Quelle  test_cert.c   Sprache: C

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * test_cert.c
 *
 * Test Cert Type
 *
 */

#include "testutil.h"
#include "testutil_nss.h"

static PKIX_PL_Cert *altNameNoneCert = NULL;
static PKIX_PL_Cert *altNameOtherCert = NULL;
static PKIX_PL_Cert *altNameOtherCert_diff = NULL;
static PKIX_PL_Cert *altNameRfc822Cert = NULL;
static PKIX_PL_Cert *altNameRfc822Cert_diff = NULL;
static PKIX_PL_Cert *altNameDnsCert = NULL;
static PKIX_PL_Cert *altNameDnsCert_diff = NULL;
static PKIX_PL_Cert *altNameX400Cert = NULL;
static PKIX_PL_Cert *altNameX400Cert_diff = NULL;
static PKIX_PL_Cert *altNameDnCert = NULL;
static PKIX_PL_Cert *altNameDnCert_diff = NULL;
static PKIX_PL_Cert *altNameEdiCert = NULL;
static PKIX_PL_Cert *altNameEdiCert_diff = NULL;
static PKIX_PL_Cert *altNameUriCert = NULL;
static PKIX_PL_Cert *altNameUriCert_diff = NULL;
static PKIX_PL_Cert *altNameIpCert = NULL;
static PKIX_PL_Cert *altNameIpCert_diff = NULL;
static PKIX_PL_Cert *altNameOidCert = NULL;
static PKIX_PL_Cert *altNameOidCert_diff = NULL;
static PKIX_PL_Cert *altNameMultipleCert = NULL;

static void *plContext = NULL;

static void
createCerts(
    char *dataCentralDir,
    char *goodInput,
    char *diffInput,
    PKIX_PL_Cert **goodObject,
    PKIX_PL_Cert **equalObject,
    PKIX_PL_Cert **diffObject)
{
    subTest("PKIX_PL_Cert_Create ");
    *goodObject = createCert(dataCentralDir, goodInput, plContext);

    subTest("PKIX_PL_Cert_Create ");
    *equalObject = createCert(dataCentralDir, goodInput, plContext);

    subTest("PKIX_PL_Cert_Create ");
    *diffObject = createCert(dataCentralDir, diffInput, plContext);
}

static void
createCertsWithSubjectAltNames(char *dataCentralDir)
{
    subTest("PKIX_PL_Cert_Create ");
    altNameDnsCert = createCert(dataCentralDir, "generalName/altNameDnsCert", plContext);

    subTest("PKIX_PL_Cert_Create ");
    altNameDnsCert_diff = createCert(dataCentralDir, "generalName/altNameDnsCert_diff", plContext);

    subTest("PKIX_PL_Cert_Create ");
    altNameRfc822Cert = createCert(dataCentralDir, "generalName/altNameRfc822Cert", plContext);

    subTest("PKIX_PL_Cert_Create ");
    altNameRfc822Cert_diff = createCert(dataCentralDir, "generalName/altNameRfc822Cert_diff", plContext);

    subTest("PKIX_PL_Cert_Create ");
    altNameX400Cert = createCert(dataCentralDir, "generalName/altNameX400Cert", plContext);

    subTest("PKIX_PL_Cert_Create ");
    altNameX400Cert_diff = createCert(dataCentralDir, "generalName/altNameX400Cert_diff", plContext);

    subTest("PKIX_PL_Cert_Create ");
    altNameDnCert = createCert(dataCentralDir, "generalName/altNameDnCert", plContext);

    subTest("PKIX_PL_Cert_Create ");
    altNameDnCert_diff = createCert(dataCentralDir, "generalName/altNameDnCert_diff", plContext);

    subTest("PKIX_PL_Cert_Create ");
    altNameEdiCert = createCert(dataCentralDir, "generalName/altNameEdiCert", plContext);

    subTest("PKIX_PL_Cert_Create ");
    altNameEdiCert_diff = createCert(dataCentralDir, "generalName/altNameEdiCert_diff", plContext);

    subTest("PKIX_PL_Cert_Create ");
    altNameUriCert = createCert(dataCentralDir, "generalName/altNameUriCert", plContext);

    subTest("PKIX_PL_Cert_Create ");
    altNameUriCert_diff = createCert(dataCentralDir, "generalName/altNameUriCert_diff", plContext);

    subTest("PKIX_PL_Cert_Create ");
    altNameIpCert = createCert(dataCentralDir, "generalName/altNameIpCert", plContext);

    subTest("PKIX_PL_Cert_Create ");
    altNameIpCert_diff = createCert(dataCentralDir, "generalName/altNameIpCert_diff", plContext);

    subTest("PKIX_PL_Cert_Create ");
    altNameOidCert = createCert(dataCentralDir, "generalName/altNameOidCert", plContext);

    subTest("PKIX_PL_Cert_Create ");
    altNameOidCert_diff = createCert(dataCentralDir, "generalName/altNameOidCert_diff", plContext);

    subTest("PKIX_PL_Cert_Create ");
    altNameOtherCert = createCert(dataCentralDir, "generalName/altNameOtherCert", plContext);

    subTest("PKIX_PL_Cert_Create ");
    altNameOtherCert_diff = createCert(dataCentralDir, "generalName/altNameOtherCert_diff", plContext);

    subTest("PKIX_PL_Cert_Create ");
    altNameNoneCert = createCert(dataCentralDir, "generalName/altNameNoneCert", plContext);

    subTest("PKIX_PL_Cert_Create ");
    altNameMultipleCert = createCert(dataCentralDir, "generalName/altNameRfc822DnsCert", plContext);
}

static void
testGetVersion(
    PKIX_PL_Cert *goodObject)
{
    PKIX_UInt32 goodVersion;

    PKIX_TEST_STD_VARS();

    subTest("PKIX_PL_Cert_GetVersion");

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetVersion(goodObject, &goodVersion, plContext));

    if (goodVersion != 2) {
        testError("unexpected mismatch");
        (void)printf("Actual value:\t%d\n", goodVersion);
        (void)printf("Expected value:\t2\n");
        goto cleanup;
    }

cleanup:

    PKIX_TEST_RETURN();
}

static void
testGetSerialNumber(
    PKIX_PL_Cert *goodObject,
    PKIX_PL_Cert *equalObject,
    PKIX_PL_Cert *diffObject)
{
    PKIX_PL_BigInt *goodSN = NULL;
    PKIX_PL_BigInt *equalSN = NULL;
    PKIX_PL_BigInt *diffSN = NULL;
    char *expectedAscii = "37bc66ec";

    PKIX_TEST_STD_VARS();

    subTest("PKIX_PL_Cert_GetSerialNumber");

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSerialNumber(goodObject, &goodSN, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSerialNumber(equalObject, &equalSN, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSerialNumber(diffObject, &diffSN, plContext));

    PKIX_TEST_EQ_HASH_TOSTR_DUP(goodSN, equalSN, diffSN, expectedAscii, BigInt, PKIX_TRUE);

cleanup:

    PKIX_TEST_DECREF_AC(goodSN);
    PKIX_TEST_DECREF_AC(equalSN);
    PKIX_TEST_DECREF_AC(diffSN);

    PKIX_TEST_RETURN();
}

static void
testGetSubject(
    PKIX_PL_Cert *goodObject,
    PKIX_PL_Cert *equalObject,
    PKIX_PL_Cert *diffObject)
{
    PKIX_PL_X500Name *goodSubject = NULL;
    PKIX_PL_X500Name *equalSubject = NULL;
    PKIX_PL_X500Name *diffSubject = NULL;
    char *expectedAscii = "OU=bcn,OU=east,O=sun,C=us";

    PKIX_TEST_STD_VARS();

    subTest("PKIX_PL_Cert_GetSubject");

