26 files changed, 2674 insertions, 0 deletions
diff --git a/tests/pkits/ChangeLog-2011 b/tests/pkits/ChangeLog-2011
new file mode 100644
index 0000000..d66e474
--- /dev/null
+++ b/tests/pkits/ChangeLog-2011
@@ -0,0 +1,75 @@
+2011-12-01  Werner Koch  <wk@g10code.com>
+
+	NB: ChangeLog files are no longer manually maintained.  Starting
+	on December 1st, 2011 we put change information only in the GIT
+	commit log, and generate a top-level ChangeLog file from logs at
+	"make dist".  See doc/HACKING for details.
+
+2009-03-03  Werner Koch  <wk@g10code.com>
+
+	* inittests (clean_files): Use /bin/pwd here as well.
+
+	* Makefile.am (run-all-tests): Also use /bin/pwd here.
+
+2009-02-19  Werner Koch  <wk@g10code.com>
+
+	* Makefile.am (TESTS_ENVIRONMENT): Use /bin/pwd
+	* common.sh: Ditto.
+
+2008-02-19  Werner Koch  <wk@g10code.com>
+
+	* inittests: Unpack test data onlyu if available.
+	* common.sh: Skip tests if PKITS test data is not available.
+	* Makefile.am: Do not distribute test data.  This allows to
+	include the test suite in the distribution.
+
+	* signature-verification: New.
+	* validity-periods: New.
+	* verifying-name-chaining: New.
+	* basic-certificate-revocation: New.
+	* verifying-paths-self-issued: New.
+	* verifying-basic-constraints: New.
+	* key-usage: New.
+	* certificate-policies: New.
+	* require-explicit-policy: New.
+	* policy-mappings: New.
+	* inhibit-policy-mapping: New.
+	* inhibit-any-policy: New.
+	* name-constraints: New.
+	* distribution-points: New.
+	* delta-crls: New.
+	* private-certificate-extensions: New.
+	* Makefile.am (testscripts): Add them.
+
+	* import-all-certs.data: Add section numbers.
+
+2008-02-18  Werner Koch  <wk@g10code.com>
+
+	* import-all-certs.data: Adjust import tests results.  Almost all
+	certificates should now be importable due to relaxed basic checks.
+
+	* inittests (clean_files): Disable all dirmngr access.
+
+2006-05-02  Werner Koch  <wk@g10code.com>
+
+	* PKITS_data.tar.bz2: Repackaged new copy because the old one got
+	corrupted by the conversion from CVS to SVN.
+
+2004-08-16  Werner Koch  <wk@g10code.de>
+
+	Started implementing PKITS based tests.
+
+
+ Copyright 2004, 2008 Free Software Foundation, Inc.
+
+ This file is free software; as a special exception the author gives
+ unlimited permission to copy and/or distribute it, with or without
+ modifications, as long as this notice is preserved.
+
+ This file is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+ implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+Local Variables:
+buffer-read-only: t
+End:
diff --git a/tests/pkits/Makefile.am b/tests/pkits/Makefile.am
new file mode 100644
index 0000000..3dc2f16
--- /dev/null
+++ b/tests/pkits/Makefile.am
@@ -0,0 +1,75 @@
+# Makefile.am - tests using NIST's PKITS
+#     	Copyright (C) 2004, 2008 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+## Process this file with automake to produce Makefile.in
+
+GPGSM = ../../sm/gpgsm
+
+TESTS_ENVIRONMENT = GNUPGHOME=`/bin/pwd` GPG_AGENT_INFO= LC_ALL=C \
+                    GPGSM=$(GPGSM) silent=yes
+
+
+testscripts = import-all-certs validate-all-certs \
+	signature-verification        \
+	validity-periods              \
+	verifying-name-chaining       \
+	basic-certificate-revocation  \
+	verifying-paths-self-issued   \
+	verifying-basic-constraints   \
+	key-usage                     \
+	certificate-policies          \
+	require-explicit-policy       \
+	policy-mappings               \
+	inhibit-policy-mapping        \
+	inhibit-any-policy            \
+	name-constraints              \
+	distribution-points           \
+	delta-crls                    \
+	private-certificate-extensions
+
+
+EXTRA_DIST = inittests runtest common.sh $(testscripts) ChangeLog-2011 \
+	     import-all-certs.data
+
+TESTS =
+
+CLEANFILES = inittests.stamp scratch.*.tmp x y z out err  *.lock .\#lk* *.log
+
+DISTCLEANFILES = pubring.kbx~ random_seed
+
+all-local: inittests.stamp
+
+clean-local:
+	srcdir=$(srcdir) $(TESTS_ENVIRONMENT) $(srcdir)/inittests --clean
+
+inittests.stamp: inittests
+	srcdir=$(srcdir) $(TESTS_ENVIRONMENT) $(srcdir)/inittests
+	echo timestamp >./inittests.stamp
+
+
+run-all-tests: inittests.stamp
+	@set -e; \
+         GNUPGHOME=`/bin/pwd`; export GNUPGHOME;\
+         unset GPG_AGENT_INFO; \
+         for tst in $(testscripts); do \
+           if ./$${tst}; then : ; \
+           elif test $$? -eq 77; then echo "- SKIP $$tst"; \
+	   fi; \
+         done
+
+
diff --git a/tests/pkits/Makefile.in b/tests/pkits/Makefile.in
new file mode 100644
index 0000000..accdff2
--- /dev/null
+++ b/tests/pkits/Makefile.in
@@ -0,0 +1,695 @@
+# Makefile.in generated by automake 1.16.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2020 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# Makefile.am - tests using NIST's PKITS
+#     	Copyright (C) 2004, 2008 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+VPATH = @srcdir@
+am__is_gnu_make = { \
+  if test -z '$(MAKELEVEL)'; then \
+    false; \
+  elif test -n '$(MAKE_HOST)'; then \
+    true; \
+  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+    true; \
+  else \
+    false; \
+  fi; \
+}
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+TESTS =
+subdir = tests/pkits
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/autobuild.m4 \
+	$(top_srcdir)/m4/codeset.m4 $(top_srcdir)/m4/gettext.m4 \
+	$(top_srcdir)/m4/gpg-error.m4 $(top_srcdir)/m4/iconv.m4 \
+	$(top_srcdir)/m4/isc-posix.m4 $(top_srcdir)/m4/ksba.m4 \
+	$(top_srcdir)/m4/lcmessage.m4 $(top_srcdir)/m4/ldap.m4 \
+	$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+	$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libassuan.m4 \
+	$(top_srcdir)/m4/libgcrypt.m4 $(top_srcdir)/m4/nls.m4 \
+	$(top_srcdir)/m4/npth.m4 $(top_srcdir)/m4/ntbtls.m4 \
+	$(top_srcdir)/m4/pkg.m4 $(top_srcdir)/m4/po.m4 \
+	$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/m4/readline.m4 \
+	$(top_srcdir)/m4/socklen.m4 $(top_srcdir)/m4/sys_socket_h.m4 \
+	$(top_srcdir)/m4/tar-ustar.m4 $(top_srcdir)/acinclude.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
+mkinstalldirs = $(SHELL) $(top_srcdir)/build-aux/mkinstalldirs
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+SOURCES =
+DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+am__tty_colors_dummy = \
+  mgn= red= grn= lgn= blu= brg= std=; \
+  am__color_tests=no
+am__tty_colors = { \
+  $(am__tty_colors_dummy); \
+  if test "X$(AM_COLOR_TESTS)" = Xno; then \
+    am__color_tests=no; \
+  elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
+    am__color_tests=yes; \
+  elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
+    am__color_tests=yes; \
+  fi; \
+  if test $$am__color_tests = yes; then \
+    red='[0;31m'; \
+    grn='[0;32m'; \
+    lgn='[1;32m'; \
+    blu='[1;34m'; \
+    mgn='[0;35m'; \
+    brg='[1m'; \
+    std='[m'; \
+  fi; \
+}
+am__DIST_COMMON = $(srcdir)/Makefile.in \
+	$(top_srcdir)/build-aux/mkinstalldirs README
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+AWK_HEX_NUMBER_OPTION = @AWK_HEX_NUMBER_OPTION@
+BUILD_FILEVERSION = @BUILD_FILEVERSION@
+BUILD_HOSTNAME = @BUILD_HOSTNAME@
+BUILD_INCLUDED_LIBINTL = @BUILD_INCLUDED_LIBINTL@
+BUILD_REVISION = @BUILD_REVISION@
+BUILD_TIMESTAMP = @BUILD_TIMESTAMP@
+BUILD_VERSION = @BUILD_VERSION@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CC_FOR_BUILD = @CC_FOR_BUILD@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DL_LIBS = @DL_LIBS@
+DNSLIBS = @DNSLIBS@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+ENCFS = @ENCFS@
+EXEEXT = @EXEEXT@
+FUSERMOUNT = @FUSERMOUNT@
+GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
+GMSGFMT = @GMSGFMT@
+GMSGFMT_015 = @GMSGFMT_015@
+GNUPG_AGENT_PGM = @GNUPG_AGENT_PGM@
+GNUPG_DIRMNGR_LDAP_PGM = @GNUPG_DIRMNGR_LDAP_PGM@
+GNUPG_DIRMNGR_PGM = @GNUPG_DIRMNGR_PGM@
+GNUPG_PINENTRY_PGM = @GNUPG_PINENTRY_PGM@
+GNUPG_PROTECT_TOOL_PGM = @GNUPG_PROTECT_TOOL_PGM@
+GNUPG_SCDAEMON_PGM = @GNUPG_SCDAEMON_PGM@
+GPGKEYS_LDAP = @GPGKEYS_LDAP@
+GPGRT_CONFIG = @GPGRT_CONFIG@
+GPG_ERROR_CFLAGS = @GPG_ERROR_CFLAGS@
+GPG_ERROR_CONFIG = @GPG_ERROR_CONFIG@
+GPG_ERROR_LIBS = @GPG_ERROR_LIBS@
+GPG_ERROR_MT_CFLAGS = @GPG_ERROR_MT_CFLAGS@
+GPG_ERROR_MT_LIBS = @GPG_ERROR_MT_LIBS@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+INTLLIBS = @INTLLIBS@
+INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
+KSBA_CFLAGS = @KSBA_CFLAGS@
+KSBA_CONFIG = @KSBA_CONFIG@
+KSBA_LIBS = @KSBA_LIBS@
+LBER_LIBS = @LBER_LIBS@
+LDAPLIBS = @LDAPLIBS@
+LDAP_CPPFLAGS = @LDAP_CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBASSUAN_CFLAGS = @LIBASSUAN_CFLAGS@
+LIBASSUAN_CONFIG = @LIBASSUAN_CONFIG@
+LIBASSUAN_LIBS = @LIBASSUAN_LIBS@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
+LIBGNUTLS_CFLAGS = @LIBGNUTLS_CFLAGS@
+LIBGNUTLS_LIBS = @LIBGNUTLS_LIBS@
+LIBICONV = @LIBICONV@
+LIBINTL = @LIBINTL@
+LIBOBJS = @LIBOBJS@
+LIBREADLINE = @LIBREADLINE@
+LIBS = @LIBS@
+LIBUSB_CPPFLAGS = @LIBUSB_CPPFLAGS@
+LIBUSB_LIBS = @LIBUSB_LIBS@
+LIBUTIL_LIBS = @LIBUTIL_LIBS@
+LN_S = @LN_S@
+LTLIBICONV = @LTLIBICONV@
+LTLIBINTL = @LTLIBINTL@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MSGFMT = @MSGFMT@
+MSGFMT_015 = @MSGFMT_015@
+MSGMERGE = @MSGMERGE@
+NETLIBS = @NETLIBS@
+NPTH_CFLAGS = @NPTH_CFLAGS@
+NPTH_CONFIG = @NPTH_CONFIG@
+NPTH_LIBS = @NPTH_LIBS@
+NTBTLS_CFLAGS = @NTBTLS_CFLAGS@
+NTBTLS_CONFIG = @NTBTLS_CONFIG@
