| blob | d56032dcec83ec0f48c4b16477ca49f486fba95b |
1 This directory contains self-tests based on NIST's old X.509 test
2 vectors, downloaded (2007-02-13) from:
4 http://csrc.nist.gov/pki/testing/x509paths_old.html
6 6c42afd89f6e9ebe330bf5f361b837840c132bf5 x509tests.tgz
7 92d43f0f24b15e9e2d42af8f0c4caffc78d94ad1 certpath1.07.zip
8 3e50006351c0e7422e0d1fb0f39c3d74fd69a51a Certificate Path Validation Testing.pdf
10 Because of unclear license, they are not distributed with GnuTLS
11 currently.
13 See the PDF for information regarding the self tests. Particular
14 comments on individual tests below. The 'XXX' marks real bugs.
16 Chain 15-18: We should succeed, the reason we don't is that we use
17 memcmp for DN comparisons.
19 Chain 19: This requires advanced verification that we don't support
20 yet. It requires to check that this path contains no revocation data.
21 We shouldn't make these tests.
23 Chain 31-32: The CRL is issued by a issuer without CRLSign
24 (non-)critical keyCertSign. We don't check the CRL, so this is not a
25 real problem. This is easier to be supported now with the trust_list
26 that can verify CRLs on addition. (there is an issue there since the
27 CRLs that are being added are typically of an intermediate CA which
28 is not in the trust list to verify them)