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(goodObject, &goodSubject, plContext));

    if (!goodSubject) {
        testError("Certificate Subject should not be NULL");
        goto cleanup;
    }

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(equalObject, &equalSubject, plContext));

    if (!equalSubject) {
        testError("Certificate Subject should not be NULL");
        goto cleanup;
    }

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubject(diffObject, &diffSubject, plContext));

    if (!diffSubject) {
        testError("Certificate Subject should not be NULL");
        goto cleanup;
    }

    PKIX_TEST_EQ_HASH_TOSTR_DUP(goodSubject,
                                equalSubject,
                                diffSubject,
                                expectedAscii,
                                X500Name,
                                PKIX_TRUE);

cleanup:

    PKIX_TEST_DECREF_AC(goodSubject);
    PKIX_TEST_DECREF_AC(equalSubject);
    PKIX_TEST_DECREF_AC(diffSubject);

    PKIX_TEST_RETURN();
}

static void
testGetIssuer(
    PKIX_PL_Cert *goodObject,
    PKIX_PL_Cert *equalObject,
    PKIX_PL_Cert *diffObject)
{
    PKIX_PL_X500Name *goodIssuer = NULL;
    PKIX_PL_X500Name *equalIssuer = NULL;
    PKIX_PL_X500Name *diffIssuer = NULL;
    char *expectedAscii = "CN=yassir,OU=bcn,OU=east,O=sun,C=us";

    PKIX_TEST_STD_VARS();

    subTest("PKIX_PL_Cert_GetIssuer");

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetIssuer(goodObject, &goodIssuer, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetIssuer(equalObject, &equalIssuer, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetIssuer(diffObject, &diffIssuer, plContext));

    PKIX_TEST_EQ_HASH_TOSTR_DUP(goodIssuer,
                                equalIssuer,
                                diffIssuer,
                                expectedAscii,
                                X500Name,
                                PKIX_TRUE);

cleanup:

    PKIX_TEST_DECREF_AC(goodIssuer);
    PKIX_TEST_DECREF_AC(equalIssuer);
    PKIX_TEST_DECREF_AC(diffIssuer);

    PKIX_TEST_RETURN();
}

static void
testAltNames(
    PKIX_PL_Cert *goodCert,
    PKIX_PL_Cert *diffCert,
    char *expectedAscii)
{
    PKIX_List *goodAltNames = NULL;
    PKIX_List *diffAltNames = NULL;
    PKIX_PL_GeneralName *goodAltName = NULL;
    PKIX_PL_GeneralName *diffAltName = NULL;

    PKIX_TEST_STD_VARS();

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectAltNames(goodCert, &goodAltNames, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(goodAltNames,
                                                0,
                                                (PKIX_PL_Object **)&goodAltName,
                                                plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectAltNames(diffCert, &diffAltNames, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(diffAltNames,
                                                0,
                                                (PKIX_PL_Object **)&diffAltName,
                                                plContext));

    PKIX_TEST_EQ_HASH_TOSTR_DUP(goodAltName, goodAltName, diffAltName,
                                expectedAscii, GeneralName, PKIX_TRUE);

cleanup:
    PKIX_TEST_DECREF_AC(goodAltNames);
    PKIX_TEST_DECREF_AC(goodAltName);
    PKIX_TEST_DECREF_AC(diffAltNames);
    PKIX_TEST_DECREF_AC(diffAltName);
    PKIX_TEST_RETURN();
}

static void
testAltNamesNone(PKIX_PL_Cert *cert)
{

    PKIX_List *altNames = NULL;

    PKIX_TEST_STD_VARS();

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectAltNames(cert, &altNames, plContext));

    if (altNames != NULL) {
        testError("unexpected mismatch");
        (void)printf("Actual value:\t%p\n", (void *)altNames);
        (void)printf("Expected value:\tNULL\n");
        goto cleanup;
    }

cleanup:

    PKIX_TEST_DECREF_AC(altNames);
    PKIX_TEST_RETURN();
}
static void
testAltNamesMultiple()
{
    PKIX_List *altNames = NULL;
    PKIX_PL_GeneralName *firstAltName = NULL;
    PKIX_Int32 firstExpectedType = PKIX_RFC822_NAME;
    PKIX_PL_GeneralName *secondAltName = NULL;
    PKIX_Int32 secondExpectedType = PKIX_DNS_NAME;

    char *expectedAscii =
        "[\n"
        "\tVersion: v3\n"
        "\tSerialNumber: 2d\n"
        "\tIssuer: OU=labs,O=sun,C=us\n"
        "\tSubject: CN=yassir,OU=labs,O=sun,C=us\n"
        "\tValidity: [From: Mon Feb 09, 2004\n"
        /*      "\tValidity: [From: Mon Feb 09 14:43:52 2004\n" */
        "\t To: Mon Feb 09, 2004]\n"
        /*      "\t           To:   Mon Feb 09 14:43:52 2004]\n" */
        "\tSubjectAltNames: (yassir@sun.com, sunray.sun.com)\n"
        "\tAuthorityKeyId: (null)\n"
        "\tSubjectKeyId: (null)\n"
        "\tSubjPubKeyAlgId: ANSI X9.57 DSA Signature\n"
        "\tCritExtOIDs: (EMPTY)\n"
        "\tExtKeyUsages: (null)\n"
        "\tBasicConstraint: (null)\n"
        "\tCertPolicyInfo: (null)\n"
        "\tPolicyMappings: (null)\n"
        "\tExplicitPolicy: -1\n"
        "\tInhibitMapping: -1\n"
        "\tInhibitAnyPolicy:-1\n"
        "\tNameConstraints: (null)\n"
        "\tAuthorityInfoAccess: (null)\n"
        "\tSubjectInfoAccess: (null)\n"
        "\tCacheFlag: 0\n"
        "]\n";

    PKIX_TEST_STD_VARS();

    testToStringHelper((PKIX_PL_Object *)altNameMultipleCert,
                       expectedAscii,
                       plContext);

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectAltNames(altNameMultipleCert, &altNames, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(altNames, 0, (PKIX_PL_Object **)&firstAltName, plContext));

    if (firstAltName->type != firstExpectedType) {
        testError("unexpected mismatch");
        (void)printf("Actual value:\t%d\n", firstAltName->type);
        (void)printf("Expected value:\t%d\n", firstExpectedType);
        goto cleanup;
    }

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(altNames, 1, (PKIX_PL_Object **)&secondAltName, plContext));

    if (secondAltName->type != secondExpectedType) {
        testError("unexpected mismatch");
        (void)printf("Actual value:\t%d\n", secondAltName->type);
        (void)printf("Expected value:\t%d\n", secondExpectedType);
        goto cleanup;
    }

cleanup:
    PKIX_TEST_DECREF_AC(altNames);
    PKIX_TEST_DECREF_AC(firstAltName);
    PKIX_TEST_DECREF_AC(secondAltName);
    PKIX_TEST_RETURN();
}

static void
testGetSubjectAltNames(char *dataCentralDir)
{

    char *expectedAscii = NULL;

    createCertsWithSubjectAltNames(dataCentralDir);

    subTest("PKIX_PL_Cert_GetSubjectAltNames ");
    expectedAscii = "east.sun.com";
    testAltNames(altNameDnsCert, altNameDnsCert_diff, expectedAscii);

    subTest("PKIX_PL_Cert_GetSubjectAltNames ");
    expectedAscii = "alice.barnes@bcn.east.sun.com";
    testAltNames(altNameRfc822Cert, altNameRfc822Cert_diff, expectedAscii);