+NTBTLS_LIBS = @NTBTLS_LIBS@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_GT = @PACKAGE_GT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+POSUB = @POSUB@
+RANLIB = @RANLIB@
+SENDMAIL = @SENDMAIL@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SHRED = @SHRED@
+SQLITE3_CFLAGS = @SQLITE3_CFLAGS@
+SQLITE3_LIBS = @SQLITE3_LIBS@
+STRIP = @STRIP@
+SYSROOT = @SYSROOT@
+SYS_SOCKET_H = @SYS_SOCKET_H@
+TAR = @TAR@
+USE_C99_CFLAGS = @USE_C99_CFLAGS@
+USE_INCLUDED_LIBINTL = @USE_INCLUDED_LIBINTL@
+USE_NLS = @USE_NLS@
+VERSION = @VERSION@
+W32SOCKLIBS = @W32SOCKLIBS@
+WINDRES = @WINDRES@
+XGETTEXT = @XGETTEXT@
+XGETTEXT_015 = @XGETTEXT_015@
+XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
+YAT2M = @YAT2M@
+ZLIBS = @ZLIBS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+runstatedir = @runstatedir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+GPGSM = ../../sm/gpgsm
+TESTS_ENVIRONMENT = GNUPGHOME=`/bin/pwd` GPG_AGENT_INFO= LC_ALL=C \
+                    GPGSM=$(GPGSM) silent=yes
+
+testscripts = import-all-certs validate-all-certs \
+	signature-verification        \
+	validity-periods              \
+	verifying-name-chaining       \
+	basic-certificate-revocation  \
+	verifying-paths-self-issued   \
+	verifying-basic-constraints   \
+	key-usage                     \
+	certificate-policies          \
+	require-explicit-policy       \
+	policy-mappings               \
+	inhibit-policy-mapping        \
+	inhibit-any-policy            \
+	name-constraints              \
+	distribution-points           \
+	delta-crls                    \
+	private-certificate-extensions
+
+EXTRA_DIST = inittests runtest common.sh $(testscripts) ChangeLog-2011 \
+	     import-all-certs.data
+
+CLEANFILES = inittests.stamp scratch.*.tmp x y z out err  *.lock .\#lk* *.log
+DISTCLEANFILES = pubring.kbx~ random_seed
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu tests/pkits/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu tests/pkits/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+tags TAGS:
+
+ctags CTAGS:
+
+cscope cscopelist:
+
+
+check-TESTS: $(TESTS)
+	@failed=0; all=0; xfail=0; xpass=0; skip=0; \
+	srcdir=$(srcdir); export srcdir; \
+	list=' $(TESTS) '; \
+	$(am__tty_colors); \
+	if test -n "$$list"; then \
+	  for tst in $$list; do \
+	    if test -f ./$$tst; then dir=./; \
+	    elif test -f $$tst; then dir=; \
+	    else dir="$(srcdir)/"; fi; \
+	    if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xpass=`expr $$xpass + 1`; \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=XPASS; \
+	      ;; \
+	      *) \
+		col=$$grn; res=PASS; \
+	      ;; \
+	      esac; \
+	    elif test $$? -ne 77; then \
+	      all=`expr $$all + 1`; \
+	      case " $(XFAIL_TESTS) " in \
+	      *[\ \	]$$tst[\ \	]*) \
+		xfail=`expr $$xfail + 1`; \
+		col=$$lgn; res=XFAIL; \
+	      ;; \
+	      *) \
+		failed=`expr $$failed + 1`; \
+		col=$$red; res=FAIL; \
+	      ;; \
+	      esac; \
+	    else \
+	      skip=`expr $$skip + 1`; \
+	      col=$$blu; res=SKIP; \
+	    fi; \
+	    echo "$${col}$$res$${std}: $$tst"; \
+	  done; \
+	  if test "$$all" -eq 1; then \
+	    tests="test"; \
+	    All=""; \
+	  else \
+	    tests="tests"; \
+	    All="All "; \
+	  fi; \
+	  if test "$$failed" -eq 0; then \
+	    if test "$$xfail" -eq 0; then \
+	      banner="$$All$$all $$tests passed"; \
+	    else \
+	      if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+	      banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+	    fi; \
+	  else \
+	    if test "$$xpass" -eq 0; then \
+	      banner="$$failed of $$all $$tests failed"; \
+	    else \
+	      if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+	      banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+	    fi; \
+	  fi; \
+	  dashes="$$banner"; \
+	  skipped=""; \
+	  if test "$$skip" -ne 0; then \
+	    if test "$$skip" -eq 1; then \
+	      skipped="($$skip test was not run)"; \
+	    else \
+	      skipped="($$skip tests were not run)"; \
+	    fi; \
+	    test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$skipped"; \
+	  fi; \
+	  report=""; \
+	  if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+	    report="Please report to $(PACKAGE_BUGREPORT)"; \
+	    test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+	      dashes="$$report"; \
+	  fi; \
+	  dashes=`echo "$$dashes" | sed s/./=/g`; \
+	  if test "$$failed" -eq 0; then \
+	    col="$$grn"; \
+	  else \
+	    col="$$red"; \
+	  fi; \
+	  echo "$${col}$$dashes$${std}"; \
+	  echo "$${col}$$banner$${std}"; \
+	  test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
+	  test -z "$$report" || echo "$${col}$$report$${std}"; \
+	  echo "$${col}$$dashes$${std}"; \
+	  test "$$failed" -eq 0; \
+	else :; fi
+
+distdir: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-TESTS
+check: check-am
+all-am: Makefile all-local
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-test -z "$(DISTCLEANFILES)" || rm -f $(DISTCLEANFILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-local mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: check-am install-am install-strip
+
+.PHONY: all all-am all-local check check-TESTS check-am clean \
+	clean-generic clean-local cscopelist-am ctags-am distclean \
+	distclean-generic distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic pdf pdf-am ps ps-am tags-am uninstall \
+	uninstall-am
+
+.PRECIOUS: Makefile
+
+
+all-local: inittests.stamp
+
+clean-local:
+	srcdir=$(srcdir) $(TESTS_ENVIRONMENT) $(srcdir)/inittests --clean
+
+inittests.stamp: inittests
+	srcdir=$(srcdir) $(TESTS_ENVIRONMENT) $(srcdir)/inittests
+	echo timestamp >./inittests.stamp
+
+run-all-tests: inittests.stamp
+	@set -e; \
+         GNUPGHOME=`/bin/pwd`; export GNUPGHOME;\
+         unset GPG_AGENT_INFO; \
+         for tst in $(testscripts); do \
+           if ./$${tst}; then : ; \
+           elif test $$? -eq 77; then echo "- SKIP $$tst"; \
+	   fi; \
+         done
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/tests/pkits/README b/tests/pkits/README
new file mode 100644
index 0000000..06aa97b
--- /dev/null
+++ b/tests/pkits/README
@@ -0,0 +1,37 @@
+tests/pkits/README
+
+These are tests based on NIST's Public Key Interoperability Test Suite
+(PKITS) as downloaded on 2006-05-02 from
+http://csrc.nist.gov/pki/testing/x509paths.html .
+
+README             - this file.
+PKITS_data.tar.bz2 - the original ZIP file, repackaged as a tarball.
+Makefile.am        - Part of our build system.
+import-all-certs   - Run a simple import test on all certificates
+validate-all-certs - Run an import and validate test on all certificates
+signature-verification         - PKITS test 4.1  
+validity-periods               - PKITS test 4.2  
+verifying-name-chaining        - PKITS test 4.3  
+basic-certificate-revocation   - PKITS test 4.4  
+verifying-paths-self-issued    - PKITS test 4.5  
+verifying-basic-constraints    - PKITS test 4.6  
+key-usage                      - PKITS test 4.7  
+certificate-policies           - PKITS test 4.8  
+require-explicit-policy        - PKITS test 4.9  
+policy-mappings                - PKITS test 4.10 
+inhibit-policy-mapping         - PKITS test 4.11 
+inhibit-any-policy             - PKITS test 4.12 
+name-constraints               - PKITS test 4.13 
+distribution-points            - PKITS test 4.14 
+delta-crls                     - PKITS test 4.15 
+private-certificate-extensions - PKITS test 4.16 
+
+
+The password for the p12 files is "password".
+
+You may run the tests as usual with "make check" or after a plain make
+in this directory you may run the tests individually.  When run in
+this way they will print easy to parse output to stdout.  To run all
+tests in this mode, use "make run-all-tests".  All test scripts create
+a log file with the suffix ".log" appended to the test script's name.
+
diff --git a/tests/pkits/basic-certificate-revocation b/tests/pkits/basic-certificate-revocation
new file mode 100755
index 0000000..496a82c
--- /dev/null
+++ b/tests/pkits/basic-certificate-revocation
@@ -0,0 +1,31 @@
+#!/bin/sh
+# basic-certificate-revocation - PKITS Test 4.4                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.4
+description="Basic Certificate Revocation"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/certificate-policies b/tests/pkits/certificate-policies
new file mode 100755
index 0000000..f472201
--- /dev/null
+++ b/tests/pkits/certificate-policies
@@ -0,0 +1,31 @@
+#!/bin/sh
+# certificate-policies - PKITS Test 4.8                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.8
+description="Certificate Policies"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/common.sh b/tests/pkits/common.sh
new file mode 100644
index 0000000..697f28f
--- /dev/null
+++ b/tests/pkits/common.sh
@@ -0,0 +1,275 @@
+# common.sh - common defs for all tests         -*- sh -*-
+# Copyright (C) 2004, 2008 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+# reset some environment variables because we do not want to test locals
+LANG=C
+LANGUAGE=C
+LC_ALL=C
+export LANG LANGUAGE LC_ALL
+
+pgmname=`basename $0`
+
+if [ "$1" = "--debug" ]; then
+  debug=yes
+  set -x
+else
+  debug=
+fi
+[ -z "$srcdir" ] && srcdir="."
+[ -z "$top_srcdir" ] && top_srcdir=".."
+[ -z "$GPGSM" ] && GPGSM="../../sm/gpgsm"
+[ -z "$silent" ] && silent=no
+
+AWK=awk
+SCRATCH="scratch.$$.tmp"
+
+# We use this as the faked system time for certain tests.
