Version 1.07
enabling tools for PKI client software developers
This page contains conformance tests for relying parties that validate X.509 certification paths. Each test consists of a set of X.509 certificates and CRLs. The tests are fully described in the Conformance Testing of Relying Party Client Certificate Path Processing Logic document. The goal for the first release of these tests was to address the X.509 features used in the DoD Class 3 PKI. While this test suite remains available for use, it has been superseded by the Public Key Interoperability Test Suite (PKITS), which provides for more comprehensive testing of the features of X.509.
The tests cover X.509 version 3 certificates and X.509 version 2 CRLs. They exercise the commonly used fields and extensions, with the following caveats:
The tests are provided in two different formats:
In both cases, each folder contains all the certificates and CRLs required to perform one of the tests, as well as the end-entity private key. The tests are ordered in the same way as they are ordered in the document that describes the tests. In cases where the API for the path validation routines is not exposed, the private key may be used with applications to implement these tests. Each folder contains five types of files:
The certificates and CRLs necessary to perform the tests can also be retrieved using LDAP. The directory is on the machine seclab7.ncsl.nist.gov and can be accessed using port 389. The schema specified in RFC 2587 was used to place the certificates and CRL in the directory.
Notes: The trust anchor and CRL are included in each test. However, the same trust anchor and CRL are used for every test, so it may be more convenient to establish the trust anchor once and then perform all of the tests.
The certificates and CRLs are signed by the same Certification Authority (CA) using the same private key. Thus, the issuer Distinguished Name (DN) in the certificate and the issuer DN in the CRL will always match. Furthermore, there is no need to develop a certification path for validating signatures on the CRL. In fact, the same public key used to validate the signature on a certificate MUST be used to validate the signature on the CRL.
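As an added illustration (not code from the test suite or its documentation), the Go program below mirrors the structure described above: it constructs a trust anchor, an end-entity certificate and a CRL all signed with the single CA key, then validates the path and checks the CRL signature with the same public key that validated the certificate, rejecting a revoked serial, a stale CRL, or a CRL signed by some other key. The subject names, serial numbers, validity windows and the `TestCase`/`Validate`/`BuildCase` names are assumptions; the real suite's folders and file names are not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TestCase models one test folder: trust anchor, its CRL and the end-entity certificate, all DER.
type TestCase struct{ TrustAnchor, CRL, EndEntity []byte }

// Validate builds the path from the end entity to the trust anchor, verifies the CRL with the
// same public key that validated the certificate, and rejects a revoked serial or a stale CRL.
func Validate(tc TestCase, now time.Time) error {
	anchor, err := x509.ParseCertificate(tc.TrustAnchor)
	if err != nil { return err }
	ee, err := x509.ParseCertificate(tc.EndEntity)
	if err != nil { return err }
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	if _, err := ee.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil { return fmt.Errorf("path validation: %w", err) }
	crl, err := x509.ParseRevocationList(tc.CRL)
	if err != nil { return err }
	// The CRL must verify under the trust anchor key itself, not via a separately built path.
	if err := crl.CheckSignatureFrom(anchor); err != nil { return fmt.Errorf("CRL signature: %w", err) }
	if now.After(crl.NextUpdate) { return fmt.Errorf("CRL stale since %v", crl.NextUpdate) }
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(ee.SerialNumber) == 0 { return fmt.Errorf("serial %v is revoked", ee.SerialNumber) }
	}
	return nil
}

// must panics on a construction error; only the sample builder below uses it.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// BuildCase constructs sample data (assumed values, not from the real suite): a self-signed trust
// anchor, an end-entity certificate with serial eeSerial, and a CRL from the same CA key revoking revokedSerial.
func BuildCase(now time.Time, eeSerial, revokedSerial int64) TestCase {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	eePub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample Trust Anchor"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)))) // parsed copy carries the SubjectKeyId the CRL needs
	ee := &x509.Certificate{SerialNumber: big.NewInt(eeSerial), Subject: pkix.Name{CommonName: "Sample End Entity"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	eeDER := must(x509.CreateCertificate(rand.Reader, ee, caCert, eePub, caKey))
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now.Add(-time.Minute)}}}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crl, caCert, caKey))
	return TestCase{TrustAnchor: caCert.Raw, CRL: crlDER, EndEntity: eeDER}
}
```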
The X.509 2000 policy processing rules are assumed.
No test data has changed between versions 1.06 and 1.07 of this test suite. All of the tests and expected test results are the same. The only changes in version 1.07 are minor corrections in the documentation.