    /*
     *this should work once bugzilla bug #233586 is fixed.
     *subTest("PKIX_PL_Cert_GetSubjectAltNames <X400Address>");
     *expectedAscii = "X400Address: <DER-encoded value>";
     *testAltNames(altNameX400Cert, altNameX400Cert_diff, expectedAscii);
     */

    subTest("PKIX_PL_Cert_GetSubjectAltNames ");
    expectedAscii = "CN=elley,OU=labs,O=sun,C=us";
    testAltNames(altNameDnCert, altNameDnCert_diff, expectedAscii);

    /*
     * this should work once bugzilla bug #233586 is fixed.
     * subTest("PKIX_PL_Cert_GetSubjectAltNames <EdiPartyName>");
     * expectedAscii = "EDIPartyName: <DER-encoded value>";
     * testAltNames(altNameEdiCert, altNameEdiCert_diff, expectedAscii);
     */

    subTest("PKIX_PL_Cert_GetSubjectAltNames ");
    expectedAscii = "http://www.sun.com";
    testAltNames(altNameUriCert, altNameUriCert_diff, expectedAscii);

    subTest("PKIX_PL_Cert_GetSubjectAltNames ");
    expectedAscii = "1.2.3.4";
    testAltNames(altNameIpCert, altNameIpCert_diff, expectedAscii);

    subTest("PKIX_PL_Cert_GetSubjectAltNames ");
    expectedAscii = "1.2.39";
    testAltNames(altNameOidCert, altNameOidCert_diff, expectedAscii);

    subTest("PKIX_PL_Cert_GetSubjectAltNames ");
    expectedAscii = "1.7.26.97";
    testAltNames(altNameOtherCert, altNameOtherCert_diff, expectedAscii);

    subTest("PKIX_PL_Cert_GetSubjectAltNames ");
    testAltNamesNone(altNameNoneCert);

    subTest("PKIX_PL_Cert_GetSubjectAltNames ");
    testAltNamesMultiple();
}

static void
testGetSubjectPublicKey(
    PKIX_PL_Cert *goodObject,
    PKIX_PL_Cert *equalObject,
    PKIX_PL_Cert *diffObject)
{
    PKIX_PL_PublicKey *goodPubKey = NULL;
    PKIX_PL_PublicKey *equalPubKey = NULL;
    PKIX_PL_PublicKey *diffPubKey = NULL;
    char *expectedAscii = "ANSI X9.57 DSA Signature";

    PKIX_TEST_STD_VARS();

    subTest("PKIX_PL_Cert_GetSubjectPublicKey");

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(goodObject, &goodPubKey, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(equalObject, &equalPubKey, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(diffObject, &diffPubKey, plContext));

    PKIX_TEST_EQ_HASH_TOSTR_DUP(goodPubKey, equalPubKey, diffPubKey,
                                expectedAscii, PublicKey, PKIX_TRUE);

cleanup:

    PKIX_TEST_DECREF_AC(goodPubKey);
    PKIX_TEST_DECREF_AC(equalPubKey);
    PKIX_TEST_DECREF_AC(diffPubKey);

    PKIX_TEST_RETURN();
}

static void
testGetSubjectPublicKeyAlgId(PKIX_PL_Cert *goodObject)
{
    PKIX_PL_OID *pkixPubKeyOID = NULL;
    char *expectedAscii = "1.2.840.10040.4.1";

    PKIX_TEST_STD_VARS();

    subTest("PKIX_PL_Cert_GetSubjectPublicKeyAlgId");

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKeyAlgId(goodObject, &pkixPubKeyOID, plContext));

    testToStringHelper((PKIX_PL_Object *)pkixPubKeyOID, expectedAscii, plContext);

cleanup:

    PKIX_TEST_DECREF_AC(pkixPubKeyOID);
    PKIX_TEST_RETURN();
}

static void
testCritExtensionsPresent(PKIX_PL_Cert *cert)
{
    PKIX_List *critOIDList = NULL;
    char *firstOIDAscii = "2.5.29.15";
    PKIX_PL_OID *firstOID = NULL;
    char *secondOIDAscii = "2.5.29.19";
    PKIX_PL_OID *secondOID = NULL;

    PKIX_TEST_STD_VARS();

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetCriticalExtensionOIDs(cert, &critOIDList, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(critOIDList, 0, (PKIX_PL_Object **)&firstOID, ;plContext));
    testToStringHelper((PKIX_PL_Object *)firstOID, firstOIDAscii, plContext);

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(critOIDList, 1, (PKIX_PL_Object **)&secondOID, ;plContext));

    testToStringHelper((PKIX_PL_Object *)secondOID, secondOIDAscii, plContext);

cleanup:

    PKIX_TEST_DECREF_AC(critOIDList);
    PKIX_TEST_DECREF_AC(firstOID);
    PKIX_TEST_DECREF_AC(secondOID);

    PKIX_TEST_RETURN();
}

static void
testCritExtensionsAbsent(PKIX_PL_Cert *cert)
{
    PKIX_List *oidList = NULL;
    PKIX_Boolean empty;

    PKIX_TEST_STD_VARS();

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetCriticalExtensionOIDs(cert, &oidList, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsEmpty(oidList, &empty, plContext));

    if (!empty) {
        pkixTestErrorMsg = "unexpected mismatch";
    }

cleanup:

    PKIX_TEST_DECREF_AC(oidList);
    PKIX_TEST_RETURN();
}

static void
testAllExtensionsAbsent(char *dataCentralDir)
{
    PKIX_List *oidList = NULL;
    PKIX_PL_Cert *cert = NULL;
    PKIX_Boolean empty;

    PKIX_TEST_STD_VARS();

    subTest("PKIX_PL_Cert_Create ");
    cert = createCert(dataCentralDir, "noExtensionsCert", plContext);

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetCriticalExtensionOIDs(cert, &oidList, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsEmpty(oidList, &empty, plContext));

    if (!empty) {
        pkixTestErrorMsg = "unexpected mismatch";
    }

cleanup:
    PKIX_TEST_DECREF_AC(oidList);
    PKIX_TEST_DECREF_AC(cert);

    PKIX_TEST_RETURN();
}

static void
testGetCriticalExtensionOIDs(char *dataCentralDir, PKIX_PL_Cert *goodObject)
{
    subTest("PKIX_PL_Cert_GetCriticalExtensionOIDs "
            "");
    testCritExtensionsPresent(goodObject);

    subTest("PKIX_PL_Cert_GetCriticalExtensionOIDs "
            "");
    testCritExtensionsAbsent(altNameOidCert);

    subTest("PKIX_PL_Cert_GetCriticalExtensionOIDs "
            "");
    testAllExtensionsAbsent(dataCentralDir);
}

static void
testKeyIdentifiersMatching(char *dataCentralDir)
{
    PKIX_PL_Cert *subjKeyIDCert = NULL;
    PKIX_PL_Cert *authKeyIDCert = NULL;
    PKIX_PL_ByteArray *subjKeyID = NULL;
    PKIX_PL_ByteArray *authKeyID = NULL;
    PKIX_PL_ByteArray *subjKeyID_diff = NULL;

    char *expectedAscii =
        "[116, 021, 213, 036, 028, 189, 094, 101, 136, 031, 225,"
        " 139, 009, 126, 127, 234, 025, 072, 078, 097]";

    PKIX_TEST_STD_VARS();

    subTest("PKIX_PL_Cert_Create ");
    subjKeyIDCert = createCert(dataCentralDir, "keyIdentifier/subjKeyIDCert", plContext);

    subTest("PKIX_PL_Cert_Create ");
    authKeyIDCert = createCert(dataCentralDir, "keyIdentifier/authKeyIDCert", plContext);

    subTest("PKIX_PL_Cert_GetSubjectKeyIdentifier ");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectKeyIdentifier(subjKeyIDCert, &subjKeyID,&nbsp;plContext));

    subTest("PKIX_PL_Cert_GetAuthorityKeyIdentifier ");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityKeyIdentifier(authKeyIDCert, &authKeyID,&nbsp;plContext));

    subTest("PKIX_PL_Cert_GetSubjectKeyIdentifier ");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectKeyIdentifier(authKeyIDCert, &subjKeyID_diff,&nbsp;plContext));