+MYTIME="20080508T120000"
+
+
+if [ "$GNUPGHOME" != "`/bin/pwd`" ]; then
+    echo "inittests: please set GNUPGHOME to the tests/pkits directory" >&2
+    exit 1
+fi
+
+if [ -n "$GPG_AGENT_INFO" ]; then
+    echo "inittests: please unset GPG_AGENT_INFO" >&2
+    exit 1
+fi
+
+if [ -f "$srcdir/PKITS_data.tar.bz2" ]; then
+  :
+else
+    if [ "$pgmname" = "import-all-certs" ]; then
+        if [ "$silent" = "yes" ]; then tmp1="Note: "; tmp2='      '
+        else tmp1="- ____ "; tmp2="$tmp1"
+        fi
+        echo "${tmp1}PKITS_data.tar.bz2 is not installed"
+        echo "${tmp2}All tests will be skipped (this is not an error)"
+    fi
+    # Exit code 77 is used by the Makefile for skipping a tests.
+    exit 77
+fi
+
+#--------------------------------
+#------ utility functions -------
+#--------------------------------
+
+echo_n_init=no
+echo_n () {
+  if test "$echo_n_init" = "no"; then
+    if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then
+      if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then
+	echo_n_n=
+	echo_n_c='
+'
+      else
+	echo_n_n='-n'
+	echo_n_c=
+      fi
+    else
+      echo_n_n=
+      echo_n_c='\c'
+    fi
+    echo_n_init=yes
+  fi
+  echo $echo_n_n "${1}$echo_n_c"
+}
+
+setup_output () {
+  if [ -z "$first_section_set" ]; then
+      first_section_set=$section
+  fi
+  section_out="$(echo $section)"
+  if [ -z "$section_out" ]; then
+      section_out="-"
+  fi
+}
+
+fatal () {
+    echo "$pgmname: fatal:" $* >&2
+    if [ "$silent" != "yes" ]; then
+        echo "$section_out ERROR: $* (fatal)"
+    fi
+    exit 1;
+}
+
+error () {
+    echo "$pgmname:" $* >&2
+    if [ "$silent" != "yes" ]; then
+        echo "$section_out ERROR: $*"
+    fi
+    exit 1
+}
+
+info () {
+    setup_output
+    echo "$pgmname:" $* >&2
+    if [ "$silent" != "yes" ]; then
+        echo "$section_out ____ $*"
+    fi
+}
+
+info_n () {
+    setup_output
+    echo_n "$pgmname:" $* >&2
+}
+
+pass () {
+    setup_output
+    echo "PASS: " $* >&2
+    pass_count=`expr ${pass_count} + 1`
+    if [ "$silent" != "yes" ]; then
+        echo_n "$section_out PASS"
+        if [ -n "$1" ]; then echo_n " $1"
+        elif [ -n "$description" ]; then echo_n " ($description)"
+        fi
+        echo
+    fi
+}
+
+fail () {
+    setup_output
+    echo "FAIL: " $* >&2
+    fail_count=`expr ${fail_count} + 1`
+    if [ "$silent" != "yes" ]; then
+        echo_n "$section_out FAIL"
+        if [ -n "$1" ]; then echo_n " $1"
+        elif [ -n "$description" ]; then echo_n " ($description)"
+        fi
+        echo
+    fi
+}
+
+skip () {
+    setup_output
+    echo "SKIP: " $* >&2
+    skip_count=`expr ${skip_count} + 1`
+    if [ "$silent" != "yes" ]; then
+        echo_n "$section_out SKIP"
+        if [ -n "$1" ]; then echo_n " $1"
+        elif [ -n "$description" ]; then echo_n " ($description)"
+        fi
+        echo
+    fi
+}
+
+unresolved () {
+    setup_output
+    echo "UNRESOLVED: " $* >&2
+    unresolved_count=`expr ${unresolved_count} + 1`
+    if [ "$silent" != "yes" ]; then
+        echo_n "$section_out UNRESOLVED"
+        if [ -n "$1" ]; then echo_n " $1"
+        elif [ -n "$description" ]; then echo_n " ($description)"
+        fi
+        echo
+    fi
+}
+
+
+final_result () {
+    section=$first_section_set
+    [ $pass_count = 0 ]        || info "$pass_count tests passed"
+    [ $fail_count = 0 ]        || info "$fail_count tests failed"
+    [ $skip_count = 0 ]        || info "$unsupported_count tests skipped"
+    [ $unresolved_count = 0 ]  || info "$unresolved_count tests unresolved"
+    [ -z "$debug" -a -f "$SCRATCH" ] && rm "$SCRATCH"
+    if [ $fail_count = 0 ]; then
+        info "all tests passed"
+    else
+        exit 1
+    fi
+}
+
+
+clean_homedir () {
+    [ -f pubring.kbx ] && rm pubring.kbx
+    if [ -d private-keys-v1.d ]; then
+        rm private-keys-v1.d/* 2>/dev/null || true
+        rmdir private-keys-v1.d
+    fi
+}
+
+start_test () {
+    section="$1"
+    description="$2"
+    test_status=none
+    echo "BEGIN TEST $section ($description)" >&2
+}
+
+end_test () {
+   case "$test_status" in
+      none) skip "($description) - test not implemented";;
+      pass) pass "($description)";;
+      fail) fail "($description)";;
+     setup) fail "($description) - setup failed";;
+        ns) skip "($description) - not supported";;
+       nys) skip "($description) - not yet supported";;
+         *) unresolved "$(description)";; 
+   esac
+   echo "END TEST $section" >&2
+}
+
+set_status () {
+    if [ "$test_status" = "none" ]; then
+        test_status=$1
+    fi
+}
+
+need_cert () {
+    if [ "$2" = "--import-anyway" ]; then
+        if ! ${GPGSM} -q --debug-no-chain-validation --import certs/$1.crt
+          then 
+            set_status setup
+        fi
+    else
+        if ! ${GPGSM} -q --import certs/$1.crt; then 
+            set_status setup
+        fi
+    fi
+}
+
+need_crl () {
+    # CRL are not yet implemented
+    #set_status setup
+    :
+}
+
+
+
+set -e
+
+pass_count=0
+fail_count=0
+skip_count=0
+unresolved_count=0
+first_section_set=""
+section_out=""
+test_status=none
+
+# User settable variables
+section=""
+description=""
+
+
+#trap cleanup SIGHUP SIGINT SIGQUIT
+[ -z "$debug" ] && exec 2> ${pgmname}.log
+
+:
+# end
diff --git a/tests/pkits/delta-crls b/tests/pkits/delta-crls
new file mode 100755
index 0000000..2b91288
--- /dev/null
+++ b/tests/pkits/delta-crls
@@ -0,0 +1,31 @@
+#!/bin/sh
+# delta-crls - PKITS Test 4.15                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.15
+description="Delta-CRLs"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/distribution-points b/tests/pkits/distribution-points
new file mode 100755
index 0000000..2d59fcd
--- /dev/null
+++ b/tests/pkits/distribution-points
@@ -0,0 +1,31 @@
+#!/bin/sh
+# distribution-points - PKITS Test 4.14                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.14
+description="Distribution Points"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/import-all-certs b/tests/pkits/import-all-certs
new file mode 100755
index 0000000..51f3253
--- /dev/null
+++ b/tests/pkits/import-all-certs
@@ -0,0 +1,58 @@
+#!/bin/sh
+# import-all-certs - GnuPG import test                     -*- sh -*-
+# Copyright (C) 2004, 2008 Free Software Foundation, Inc. 
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=6
+description="GnuPG Import"
+info "Running $description tests"
+
+while read flag dummy section name; do 
+    case $flag in \#*) continue ;; esac
+    [ -z "$(echo $flag)" ] && continue;
+
+    description="import $name"
+    if ${GPGSM} -q --import certs/$name ; then
+        if [ "$flag" = 'p' ]; then
+            pass "importing certificate \`$name' succeeded"
+        elif [ "$flag" = 'f' ]; then
+            fail "importing certificate \`$name' succeeded"
+        elif [ "$flag" = '?' ]; then
+            unresolved "importing certificate \`$name' succeeded"
+        elif [ "$flag" = 'u' ]; then
+            skip "importing certificate \`$name' succeeded"
+        else
+            info "importing certificate \`$name' succeeded - (flag=$flag)"
+        fi
+    else
+        if [ "$flag" = 'p' ]; then
+            fail "importing certificate \`$name' failed"
+        elif [ "$flag" = 'f' ]; then
+            pass "importing certificate \`$name' failed"
+        elif [ "$flag" = '?' ]; then
+            unresolved "importing certificate \`$name' failed"
+        elif [ "$flag" = 'u' ]; then
+            skip "importing certificate \`$name' failed"
+        else
+            info "importing certificate \`$name' failed - (flag=$flag)"
+        fi
+    fi
+done < $srcdir/import-all-certs.data
+
+final_result
diff --git a/tests/pkits/import-all-certs.data b/tests/pkits/import-all-certs.data
new file mode 100644
index 0000000..e91b9f1
--- /dev/null
+++ b/tests/pkits/import-all-certs.data
@@ -0,0 +1,471 @@
+# The first column is for the basic import test, the second for a
+# validation test, the third is the section number and th foruth the
+# filename of the certificate.
