Check the key usage bits during certificate verification.

[gnutls.git] / tests / suite / x509paths / README

This directory contains self-tests based on NIST's old X.509 test
vectors, downloaded (2007-02-13) from:

http://csrc.nist.gov/pki/testing/x509paths_old.html

6c42afd89f6e9ebe330bf5f361b837840c132bf5  x509tests.tgz
92d43f0f24b15e9e2d42af8f0c4caffc78d94ad1  certpath1.07.zip
3e50006351c0e7422e0d1fb0f39c3d74fd69a51a  Certificate Path Validation Testing.pdf

Because of unclear license, they are not distributed with GnuTLS
currently.

See the PDF for information regarding the self tests.  Particular
comments on individual tests below.  The 'XXX' marks real bugs.

Chain 15-18: We should succeed, the reason we don't is that we use
memcmp for DN comparisons.

Chain 19: This requires advanced verification that we don't support
yet. It requires to check that this path contains no revocation data.
We shouldn't make these tests.

Chain 31-32: The CRL is issued by a issuer without CRLSign
(non-)critical keyCertSign.  We don't check the CRL, so this is not a
real problem. This is easier to be supported now with the trust_list
that can verify CRLs on addition. (there is an issue there since the
CRLs that are being added are typically of an intermediate CA which
is not in the trust list to verify them)

Chain 54-55,58-61: We don't check path length constraints properly. XXX