    PKIX_TEST_EQ_HASH_TOSTR_DUP(subjKeyID,
                                authKeyID,
                                subjKeyID_diff,
                                expectedAscii,
                                ByteArray,
                                PKIX_TRUE);

cleanup:

    PKIX_TEST_DECREF_AC(subjKeyIDCert);
    PKIX_TEST_DECREF_AC(authKeyIDCert);
    PKIX_TEST_DECREF_AC(subjKeyID);
    PKIX_TEST_DECREF_AC(authKeyID);
    PKIX_TEST_DECREF_AC(subjKeyID_diff);

    PKIX_TEST_RETURN();
}

static void
testKeyIdentifierAbsent(PKIX_PL_Cert *cert)
{
    PKIX_PL_ByteArray *subjKeyID = NULL;
    PKIX_PL_ByteArray *authKeyID = NULL;

    PKIX_TEST_STD_VARS();

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectKeyIdentifier(cert, &subjKeyID, plContext));

    if (subjKeyID != NULL) {
        pkixTestErrorMsg = "unexpected mismatch";
    }

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetAuthorityKeyIdentifier(cert, &authKeyID, plContext));

    if (authKeyID != NULL) {
        pkixTestErrorMsg = "unexpected mismatch";
    }

cleanup:

    PKIX_TEST_DECREF_AC(subjKeyID);
    PKIX_TEST_DECREF_AC(authKeyID);

    PKIX_TEST_RETURN();
}

static void
testGetKeyIdentifiers(char *dataCentralDir, PKIX_PL_Cert *goodObject)
{
    testKeyIdentifiersMatching(dataCentralDir);
    testKeyIdentifierAbsent(goodObject);
}

static void
testVerifyKeyUsage(
    char *dataCentralDir,
    char *dataDir,
    PKIX_PL_Cert *multiKeyUsagesCert)
{
    PKIX_PL_Cert *encipherOnlyCert = NULL;
    PKIX_PL_Cert *decipherOnlyCert = NULL;
    PKIX_PL_Cert *noKeyUsagesCert = NULL;
    PKIX_TEST_STD_VARS();

    subTest("PKIX_PL_Cert_Create ");
    encipherOnlyCert = createCert(dataCentralDir, "keyUsage/encipherOnlyCert", plContext);

    subTest("PKIX_PL_Cert_Create ");
    decipherOnlyCert = createCert(dataCentralDir, "keyUsage/decipherOnlyCert", plContext);

    subTest("PKIX_PL_Cert_Create ");
    noKeyUsagesCert = createCert(dataCentralDir, "keyUsage/noKeyUsagesCert", plContext);

    subTest("PKIX_PL_Cert_VerifyKeyUsage ");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_VerifyKeyUsage(multiKeyUsagesCert, PKIX_KEY_CERT_SIGN, plContext));

    subTest("PKIX_PL_Cert_VerifyKeyUsage ");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_VerifyKeyUsage(multiKeyUsagesCert,
                                                          PKIX_KEY_CERT_SIGN |
                                                              PKIX_DIGITAL_SIGNATURE,
                                                          plContext));

    subTest("PKIX_PL_Cert_VerifyKeyUsage ");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_VerifyKeyUsage(encipherOnlyCert, PKIX_ENCIPHER_ONLY, plContext));

    subTest("PKIX_PL_Cert_VerifyKeyUsage ");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_VerifyKeyUsage(noKeyUsagesCert, PKIX_ENCIPHER_ONLY, plContext));

    subTest("PKIX_PL_Cert_VerifyKeyUsage ");
    PKIX_TEST_EXPECT_ERROR(PKIX_PL_Cert_VerifyKeyUsage(decipherOnlyCert, PKIX_DECIPHER_ONLY, plContext));

cleanup:
    PKIX_TEST_DECREF_AC(encipherOnlyCert);
    PKIX_TEST_DECREF_AC(decipherOnlyCert);
    PKIX_TEST_DECREF_AC(noKeyUsagesCert);

    PKIX_TEST_RETURN();
}

static void
testGetExtendedKeyUsage(char *dataCentralDir)
{

    PKIX_PL_Cert *codeSigningEKUCert = NULL;
    PKIX_PL_Cert *multiEKUCert = NULL;
    PKIX_PL_Cert *noEKUCert = NULL;
    PKIX_List *firstExtKeyUsage = NULL;
    PKIX_List *secondExtKeyUsage = NULL;
    PKIX_List *thirdExtKeyUsage = NULL;
    PKIX_PL_OID *firstOID = NULL;
    char *oidAscii = "1.3.6.1.5.5.7.3.3";
    PKIX_PL_OID *secondOID = NULL;
    char *secondOIDAscii = "1.3.6.1.5.5.7.3.1";
    PKIX_PL_OID *thirdOID = NULL;
    char *thirdOIDAscii = "1.3.6.1.5.5.7.3.2";
    PKIX_PL_OID *fourthOID = NULL;
    PKIX_UInt32 length = 0;

    PKIX_TEST_STD_VARS();

    subTest("PKIX_PL_Cert_Create ");
    codeSigningEKUCert = createCert(dataCentralDir, "extKeyUsage/codeSigningEKUCert", plContext);

    subTest("PKIX_PL_Cert_Create ");
    multiEKUCert = createCert(dataCentralDir, "extKeyUsage/multiEKUCert", plContext);

    subTest("PKIX_PL_Cert_Create ");
    noEKUCert = createCert(dataCentralDir, "extKeyUsage/noEKUCert", plContext);

    subTest("PKIX_PL_Cert_ExtendedKeyUsage ");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetExtendedKeyUsage(codeSigningEKUCert, &firstExtKeyUsage,&nbsp;plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(firstExtKeyUsage, 0, (PKIX_PL_Object **)&firstOID, plContext));
    testToStringHelper((PKIX_PL_Object *)firstOID, oidAscii, plContext);

    subTest("PKIX_PL_Cert_ExtendedKeyUsage ");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetExtendedKeyUsage(multiEKUCert, &secondExtKeyUsage, plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetLength(secondExtKeyUsage, &length, plContext));

    if (length != 3) {
        testError("unexpected mismatch");
        (void)printf("Actual value:\t%d\n", length);
        (void)printf("Expected value:\t3\n");
        goto cleanup;
    }

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(secondExtKeyUsage,
                                                0,
                                                (PKIX_PL_Object **)&secondOID,
                                                plContext));

    testToStringHelper((PKIX_PL_Object *)secondOID, oidAscii, plContext);

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(secondExtKeyUsage,
                                                1,
                                                (PKIX_PL_Object **)&thirdOID,
                                                plContext));

    testToStringHelper((PKIX_PL_Object *)thirdOID, secondOIDAscii, plContext);

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(secondExtKeyUsage,
                                                2,
                                                (PKIX_PL_Object **)&fourthOID,
                                                plContext));

    testToStringHelper((PKIX_PL_Object *)fourthOID, thirdOIDAscii, plContext);

    subTest("PKIX_PL_Cert_ExtendedKeyUsage ");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetExtendedKeyUsage(noEKUCert, &thirdExtKeyUsage, plContext));

    if (thirdExtKeyUsage != NULL) {
        testError("unexpected mismatch");
        (void)printf("Actual value:\t%p\n", (void *)thirdExtKeyUsage);
        (void)printf("Expected value:\tNULL\n");
        goto cleanup;
    }

cleanup:

    PKIX_TEST_DECREF_AC(firstOID);
    PKIX_TEST_DECREF_AC(secondOID);
    PKIX_TEST_DECREF_AC(thirdOID);
    PKIX_TEST_DECREF_AC(fourthOID);