+   
+# Make sure that the root certificate is imported first
+p p 6.1.5.1 TrustAnchorRootCertificate.crt
+   
+p p 6.1.5.168 AllCertificatesNoPoliciesTest2EE.crt
+p p 6.1.5.204 AllCertificatesSamePoliciesTest10EE.crt
+p p 6.1.5.211 AllCertificatesSamePoliciesTest13EE.crt
+p p 6.1.5.207 AllCertificatesanyPolicyTest11EE.crt
+p p 6.1.5.212 AnyPolicyTest14EE.crt
+p p 6.1.5.41 BadCRLIssuerNameCACert.crt
+p p 6.1.5.38 BadCRLSignatureCACert.crt
+f f 6.1.5.6 BadSignedCACert.crt
+p f 6.1.5.16 BadnotAfterDateCACert.crt
+   
+# UTC: "470101120100Z" i.e. not before 2047-01-01
+p f 6.1.5.10 BadnotBeforeDateCACert.crt
+   
+p p 6.1.5.88 BasicSelfIssuedCRLSigningKeyCACert.crt
+p p 6.1.5.90 BasicSelfIssuedCRLSigningKeyCRLCert.crt
+   
+p p 6.1.5.76 BasicSelfIssuedNewKeyCACert.crt
+p p 6.1.5.78 BasicSelfIssuedNewKeyOldWithNewCACert.crt
+p p 6.1.5.81 BasicSelfIssuedOldKeyCACert.crt
+p p 6.1.5.83 BasicSelfIssuedOldKeyNewWithOldCACert.crt
+   
+p p 6.1.5.218 CPSPointerQualifierTest20EE.crt
+   
+p u 6.1.5.572 DSACACert.crt
+u u 6.1.5.575 DSAParametersInheritedCACert.crt
+   
+p p 6.1.5.210 DifferentPoliciesTest12EE.crt
+p p 6.1.5.171 DifferentPoliciesTest3EE.crt
+p p 6.1.5.174 DifferentPoliciesTest4EE.crt
+p p 6.1.5.177 DifferentPoliciesTest5EE.crt
+p p 6.1.5.191 DifferentPoliciesTest7EE.crt
+p p 6.1.5.198 DifferentPoliciesTest8EE.crt
+p p 6.1.5.203 DifferentPoliciesTest9EE.crt
+p p 6.1.5.64 GeneralizedTimeCRLnextUpdateCACert.crt
+p p 6.1.5.3 GoodCACert.crt
+p p 6.1.5.172 GoodsubCACert.crt
+   
+# gpgsm: critical certificate extension 2.5.29.33 (policyMappings)
+# is not supported
+p u 6.1.5.300 GoodsubCAPanyPolicyMapping1to2CACert.crt
+   
+p f 6.1.5.43 InvalidBadCRLIssuerNameTest5EE.crt
+   
+p f 6.1.5.40 InvalidBadCRLSignatureTest4EE.crt
+p f 6.1.5.93 InvalidBasicSelfIssuedCRLSigningKeyTest7EE.crt
+   
+p f 6.1.5.94 InvalidBasicSelfIssuedCRLSigningKeyTest8EE.crt
+   
+p f 6.1.5.87 InvalidBasicSelfIssuedNewWithOldTest5EE.crt
+   
+p f 6.1.5.80 InvalidBasicSelfIssuedOldWithNewTest2EE.crt
+   
+p f 6.1.5.8 InvalidCASignatureTest2EE.crt
+   
+p f 6.1.5.18 InvalidCAnotAfterDateTest5EE.crt
+p f 6.1.5.12 InvalidCAnotBeforeDateTest1EE.crt
+p f 6.1.5.439 InvalidDNSnameConstraintsTest31EE.crt
+p f 6.1.5.443 InvalidDNSnameConstraintsTest33EE.crt
+p f 6.1.5.562 InvalidDNSnameConstraintsTest38EE.crt
+p f 6.1.5.434 InvalidDNandRFC822nameConstraintsTest28EE.crt
+p f 6.1.5.435 InvalidDNandRFC822nameConstraintsTest29EE.crt
+p f 6.1.5.399 InvalidDNnameConstraintsTest10EE.crt
+p f 6.1.5.403 InvalidDNnameConstraintsTest12EE.crt
+p f 6.1.5.406 InvalidDNnameConstraintsTest13EE.crt
+p f 6.1.5.410 InvalidDNnameConstraintsTest15EE.crt
+p f 6.1.5.411 InvalidDNnameConstraintsTest16EE.crt
+p f 6.1.5.414 InvalidDNnameConstraintsTest17EE.crt
+   
+p f 6.1.5.418 InvalidDNnameConstraintsTest20EE.crt
+   
+p f 6.1.5.383 InvalidDNnameConstraintsTest2EE.crt
+p f 6.1.5.384 InvalidDNnameConstraintsTest3EE.crt
+p f 6.1.5.392 InvalidDNnameConstraintsTest7EE.crt
+p f 6.1.5.395 InvalidDNnameConstraintsTest8EE.crt
+p f 6.1.5.396 InvalidDNnameConstraintsTest9EE.crt
+   
+p u 6.1.5.578 InvalidDSASignatureTest6EE.crt
+   
+p f 6.1.5.9 InvalidEESignatureTest3EE.crt
+   
+p f 6.1.5.19 InvalidEEnotAfterDateTest6EE.crt
+p f 6.1.5.13 InvalidEEnotBeforeDateTest2EE.crt
+p f 6.1.5.500 InvalidIDPwithindirectCRLTest23EE.crt
+p f 6.1.5.504 InvalidIDPwithindirectCRLTest26EE.crt
+p f 6.1.5.75 InvalidLongSerialNumberTest18EE.crt
+p f 6.1.5.293 InvalidMappingFromanyPolicyTest7EE.crt
+p f 6.1.5.296 InvalidMappingToanyPolicyTest8EE.crt
+p f 6.1.5.33 InvalidMissingCRLTest1EE.crt
+p f 6.1.5.97 InvalidMissingbasicConstraintsTest1EE.crt
+p f 6.1.5.25 InvalidNameChainingOrderTest2EE.crt
+p f 6.1.5.22 InvalidNameChainingTest1EE.crt
+p f 6.1.5.70 InvalidNegativeSerialNumberTest15EE.crt
+p f 6.1.5.60 InvalidOldCRLnextUpdateTest11EE.crt
+p f 6.1.5.302 InvalidPolicyMappingTest10EE.crt
+p f 6.1.5.276 InvalidPolicyMappingTest2EE.crt
+p f 6.1.5.284 InvalidPolicyMappingTest4EE.crt
+p f 6.1.5.422 InvalidRFC822nameConstraintsTest22EE.crt
+p f 6.1.5.426 InvalidRFC822nameConstraintsTest24EE.crt
+p f 6.1.5.430 InvalidRFC822nameConstraintsTest26EE.crt
+p f 6.1.5.36 InvalidRevokedCATest2EE.crt
+p f 6.1.5.37 InvalidRevokedEETest3EE.crt
+   
+p f 6.1.5.379 InvalidSelfIssuedinhibitAnyPolicyTest10EE.crt
+   
+p f 6.1.5.376 InvalidSelfIssuedinhibitAnyPolicyTest8EE.crt
+p f 6.1.5.348 InvalidSelfIssuedinhibitPolicyMappingTest10EE.crt
+p f 6.1.5.349 InvalidSelfIssuedinhibitPolicyMappingTest11EE.crt
+p f 6.1.5.345 InvalidSelfIssuedinhibitPolicyMappingTest8EE.crt
+p f 6.1.5.346 InvalidSelfIssuedinhibitPolicyMappingTest9EE.crt
+p f 6.1.5.143 InvalidSelfIssuedpathLenConstraintTest16EE.crt
+p f 6.1.5.270 InvalidSelfIssuedrequireExplicitPolicyTest7EE.crt
+p f 6.1.5.272 InvalidSelfIssuedrequireExplicitPolicyTest8EE.crt
+   
+p f 6.1.5.567 InvalidSeparateCertificateandCRLKeysTest20EE.crt
+p f 6.1.5.571 InvalidSeparateCertificateandCRLKeysTest21EE.crt
+   
+p f 6.1.5.447 InvalidURInameConstraintsTest35EE.crt
+p f 6.1.5.451 InvalidURInameConstraintsTest37EE.crt
+p f 6.1.5.53 InvalidUnknownCRLEntryExtensionTest8EE.crt
+p f 6.1.5.57 InvalidUnknownCRLExtensionTest10EE.crt
+p f 6.1.5.56 InvalidUnknownCRLExtensionTest9EE.crt
+p f 6.1.5.546 InvalidUnknownCriticalCertificateExtensionTest2EE.crt
+p f 6.1.5.46 InvalidWrongCRLTest6EE.crt
+p f 6.1.5.100 InvalidcAFalseTest2EE.crt
+p f 6.1.5.103 InvalidcAFalseTest3EE.crt
+p f 6.1.5.505 InvalidcRLIssuerTest27EE.crt
+p f 6.1.5.519 InvalidcRLIssuerTest31EE.crt
+p f 6.1.5.520 InvalidcRLIssuerTest32EE.crt
+p f 6.1.5.522 InvalidcRLIssuerTest34EE.crt
+p f 6.1.5.523 InvalidcRLIssuerTest35EE.crt
+p f 6.1.5.526 InvaliddeltaCRLIndicatorNoBaseTest1EE.crt
+p f 6.1.5.544 InvaliddeltaCRLTest10EE.crt
+p f 6.1.5.531 InvaliddeltaCRLTest3EE.crt
+p f 6.1.5.532 InvaliddeltaCRLTest4EE.crt
+p f 6.1.5.534 InvaliddeltaCRLTest6EE.crt
+p f 6.1.5.540 InvaliddeltaCRLTest9EE.crt
+p f 6.1.5.455 InvaliddistributionPointTest2EE.crt
+p f 6.1.5.456 InvaliddistributionPointTest3EE.crt
+p f 6.1.5.461 InvaliddistributionPointTest6EE.crt
+p f 6.1.5.463 InvaliddistributionPointTest8EE.crt
+p f 6.1.5.464 InvaliddistributionPointTest9EE.crt
+p f 6.1.5.352 InvalidinhibitAnyPolicyTest1EE.crt
+p f 6.1.5.359 InvalidinhibitAnyPolicyTest4EE.crt
+p f 6.1.5.366 InvalidinhibitAnyPolicyTest5EE.crt
+p f 6.1.5.369 InvalidinhibitAnyPolicyTest6EE.crt
+p f 6.1.5.313 InvalidinhibitPolicyMappingTest1EE.crt
+p f 6.1.5.321 InvalidinhibitPolicyMappingTest3EE.crt
+p f 6.1.5.331 InvalidinhibitPolicyMappingTest5EE.crt
+p f 6.1.5.336 InvalidinhibitPolicyMappingTest6EE.crt
+p f 6.1.5.162 InvalidkeyUsageCriticalcRLSignFalseTest4EE.crt
+p f 6.1.5.153 InvalidkeyUsageCriticalkeyCertSignFalseTest1EE.crt
+p f 6.1.5.165 InvalidkeyUsageNotCriticalcRLSignFalseTest5EE.crt
+p f 6.1.5.156 InvalidkeyUsageNotCriticalkeyCertSignFalseTest2EE.crt
+p f 6.1.5.477 InvalidonlyContainsAttributeCertsTest14EE.crt
+p f 6.1.5.473 InvalidonlyContainsCACertsTest12EE.crt
+p f 6.1.5.470 InvalidonlyContainsUserCertsTest11EE.crt
+p f 6.1.5.481 InvalidonlySomeReasonsTest15EE.crt
+p f 6.1.5.482 InvalidonlySomeReasonsTest16EE.crt
+p f 6.1.5.486 InvalidonlySomeReasonsTest17EE.crt
+p f 6.1.5.495 InvalidonlySomeReasonsTest20EE.crt
+p f 6.1.5.496 InvalidonlySomeReasonsTest21EE.crt
+p f 6.1.5.122 InvalidpathLenConstraintTest10EE.crt
+p f 6.1.5.129 InvalidpathLenConstraintTest11EE.crt
+p f 6.1.5.130 InvalidpathLenConstraintTest12EE.crt
+p f 6.1.5.111 InvalidpathLenConstraintTest5EE.crt
