplicitPolicy0subCACert.crt
-p p requireExplicitPolicy0subsubCACert.crt
-p p requireExplicitPolicy0subsubsubCACert.crt
-p p requireExplicitPolicy10CACert.crt
-p p requireExplicitPolicy10subCACert.crt
-p p requireExplicitPolicy10subsubCACert.crt
-p p requireExplicitPolicy10subsubsubCACert.crt
-p p requireExplicitPolicy2CACert.crt
-
+? ? 6.1.5.339 inhibitPolicyMapping1P1SelfIssuedCACert.crt
+? ? 6.1.5.347 inhibitPolicyMapping1P1SelfIssuedsubCACert.crt
+? ? 6.1.5.340 inhibitPolicyMapping1P1subCACert.crt
+   
+p p 6.1.5.343 inhibitPolicyMapping1P1subsubCACert.crt
+p p 6.1.5.323 inhibitPolicyMapping5CACert.crt
+p p 6.1.5.325 inhibitPolicyMapping5subCACert.crt
+p p 6.1.5.327 inhibitPolicyMapping5subsubCACert.crt
+p p 6.1.5.329 inhibitPolicyMapping5subsubsubCACert.crt
+p p 6.1.5.160 keyUsageCriticalcRLSignFalseCACert.crt
+p p 6.1.5.151 keyUsageCriticalkeyCertSignFalseCACert.crt
+p p 6.1.5.157 keyUsageNotCriticalCACert.crt
+p p 6.1.5.163 keyUsageNotCriticalcRLSignFalseCACert.crt
+p p 6.1.5.154 keyUsageNotCriticalkeyCertSignFalseCACert.crt
+p p 6.1.5.380 nameConstraintsDN1CACert.crt
+   
+? ? 6.1.5.416 nameConstraintsDN1SelfIssuedCACert.crt
+   
+p p 6.1.5.401 nameConstraintsDN1subCA1Cert.crt
+p p 6.1.5.404 nameConstraintsDN1subCA2Cert.crt
+p p 6.1.5.431 nameConstraintsDN1subCA3Cert.crt
+p p 6.1.5.386 nameConstraintsDN2CACert.crt
+p p 6.1.5.389 nameConstraintsDN3CACert.crt
+p p 6.1.5.408 nameConstraintsDN3subCA1Cert.crt
+p p 6.1.5.412 nameConstraintsDN3subCA2Cert.crt
+p p 6.1.5.393 nameConstraintsDN4CACert.crt
+p p 6.1.5.397 nameConstraintsDN5CACert.crt
+p p 6.1.5.436 nameConstraintsDNS1CACert.crt
+p p 6.1.5.440 nameConstraintsDNS2CACert.crt
+p p 6.1.5.419 nameConstraintsRFC822CA1Cert.crt
+p p 6.1.5.423 nameConstraintsRFC822CA2Cert.crt
+p p 6.1.5.427 nameConstraintsRFC822CA3Cert.crt
+p p 6.1.5.444 nameConstraintsURI1CACert.crt
+p p 6.1.5.448 nameConstraintsURI2CACert.crt
+p p 6.1.5.475 onlyContainsAttributeCertsCACert.crt
+p p 6.1.5.471 onlyContainsCACertsCACert.crt
+p p 6.1.5.468 onlyContainsUserCertsCACert.crt
+p p 6.1.5.478 onlySomeReasonsCA1Cert.crt
+p p 6.1.5.483 onlySomeReasonsCA2Cert.crt
+p p 6.1.5.487 onlySomeReasonsCA3Cert.crt
+p p 6.1.5.491 onlySomeReasonsCA4Cert.crt
+p p 6.1.5.107 pathLenConstraint0CACert.crt
+   
+? ? 6.1.5.139 pathLenConstraint0SelfIssuedCACert.crt
+? ? 6.1.5.141 pathLenConstraint0subCA2Cert.crt
+   
+p p 6.1.5.109 pathLenConstraint0subCACert.crt
+p p 6.1.5.144 pathLenConstraint1CACert.crt
+   
+? ? 6.1.5.146 pathLenConstraint1SelfIssuedCACert.crt
+? ? 6.1.5.149 pathLenConstraint1SelfIssuedsubCACert.crt
+? ? 6.1.5.147 pathLenConstraint1subCACert.crt
+   
+p p 6.1.5.115 pathLenConstraint6CACert.crt
+p p 6.1.5.117 pathLenConstraint6subCA0Cert.crt
+p p 6.1.5.123 pathLenConstraint6subCA1Cert.crt
+p p 6.1.5.131 pathLenConstraint6subCA4Cert.crt
+p p 6.1.5.119 pathLenConstraint6subsubCA00Cert.crt
+p p 6.1.5.125 pathLenConstraint6subsubCA11Cert.crt
+p p 6.1.5.133 pathLenConstraint6subsubCA41Cert.crt
+p p 6.1.5.127 pathLenConstraint6subsubsubCA11XCert.crt
+p p 6.1.5.135 pathLenConstraint6subsubsubCA41XCert.crt
+p p 6.1.5.61 pre2000CRLnextUpdateCACert.crt
+p p 6.1.5.246 requireExplicitPolicy0CACert.crt
+p p 6.1.5.248 requireExplicitPolicy0subCACert.crt
+p p 6.1.5.250 requireExplicitPolicy0subsubCACert.crt
+p p 6.1.5.252 requireExplicitPolicy0subsubsubCACert.crt
+p p 6.1.5.219 requireExplicitPolicy10CACert.crt
+p p 6.1.5.221 requireExplicitPolicy10subCACert.crt
+p p 6.1.5.223 requireExplicitPolicy10subsubCACert.crt
+p p 6.1.5.225 requireExplicitPolicy10subsubsubCACert.crt
+p p 6.1.5.264 requireExplicitPolicy2CACert.crt
+   
 # For yet unknown reasons gpgsm claims a bad signature.
-? ? requireExplicitPolicy2SelfIssuedCACert.crt
-? ? requireExplicitPolicy2SelfIssuedsubCACert.crt
-? ? requireExplicitPolicy2subCACert.crt
-
-p p requireExplicitPolicy4CACert.crt
-p p requireExplicitPolicy4subCACert.crt