    PKIX_TEST_DECREF_AC(firstExtKeyUsage);
    PKIX_TEST_DECREF_AC(secondExtKeyUsage);
    PKIX_TEST_DECREF_AC(thirdExtKeyUsage);

    PKIX_TEST_DECREF_AC(codeSigningEKUCert);
    PKIX_TEST_DECREF_AC(multiEKUCert);
    PKIX_TEST_DECREF_AC(noEKUCert);

    PKIX_TEST_RETURN();
}

static void
testMakeInheritedDSAPublicKey(char *dataCentralDir)
{
    PKIX_PL_PublicKey *firstKey = NULL;
    PKIX_PL_PublicKey *secondKey = NULL;
    PKIX_PL_PublicKey *resultKeyPositive = NULL;
    PKIX_PL_PublicKey *resultKeyNegative = NULL;
    PKIX_PL_Cert *firstCert = NULL;
    PKIX_PL_Cert *secondCert = NULL;

    PKIX_TEST_STD_VARS();

    subTest("PKIX_PL_Cert_Create ");
    firstCert = createCert(dataCentralDir, "publicKey/dsaWithoutParams", plContext);

    subTest("PKIX_PL_Cert_Create ");
    secondCert = createCert(dataCentralDir, "publicKey/dsaWithParams", plContext);

    subTest("PKIX_PL_Cert_GetSubjectPublicKey ");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(firstCert, &firstKey, plContext));

    subTest("PKIX_PL_Cert_GetSubjectPublicKey ");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(secondCert, &secondKey, plContext));

    subTest("PKIX_PL_PublicKey_MakeInheritedDSAPublicKey ");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey(firstKey, secondKey, &resultKeyPositive, plContext));

    if (resultKeyPositive == NULL) {
        testError("PKIX_PL_PublicKey_MakeInheritedDSAPublicKey failed");
    }

    subTest("PKIX_PL_PublicKey_MakeInheritedDSAPublicKey ");
    PKIX_TEST_EXPECT_ERROR(PKIX_PL_PublicKey_MakeInheritedDSAPublicKey(firstKey, firstKey, &resultKeyNegative, plContext));

cleanup:

    PKIX_TEST_DECREF_AC(firstCert);
    PKIX_TEST_DECREF_AC(secondCert);

    PKIX_TEST_DECREF_AC(firstKey);
    PKIX_TEST_DECREF_AC(secondKey);
    PKIX_TEST_DECREF_AC(resultKeyPositive);
    PKIX_TEST_DECREF_AC(resultKeyNegative);

    PKIX_TEST_RETURN();
}

static void
testVerifySignature(char *dataCentralDir)
{
    PKIX_PL_Cert *firstCert = NULL;
    PKIX_PL_Cert *secondCert = NULL;
    PKIX_PL_PublicKey *firstPubKey = NULL;
    PKIX_PL_PublicKey *secondPubKey = NULL;

    PKIX_TEST_STD_VARS();

    subTest("PKIX_PL_Cert_Create ");
    firstCert = createCert(dataCentralDir, "publicKey/labs2yassir", plContext);

    subTest("PKIX_PL_Cert_Create ");
    secondCert = createCert(dataCentralDir, "publicKey/yassir2labs", plContext);

    subTest("PKIX_PL_Cert_GetSubjectPublicKey ");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(firstCert, &firstPubKey, plContext));

    subTest("PKIX_PL_Cert_GetSubjectPublicKey ");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetSubjectPublicKey(secondCert, &secondPubKey, plContext));

    subTest("PKIX_PL_Cert_VerifySignature ");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_VerifySignature(secondCert, firstPubKey, plContext));

    subTest("PKIX_PL_Cert_VerifySignature ");
    PKIX_TEST_EXPECT_ERROR(PKIX_PL_Cert_VerifySignature(secondCert, secondPubKey, plContext));

cleanup:

    PKIX_TEST_DECREF_AC(firstCert);
    PKIX_TEST_DECREF_AC(secondCert);
    PKIX_TEST_DECREF_AC(firstPubKey);
    PKIX_TEST_DECREF_AC(secondPubKey);

    PKIX_TEST_RETURN();
}

static void
testCheckValidity(
    PKIX_PL_Cert *olderCert,
    PKIX_PL_Cert *newerCert)
{
    /*
     * olderCert has the following Validity:
     *  notBefore = August 19, 1999: 20:19:56 GMT
     *  notAfter  = August 18, 2000: 20:19:56 GMT
     *
     * newerCert has the following Validity:
     *  notBefore = November 13, 2003: 16:46:03 GMT
     *  notAfter  = February 13, 2009: 16:46:03 GMT
     */

    /*  olderDateAscii = March    29, 2000: 13:48:47 GMT */
    char *olderAscii = "000329134847Z";
    PKIX_PL_String *olderString = NULL;
    PKIX_PL_Date *olderDate = NULL;

    /*  newerDateAscii = March    29, 2004: 13:48:47 GMT */
    char *newerAscii = "040329134847Z";
    PKIX_PL_String *newerString = NULL;
    PKIX_PL_Date *newerDate = NULL;

    PKIX_TEST_STD_VARS();

    subTest("PKIX_PL_Cert_CheckValidity ");

    /* create newer date when newer cert is valid but older cert is not */
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, newerAscii, 0, &newerString, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Date_Create_UTCTime(newerString, &newerDate, plContext));

    /* create older date when older cert is valid but newer cert is not */
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_String_Create(PKIX_ESCASCII, olderAscii, 0, &olderString, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Date_Create_UTCTime(olderString, &olderDate, plContext));

    /* check validity of both certificates using olderDate */
    subTest("PKIX_PL_Cert_CheckValidity ");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_CheckValidity(olderCert, olderDate, plContext));

    subTest("PKIX_PL_Cert_CheckValidity ");
    PKIX_TEST_EXPECT_ERROR(PKIX_PL_Cert_CheckValidity(newerCert, olderDate, plContext));

    /* check validity of both certificates using newerDate */
    subTest("PKIX_PL_Cert_CheckValidity ");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_CheckValidity(newerCert, newerDate, plContext));

    subTest("PKIX_PL_Cert_CheckValidity ");
    PKIX_TEST_EXPECT_ERROR(PKIX_PL_Cert_CheckValidity(olderCert, newerDate, plContext));

    /*
     * check validity of both certificates using current time
     * NOTE: these "now" tests will not work when the current
     * time is after newerCert.notAfter (~ February 13, 2009)
     */
    subTest("PKIX_PL_Cert_CheckValidity ");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_CheckValidity(newerCert, NULL, plContext));

    subTest("PKIX_PL_Cert_CheckValidity ");
    PKIX_TEST_EXPECT_ERROR(PKIX_PL_Cert_CheckValidity(olderCert, NULL, plContext));

cleanup:
    PKIX_TEST_DECREF_AC(olderString);
    PKIX_TEST_DECREF_AC(newerString);
    PKIX_TEST_DECREF_AC(olderDate);
    PKIX_TEST_DECREF_AC(newerDate);

    PKIX_TEST_RETURN();
}

static void
readCertBasicConstraints(
    char *dataDir,
    char *goodCertName,
    char *diffCertName,
    PKIX_PL_CertBasicConstraints **goodBasicConstraints,
    PKIX_PL_CertBasicConstraints **equalBasicConstraints,
    PKIX_PL_CertBasicConstraints **diffBasicConstraints)
{

    PKIX_PL_Cert *goodCert = NULL;
    PKIX_PL_Cert *equalCert = NULL;
    PKIX_PL_Cert *diffCert = NULL;