+p f 6.1.5.112 InvalidpathLenConstraintTest6EE.crt
+p f 6.1.5.121 InvalidpathLenConstraintTest9EE.crt
+p f 6.1.5.63 Invalidpre2000CRLnextUpdateTest12EE.crt
+p f 6.1.5.20 Invalidpre2000UTCEEnotAfterDateTest7EE.crt
+p f 6.1.5.245 InvalidrequireExplicitPolicyTest3EE.crt
+p f 6.1.5.263 InvalidrequireExplicitPolicyTest5EE.crt
+p p 6.1.5.71 LongSerialNumberCACert.crt
+p p 6.1.5.273 Mapping1to2CACert.crt
+p p 6.1.5.291 MappingFromanyPolicyCACert.crt
+p p 6.1.5.294 MappingToanyPolicyCACert.crt
+p p 6.1.5.95 MissingbasicConstraintsCACert.crt
+p p 6.1.5.23 NameOrderingCACert.crt
+p p 6.1.5.67 NegativeSerialNumberCACert.crt
+p p 6.1.5.32 NoCRLCACert.crt
+p p 6.1.5.166 NoPoliciesCACert.crt
+p p 6.1.5.465 NoissuingDistributionPointCACert.crt
+p p 6.1.5.58 OldCRLnextUpdateCACert.crt
+p p 6.1.5.184 OverlappingPoliciesTest6EE.crt
+p p 6.1.5.277 P12Mapping1to3CACert.crt
+p p 6.1.5.279 P12Mapping1to3subCACert.crt
+p p 6.1.5.281 P12Mapping1to3subsubCACert.crt
+p p 6.1.5.285 P1Mapping1to234CACert.crt
+p p 6.1.5.287 P1Mapping1to234subCACert.crt
+p p 6.1.5.305 P1anyPolicyMapping1to2CACert.crt
+p p 6.1.5.297 PanyPolicyMapping1to2CACert.crt
+p p 6.1.5.178 PoliciesP1234CACert.crt
+p p 6.1.5.180 PoliciesP1234subCAP123Cert.crt
+p p 6.1.5.182 PoliciesP1234subsubCAP123P12Cert.crt
+p p 6.1.5.185 PoliciesP123CACert.crt
+p p 6.1.5.187 PoliciesP123subCAP12Cert.crt
+p p 6.1.5.189 PoliciesP123subsubCAP12P1Cert.crt
+p p 6.1.5.199 PoliciesP123subsubCAP12P2Cert.crt
+p p 6.1.5.201 PoliciesP123subsubsubCAP12P2P1Cert.crt
+p p 6.1.5.192 PoliciesP12CACert.crt
+p p 6.1.5.194 PoliciesP12subCAP1Cert.crt
+p p 6.1.5.196 PoliciesP12subsubCAP1P2Cert.crt
+p p 6.1.5.175 PoliciesP2subCA2Cert.crt
+p p 6.1.5.169 PoliciesP2subCACert.crt
+p p 6.1.5.208 PoliciesP3CACert.crt
+p p 6.1.5.547 RFC3280MandatoryAttributeTypesCACert.crt
+p p 6.1.5.550 RFC3280OptionalAttributeTypesCACert.crt
+p p 6.1.5.34 RevokedsubCACert.crt
+p p 6.1.5.556 RolloverfromPrintableStringtoUTF8StringCACert.crt
+p p 6.1.5.569 SeparateCertificateandCRLKeysCA2CRLSigningCert.crt
+p p 6.1.5.568 SeparateCertificateandCRLKeysCA2CertificateSigningCACert.crt
+p p 6.1.5.564 SeparateCertificateandCRLKeysCRLSigningCert.crt
+p p 6.1.5.563 SeparateCertificateandCRLKeysCertificateSigningCACert.crt
+p p 6.1.5.47 TwoCRLsCACert.crt
+p p 6.1.5.29 UIDCACert.crt
+p p 6.1.5.559 UTF8StringCaseInsensitiveMatchCACert.crt
+p p 6.1.5.553 UTF8StringEncodedNamesCACert.crt
+p p 6.1.5.51 UnknownCRLEntryExtensionCACert.crt
+p p 6.1.5.54 UnknownCRLExtensionCACert.crt
+p p 6.1.5.213 UserNoticeQualifierTest15EE.crt
+p p 6.1.5.214 UserNoticeQualifierTest16EE.crt
+p p 6.1.5.215 UserNoticeQualifierTest17EE.crt
+p p 6.1.5.216 UserNoticeQualifierTest18EE.crt
+p p 6.1.5.217 UserNoticeQualifierTest19EE.crt
+p p 6.1.5.92 ValidBasicSelfIssuedCRLSigningKeyTest6EE.crt
+   
+p p 6.1.5.85 ValidBasicSelfIssuedNewWithOldTest3EE.crt
+p p 6.1.5.86 ValidBasicSelfIssuedNewWithOldTest4EE.crt
+p p 6.1.5.79 ValidBasicSelfIssuedOldWithNewTest1EE.crt
+   
+p p 6.1.5.5 ValidCertificatePathTest1EE.crt
+p p 6.1.5.438 ValidDNSnameConstraintsTest30EE.crt
+p p 6.1.5.442 ValidDNSnameConstraintsTest32EE.crt
+p p 6.1.5.433 ValidDNandRFC822nameConstraintsTest27EE.crt
+p p 6.1.5.400 ValidDNnameConstraintsTest11EE.crt
+   
+# This certificate has an empty subject sequence.  Our parser does not
+# support this yet and it is unlikely that gpgsm will be able to cope
+# with it at all.
+u u 6.1.5.407 ValidDNnameConstraintsTest14EE.crt
+   
+p p 6.1.5.415 ValidDNnameConstraintsTest18EE.crt
+p p 6.1.5.417 ValidDNnameConstraintsTest19EE.crt
+   
+p p 6.1.5.382 ValidDNnameConstraintsTest1EE.crt
+p p 6.1.5.385 ValidDNnameConstraintsTest4EE.crt
+p p 6.1.5.388 ValidDNnameConstraintsTest5EE.crt
+p p 6.1.5.391 ValidDNnameConstraintsTest6EE.crt
+   
+u p 6.1.5.577 ValidDSAParameterInheritanceTest5EE.crt
+u p 6.1.5.574 ValidDSASignaturesTest4EE.crt
+   
+p p 6.1.5.66 ValidGeneralizedTimeCRLnextUpdateTest13EE.crt
+p p 6.1.5.21 ValidGeneralizedTimenotAfterDateTest8EE.crt
+p p 6.1.5.15 ValidGeneralizedTimenotBeforeDateTest4EE.crt
+p p 6.1.5.499 ValidIDPwithindirectCRLTest22EE.crt
+p p 6.1.5.502 ValidIDPwithindirectCRLTest24EE.crt
+p p 6.1.5.503 ValidIDPwithindirectCRLTest25EE.crt
+p p 6.1.5.73 ValidLongSerialNumberTest16EE.crt
+p p 6.1.5.74 ValidLongSerialNumberTest17EE.crt
+p p 6.1.5.28 ValidNameChainingCapitalizationTest5EE.crt
+p p 6.1.5.26 ValidNameChainingWhitespaceTest3EE.crt
+p p 6.1.5.27 ValidNameChainingWhitespaceTest4EE.crt
+p p 6.1.5.31 ValidNameUIDsTest6EE.crt
+p p 6.1.5.69 ValidNegativeSerialNumberTest14EE.crt
+p p 6.1.5.467 ValidNoissuingDistributionPointTest10EE.crt
+p p 6.1.5.303 ValidPolicyMappingTest11EE.crt
+p p 6.1.5.304 ValidPolicyMappingTest12EE.crt
+p p 6.1.5.307 ValidPolicyMappingTest13EE.crt
+p p 6.1.5.308 ValidPolicyMappingTest14EE.crt
+p p 6.1.5.275 ValidPolicyMappingTest1EE.crt
+p p 6.1.5.283 ValidPolicyMappingTest3EE.crt
+p p 6.1.5.289 ValidPolicyMappingTest5EE.crt
+p p 6.1.5.290 ValidPolicyMappingTest6EE.crt
+p p 6.1.5.299 ValidPolicyMappingTest9EE.crt
+p p 6.1.5.549 ValidRFC3280MandatoryAttributeTypesTest7EE.crt
+p p 6.1.5.552 ValidRFC3280OptionalAttributeTypesTest8EE.crt
+p p 6.1.5.421 ValidRFC822nameConstraintsTest21EE.crt
+p p 6.1.5.425 ValidRFC822nameConstraintsTest23EE.crt
+p p 6.1.5.429 ValidRFC822nameConstraintsTest25EE.crt
+p p 6.1.5.558 ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt
+p p 6.1.5.373 ValidSelfIssuedinhibitAnyPolicyTest7EE.crt
+   
+p p 6.1.5.378 ValidSelfIssuedinhibitAnyPolicyTest9EE.crt
+   
+p p 6.1.5.342 ValidSelfIssuedinhibitPolicyMappingTest7EE.crt
+   
+p ? 6.1.5.140 ValidSelfIssuedpathLenConstraintTest15EE.crt
+   
+p p 6.1.5.150 ValidSelfIssuedpathLenConstraintTest17EE.crt
+   
+p ? 6.1.5.267 ValidSelfIssuedrequireExplicitPolicyTest6EE.crt
+   
+p ? 6.1.5.566 ValidSeparateCertificateandCRLKeysTest19EE.crt
+   
+p p 6.1.5.50 ValidTwoCRLsTest7EE.crt
+p p 6.1.5.446 ValidURInameConstraintsTest34EE.crt
+p p 6.1.5.450 ValidURInameConstraintsTest36EE.crt
+p p 6.1.5.561 ValidUTF8StringCaseInsensitiveMatchTest11EE.crt
+p p 6.1.5.555 ValidUTF8StringEncodedNamesTest9EE.crt
+p p 6.1.5.545 ValidUnknownNotCriticalCertificateExtensionTest1EE.crt
+p p 6.1.5.106 ValidbasicConstraintsNotCriticalTest4EE.crt
+p p 6.1.5.510 ValidcRLIssuerTest28EE.crt
+p p 6.1.5.511 ValidcRLIssuerTest29EE.crt
+p p 6.1.5.515 ValidcRLIssuerTest30EE.crt
+p p 6.1.5.521 ValidcRLIssuerTest33EE.crt
+p p 6.1.5.530 ValiddeltaCRLTest2EE.crt
+p p 6.1.5.533 ValiddeltaCRLTest5EE.crt
+p p 6.1.5.535 ValiddeltaCRLTest7EE.crt
+p p 6.1.5.539 ValiddeltaCRLTest8EE.crt
+p p 6.1.5.454 ValiddistributionPointTest1EE.crt
+p p 6.1.5.457 ValiddistributionPointTest4EE.crt
+p p 6.1.5.460 ValiddistributionPointTest5EE.crt
+p p 6.1.5.462 ValiddistributionPointTest7EE.crt
+p p 6.1.5.353 ValidinhibitAnyPolicyTest2EE.crt
+p p 6.1.5.318 ValidinhibitPolicyMappingTest2EE.crt
+p p 6.1.5.322 ValidinhibitPolicyMappingTest4EE.crt
+p p 6.1.5.159 ValidkeyUsageNotCriticalTest3EE.crt
+p p 6.1.5.474 ValidonlyContainsCACertsTest13EE.crt
+p p 6.1.5.490 ValidonlySomeReasonsTest18EE.crt
+p p 6.1.5.494 ValidonlySomeReasonsTest19EE.crt
+p p 6.1.5.137 ValidpathLenConstraintTest13EE.crt
+p p 6.1.5.138 ValidpathLenConstraintTest14EE.crt
+p p 6.1.5.113 ValidpathLenConstraintTest7EE.crt
+p p 6.1.5.114 ValidpathLenConstraintTest8EE.crt
+p p 6.1.5.14 Validpre2000UTCnotBeforeDateTest3EE.crt
+p p 6.1.5.227 ValidrequireExplicitPolicyTest1EE.crt
+p p 6.1.5.236 ValidrequireExplicitPolicyTest2EE.crt
