-rw-r--r--ChangeLog5
-rw-r--r--NEWS3
-rw-r--r--TODO7
-rw-r--r--configure.ac21
-rw-r--r--doc/gpgsm.texi14
-rw-r--r--po/de.po56
-rw-r--r--scd/sc-investigate.c2
-rw-r--r--sm/ChangeLog15
-rw-r--r--sm/certchain.c16
-rw-r--r--sm/certcheck.c138
-rw-r--r--sm/gpgsm.c8
-rw-r--r--sm/gpgsm.h1
-rw-r--r--sm/import.c39
-rw-r--r--tests/ChangeLog4
-rw-r--r--tests/pkits/ChangeLog18
-rw-r--r--tests/pkits/Makefile.am69
-rw-r--r--tests/pkits/PKITS_data.tar.bz2bin0 -> 1155744 bytes
-rw-r--r--tests/pkits/README9
-rw-r--r--tests/pkits/common.sh135
-rwxr-xr-xtests/pkits/import-all-certs53
-rw-r--r--tests/pkits/import-all-certs.data490
-rwxr-xr-xtests/pkits/inittests94
-rwxr-xr-xtests/pkits/runtest4
-rwxr-xr-xtests/pkits/validate-all-certs55
24 files changed, 1158 insertions, 98 deletions
diff --git a/ChangeLog b/ChangeLog
index 7b14b7944..86bd01bff 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2004-08-16 Werner Koch <wk@g10code.de>
+
+ * configure.ac: Build Makefile for tests/pkits. New option
+ --with-pkits-tests.
+
2004-08-05 Werner Koch <wk@g10code.de>
* configure.ac: Changed tests for libusb to also suuport the
diff --git a/NEWS b/NEWS
index df35b570e..2fbf6475e 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,9 @@
Noteworthy changes in version 1.9.11
-------------------------------------------------
+ * When using --import along with --with-validation, the imported
+ certificates are validated and only imported if they are fully
+ valid.
Noteworthy changes in version 1.9.10 (2004-07-22)
-------------------------------------------------
diff --git a/TODO b/TODO
index 6e5c8cfb8..ce0db37aa 100644
--- a/TODO
+++ b/TODO
@@ -35,6 +35,8 @@ might want to have an agent context for each service request
while gpg-protect-tool wants to pop up the pinentry. Solution is
to release the connection. This is not trivial, thus we are going
to do that while changing gpgsm to allow concurrent operations.
+** support the anyPolicy semantic
+** Check that we are really following the verification procedures in rfc3280.
* sm/keydb.c
** Check file permissions
@@ -44,14 +46,15 @@ might want to have an agent context for each service request
* agent/gpg-agent.c
** A SIGHUP should also restart the scdaemon
- But do this only after all connections terminated.
- As of now we only send a RESET.
+ But do this only after all connections terminated. As of now we
+ only send a RESET.
* agent/command.c
** Make sure that secure memory is used where appropriate
* agent/pkdecrypt.c, agent/pksign.c
** Don't use stdio to return results.
+** Support DSA
* agent/divert-scd.c
Remove the agent_reset_scd kludge.
diff --git a/configure.ac b/configure.ac
index f34faf469..d04475f6b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -940,6 +940,14 @@ else
fi
AC_SUBST(ZLIBS)
+
+# See wether we want to run the long test suite.
+AC_ARG_WITH(pkits-tests,
+ AC_HELP_STRING([--with-pkits-tests],[run the PKITS based tests]),
+ [run_pkits_tests=$withval], [run_pkits_tests=no])
+AM_CONDITIONAL(RUN_PKITS_TESTS, test "$run_pkits_tests" = "yes")
+
+
# Allow users to append something to the version string without
# flagging it as development version. The user version parts is
# considered everything after a dash.
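Review bot: The RUN_PKITS_TESTS conditional defined here is not referenced by the tests/pkits/Makefile.am added in this commit, which sets `TESTS = $(testscripts)` unconditionally. Unless tests/Makefile.am (not part of this diff) gates the subdirectory on it, the option has no effect on whether the long suite runs. Separately, any value other than `yes` (for example `--with-pkits-tests=1`) leaves the conditional false while the summary prints the raw value; normalising it with `AS_IF([test "x$withval" != xno], [run_pkits_tests=yes], [run_pkits_tests=no])` would keep the two in step. The comment also has a typo, "wether" for "whether".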
@@ -1121,6 +1129,7 @@ scd/Makefile
tools/Makefile
doc/Makefile
tests/Makefile
+tests/pkits/Makefile
])
AC_OUTPUT
@@ -1137,10 +1146,12 @@ echo "
Agent: $build_agent $build_agent_threaded
Smartcard: $build_scdaemon $build_scdaemon_extra
- Protect tool: $show_gnupg_protect_tool_pgm
- Default agent: $show_gnupg_agent_pgm
- Default pinentry: $show_gnupg_pinentry_pgm
- Default scdaemon: $show_gnupg_scdaemon_pgm
- Default dirmngr: $show_gnupg_dirmngr_pgm
+ Protect tool: $show_gnupg_protect_tool_pgm
+ Default agent: $show_gnupg_agent_pgm
+ Default pinentry: $show_gnupg_pinentry_pgm
+ Default scdaemon: $show_gnupg_scdaemon_pgm
+ Default dirmngr: $show_gnupg_dirmngr_pgm
+
+ PKITS based tests: $run_pkits_tests
"
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index 2f1033e3f..c79622342 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@@ -358,7 +358,13 @@ secret key.
@opindex with-validation
When doing a key listing, do a full validation check for each key and
print the result. This is usually a slow operation because it
-requires a CRL lookup and other operations.
+requires a CRL lookup and other operations.
+
+When used along with --import, a validation of the certificate to
+import is done and only imported if it succeeds the test. Note that
+this does not affect an already available cwertificate in the DB.
+This option is therefore useful to simply verify a certificate.
+
@item --with-md5-fingerprint
For standard key listings, also print the MD5 fingerprint of the
@@ -470,6 +476,12 @@ This is actually not a debugging option but only useful as such. It
lets gpgsm ignore all notAfter dates, this is used by the regresssion
tests.
+@item --fixed-passphrase @var{string}
+@opindex fixed-passphrase
+Supply the passphrase @var{string} to the gpg-protect-tool. This
+option is only useful for the regression tests included with this
+package and may be revised or removed at any time without notice.
+
@end table
All the long options may also be given in the configuration file after
diff --git a/po/de.po b/po/de.po
index 4dbe66e8a..06ae4320e 100644
--- a/po/de.po
+++ b/po/de.po
@@ -10,7 +10,7 @@ msgid ""
msgstr ""
"Project-Id-Version: gnupg2 1.9.10\n"
"Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"POT-Creation-Date: 2004-07-22 09:54+0200\n"
+"POT-Creation-Date: 2004-08-05 11:31+0200\n"
"PO-Revision-Date: 2004-07-22 10:05+0200\n"
"Last-Translator: Werner Koch <wk@gnupg.org>\n"
"Language-Team: de\n"
@@ -18,7 +18,7 @@ msgstr ""
"Content-Type: text/plain; charset=iso-8859-1\n"
"Content-Transfer-Encoding: 8bit\n"
-#: agent/gpg-agent.c:96 agent/protect-tool.c:94 scd/scdaemon.c:92
+#: agent/gpg-agent.c:96 agent/protect-tool.c:94 scd/scdaemon.c:93
msgid ""
"@Options:\n"
" "
@@ -26,28 +26,28 @@ msgstr ""
"@Optionen:\n"
" "
-#: agent/gpg-agent.c:98 scd/scdaemon.c:94
+#: agent/gpg-agent.c:98 scd/scdaemon.c:95
msgid "run in server mode (foreground)"
msgstr "Im Server Modus ausführen"
-#: agent/gpg-agent.c:99 scd/scdaemon.c:95
+#: agent/gpg-agent.c:99 scd/scdaemon.c:96
msgid "run in daemon mode (background)"
msgstr "Im Daemon Modus ausführen"
-#: agent/gpg-agent.c:100 kbx/kbxutil.c:75 scd/scdaemon.c:96 sm/gpgsm.c:313
+#: agent/gpg-agent.c:100 kbx/kbxutil.c:75 scd/scdaemon.c:97 sm/gpgsm.c:313
#: tools/gpgconf.c:62
msgid "verbose"
msgstr "ausführlich"
-#: agent/gpg-agent.c:101 kbx/kbxutil.c:76 scd/scdaemon.c:97 sm/gpgsm.c:314
+#: agent/gpg-agent.c:101 kbx/kbxutil.c:76 scd/scdaemon.c:98 sm/gpgsm.c:314
msgid "be somewhat more quiet"
msgstr "etwas weniger Aussageb erzeugen"
-#: agent/gpg-agent.c:102 scd/scdaemon.c:98
+#: agent/gpg-agent.c:102 scd/scdaemon.c:99
msgid "sh-style command output"
msgstr "Ausgabe für /bin/sh"
-#: agent/gpg-agent.c:103 scd/scdaemon.c:99
+#: agent/gpg-agent.c:103 scd/scdaemon.c:100
msgid "csh-style command output"
msgstr "Ausgabe für /bin/csh"
@@ -55,7 +55,7 @@ msgstr "Ausgabe für /bin/csh"
msgid "|FILE|read options from FILE"
msgstr "|DATEI|Konfigurationsoptionen aus DATEI lesen"
-#: agent/gpg-agent.c:109 scd/scdaemon.c:106
+#: agent/gpg-agent.c:109 scd/scdaemon.c:107
msgid "do not detach from the console"
msgstr "Im Vordergrund laufen lassen"
@@ -63,7 +63,7 @@ msgstr "Im Vordergrund laufen lassen"
msgid "do not grab keyboard and mouse"
msgstr "Tastatur und Maus nicht \"grabben\""
-#: agent/gpg-agent.c:111 scd/scdaemon.c:107 sm/gpgsm.c:316
+#: agent/gpg-agent.c:111 scd/scdaemon.c:108 sm/gpgsm.c:316
msgid "use a log file for the server"
msgstr "Logausgaben in eine Datei umlenken"
@@ -99,12 +99,12 @@ msgstr "benutze PINs im Cache nicht bem Signieren"
msgid "allow clients to mark keys as \"trusted\""
msgstr "erlaube Aufrufern Schlüssel als \"vertrauenswürdig\" zu markieren"
-#: agent/gpg-agent.c:191 agent/protect-tool.c:127 scd/scdaemon.c:165
+#: agent/gpg-agent.c:191 agent/protect-tool.c:127 scd/scdaemon.c:168
#: sm/gpgsm.c:481 tools/gpgconf.c:85
msgid "Please report bugs to <"
msgstr "Fehlerberichte bitte an <"
-#: agent/gpg-agent.c:191 agent/protect-tool.c:127 scd/scdaemon.c:165
+#: agent/gpg-agent.c:191 agent/protect-tool.c:127 scd/scdaemon.c:168
#: sm/gpgsm.c:481 tools/gpgconf.c:85
msgid ">.\n"
msgstr ">.\n"
@@ -121,35 +121,35 @@ msgstr ""
"Syntax: gpg-agent [Optionen] [Kommando [Argumente]]\n"
"Verwaltung von geheimen Schlüssel für GnuPG\n"
-#: agent/gpg-agent.c:267 scd/scdaemon.c:239 sm/gpgsm.c:604
+#: agent/gpg-agent.c:267 scd/scdaemon.c:242 sm/gpgsm.c:604
#, c-format
msgid "invalid debug-level `%s' given\n"
msgstr "ungültige Debugebene `%s' angegeben\n"
#: agent/gpg-agent.c:439 agent/protect-tool.c:1040 kbx/kbxutil.c:232
-#: scd/scdaemon.c:352 sm/gpgsm.c:726
+#: scd/scdaemon.c:357 sm/gpgsm.c:726
#, c-format
msgid "libgcrypt is too old (need %s, have %s)\n"
msgstr ""
"Die Bibliothek \"libgcrypt\" is zu alt (benötigt wird %s, vorhanden ist %s)\n"
-#: agent/gpg-agent.c:512 scd/scdaemon.c:432 sm/gpgsm.c:824
+#: agent/gpg-agent.c:512 scd/scdaemon.c:437 sm/gpgsm.c:824
#, c-format
msgid "NOTE: no default option file `%s'\n"
msgstr "Notiz: Voreingestellte Konfigurationsdatei `%s' fehlt\n"
-#: agent/gpg-agent.c:517 agent/gpg-agent.c:983 scd/scdaemon.c:437
+#: agent/gpg-agent.c:517 agent/gpg-agent.c:983 scd/scdaemon.c:442
#: sm/gpgsm.c:828
#, c-format
msgid "option file `%s': %s\n"
msgstr "Konfigurationsdatei `%s': %s\n"
-#: agent/gpg-agent.c:525 scd/scdaemon.c:445 sm/gpgsm.c:835
+#: agent/gpg-agent.c:525 scd/scdaemon.c:450 sm/gpgsm.c:835
#, c-format
msgid "reading options from `%s'\n"
msgstr "Optionen werden aus `%s' gelesen\n"
-#: agent/gpg-agent.c:668 scd/scdaemon.c:619
+#: agent/gpg-agent.c:668 scd/scdaemon.c:630
msgid "please use the option `--daemon' to run the program in the background\n"
msgstr ""
"Bitte die Option `--daemon' nutzen um das Programm im Hintergund "
@@ -362,43 +362,43 @@ msgstr ""
"Syntax: kbxutil [Optionen] [Dateien]\n"
"Anlistem exportieren und Importieren von KeyBox Dateien\n"
-#: scd/scdaemon.c:100 sm/gpgsm.c:333
+#: scd/scdaemon.c:101 sm/gpgsm.c:333
msgid "read options from file"
msgstr "Konfigurationsoptionen aus Datei lesen"
-#: scd/scdaemon.c:105
+#: scd/scdaemon.c:106
msgid "|N|set OpenSC debug level to N"
msgstr "|N|Den OpenSC Debugstufe auf N setzen"
-#: scd/scdaemon.c:108
+#: scd/scdaemon.c:109
msgid "|N|connect to reader at port N"
msgstr "|N|Verbinde mit dem Leser auf Port N"
-#: scd/scdaemon.c:109
+#: scd/scdaemon.c:110
msgid "|NAME|use NAME as ct-API driver"
msgstr "|NAME|Benutze NAME als CT-API Treiber"
-#: scd/scdaemon.c:110
+#: scd/scdaemon.c:111
msgid "|NAME|use NAME as PC/SC driver"
msgstr "|NAME|Benutze NAME als PC/SC Treiber"
-#: scd/scdaemon.c:113
+#: scd/scdaemon.c:114
msgid "do not use the internal CCID driver"
msgstr "Den internen CCID Treiber nicht benutzen"
-#: scd/scdaemon.c:120
+#: scd/scdaemon.c:121
msgid "do not use the OpenSC layer"
msgstr "Den OpenSC basierten Kartenzugriff nicht nutzen"
-#: scd/scdaemon.c:125
+#: scd/scdaemon.c:126
msgid "allow the use of admin card commands"
msgstr "Erlaube die Benuztung von \"Admin\" Kommandos"
-#: scd/scdaemon.c:168
+#: scd/scdaemon.c:171
msgid "Usage: scdaemon [options] (-h for help)"
msgstr "Gebrauch: scdaemon [Optionen] (-h für Hilfe)"
-#: scd/scdaemon.c:170
+#: scd/scdaemon.c:173
msgid ""
"Syntax: scdaemon [options] [command [args]]\n"
"Smartcard daemon for GnuPG\n"
diff --git a/scd/sc-investigate.c b/scd/sc-investigate.c
index 8d34ab77e..1f1920650 100644
--- a/scd/sc-investigate.c
+++ b/scd/sc-investigate.c
@@ -76,7 +76,7 @@ static ARGPARSE_OPTS opts[] = {
{ oQuiet, "quiet", 0, "quiet" },
{ oVerbose, "verbose", 0, "verbose" },
{ oReaderPort, "reader-port", 2, "|N|connect to reader at port N"},
- { octapiDriver, "ctapi-driver", 2, "NAME|use NAME as ctAPI driver"},
+ { octapiDriver, "ctapi-driver", 2, "|NAME|use NAME as ctAPI driver"},
{ oDisableCCID, "disable-ccid", 0,
#ifdef HAVE_LIBUSB
"do not use the internal CCID driver"
diff --git a/sm/ChangeLog b/sm/ChangeLog
index 51f46c335..951c8db17 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,5 +1,20 @@
+2004-08-17 Werner Koch <wk@g10code.de>
+
+ * import.c (check_and_store): Do a full validation if
+ --with-validation is set.
+
+ * certchain.c (gpgsm_basic_cert_check): Print more detailed error
+ messages.
+
+ * certcheck.c (do_encode_md): Partly support DSA. Add new arg
+ PKALGO. Changed all callers to pass it.
+ (pk_algo_from_sexp): New.
+
2004-08-16 Werner Koch <wk@g10code.de>
+ * gpgsm.c: New option --fixed-passphrase.
+ * import.c (popen_protect_tool): Pass it to the protect-tool.
+
* server.c (cmd_encrypt): Use DEFAULT_RECPLIST and not recplist
for encrypt-to keys.
diff --git a/sm/certchain.c b/sm/certchain.c
index 8d54767f8..2ce247f65 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -39,9 +39,9 @@
#include "i18n.h"
-/* If LISTMODE is true, print FORMAT in liting mode to FP. If
+/* If LISTMODE is true, print FORMAT using LISTMODE to FP. If
LISTMODE is false, use the string to print an log_info or, if
- IS_ERROR is true, an log_error. */
+ IS_ERROR is true, and log_error. */
static void
do_list (int is_error, int listmode, FILE *fp, const char *format, ...)
{
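Review bot: The reworded comment on do_list is harder to read than the text it replaces: "print FORMAT using LISTMODE to FP" no longer says what listing mode means, and "and log_error" turns the article into a conjunction. I would write `/* If LISTMODE is true, print FORMAT in listing mode to FP. If LISTMODE is false, use the string to print a log_info or, if IS_ERROR is true, a log_error. */`. The function body lies outside this hunk.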
@@ -925,9 +925,11 @@ gpgsm_basic_cert_check (ksba_cert_t cert)
if (subject && !strcmp (issuer, subject))
{
- if (gpgsm_check_cert_sig (cert, cert) )
+ rc = gpgsm_check_cert_sig (cert, cert);
+ if (rc)
{
- log_error ("selfsigned certificate has a BAD signature\n");
+ log_error ("selfsigned certificate has a BAD signature: %s\n",
+ gpg_strerror (rc));
rc = gpg_error (GPG_ERR_BAD_CERT);
goto leave;
}
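Review bot: Every non-zero return from gpgsm_check_cert_sig is still logged as "BAD signature" and then overwritten with GPG_ERR_BAD_CERT, here and in the issuer check in the next hunk. If that function can also fail for reasons such as an unsupported algorithm or an allocation error (its full body is not visible on this page), the caller and the log reader cannot tell those apart from a forged signature. A more neutral message such as `log_error ("checking the selfsigned certificate's signature failed: %s\n", gpg_strerror (rc));` would avoid the misleading wording. It may also be worth replacing rc only when `gpg_err_code (rc) == GPG_ERR_BAD_SIGNATURE`.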
@@ -960,9 +962,11 @@ gpgsm_basic_cert_check (ksba_cert_t cert)
goto leave;
}
- if (gpgsm_check_cert_sig (issuer_cert, cert) )
+ rc = gpgsm_check_cert_sig (issuer_cert, cert);
+ if (rc)
{
- log_error ("certificate has a BAD signature\n");
+ log_error ("certificate has a BAD signature: %s\n",
+ gpg_strerror (rc));
rc = gpg_error (GPG_ERR_BAD_CERT);
goto leave;
}
diff --git a/sm/certcheck.c b/sm/certcheck.c
index b5ed9914a..4f667cbbe 100644
--- a/sm/certcheck.c
+++ b/sm/certcheck.c
@@ -1,5 +1,5 @@
/* certcheck.c - check one certificate
- * Copyright (C) 2001, 2003 Free Software Foundation, Inc.
+ * Copyright (C) 2001, 2003, 2004 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
@@ -36,51 +36,71 @@
static int
-do_encode_md (gcry_md_hd_t md, int algo, unsigned int nbits,
+do_encode_md (gcry_md_hd_t md, int algo, int pkalgo, unsigned int nbits,
gcry_mpi_t *r_val)
{
- int nframe = (nbits+7) / 8;
- byte *frame;
- int i, n;
- byte asn[100];
- size_t asnlen;
- size_t len;
-
- asnlen = DIM(asn);
- if (gcry_md_algo_info (algo, GCRYCTL_GET_ASNOID, asn, &asnlen))
+ int n, nframe;
+ unsigned char *frame;
+
+ if (pkalgo == GCRY_PK_DSA)
{
- log_error ("no object identifier for algo %d\n", algo);
- return gpg_error (GPG_ERR_INTERNAL);
+ nframe = gcry_md_get_algo_dlen (algo);
+ if (nframe != 20)
+ {
+ log_error (_("DSA requires the use of a 160 bit hash algorithm\n"));
+ return gpg_error (GPG_ERR_INTERNAL);
+ }
+ frame = xtrymalloc (nframe);
+ if (!frame)
+ return OUT_OF_CORE (errno);
+ memcpy (frame, gcry_md_read (md, algo), nframe);
+ n = nframe;
}
-
- len = gcry_md_get_algo_dlen (algo);
-
- if ( len + asnlen + 4 > nframe )
+ else
{
- log_error ("can't encode a %d bit MD into a %d bits frame\n",
- (int)(len*8), (int)nbits);
- return gpg_error (GPG_ERR_INTERNAL);
+ int i;
+ unsigned char asn[100];
+ size_t asnlen;
+ size_t len;
+
+ nframe = (nbits+7) / 8;
+
+ asnlen = DIM(asn);
+ if (gcry_md_algo_info (algo, GCRYCTL_GET_ASNOID, asn, &asnlen))
+ {
+ log_error ("no object identifier for algo %d\n", algo);
+ return gpg_error (GPG_ERR_INTERNAL);
+ }
+
+ len = gcry_md_get_algo_dlen (algo);
+
+ if ( len + asnlen + 4 > nframe )
+ {
+ log_error ("can't encode a %d bit MD into a %d bits frame\n",
+ (int)(len*8), (int)nbits);
+ return gpg_error (GPG_ERR_INTERNAL);
+ }
+
+ /* We encode the MD in this way:
+ *
+ * 0 A PAD(n bytes) 0 ASN(asnlen bytes) MD(len bytes)
+ *
+ * PAD consists of FF bytes.
+ */
+ frame = xtrymalloc (nframe);
+ if (!frame)
+ return OUT_OF_CORE (errno);
+ n = 0;
+ frame[n++] = 0;
+ frame[n++] = 1; /* block type */
+ i = nframe - len - asnlen -3 ;
+ assert ( i > 1 );
+ memset ( frame+n, 0xff, i ); n += i;
+ frame[n++] = 0;
+ memcpy ( frame+n, asn, asnlen ); n += asnlen;
+ memcpy ( frame+n, gcry_md_read(md, algo), len ); n += len;
+ assert ( n == nframe );
}
-
- /* We encode the MD in this way:
- *
- * 0 A PAD(n bytes) 0 ASN(asnlen bytes) MD(len bytes)
- *
- * PAD consists of FF bytes.
- */
- frame = xtrymalloc (nframe);
- if (!frame)
- return OUT_OF_CORE (errno);
- n = 0;
- frame[n++] = 0;
- frame[n++] = 1; /* block type */
- i = nframe - len - asnlen -3 ;
- assert ( i > 1 );
- memset ( frame+n, 0xff, i ); n += i;
- frame[n++] = 0;
- memcpy ( frame+n, asn, asnlen ); n += asnlen;
- memcpy ( frame+n, gcry_md_read(md, algo), len ); n += len;
- assert ( n == nframe );
if (DBG_X509)
{
int j;
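Review bot: The `else` branch of do_encode_md applies the PKCS#1 frame to every pkalgo that is not GCRY_PK_DSA, including the 0 that pk_algo_from_sexp (added in the next hunk) returns for a key it does not recognise. Both callers, in gpgsm_check_cert_sig and gpgsm_check_cms_signature, pass that result straight through without checking it. An explicit guard at the top, `if (pkalgo != GCRY_PK_RSA && pkalgo != GCRY_PK_DSA) return gpg_error (GPG_ERR_PUBKEY_ALGO);`, would make an unknown key type fail closed instead of being treated as RSA. The DSA branch also copies from `gcry_md_read (md, algo)` without a NULL check, and the function comment could state that DSA gets the bare 160-bit digest while all other keys get the padded frame. The rest of the function lies outside this hunk.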
@@ -95,6 +115,38 @@ do_encode_md (gcry_md_hd_t md, int algo, unsigned int nbits,
return 0;
}
+/* Return the public key algorithm id from the S-expression PKEY.
+ FIXME: libgcrypt should provide such a function. Note that this
+ implementation uses the names as used by libksba. */
+static int
+pk_algo_from_sexp (gcry_sexp_t pkey)
+{
+ gcry_sexp_t l1, l2;
+ const char *name;
+ size_t n;
+ int algo;
+
+ l1 = gcry_sexp_find_token (pkey, "public-key", 0);
+ if (!l1)
+ return 0; /* Not found. */
+ l2 = gcry_sexp_cadr (l1);
+ gcry_sexp_release (l1);
+
+ name = gcry_sexp_nth_data (l2, 0, &n);
+ if (!name)
+ algo = 0; /* Not found. */
+ else if (n==3 && !memcmp (name, "rsa", 3))
+ algo = GCRY_PK_RSA;
+ else if (n==3 && !memcmp (name, "dsa", 3))
+ algo = GCRY_PK_DSA;
+ else if (n==13 && !memcmp (name, "ambiguous-rsa", 13))
+ algo = GCRY_PK_RSA;
+ else
+ algo = 0;
+ gcry_sexp_release (l2);
+ return algo;
+}
+
/*
Check the signature on CERT using the ISSUER-CERT. This function
@@ -182,7 +234,8 @@ gpgsm_check_cert_sig (ksba_cert_t issuer_cert, ksba_cert_t cert)
return rc;
}
- rc = do_encode_md (md, algo, gcry_pk_get_nbits (s_pkey), &frame);
+ rc = do_encode_md (md, algo, pk_algo_from_sexp (s_pkey),
+ gcry_pk_get_nbits (s_pkey), &frame);
if (rc)
{
gcry_md_close (md);
@@ -254,7 +307,8 @@ gpgsm_check_cms_signature (ksba_cert_t cert, ksba_const_sexp_t sigval,
}
- rc = do_encode_md (md, algo, gcry_pk_get_nbits (s_pkey), &frame);
+ rc = do_encode_md (md, algo, pk_algo_from_sexp (s_pkey),
+ gcry_pk_get_nbits (s_pkey), &frame);
if (rc)
{
gcry_sexp_release (s_sig);
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index 5fb80a0de..3331537b1 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -95,6 +95,7 @@ enum cmd_and_opt_values {
oDebugAllowCoreDump,
oDebugNoChainValidation,
oDebugIgnoreExpiration,
+ oFixedPassphrase,
oLogFile,
oEnableSpecialFilenames,
@@ -340,6 +341,7 @@ static ARGPARSE_OPTS opts[] = {
{ oDebugAllowCoreDump, "debug-allow-core-dump", 0, "@" },
{ oDebugNoChainValidation, "debug-no-chain-validation", 0, "@"},
{ oDebugIgnoreExpiration, "debug-ignore-expiration", 0, "@"},
+ { oFixedPassphrase, "fixed-passphrase", 2, "@"},
{ oStatusFD, "status-fd" ,1, N_("|FD|write status info to this FD") },
{ aDummy, "no-comment", 0, "@"},
{ aDummy, "completes-needed", 1, "@"},
@@ -706,6 +708,7 @@ main ( int argc, char **argv)
CERTLIST signerlist = NULL;
int do_not_setup_keys = 0;
+
/* trap_unaligned ();*/
set_strusage (my_strusage);
gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
@@ -802,10 +805,10 @@ main ( int argc, char **argv)
ctrl.status_fd = -1; /* not status output */
ctrl.autodetect_encoding = 1;
- /* set the default option file */
+ /* Set the default option file */
if (default_config )
configname = make_filename (opt.homedir, "gpgsm.conf", NULL);
- /* cet the default policy file */
+ /* Set the default policy file */
opt.policy_file = make_filename (opt.homedir, "policies.txt", NULL);
argc = orig_argc;
@@ -1019,6 +1022,7 @@ main ( int argc, char **argv)
break;
case oDebugNoChainValidation: opt.no_chain_validation = 1; break;
case oDebugIgnoreExpiration: opt.ignore_expiration = 1; break;
+ case oFixedPassphrase: opt.fixed_passphrase = pargs.r.ret_str; break;
case oStatusFD: ctrl.status_fd = pargs.r.ret_int; break;
case oLoggerFD: log_set_fd (pargs.r.ret_int ); break;
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index a1813462f..20a3c5ee9 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -100,6 +100,7 @@ struct {
int no_policy_check; /* ignore certificate policies */
int no_chain_validation; /* Bypass all cert chain validity tests */
int ignore_expiration; /* Ignore the notAfter validity checks. */
+ char *fixed_passphrase; /* Passphrase used by regression tests. */
int auto_issuer_key_retrieve; /* try to retrieve a missing issuer key. */
} opt;
diff --git a/sm/import.c b/sm/import.c
index c5581eb64..5d3484d92 100644
--- a/sm/import.c
+++ b/sm/import.c
@@ -172,13 +172,19 @@ check_and_store (CTRL ctrl, struct stats_s *stats, ksba_cert_t cert, int depth)
/* Some basic checks, but don't care about missing certificates;
this is so that we are able to import entire certificate chains
- w/o requirening a special order (i.e. root-CA first). This used
+ w/o requiring a special order (i.e. root-CA first). This used
to be different but because gpgsm_verify even imports
certificates without any checks, it doesn't matter much and the
code gets much cleaner. A housekeeping function to remove
- certificates w/o an anchor would be nice, though. */
+ certificates w/o an anchor would be nice, though.
+
+ Optionally we do a full validation in addition to the basic test.
+ */
rc = gpgsm_basic_cert_check (cert);
- if (!rc || gpg_err_code (rc) == GPG_ERR_MISSING_CERT)
+ if (!rc && ctrl->with_validation)
+ rc = gpgsm_validate_chain (ctrl, cert, NULL, 0, NULL, 0);
+ if (!rc || (!ctrl->with-validation
+ && gpg_err_code (rc) == GPG_ERR_MISSING_CERT) )
{
int existed;
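Review bot: The new condition spells the field `ctrl->with-validation`, which C parses as `ctrl->with - validation`. Unless both names happen to exist, this will not compile; the line above uses `ctrl->with_validation`, so the intended line is `if (!rc || (!ctrl->with_validation`. With that fixed the logic reads as intended: a missing issuer is tolerated only when full validation was not requested. A short comment saying so would help, since this is the check that decides whether an unvalidated certificate enters the keybox. check_and_store continues past the end of this hunk.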
@@ -527,14 +533,25 @@ popen_protect_tool (const char *pgmname,
setup_pinentry_env ();
- execlp (pgmname, arg0,
- "--homedir", opt.homedir,
- "--p12-import",
- "--store",
- "--no-fail-on-exist",
- "--enable-status-msg",
- "--",
- NULL);
+ if (opt.fixed_passphrase)
+ execlp (pgmname, arg0,
+ "--homedir", opt.homedir,
+ "--p12-import",
+ "--store",
+ "--no-fail-on-exist",
+ "--enable-status-msg",
+ "--passphrase", opt.fixed_passphrase,
+ "--",
+ NULL);
+ else
+ execlp (pgmname, arg0,
+ "--homedir", opt.homedir,
+ "--p12-import",
+ "--store",
+ "--no-fail-on-exist",
+ "--enable-status-msg",
+ "--",
+ NULL);
/* No way to print anything, as we have closed all streams. */
_exit (31);
}
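Review bot: Passing `opt.fixed_passphrase` as a `--passphrase` argument to execlp puts the passphrase in the child's argv, where other local users can usually read it from the process list. The same holds for gpgsm's own command line when `--fixed-passphrase` is given. The documentation added in this commit limits the option to the regression tests, but nothing in the code enforces or even states that. I would at least add `/* Test suite only: the passphrase ends up in argv and is visible to other local users. */` above the branch. The two execlp calls differ only in that one argument pair, so building a single argument vector and calling execvp would remove the duplication. popen_protect_tool starts before this hunk.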
diff --git a/tests/ChangeLog b/tests/ChangeLog
index 68f9b4e21..c012c2346 100644
--- a/tests/ChangeLog
+++ b/tests/ChangeLog
@@ -1,3 +1,7 @@
+2004-08-16 Werner Koch <wk@g10code.de>
+
+ * Makefile.am: Descend into the new pkits directory
+
2004-02-20 Werner Koch <wk@gnupg.org>
* Makefile.am: Reset GPG_AGENT_INFO here
diff --git a/tests/pkits/ChangeLog b/tests/pkits/ChangeLog
new file mode 100644
index 000000000..2f0b7ba0e
--- /dev/null
+++ b/tests/pkits/ChangeLog
@@ -0,0 +1,18 @@
+2004-08-16 Werner Koch <wk@g10code.de>
+
+ Started implementing PKITS based tests.
+
+
+ Copyright 2004 Free Software Foundation, Inc.
+
+ This file is free software; as a special exception the author gives
+ unlimited permission to copy and/or distribute it, with or without
+ modifications, as long as this notice is preserved.
+
+ This file is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+ implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
diff --git a/tests/pkits/Makefile.am b/tests/pkits/Makefile.am
new file mode 100644
index 000000000..41fdec497
--- /dev/null
+++ b/tests/pkits/Makefile.am
@@ -0,0 +1,69 @@
+# Makefile.am - tests using NIST's PKITS
+# Copyright (C) 2004 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+
+## Process this file with automake to produce Makefile.in
+
+GPGSM = ../../sm/gpgsm
+
+TESTS_ENVIRONMENT = GNUPGHOME=`pwd` GPG_AGENT_INFO= LC_ALL=C GPGSM=$(GPGSM) \
+ LD_LIBRARY_PATH=$$(seen=0; \
+ for i in $(LDFLAGS) $(LIBGCRYPT_LIBS) $(PTH_LIBS); \
+ do \
+ if echo "$$i" | egrep '^-L' >/dev/null 2>&1; \
+ then \
+ if test $$seen = 0; \
+ then \
+ seen=1; \
+ else \
+ printf ":"; \
+ fi; \
+ printf "%s" "$${i}" | sed 's/^-L//'; \
+ fi; \
+ done; \
+ if test $$seen != 0 \
+ && test x$${LD_LIBRARY_PATH} != x; \
+ then \
+ printf ":"; \
+ fi; \
+ printf "%s" "$${LD_LIBRARY_PATH}") $(srcdir)/runtest
+
+
+
+testscripts = import-all-certs validate-all-certs
+
+
+
+EXTRA_DIST = PKITS_data.tar.bz2 inittests runtest $(testscripts)
+ import-all-certs.data
+
+TESTS = $(testscripts)
+
+CLEANFILES = inittests.stamp x y y z out err *.lock .\#lk* *.log
+
+DISTCLEANFILES = pubring.kbx~ random_seed
+
+all-local: inittests.stamp
+
+clean-local:
+ srcdir=$(srcdir) $(TESTS_ENVIRONMENT) $(srcdir)/inittests --clean
+
+inittests.stamp: inittests
+ srcdir=$(srcdir) $(TESTS_ENVIRONMENT) $(srcdir)/inittests
+ echo timestamp >./inittests.stamp
+
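Review bot: The `EXTRA_DIST` line has no trailing backslash, so as shown here `import-all-certs.data` on the following line is not part of the assignment and make will reject or ignore it. common.sh, which import-all-certs sources, is also missing from the list, so a dist tarball would lack both files. I would write `EXTRA_DIST = PKITS_data.tar.bz2 inittests runtest common.sh $(testscripts) \` followed by the data file. `CLEANFILES` also lists `y` twice.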
diff --git a/tests/pkits/PKITS_data.tar.bz2 b/tests/pkits/PKITS_data.tar.bz2
new file mode 100644
index 000000000..0604f2286
--- /dev/null
+++ b/tests/pkits/PKITS_data.tar.bz2
Binary files differ
diff --git a/tests/pkits/README b/tests/pkits/README
new file mode 100644
index 000000000..a4290fe1f
--- /dev/null
+++ b/tests/pkits/README
@@ -0,0 +1,9 @@
+tests/pkits/README
+
+These are tests based on NIST's Public Key Interoperability Test Suite
+(PKITS) as downloaded on 2004-08-16 from
+http://csrc.nist.gov/pki/testing/x509paths.html .
+
+README - this file.
+PKITS_data.tar.bz2 - the orginal ZIP file, repackaged as a tarball.
+Makefile.am - Part of our build system.
diff --git a/tests/pkits/common.sh b/tests/pkits/common.sh
new file mode 100644
index 000000000..5e773ea5d
--- /dev/null
+++ b/tests/pkits/common.sh
@@ -0,0 +1,135 @@
+#!/bin/sh
+# common.sh - common defs for all tests -*- sh -*-
+# Copyright (C) 2004 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+
+# reset some environment variables because we do not want to test locals
+export LANG=C
+export LANGUAGE=C
+export LC_ALL=C
+
+
+[ "$VERBOSE" = yes ] && set -x
+[ -z "$srcdir" ] && srcdir="."
+[ -z "$top_srcdir" ] && top_srcdir=".."
+[ -z "$GPGSM" ] && GPGSM="../../sm/gpgsm"
+
+
+if [ "$GNUPGHOME" != "`pwd`" ]; then
+ echo "inittests: please set GNUPGHOME to the tests/pkits directory" >&2
+ exit 1
+fi
+
+if [ -n "$GPG_AGENT_INFO" ]; then
+ echo "inittests: please unset GPG_AGENT_INFO" >&2
+ exit 1
+fi
+
+
+
+#--------------------------------
+#------ utility functions -------
+#--------------------------------
+
+echo_n_init=no
+echo_n () {
+ if test "$echo_n_init" = "no"; then
+ if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then
+ if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then
+ echo_n_n=
+ echo_n_c='
+'
+ else
+ echo_n_n='-n'
+ echo_n_c=
+ fi
+ else
+ echo_n_n=
+ echo_n_c='\c'
+ fi
+ echo_n_init=yes
+ fi
+ echo $echo_n_n "${1}$echo_n_c"
+}
+
+fatal () {
+ echo "$pgmname: fatal:" $* >&2
+ exit 1;
+}
+
+error () {
+ echo "$pgmname:" $* >&2
+ exit 1
+}
+
+info () {
+ echo "$pgmname:" $* >&2
+}
+
+info_n () {
+ $echo_n "$pgmname:" $* >&2
+}
+
+pass () {
+ echo "PASS: " $* >&2
+ pass_count=`expr ${pass_count} + 1`
+}
+
+fail () {
+ echo "FAIL: " $* >&2
+ fail_count=`expr ${fail_count} + 1`
+}
+
+unresolved () {
+ echo "UNRESOLVED: " $* >&2
+ unresolved_count=`expr ${unresolved_count} + 1`
+}
+
+unsupported () {
+ echo "UNSUPPORTED: " $* >&2
+ unsupported_count=`expr ${unsupported_count} + 1`
+}
+
+
+final_result () {
+ [ $pass_count = 0 ] || info "$pass_count tests passed"
+ [ $fail_count = 0 ] || info "$fail_count tests failed"
+ [ $unresolved_count = 0 ] || info "$unresolved_count tests unresolved"
+ [ $unsupported_count = 0 ] || info "$unsupported_count tests unsupported"
+ if [ $fail_count = 0 ]; then
+ info "all tests passed"
+ else
+ exit 1
+ fi
+}
+
+set -e
+
+pgmname=`basename $0`
+
+pass_count=0
+fail_count=0
+unresolved_count=0
+unsupported_count=0
+
+
+#trap cleanup SIGHUP SIGINT SIGQUIT
+exec 2> ${pgmname}.log
+
+:
+# end
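Review bot: info_n expands `$echo_n`, a variable that is never set in this file, instead of calling the echo_n function defined above it. The shell would therefore try to run the program-name string as a command. Because echo_n prints only its first argument, the call should be `echo_n "$pgmname: $*" >&2`. The two environment checks near the top print an "inittests:" prefix although every test script sources this file, and `$pgmname` is not yet set at that point; using `$0` there would name the right script.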
diff --git a/tests/pkits/import-all-certs b/tests/pkits/import-all-certs
new file mode 100755
index 000000000..d1af5fb03
--- /dev/null
+++ b/tests/pkits/import-all-certs
@@ -0,0 +1,53 @@
+#!/bin/sh
+# Copyright (C) 2004 Free Software Foundation, Inc. -*- sh -*-
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+
+. ${srcdir:-.}/common.sh || exit 2
+
+while read flag dummy name; do
+ case $flag in \#*) continue;; esac
+ [ -z "$flag" ] && continue;
+
+ if ${GPGSM} -q --import certs/$name ; then
+ if [ "$flag" = 'p' ]; then
+ pass "importing certificate \`$name' succeeded"
+ elif [ "$flag" = 'f' ]; then
+ fail "importing certificate \`$name' succeeded"
+ elif [ "$flag" = '?' ]; then
+ unresolved "importing certificate \`$name' succeeded"
+ elif [ "$flag" = 'u' ]; then
+ unsupported "importing certificate \`$name' succeeded"
+ else
+ info "importing certificate \`$name' succeeded - (flag=$flag)"
+ fi
+ else
+ if [ "$flag" = 'p' ]; then
+ fail "importing certificate \`$name' failed"
+ elif [ "$flag" = 'f' ]; then
+ pass "importing certificate \`$name' failed"
+ elif [ "$flag" = '?' ]; then
+ unresolved "importing certificate \`$name' failed"
+ elif [ "$flag" = 'u' ]; then
+ unsupported "importing certificate \`$name' failed"
+ else
+ info "importing certificate \`$name' failed - (flag=$flag)"
+ fi
+ fi
+done < $srcdir/import-all-certs.data
+
+final_result
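Review bot: An expected-failure row (`f`) is counted as PASS for any non-zero exit of gpgsm. A missing file under certs/, an unbuilt binary or a crash would all look the same as a correctly rejected certificate. A guard before the import, `[ -f "certs/$name" ] || { unresolved "certificate \`$name' not found"; continue; }`, keeps the negative tests meaningful. I would also quote the operands (`"certs/$name"`, `"$srcdir/import-all-certs.data"`) and use `read -r`. The second column is read into `dummy` and never used here, which deserves a one-line comment.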
diff --git a/tests/pkits/import-all-certs.data b/tests/pkits/import-all-certs.data
new file mode 100644
index 000000000..18708aa61
--- /dev/null
+++ b/tests/pkits/import-all-certs.data
@@ -0,0 +1,490 @@
+# The first column is for the basic import test, the second for a
+# validation test.
+
+# Make sure that the root certificate is imported first
+p p TrustAnchorRootCertificate.crt
+
+p p AllCertificatesNoPoliciesTest2EE.crt
+p p AllCertificatesSamePoliciesTest10EE.crt
+p p AllCertificatesSamePoliciesTest13EE.crt
+p p AllCertificatesanyPolicyTest11EE.crt
+p p AnyPolicyTest14EE.crt
+p p BadCRLIssuerNameCACert.crt
+p p BadCRLSignatureCACert.crt
+f f BadSignedCACert.crt
+p f BadnotAfterDateCACert.crt
+
+# UTC: "470101120100Z" i.e. not before 2047-01-01
+p f BadnotBeforeDateCACert.crt
+
+p p BasicSelfIssuedCRLSigningKeyCACert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? BasicSelfIssuedCRLSigningKeyCRLCert.crt
+
+p p BasicSelfIssuedNewKeyCACert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? BasicSelfIssuedNewKeyOldWithNewCACert.crt
+
+p p BasicSelfIssuedOldKeyCACert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? BasicSelfIssuedOldKeyNewWithOldCACert.crt
+
+p p CPSPointerQualifierTest20EE.crt
+
+u u DSACACert.crt
+u u DSAParametersInheritedCACert.crt
+
+p p DifferentPoliciesTest12EE.crt
+p p DifferentPoliciesTest3EE.crt
+p p DifferentPoliciesTest4EE.crt
+p p DifferentPoliciesTest5EE.crt
+p p DifferentPoliciesTest7EE.crt
+p p DifferentPoliciesTest8EE.crt
+p p DifferentPoliciesTest9EE.crt
+p p GeneralizedTimeCRLnextUpdateCACert.crt
+p p GoodCACert.crt
+p p GoodsubCACert.crt
+
+# gpgsm: critical certificate extension 2.5.29.33 (policyMappings)
+# is not supported
+p u GoodsubCAPanyPolicyMapping1to2CACert.crt
+
+# fixme: gpgme does not fail for it.
+p f InvalidBadCRLIssuerNameTest5EE.crt
+
+p f InvalidBadCRLSignatureTest4EE.crt
+p f InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt
+
+f f InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt
+
+p f InvalidBasicSelfIssuedNewWithOldTest5EE.crt
+
+f f InvalidBasicSelfIssuedOldWithNewTest2EE.crt
+
+p f InvalidCASignatureTest2EE.crt
+
+p f InvalidCAnotAfterDateTest5EE.crt
+p f InvalidCAnotBeforeDateTest1EE.crt
+p f InvalidDNSnameConstraintsTest31EE.crt
+p f InvalidDNSnameConstraintsTest33EE.crt
+p f InvalidDNSnameConstraintsTest38EE.crt
+p f InvalidDNandRFC822nameConstraintsTest28EE.crt
+p f InvalidDNandRFC822nameConstraintsTest29EE.crt
+p f InvalidDNnameConstraintsTest10EE.crt
+p f InvalidDNnameConstraintsTest12EE.crt
+p f InvalidDNnameConstraintsTest13EE.crt
+p f InvalidDNnameConstraintsTest15EE.crt
+p f InvalidDNnameConstraintsTest16EE.crt
+p f InvalidDNnameConstraintsTest17EE.crt
+
+f f InvalidDNnameConstraintsTest20EE.crt
+
+p f InvalidDNnameConstraintsTest2EE.crt
+p f InvalidDNnameConstraintsTest3EE.crt
+p f InvalidDNnameConstraintsTest7EE.crt
+p f InvalidDNnameConstraintsTest8EE.crt
+p f InvalidDNnameConstraintsTest9EE.crt
+
+u u InvalidDSASignatureTest6EE.crt
+
+f f InvalidEESignatureTest3EE.crt
+
+p f InvalidEEnotAfterDateTest6EE.crt
+p f InvalidEEnotBeforeDateTest2EE.crt
+p f InvalidIDPwithindirectCRLTest23EE.crt
+p f InvalidIDPwithindirectCRLTest26EE.crt
+p f InvalidLongSerialNumberTest18EE.crt
+p f InvalidMappingFromanyPolicyTest7EE.crt
+p f InvalidMappingToanyPolicyTest8EE.crt
+p f InvalidMissingCRLTest1EE.crt
+p f InvalidMissingbasicConstraintsTest1EE.crt
+p f InvalidNameChainingOrderTest2EE.crt
+p f InvalidNameChainingTest1EE.crt
+p f InvalidNegativeSerialNumberTest15EE.crt
+p f InvalidOldCRLnextUpdateTest11EE.crt
+p f InvalidPolicyMappingTest10EE.crt
+p f InvalidPolicyMappingTest2EE.crt
+p f InvalidPolicyMappingTest4EE.crt
+p f InvalidRFC822nameConstraintsTest22EE.crt
+p f InvalidRFC822nameConstraintsTest24EE.crt
+p f InvalidRFC822nameConstraintsTest26EE.crt
+p f InvalidRevokedCATest2EE.crt
+p f InvalidRevokedEETest3EE.crt
+
+f f InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt
+
+p f InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt
+p f InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt
+p f InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt
+p f InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt
+p f InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt
+p f InvalidSelfIssuedpathLenConstraintTest16EE.crt
+p f InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt
+p f InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt
+
+f f InvalidSeparateCertificateandCRLKeysTest20EE.crt
+f f InvalidSeparateCertificateandCRLKeysTest21EE.crt
+
+p f InvalidURInameConstraintsTest35EE.crt
+p f InvalidURInameConstraintsTest37EE.crt
+p f InvalidUnknownCRLEntryExtensionTest8EE.crt
+p f InvalidUnknownCRLExtensionTest10EE.crt
+p f InvalidUnknownCRLExtensionTest9EE.crt
+p f InvalidUnknownCriticalCertificateExtensionTest2EE.crt
+p f InvalidWrongCRLTest6EE.crt
+p f InvalidcAFalseTest2EE.crt
+p f InvalidcAFalseTest3EE.crt
+p f InvalidcRLIssuerTest27EE.crt
+p f InvalidcRLIssuerTest31EE.crt
+p f InvalidcRLIssuerTest32EE.crt
+p f InvalidcRLIssuerTest34EE.crt
+p f InvalidcRLIssuerTest35EE.crt
+p f InvaliddeltaCRLIndicatorNoBaseTest1EE.crt
+p f InvaliddeltaCRLTest10EE.crt
+p f InvaliddeltaCRLTest3EE.crt
+p f InvaliddeltaCRLTest4EE.crt
+p f InvaliddeltaCRLTest6EE.crt
+p f InvaliddeltaCRLTest9EE.crt
+p f InvaliddistributionPointTest2EE.crt
+p f InvaliddistributionPointTest3EE.crt
+p f InvaliddistributionPointTest6EE.crt
+p f InvaliddistributionPointTest8EE.crt
+p f InvaliddistributionPointTest9EE.crt
+p f InvalidinhibitAnyPolicyTest1EE.crt
+p f InvalidinhibitAnyPolicyTest4EE.crt
+p f InvalidinhibitAnyPolicyTest5EE.crt
+p f InvalidinhibitAnyPolicyTest6EE.crt
+p f InvalidinhibitPolicyMappingTest1EE.crt
+p f InvalidinhibitPolicyMappingTest3EE.crt
+p f InvalidinhibitPolicyMappingTest5EE.crt
+p f InvalidinhibitPolicyMappingTest6EE.crt
+p f InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt
+p f InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt
+p f InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt
+p f InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt
+p f InvalidonlyContainsAttributeCertsTest14EE.crt
+p f InvalidonlyContainsCACertsTest12EE.crt
+p f InvalidonlyContainsUserCertsTest11EE.crt
+p f InvalidonlySomeReasonsTest15EE.crt
+p f InvalidonlySomeReasonsTest16EE.crt
+p f InvalidonlySomeReasonsTest17EE.crt
+p f InvalidonlySomeReasonsTest20EE.crt
+p f InvalidonlySomeReasonsTest21EE.crt
+p f InvalidpathLenConstraintTest10EE.crt
+p f InvalidpathLenConstraintTest11EE.crt
+p f InvalidpathLenConstraintTest12EE.crt
+p f InvalidpathLenConstraintTest5EE.crt
+p f InvalidpathLenConstraintTest6EE.crt
+p f InvalidpathLenConstraintTest9EE.crt
+p f Invalidpre2000CRLnextUpdateTest12EE.crt
+p f Invalidpre2000UTCEEnotAfterDateTest7EE.crt
+p f InvalidrequireExplicitPolicyTest3EE.crt
+p f InvalidrequireExplicitPolicyTest5EE.crt
+p p LongSerialNumberCACert.crt
+p p Mapping1to2CACert.crt
+p p MappingFromanyPolicyCACert.crt
+p p MappingToanyPolicyCACert.crt
+p p MissingbasicConstraintsCACert.crt
+p p NameOrderingCACert.crt
+p p NegativeSerialNumberCACert.crt
+p p NoCRLCACert.crt
+p p NoPoliciesCACert.crt
+p p NoissuingDistributionPointCACert.crt
+p p OldCRLnextUpdateCACert.crt
+p p OverlappingPoliciesTest6EE.crt
+p p P12Mapping1to3CACert.crt
+p p P12Mapping1to3subCACert.crt
+p p P12Mapping1to3subsubCACert.crt
+p p P1Mapping1to234CACert.crt
+p p P1Mapping1to234subCACert.crt
+p p P1anyPolicyMapping1to2CACert.crt
+p p PanyPolicyMapping1to2CACert.crt
+p p PoliciesP1234CACert.crt
+p p PoliciesP1234subCAP123Cert.crt
+p p PoliciesP1234subsubCAP123P12Cert.crt
+p p PoliciesP123CACert.crt
+p p PoliciesP123subCAP12Cert.crt
+p p PoliciesP123subsubCAP12P1Cert.crt
+p p PoliciesP123subsubCAP12P2Cert.crt
+p p PoliciesP123subsubsubCAP12P2P1Cert.crt
+p p PoliciesP12CACert.crt
+p p PoliciesP12subCAP1Cert.crt
+p p PoliciesP12subsubCAP1P2Cert.crt
+p p PoliciesP2subCA2Cert.crt
+p p PoliciesP2subCACert.crt
+p p PoliciesP3CACert.crt
+p p RFC3280MandatoryAttributeTypesCACert.crt
+p p RFC3280OptionalAttributeTypesCACert.crt
+p p RevokedsubCACert.crt
+p p RolloverfromPrintableStringtoUTF8StringCACert.crt
+p p SeparateCertificateandCRLKeysCA2CRLSigningCert.crt
+p p SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt
+p p SeparateCertificateandCRLKeysCRLSigningCert.crt
+p p SeparateCertificateandCRLKeysCertificateSigningCACert.crt
+p p TwoCRLsCACert.crt
+p p UIDCACert.crt
+p p UTF8StringCaseInsensitiveMatchCACert.crt
+p p UTF8StringEncodedNamesCACert.crt
+p p UnknownCRLEntryExtensionCACert.crt
+p p UnknownCRLExtensionCACert.crt
+p p UserNoticeQualifierTest15EE.crt
+p p UserNoticeQualifierTest16EE.crt
+p p UserNoticeQualifierTest17EE.crt
+p p UserNoticeQualifierTest18EE.crt
+p p UserNoticeQualifierTest19EE.crt
+p p ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? ValidBasicSelfIssuedNewWithOldTest3EE.crt
+
+p p ValidBasicSelfIssuedNewWithOldTest4EE.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? ValidBasicSelfIssuedOldWithNewTest1EE.crt
+
+p p ValidCertificatePathTest1EE.crt
+p p ValidDNSnameConstraintsTest30EE.crt
+p p ValidDNSnameConstraintsTest32EE.crt
+p p ValidDNandRFC822nameConstraintsTest27EE.crt
+p p ValidDNnameConstraintsTest11EE.crt
+
+# This certificate has an empty subject sequence. Our parser does not
+# support this yet and it is unlikely that gpgsm will be able to cope
+# with it at all.
+u u ValidDNnameConstraintsTest14EE.crt
+
+p p ValidDNnameConstraintsTest18EE.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? ValidDNnameConstraintsTest19EE.crt
+
+p p ValidDNnameConstraintsTest1EE.crt
+p p ValidDNnameConstraintsTest4EE.crt
+p p ValidDNnameConstraintsTest5EE.crt
+p p ValidDNnameConstraintsTest6EE.crt
+
+u p ValidDSAParameterInheritanceTest5EE.crt
+u p ValidDSASignaturesTest4EE.crt
+
+p p ValidGeneralizedTimeCRLnextUpdateTest13EE.crt
+p p ValidGeneralizedTimenotAfterDateTest8EE.crt
+p p ValidGeneralizedTimenotBeforeDateTest4EE.crt
+p p ValidIDPwithindirectCRLTest22EE.crt
+p p ValidIDPwithindirectCRLTest24EE.crt
+p p ValidIDPwithindirectCRLTest25EE.crt
+p p ValidLongSerialNumberTest16EE.crt
+p p ValidLongSerialNumberTest17EE.crt
+p p ValidNameChainingCapitalizationTest5EE.crt
+p p ValidNameChainingWhitespaceTest3EE.crt
+p p ValidNameChainingWhitespaceTest4EE.crt
+p p ValidNameUIDsTest6EE.crt
+p p ValidNegativeSerialNumberTest14EE.crt
+p p ValidNoissuingDistributionPointTest10EE.crt
+p p ValidPolicyMappingTest11EE.crt
+p p ValidPolicyMappingTest12EE.crt
+p p ValidPolicyMappingTest13EE.crt
+p p ValidPolicyMappingTest14EE.crt
+p p ValidPolicyMappingTest1EE.crt
+p p ValidPolicyMappingTest3EE.crt
+p p ValidPolicyMappingTest5EE.crt
+p p ValidPolicyMappingTest6EE.crt
+p p ValidPolicyMappingTest9EE.crt
+p p ValidRFC3280MandatoryAttributeTypesTest7EE.crt
+p p ValidRFC3280OptionalAttributeTypesTest8EE.crt
+p p ValidRFC822nameConstraintsTest21EE.crt
+p p ValidRFC822nameConstraintsTest23EE.crt
+p p ValidRFC822nameConstraintsTest25EE.crt
+p p ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt
+p p ValidSelfIssuedinhibitAnyPolicyTest7EE.crt
+p p ValidSelfIssuedinhibitAnyPolicyTest9EE.crt
+p p ValidSelfIssuedinhibitPolicyMappingTest7EE.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? ValidSelfIssuedpathLenConstraintTest15EE.crt
+
+p p ValidSelfIssuedpathLenConstraintTest17EE.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? ValidSelfIssuedrequireExplicitPolicyTest6EE.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? ValidSeparateCertificateandCRLKeysTest19EE.crt
+
+p p ValidTwoCRLsTest7EE.crt
+p p ValidURInameConstraintsTest34EE.crt
+p p ValidURInameConstraintsTest36EE.crt
+p p ValidUTF8StringCaseInsensitiveMatchTest11EE.crt
+p p ValidUTF8StringEncodedNamesTest9EE.crt
+p p ValidUnknownNotCriticalCertificateExtensionTest1EE.crt
+p p ValidbasicConstraintsNotCriticalTest4EE.crt
+p p ValidcRLIssuerTest28EE.crt
+p p ValidcRLIssuerTest29EE.crt
+p p ValidcRLIssuerTest30EE.crt
+p p ValidcRLIssuerTest33EE.crt
+p p ValiddeltaCRLTest2EE.crt
+p p ValiddeltaCRLTest5EE.crt
+p p ValiddeltaCRLTest7EE.crt
+p p ValiddeltaCRLTest8EE.crt
+p p ValiddistributionPointTest1EE.crt
+p p ValiddistributionPointTest4EE.crt
+p p ValiddistributionPointTest5EE.crt
+p p ValiddistributionPointTest7EE.crt
+p p ValidinhibitAnyPolicyTest2EE.crt
+p p ValidinhibitPolicyMappingTest2EE.crt
+p p ValidinhibitPolicyMappingTest4EE.crt
+p p ValidkeyUsageNotCriticalTest3EE.crt
+p p ValidonlyContainsCACertsTest13EE.crt
+p p ValidonlySomeReasonsTest18EE.crt
+p p ValidonlySomeReasonsTest19EE.crt
+p p ValidpathLenConstraintTest13EE.crt
+p p ValidpathLenConstraintTest14EE.crt
+p p ValidpathLenConstraintTest7EE.crt
+p p ValidpathLenConstraintTest8EE.crt
+p p Validpre2000UTCnotBeforeDateTest3EE.crt
+p p ValidrequireExplicitPolicyTest1EE.crt
+p p ValidrequireExplicitPolicyTest2EE.crt
+p p ValidrequireExplicitPolicyTest4EE.crt
+p p WrongCRLCACert.crt
+p p anyPolicyCACert.crt
+p p basicConstraintsCriticalcAFalseCACert.crt
+p p basicConstraintsNotCriticalCACert.crt
+p p basicConstraintsNotCriticalcAFalseCACert.crt
+p p deltaCRLCA1Cert.crt
+p p deltaCRLCA2Cert.crt
+p p deltaCRLCA3Cert.crt
+p p deltaCRLIndicatorNoBaseCACert.crt
+p p distributionPoint1CACert.crt
+p p distributionPoint2CACert.crt
+p p indirectCRLCA1Cert.crt
+p p indirectCRLCA2Cert.crt
+p p indirectCRLCA3Cert.crt
+p p indirectCRLCA3cRLIssuerCert.crt
+p p indirectCRLCA4Cert.crt
+p p indirectCRLCA4cRLIssuerCert.crt
+p p indirectCRLCA5Cert.crt
+p p indirectCRLCA6Cert.crt
+p p inhibitAnyPolicy0CACert.crt
+p p inhibitAnyPolicy1CACert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? inhibitAnyPolicy1SelfIssuedCACert.crt
+? ? inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt
+
+p p inhibitAnyPolicy1subCA1Cert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? inhibitAnyPolicy1subCA2Cert.crt
+
+p p inhibitAnyPolicy1subCAIAP5Cert.crt
+p p inhibitAnyPolicy1subsubCA2Cert.crt
+p p inhibitAnyPolicy5CACert.crt
+p p inhibitAnyPolicy5subCACert.crt
+p p inhibitAnyPolicy5subsubCACert.crt
+p p inhibitAnyPolicyTest3EE.crt
+p p inhibitPolicyMapping0CACert.crt
+p p inhibitPolicyMapping0subCACert.crt
+p p inhibitPolicyMapping1P12CACert.crt
+p p inhibitPolicyMapping1P12subCACert.crt
+p p inhibitPolicyMapping1P12subCAIPM5Cert.crt
+p p inhibitPolicyMapping1P12subsubCACert.crt
+p p inhibitPolicyMapping1P12subsubCAIPM5Cert.crt
+p p inhibitPolicyMapping1P1CACert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? inhibitPolicyMapping1P1SelfIssuedCACert.crt
+? ? inhibitPolicyMapping1P1SelfIssuedsubCACert.crt
+? ? inhibitPolicyMapping1P1subCACert.crt
+
+p p inhibitPolicyMapping1P1subsubCACert.crt
+p p inhibitPolicyMapping5CACert.crt
+p p inhibitPolicyMapping5subCACert.crt
+p p inhibitPolicyMapping5subsubCACert.crt
+p p inhibitPolicyMapping5subsubsubCACert.crt
+p p keyUsageCriticalcRLSignFalseCACert.crt
+p p keyUsageCriticalkeyCertSignFalseCACert.crt
+p p keyUsageNotCriticalCACert.crt
+p p keyUsageNotCriticalcRLSignFalseCACert.crt
+p p keyUsageNotCriticalkeyCertSignFalseCACert.crt
+p p nameConstraintsDN1CACert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? nameConstraintsDN1SelfIssuedCACert.crt
+
+p p nameConstraintsDN1subCA1Cert.crt
+p p nameConstraintsDN1subCA2Cert.crt
+p p nameConstraintsDN1subCA3Cert.crt
+p p nameConstraintsDN2CACert.crt
+p p nameConstraintsDN3CACert.crt
+p p nameConstraintsDN3subCA1Cert.crt
+p p nameConstraintsDN3subCA2Cert.crt
+p p nameConstraintsDN4CACert.crt
+p p nameConstraintsDN5CACert.crt
+p p nameConstraintsDNS1CACert.crt
+p p nameConstraintsDNS2CACert.crt
+p p nameConstraintsRFC822CA1Cert.crt
+p p nameConstraintsRFC822CA2Cert.crt
+p p nameConstraintsRFC822CA3Cert.crt
+p p nameConstraintsURI1CACert.crt
+p p nameConstraintsURI2CACert.crt
+p p onlyContainsAttributeCertsCACert.crt
+p p onlyContainsCACertsCACert.crt
+p p onlyContainsUserCertsCACert.crt
+p p onlySomeReasonsCA1Cert.crt
+p p onlySomeReasonsCA2Cert.crt
+p p onlySomeReasonsCA3Cert.crt
+p p onlySomeReasonsCA4Cert.crt
+p p pathLenConstraint0CACert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? pathLenConstraint0SelfIssuedCACert.crt
+? ? pathLenConstraint0subCA2Cert.crt
+
+p p pathLenConstraint0subCACert.crt
+p p pathLenConstraint1CACert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? pathLenConstraint1SelfIssuedCACert.crt
+? ? pathLenConstraint1SelfIssuedsubCACert.crt
+? ? pathLenConstraint1subCACert.crt
+
+p p pathLenConstraint6CACert.crt
+p p pathLenConstraint6subCA0Cert.crt
+p p pathLenConstraint6subCA1Cert.crt
+p p pathLenConstraint6subCA4Cert.crt
+p p pathLenConstraint6subsubCA00Cert.crt
+p p pathLenConstraint6subsubCA11Cert.crt
+p p pathLenConstraint6subsubCA41Cert.crt
+p p pathLenConstraint6subsubsubCA11XCert.crt
+p p pathLenConstraint6subsubsubCA41XCert.crt
+p p pre2000CRLnextUpdateCACert.crt
+p p requireExplicitPolicy0CACert.crt
+p p requireExplicitPolicy0subCACert.crt
+p p requireExplicitPolicy0subsubCACert.crt
+p p requireExplicitPolicy0subsubsubCACert.crt
+p p requireExplicitPolicy10CACert.crt
+p p requireExplicitPolicy10subCACert.crt
+p p requireExplicitPolicy10subsubCACert.crt
+p p requireExplicitPolicy10subsubsubCACert.crt
+p p requireExplicitPolicy2CACert.crt
+
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? requireExplicitPolicy2SelfIssuedCACert.crt
+? ? requireExplicitPolicy2SelfIssuedsubCACert.crt
+? ? requireExplicitPolicy2subCACert.crt
+
+p p requireExplicitPolicy4CACert.crt
+p p requireExplicitPolicy4subCACert.crt
+p p requireExplicitPolicy4subsubCACert.crt
+p p requireExplicitPolicy4subsubsubCACert.crt
+p p requireExplicitPolicy5CACert.crt
+p p requireExplicitPolicy5subCACert.crt
+p p requireExplicitPolicy5subsubCACert.crt
+p p requireExplicitPolicy5subsubsubCACert.crt
+p p requireExplicitPolicy7CACert.crt
+p p requireExplicitPolicy7subCARE2Cert.crt
+p p requireExplicitPolicy7subsubCARE2RE4Cert.crt
+p p requireExplicitPolicy7subsubsubCARE2RE4Cert.crt
+
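Review bot: The two DSA end-entity rows, `u p ValidDSAParameterInheritanceTest5EE.crt` and `u p ValidDSASignaturesTest4EE.crt`, expect validation to pass although their plain import is marked unsupported and the DSA CA certificates further up are `u u`. validate-all-certs validates through `--import --with-validation`, so if DSA import is unsupported these rows would presumably be reported as failures rather than as unsupported; `u u` would match the treatment of `InvalidDSASignatureTest6EE.crt`. The fixme above `InvalidBadCRLIssuerNameTest5EE.crt` says "gpgme" where gpgsm seems to be meant.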
diff --git a/tests/pkits/inittests b/tests/pkits/inittests
new file mode 100755
index 000000000..6af16de03
--- /dev/null
+++ b/tests/pkits/inittests
@@ -0,0 +1,94 @@
+#!/bin/sh
+# Copyright (C) 2004 Free Software Foundation, Inc. -*- sh -*-
+#
+# This file is free software; as a special exception the author gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+#
+# This file is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+set -e
+
+
+clean_files='
+ReadMe.txt pkits.ldif
+gpgsm.conf gpg-agent.conf trustlist.txt policies.txt pubring.kbx
+msg msg.sig msg.unsig
+'
+
+[ -z "$srcdir" ] && srcdir=.
+[ -z "$GPGSM" ] && GPGSM=../../sm/gpgsm
+
+if [ -f $srcdir/README ] \
+ && grep tests/pkits/README README >/dev/null 2>&1; then
+ :
+else
+ # During make distclean the Makefile has already been removed,
+ # so we need this extra test.
+ if ! grep gnupg-test-pkits-directory testdir.stamp >/dev/null 2>&1; then
+ echo "inittests: please cd to the tests/pkits directory first" >&2
+ exit 1
+ fi
+fi
+
+if [ "$1" = "--clean" ]; then
+ if [ -d private-keys-v1.d ]; then
+ rm private-keys-v1.d/* 2>/dev/null || true
+ rmdir private-keys-v1.d
+ fi
+ rm ${clean_files} testdir.stamp 2>/dev/null || true
+ for i in certs certpairs crls pkcs12 smime; do
+ if [ -d $i ]; then
+ rm $i/* 2>/dev/null || true
+ rmdir $i
+ fi
+ done
+ exit 0
+fi
+
+if [ "$GNUPGHOME" != "`pwd`" ]; then
+ echo "inittests: please set GNUPGHOME to the tests/pkits directory" >&2
+ exit 1
+fi
+
+if [ -n "$GPG_AGENT_INFO" ]; then
+ echo "inittests: please unset GPG_AGENT_INFO" >&2
+ exit 1
+fi
+
+if ! bunzip2 -c PKITS_data.tar.bz2 | tar xf - ; then
+ echo "inittests: failed to untar the test data" >&2
+ exit 1
+fi
+
+
+# A stamp file used with --clean
+echo gnupg-test-pkits-directory > testdir.stamp
+
+
+# Create the configuration scripts
+cat > gpgsm.conf <<EOF
+no-secmem-warning
+no-greeting
+batch
+disable-crl-checks
+agent-program ../../agent/gpg-agent
+EOF
+
+# Fixme: we need to write a dummy pinentry program
+cat > gpg-agent.conf <<EOF
+no-grab
+EOF
+
+# Mark the root CA trusted
+cat > trustlist.txt <<EOF
+# /CN=Trust Anchor/O=Test Certificates/C=US
+66:8A:47:56:A2:DC:88:FF:DA:B8:95:E1:3C:63:37:55:5F:0A:F7:BF S
+EOF
+
+# Define the standard policies as NIST test-policy-1
+#cat >policies.txt <<EOF
+#2.16.840.1.101.3.2.1.48.1
+#EOF
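Review bot: The directory guard tests `[ -f $srcdir/README ]` but then greps `README` in the current directory, so its two halves can look at different files whenever srcdir is not `.`. This guard is the only check in front of the `--clean` branch, which runs `rm` on relative paths in the working directory, so it should be unambiguous about which directory it verifies. Both halves should name the same file with the expansion quoted, for example `[ -f "$srcdir/README" ] && grep tests/pkits/README "$srcdir/README" >/dev/null 2>&1`, or plain `README` in both places if the current directory is what is being checked. A comment such as `# Refuse to run (and especially to --clean) outside tests/pkits` above the test would record the intent.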
diff --git a/tests/pkits/runtest b/tests/pkits/runtest
new file mode 100755
index 000000000..f054a3498
--- /dev/null
+++ b/tests/pkits/runtest
@@ -0,0 +1,4 @@
+#!/bin/sh
+[ -x "$1" ] && exec $1 $2
+exec sh $1 $2
+
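Review bot: `$1` is tested quoted in `[ -x "$1" ]` but executed unquoted, so a test path containing whitespace or glob characters can pass the check and then be run as a different word list; `exec sh $1 $2` has the same problem. Quoting keeps the check and the exec on the same file: `[ -x "$1" ] && exec "$1" ${2+"$2"}` and `exec sh "$1" ${2+"$2"}`. A header comment saying that the wrapper runs test scripts that lack the execute bit, as it appears to, would also help.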
diff --git a/tests/pkits/validate-all-certs b/tests/pkits/validate-all-certs
new file mode 100755
index 000000000..f482fdb51
--- /dev/null
+++ b/tests/pkits/validate-all-certs
@@ -0,0 +1,55 @@
+#!/bin/sh
+# validate-all-certs -*- sh -*-
+# Copyright (C) 2004 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+
+. ${srcdir:-.}/common.sh || exit 2
+
+while read dummy flag name; do
+ case $dummy in \#*) continue;; esac
+ [ -z "$dummy" ] && continue;
+
+ if ${GPGSM} -q --import --with-validation --disable-crl-checks \
+ certs/$name ; then
+ if [ "$flag" = 'p' ]; then
+ pass "validating certificate \`$name' succeeded"
+ elif [ "$flag" = 'f' ]; then
+ fail "validating certificate \`$name' succeeded"
+ elif [ "$flag" = '?' ]; then
+ unresolved "validating certificate \`$name' succeeded"
+ elif [ "$flag" = 'u' ]; then
+ unsupported "validating certificate \`$name' succeeded"
+ else
+ info "validating certificate \`$name' succeeded - (flag=$flag)"
+ fi
+ else
+ if [ "$flag" = 'p' ]; then
+ fail "validating certificate \`$name' failed"
+ elif [ "$flag" = 'f' ]; then
+ pass "validating certificate \`$name' failed"
+ elif [ "$flag" = '?' ]; then
+ unresolved "validating certificate \`$name' failed"
+ elif [ "$flag" = 'u' ]; then
+ unsupported "validating certificate \`$name' failed"
+ else
+ info "validating certificate \`$name' failed - (flag=$flag)"
+ fi
+ fi
+done < $srcdir/import-all-certs.data
+
+final_result
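Review bot: The gpgsm call passes `--disable-crl-checks`, yet the data file expects `f` in the validation column for cases that are presumably invalid only because of a CRL, such as `InvalidRevokedEETest3EE.crt` and `InvalidMissingCRLTest1EE.crt`. With revocation checking off those rows cannot fail for the intended reason, so they either show up as permanent failures that bury real regressions or pass for an unrelated reason. Until CRL checking is exercised I would mark those rows `?` in import-all-certs.data, or at least add a comment above the loop such as `# CRL checks are disabled: CRL-dependent 'f' rows are not expected to fail yet`. This is judged from the test names and the visible option only; common.sh is not part of the hunk.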