Class NistCertPathTest2
- All Implemented Interfaces:
junit.framework.Test
-
Constructor Summary
Constructors -
Method Summary
Modifier and Type | Method | Description
void | setUp() |
void | | 4.1.1 Valid Signatures Test1
void | | 4.1.2 Invalid CA Signature Test2
void | | 4.1.3 Invalid EE Signature Test3
void | | 4.1.4 Valid DSA Signatures Test4
void | | 4.1.5 Valid DSA Parameter Inheritance Test5
void | | 4.1.6 Invalid DSA Signature Test6
void | | 4.10.1 Valid Policy Mapping Test1
void | | 4.10.10 Invalid Policy Mapping Test10
void | | 4.10.11 Valid Policy Mapping Test11
void | | 4.10.12 Valid Policy Mapping Test12
void | | 4.10.13 Valid Policy Mapping Test13
void | | 4.10.14 Valid Policy Mapping Test14
void | | 4.10.2 Invalid Policy Mapping Test2
void | | 4.10.3 Valid Policy Mapping Test3
void | | 4.10.4 Invalid Policy Mapping Test4
void | | 4.10.5 Valid Policy Mapping Test5
void | | 4.10.6 Valid Policy Mapping Test6
void | | 4.10.7 Invalid Mapping From anyPolicy Test7
void | | 4.10.8 Invalid Mapping To anyPolicy Test8
void | | 4.10.9 Valid Policy Mapping Test9
void | | 4.11.1 Invalid inhibitPolicyMapping Test1
void | | 4.11.10 Invalid Self-Issued inhibitPolicyMapping Test10
void | | 4.11.11 Invalid Self-Issued inhibitPolicyMapping Test11
void | | 4.11.2 Valid inhibitPolicyMapping Test2
void | | 4.11.3 Invalid inhibitPolicyMapping Test3
void | | 4.11.4 Valid inhibitPolicyMapping Test4
void | | 4.11.5 Invalid inhibitPolicyMapping Test5
void | | 4.11.6 Invalid inhibitPolicyMapping Test6
void | | 4.11.7 Valid Self-Issued inhibitPolicyMapping Test7
void | | 4.11.8 Invalid Self-Issued inhibitPolicyMapping Test8
void | | 4.11.9 Invalid Self-Issued inhibitPolicyMapping Test9
void | | 4.12.1 Invalid inhibitAnyPolicy Test1
void | | 4.12.10 Invalid Self-Issued inhibitAnyPolicy Test10
void | | 4.12.2 Valid inhibitAnyPolicy Test2
void | | 4.12.3 inhibitAnyPolicy Test3
void | | 4.12.4 Invalid inhibitAnyPolicy Test4
void | | 4.12.5 Invalid inhibitAnyPolicy Test5
void | | 4.12.6 Invalid inhibitAnyPolicy Test6
void | | 4.12.7 Valid Self-Issued inhibitAnyPolicy Test7
void | | 4.12.8 Invalid Self-Issued inhibitAnyPolicy Test8
void | | 4.12.9 Valid Self-Issued inhibitAnyPolicy Test9
void | | 4.13.1 Valid DN nameConstraints Test1
void | | 4.13.10 Invalid DN nameConstraints Test10
void | | 4.13.11 Valid DN nameConstraints Test11
void | | 4.13.12 Invalid DN nameConstraints Test12
void | | 4.13.13 Invalid DN nameConstraints Test13
void | | 4.13.14 Valid DN nameConstraints Test14
void | | 4.13.15 Invalid DN nameConstraints Test15
void | | 4.13.16 Invalid DN nameConstraints Test16
void | | 4.13.17 Invalid DN nameConstraints Test17
void | | 4.13.18 Valid DN nameConstraints Test18
void | | 4.13.19 Valid Self-Issued DN nameConstraints Test19
void | | 4.13.2 Invalid DN nameConstraints Test2
void | | 4.13.20 Invalid Self-Issued DN nameConstraints Test20
void | | 4.13.21 Valid RFC822 nameConstraints Test21
void | | 4.13.22 Invalid RFC822 nameConstraints Test22
void | | 4.13.23 Valid RFC822 nameConstraints Test23
void | | 4.13.24 Invalid RFC822 nameConstraints Test24
void | | 4.13.25 Valid RFC822 nameConstraints Test25
void | | 4.13.26 Invalid RFC822 nameConstraints Test26
void | | 4.13.27 Valid DN and RFC822 nameConstraints Test27
void | | 4.13.28 Invalid DN and RFC822 nameConstraints Test28
void | | 4.13.29 Invalid DN and RFC822 nameConstraints Test29
void | | 4.13.3 Invalid DN nameConstraints Test3
void | | 4.13.30 Valid DNS nameConstraints Test30
void | | 4.13.31 Invalid DNS nameConstraints Test31
void | | 4.13.32 Valid DNS nameConstraints Test32
void | | 4.13.33 Invalid DNS nameConstraints Test33
void | | 4.13.34 Valid URI nameConstraints Test34
void | | 4.13.35 Invalid URI nameConstraints Test35
void | | 4.13.36 Valid URI nameConstraints Test36
void | | 4.13.37 Invalid URI nameConstraints Test37
void | | 4.13.38 Invalid DNS nameConstraints Test38
void | | 4.13.4 Valid DN nameConstraints Test4
void | | 4.13.5 Valid DN nameConstraints Test5
void | | 4.13.6 Valid DN nameConstraints Test6
void | | 4.13.7 Invalid DN nameConstraints Test7
void | | 4.13.8 Invalid DN nameConstraints Test8
void | | 4.13.9 Invalid DN nameConstraints Test9
void | | 4.14.1 Valid distributionPoint Test1
void | | 4.14.10 Valid No issuingDistributionPoint Test10
void | | 4.14.11 Invalid onlyContainsUserCerts CRL Test11
void | | 4.14.12 Invalid onlyContainsCACerts CRL Test12
void | | 4.14.13 Valid onlyContainsCACerts CRL Test13
void | | 4.14.14 Invalid onlyContainsAttributeCerts Test14
void | | 4.14.15 Invalid onlySomeReasons Test15
void | | 4.14.16 Invalid onlySomeReasons Test16
void | | 4.14.17 Invalid onlySomeReasons Test17
void | | 4.14.18 Valid onlySomeReasons Test18
void | | 4.14.19 Valid onlySomeReasons Test19
void | | 4.14.2 Invalid distributionPoint Test2
void | | 4.14.20 Invalid onlySomeReasons Test20
void | | 4.14.21 Invalid onlySomeReasons Test21
void | | 4.14.22 Valid IDP with indirectCRL Test22
void | | 4.14.23 Invalid IDP with indirectCRL Test23
void | | 4.14.3 Invalid distributionPoint Test3
void | | 4.14.34 Invalid cRLIssuer Test34
void | | 4.14.35 Invalid cRLIssuer Test35
void | | 4.14.4 Valid distributionPoint Test4
void | | 4.14.5 Valid distributionPoint Test5
void | | 4.14.6 Invalid distributionPoint Test6
void | | 4.14.7 Valid distributionPoint Test7
void | | 4.14.8 Invalid distributionPoint Test8
void | | 4.14.9 Invalid distributionPoint Test9
void | | 4.15.1 Invalid deltaCRLIndicator No Base Test1
void | | 4.15.10 Invalid delta-CRL Test10
void | | 4.15.2 Valid delta-CRL Test2
void | | 4.15.3 Invalid delta-CRL Test3
void | | 4.15.4 Invalid delta-CRL Test4
void | | 4.15.5 Valid delta-CRL Test5
void | | 4.15.6 Invalid delta-CRL Test6
void | | 4.15.7 Valid delta-CRL Test7
void | | 4.15.8 Valid delta-CRL Test8
void | | 4.15.9 Invalid delta-CRL Test9
void | | 4.16.1 Valid Unknown Not Critical Certificate Extension Test1
void | | 4.16.2 Invalid Unknown Critical Certificate Extension Test2
void | | 4.2.1 Invalid CA notBefore Date Test1
void | | 4.2.2 Invalid EE notBefore Date Test2
void | | 4.2.3 Valid pre2000 UTC notBefore Date Test3
void | | 4.2.4 Valid GeneralizedTime notBefore Date Test4
void | | 4.2.5 Invalid CA notAfter Date Test5
void | | 4.2.6 Invalid EE notAfter Date Test6
void | | 4.2.7 Invalid pre2000 UTC EE notAfter Date Test7
void | | 4.2.8 Valid GeneralizedTime notAfter Date Test8
void | | 4.3.1 Invalid Name Chaining EE Test1
void | | 4.3.10 Valid Rollover from PrintableString to UTF8String Test10
void | | 4.3.11 Valid UTF8String Case Insensitive Match Test11
void | | 4.3.2 Invalid Name Chaining Order Test2
void | | 4.3.3 Valid Name Chaining Whitespace Test3
void | | 4.3.4 Valid Name Chaining Whitespace Test4
void | | 4.3.5 Valid Name Chaining Capitalization Test5
void | | 4.3.6 Valid Name Chaining UIDs Test6
void | | 4.3.7 Valid RFC3280 Mandatory Attribute Types Test7
void | | 4.3.8 Valid RFC3280 Optional Attribute Types Test8
void | | 4.3.9 Valid UTF8String Encoded Names Test9
void | | 4.4.1 Missing CRL Test1
void | | 4.4.10 Invalid Unknown CRL Extension Test10
void | | 4.4.11 Invalid Old CRL nextUpdate Test11
void | | 4.4.12 Invalid pre2000 CRL nextUpdate Test12
void | | 4.4.13 Valid GeneralizedTime CRL nextUpdate Test13
void | | 4.4.14 Valid Negative Serial Number Test14
void | | 4.4.15 Invalid Negative Serial Number Test15
void | | 4.4.16 Valid Long Serial Number Test16
void | | 4.4.17 Valid Long Serial Number Test17
void | | 4.4.18 Invalid Long Serial Number Test18
void | | 4.4.2 Invalid Revoked CA Test2
void | | 4.4.3 Invalid Revoked EE Test3
void | | 4.4.4 Invalid Bad CRL Signature Test4
void | | 4.4.5 Invalid Bad CRL Issuer Name Test5
void | | 4.4.6 Invalid Wrong CRL Test6
void | | 4.4.7 Valid Two CRLs Test7
void | | 4.4.8 Invalid Unknown CRL Entry Extension Test8
void | | 4.4.9 Invalid Unknown CRL Extension Test9
void | | 4.5.1 Valid Basic Self-Issued Old With New Test1
void | | 4.5.2 Invalid Basic Self-Issued Old With New Test2
void | | 4.5.3 Valid Basic Self-Issued New With Old Test3
void | | 4.5.8 Invalid Basic Self-Issued CRL Signing Key Test8
void | | 4.6.1 Invalid Missing basicConstraints Test1
void | | 4.6.10 Invalid pathLenConstraint Test10
void | | 4.6.11 Invalid pathLenConstraint Test11
void | | 4.6.12 Invalid pathLenConstraint Test12
void | | 4.6.13 Valid pathLenConstraint Test13
void | | 4.6.14 Valid pathLenConstraint Test14
void | | 4.6.15 Valid Self-Issued pathLenConstraint Test15
void | | 4.6.16 Invalid Self-Issued pathLenConstraint Test16
void | | 4.6.17 Valid Self-Issued pathLenConstraint Test17
void | | 4.6.2 Invalid cA False Test2
void | | 4.6.3 Invalid cA False Test3
void | | 4.6.4 Valid basicConstraints Not Critical Test4
void | | 4.6.5 Invalid pathLenConstraint Test5
void | | 4.6.6 Invalid pathLenConstraint Test6
void | | 4.6.7 Valid pathLenConstraint Test7
void | | 4.6.8 Valid pathLenConstraint Test8
void | | 4.6.9 Invalid pathLenConstraint Test9
void | | 4.7.1 Invalid keyUsage Critical keyCertSign False Test1
void | | 4.7.2 Invalid keyUsage Not Critical keyCertSign False Test2
void | | 4.7.3 Valid keyUsage Not Critical Test3
void | | 4.7.4 Invalid keyUsage Critical cRLSign False Test4
void | | 4.7.5 Invalid keyUsage Not Critical cRLSign False Test5
void | | 4.8.1 All Certificates Same Policy Test1
void | | 4.8.10 All Certificates Same Policies Test10
void | | 4.8.11 All Certificates AnyPolicy Test11
void | | 4.8.12 Different Policies Test12
void | | 4.8.13 All Certificates Same Policies Test13
void | | 4.8.14 AnyPolicy Test14
void | | 4.8.15 User Notice Qualifier Test15
void | | 4.8.16 User Notice Qualifier Test16
void | | 4.8.17 User Notice Qualifier Test17
void | | 4.8.18 User Notice Qualifier Test18
void | | 4.8.19 User Notice Qualifier Test19
void | | 4.8.2 All Certificates No Policies Test2
void | | 4.8.20 CPS Pointer Qualifier Test20
void | | 4.8.3 Different Policies Test3
void | | 4.8.4 Different Policies Test4
void | | 4.8.5 Different Policies Test5
void | | 4.8.6 Overlapping Policies Test6
void | | 4.8.7 Different Policies Test7
void | | 4.8.8 Different Policies Test8
void | | 4.8.9 Different Policies Test9
void | | 4.9.1 Valid RequireExplicitPolicy Test1
void | | 4.9.2 Valid RequireExplicitPolicy Test2
void | | 4.9.3 Invalid RequireExplicitPolicy Test3
void | | 4.9.4 Valid RequireExplicitPolicy Test4
void | | 4.9.5 Invalid RequireExplicitPolicy Test5
void | | 4.9.6 Valid Self-Issued requireExplicitPolicy Test6
void | | 4.9.7 Invalid Self-Issued requireExplicitPolicy Test7
void | | 4.9.8 Invalid Self-Issued requireExplicitPolicy Test8
void | | 4.14.24 Valid IDP with indirectCRL Test24
void | | 4.14.25 Valid IDP with indirectCRL Test25
void | | 4.14.26 Invalid IDP with indirectCRL Test26
void | | 4.14.27 Invalid cRLIssuer Test27
void | | 4.14.28 Valid cRLIssuer Test28
void | | 4.14.29 Valid cRLIssuer Test29
void | | 4.14.30 Valid cRLIssuer Test30
void | | 4.14.31 Invalid cRLIssuer Test31
void | | 4.14.32 Invalid cRLIssuer Test32
void | | 4.14.33 Valid cRLIssuer Test33
void | | 4.4.19 Valid Separate Certificate and CRL Keys Test19
void | | 4.4.20 Invalid Separate Certificate and CRL Keys Test20
void | | 4.4.21 Invalid Separate Certificate and CRL Keys Test21
void | | 4.5.4 Valid Basic Self-Issued New With Old Test4
void | | 4.5.5 Invalid Basic Self-Issued New With Old Test5
void | | 4.5.6 Valid Basic Self-Issued CRL Signing Key Test6
void | | 4.5.7 Invalid Basic Self-Issued CRL Signing Key Test7
Methods inherited from class junit.framework.TestCase
assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertFalse, assertFalse, assertNotNull, assertNotNull, assertNotSame, assertNotSame, assertNull, assertNull, assertSame, assertSame, assertTrue, assertTrue, countTestCases, createResult, fail, fail, failNotEquals, failNotSame, failSame, format, getName, run, run, runBare, runTest, setName, tearDown, toString
-
Constructor Details
-
NistCertPathTest2
public NistCertPathTest2()
-
-
Method Details
-
setUp
public void setUp()
- Overrides:
setUp in class junit.framework.TestCase
-
test4_1_1
4.1.1 Valid Signatures Test1
The purpose of this test is to verify an application's ability to name chain, signature chain, and check validity dates, on certificates in a certification path. It also tests processing of the basic constraints and key usage extensions in intermediate certificates.
- Throws:
Exception
-
test4_1_2
4.1.2 Invalid CA Signature Test2
The purpose of this test is to verify an application's ability to recognize an invalid signature on an intermediate certificate in a certification path.
- Throws:
Exception
-
test4_1_3
4.1.3 Invalid EE Signature Test3
The purpose of this test is to verify an application's ability to recognize an invalid signature on an end entity certificate in a certification path.
- Throws:
Exception
-
test4_1_4
4.1.4 Valid DSA Signatures Test4
The purpose of this test is to verify an application's ability to validate certificates in which DSA signatures are used. The intermediate CA and the end entity have DSA key pairs.
- Throws:
Exception
-
test4_1_5
4.1.5 Valid DSA Parameter Inheritance Test5
The purpose of this test is to verify an application's ability to validate DSA signatures when the DSA parameters are not included in a certificate and need to be inherited from a previous certificate in the path. The intermediate CAs and the end entity have DSA key pairs.
- Throws:
Exception
-
test4_1_6
4.1.6 Invalid DSA Signature Test6
The purpose of this test is to verify an application's ability to determine when a DSA signature is invalid. The intermediate CA and the end entity have DSA key pairs.
- Throws:
Exception
-
test4_2_1
4.2.1 Invalid CA notBefore Date Test1
In this test, the intermediate certificate's notBefore date is after the current date.
- Throws:
Exception
-
test4_2_2
4.2.2 Invalid EE notBefore Date Test2
In this test, the end entity certificate's notBefore date is after the current date.
- Throws:
Exception
-
test4_2_3
4.2.3 Valid pre2000 UTC notBefore Date Test3
In this test, the end entity certificate's notBefore date is set to 1950 and is encoded in UTCTime.
- Throws:
Exception
-
test4_2_4
4.2.4 Valid GeneralizedTime notBefore Date Test4
In this test, the end entity certificate's notBefore date is specified in GeneralizedTime.
- Throws:
Exception
-
test4_2_5
4.2.5 Invalid CA notAfter Date Test5
In this test, the intermediate certificate's notAfter date is before the current date.
- Throws:
Exception
-
test4_2_6
4.2.6 Invalid EE notAfter Date Test6
In this test, the end entity certificate's notAfter date is before the current date.
- Throws:
Exception
-
test4_2_7
4.2.7 Invalid pre2000 UTC EE notAfter Date Test7
In this test, the end entity certificate's notAfter date is 1999 and is encoded in UTCTime.
- Throws:
Exception
-
test4_2_8
4.2.8 Valid GeneralizedTime notAfter Date Test8
In this test, the end entity certificate's notAfter date is 2050 and is encoded in GeneralizedTime.
- Throws:
Exception
-
test4_3_1
4.3.1 Invalid Name Chaining EE Test1
In this test, the common name (cn=) portion of the issuer's name in the end entity certificate does not match the common name portion of the subject's name in the preceding intermediate certificate.
- Throws:
Exception
-
test4_3_2
4.3.2 Invalid Name Chaining Order Test2
In this test, the issuer's name in the end entity certificate and the subject's name in the preceding intermediate certificate contain the same relative distinguished names (RDNs), but their ordering is different.
- Throws:
Exception
-
test4_3_3
4.3.3 Valid Name Chaining Whitespace Test3
In this test, the issuer's name in the end entity certificate and the subject's name in the preceding intermediate certificate differ in internal whitespace, but match once the internal whitespace is compressed.
- Throws:
Exception
-
test4_3_4
4.3.4 Valid Name Chaining Whitespace Test4
In this test, the issuer's name in the end entity certificate and the subject's name in the preceding intermediate certificate differ in leading and trailing whitespace, but match once all leading and trailing whitespace is removed.
- Throws:
Exception
-
test4_3_5
4.3.5 Valid Name Chaining Capitalization Test5
In this test, the issuer's name in the end entity certificate and the subject's name in the preceding intermediate certificate differ in capitalization, but match when a case insensitive match is performed.
- Throws:
Exception
-
test4_3_6
4.3.6 Valid Name Chaining UIDs Test6
In this test, the intermediate certificate includes a subjectUniqueID and the end entity certificate includes a matching issuerUniqueID.
- Throws:
Exception
-
test4_3_7
4.3.7 Valid RFC3280 Mandatory Attribute Types Test7
In this test, the intermediate certificate includes a subject name that includes the attribute types distinguished name qualifier, state or province name, serial number, domain component, organization, and country.
- Throws:
Exception
-
test4_3_8
4.3.8 Valid RFC3280 Optional Attribute Types Test8
In this test, the intermediate certificate includes a subject name that includes the attribute types locality, title, surname, given name, initials, pseudonym, generation qualifier, organization, and country.
- Throws:
Exception
-
test4_3_9
4.3.9 Valid UTF8String Encoded Names Test9
In this test, the attribute values for the common name and organization attribute types in the subject fields of the intermediate and end certificates and the issuer fields of the end certificate and the intermediate certificate's CRL are encoded in UTF8String.
- Throws:
Exception
-
test4_3_10
4.3.10 Valid Rollover from PrintableString to UTF8String Test10
In this test, the attribute values for the common name and organization attribute types in the issuer and subject fields of the end certificate and the issuer field of the intermediate certificate's CRL are encoded in UTF8String. However, these attribute types are encoded in PrintableString in the subject field of the intermediate certificate.
- Throws:
Exception
-
test4_3_11
4.3.11 Valid UTF8String Case Insensitive Match Test11
In this test, the attribute values for the common name and organization attribute types in the subject fields of the intermediate and end certificates and the issuer fields of the end certificate and the intermediate certificate's CRL are encoded in UTF8String. The subject of the intermediate certificate and the issuer of the end certificate differ in capitalization and whitespace, but match when a case insensitive match is performed.
- Throws:
Exception
-
test4_4_1
4.4.1 Missing CRL Test1
In this test, there is no revocation information available from the intermediate CA, making it impossible to determine the status of the end certificate.
- Throws:
Exception
-
test4_4_2
4.4.2 Invalid Revoked CA Test2
In this test, the CRL issued by the first intermediate CA indicates that the second intermediate certificate in the path has been revoked.
- Throws:
Exception
-
test4_4_3
4.4.3 Invalid Revoked EE Test3
In this test, the CRL issued by the intermediate CA indicates that the end entity certificate has been revoked.
- Throws:
Exception
-
test4_4_4
4.4.4 Invalid Bad CRL Signature Test4
In this test, the signature on the CRL issued by the intermediate CA is invalid.
- Throws:
Exception
-
test4_4_5
4.4.5 Invalid Bad CRL Issuer Name Test5
In this test, the issuer name in the CRL signed by the intermediate CA does not match the issuer name in the end entity's certificate.
- Throws:
Exception
-
test4_4_6
4.4.6 Invalid Wrong CRL Test6
In this test, the wrong CRL is in the intermediate certificate's directory entry. There is no CRL available from the intermediate CA, making it impossible to determine the status of the end entity's certificate.
- Throws:
Exception
-
test4_4_7
4.4.7 Valid Two CRLs Test7
In this test, there are two CRLs in the intermediate CA's directory entry, one that is correct and one that contains the wrong issuer name. The correct CRL does not list any certificates as revoked. The incorrect CRL includes the serial number of the end entity's certificate on its list of revoked certificates.
- Throws:
Exception
-
test4_4_8
4.4.8 Invalid Unknown CRL Entry Extension Test8
In this test, the end entity's certificate has been revoked. In the intermediate CA's CRL, there is a made-up critical crlEntryExtension associated with the end entity certificate's serial number. [X.509 7.3] When an implementation processing a CRL encounters the serial number of the certificate of interest in a CRL entry, but does not recognize a critical extension in the crlEntryExtensions field from that CRL entry, that CRL cannot be used to determine the status of the certificate.
- Throws:
Exception
-
test4_4_9
4.4.9 Invalid Unknown CRL Extension Test9
In this test, the end entity's certificate has been revoked. In the intermediate CA's CRL, there is a made-up critical extension in the crlExtensions field. [X.509 7.3] When an implementation does not recognize a critical extension in the crlExtensions field, that CRL cannot be used to determine the status of the certificate, regardless of whether the serial number of the certificate of interest appears in that CRL or not.
- Throws:
Exception
-
test4_4_10
4.4.10 Invalid Unknown CRL Extension Test10
In this test, the intermediate CA's CRL contains a made-up critical extension in the crlExtensions field. The end entity certificate's serial number is not listed on the CRL. However, due to the presence of an unknown critical CRL extension, the relying party cannot be sure that the list of serial numbers on the revokedCertificates list includes all certificates that have been revoked by the intermediate CA. As a result, the relying party cannot verify that the end entity's certificate has not been revoked.
- Throws:
Exception
-
test4_4_11
4.4.11 Invalid Old CRL nextUpdate Test11
In this test, the intermediate CA's CRL has a nextUpdate time that is far in the past (January 2010), indicating that the CA has already issued updated revocation information. Since the information in the CRL is out-of-date and a more up-to-date CRL (that should have already been issued) cannot be obtained, the certification path should be treated as if the status of the end entity certificate cannot be determined.
- Throws:
Exception
-
test4_4_12
4.4.12 Invalid pre2000 CRL nextUpdate Test12
In this test, the intermediate CA's CRL has a nextUpdate time that is in 1999, indicating that the CA has already issued updated revocation information. Since the information in the CRL is out-of-date and a more up-to-date CRL (that should have already been issued) cannot be obtained, the certification path should be treated as if the status of the end entity certificate cannot be determined.
- Throws:
Exception
-
test4_4_13
4.4.13 Valid GeneralizedTime CRL nextUpdate Test13
In this test, the intermediate CA's CRL has a nextUpdate time that is in 2050. Since the nextUpdate time is in the future, this CRL may contain the most up-to-date certificate status information that is available from the intermediate CA and so the relying party may use this CRL to determine the status of the end entity certificate.
- Throws:
Exception
-
test4_4_14
4.4.14 Valid Negative Serial Number Test14
RFC 3280 mandates that certificate serial numbers be positive integers, but states that relying parties should be prepared to gracefully handle certificates with serial numbers that are negative, or zero. In this test, the end entity's certificate has a serial number of 255 (DER encoded as "00 FF") and the corresponding CRL lists the certificate with serial number -1 (DER encoded as "FF") as revoked.
- Throws:
Exception
-
test4_4_15
4.4.15 Invalid Negative Serial Number Test15
RFC 3280 mandates that certificate serial numbers be positive integers, but states that relying parties should be prepared to gracefully handle certificates with serial numbers that are negative, or zero. In this test, the end entity's certificate has a serial number of -1 (DER encoded as "FF") and the corresponding CRL lists this certificate as revoked.
- Throws:
Exception
-
test4_4_16
4.4.16 Valid Long Serial Number Test16
RFC 3280 mandates that certificate users be able to handle serial number values up to 20 octets long. In this test, the end entity's certificate has a 20 octet serial number that is not listed on the corresponding CRL, but the serial number matches the serial number listed on the CRL in all but the least significant octet.
- Throws:
Exception
-
test4_4_17
4.4.17 Valid Long Serial Number Test17
RFC 3280 mandates that certificate users be able to handle serial number values up to 20 octets long. In this test, the end entity's certificate has a 20 octet serial number that is not listed on the corresponding CRL, but the serial number matches the serial number listed on the CRL in all but the most significant octet.
- Throws:
Exception
-
test4_4_18
4.4.18 Invalid Long Serial Number Test18
RFC 3280 mandates that certificate users be able to handle serial number values up to 20 octets long. In this test, the end entity's certificate has a 20 octet serial number and the certificate's serial number is listed on the corresponding CRL.
- Throws:
Exception
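The serial number cases in 4.4.14 through 4.4.18 turn on how the DER INTEGER content octets are converted before the CRL lookup. The following Java sketch is an added example, not code from this test class or from the NIST suite; the class and method names are hypothetical and the 20-octet serial values are constructed, since the page does not list the real ones.

```java
import java.math.BigInteger;
import java.util.Arrays;

public class SerialNumberMatch {

    /** DER INTEGER content octets are two's complement: "FF" is -1, "00 FF" is 255. */
    static BigInteger derValue(byte[] content) {
        return new BigInteger(content);
    }

    /** Flawed reading: octets taken as an unsigned magnitude, so "FF" and "00 FF" both give 255. */
    static BigInteger unsignedValue(byte[] content) {
        return new BigInteger(1, content);
    }

    /** Flawed reading: keeps only the low-order 64 bits of a serial that may be 20 octets long. */
    static long truncatedValue(byte[] content) {
        return new BigInteger(content).longValue();
    }

    /** Correct lookup: compare the full signed values of the certificate and CRL entry serials. */
    static boolean revoked(byte[] certSerial, byte[][] crlSerials) {
        BigInteger wanted = derValue(certSerial);
        for (byte[] entry : crlSerials) {
            if (derValue(entry).equals(wanted)) {
                return true;
            }
        }
        return false;
    }

    /** Constructed 20-octet serial: 0x11 filler with chosen first and last octets. */
    static byte[] serial20(int mostSignificant, int leastSignificant) {
        byte[] s = new byte[20];
        Arrays.fill(s, (byte) 0x11);
        s[0] = (byte) mostSignificant;
        s[19] = (byte) leastSignificant;
        return s;
    }

    static void expect(String label, boolean actual, boolean expected) {
        if (actual != expected) {
            throw new AssertionError(label + ": got " + actual);
        }
        System.out.println(label + ": " + actual);
    }

    public static void main(String[] args) {
        byte[] s255 = {0x00, (byte) 0xFF};          // 255, the certificate serial in 4.4.14
        byte[] sMinus1 = {(byte) 0xFF};             // -1, the CRL entry in 4.4.14 and 4.4.15
        byte[] base = serial20(0x7F, 0x01);         // constructed certificate serial
        byte[] lsbDiffers = serial20(0x7F, 0x02);   // differs only in the least significant octet
        byte[] msbDiffers = serial20(0x7E, 0x01);   // differs only in the most significant octet

        expect("4.4.14 cert 255, CRL lists -1", revoked(s255, new byte[][] {sMinus1}), false);
        expect("4.4.15 cert -1, CRL lists -1", revoked(sMinus1, new byte[][] {sMinus1}), true);
        expect("4.4.16 last octet differs", revoked(base, new byte[][] {lsbDiffers}), false);
        expect("4.4.17 first octet differs", revoked(base, new byte[][] {msbDiffers}), false);
        expect("4.4.18 identical 20-octet serial", revoked(base, new byte[][] {base.clone()}), true);

        // Both flawed readings report a match where the full signed comparison finds none.
        expect("unsigned reading conflates 255 and -1",
                unsignedValue(s255).equals(unsignedValue(sMinus1)), true);
        expect("64-bit truncation conflates serials differing in the first octet",
                truncatedValue(base) == truncatedValue(msbDiffers), true);
    }
}
```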
-
xtest4_4_19
4.4.19 Valid Separate Certificate and CRL Keys Test19
In this test, the intermediate CA uses different keys to sign certificates and CRLs. The Trust Anchor CA has issued two certificates to the intermediate CA, one for each key. The end entity's certificate was signed using the intermediate CA's certificate signing key.
- Throws:
Exception
-
xtest4_4_20
4.4.20 Invalid Separate Certificate and CRL Keys Test20
In this test, the intermediate CA uses different keys to sign certificates and CRLs. The Trust Anchor CA has issued two certificates to the intermediate CA, one for each key. The end entity's certificate was signed using the intermediate CA's certificate signing key. The CRL issued by the intermediate CA lists the end entity's certificate as revoked.
- Throws:
Exception
-
xtest4_4_21
4.4.21 Invalid Separate Certificate and CRL Keys Test21
In this test, the intermediate CA uses different keys to sign certificates and CRLs. The Trust Anchor CA has issued two certificates to the intermediate CA, one for each key. The certificate issued to the intermediate CA's CRL verification key has been revoked. The end entity's certificate was signed using the intermediate CA's certificate signing key.
- Throws:
Exception
-
test4_5_1
4.5.1 Valid Basic Self-Issued Old With New Test1
In this test, the Trust Anchor CA has issued a certificate to the intermediate CA that contains the intermediate CA's new public key. The end entity's certificate was signed using the intermediate CA's old private key, requiring the relying party to use the CA's old-signed-with-new self-issued certificate in order to validate the end entity's certificate. The intermediate CA issues one CRL, signed with its new private key, that covers all of the unexpired certificates that it has issued.
- Throws:
Exception
-
test4_5_2
4.5.2 Invalid Basic Self-Issued Old With New Test2
In this test, the Trust Anchor CA has issued a certificate to the intermediate CA that contains the intermediate CA's new public key. The end entity's certificate was signed using the intermediate CA's old private key, requiring the relying party to use the CA's old-signed-with-new self-issued certificate in order to validate the end entity's certificate. The intermediate CA issues one CRL, signed with its new private key, that covers all of the unexpired certificates that it has issued. This CRL indicates that the end entity's certificate has been revoked.
- Throws:
Exception
-
test4_5_3
4.5.3 Valid Basic Self-Issued New With Old Test3
In this test, the Trust Anchor CA has issued a certificate to the intermediate CA that contains the intermediate CA's old public key. The end entity's certificate and a CRL covering all certificates issued by the intermediate CA were signed using the intermediate CA's new private key, requiring the relying party to use the CA's new-signed-with-old self-issued certificate in order to validate both the end entity's certificate and the intermediate CA's CRL. There is a second CRL, signed using the intermediate CA's old private key, that only covers the new-signed-with-old self-issued certificate.
- Throws:
Exception
-
xtest4_5_4
4.5.4 Valid Basic Self-Issued New With Old Test4
In this test, the Trust Anchor CA has issued a certificate to the intermediate CA that contains the intermediate CA's old public key. The end entity's certificate was signed using the intermediate CA's old private key, so there is no need to use a self-issued certificate to create a certification path from the Trust Anchor to the end entity. However, the CRL covering all certificates issued by the intermediate CA was signed using the intermediate CA's new private key, requiring the relying party to use the CA's new-signed-with-old self-issued certificate in order to validate the intermediate CA's CRL. This CRL must be validated in order to determine the status of the end entity's certificate. There is a second CRL, signed using the intermediate CA's old private key, that only covers the new-signed-with-old self-issued certificate.
- Throws:
Exception
-
xtest4_5_5
4.5.5 Invalid Basic Self-Issued New With Old Test5
In this test, the Trust Anchor CA has issued a certificate to the intermediate CA that contains the intermediate CA's old public key. The end entity's certificate was signed using the intermediate CA's old private key, so there is no need to use a self-issued certificate to create a certification path from the Trust Anchor to the end entity. However, the CRL covering all certificates issued by the intermediate CA was signed using the intermediate CA's new private key, requiring the relying party to use the CA's new-signed-with-old self-issued certificate in order to validate the intermediate CA's CRL. This CRL must be validated in order to determine the status of the end entity's certificate. There is a second CRL, signed using the intermediate CA's old private key, that only covers the new-signed-with-old self-issued certificate. The end entity's certificate has been revoked.
- Throws:
Exception
-
xtest4_5_6
4.5.6 Valid Basic Self-Issued CRL Signing Key Test6
In this test, the intermediate CA maintains two key pairs, one for signing certificates and the other for signing CRLs. The Trust Anchor CA has issued a certificate to the intermediate CA that contains the intermediate CA's certificate verification public key, and the intermediate CA has issued a self-issued certificate that contains its CRL verification key. The intermediate CA's certificate signing private key has been used to sign a CRL that only covers the self-issued certificate.
- Throws:
Exception
-
xtest4_5_7
4.5.7 Invalid Basic Self-Issued CRL Signing Key Test7
In this test, the intermediate CA maintains two key pairs, one for signing certificates and the other for signing CRLs. The Trust Anchor CA has issued a certificate to the intermediate CA that contains the intermediate CA's certificate verification public key, and the intermediate CA has issued a self-issued certificate that contains its CRL verification key. The intermediate CA's certificate signing private key has been used to sign a CRL that only covers the self-issued certificate. The end entity's certificate has been revoked.
- Throws:
Exception
-
test4_5_8
4.5.8 Invalid Basic Self-Issued CRL Signing Key Test8
In this test, the intermediate CA maintains two key pairs, one for signing certificates and the other for signing CRLs. The Trust Anchor CA has issued a certificate to the intermediate CA that contains the intermediate CA's certificate verification public key, and the intermediate CA has issued a self-issued certificate that contains its CRL verification key. The intermediate CA's certificate signing private key has been used to sign a CRL that only covers the self-issued certificate. The end entity's certificate was signed using the CRL signing key.
- Throws:
Exception
-
test4_6_1
4.6.1 Invalid Missing basicConstraints Test1
In this test, the intermediate certificate does not have a basicConstraints extension.
- Throws:
Exception
-
test4_6_2
4.6.2 Invalid cA False Test2
In this test, the basicConstraints extension is present in the intermediate certificate and is marked critical, but the cA component is false, indicating that the subject public key may not be used to verify signatures on certificates.
- Throws:
Exception
-
test4_6_3
4.6.3 Invalid cA False Test3
In this test, the basicConstraints extension is present in the intermediate certificate and is marked not critical, but the cA component is false, indicating that the subject public key may not be used to verify signatures on certificates. As specified in section 8.4.2.1 of X.509, the application must reject the path either because the application does not recognize the basicConstraints extension or because cA is set to false.
- Throws:
Exception
-
test4_6_4
4.6.4 Valid basicConstraints Not Critical Test4
In this test, the basicConstraints extension is present in the intermediate certificate and the cA component is true, but the extension is marked not critical.
- Throws:
Exception
-
test4_6_5
4.6.5 Invalid pathLenConstraint Test5
In this test, the first certificate in the path includes a basicConstraints extension with a pathLenConstraint of 0 (allowing 0 additional intermediate certificates in the path). This is followed by a second intermediate certificate and an end entity certificate.
- Throws:
Exception
-
test4_6_6
4.6.6 Invalid pathLenConstraint Test6
In this test, the first certificate in the path includes a basicConstraints extension with a pathLenConstraint of 0 (allowing 0 additional intermediate certificates in the path). This is followed by two more CA certificates, the second of which is the end certificate in the path.
- Throws:
Exception
-
test4_6_7
4.6.7 Valid pathLenConstraint Test7
In this test, the first certificate in the path includes a basicConstraints extension with a pathLenConstraint of 0 (allowing 0 additional intermediate certificates in the path). This is followed by the end entity certificate.
- Throws:
Exception
-
test4_6_8
4.6.8 Valid pathLenConstraint Test8
In this test, the first certificate in the path includes a basicConstraints extension with a pathLenConstraint of 0 (allowing 0 additional intermediate certificates in the path). This is followed by the end entity certificate, which is a CA certificate.
- Throws:
Exception
-
test4_6_9
4.6.9 Invalid pathLenConstraint Test9
This test consists of a certification path of length 4. The first certificate in the path includes a pathLenConstraint of 6, the second a pathLenConstraint of 0, and the third a pathLenConstraint of 0. The fourth certificate is an end entity certificate.
- Throws:
Exception
-
test4_6_10
4.6.10 Invalid pathLenConstraint Test10
This test consists of a certification path of length 4. The first certificate in the path includes a pathLenConstraint of 6, the second a pathLenConstraint of 0, and the third a pathLenConstraint of 0. The end entity certificate is a CA certificate.
- Throws:
Exception
-
test4_6_11
4.6.11 Invalid pathLenConstraint Test11
This test consists of a certification path of length 5. The first certificate in the path includes a pathLenConstraint of 6, the second a pathLenConstraint of 1, and the third a pathLenConstraint of 1. The fourth certificate does not include a pathLenConstraint. The fifth certificate is an end entity certificate.
- Throws:
Exception
-
test4_6_12
4.6.12 Invalid pathLenConstraint Test12
This test consists of a certification path of length 5. The first certificate in the path includes a pathLenConstraint of 6, the second a pathLenConstraint of 1, and the third a pathLenConstraint of 1. The fourth certificate does not include a pathLenConstraint. The end entity certificate is a CA certificate.
- Throws:
Exception
-
test4_6_13
4.6.13 Valid pathLenConstraint Test13
This test consists of a certification path of length 5. The first certificate in the path includes a pathLenConstraint of 6, the second a pathLenConstraint of 4, and the third a pathLenConstraint of 1. The fourth certificate does not include a pathLenConstraint. The fifth certificate is an end entity certificate.
- Throws:
Exception
-
test4_6_14
4.6.14 Valid pathLenConstraint Test14
This test consists of a certification path of length 5. The first certificate in the path includes a pathLenConstraint of 6, the second a pathLenConstraint of 4, and the third a pathLenConstraint of 1. The fourth certificate does not include a pathLenConstraint. The end entity certificate is a CA certificate.
- Throws:
Exception
-
test4_6_15
4.6.15 Valid Self-Issued pathLenConstraint Test15
In this test, the first certificate in the path includes a basicConstraints extension with a pathLenConstraint of 0 (allowing 0 additional non-self-issued intermediate certificates in the path). This is followed by a self-issued certificate and the end entity certificate.
- Throws:
Exception
-
test4_6_16
4.6.16 Invalid Self-Issued pathLenConstraint Test16
In this test, the first certificate in the path includes a basicConstraints extension with a pathLenConstraint of 0 (allowing 0 additional non-self-issued intermediate certificates in the path). This is followed by a self-issued certificate, a non-self-issued certificate, and the end entity certificate.
- Throws:
Exception
-
test4_6_17
4.6.17 Valid Self-Issued pathLenConstraint Test17
In this test, the first certificate in the path includes a basicConstraints extension with a pathLenConstraint of 1 (allowing 1 additional non-self-issued intermediate certificate in the path). This is followed by a self-issued certificate, a non-self-issued certificate, another self-issued certificate, and the end entity certificate.
- Throws:
Exception
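The basicConstraints and pathLenConstraint cases 4.6.1 to 4.6.17 all exercise the same bookkeeping: the max_path_length counter of RFC 5280 section 6.1.4, steps (k) to (m), which self-issued certificates do not decrement. The following is an added illustration, not code from this test class or from the CertPath provider; the `PathLenModel` class, the `Cert` record and its factory methods are hypothetical, each modelled certificate carries only the fields the descriptions above state, and records require Java 16 or later.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Added illustration: models only RFC 5280 section 6.1.4 steps (k), (l) and (m). */
public class PathLenModel {

    /** A certificate reduced to the fields these steps read; pathLen == null means absent. */
    record Cert(String label, boolean hasBasicConstraints, boolean cA,
                Integer pathLen, boolean selfIssued) {
        static Cert ca(String label, Integer pathLen) {
            return new Cert(label, true, true, pathLen, false);
        }
        static Cert selfIssued(String label) {
            return new Cert(label, true, true, null, true);
        }
        static Cert endEntity() {
            return new Cert("EE", false, false, null, false);
        }
    }

    /** Returns null when the path passes these steps, otherwise the rejection reason. */
    static String check(List<Cert> path) {
        int n = path.size();
        int maxPathLength = n; // initial value of max_path_length (section 6.1.2)
        // The last certificate is never "prepared for" a successor, so it is not
        // examined here, even when it is itself a CA certificate (4.6.8).
        for (int i = 0; i < n - 1; i++) {
            Cert c = path.get(i);
            // Step (k): the issuer of the next certificate must be a CA.
            if (!c.hasBasicConstraints() || !c.cA()) {
                return c.label() + ": basicConstraints missing or cA false";
            }
            // Step (l): only non-self-issued certificates consume path length.
            if (!c.selfIssued()) {
                if (maxPathLength <= 0) {
                    return c.label() + ": pathLenConstraint exceeded";
                }
                maxPathLength--;
            }
            // Step (m): a pathLenConstraint can tighten the limit but never relax it.
            if (c.pathLen() != null && c.pathLen() < maxPathLength) {
                maxPathLength = c.pathLen();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed paths following the descriptions of the tests named in the keys.
        Map<String, List<Cert>> cases = new LinkedHashMap<>();
        cases.put("4.6.1", List.of(new Cert("CA1", false, false, null, false), Cert.endEntity()));
        cases.put("4.6.2", List.of(new Cert("CA1", true, false, null, false), Cert.endEntity()));
        cases.put("4.6.5", List.of(Cert.ca("CA1", 0), Cert.ca("CA2", null), Cert.endEntity()));
        cases.put("4.6.7", List.of(Cert.ca("CA1", 0), Cert.endEntity()));
        cases.put("4.6.8", List.of(Cert.ca("CA1", 0), Cert.ca("end CA", null)));
        cases.put("4.6.9", List.of(Cert.ca("CA1", 6), Cert.ca("CA2", 0), Cert.ca("CA3", 0),
                Cert.endEntity()));
        cases.put("4.6.11", List.of(Cert.ca("CA1", 6), Cert.ca("CA2", 1), Cert.ca("CA3", 1),
                Cert.ca("CA4", null), Cert.endEntity()));
        cases.put("4.6.13", List.of(Cert.ca("CA1", 6), Cert.ca("CA2", 4), Cert.ca("CA3", 1),
                Cert.ca("CA4", null), Cert.endEntity()));
        cases.put("4.6.15", List.of(Cert.ca("CA1", 0), Cert.selfIssued("SI1"), Cert.endEntity()));
        cases.put("4.6.16", List.of(Cert.ca("CA1", 0), Cert.selfIssued("SI1"),
                Cert.ca("CA2", null), Cert.endEntity()));
        cases.put("4.6.17", List.of(Cert.ca("CA1", 1), Cert.selfIssued("SI1"),
                Cert.ca("CA2", null), Cert.selfIssued("SI2"), Cert.endEntity()));

        cases.forEach((name, path) -> {
            String reason = check(path);
            System.out.println(name + ": " + (reason == null ? "accepted" : "rejected, " + reason));
        });
    }
}
```

Each verdict printed should agree with the Valid or Invalid in the corresponding test title; the model covers none of the signature, revocation or policy checks a real validator also performs.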
-
test4_7_1
4.7.1 Invalid keyUsage Critical keyCertSign False Test1
In this test, the intermediate certificate includes a critical keyUsage extension in which keyCertSign is false.
- Throws:
Exception
-
test4_7_2
4.7.2 Invalid keyUsage Not Critical keyCertSign False Test2
In this test, the intermediate certificate includes a non-critical keyUsage extension in which keyCertSign is false.
- Throws:
Exception
-
test4_7_3
4.7.3 Valid keyUsage Not Critical Test3
In this test, the intermediate certificate includes a non-critical keyUsage extension.
- Throws:
Exception
-
test4_7_4
4.7.4 Invalid keyUsage Critical cRLSign False Test4
In this test, the intermediate certificate includes a critical keyUsage extension in which cRLSign is false.
- Throws:
Exception
-
test4_7_5
4.7.5 Invalid keyUsage Not Critical cRLSign False Test5
In this test, the intermediate certificate includes a non-critical keyUsage extension in which cRLSign is false.
- Throws:
Exception
-
test4_8_1
4.8.1 All Certificates Same Policy Test1
In this test, every certificate in the path asserts the same policy, NIST-test-policy-1. The certification path in this test is the same certification path as in Valid Signatures Test1. If possible, it is recommended that the certification path in this test be validated using the following inputs:
1. default settings, but with initial-explicit-policy set. The path should validate successfully.
2. default settings, but with initial-explicit-policy set and initial-policy-set = {NIST-test-policy-1}. The path should validate successfully.
3. default settings, but with initial-explicit-policy set and initial-policy-set = {NIST-test-policy-2}. The path should not validate successfully.
4. default settings, but with initial-explicit-policy set and initial-policy-set = {NIST-test-policy-1, NIST-test-policy-2}. The path should validate successfully.
- Throws:
Exception
-
test4_8_2
4.8.2 All Certificates No Policies Test2
In this test, the certificatePolicies extension is omitted from every certificate in the path. If possible, it is recommended that the certification path in this test be validated using the following inputs:
1. default settings. The path should validate successfully.
2. default settings, but with initial-explicit-policy set. The path should not validate successfully.
- Throws:
Exception
-
test4_8_3
4.8.3 Different Policies Test3
In this test, every certificate in the path asserts the same certificate policy except the first certificate in the path. If possible, it is recommended that the certification path in this test be validated using the following inputs:
1. default settings. The path should validate successfully.
2. default settings, but with initial-explicit-policy set. The path should not validate successfully.
3. default settings, but with initial-explicit-policy set and initial-policy-set = {NIST-test-policy-1, NIST-test-policy-2}. The path should not validate successfully.
- Throws:
Exception
-
test4_8_4
4.8.4 Different Policies Test4
In this test, every certificate in the path asserts the same certificate policy except the end entity certificate.
- Throws:
Exception
-
test4_8_5
4.8.5 Different Policies Test5
In this test, every certificate in the path except the second certificate asserts the same policy.
- Throws:
Exception
-
test4_8_6
4.8.6 Overlapping Policies Test6
The following path is such that the intersection of certificate policies among all the certificates has exactly one policy, NIST-test-policy-1. The final certificate in the path is a CA certificate. If possible, it is recommended that the certification path in this test be validated using the following inputs:
1. default settings. The path should validate successfully.
2. default settings, but with initial-policy-set = {NIST-test-policy-1}. The path should validate successfully.
3. default settings, but with initial-policy-set = {NIST-test-policy-2}. The path should not validate successfully.
- Throws:
Exception
-
test4_8_7
4.8.7 Different Policies Test7
The following path is such that the intersection of certificate policies among all the certificates is empty. The final certificate in the path is a CA certificate.
- Throws:
Exception
-
test4_8_8
4.8.8 Different Policies Test8
The following path is such that the intersection of certificate policies among all the certificates is empty. The final certificate in the path is a CA certificate.
- Throws:
Exception
-
test4_8_9
4.8.9 Different Policies Test9
The following path is such that the intersection of certificate policies among all the certificates is empty.
- Throws:
Exception
-
test4_8_10
4.8.10 All Certificates Same Policies Test10
In this test, every certificate in the path asserts the same policies, NIST-test-policy-1 and NIST-test-policy-2. If possible, it is recommended that the certification path in this test be validated using the following inputs:
1. default settings. The path should validate successfully.
2. default settings, but with initial-policy-set = {NIST-test-policy-1}. The path should validate successfully.
3. default settings, but with initial-policy-set = {NIST-test-policy-2}. The path should validate successfully.
- Throws:
Exception
-
test4_8_11
4.8.11 All Certificates AnyPolicy Test11
In this test, every certificate in the path asserts the special policy anyPolicy. If possible, it is recommended that the certification path in this test be validated using the following inputs:
1. default settings. The path should validate successfully.
2. default settings, but with initial-policy-set = {NIST-test-policy-1}. The path should validate successfully.
- Throws:
Exception
-
test4_8_12
4.8.12 Different Policies Test12
In this test, the path consists of two certificates, each of which asserts a different certificate policy.
- Throws:
Exception
-
test4_8_13
4.8.13 All Certificates Same Policies Test13
In this test, every certificate in the path asserts the same policies, NIST-test-policy-1, NIST-test-policy-2, and NIST-test-policy-3. If possible, it is recommended that the certification path in this test be validated using the following inputs:
1. default settings, but with initial-policy-set = {NIST-test-policy-1}. The path should validate successfully.
2. default settings, but with initial-policy-set = {NIST-test-policy-2}. The path should validate successfully.
3. default settings, but with initial-policy-set = {NIST-test-policy-3}. The path should validate successfully.
- Throws:
Exception
-
test4_8_14
4.8.14 AnyPolicy Test14
In this test, the intermediate certificate asserts anyPolicy and the end entity certificate asserts NIST-test-policy-1. If possible, it is recommended that the certification path in this test be validated using the following inputs:
1. default settings, but with initial-policy-set = {NIST-test-policy-1}. The path should validate successfully.
2. default settings, but with initial-policy-set = {NIST-test-policy-2}. The path should not validate successfully.
- Throws:
Exception
-
test4_8_15
4.8.15 User Notice Qualifier Test15
In this test, the path consists of a single certificate. The certificate asserts the policy NIST-test-policy-1 and includes a user notice policy qualifier.
Display of the user notice is beyond the CertPath API at the moment.
- Throws:
Exception
-
test4_8_16
4.8.16 User Notice Qualifier Test16
In this test, the path consists of an intermediate certificate and an end entity certificate. The intermediate certificate asserts the policy NIST-test-policy-1. The end entity certificate asserts both NIST-test-policy-1 and NIST-test-policy-2. Each policy in the end entity certificate has a different user notice qualifier associated with it.
Display of the user notice is beyond the CertPath API at the moment.
- Throws:
Exception
-
test4_8_17
4.8.17 User Notice Qualifier Test17
In this test, the path consists of an intermediate certificate and an end entity certificate. The intermediate certificate asserts the policy NIST-test-policy-1. The end entity certificate asserts anyPolicy. There is a user notice policy qualifier associated with anyPolicy in the end entity certificate.
Display of the user notice is beyond the CertPath API at the moment.
- Throws:
Exception
-
test4_8_18
4.8.18 User Notice Qualifier Test18
In this test, the intermediate certificate asserts policies NIST-test-policy-1 and NIST-test-policy-2. The end certificate asserts NIST-test-policy-1 and anyPolicy. Each of the policies in the end entity certificate asserts a different user notice policy qualifier. If possible, it is recommended that the certification path in this test be validated using the following inputs:
1. default settings, but with initial-policy-set = {NIST-test-policy-1}. The path should validate successfully and the qualifier associated with NIST-test-policy-1 in the end entity certificate should be displayed.
2. default settings, but with initial-policy-set = {NIST-test-policy-2}. The path should validate successfully and the qualifier associated with anyPolicy in the end entity certificate should be displayed.
Display of policy messages is beyond the CertPath API at the moment.
- Throws:
Exception
-
test4_8_19
4.8.19 User Notice Qualifier Test19
In this test, the path consists of a single certificate. The certificate asserts the policy NIST-test-policy-1 and includes a user notice policy qualifier. The user notice qualifier contains explicit text that is longer than 200 bytes.
[RFC 3280 4.2.1.5] Note: While the explicitText has a maximum size of 200 characters, some non-conforming CAs exceed this limit. Therefore, certificate users SHOULD gracefully handle explicitText with more than 200 characters.
- Throws:
Exception
-
test4_8_20
4.8.20 CPS Pointer Qualifier Test20
In this test, the path consists of an intermediate certificate and an end entity certificate, both of which assert the policy NIST-test-policy-1. There is a CPS pointer policy qualifier associated with NIST-test-policy-1 in the end entity certificate.
- Throws:
Exception
-
test4_9_1
4.9.1 Valid RequireExplicitPolicy Test1
In this test, the first certificate in the path includes a policyConstraints extension with requireExplicitPolicy set to 10. This is followed by three more intermediate certificates and an end entity certificate. The end entity certificate does not include a certificatePolicies extension.
- Throws:
Exception
-
test4_9_2
4.9.2 Valid RequireExplicitPolicy Test2
In this test, the first certificate in the path includes a policyConstraints extension with requireExplicitPolicy set to 5. This is followed by three more intermediate certificates and an end entity certificate. The end entity certificate does not include a certificatePolicies extension.
- Throws:
Exception
-
test4_9_3
4.9.3 Invalid RequireExplicitPolicy Test3
In this test, the first certificate in the path includes a policyConstraints extension with requireExplicitPolicy set to 4. This is followed by three more intermediate certificates and an end entity certificate. The end entity certificate does not include a certificatePolicies extension.
- Throws:
Exception
-
test4_9_4
4.9.4 Valid RequireExplicitPolicy Test4
In this test, the first certificate in the path includes a policyConstraints extension with requireExplicitPolicy set to 0. This is followed by three more intermediate certificates and an end entity certificate.
- Throws:
Exception
-
test4_9_5
4.9.5 Invalid RequireExplicitPolicy Test5
In this test, the first certificate in the path includes a policyConstraints extension with requireExplicitPolicy set to 7. The second certificate in the path includes a policyConstraints extension with requireExplicitPolicy set to 2. The third certificate in the path includes a policyConstraints extension with requireExplicitPolicy set to 4. This is followed by one more intermediate certificate and an end entity certificate. The end entity certificate does not include a certificatePolicies extension.
- Throws:
Exception
-
test4_9_6
4.9.6 Valid Self-Issued requireExplicitPolicy Test6
In this test, the first certificate in the path includes a policyConstraints extension with requireExplicitPolicy set to 2. This is followed by a self-issued intermediate certificate and an end entity certificate. The end entity certificate does not include a certificatePolicies extension.
- Throws:
Exception
-
test4_9_7
4.9.7 Invalid Self-Issued requireExplicitPolicy Test7
In this test, the first certificate in the path includes a policyConstraints extension with requireExplicitPolicy set to 2. This is followed by a self-issued intermediate certificate, a non-self-issued intermediate certificate, and an end entity certificate. The end entity certificate does not include a certificatePolicies extension.
- Throws:
Exception
-
test4_9_8
4.9.8 Invalid Self-Issued requireExplicitPolicy Test8
In this test, the first certificate in the path includes a policyConstraints extension with requireExplicitPolicy set to 2. This is followed by a self-issued intermediate certificate, a non-self-issued intermediate certificate, a self-issued intermediate certificate, and an end entity certificate. The end entity certificate does not include a certificatePolicies extension.
- Throws:
Exception
-
test4_10_1
4.10.1 Valid Policy Mapping Test1
In this test, the intermediate certificate asserts NIST-test-policy-1 and maps NIST-test-policy-1 to NIST-test-policy-2. The end entity certificate asserts NIST-test-policy-2. If possible, it is recommended that the certification path in this test be validated using the following inputs:
1. default settings, but with initial-policy-set = {NIST-test-policy-1}. The path should validate successfully.
2. default settings, but with initial-policy-set = {NIST-test-policy-2}. The path should not validate successfully.
3. default settings, but with initial-policy-mapping-inhibit set. The path should not validate successfully.
- Throws:
Exception
-
test4_10_2
4.10.2 Invalid Policy Mapping Test2
In this test, the intermediate certificate asserts NIST-test-policy-1 and maps NIST-test-policy-1 to NIST-test-policy-2. The end entity certificate asserts NIST-test-policy-1. If possible, it is recommended that the certification path in this test be validated using the following inputs:
1. default settings. The path should not validate successfully.
2. default settings, but with initial-policy-mapping-inhibit set. The path should not validate successfully.
- Throws:
Exception
-
test4_10_3
4.10.3 Valid Policy Mapping Test3
In this test, the path is valid under NIST-test-policy-2 as a result of policy mappings. If possible, it is recommended that the certification path in this test be validated using the following inputs:
1. default settings, but with initial-policy-set = {NIST-test-policy-1}. The path should not validate successfully.
2. default settings, but with initial-policy-set = {NIST-test-policy-2}. The path should validate successfully.
- Throws:
Exception
-
test4_10_4
4.10.4 Invalid Policy Mapping Test4
In this test, the policy asserted in the end entity certificate is not in the authorities-constrained-policy-set.
- Throws:
Exception
-
test4_10_5
4.10.5 Valid Policy Mapping Test5
In this test, the path is valid under NIST-test-policy-1 as a result of policy mappings. If possible, it is recommended that the certification path in this test be validated using the following inputs:
1. default settings, but with initial-policy-set = {NIST-test-policy-1}. The path should validate successfully.
2. default settings, but with initial-policy-set = {NIST-test-policy-6}. The path should not validate successfully.
- Throws:
Exception
-
test4_10_6
4.10.6 Valid Policy Mapping Test6
In this test, the path is valid under NIST-test-policy-1 as a result of policy mappings. If possible, it is recommended that the certification path in this test be validated using the following inputs:
1. default settings, but with initial-policy-set = {NIST-test-policy-1}. The path should validate successfully.
2. default settings, but with initial-policy-set = {NIST-test-policy-6}. The path should not validate successfully.
- Throws:
Exception
-
test4_10_7
4.10.7 Invalid Mapping From anyPolicy Test7
In this test, the intermediate certificate includes a policyMappings extension that includes a mapping in which the issuerDomainPolicy is anyPolicy. The intermediate certificate also includes a critical policyConstraints extension with requireExplicitPolicy set to 0.
[RFC 3280 6.1.4] (a) If a policy mapping extension is present, verify that the special value anyPolicy does not appear as an issuerDomainPolicy or a subjectDomainPolicy.
- Throws:
Exception
-
test4_10_8
4.10.8 Invalid Mapping To anyPolicy Test8
In this test, the intermediate certificate includes a policyMappings extension that includes a mapping in which the subjectDomainPolicy is anyPolicy. The intermediate certificate also includes a critical policyConstraints extension with requireExplicitPolicy set to 0.
[RFC 3280 6.1.4] (a) If a policy mapping extension is present, verify that the special value anyPolicy does not appear as an issuerDomainPolicy or a subjectDomainPolicy.
- Throws:
Exception
-
test4_10_9
4.10.9 Valid Policy Mapping Test9
In this test, the intermediate certificate asserts anyPolicy and maps NIST-test-policy-1 to NIST-test-policy-2. The end entity certificate asserts NIST-test-policy-1.
- Throws:
Exception
-
test4_10_10
4.10.10 Invalid Policy Mapping Test10
In this test, the first intermediate certificate asserts NIST-test-policy-1. The second intermediate certificate asserts anyPolicy and maps NIST-test-policy-1 to NIST-test-policy-2. The end entity certificate asserts NIST-test-policy-1.
- Throws:
Exception
-
test4_10_11
4.10.11 Valid Policy Mapping Test11
In this test, the first intermediate certificate asserts NIST-test-policy-1. The second intermediate certificate asserts anyPolicy and maps NIST-test-policy-1 to NIST-test-policy-2. The end entity certificate asserts NIST-test-policy-2.
- Throws:
Exception
-
test4_10_12
4.10.12 Valid Policy Mapping Test12
In this test, the intermediate certificate asserts NIST-test-policy-1 and NIST-test-policy-2 and maps NIST-test-policy-1 to NIST-test-policy-3. The end entity certificate asserts anyPolicy and NIST-test-policy-3, each with a different user notice policy qualifier. If possible, it is recommended that the certification path in this test be validated using the following inputs:
1. default settings, but with initial-policy-set = {NIST-test-policy-1}. The path should validate successfully and the application should display the user notice associated with NIST-test-policy-3 in the end entity certificate.
2. default settings, but with initial-policy-set = {NIST-test-policy-2}. The path should validate successfully and the application should display the user notice associated with anyPolicy in the end entity certificate.
- Throws:
Exception
-
test4_10_13
4.10.13 Valid Policy Mapping Test13
In this test, the intermediate certificate asserts NIST-test-policy-1 and anyPolicy and maps NIST-test-policy-1 to NIST-test-policy-2. There is a user notice policy qualifier associated with each of the policies. The end entity certificate asserts NIST-test-policy-2.
- Throws:
Exception
-
test4_10_14
4.10.14 Valid Policy Mapping Test14
In this test, the intermediate certificate asserts NIST-test-policy-1 and anyPolicy and maps NIST-test-policy-1 to NIST-test-policy-2. There is a user notice policy qualifier associated with each of the policies. The end entity certificate asserts NIST-test-policy-1.
- Throws:
Exception
-
test4_11_1
4.11.1 Invalid inhibitPolicyMapping Test1
In this test, the first intermediate certificate asserts NIST-test-policy-1 and includes a policyConstraints extension with inhibitPolicyMapping set to 0. The second intermediate certificate asserts NIST-test-policy-1 and maps NIST-test-policy-1 to NIST-test-policy-2. The end entity certificate asserts NIST-test-policy-1 and NIST-test-policy-2.
- Throws:
Exception
-
test4_11_2
4.11.2 Valid inhibitPolicyMapping Test2
In this test, the first intermediate certificate asserts NIST-test-policy-1 and NIST-test-policy-2 and includes a policyConstraints extension with inhibitPolicyMapping set to 1. The second intermediate certificate asserts NIST-test-policy-1 and NIST-test-policy-2 and maps NIST-test-policy-1 to NIST-test-policy-3 and NIST-test-policy-2 to NIST-test-policy-4. The end entity certificate asserts NIST-test-policy-3.
- Throws:
Exception
-
test4_11_3
4.11.3 Invalid inhibitPolicyMapping Test3
In this test, the first intermediate certificate asserts NIST-test-policy-1 and NIST-test-policy-2 and includes a policyConstraints extension with inhibitPolicyMapping set to 1. The second intermediate certificate asserts NIST-test-policy-1 and NIST-test-policy-2 and maps NIST-test-policy-1 to NIST-test-policy-3 and NIST-test-policy-2 to NIST-test-policy-4. The third intermediate certificate asserts NIST-test-policy-3 and NIST-test-policy-4 and maps NIST-test-policy-3 to NIST-test-policy-5. The end entity certificate asserts NIST-test-policy-5.
- Throws:
Exception
-
test4_11_4
4.11.4 Valid inhibitPolicyMapping Test4
In this test, the first intermediate certificate asserts NIST-test-policy-1 and NIST-test-policy-2 and includes a policyConstraints extension with inhibitPolicyMapping set to 1. The second intermediate certificate asserts NIST-test-policy-1 and NIST-test-policy-2 and maps NIST-test-policy-1 to NIST-test-policy-3 and NIST-test-policy-2 to NIST-test-policy-4. The third intermediate certificate asserts NIST-test-policy-3 and NIST-test-policy-4 and maps NIST-test-policy-3 to NIST-test-policy-5. The end entity certificate asserts NIST-test-policy-4.
- Throws:
Exception
-
test4_11_5
4.11.5 Invalid inhibitPolicyMapping Test5
In this test, the first intermediate certificate asserts NIST-test-policy-1 and includes a policyConstraints extension with inhibitPolicyMapping set to 5. The second intermediate certificate asserts NIST-test-policy-1 and includes a policyConstraints extension with inhibitPolicyMapping set to 1. The third intermediate certificate asserts NIST-test-policy-1. The fourth intermediate certificate asserts NIST-test-policy-1 and maps NIST-test-policy-1 to NIST-test-policy-2. The end entity certificate asserts NIST-test-policy-2.
- Throws:
Exception
-
test4_11_6
4.11.6 Invalid inhibitPolicyMapping Test6
In this test, the first intermediate certificate asserts NIST-test-policy-1 and NIST-test-policy-2 and includes a policyConstraints extension with inhibitPolicyMapping set to 1. The second intermediate certificate asserts NIST-test-policy-1 and NIST-test-policy-2 and includes a policyConstraints extension with inhibitPolicyMapping set to 5. The third intermediate certificate asserts NIST-test-policy-1 and NIST-test-policy-2 and maps NIST-test-policy-1 to NIST-test-policy-3. The end entity certificate asserts NIST-test-policy-3.
- Throws:
Exception
-
test4_11_7
4.11.7 Valid Self-Issued inhibitPolicyMapping Test7
In this test, the first intermediate certificate asserts NIST-test-policy-1 and includes a policyConstraints extension with inhibitPolicyMapping set to 1. The second intermediate certificate is a self-issued certificate that asserts NIST-test-policy-1. The third intermediate certificate asserts NIST-test-policy-1 and maps NIST-test-policy-1 to NIST-test-policy-2. The end entity certificate asserts NIST-test-policy-2.
- Throws:
Exception
-
test4_11_8
4.11.8 Invalid Self-Issued inhibitPolicyMapping Test8
In this test, the first intermediate certificate asserts NIST-test-policy-1 and includes a policyConstraints extension with inhibitPolicyMapping set to 1. The second intermediate certificate is a self-issued certificate that asserts NIST-test-policy-1. The third intermediate certificate asserts NIST-test-policy-1 and maps NIST-test-policy-1 to NIST-test-policy-2. The fourth intermediate certificate asserts NIST-test-policy-2 and maps NIST-test-policy-2 to NIST-test-policy-3. The end entity certificate asserts NIST-test-policy-3.
- Throws:
Exception
-
test4_11_9
4.11.9 Invalid Self-Issued inhibitPolicyMapping Test9
In this test, the first intermediate certificate asserts NIST-test-policy-1 and includes a policyConstraints extension with inhibitPolicyMapping set to 1. The second intermediate certificate is a self-issued certificate that asserts NIST-test-policy-1. The third intermediate certificate asserts NIST-test-policy-1 and maps NIST-test-policy-1 to NIST-test-policy-2. The fourth intermediate certificate asserts NIST-test-policy-2 and maps NIST-test-policy-2 to NIST-test-policy-3. The end entity certificate asserts NIST-test-policy-2.
- Throws:
Exception
-
test4_11_10
4.11.10 Invalid Self-Issued inhibitPolicyMapping Test10
In this test, the first intermediate certificate asserts NIST-test-policy-1 and includes a policyConstraints extension with inhibitPolicyMapping set to 1. The second intermediate certificate is a self-issued certificate that asserts NIST-test-policy-1. The third intermediate certificate asserts NIST-test-policy-1 and maps NIST-test-policy-1 to NIST-test-policy-2. The fourth intermediate certificate is a self-issued certificate that asserts NIST-test-policy-2 and maps NIST-test-policy-2 to NIST-test-policy-3. The end entity certificate asserts NIST-test-policy-3.
- Throws:
Exception
-
test4_11_11
4.11.11 Invalid Self-Issued inhibitPolicyMapping Test11
In this test, the first intermediate certificate asserts NIST-test-policy-1 and includes a policyConstraints extension with inhibitPolicyMapping set to 1. The second intermediate certificate is a self-issued certificate that asserts NIST-test-policy-1. The third intermediate certificate asserts NIST-test-policy-1 and maps NIST-test-policy-1 to NIST-test-policy-2. The fourth intermediate certificate is a self-issued certificate that asserts NIST-test-policy-2 and maps NIST-test-policy-2 to NIST-test-policy-3. The end entity certificate asserts NIST-test-policy-2.
- Throws:
Exception
-
test4_12_1
4.12.1 Invalid inhibitAnyPolicy Test1
In this test, the intermediate certificate asserts NIST-test-policy-1 and includes an inhibitAnyPolicy extension set to 0. The end entity certificate asserts anyPolicy.
- Throws:
Exception
-
test4_12_2
4.12.2 Valid inhibitAnyPolicy Test2
In this test, the intermediate certificate asserts NIST-test-policy-1 and includes an inhibitAnyPolicy extension set to 0. The end entity certificate asserts anyPolicy and NIST-test-policy-1.
- Throws:
Exception
-
test4_12_3
4.12.3 inhibitAnyPolicy Test3
In this test, the first intermediate certificate asserts NIST-test-policy-1 and includes an inhibitAnyPolicy extension set to 1. The second intermediate certificate asserts anyPolicy. The end entity certificate asserts NIST-test-policy-1. If possible, it is recommended that the certification path in this test be validated using the following inputs:
1. default settings. The path should validate successfully.
2. default settings, but with initial-inhibit-any-policy set. The path should not validate successfully.
- Throws:
Exception
-
test4_12_4
4.12.4 Invalid inhibitAnyPolicy Test4
In this test, the first intermediate certificate asserts NIST-test-policy-1 and includes an inhibitAnyPolicy extension set to 1. The second intermediate certificate asserts anyPolicy. The end entity certificate asserts anyPolicy.
- Throws:
Exception
-
test4_12_5
4.12.5 Invalid inhibitAnyPolicy Test5
In this test, the first intermediate certificate asserts NIST-test-policy-1 and includes an inhibitAnyPolicy extension set to 5. The second intermediate certificate asserts NIST-test-policy-1 and includes an inhibitAnyPolicy extension set to 1. The third intermediate certificate asserts NIST-test-policy-1 and the end entity certificate asserts anyPolicy.
- Throws:
Exception
-
test4_12_6
4.12.6 Invalid inhibitAnyPolicy Test6
In this test, the first intermediate certificate asserts NIST-test-policy-1 and includes an inhibitAnyPolicy extension set to 1. The second intermediate certificate asserts NIST-test-policy-1 and includes an inhibitAnyPolicy extension set to 5. The end entity certificate asserts anyPolicy.
- Throws:
Exception
-
test4_12_7
4.12.7 Valid Self-Issued inhibitAnyPolicy Test7
In this test, the first intermediate certificate asserts NIST-test-policy-1 and includes an inhibitAnyPolicy extension set to 1. The second intermediate certificate is a self-issued certificate that asserts NIST-test-policy-1. The third intermediate certificate asserts anyPolicy and the end entity certificate asserts NIST-test-policy-1.
- Throws:
Exception
-
test4_12_8
4.12.8 Invalid Self-Issued inhibitAnyPolicy Test8
In this test, the first intermediate certificate asserts NIST-test-policy-1 and includes an inhibitAnyPolicy extension set to 1. The second intermediate certificate is a self-issued certificate that asserts NIST-test-policy-1. The third and fourth intermediate certificates assert anyPolicy and the end entity certificate asserts NIST-test-policy-1.
- Throws:
Exception
-
test4_12_9
4.12.9 Valid Self-Issued inhibitAnyPolicy Test9
In this test, the first intermediate certificate asserts NIST-test-policy-1 and includes an inhibitAnyPolicy extension set to 1. The second intermediate certificate is a self-issued certificate that asserts NIST-test-policy-1. The third intermediate certificate asserts anyPolicy. The fourth intermediate certificate is a self-issued certificate that asserts anyPolicy. The end entity certificate asserts NIST-test-policy-1.
- Throws:
Exception
-
test4_12_10
4.12.10 Invalid Self-Issued inhibitAnyPolicy Test10
In this test, the first intermediate certificate asserts NIST-test-policy-1 and includes an inhibitAnyPolicy extension set to 1. The second intermediate certificate is a self-issued certificate that asserts NIST-test-policy-1. The third intermediate certificate asserts anyPolicy. The end entity certificate is a self-issued CA certificate that asserts anyPolicy.
- Throws:
Exception
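The 4.12 paths above all turn on one counter. The following added example (not Bouncy Castle code; class, record and method names are hypothetical) models the RFC 5280 `inhibit_anyPolicy` state variable and replays the ten paths as constructed data. It assumes an explicit policy is required, so a path whose policy set becomes empty is rejected.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added illustration (Java 16+): a reduced model of the inhibit_anyPolicy counter
// from RFC 5280 section 6.1. Not Bouncy Castle code; all names are hypothetical.
public class InhibitAnyPolicyModel {
    static final String ANY = "anyPolicy";
    static final String P1 = "NIST-test-policy-1";

    // A certificate reduced to the three fields this check reads.
    // inhibitAnyPolicy is null when the extension is absent.
    record Cert(Set<String> policies, Integer inhibitAnyPolicy, boolean selfIssued) {}

    static Cert cert(Integer inhibitAnyPolicy, boolean selfIssued, String... policies) {
        return new Cert(Set.of(policies), inhibitAnyPolicy, selfIssued);
    }

    // path is ordered from the first intermediate to the final certificate.
    // Assumption: an explicit policy is required, so an empty policy set fails the path.
    static boolean validate(List<Cert> path, boolean initialInhibitAnyPolicy) {
        int n = path.size();
        int inhibit = initialInhibitAnyPolicy ? 0 : n + 1;
        Set<String> valid = new HashSet<>(Set.of(ANY)); // root of the policy tree
        for (int i = 1; i <= n; i++) {
            Cert c = path.get(i - 1);
            // anyPolicy counts only while the counter is positive, or in a
            // self-issued certificate that is not the last one in the path.
            boolean honourAny = c.policies().contains(ANY)
                    && (inhibit > 0 || (i < n && c.selfIssued()));
            Set<String> next = new HashSet<>();
            for (String p : c.policies()) {
                if (!p.equals(ANY) && (valid.contains(p) || valid.contains(ANY))) {
                    next.add(p);
                }
            }
            if (honourAny) {
                next.addAll(valid); // every policy valid so far stays valid
            }
            valid = next;
            if (valid.isEmpty()) {
                return false;
            }
            if (i < n) {
                // Preparation for the next certificate: self-issued certificates
                // do not consume the counter; the extension can only lower it.
                if (!c.selfIssued() && inhibit > 0) {
                    inhibit--;
                }
                Integer ext = c.inhibitAnyPolicy();
                if (ext != null && ext < inhibit) {
                    inhibit = ext;
                }
            }
        }
        return true;
    }

    static void check(String test, boolean expected, boolean actual) {
        System.out.printf("%-10s expected=%-5b model=%-5b%n", test, expected, actual);
        if (expected != actual) {
            throw new AssertionError(test);
        }
    }

    public static void main(String[] args) {
        // Constructed stand-ins for the certificates the test descriptions name.
        Cert ca0 = cert(0, false, P1);   // asserts P1, inhibitAnyPolicy = 0
        Cert ca1 = cert(1, false, P1);   // asserts P1, inhibitAnyPolicy = 1
        Cert ca5 = cert(5, false, P1);   // asserts P1, inhibitAnyPolicy = 5
        Cert caP1 = cert(null, false, P1);
        Cert selfP1 = cert(null, true, P1);
        Cert caAny = cert(null, false, ANY);
        Cert selfAny = cert(null, true, ANY);
        Cert eeP1 = cert(null, false, P1);
        Cert eeAny = cert(null, false, ANY);

        check("4.12.1", false, validate(List.of(ca0, eeAny), false));
        check("4.12.2", true, validate(List.of(ca0, cert(null, false, ANY, P1)), false));
        check("4.12.3", true, validate(List.of(ca1, caAny, eeP1), false));
        // Second input of 4.12.3: initial-inhibit-any-policy set.
        check("4.12.3*", false, validate(List.of(ca1, caAny, eeP1), true));
        check("4.12.4", false, validate(List.of(ca1, caAny, eeAny), false));
        check("4.12.5", false, validate(List.of(ca5, ca1, caP1, eeAny), false));
        check("4.12.6", false, validate(List.of(ca1, ca5, eeAny), false));
        check("4.12.7", true, validate(List.of(ca1, selfP1, caAny, eeP1), false));
        check("4.12.8", false, validate(List.of(ca1, selfP1, caAny, caAny, eeP1), false));
        check("4.12.9", true, validate(List.of(ca1, selfP1, caAny, selfAny, eeP1), false));
        check("4.12.10", false, validate(List.of(ca1, selfP1, caAny, selfAny), false));
    }
}
```

Tests 4.12.9 and 4.12.10 differ only in where the self-issued anyPolicy certificate sits: the self-issued exemption applies to intermediates, not to the final certificate in the path.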
-
test4_13_1
4.13.1 Valid DN nameConstraints Test1
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree. The end entity certificate includes a subject name that falls within that subtree.
- Throws:
Exception
-
test4_13_2
4.13.2 Invalid DN nameConstraints Test2
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree. The end entity certificate includes a subject name that falls outside that subtree.
- Throws:
Exception
-
test4_13_3
4.13.3 Invalid DN nameConstraints Test3
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree. The end entity certificate includes a subject name that falls within that subtree and a subjectAltName extension with a DN that falls outside the subtree.
- Throws:
Exception
-
test4_13_4
4.13.4 Valid DN nameConstraints Test4
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree. The end entity certificate includes a subject name that falls within that subtree and a subjectAltName extension with an e-mail address.
- Throws:
Exception
-
test4_13_5
4.13.5 Valid DN nameConstraints Test5
In this test, the intermediate certificate includes a nameConstraints extension that specifies two permitted subtrees. The end entity certificate includes a subject name that falls within one of the subtrees and a subjectAltName extension with a DN that falls within the other subtree.
- Throws:
Exception
-
test4_13_6
4.13.6 Valid DN nameConstraints Test6
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single excluded subtree. The end entity certificate includes a subject name that falls outside that subtree.
- Throws:
Exception
-
test4_13_7
4.13.7 Invalid DN nameConstraints Test7
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single excluded subtree. The end entity certificate includes a subject name that falls within that subtree.
- Throws:
Exception
-
test4_13_8
4.13.8 Invalid DN nameConstraints Test8
In this test, the intermediate certificate includes a nameConstraints extension that specifies two excluded subtrees. The end entity certificate includes a subject name that falls within the first subtree.
- Throws:
Exception
-
test4_13_9
4.13.9 Invalid DN nameConstraints Test9
In this test, the intermediate certificate includes a nameConstraints extension that specifies two excluded subtrees. The end entity certificate includes a subject name that falls within the second subtree.
- Throws:
Exception
-
test4_13_10
4.13.10 Invalid DN nameConstraints Test10
In this test, the intermediate certificate includes a nameConstraints extension that specifies a permitted subtree and an excluded subtree. The excluded subtree specifies a subset of the name space specified by the permitted subtree. The end entity certificate includes a subject name that falls within both the permitted and excluded subtrees.
- Throws:
Exception
-
test4_13_11
4.13.11 Valid DN nameConstraints Test11
In this test, the intermediate certificate includes a nameConstraints extension that specifies a permitted subtree and an excluded subtree. The excluded subtree specifies a subset of the name space specified by the permitted subtree. The end entity certificate includes a subject name that falls within the permitted subtree but falls outside the excluded subtree.
- Throws:
Exception
-
test4_13_12
4.13.12 Invalid DN nameConstraints Test12
In this test, the first intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree. The second intermediate certificate includes a subject name that falls within that subtree and a nameConstraints extension that specifies a permitted subtree that is a subtree of the constraint specified in the first intermediate certificate. The end entity certificate includes a subject name that falls within the subtree specified by the first intermediate certificate but outside the subtree specified by the second intermediate certificate.
- Throws:
Exception
-
test4_13_13
4.13.13 Invalid DN nameConstraints Test13
In this test, the first intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree. The second intermediate certificate includes a subject name that falls within that subtree and a nameConstraints extension that specifies a permitted subtree that does not overlap with the permitted subtree specified in the first intermediate certificate. The end entity certificate includes a subject name that falls within the subtree specified by the first intermediate certificate.
- Throws:
Exception
-
test4_13_14
4.13.14 Valid DN nameConstraints Test14
In this test, the first intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree. The second intermediate certificate includes a subject name that falls within that subtree and a nameConstraints extension that specifies a permitted subtree that does not overlap with the permitted subtree specified in the first intermediate certificate. The end entity certificate has a null subject name (i.e., the subject name is a sequence of zero relative distinguished names) and a critical subjectAltName extension with an e-mail address.
- Throws:
Exception
-
test4_13_15
4.13.15 Invalid DN nameConstraints Test15
In this test, the first intermediate certificate includes a nameConstraints extension that specifies a single excluded subtree. The second intermediate certificate has a subject name that falls outside that subtree and includes a nameConstraints extension that specifies an excluded subtree that does not overlap with the subtree specified in the first intermediate certificate. The end entity certificate includes a subject name that falls within the subtree specified in the first intermediate certificate.
- Throws:
Exception
-
test4_13_16
4.13.16 Invalid DN nameConstraints Test16
In this test, the first intermediate certificate includes a nameConstraints extension that specifies a single excluded subtree. The second intermediate certificate has a subject name that falls outside that subtree and includes a nameConstraints extension that specifies an excluded subtree that does not overlap with the subtree specified in the first intermediate certificate. The end entity certificate includes a subject name that falls within the subtree specified in the second intermediate certificate.
- Throws:
Exception
-
test4_13_17
4.13.17 Invalid DN nameConstraints Test17
In this test, the first intermediate certificate includes a nameConstraints extension that specifies a single excluded subtree. The second intermediate certificate has a subject name that falls outside that subtree and includes a nameConstraints extension that specifies a permitted subtree that is a superset of the subtree specified in the first intermediate certificate. The end entity certificate includes a subject name that falls within the excluded subtree specified in the first intermediate certificate.
- Throws:
Exception
-
test4_13_18
4.13.18 Valid DN nameConstraints Test18
In this test, the first intermediate certificate includes a nameConstraints extension that specifies a single excluded subtree. The second intermediate certificate has a subject name that falls outside that subtree and includes a nameConstraints extension that specifies a permitted subtree that is a superset of the subtree specified in the first intermediate certificate. The end entity certificate includes a subject name that falls within the permitted subtree specified in the second intermediate certificate but outside the excluded subtree specified in the first intermediate certificate.
- Throws:
Exception
-
test4_13_19
4.13.19 Valid Self-Issued DN nameConstraints Test19
In this test, the first intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree. The second intermediate certificate is a self-issued certificate. The subject name in the self-issued certificate does not fall within the permitted subtree specified in the first intermediate certificate. The end entity certificate includes a subject name that falls within the permitted subtree specified in the first intermediate certificate.
- Throws:
Exception
-
test4_13_20
4.13.20 Invalid Self-Issued DN nameConstraints Test20
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree. The end entity certificate is a self-issued certificate. The subject name in the self-issued certificate does not fall within the permitted subtree specified in the intermediate certificate.
- Throws:
Exception
-
test4_13_21
4.13.21 Valid RFC822 nameConstraints Test21
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree. The end entity certificate includes a subjectAltName extension with an e-mail address that falls within that subtree.
- Throws:
Exception
-
test4_13_22
4.13.22 Invalid RFC822 nameConstraints Test22
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree. The end entity certificate includes a subjectAltName extension with an e-mail address that falls outside that subtree.
- Throws:
Exception
-
test4_13_23
4.13.23 Valid RFC822 nameConstraints Test23
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree. The end entity certificate includes a subjectAltName extension with an e-mail address that falls within that subtree.
- Throws:
Exception
-
test4_13_24
4.13.24 Invalid RFC822 nameConstraints Test24
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree. The end entity certificate includes a subjectAltName extension with an e-mail address that falls outside that subtree.
- Throws:
Exception
-
test4_13_25
4.13.25 Valid RFC822 nameConstraints Test25
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single excluded subtree. The end entity certificate includes a subjectAltName extension with an e-mail address that falls outside that subtree.
- Throws:
Exception
-
test4_13_26
4.13.26 Invalid RFC822 nameConstraints Test26
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single excluded subtree. The end entity certificate includes a subjectAltName extension with an e-mail address that falls within that subtree.
- Throws:
Exception
-
test4_13_27
4.13.27 Valid DN and RFC822 nameConstraints Test27
In this test, the first intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree of type directoryName. The second intermediate certificate includes a subject name that falls within that subtree and a nameConstraints extension that specifies a permitted subtree of type rfc822Name. The end entity certificate includes a subject name that falls within the subtree specified by the first intermediate certificate and an e-mail address that falls within the permitted subtree specified by the second intermediate certificate.
- Throws:
Exception
-
test4_13_28
4.13.28 Invalid DN and RFC822 nameConstraints Test28
In this test, the first intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree of type directoryName. The second intermediate certificate includes a subject name that falls within that subtree and a nameConstraints extension that specifies a permitted subtree of type rfc822Name. The end entity certificate includes a subject name that falls within the subtree specified by the first intermediate certificate and an e-mail address that falls outside the permitted subtree specified by the second intermediate certificate.
- Throws:
Exception
-
test4_13_29
4.13.29 Invalid DN and RFC822 nameConstraints Test29
In this test, the first intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree of type directoryName. The second intermediate certificate includes a subject name that falls within that subtree and a nameConstraints extension that specifies a permitted subtree of type rfc822Name. The end entity certificate includes a subject name that falls within the subtree specified by the first intermediate certificate but the subject name includes an attribute of type EmailAddress whose value falls outside the permitted subtree specified in the second intermediate certificate.
- Throws:
Exception
-
test4_13_30
4.13.30 Valid DNS nameConstraints Test30
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree. The end entity certificate includes a subjectAltName extension with a dNSName that falls within that subtree.
- Throws:
Exception
-
test4_13_31
4.13.31 Invalid DNS nameConstraints Test31
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree. The end entity certificate includes a subjectAltName extension with a dNSName that falls outside that subtree.
- Throws:
Exception
-
test4_13_32
4.13.32 Valid DNS nameConstraints Test32
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single excluded subtree. The end entity certificate includes a subjectAltName extension with a dNSName that falls outside that subtree.
- Throws:
Exception
-
test4_13_33
4.13.33 Invalid DNS nameConstraints Test33
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single excluded subtree. The end entity certificate includes a subjectAltName extension with a dNSName that falls within that subtree.
- Throws:
Exception
-
test4_13_34
4.13.34 Valid URI nameConstraints Test34
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree. The end entity certificate includes a subjectAltName extension with a uniformResourceIdentifier that falls within that subtree.
- Throws:
Exception
-
test4_13_35
4.13.35 Invalid URI nameConstraints Test35
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree. The end entity certificate includes a subjectAltName extension with a uniformResourceIdentifier that falls outside that subtree.
- Throws:
Exception
-
test4_13_36
4.13.36 Valid URI nameConstraints Test36
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single excluded subtree. The end entity certificate includes a subjectAltName extension with a uniformResourceIdentifier that falls outside that subtree.
- Throws:
Exception
-
test4_13_37
4.13.37 Invalid URI nameConstraints Test37
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single excluded subtree. The end entity certificate includes a subjectAltName extension with a uniformResourceIdentifier that falls within that subtree.
- Throws:
Exception
-
test4_13_38
4.13.38 Invalid DNS nameConstraints Test38
In this test, the intermediate certificate includes a nameConstraints extension that specifies a single permitted subtree. The end entity certificate includes a subjectAltName extension with a dNSName that falls outside that subtree. The permitted subtree is “testcertificates.gov” and the subjectAltName is “mytestcertificates.gov”.
- Throws:
Exception
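Test 4.13.38 exists to catch dNSName matching done as a plain string suffix. This added example (not Bouncy Castle code; class and method names are hypothetical, and every host name other than the two quoted in 4.13.38 is constructed) puts the flawed comparison beside the label-boundary rule from RFC 5280 and applies permitted and excluded subtrees as in tests 4.13.30 to 4.13.33.

```java
import java.util.List;
import java.util.Locale;

// Added illustration: dNSName matching against nameConstraints subtrees.
// Not Bouncy Castle code; class and method names are hypothetical.
public class DnsNameConstraintCheck {

    // Flawed: a plain string-suffix test ignores label boundaries.
    static boolean naiveWithin(String name, String subtree) {
        return name.toLowerCase(Locale.ROOT).endsWith(subtree.toLowerCase(Locale.ROOT));
    }

    // RFC 5280 rule: a name satisfies the constraint if it equals the constraint
    // or is the constraint with one or more whole labels added on the left.
    static boolean within(String name, String subtree) {
        String n = name.toLowerCase(Locale.ROOT);
        String s = subtree.toLowerCase(Locale.ROOT);
        return n.equals(s) || n.endsWith("." + s);
    }

    // Every dNSName must fall inside some permitted subtree (when any are given)
    // and inside no excluded subtree. An exclusion overrides a permission.
    static boolean satisfies(List<String> dnsNames, List<String> permitted,
                             List<String> excluded) {
        for (String name : dnsNames) {
            boolean ok = permitted.isEmpty();
            for (String p : permitted) {
                if (within(name, p)) {
                    ok = true;
                }
            }
            for (String e : excluded) {
                if (within(name, e)) {
                    ok = false;
                }
            }
            if (!ok) {
                return false;
            }
        }
        return true;
    }

    static void check(String label, boolean expected, boolean actual) {
        System.out.printf("%-28s expected=%-5b got=%-5b%n", label, expected, actual);
        if (expected != actual) {
            throw new AssertionError(label);
        }
    }

    public static void main(String[] args) {
        String subtree = "testcertificates.gov";      // from test 4.13.38
        String lookalike = "mytestcertificates.gov";  // from test 4.13.38
        String inside = "host.testcertificates.gov";  // constructed sample
        String outside = "host.example.test";         // constructed sample
        List<String> none = List.of();

        // 4.13.38: the suffix test accepts the look-alike, the label test rejects it.
        check("naive suffix (wrong)", true, naiveWithin(lookalike, subtree));
        check("label boundary", false, within(lookalike, subtree));
        check("4.13.38 permitted", false, satisfies(List.of(lookalike), List.of(subtree), none));

        // Shapes of 4.13.30 to 4.13.33 with constructed names.
        check("permitted, inside", true, satisfies(List.of(inside), List.of(subtree), none));
        check("permitted, outside", false, satisfies(List.of(outside), List.of(subtree), none));
        check("excluded, outside", true, satisfies(List.of(outside), none, List.of(subtree)));
        check("excluded, inside", false, satisfies(List.of(inside), none, List.of(subtree)));

        // The same mistake in an excluded subtree rejects an unrelated domain
        // instead of accepting a forbidden one.
        check("excluded, look-alike", true, satisfies(List.of(lookalike), none, List.of(subtree)));
    }
}
```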
-
test4_14_1
4.14.1 Valid distributionPoint Test1
In this test, the end entity certificate includes a cRLDistributionPoints extension with a single DistributionPoint consisting of a distributionPoint with a distinguished name. The CRL that covers the end entity certificate includes an issuingDistributionPoint extension with a matching distributionPoint.
- Throws:
Exception
-
test4_14_2
4.14.2 Invalid distributionPoint Test2
In this test, the end entity certificate includes a cRLDistributionPoints extension with a single DistributionPoint consisting of a distributionPoint with a distinguished name. The CRL that covers the end entity certificate includes an issuingDistributionPoint extension with a matching distributionPoint. The CRL lists the end entity certificate as being revoked.
- Throws:
Exception
-
test4_14_3
4.14.3 Invalid distributionPoint Test3
In this test, the end entity certificate includes a cRLDistributionPoints extension with a single DistributionPoint consisting of a distributionPoint with a distinguished name. The only CRL available from the issuer of the end entity certificate includes an issuingDistributionPoint extension with a distributionPoint that does not match the distributionPoint specified in the end entity certificate.
- Throws:
Exception
-
test4_14_4
4.14.4 Valid distributionPoint Test4
In this test, the end entity certificate includes a cRLDistributionPoints extension with a single DistributionPoint consisting of a distributionPoint with a distinguished name. The CRL that covers the end entity certificate includes an issuingDistributionPoint extension with a matching distributionPoint. The distributionPoint in the end entity certificate is specified as a nameRelativeToCRLIssuer while the distributionPoint in the CRL is specified as a fullName.
- Throws:
Exception
-
test4_14_5
4.14.5 Valid distributionPoint Test5
In this test, the end entity certificate includes a cRLDistributionPoints extension with a single DistributionPoint consisting of a distributionPoint with a distinguished name. The CRL that covers the end entity certificate includes an issuingDistributionPoint extension with a matching distributionPoint. The distributionPoint in both the end entity certificate and the CRL are specified as a nameRelativeToCRLIssuer.
- Throws:
Exception
-
test4_14_6
4.14.6 Invalid distributionPoint Test6
In this test, the end entity certificate includes a cRLDistributionPoints extension with a single DistributionPoint consisting of a distributionPoint with a distinguished name. The CRL that covers the end entity certificate includes an issuingDistributionPoint extension with a matching distributionPoint. The distributionPoint in both the end entity certificate and the CRL are specified as a nameRelativeToCRLIssuer. The CRL lists the end entity certificate as being revoked.
- Throws:
Exception
-
test4_14_7
4.14.7 Valid distributionPoint Test7
In this test, the end entity certificate includes a cRLDistributionPoints extension with a single DistributionPoint consisting of a distributionPoint with a distinguished name. The CRL that covers the end entity certificate includes an issuingDistributionPoint extension with a matching distributionPoint. The distributionPoint in the CRL is specified as a nameRelativeToCRLIssuer and the distributionPoint in the end entity certificate is specified as a fullName.
- Throws:
Exception
-
test4_14_8
4.14.8 Invalid distributionPoint Test8
In this test, the end entity certificate includes a cRLDistributionPoints extension with a single DistributionPoint consisting of a distributionPoint with a distinguished name. The CRL that covers the end entity certificate includes an issuingDistributionPoint extension with a distributionPoint that does not match. The distributionPoint in the CRL is specified as a nameRelativeToCRLIssuer and the distributionPoint in the end entity certificate is specified as a fullName.
- Throws:
Exception
-
test4_14_9
4.14.9 Invalid distributionPoint Test9
In this test, the CRL that covers the end entity certificate includes an issuingDistributionPoint extension with a distributionPoint. The distributionPoint does not match the CRL issuer's name. The end entity certificate does not include a cRLDistributionPoints extension.
- Throws:
Exception
-
test4_14_10
4.14.10 Valid No issuingDistributionPoint Test10
In this test, the CRL that covers the end entity certificate does not include an issuingDistributionPoint extension. The end entity certificate includes a cRLDistributionPoints extension with a distributionPoint name.
- Throws:
Exception
-
test4_14_11
4.14.11 Invalid onlyContainsUserCerts CRL Test11
In this test, the only CRL issued by the intermediate CA includes an issuingDistributionPoint extension with onlyContainsUserCerts set to TRUE. The final certificate in the path is a CA certificate.
- Throws:
Exception
-
test4_14_12
4.14.12 Invalid onlyContainsCACerts CRL Test12
In this test, the only CRL issued by the intermediate CA includes an issuingDistributionPoint extension with onlyContainsCACerts set to TRUE.
- Throws:
Exception
-
test4_14_13
4.14.13 Valid onlyContainsCACerts CRL Test13
In this test, the only CRL issued by the intermediate CA includes an issuingDistributionPoint extension with onlyContainsCACerts set to TRUE. The final certificate in the path is a CA certificate.
- Throws:
Exception
-
test4_14_14
4.14.14 Invalid onlyContainsAttributeCerts Test14
In this test, the only CRL issued by the intermediate CA includes an issuingDistributionPoint extension with onlyContainsAttributeCerts set to TRUE.
- Throws:
Exception
-
test4_14_15
4.14.15 Invalid onlySomeReasons Test15
In this test, the intermediate certificate has issued two CRLs, one covering the keyCompromise and cACompromise reason codes and the other covering the remaining reason codes. The end entity certificate has been revoked for key compromise.
- Throws:
Exception
-
test4_14_16
4.14.16 Invalid onlySomeReasons Test16
In this test, the intermediate certificate has issued two CRLs, one covering the keyCompromise and cACompromise reason codes and the other covering the remaining reason codes. The end entity certificate has been placed on hold.
- Throws:
Exception
-
test4_14_17
4.14.17 Invalid onlySomeReasons Test17
In this test, the intermediate certificate has issued two CRLs, one covering the affiliationChanged and superseded reason codes and the other covering the cessationOfOperation and certificateHold reason codes. The end entity certificate is not listed on either CRL.
- Throws:
Exception
-
test4_14_18
4.14.18 Valid onlySomeReasons Test18
In this test, the intermediate certificate has issued two CRLs, one covering the keyCompromise and cACompromise reason codes and the other covering the remaining reason codes. Both CRLs include an issuingDistributionPoint extension with the same distributionPoint name. The end entity certificate includes a cRLDistributionPoints extension with the same distributionPoint name.
- Throws:
Exception
-
test4_14_19
4.14.19 Valid onlySomeReasons Test19
In this test, the intermediate certificate has issued two CRLs, one covering the keyCompromise and cACompromise reason codes and the other covering the remaining reason codes. Both CRLs include an issuingDistributionPoint extension with a different distributionPoint name. The end entity certificate includes a cRLDistributionPoints extension with two DistributionPoints, one for each CRL.
- Throws:
Exception
-
test4_14_20
4.14.20 Invalid onlySomeReasons Test20
In this test, the intermediate certificate has issued two CRLs, one covering the keyCompromise and cACompromise reason codes and the other covering the remaining reason codes. Both CRLs include an issuingDistributionPoint extension with a different distributionPoint name. The end entity certificate includes a cRLDistributionPoints extension with two DistributionPoints, one for each CRL. The end entity certificate has been revoked for key compromise.
- Throws:
Exception
-
test4_14_21
4.14.21 Invalid onlySomeReasons Test21
In this test, the intermediate certificate has issued two CRLs, one covering the keyCompromise and cACompromise reason codes and the other covering the remaining reason codes. Both CRLs include an issuingDistributionPoint extension with a different distributionPoint name. The end entity certificate includes a cRLDistributionPoints extension with two DistributionPoints, one for each CRL. The end entity certificate has been revoked as a result of a change in affiliation.
- Throws:
Exception
-
test4_14_22
4.14.22 Valid IDP with indirectCRL Test22
In this test, the intermediate CA has issued a CRL that contains an issuingDistributionPoint extension with the indirectCRL flag set. The end entity certificate was issued by the intermediate CA.
- Throws:
Exception
-
test4_14_23
4.14.23 Invalid IDP with indirectCRL Test23
In this test, the intermediate CA has issued a CRL that contains an issuingDistributionPoint extension with the indirectCRL flag set. The end entity certificate was issued by the intermediate CA and is listed as revoked on the CRL.
- Throws:
Exception
-
xtest4_14_24
4.14.24 Valid IDP with indirectCRL Test24
In this test, the end entity certificate includes a cRLDistributionPoints extension with a cRLIssuer field indicating that the CRL is issued by an entity other than the certificate issuer. The public key needed to validate the indirect CRL is in a certificate issued by the Trust Anchor.
- Throws:
Exception
-
xtest4_14_25
4.14.25 Valid IDP with indirectCRL Test25
In this test, the end entity certificate includes a cRLDistributionPoints extension with a cRLIssuer field indicating that the CRL is issued by an entity other than the certificate issuer. The public key needed to validate the indirect CRL is in a certificate issued by the Trust Anchor. The end entity's serial number is listed on the CRL, but there is no certificateIssuer CRL entry extension, indicating that the revoked certificate was one issued by the CRL issuer.
- Throws:
Exception
-
xtest4_14_26
4.14.26 Invalid IDP with indirectCRL Test26
In this test, the end entity certificate includes a cRLDistributionPoints extension with a cRLIssuer field indicating that the CRL is issued by an entity other than the certificate issuer. The entity specified in the cRLIssuer field does not exist.
- Throws:
Exception
-
xtest4_14_27
4.14.27 Invalid cRLIssuer Test27
In this test, the end entity certificate includes a cRLDistributionPoints extension with a cRLIssuer field indicating that the CRL is issued by an entity other than the certificate issuer. The CRL issued by the entity specified in the cRLIssuer field does not include an issuingDistributionPoint extension.
- Throws:
Exception
-
xtest4_14_28
4.14.28 Valid cRLIssuer Test28
In this test, the end entity certificate includes a cRLDistributionPoints extension with a cRLIssuer field indicating that the CRL is issued by an entity other than the certificate issuer. The indirect CRL issuer has been issued a certificate by the issuer of the end entity certificate. The certificate issued to the CRL issuer is covered by a CRL issued by the issuer of the end entity certificate.
- Throws:
Exception
-
xtest4_14_29
4.14.29 Valid cRLIssuer Test29
In this test, the end entity certificate includes a cRLDistributionPoints extension with a cRLIssuer field indicating that the CRL is issued by an entity other than the certificate issuer. The distributionPoint in the end entity certificate is specified as nameRelativeToCRLIssuer. The indirect CRL issuer has been issued a certificate by the issuer of the end entity certificate. The certificate issued to the CRL issuer is covered by a CRL issued by the issuer of the end entity certificate.
- Throws:
Exception
-
xtest4_14_30
4.14.30 Valid cRLIssuer Test30
In this test, the end entity certificate includes a cRLDistributionPoints extension with a cRLIssuer field indicating that the CRL is issued by an entity other than the certificate issuer. The indirect CRL issuer has been issued a certificate by the issuer of the end entity certificate. Both the end entity certificate and the certificate issued to the CRL issuer are covered by the indirect CRL issued by the CRL issuer.
- Throws:
Exception
-
xtest4_14_31
4.14.31 Invalid cRLIssuer Test31
In this test, the end entity certificate includes a cRLDistributionPoints extension with a cRLIssuer field indicating that the CRL is issued by an entity other than the certificate issuer. The indirect CRL contains a CRL entry listing the end entity certificate's serial number that includes a certificateIssuer extension specifying the end entity certificate's issuer.
- Throws:
Exception
-
xtest4_14_32
4.14.32 Invalid cRLIssuer Test32
In this test, the end entity certificate includes a cRLDistributionPoints extension with a cRLIssuer field indicating that the CRL is issued by an entity other than the certificate issuer. The indirect CRL contains a CRL entry listing the end entity certificate's serial number and the preceding CRL entry includes a certificateIssuer extension specifying the end entity certificate's issuer.
- Throws:
Exception
-
xtest4_14_33
4.14.33 Valid cRLIssuer Test33
In this test, the end entity certificate includes a cRLDistributionPoints extension with a cRLIssuer field indicating that the CRL is issued by an entity other than the certificate issuer. The indirect CRL contains a CRL entry listing the end entity certificate's serial number, but the most recent CRL entry to include a certificateIssuer extension specified a different certificate issuer.
- Throws:
Exception
-
test4_14_34
4.14.34 Invalid cRLIssuer Test34
In this test, the end entity certificate is issued by the same CA that issues the corresponding CRL, but the CRL is also an indirect CRL for other CAs. The end entity certificate's serial number is listed on the CRL and the most recent CRL entry to include a certificateIssuer extension specifies the end entity certificate's issuer.
- Throws:
Exception
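The entry-issuer rule that tests 4.14.31 through 4.14.34 exercise, as an added example that is not part of the documented test class: an entry without a certificateIssuer extension inherits the issuer of the preceding entry, and the first entry defaults to the CRL issuer. The `Entry` record, the `isListed` helper, the names and the serial numbers are constructed for illustration, and names are compared as plain strings where a real validator compares distinguished names.

```java
import java.math.BigInteger;
import java.util.List;

public class IndirectCrlEntryIssuer {
    // One revokedCertificates entry (constructed model); certificateIssuer is
    // null when the entry does not carry the certificateIssuer extension.
    record Entry(BigInteger serial, String certificateIssuer) {}

    /** True if the certificate (certIssuer, serial) is listed on the CRL. */
    static boolean isListed(String crlIssuer, List<Entry> entries,
                            String certIssuer, BigInteger serial) {
        String effective = crlIssuer;              // default for the first entry
        for (Entry e : entries) {
            if (e.certificateIssuer() != null) {
                effective = e.certificateIssuer(); // applies until the next entry that sets it
            }
            // A matching serial number counts only when the issuer matches too.
            if (e.serial().equals(serial) && effective.equals(certIssuer)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String crlCa = "CN=Indirect CRL CA (constructed)";
        String caA = "CN=CA A (constructed)";
        String caB = "CN=CA B (constructed)";
        BigInteger ee = BigInteger.valueOf(5);
        BigInteger other = BigInteger.valueOf(2);

        // 4.14.31 shape: the entry itself names the certificate's issuer.
        List<Entry> own = List.of(new Entry(ee, caA));
        // 4.14.32 shape: the preceding entry names it and this entry inherits it.
        List<Entry> inherited = List.of(new Entry(other, caA), new Entry(ee, null));
        // 4.14.33 shape: the most recent certificateIssuer names a different CA.
        List<Entry> different = List.of(new Entry(other, caB), new Entry(ee, null));
        // 4.14.34 shape: CA A issues the CRL itself, which also covers CA B.
        List<Entry> mixed = List.of(new Entry(other, caB), new Entry(ee, caA));

        System.out.println("4.14.31 listed: " + isListed(crlCa, own, caA, ee));
        System.out.println("4.14.32 listed: " + isListed(crlCa, inherited, caA, ee));
        System.out.println("4.14.33 listed: " + isListed(crlCa, different, caA, ee));
        System.out.println("4.14.34 listed: " + isListed(caA, mixed, caA, ee));
    }
}
```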
-
test4_14_35
4.14.35 Invalid cRLIssuer Test35
In this test, the end entity certificate includes a cRLDistributionPoints extension with both a distributionPoint name and a cRLIssuer field indicating that the CRL is issued by an entity other than the certificate issuer. There is no CRL available from the entity specified in cRLIssuer, but the certificate issuer has issued a CRL with an issuingDistributionPoint extension that includes a distributionPoint that matches the distributionPoint in the certificate.
- Throws:
Exception
-
test4_15_1
4.15.1 Invalid deltaCRLIndicator No Base Test1
In this test, the CRL covering the end entity certificate includes a deltaCRLIndicator extension, but no other CRLs are available for the intermediate certificate.
- Throws:
Exception
-
test4_15_2
4.15.2 Valid delta-CRL Test2
In this test, the intermediate CA has issued a complete CRL and a delta-CRL. The delta-CRL refers to the complete CRL as its base CRL.
- Throws:
Exception
-
test4_15_3
4.15.3 Invalid delta-CRL Test3
In this test, the intermediate CA has issued a complete CRL and a delta-CRL. The delta-CRL refers to the complete CRL as its base CRL. The end entity certificate is listed as revoked on the complete CRL.
- Throws:
Exception
-
test4_15_4
4.15.4 Invalid delta-CRL Test4
In this test, the intermediate CA has issued a complete CRL and a delta-CRL. The delta-CRL refers to the complete CRL as its base CRL. The end entity certificate is listed as revoked on the delta-CRL.
- Throws:
Exception
-
test4_15_5
4.15.5 Valid delta-CRL Test5
In this test, the intermediate CA has issued a complete CRL and a delta-CRL. The delta-CRL refers to the complete CRL as its base CRL. The end entity certificate is listed as on hold on the complete CRL, but the delta-CRL indicates that it should be removed from the CRL.
- Throws:
Exception
-
test4_15_6
4.15.6 Invalid delta-CRL Test6
In this test, the intermediate CA has issued a complete CRL and a delta-CRL. The delta-CRL refers to the complete CRL as its base CRL. The end entity certificate is listed as on hold on the complete CRL and the delta-CRL indicates that it has been revoked.
- Throws:
Exception
-
test4_15_7
4.15.7 Valid delta-CRL Test7
In this test, the intermediate CA has issued a complete CRL and a delta-CRL. The delta-CRL refers to the complete CRL as its base CRL. The end entity certificate is not listed on the complete CRL and is listed on the delta-CRL as removeFromCRL.
- Throws:
Exception
-
test4_15_8
4.15.8 Valid delta-CRL Test8
In this test, the intermediate CA has issued a complete CRL and a delta-CRL. The delta-CRL refers to a CRL that was issued earlier than the complete CRL as its base CRL. The end entity certificate is not listed on either the complete CRL or the delta-CRL.
- Throws:
Exception
-
test4_15_9
4.15.9 Invalid delta-CRL Test9
In this test, the intermediate CA has issued a complete CRL and a delta-CRL. The delta-CRL refers to a CRL that was issued earlier than the complete CRL as its base CRL. The end entity certificate is listed as revoked on both the complete CRL and the delta-CRL.
- Throws:
Exception
-
test4_15_10
4.15.10 Invalid delta-CRL Test10
In this test, the intermediate CA has issued a complete CRL and a delta-CRL. The delta-CRL refers to a CRL that was issued later than the complete CRL as its base CRL. The end entity certificate is not listed as revoked on either the complete CRL or the delta-CRL, but the delta-CRL can not be used in conjunction with the provided complete CRL. The complete CRL has a nextUpdate time that is in the past.
- Throws:
Exception
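How a complete CRL and a delta-CRL combine into one revocation decision across tests 4.15.1 through 4.15.10, as an added example that is not part of the documented test class. The `Crl` record, the `check` method, the CRL numbers, dates and serial number are constructed for illustration, and the model leaves out signature, issuer and scope checks.

```java
import java.math.BigInteger;
import java.time.Instant;
import java.util.Map;

public class DeltaCrlStatus {
    enum Reason { KEY_COMPROMISE, CERTIFICATE_HOLD, REMOVE_FROM_CRL }
    enum Status { GOOD, REVOKED, UNDETERMINED }

    // Constructed model: baseCrlNumber is null on a complete CRL and set on a
    // delta-CRL (deltaCRLIndicator). Real CRL numbers are arbitrary-size integers.
    record Crl(long crlNumber, Long baseCrlNumber, Instant nextUpdate,
               Map<BigInteger, Reason> entries) {}

    static Status check(Crl complete, Crl delta, BigInteger serial, Instant now) {
        if (complete == null || complete.baseCrlNumber() != null) {
            return Status.UNDETERMINED;   // a delta-CRL without a base decides nothing
        }
        // The delta applies only if the complete CRL is at or past the delta's
        // base and was issued before the delta itself.
        boolean usable = delta != null && delta.baseCrlNumber() != null
                && complete.crlNumber() >= delta.baseCrlNumber()
                && complete.crlNumber() < delta.crlNumber()
                && !now.isAfter(delta.nextUpdate());
        if (usable) {
            Reason r = delta.entries().get(serial);
            if (r == Reason.REMOVE_FROM_CRL) return Status.GOOD;  // hold lifted
            if (r != null) return Status.REVOKED;                 // delta overrides base
        } else if (now.isAfter(complete.nextUpdate())) {
            return Status.UNDETERMINED;   // stale complete CRL, no delta to refresh it
        }
        return complete.entries().containsKey(serial) ? Status.REVOKED : Status.GOOD;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-01-01T00:00:00Z");
        Instant fresh = now.plusSeconds(86_400), stale = now.minusSeconds(86_400);
        BigInteger ee = BigInteger.valueOf(4);   // constructed serial number

        Crl hold = new Crl(5, null, fresh, Map.of(ee, Reason.CERTIFICATE_HOLD));
        Crl clean = new Crl(5, null, fresh, Map.of());
        Crl expired = new Crl(3, null, stale, Map.of());
        Crl remove = new Crl(6, 5L, fresh, Map.of(ee, Reason.REMOVE_FROM_CRL));
        Crl revoke = new Crl(6, 5L, fresh, Map.of(ee, Reason.KEY_COMPROMISE));
        Crl empty = new Crl(6, 5L, fresh, Map.of());

        System.out.println("4.15.1 shape:  " + check(null, empty, ee, now));
        System.out.println("4.15.5 shape:  " + check(hold, remove, ee, now));
        System.out.println("4.15.6 shape:  " + check(hold, revoke, ee, now));
        System.out.println("4.15.7 shape:  " + check(clean, remove, ee, now));
        System.out.println("4.15.10 shape: " + check(expired, empty, ee, now));
    }
}
```

A path validator treats both REVOKED and UNDETERMINED as failures, which is why the "Invalid" tests include cases where the certificate is never listed as revoked.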
-
test4_16_1
4.16.1 Valid Unknown Not Critical Certificate Extension Test1
In this test, the end entity certificate contains a private, non-critical certificate extension.
- Throws:
Exception
-
test4_16_2
4.16.2 Invalid Unknown Critical Certificate Extension Test2
In this test, the end entity certificate contains a private, critical certificate extension.
- Throws:
Exception
-