+p p 6.1.5.254 ValidrequireExplicitPolicyTest4EE.crt
+p p 6.1.5.44 WrongCRLCACert.crt
+p p 6.1.5.205 anyPolicyCACert.crt
+p p 6.1.5.98 basicConstraintsCriticalcAFalseCACert.crt
+p p 6.1.5.104 basicConstraintsNotCriticalCACert.crt
+p p 6.1.5.101 basicConstraintsNotCriticalcAFalseCACert.crt
+p p 6.1.5.527 deltaCRLCA1Cert.crt
+p p 6.1.5.536 deltaCRLCA2Cert.crt
+p p 6.1.5.541 deltaCRLCA3Cert.crt
+p p 6.1.5.524 deltaCRLIndicatorNoBaseCACert.crt
+p p 6.1.5.452 distributionPoint1CACert.crt
+p p 6.1.5.458 distributionPoint2CACert.crt
+p p 6.1.5.497 indirectCRLCA1Cert.crt
+p p 6.1.5.501 indirectCRLCA2Cert.crt
+p p 6.1.5.506 indirectCRLCA3Cert.crt
+p p 6.1.5.508 indirectCRLCA3cRLIssuerCert.crt
+p p 6.1.5.512 indirectCRLCA4Cert.crt
+p p 6.1.5.513 indirectCRLCA4cRLIssuerCert.crt
+p p 6.1.5.516 indirectCRLCA5Cert.crt
+p p 6.1.5.518 indirectCRLCA6Cert.crt
+p p 6.1.5.350 inhibitAnyPolicy0CACert.crt
+p p 6.1.5.354 inhibitAnyPolicy1CACert.crt
+   
+p ? 6.1.5.370 inhibitAnyPolicy1SelfIssuedCACert.crt
+p ? 6.1.5.377 inhibitAnyPolicy1SelfIssuedsubCA2Cert.crt
+   
+p p 6.1.5.356 inhibitAnyPolicy1subCA1Cert.crt
+   
+? ? 6.1.5.371 inhibitAnyPolicy1subCA2Cert.crt
+   
+p p 6.1.5.367 inhibitAnyPolicy1subCAIAP5Cert.crt
+p p 6.1.5.374 inhibitAnyPolicy1subsubCA2Cert.crt
+p p 6.1.5.360 inhibitAnyPolicy5CACert.crt
+p p 6.1.5.362 inhibitAnyPolicy5subCACert.crt
+p p 6.1.5.364 inhibitAnyPolicy5subsubCACert.crt
+p p 6.1.5.358 inhibitAnyPolicyTest3EE.crt
+p p 6.1.5.309 inhibitPolicyMapping0CACert.crt
+p p 6.1.5.311 inhibitPolicyMapping0subCACert.crt
+p p 6.1.5.314 inhibitPolicyMapping1P12CACert.crt
+p p 6.1.5.316 inhibitPolicyMapping1P12subCACert.crt
+p p 6.1.5.332 inhibitPolicyMapping1P12subCAIPM5Cert.crt
+p p 6.1.5.319 inhibitPolicyMapping1P12subsubCACert.crt
+p p 6.1.5.334 inhibitPolicyMapping1P12subsubCAIPM5Cert.crt
+p p 6.1.5.337 inhibitPolicyMapping1P1CACert.crt
+   
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? 6.1.5.339 inhibitPolicyMapping1P1SelfIssuedCACert.crt
+? ? 6.1.5.347 inhibitPolicyMapping1P1SelfIssuedsubCACert.crt
+? ? 6.1.5.340 inhibitPolicyMapping1P1subCACert.crt
+   
+p p 6.1.5.343 inhibitPolicyMapping1P1subsubCACert.crt
+p p 6.1.5.323 inhibitPolicyMapping5CACert.crt
+p p 6.1.5.325 inhibitPolicyMapping5subCACert.crt
+p p 6.1.5.327 inhibitPolicyMapping5subsubCACert.crt
+p p 6.1.5.329 inhibitPolicyMapping5subsubsubCACert.crt
+p p 6.1.5.160 keyUsageCriticalcRLSignFalseCACert.crt
+p p 6.1.5.151 keyUsageCriticalkeyCertSignFalseCACert.crt
+p p 6.1.5.157 keyUsageNotCriticalCACert.crt
+p p 6.1.5.163 keyUsageNotCriticalcRLSignFalseCACert.crt
+p p 6.1.5.154 keyUsageNotCriticalkeyCertSignFalseCACert.crt
+p p 6.1.5.380 nameConstraintsDN1CACert.crt
+   
+? ? 6.1.5.416 nameConstraintsDN1SelfIssuedCACert.crt
+   
+p p 6.1.5.401 nameConstraintsDN1subCA1Cert.crt
+p p 6.1.5.404 nameConstraintsDN1subCA2Cert.crt
+p p 6.1.5.431 nameConstraintsDN1subCA3Cert.crt
+p p 6.1.5.386 nameConstraintsDN2CACert.crt
+p p 6.1.5.389 nameConstraintsDN3CACert.crt
+p p 6.1.5.408 nameConstraintsDN3subCA1Cert.crt
+p p 6.1.5.412 nameConstraintsDN3subCA2Cert.crt
+p p 6.1.5.393 nameConstraintsDN4CACert.crt
+p p 6.1.5.397 nameConstraintsDN5CACert.crt
+p p 6.1.5.436 nameConstraintsDNS1CACert.crt
+p p 6.1.5.440 nameConstraintsDNS2CACert.crt
+p p 6.1.5.419 nameConstraintsRFC822CA1Cert.crt
+p p 6.1.5.423 nameConstraintsRFC822CA2Cert.crt
+p p 6.1.5.427 nameConstraintsRFC822CA3Cert.crt
+p p 6.1.5.444 nameConstraintsURI1CACert.crt
+p p 6.1.5.448 nameConstraintsURI2CACert.crt
+p p 6.1.5.475 onlyContainsAttributeCertsCACert.crt
+p p 6.1.5.471 onlyContainsCACertsCACert.crt
+p p 6.1.5.468 onlyContainsUserCertsCACert.crt
+p p 6.1.5.478 onlySomeReasonsCA1Cert.crt
+p p 6.1.5.483 onlySomeReasonsCA2Cert.crt
+p p 6.1.5.487 onlySomeReasonsCA3Cert.crt
+p p 6.1.5.491 onlySomeReasonsCA4Cert.crt
+p p 6.1.5.107 pathLenConstraint0CACert.crt
+   
+? ? 6.1.5.139 pathLenConstraint0SelfIssuedCACert.crt
+? ? 6.1.5.141 pathLenConstraint0subCA2Cert.crt
+   
+p p 6.1.5.109 pathLenConstraint0subCACert.crt
+p p 6.1.5.144 pathLenConstraint1CACert.crt
+   
+? ? 6.1.5.146 pathLenConstraint1SelfIssuedCACert.crt
+? ? 6.1.5.149 pathLenConstraint1SelfIssuedsubCACert.crt
+? ? 6.1.5.147 pathLenConstraint1subCACert.crt
+   
+p p 6.1.5.115 pathLenConstraint6CACert.crt
+p p 6.1.5.117 pathLenConstraint6subCA0Cert.crt
+p p 6.1.5.123 pathLenConstraint6subCA1Cert.crt
+p p 6.1.5.131 pathLenConstraint6subCA4Cert.crt
+p p 6.1.5.119 pathLenConstraint6subsubCA00Cert.crt
+p p 6.1.5.125 pathLenConstraint6subsubCA11Cert.crt
+p p 6.1.5.133 pathLenConstraint6subsubCA41Cert.crt
+p p 6.1.5.127 pathLenConstraint6subsubsubCA11XCert.crt
+p p 6.1.5.135 pathLenConstraint6subsubsubCA41XCert.crt
+p p 6.1.5.61 pre2000CRLnextUpdateCACert.crt
+p p 6.1.5.246 requireExplicitPolicy0CACert.crt
+p p 6.1.5.248 requireExplicitPolicy0subCACert.crt
+p p 6.1.5.250 requireExplicitPolicy0subsubCACert.crt
+p p 6.1.5.252 requireExplicitPolicy0subsubsubCACert.crt
+p p 6.1.5.219 requireExplicitPolicy10CACert.crt
+p p 6.1.5.221 requireExplicitPolicy10subCACert.crt
+p p 6.1.5.223 requireExplicitPolicy10subsubCACert.crt
+p p 6.1.5.225 requireExplicitPolicy10subsubsubCACert.crt
+p p 6.1.5.264 requireExplicitPolicy2CACert.crt
+   
+# For yet unknown reasons gpgsm claims a bad signature.
+? ? 6.1.5.266 requireExplicitPolicy2SelfIssuedCACert.crt
+? ? 6.1.5.271 requireExplicitPolicy2SelfIssuedsubCACert.crt
+? ? 6.1.5.268 requireExplicitPolicy2subCACert.crt
+   
+p p 6.1.5.237 requireExplicitPolicy4CACert.crt
+p p 6.1.5.239 requireExplicitPolicy4subCACert.crt
+p p 6.1.5.241 requireExplicitPolicy4subsubCACert.crt
+p p 6.1.5.243 requireExplicitPolicy4subsubsubCACert.crt
+p p 6.1.5.228 requireExplicitPolicy5CACert.crt
+p p 6.1.5.230 requireExplicitPolicy5subCACert.crt
+p p 6.1.5.232 requireExplicitPolicy5subsubCACert.crt
+p p 6.1.5.234 requireExplicitPolicy5subsubsubCACert.crt
+p p 6.1.5.255 requireExplicitPolicy7CACert.crt
+p p 6.1.5.257 requireExplicitPolicy7subCARE2Cert.crt
+p p 6.1.5.259 requireExplicitPolicy7subsubCARE2RE4Cert.crt
+p p 6.1.5.261 requireExplicitPolicy7subsubsubCARE2RE4Cert.crt
+   
diff --git a/tests/pkits/inhibit-any-policy b/tests/pkits/inhibit-any-policy
new file mode 100755
index 0000000..5e625e2
--- /dev/null
+++ b/tests/pkits/inhibit-any-policy
@@ -0,0 +1,31 @@
+#!/bin/sh
+# inhibit-any-policy - PKITS Test 4.12                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.12
+description="Inhibit Any Policy"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/inhibit-policy-mapping b/tests/pkits/inhibit-policy-mapping
new file mode 100755
index 0000000..1da5f35
--- /dev/null
+++ b/tests/pkits/inhibit-policy-mapping
@@ -0,0 +1,31 @@
+#!/bin/sh
+# inhibit-policy-mapping - PKITS Test 4.11                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.11
+description="Inhibit Policy Mapping"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/inittests b/tests/pkits/inittests
new file mode 100755
index 0000000..deb1854
--- /dev/null
+++ b/tests/pkits/inittests
@@ -0,0 +1,109 @@
+#!/bin/sh
+#     	Copyright (C) 2004 Free Software Foundation, Inc.  -*- sh -*-
+#
+# This file is free software; as a special exception the author gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+#
+# This file is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+set -e
+
+
+clean_files='
+ReadMe.txt pkits.ldif pkits.schema
+gpgsm.conf gpg-agent.conf trustlist.txt policies.txt pubring.kbx
+msg msg.sig msg.unsig
+'
+
+[ -z "$srcdir" ] && srcdir=.
