I decided I would try the NIST X.509 test suite
(http://csrc.nist.gov/pki/testing/x509paths.html), and found that some
of the tests don't validate.  Many of them aren't much of a surprise,
but definitely provide us with a few tasks to work on.  Also, I'm
testing with 0.9.6g, so it's possible the age of that is the cause of
failure.

The tests where OpenSSL provides incorrect results (this is true for
all currently active branches) are:

15, 16, 17 and 18: these are all tests of PrintableString, where the
differences between names in the path are spaces and capitalization.
They all should succeed, but with OpenSSL, they fail.  Ticket 244
in the bugs database fixes this, and I have the fix in my work
directory.

20 and 21: there are revoked certificates in the path, and this isn't
detected.  This may be my fault, I simply included the CRLs together
with the CA certificates into the file that I have as argument to
-CAfile...

22: An intermediate cert is missing the basicConstraints field, and
according to the documentation, that should make the validation fail.

23 and 25: An intermediate cert has basicConstraints, set as critical
and with the value false, which should make the validation fail.

29: There's a non-critical keyUsage with the keyCertSign bit false.

31 and 32: the intermediate CA comes with a CRL, but the issuer's
certificate doesn't have the cRLSign bit set.

34 to 53: let's just forget these tests for now, since OpenSSL doesn't
handle the policy extensions...

54 to 63: These are about path length constraints, and since we don't
handle that, we can forget those tests...

64 to 66: I thought we handled CRLs, perhaps I'm wrong.

68 to 73: Hmm, have I misunderstood it, and one can't bundle up CRLs
in the CAfile when using 'openssl verify'?  It looks like those CRLs
aren't looked at at all!

75: we already know that we currently don't know about delta CRLs.

76: well, if we don't even see the CRLs, we don't see the CRL
extensions either.



The script I used to run all these tests is this:

----------8<----------
#!/bin/bash

# For every PKITS test directory: convert the DER trust anchor,
# intermediate certificates and CRLs into one PEM bundle (cas.pem),
# convert the end certificate to PEM, and verify it against the bundle.
for x in test? test??; do
    (
        cd "$x"; echo "$x"
        (
            for c in "Trust Anchor"* "Intermediate "*; do
                echo -n "$c " >&2
                # CRL files need 'openssl crl'; everything else is a certificate
                case "$c" in
                    *CRL*) openssl crl  -in "$c" -inform DER ;;
                    *)     openssl x509 -in "$c" -inform DER ;;
                esac
            done
        ) > cas.pem
        echo "End Certificate "*.crt >&2
        openssl x509 -in "End Certificate "*.crt -inform DER -out t.pem
        openssl verify -CAfile cas.pem -verbose t.pem >&2
    )
done
----------8<----------

I'll check to see what I might have gotten wrong with the CRLs.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
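Added example, not part of the post above and not OpenSSL project code: a script that builds a throwaway root / intermediate / end-entity chain with the openssl command line, revokes the end-entity certificate on the intermediate's CRL, bundles certificates and CRLs into one cas.pem the same way the script in the post does, and then runs 'openssl verify' without and with CRL checking. It assumes a reasonably modern openssl binary on the PATH; the -crl_check and -crl_check_all options first appeared in 0.9.7, so it will not run against the 0.9.6g used in the post. Every subject name, file name and config section name in it is made up for the demonstration.

```shell
#!/bin/bash
# Added example (not from the original post): reproduce "CRLs bundled into
# -CAfile are not looked at" with a freshly generated three-level PKI and show
# that 'openssl verify' only consults them when told to with -crl_check /
# -crl_check_all. Assumes a modern 'openssl' on PATH (0.9.7 or later for the
# CRL flags). All names and file names below are made up for this demo.
set -e

# Build root -> intermediate -> end-entity in directory $1, revoke the
# end-entity on the intermediate's CRL, and write cas.pem the way the post's
# script does: trust anchor, intermediate and both CRLs in one PEM file.
# Runs in a subshell so the caller's working directory is untouched.
make_pki() (
    cd "$1"

    # Request config plus the extension sections used for the certificates.
    cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ee_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF

    # 'openssl ca' needs only a database, a crlnumber file, the issuer key
    # and certificate, and a digest to revoke entries and emit a CRL.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = root_ca
[ root_ca ]
database    = root.idx
crlnumber   = root.crlnum
certificate = root.pem
private_key = root.key
default_md  = sha256
[ inter_ca ]
database    = inter.idx
crlnumber   = inter.crlnum
certificate = inter.pem
private_key = inter.key
default_md  = sha256
EOF
    touch root.idx inter.idx
    echo 01 > root.crlnum
    echo 01 > inter.crlnum

    # Self-signed trust anchor: CA:TRUE, keyCertSign and cRLSign.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Root CA" \
        -config req.cnf -extensions ca_ext -keyout root.key -out root.pem >/dev/null 2>&1

    # Intermediate CA signed by the root, with the same CA extensions.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Intermediate CA" \
        -config req.cnf -keyout inter.key -out inter.csr >/dev/null 2>&1
    openssl x509 -req -days 2 -in inter.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile req.cnf -extensions ca_ext -out inter.pem >/dev/null 2>&1

    # End-entity certificate signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=End Entity" \
        -config req.cnf -keyout end.key -out end.csr >/dev/null 2>&1
    openssl x509 -req -days 2 -in end.csr -CA inter.pem -CAkey inter.key \
        -CAcreateserial -extfile req.cnf -extensions ee_ext -out end.pem >/dev/null 2>&1

    # Revoke the end-entity on the intermediate's CRL. The root issues an
    # empty CRL too, so -crl_check_all has a CRL for every level of the chain.
    openssl ca -config ca.cnf -name inter_ca -revoke end.pem >/dev/null 2>&1
    openssl ca -config ca.cnf -name inter_ca -gencrl -crldays 1 -out inter.crl >/dev/null 2>&1
    openssl ca -config ca.cnf -name root_ca  -gencrl -crldays 1 -out root.crl >/dev/null 2>&1

    cat root.pem inter.pem root.crl inter.crl > cas.pem
)

# Verify end.pem in directory $1 against cas.pem with any extra verify flags
# given after it, and print a one-word verdict: "accepted" or "rejected".
verdict() {
    local d="$1"; shift
    if openssl verify "$@" -CAfile "$d/cas.pem" "$d/end.pem" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_pki "$workdir"
echo "no CRL flags:   $(verdict "$workdir")"                  # accepted
echo "-crl_check:     $(verdict "$workdir" -crl_check)"       # rejected
echo "-crl_check_all: $(verdict "$workdir" -crl_check_all)"   # rejected
```

Without a CRL flag, verify reports the revoked end certificate as OK even though its CRL is sitting in the -CAfile bundle: the CRLs are loaded into the store, but revocation checking is simply off by default. -crl_check checks only the end-entity certificate; -crl_check_all checks every certificate in the chain and therefore needs a CRL from each issuer, which is why the root issues an (empty) CRL here as well.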