-p p requireExplicitPolicy4subsubCACert.crt
-p p requireExplicitPolicy4subsubsubCACert.crt
-p p requireExplicitPolicy5CACert.crt
-p p requireExplicitPolicy5subCACert.crt
-p p requireExplicitPolicy5subsubCACert.crt
-p p requireExplicitPolicy5subsubsubCACert.crt
-p p requireExplicitPolicy7CACert.crt
-p p requireExplicitPolicy7subCARE2Cert.crt
-p p requireExplicitPolicy7subsubCARE2RE4Cert.crt
-p p requireExplicitPolicy7subsubsubCARE2RE4Cert.crt
-
+? ? 6.1.5.266 requireExplicitPolicy2SelfIssuedCACert.crt
+? ? 6.1.5.271 requireExplicitPolicy2SelfIssuedsubCACert.crt
+? ? 6.1.5.268 requireExplicitPolicy2subCACert.crt
+   
+p p 6.1.5.237 requireExplicitPolicy4CACert.crt
+p p 6.1.5.239 requireExplicitPolicy4subCACert.crt
+p p 6.1.5.241 requireExplicitPolicy4subsubCACert.crt
+p p 6.1.5.243 requireExplicitPolicy4subsubsubCACert.crt
+p p 6.1.5.228 requireExplicitPolicy5CACert.crt
+p p 6.1.5.230 requireExplicitPolicy5subCACert.crt
+p p 6.1.5.232 requireExplicitPolicy5subsubCACert.crt
+p p 6.1.5.234 requireExplicitPolicy5subsubsubCACert.crt
+p p 6.1.5.255 requireExplicitPolicy7CACert.crt
+p p 6.1.5.257 requireExplicitPolicy7subCARE2Cert.crt
+p p 6.1.5.259 requireExplicitPolicy7subsubCARE2RE4Cert.crt
+p p 6.1.5.261 requireExplicitPolicy7subsubsubCARE2RE4Cert.crt
+   
diff --git a/tests/pkits/inhibit-any-policy b/tests/pkits/inhibit-any-policy
new file mode 100644
index 000000000..5e625e253
--- /dev/null
+++ b/tests/pkits/inhibit-any-policy
@@ -0,0 +1,31 @@
+#!/bin/sh
+# inhibit-any-policy - PKITS Test 4.12                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.12
+description="Inhibit Any Policy"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/inhibit-policy-mapping b/tests/pkits/inhibit-policy-mapping
new file mode 100644
index 000000000..1da5f3596
--- /dev/null
+++ b/tests/pkits/inhibit-policy-mapping
@@ -0,0 +1,31 @@
+#!/bin/sh
+# inhibit-policy-mapping - PKITS Test 4.11                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.11
+description="Inhibit Policy Mapping"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/inittests b/tests/pkits/inittests
index e5d136fd9..d9b47bc6d 100755
--- a/tests/pkits/inittests
+++ b/tests/pkits/inittests
@@ -74,7 +74,9 @@ no-secmem-warning
 no-greeting
 batch
 disable-crl-checks
+disable-dirmngr
 agent-program ../../agent/gpg-agent
+no-common-certs-import
 EOF
 
 # Fixme: we need to write a dummy pinentry program
diff --git a/tests/pkits/key-usage b/tests/pkits/key-usage
new file mode 100644
index 000000000..b830cc5ea
--- /dev/null
+++ b/tests/pkits/key-usage
@@ -0,0 +1,31 @@
+#!/bin/sh
+# key-usage - PKITS Test 4.7                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.7
+description="Key Usage"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/name-constraints b/tests/pkits/name-constraints
new file mode 100644
index 000000000..8e36c28d2
--- /dev/null
+++ b/tests/pkits/name-constraints
@@ -0,0 +1,31 @@
+#!/bin/sh
+# name-constraints - PKITS Test 4.13                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.13
+description="Name Constraints"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/policy-mappings b/tests/pkits/policy-mappings
new file mode 100644
index 000000000..8ce9ee871
--- /dev/null
+++ b/tests/pkits/policy-mappings
@@ -0,0 +1,31 @@
+#!/bin/sh
+# policy-mappings - PKITS Test 4.10                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.10
+description="Policy Mappings"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/private-certificate-extensions b/tests/pkits/private-certificate-extensions
new file mode 100644
index 000000000..43f342504
--- /dev/null
+++ b/tests/pkits/private-certificate-extensions
@@ -0,0 +1,31 @@
+#!/bin/sh
+# private-certificate-extensions - PKITS Test 4.16                 -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.16
+description="Private Certificate Extensions"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/require-explicit-policy b/tests/pkits/require-explicit-policy