+[ -z "$GPGSM" ] && GPGSM=../../sm/gpgsm
+
+#if [ -f $srcdir/README ] \
+#   && grep tests/pkits/README README >/dev/null 2>&1; then
+# :
+#else
+#   # During make distclean the Makefile has already been removed,
+#   # so we need this extra test.
+#   if ! grep gnupg-test-pkits-directory testdir.stamp >/dev/null 2>&1; then
+#      echo "inittests: please cd to the tests/pkits directory first" >&2
+#      exit 1
+#   fi
+#fi
+
+if [ "$1" = "--clean" ]; then
+    if [ -d private-keys-v1.d ]; then
+       rm private-keys-v1.d/* 2>/dev/null || true
+       rmdir private-keys-v1.d
+    fi
+    rm ${clean_files} testdir.stamp 2>/dev/null || true
+    for i in certs certpairs crls pkcs12 smime; do 
+        if [ -d $i ]; then
+            rm $i/* 2>/dev/null || true
+            rmdir $i
+        fi
+    done
+    exit 0
+fi
+
+if [ "$GNUPGHOME" != "`/bin/pwd`" ]; then
+    echo "inittests: please set GNUPGHOME to the tests/pkits directory" >&2
+    exit 1
+fi
+
+if [ -n "$GPG_AGENT_INFO" ]; then
+    echo "inittests: please unset GPG_AGENT_INFO" >&2
+    exit 1
+fi
+
+if test -f "$srcdir/PKITS_data.tar.bz2"; then
+  if ! bunzip2 -c "$srcdir/PKITS_data.tar.bz2" | tar xf - ; then
+    echo "inittests: failed to untar the test data" >&2
+    exit 1
+  fi    
+fi
+
+# A stamp file used with --clean
+echo gnupg-test-pkits-directory > testdir.stamp
+
+
+# Create the configuration scripts
+cat > gpgsm.conf <<EOF
+no-secmem-warning
+no-greeting
+batch
+disable-crl-checks
+disable-dirmngr
+agent-program ../../agent/gpg-agent
+no-common-certs-import
+EOF
+
+# The set of NIST test policies which should be used if anyPolicy is
+# not supported.
+cat > policies.txt <<EOF
+2.16.840.1.101.3.2.1.48.1
+2.16.840.1.101.3.2.1.48.2
+2.16.840.1.101.3.2.1.48.3
+2.16.840.1.101.3.2.1.48.4
+2.16.840.1.101.3.2.1.48.5
+2.16.840.1.101.3.2.1.48.6
+EOF
+
+# Fixme: we need to write a dummy pinentry program
+cat > gpg-agent.conf <<EOF
+no-grab
+disable-scdaemon
+EOF
+
+# Mark the root CA trusted
+cat > trustlist.txt <<EOF
+# /CN=Trust Anchor/O=Test Certificates/C=US
+66:8A:47:56:A2:DC:88:FF:DA:B8:95:E1:3C:63:37:55:5F:0A:F7:BF S
+EOF
+
+# Define the standard policies as NIST test-policy-1
+#cat >policies.txt <<EOF
+#2.16.840.1.101.3.2.1.48.1
+#EOF
diff --git a/tests/pkits/key-usage b/tests/pkits/key-usage
new file mode 100755
index 0000000..6e10bb9
--- /dev/null
+++ b/tests/pkits/key-usage
@@ -0,0 +1,28 @@
+#!/bin/sh
+# key-usage - PKITS Test 4.7                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.7
+description="Key Usage"
+info "Running $description tests"
+
+
+
+final_result
diff --git a/tests/pkits/name-constraints b/tests/pkits/name-constraints
new file mode 100755
index 0000000..8e36c28
--- /dev/null
+++ b/tests/pkits/name-constraints
@@ -0,0 +1,31 @@
+#!/bin/sh
+# name-constraints - PKITS Test 4.13                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.13
+description="Name Constraints"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/policy-mappings b/tests/pkits/policy-mappings
new file mode 100755
index 0000000..8ce9ee8
--- /dev/null
+++ b/tests/pkits/policy-mappings
@@ -0,0 +1,31 @@
+#!/bin/sh
+# policy-mappings - PKITS Test 4.10                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.10
+description="Policy Mappings"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/private-certificate-extensions b/tests/pkits/private-certificate-extensions
new file mode 100755
index 0000000..43f3425
--- /dev/null
+++ b/tests/pkits/private-certificate-extensions
@@ -0,0 +1,31 @@
+#!/bin/sh
+# private-certificate-extensions - PKITS Test 4.16                 -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.16
+description="Private Certificate Extensions"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/require-explicit-policy b/tests/pkits/require-explicit-policy
new file mode 100755
index 0000000..ceb87bd
--- /dev/null
+++ b/tests/pkits/require-explicit-policy
@@ -0,0 +1,31 @@
+#!/bin/sh
+# require-explicit-policy - PKITS Test 4.9                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.9
+description="Require Explicit Policy"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/runtest b/tests/pkits/runtest
new file mode 100755
index 0000000..f054a34
--- /dev/null
+++ b/tests/pkits/runtest
@@ -0,0 +1,4 @@
+#!/bin/sh
+[ -x "$1" ] && exec $1 $2
+exec sh $1 $2
+
diff --git a/tests/pkits/signature-verification b/tests/pkits/signature-verification
new file mode 100755
index 0000000..7765371
--- /dev/null
+++ b/tests/pkits/signature-verification
@@ -0,0 +1,167 @@
+#!/bin/sh
+# signature-verification - PKITS Test 4.1                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.1
+description="Signature Verification"
+info "Running $description tests"
+
+
+start_test 4.1.1 "Valid Signatures Test1"
+# The purpose of this test is to verify an application's ability to
+# name chain, signature chain, and check validity dates, on
+# certificates in a certification path. It also tests processing of
+# the basic constraints and key usage extensions in intermediate
+# certificates.
+clean_homedir
+need_cert TrustAnchorRootCertificate
+need_crl  TrustAnchorRootCRL
+need_cert GoodCACert
+need_crl  GoodCACRL
+need_cert ValidCertificatePathTest1EE
+if $GPGSM --with-colons --with-validation --list-key 0x126B7002 >$SCRATCH; then
+    tmp=$($AWK -F: '$1 == "crt" {any=1; print $2};
+                    END {if(!any) print "error"}' $SCRATCH)
+    [ -n "$tmp" ] && set_status fail
+else
+    set_status fail
+fi
+if [ "$test_status" = "none" ]; then
+    if sed  '1,/^.$/d'  smime/SignedValidSignaturesTest1.eml \
+        | $GPGSM --verify --assume-base64 --status-fd 1 \
+        | grep TRUST_FULLY >/dev/null; then
+        set_status pass
+    else
+        set_status fail
+    fi
+fi
+end_test
+
+
+
+start_test 4.1.2 "Invalid CA Signatures Test2"
+# The purpose of this test is to verify an application's ability to
+# recognize an invalid signature on an intermediate certificate in a
+# certification path.
+clean_homedir
+need_cert TrustAnchorRootCertificate
+need_crl  TrustAnchorRootCRL
+need_cert BadSignedCACert --import-anyway
+need_crl  BadSignedCACRL
+need_cert InvalidCASignatureTest2EE  --import-anyway
+if $GPGSM --with-colons --with-validation --list-key 0xD667FE3C >$SCRATCH; then
+    tmp=$($AWK -F: '$1 == "crt" {any=1; print $2};
+                    END {if(!any) print "error"}' $SCRATCH)
+    [ "$tmp" = "i" ] || set_status fail
+else
+    set_status fail
+fi
+if [ "$test_status" = "none" ]; then
+    if sed  '1,/^.$/d' smime/SignedInvalidCASignatureTest2.eml \
+        | $GPGSM --verify --assume-base64 --status-fd 1 \
+        | grep TRUST_NEVER >/dev/null; then
+        set_status pass
+    else
+        set_status fail
+    fi
+fi
+end_test
+
+
+
+start_test 4.1.3 "Invalid EE Signature Test3"
+# The purpose of this test is to verify an application's ability to
+# recognize an invalid signature on an end entity certificate in a
+# certification path.
+clean_homedir
+need_cert TrustAnchorRootCertificate
+need_crl  TrustAnchorRootCRL
+need_cert GoodCACert
+need_crl  GoodCACRL
+need_cert InvalidEESignatureTest3EE  --import-anyway
+if $GPGSM --with-colons --with-validation --list-key 0x42E1AEE3 >$SCRATCH; then
+    tmp=$($AWK -F: '$1 == "crt" {any=1; print $2};
+                    END {if(!any) print "error"}' $SCRATCH)
+    [ "$tmp" = "i" ] || set_status fail
+else
+    set_status fail
+fi
+if [ "$test_status" = "none" ]; then
+    if sed  '1,/^.$/d' smime/SignedInvalidEESignatureTest3.eml \
+        | $GPGSM --verify --assume-base64 --status-fd 1 \
+        | grep TRUST_NEVER >/dev/null; then
+        set_status pass
+    else
+        set_status fail
+    fi
+fi
+end_test
+
+
+start_test 4.1.4 "Valid DSA Signatures Test4"
+# The purpose of this test is to verify an application's ability to
+# validate certificate in which DSA signatures are used. The
+# intermediate CA and the end entity have DSA key pairs.
+clean_homedir
+need_cert TrustAnchorRootCertificate
+need_crl  TrustAnchorRootCRL
+need_cert DSACACert
+need_crl  DSACACRL
+need_cert ValidDSASignaturesTest4EE
+if $GPGSM --with-colons --with-validation --list-key  0x820A72B8 >$SCRATCH; then
+    tmp=$($AWK -F: '$1 == "crt" {any=1; print $2};
+                    END {if(!any) print "error"}' $SCRATCH)
+    [ -n "$tmp" ] && set_status fail
+else
+    set_status fail
+fi
+if [ "$test_status" = "none" ]; then
+    # Note: This S/MIME file uses LF and not CR,LF.  */
+    if sed  '1,/^$/d' smime/SignedValidDSASignaturesTest4.eml \
+        | $GPGSM --verify --assume-base64 --status-fd 1 \
+        | grep TRUST_FULLY >/dev/null; then
+        set_status pass
+    else
+        set_status fail
+    fi
+fi
+end_test
+
+
+start_test 4.1.5 "Valid DSA Parameter Inheritance Test5"
+# The purpose of this test is to verify an application's ability to
+# validate DSA signatures when the DSA parameters are not included in
+# a certificate and need to be inherited from a previous certificate
+# in the path. The intermediate CAs and the end entity have DSA key
+# pairs.