    PKIX_TEST_STD_VARS();

    createCerts(dataDir, goodCertName, diffCertName,
                &goodCert, &equalCert, &diffCert);
    /*
     * Warning: pointer will be NULL if BasicConstraints
     * extension is not present in the certificate. */
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints(goodCert, goodBasicConstraints, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints(equalCert, equalBasicConstraints, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetBasicConstraints(diffCert, diffBasicConstraints, plContext));

cleanup:

    PKIX_TEST_DECREF_AC(goodCert);
    PKIX_TEST_DECREF_AC(equalCert);
    PKIX_TEST_DECREF_AC(diffCert);

    PKIX_TEST_RETURN();
}

static void
testBasicConstraintsHelper(
    char *dataDir,
    char *goodCertName,
    char *diffCertName,
    char *expectedAscii)
{
    PKIX_PL_CertBasicConstraints *goodBasicConstraints = NULL;
    PKIX_PL_CertBasicConstraints *equalBasicConstraints = NULL;
    PKIX_PL_CertBasicConstraints *diffBasicConstraints = NULL;

    PKIX_TEST_STD_VARS();

    readCertBasicConstraints(dataDir,
                             goodCertName,
                             diffCertName,
                             &goodBasicConstraints,
                             &equalBasicConstraints,
                             &diffBasicConstraints);

    /*
     * The standard test macro is applicable only
     * if BasicConstraint extension is present
     * in the certificate. Otherwise some
     * pointers will be null.
     */
    if ((goodBasicConstraints) &&
        (equalBasicConstraints) &&
        (diffBasicConstraints)) {
        PKIX_TEST_EQ_HASH_TOSTR_DUP(goodBasicConstraints,
                                    equalBasicConstraints,
                                    diffBasicConstraints,
                                    expectedAscii,
                                    BasicConstraints,
                                    PKIX_TRUE);
    } else {
        /* Test what we can */
        if (goodBasicConstraints) {
            if (!equalBasicConstraints) {
                testError("Unexpected NULL value of equalBasicConstraints");
                goto cleanup;
            }
            subTest("PKIX_PL_BasicConstraints_Equals ");
            testEqualsHelper((PKIX_PL_Object *)(goodBasicConstraints),
                             (PKIX_PL_Object *)(equalBasicConstraints),
                             PKIX_TRUE,
                             plContext);
            subTest("PKIX_PL_BasicConstraints_Hashcode ");
            testHashcodeHelper((PKIX_PL_Object *)(goodBasicConstraints),
                               (PKIX_PL_Object *)(equalBasicConstraints),
                               PKIX_TRUE,
                               plContext);
            if (diffBasicConstraints) {
                subTest("PKIX_PL_BasicConstraints_Equals ");
                testEqualsHelper((PKIX_PL_Object *)(goodBasicConstraints),
                                 (PKIX_PL_Object *)(diffBasicConstraints),
                                 PKIX_FALSE,
                                 plContext);
                subTest("PKIX_PL_BasicConstraints_Hashcode ");
                testHashcodeHelper((PKIX_PL_Object *)(goodBasicConstraints),
                                   (PKIX_PL_Object *)(diffBasicConstraints),
                                   PKIX_FALSE,
                                   plContext);
            }
            subTest("PKIX_PL_BasicConstraints_Duplicate");
            testDuplicateHelper((PKIX_PL_Object *)goodBasicConstraints, plContext);
        }
        if (expectedAscii) {
            subTest("PKIX_PL_BasicConstraints_ToString");
            testToStringHelper((PKIX_PL_Object *)(goodBasicConstraints),
                               expectedAscii,
                               plContext);
        }
    }

cleanup:

    PKIX_TEST_DECREF_AC(goodBasicConstraints);
    PKIX_TEST_DECREF_AC(equalBasicConstraints);
    PKIX_TEST_DECREF_AC(diffBasicConstraints);

    PKIX_TEST_RETURN();
}

static void
testBasicConstraints_GetCAFlag(char *dataCentralDir)
{
    /*
     * XXX  When we have a certificate with a non-null Basic
     * Constraints field and a value of FALSE for CAFlag,
     * this test should be modified to use that
     * certificate for diffCertName, and to verify that
     * GetCAFlag returns a FALSE value. But our certificates for
     * non-CAs are created with no BasicConstraints extension.
     */
    PKIX_PL_CertBasicConstraints *goodBasicConstraints = NULL;
    PKIX_PL_CertBasicConstraints *equalBasicConstraints = NULL;
    PKIX_PL_CertBasicConstraints *diffBasicConstraints = NULL;
    char *goodCertName = "yassir2yassir";
    char *diffCertName = "nss2alice";
    PKIX_Boolean goodCAFlag = PKIX_FALSE;
    PKIX_Boolean diffCAFlag = PKIX_FALSE;

    PKIX_TEST_STD_VARS();

    subTest("PKIX_PL_BasicConstraints_GetCAFlag");

    readCertBasicConstraints(dataCentralDir,
                             goodCertName,
                             diffCertName,
                             &goodBasicConstraints,
                             &equalBasicConstraints,
                             &diffBasicConstraints);

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetCAFlag(goodBasicConstraints, &goodCAFlag, plContext));
    if (!goodCAFlag) {
        testError("BasicConstraint CAFlag unexpectedly FALSE");
        goto cleanup;
    }

    if (diffBasicConstraints) {
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetCAFlag(diffBasicConstraints, &diffCAFlag, plContext));
        if (diffCAFlag) {
            testError("BasicConstraint CAFlag unexpectedly TRUE");
            goto cleanup;
        }
    }

cleanup:

    PKIX_TEST_DECREF_AC(goodBasicConstraints);
    PKIX_TEST_DECREF_AC(equalBasicConstraints);
    PKIX_TEST_DECREF_AC(diffBasicConstraints);

    PKIX_TEST_RETURN();
}

static void
testBasicConstraints_GetPathLenConstraint(char *dataCentralDir)
{
    PKIX_PL_CertBasicConstraints *goodBasicConstraints = NULL;
    PKIX_PL_CertBasicConstraints *equalBasicConstraints = NULL;
    PKIX_PL_CertBasicConstraints *diffBasicConstraints = NULL;
    char *goodCertName = "yassir2yassir";
    char *diffCertName = "sun2sun";
    PKIX_Int32 goodPathLen = 0;
    PKIX_Int32 diffPathLen = 0;

    PKIX_TEST_STD_VARS();

    subTest("PKIX_PL_BasicConstraints_GetPathLenConstraint");

    readCertBasicConstraints(dataCentralDir,
                             goodCertName,
                             diffCertName,
                             &goodBasicConstraints,
                             &equalBasicConstraints,
                             &diffBasicConstraints);

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetPathLenConstraint(goodBasicConstraints, &goodPathLen, plContext));
    if (0 != goodPathLen) {
        testError("unexpected basicConstraint pathLen");
        (void)printf("Actual value:\t%d\n", goodPathLen);
        (void)printf("Expected value:\t0\n");
        goto cleanup;
    }

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_BasicConstraints_GetPathLenConstraint(diffBasicConstraints, &diffPathLen, plContext));
    if (1 != diffPathLen) {
        testError("unexpected basicConstraint pathLen");
        (void)printf("Actual value:\t%d\n", diffPathLen);
        (void)printf("Expected value:\t1\n");
        goto cleanup;
    }

cleanup:

    PKIX_TEST_DECREF_AC(goodBasicConstraints);
    PKIX_TEST_DECREF_AC(equalBasicConstraints);
    PKIX_TEST_DECREF_AC(diffBasicConstraints);

    PKIX_TEST_RETURN();
}

static void
testGetBasicConstraints(char *dataCentralDir)
{
    char *goodCertName = NULL;
    char *diffCertName = NULL;