new file mode 100644
index 000000000..ceb87bdb7
--- /dev/null
+++ b/tests/pkits/require-explicit-policy
@@ -0,0 +1,31 @@
+#!/bin/sh
+# require-explicit-policy - PKITS Test 4.9                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.9
+description="Require Explicit Policy"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/signature-verification b/tests/pkits/signature-verification
new file mode 100644
index 000000000..45bdcf7f2
--- /dev/null
+++ b/tests/pkits/signature-verification
@@ -0,0 +1,31 @@
+#!/bin/sh
+# signature-verification - PKITS Test 4.1                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.1
+description="Signature Verification"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/validate-all-certs b/tests/pkits/validate-all-certs
index 08f72af71..1c1856c49 100755
--- a/tests/pkits/validate-all-certs
+++ b/tests/pkits/validate-all-certs
@@ -1,12 +1,12 @@
 #!/bin/sh
-# validate-all-certs                                    -*- sh -*-
-# Copyright (C) 2004 Free Software Foundation, Inc.  
+# validate-all-certs - GnuPG import and validate tests       -*- sh -*-
+# Copyright (C) 2004, 2008 Free Software Foundation, Inc.  
 #
 # This file is part of GnuPG.
 # 
 # GnuPG is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
+# the Free Software Foundation; either version 3 of the License, or
 # (at your option) any later version.
 # 
 # GnuPG is distributed in the hope that it will be useful,
@@ -15,16 +15,19 @@
 # GNU General Public License for more details.
 # 
 # You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
-# USA.
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
 
 . ${srcdir:-.}/common.sh || exit 2
 
-while read dummy flag name; do 
+section=6
+description="GnuPG Import with Validation"
+info "Running $description tests"
+
+while read dummy flag section name; do 
     case $dummy in \#*) continue;; esac
-    [ -z "$dummy" ] && continue;
+    [ -z "$(echo $dummy)" ] && continue;
 
+    description="import and validate $name"
     if ${GPGSM} -q --import --with-validation --disable-crl-checks \
              certs/$name ; then
         if [ "$flag" = 'p' ]; then
diff --git a/tests/pkits/validity-periods b/tests/pkits/validity-periods
new file mode 100644
index 000000000..df747533c
--- /dev/null
+++ b/tests/pkits/validity-periods
@@ -0,0 +1,31 @@
+#!/bin/sh
+# validity-periods - PKITS Test 4.2                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.2
+description="Validity Periods"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/verifying-basic-constraints b/tests/pkits/verifying-basic-constraints
new file mode 100644
index 000000000..0e052f359
--- /dev/null
+++ b/tests/pkits/verifying-basic-constraints
@@ -0,0 +1,31 @@
+#!/bin/sh
+# verifying-basic-constraints - PKITS Test 4.6                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.6
+description="Verifying Basic Constraints"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/verifying-name-chaining b/tests/pkits/verifying-name-chaining
new file mode 100644
index 000000000..9bdbb5918
--- /dev/null
+++ b/tests/pkits/verifying-name-chaining
@@ -0,0 +1,31 @@
+#!/bin/sh
+# verifying-name-chaining - PKITS Test 4.3                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.3
+description="Verifying Name Chaining"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/verifying-paths-self-issued b/tests/pkits/verifying-paths-self-issued
new file mode 100644
index 000000000..443d7adb9
--- /dev/null
+++ b/tests/pkits/verifying-paths-self-issued
@@ -0,0 +1,31 @@
+#!/bin/sh
+# verifying-paths-self-issued - PKITS Test 4.5                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.5
+description="Verifying Paths with Self-Issued Certificates"
+info "Running $description tests"
+
+
+
+
+
+
+final_result