+set_status nys
+end_test
+
+
+start_test 4.1.6 "Invalid DSA Signature Test6"
+# The purpose of this test is to verify an application's ability to
+# determine when a DSA signature is invalid. The intermediate CA and
+# the end entity have DSA key pairs.
+set_status nys
+end_test
+
+
+
+final_result
diff --git a/tests/pkits/validate-all-certs b/tests/pkits/validate-all-certs
new file mode 100755
index 0000000..b9da579
--- /dev/null
+++ b/tests/pkits/validate-all-certs
@@ -0,0 +1,59 @@
+#!/bin/sh
+# validate-all-certs - GnuPG import and validate tests       -*- sh -*-
+# Copyright (C) 2004, 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=6
+description="GnuPG Import with Validation"
+info "Running $description tests"
+
+while read dummy flag section name; do 
+    case $dummy in \#*) continue;; esac
+    [ -z "$(echo $dummy)" ] && continue;
+
+    description="import and validate $name"
+    if ${GPGSM} -q --import --with-validation --disable-crl-checks \
+             certs/$name ; then
+        if [ "$flag" = 'p' ]; then
+            pass "validating certificate \`$name' succeeded"
+        elif [ "$flag" = 'f' ]; then
+            fail "validating certificate \`$name' succeeded"
+        elif [ "$flag" = '?' ]; then
+            unresolved "validating certificate \`$name' succeeded"
+        elif [ "$flag" = 'u' ]; then
+            skip "validating certificate \`$name' succeeded"
+        else
+            info "validating certificate \`$name' succeeded - (flag=$flag)"
+        fi
+    else
+        if [ "$flag" = 'p' ]; then
+            fail "validating certificate \`$name' failed"
+        elif [ "$flag" = 'f' ]; then
+            pass "validating certificate \`$name' failed"
+        elif [ "$flag" = '?' ]; then
+            unresolved "validating certificate \`$name' failed"
+        elif [ "$flag" = 'u' ]; then
+            skip "validating certificate \`$name' failed"
+        else
+            info "validating certificate \`$name' failed - (flag=$flag)"
+        fi
+    fi
+done < $srcdir/import-all-certs.data
+
+final_result
diff --git a/tests/pkits/validity-periods b/tests/pkits/validity-periods
new file mode 100755
index 0000000..90f1764
--- /dev/null
+++ b/tests/pkits/validity-periods
@@ -0,0 +1,218 @@
+#!/bin/sh
+# validity-periods - PKITS Test 4.2                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.2
+description="Validity Periods"
+info "Running $description tests"
+
+start_test 4.2.1 "Invalid CA notBefore Date Test1"
+# In this test, the intermediate certificate's notBefore date is after
+# the current date.
+clean_homedir
+need_cert TrustAnchorRootCertificate
+need_crl  TrustAnchorRootCRL
+need_cert BadnotBeforeDateCACert
+need_crl  BadnotBeforeDateCACRL
+need_cert InvalidCAnotBeforeDateTest1EE
+if $GPGSM --faked-system-time $MYTIME \
+          --with-colons --with-validation --list-key 0x459ADD33 >$SCRATCH; then
+    tmp=$($AWK -F: '$1 == "crt" {any=1; print $2};
+                    END {if(!any) print "error"}' $SCRATCH)
+    [ "$tmp" = "i" ] || set_status fail
+else
+    set_status fail
+fi
+if [ "$test_status" = "none" ]; then
+    if sed  '1,/^.$/d' smime/SignedInvalidCAnotBeforeDateTest1.eml \
+        | $GPGSM --faked-system-time $MYTIME \
+                 --verify --assume-base64 --status-fd 1 --logger-fd 1 \
+        | tee $SCRATCH \
+        | grep TRUST_UNDEFINED >/dev/null; then
+        if grep 'intermediate certificate not yet valid' $SCRATCH >/dev/null \
+            && grep 'invalid certification chain: Certificate too young' \
+                    $SCRATCH >/dev/null
+          then
+            set_status pass
+        fi
+    fi
+    set_status fail
+fi
+end_test
+
+
+start_test 4.2.2 "Invalid EE notBefore Date Test2"
+# In this test, the end entity certificate's notBefore date is after
+# the current date.
+
+#    Procedure: Validate Invalid EE notBefore Date Test2 EE using the
+#    default settings or open and verify Signed Test Message 6.2.2.5
+#    using the default settings.
+
+#    Expected Result: The path should not validate successfully as the
+#    notBefore date in the end entity certificate is after the current
+#    date.
+
+#    Certification Path: The certification path is composed of the
+#    following objects: Trust Anchor Root Certificate, Trust Anchor
+#    Root CRL Good CA Cert, Good CA CRL Invalid EE notBefore Date
+#    Test2 EE
+
+end_test
+
+
+
+start_test 4.2.3 "Valid pre2000 UTC notBefore Date Test3"
+# In this test, the end entity certificate's notBefore date is set to
+# 1950 and is encoded in UTCTime.
+#
+#    Procedure: Validate Valid pre2000 UTC notBefore Date Test3 EE
+#                             using the default settings or open and
+#                             verify Signed Test Message 6.2.2.6 using
+#                             the default settings.
+#
+#    Expected Result: The path should validate successfully as the
+#                             notBefore date in the end entity
+#                             certificate is before the current date.
+#
+#    Certification Path: The certification path is composed of the
+#                 following objects: Trust Anchor Root Certificate,
+#                 Trust Anchor Root CRL Good CA Cert, Good CA CRL Valid
+#                 pre2000 UTC notBefore Date Test3 EE
+#
+end_test 
+
+
+
+start_test 4.2.4 "Valid GeneralizedTime notBefore Date Test4"
+# In this test, the end entity certificate's notBefore date is
+# specified in GeneralizedTime.
+#
+#    Procedure: Validate Valid GeneralizedTime notBefore Date Test4 EE
+#                             using the default settings or open and
+#                             verify Signed Test Message 6.2.2.7 using
+#                             the default settings.
+#
+#    Expected Result:         The path should validate successfully.
+#
+#    Certification Path: 
+#     The certification path is composed of the following objects:
+#                 Trust Anchor Root Certificate, Trust Anchor Root CRL
+#                 Good CA Cert, Good CA CRL
+#                 Valid GeneralizedTime notBefore Date Test4 EE
+#
+end_test
+
+
+                
+start_test 4.2.5 "Invalid CA notAfter Date Test5"
+# In this test, the intermediate certificate's notAfter date is before
+# the current date.
+
+#    Procedure: Validate Invalid CA notAfter Date Test5 EE using the
+#                             default settings or open and verify
+#                             Signed Test Message 6.2.2.8 using the
+#                             default settings.
+#
+#    Expected Result: The path should not validate successfully as the
+#                             notAfter date in the intermediate
+#                             certificate is before the current date.
+#
+#    Certification Path: The certification path is composed of the
+#    following objects:
+#
+#                 Trust Anchor Root Certificate, Trust Anchor Root CRL
+#                 Bad notAfter Date CA Cert, Bad notAfter Date CA CRL
+#                 Invalid CA notAfter Date Test5 EE
+#
+end_test
+
+                
+start_test 4.2.6 "Invalid EE notAfter Date Test6"
+# In this test, the end entity certificate's notAfter date is before
+# the current date.
+
+#    Procedure: Validate Invalid EE notAfter Date Test6 EE using the
+#                             default settings or open and verify
+#                             Signed Test Message 6.2.2.9 using the
+#                             default settings.
+#
+#    Expected Result: The path should not validate successfully as the
+#                             notAfter date in the end certificate is
+#                             before the current date.
+#
+#    Certification Path: The certification path is composed of the
+#    following objects:
+#                 Trust Anchor Root Certificate, Trust Anchor Root CRL
+#                 Good CA Cert, Good CA CRL
+#                 Invalid EE notAfter Date Test6 EE
+
+end_test
+
+    
+start_test 4.2.7 "Invalid pre2000 UTC EE notAfter Date Test7"
+# In this test, the end entity certificate's notAfter date is 1999 and
+# is encoded in UTCTime.
+
+#    Procedure: Validate Invalid pre2000 UTC EE notAfter Date Test7 EE
+#                             using the default settings or open and
+#                             verify Signed Test Message 6.2.2.10 using
+#                             the default settings.
+#
+#    Expected Result: The path should not validate successfully as the
+#                             notAfter date in the end certificate is
+#                             before the current date.
+#
+#
+#    Certification Path: The certification path is composed of the
+#    following objects:
+#
+#                 Trust Anchor Root Certificate, Trust Anchor Root CRL
+#                 Good CA Cert, Good CA CRL
+#                 Invalid pre2000 UTC EE notAfter Date Test7 EE
+
+end_test
+
+                
+
+start_test 4.2.8 "Valid GeneralizedTime notAfter Date Test8"
+# In this test, the end entity certificate's notAfter date is 2050 and
+# is encoded in GeneralizedTime.
+
+#    Procedure: Validate Valid GeneralizedTime notAfter Date Test8 EE
+#                             using the default settings or open and
+#                             verify Signed Test Message 6.2.2.11 using
+#                             the default settings.
+#
+#    Expected Result: The path should validate successfully as the
+#                             notAfter date in the end certificate is
+#                             after the current date.
+#
+#
+#                 Trust Anchor Root Certificate, Trust Anchor Root CRL
+#                 Good CA Cert, Good CA CRL
+#                 Valid GeneralizedTime notAfter Date Test8 EE
+
+end_test
+
+
+
+
+final_result
diff --git a/tests/pkits/verifying-basic-constraints b/tests/pkits/verifying-basic-constraints
new file mode 100755
index 0000000..0e052f3
--- /dev/null
+++ b/tests/pkits/verifying-basic-constraints
@@ -0,0 +1,31 @@
+#!/bin/sh
+# verifying-basic-constraints - PKITS Test 4.6                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.6
+description="Verifying Basic Constraints"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/verifying-name-chaining b/tests/pkits/verifying-name-chaining
new file mode 100755
index 0000000..9bdbb59
--- /dev/null
+++ b/tests/pkits/verifying-name-chaining
@@ -0,0 +1,31 @@
+#!/bin/sh
+# verifying-name-chaining - PKITS Test 4.3                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.3
+description="Verifying Name Chaining"
+info "Running $description tests"
+
+
+
+
+
+
+final_result
diff --git a/tests/pkits/verifying-paths-self-issued b/tests/pkits/verifying-paths-self-issued
new file mode 100755
index 0000000..443d7ad
--- /dev/null
+++ b/tests/pkits/verifying-paths-self-issued
@@ -0,0 +1,31 @@
+#!/bin/sh
+# verifying-paths-self-issued - PKITS Test 4.5                     -*- sh -*-
+# Copyright (C) 2008 Free Software Foundation, Inc.  
+#
+# This file is part of GnuPG.
+# 
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+# 
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+. ${srcdir:-.}/common.sh || exit 2
+
+section=4.5
+description="Verifying Paths with Self-Issued Certificates"
+info "Running $description tests"
+
+
+
+
+
+
+final_result