    PKIX_TEST_STD_VARS();

    subTest("PKIX_PL_Cert_GetBasicConstraints ");
    goodCertName = "yassir2yassir";
    diffCertName = "nss2alice";
    testBasicConstraintsHelper(dataCentralDir, goodCertName, diffCertName, "CA(0)");

    subTest("PKIX_PL_Cert_GetBasicConstraints ");
    goodCertName = "nss2alice";
    diffCertName = "sun2sun";
    testBasicConstraintsHelper(dataCentralDir, goodCertName, diffCertName, NULL);

    subTest("PKIX_PL_Cert_GetBasicConstraints ");
    goodCertName = "yassir2bcn";
    diffCertName = "sun2sun";
    testBasicConstraintsHelper(dataCentralDir, goodCertName, diffCertName, "CA(0)");

    subTest("PKIX_PL_Cert_GetBasicConstraints ");
    goodCertName = "anchor2dsa";
    diffCertName = "sun2sun";
    testBasicConstraintsHelper(dataCentralDir, goodCertName, diffCertName, "CA(-1)");

    PKIX_TEST_RETURN();
}

static void
testGetPolicyInformation(char *dataDir)
{

    char *goodCertName =
        "UserNoticeQualifierTest15EE.crt";
    char *equalCertName =
        "UserNoticeQualifierTest15EE.crt";
    char *diffCertName =
        "UserNoticeQualifierTest17EE.crt";
    PKIX_Boolean isImmutable = PKIX_FALSE;
    PKIX_PL_Cert *goodCert = NULL;
    PKIX_PL_Cert *equalCert = NULL;
    PKIX_PL_Cert *diffCert = NULL;
    PKIX_List *goodPolicyInfo = NULL;
    PKIX_List *equalPolicyInfo = NULL;
    PKIX_List *diffPolicyInfo = NULL;
    PKIX_PL_CertPolicyInfo *goodPolicy = NULL;
    PKIX_PL_CertPolicyInfo *equalPolicy = NULL;
    PKIX_PL_CertPolicyInfo *diffPolicy = NULL;

    PKIX_TEST_STD_VARS();
    subTest("PKIX_PL_Cert_GetPolicyInformation");

    /*
     * Get the cert, then the list of policyInfos.
     * Take the first policyInfo from the list.
     */

    /* Get the PolicyInfo objects */
    goodCert = createCert(dataDir, goodCertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(goodCert, &goodPolicyInfo, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy,&nbsp;plContext));

    equalCert = createCert(dataDir, equalCertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(equalCert, &equalPolicyInfo, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(equalPolicyInfo,
                                                0,
                                                (PKIX_PL_Object **)&equalPolicy,
                                                plContext));

    diffCert = createCert(dataDir, diffCertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(diffCert, &diffPolicyInfo, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy,&nbsp;plContext));

    PKIX_TEST_EQ_HASH_TOSTR_DUP(goodPolicy,
                                equalPolicy,
                                diffPolicy,
                                NULL,
                                CertPolicyInfo,
                                PKIX_FALSE);

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsImmutable(goodPolicyInfo, &isImmutable, plContext));

    if (isImmutable != PKIX_TRUE) {
        testError("PolicyInfo List is not immutable");
    }

cleanup:

    PKIX_TEST_DECREF_AC(goodPolicy);
    PKIX_TEST_DECREF_AC(equalPolicy);
    PKIX_TEST_DECREF_AC(diffPolicy);
    PKIX_TEST_DECREF_AC(goodPolicyInfo);
    PKIX_TEST_DECREF_AC(equalPolicyInfo);
    PKIX_TEST_DECREF_AC(diffPolicyInfo);
    PKIX_TEST_DECREF_AC(goodCert);
    PKIX_TEST_DECREF_AC(equalCert);
    PKIX_TEST_DECREF_AC(diffCert);
    PKIX_TEST_RETURN();
}

static void
testCertPolicy_GetPolicyId(char *dataDir)
{
    char *goodCertName =
        "UserNoticeQualifierTest15EE.crt";
    char *equalCertName =
        "UserNoticeQualifierTest16EE.crt";
    char *diffCertName =
        "UserNoticeQualifierTest17EE.crt";
    PKIX_PL_Cert *goodCert = NULL;
    PKIX_PL_Cert *equalCert = NULL;
    PKIX_PL_Cert *diffCert = NULL;
    PKIX_List *goodPolicyInfo = NULL;
    PKIX_List *equalPolicyInfo = NULL;
    PKIX_List *diffPolicyInfo = NULL;
    PKIX_PL_CertPolicyInfo *goodPolicy = NULL;
    PKIX_PL_CertPolicyInfo *equalPolicy = NULL;
    PKIX_PL_CertPolicyInfo *diffPolicy = NULL;
    PKIX_PL_OID *goodID = NULL;
    PKIX_PL_OID *equalID = NULL;
    PKIX_PL_OID *diffID = NULL;

    PKIX_TEST_STD_VARS();
    subTest("PKIX_PL_CertPolicyInfo_GetPolicyId");

    /*
     * Get the cert, then the list of policyInfos.
     * Take the first policyInfo from the list.
     * Finally, get the policyInfo's ID.
     */

    /* Get the PolicyInfo objects */
    goodCert = createCert(dataDir, goodCertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(goodCert, &goodPolicyInfo, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy,&nbsp;plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId(goodPolicy, &goodID, plContext));

    equalCert = createCert(dataDir, equalCertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(equalCert, &equalPolicyInfo, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(equalPolicyInfo,
                                                0,
                                                (PKIX_PL_Object **)&equalPolicy,
                                                plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId(equalPolicy, &equalID, plContext));

    diffCert = createCert(dataDir, diffCertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(diffCert, &diffPolicyInfo, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy,&nbsp;plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolicyId(diffPolicy, &diffID, plContext));

    PKIX_TEST_EQ_HASH_TOSTR_DUP(goodID, equalID, diffID, NULL, OID, PKIX_FALSE);

cleanup:

    PKIX_TEST_DECREF_AC(goodID);
    PKIX_TEST_DECREF_AC(equalID);
    PKIX_TEST_DECREF_AC(diffID);
    PKIX_TEST_DECREF_AC(goodPolicy);
    PKIX_TEST_DECREF_AC(equalPolicy);
    PKIX_TEST_DECREF_AC(diffPolicy);
    PKIX_TEST_DECREF_AC(goodPolicyInfo);
    PKIX_TEST_DECREF_AC(equalPolicyInfo);
    PKIX_TEST_DECREF_AC(diffPolicyInfo);
    PKIX_TEST_DECREF_AC(goodCert);
    PKIX_TEST_DECREF_AC(equalCert);
    PKIX_TEST_DECREF_AC(diffCert);
    PKIX_TEST_RETURN();
}

static void
testCertPolicy_GetPolQualifiers(char *dataDir)
{
    char *goodCertName =
        "UserNoticeQualifierTest15EE.crt";
    char *equalCertName =
        "UserNoticeQualifierTest16EE.crt";
    char *diffCertName =
        "UserNoticeQualifierTest18EE.crt";
    PKIX_Boolean isImmutable = PKIX_FALSE;
    PKIX_PL_Cert *goodCert = NULL;
    PKIX_PL_Cert *equalCert = NULL;
    PKIX_PL_Cert *diffCert = NULL;
    PKIX_List *goodPolicyInfo = NULL;
    PKIX_List *equalPolicyInfo = NULL;
    PKIX_List *diffPolicyInfo = NULL;
    PKIX_PL_CertPolicyInfo *goodPolicy = NULL;
    PKIX_PL_CertPolicyInfo *equalPolicy = NULL;
    PKIX_PL_CertPolicyInfo *diffPolicy = NULL;
    PKIX_List *goodQuals = NULL;
    PKIX_List *equalQuals = NULL;
    PKIX_List *diffQuals = NULL;

    PKIX_TEST_STD_VARS();
    subTest("PKIX_PL_CertPolicyInfo_GetPolQualifiers");

