[openssl-dev] Certificate torture test
David Woodhouse
dwmw2 at infradead.org
Fri Sep 2 19:36:52 UTC 2016
I've started collecting a certificate torture test suite at
http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/tests/Makefile.am

It has RSA, DSA and EC keys in various forms (PKCS#1, PKCS#8, PKCS#12 with varying encryptions), and PKCS#11.

I'm vaguely thinking about separating it from OpenConnect and making it available as a generic test suite — and then perhaps trying to set expectations that any application that can use SSL client certs/keys should pass it.

Currently, every application you encounter on a Linux system will support a *different* subset of the keys here. It would be nice to have a bit of consistency.

Does that seem reasonable? Is there anything I'm missing from the tests above? I know I need to add some non-ASCII password tests, and I need a PKCS#11 test case where the certificate isn't visible until you log in to the token. What else? Should I add PKCS#12 in PEM form for completeness?

FWIW I hate all crypto libraries... there isn't *one* which simply has a function that'll do the right thing and load a certificate given a string which identifies it (by filename or PKCS#11 URI). GnuTLS comes closest, I think, but we still have to jump through hoops in the *application* to work out what kind of file we're looking at and ask for it to be loaded. The library *really* ought to make that simple.
--
dwmw2
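The "work out what kind of file we're looking at" step the post complains about, as an added example that is not OpenConnect's or any library's code: a small Python sniffer that tells PKCS#1, PKCS#8 (plain and encrypted), SEC1, PKCS#12 and X.509 containers apart from the PEM label or the leading DER structure. The DER samples are constructed truncated prefixes, not real keys, and the "PKCS12" PEM label is an assumption.

```python
"""Container sniffer for key/certificate files. Added example; tag shapes
follow the PKCS#1, PKCS#8, PKCS#12, SEC1 and X.509 DER definitions, and the
DER samples below are constructed prefixes, not real keys."""
import re

# PEM label -> container. Legacy OpenSSL encryption of traditional keys is
# signalled by a "Proc-Type: 4,ENCRYPTED" header rather than the label.
PEM_LABELS = {
    "RSA PRIVATE KEY": "pkcs1-rsa", "DSA PRIVATE KEY": "openssl-dsa",
    "EC PRIVATE KEY": "sec1-ec", "PRIVATE KEY": "pkcs8",
    "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted", "CERTIFICATE": "x509",
    "PKCS12": "pkcs12",   # assumed label for PEM-wrapped PKCS#12
}
_PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def _tlv(buf, pos):
    """Decode one DER tag/length header: (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def sniff_der(buf):
    """Classify a DER blob from the first two elements of its outer SEQUENCE."""
    tag, start, _ = _tlv(buf, 0)
    if tag != 0x30:
        return "unknown"
    first, f_start, f_end = _tlv(buf, start)
    if first == 0x02:                      # leading version INTEGER
        version = int.from_bytes(buf[f_start:f_end], "big")
        second = _tlv(buf, f_end)[0]
        if version == 3 and second == 0x30: return "pkcs12"      # PFX
        if version == 0 and second == 0x30: return "pkcs8"       # PrivateKeyInfo
        if version == 0 and second == 0x02: return "pkcs1-rsa"   # DSA shares this shape
        if version == 1 and second == 0x04: return "sec1-ec"     # ECPrivateKey
    elif first == 0x30:                    # AlgorithmIdentifier or TBSCertificate
        return "pkcs8-encrypted" if _tlv(buf, f_start)[0] == 0x06 else "x509"
    return "unknown"

def sniff(buf):
    """Return a container name for a PEM or DER key/certificate blob."""
    m = _PEM_RE.search(buf)
    if not m:
        return sniff_der(buf)
    kind = PEM_LABELS.get(m.group(1).decode(), "unknown")
    return kind + "-encrypted" if b"Proc-Type: 4,ENCRYPTED" in buf else kind

# Constructed DER prefixes (outer SEQUENCE plus the first two element headers).
DER_SAMPLES = {
    "pkcs8": b"\x30\x82\x04\xbe\x02\x01\x00\x30\x0d\x06\x09",
    "pkcs12": b"\x30\x82\x0a\x01\x02\x01\x03\x30\x82\x09\xc7\x06\x09",
    "pkcs1-rsa": b"\x30\x82\x04\xa4\x02\x01\x00\x02\x82\x01\x01\x00",
    "sec1-ec": b"\x30\x77\x02\x01\x01\x04\x20",
    "pkcs8-encrypted": b"\x30\x82\x05\x03\x30\x5d\x06\x09\x2a\x86\x48",
    "x509": b"\x30\x82\x03\x21\x30\x82\x02\x09\xa0\x03\x02\x01\x02",
}

def check_samples():
    """Map each constructed sample to whether it sniffs as the container it models."""
    return {name: sniff(blob) == name for name, blob in DER_SAMPLES.items()}
```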