    /*
     * Get the cert, then the list of policyInfos.
     * Take the first policyInfo from the list.
     * Get its list of PolicyQualifiers.
     */

    /* Get the PolicyInfo objects */
    goodCert = createCert(dataDir, goodCertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(goodCert, &goodPolicyInfo, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy,&nbsp;plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(goodPolicy, &goodQuals,&nbsp;plContext));

    equalCert = createCert(dataDir, equalCertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(equalCert, &equalPolicyInfo, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(equalPolicyInfo,
                                                0,
                                                (PKIX_PL_Object **)&equalPolicy,
                                                plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(equalPolicy, &equalQuals,&nbsp;plContext));

    diffCert = createCert(dataDir, diffCertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(diffCert, &diffPolicyInfo, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy,&nbsp;plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(diffPolicy, &diffQuals,&nbsp;plContext));

    PKIX_TEST_EQ_HASH_TOSTR_DUP(goodQuals,
                                equalQuals,
                                diffQuals,
                                NULL,
                                List,
                                PKIX_FALSE);

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_IsImmutable(goodQuals, &isImmutable, plContext));

    if (isImmutable != PKIX_TRUE) {
        testError("PolicyQualifier List is not immutable");
    }

cleanup:

    PKIX_TEST_DECREF_AC(goodCert);
    PKIX_TEST_DECREF_AC(goodPolicyInfo);
    PKIX_TEST_DECREF_AC(goodPolicy);
    PKIX_TEST_DECREF_AC(goodQuals);
    PKIX_TEST_DECREF_AC(equalCert);
    PKIX_TEST_DECREF_AC(equalPolicyInfo);
    PKIX_TEST_DECREF_AC(equalQuals);
    PKIX_TEST_DECREF_AC(equalPolicy);
    PKIX_TEST_DECREF_AC(diffCert);
    PKIX_TEST_DECREF_AC(diffPolicyInfo);
    PKIX_TEST_DECREF_AC(diffPolicy);
    PKIX_TEST_DECREF_AC(diffQuals);

    PKIX_TEST_RETURN();
}

static void
testPolicyQualifier_GetQualifier(char *dataDir)
{
    char *goodCertName =
        "UserNoticeQualifierTest15EE.crt";
    char *equalCertName =
        "UserNoticeQualifierTest16EE.crt";
    char *diffCertName =
        "UserNoticeQualifierTest18EE.crt";
    PKIX_PL_Cert *goodCert = NULL;
    PKIX_PL_Cert *equalCert = NULL;
    PKIX_PL_Cert *diffCert = NULL;
    PKIX_List *goodPolicyInfo = NULL;
    PKIX_List *equalPolicyInfo = NULL;
    PKIX_List *diffPolicyInfo = NULL;
    PKIX_PL_CertPolicyInfo *goodPolicy = NULL;
    PKIX_PL_CertPolicyInfo *equalPolicy = NULL;
    PKIX_PL_CertPolicyInfo *diffPolicy = NULL;
    PKIX_List *goodQuals = NULL;
    PKIX_List *equalQuals = NULL;
    PKIX_List *diffQuals = NULL;
    PKIX_PL_CertPolicyQualifier *goodPolQualifier = NULL;
    PKIX_PL_CertPolicyQualifier *equalPolQualifier = NULL;
    PKIX_PL_CertPolicyQualifier *diffPolQualifier = NULL;
    PKIX_PL_ByteArray *goodArray = NULL;
    PKIX_PL_ByteArray *equalArray = NULL;
    PKIX_PL_ByteArray *diffArray = NULL;

    PKIX_TEST_STD_VARS();
    subTest("PKIX_PL_PolicyQualifier_GetQualifier");

    /*
     * Get the cert, then the list of policyInfos.
     * Take the first policyInfo from the list.
     * Get its list of PolicyQualifiers.
     * Take the first policyQualifier from the list.
     * Finally, get the policyQualifier's ByteArray.
     */

    /* Get the PolicyInfo objects */
    goodCert = createCert(dataDir, goodCertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(goodCert, &goodPolicyInfo, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy,&nbsp;plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(goodPolicy, &goodQuals,&nbsp;plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(goodQuals,
                                                0,
                                                (PKIX_PL_Object **)&goodPolQualifier,
                                                plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetQualifier(goodPolQualifier, &goodArray,&nbsp;plContext));

    equalCert = createCert(dataDir, equalCertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(equalCert, &equalPolicyInfo, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(equalPolicyInfo,
                                                0,
                                                (PKIX_PL_Object **)&equalPolicy,
                                                plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(equalPolicy, &equalQuals,&nbsp;plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(equalQuals,
                                                0,
                                                (PKIX_PL_Object **)&equalPolQualifier,
                                                plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetQualifier(equalPolQualifier, &equalArray, plContext));

    diffCert = createCert(dataDir, diffCertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(diffCert, &diffPolicyInfo, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy,&nbsp;plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(diffPolicy, &diffQuals,&nbsp;plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(diffQuals,
                                                0,
                                                (PKIX_PL_Object **)&diffPolQualifier,
                                                plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetQualifier(diffPolQualifier, &diffArray,&nbsp;plContext));

    PKIX_TEST_EQ_HASH_TOSTR_DUP(goodArray, equalArray, diffArray, NULL, ByteArray, PKIX_FALSE);

cleanup:

    PKIX_TEST_DECREF_AC(goodArray);
    PKIX_TEST_DECREF_AC(equalArray);
    PKIX_TEST_DECREF_AC(diffArray);
    PKIX_TEST_DECREF_AC(goodPolQualifier);
    PKIX_TEST_DECREF_AC(equalPolQualifier);
    PKIX_TEST_DECREF_AC(diffPolQualifier);
    PKIX_TEST_DECREF_AC(goodQuals);
    PKIX_TEST_DECREF_AC(equalQuals);
    PKIX_TEST_DECREF_AC(diffQuals);
    PKIX_TEST_DECREF_AC(goodPolicy);
    PKIX_TEST_DECREF_AC(equalPolicy);
    PKIX_TEST_DECREF_AC(diffPolicy);
    PKIX_TEST_DECREF_AC(goodPolicyInfo);
    PKIX_TEST_DECREF_AC(equalPolicyInfo);
    PKIX_TEST_DECREF_AC(diffPolicyInfo);
    PKIX_TEST_DECREF_AC(goodCert);
    PKIX_TEST_DECREF_AC(equalCert);
    PKIX_TEST_DECREF_AC(diffCert);
    PKIX_TEST_RETURN();
}

static void
testPolicyQualifier_GetPolicyQualifierId(char *dataDir)
{
    char *goodCertName =
        "UserNoticeQualifierTest15EE.crt";
    char *equalCertName =
        "UserNoticeQualifierTest16EE.crt";
    char *diffCertName =
        "CPSPointerQualifierTest20EE.crt";
    PKIX_PL_Cert *goodCert = NULL;
    PKIX_PL_Cert *equalCert = NULL;
    PKIX_PL_Cert *diffCert = NULL;
    PKIX_List *goodPolicyInfo = NULL;
    PKIX_List *equalPolicyInfo = NULL;
    PKIX_List *diffPolicyInfo = NULL;
    PKIX_PL_CertPolicyInfo *goodPolicy = NULL;
    PKIX_PL_CertPolicyInfo *equalPolicy = NULL;
    PKIX_PL_CertPolicyInfo *diffPolicy = NULL;
    PKIX_List *goodQuals = NULL;
    PKIX_List *equalQuals = NULL;
    PKIX_List *diffQuals = NULL;
    PKIX_PL_CertPolicyQualifier *goodPolQualifier = NULL;
    PKIX_PL_CertPolicyQualifier *equalPolQualifier = NULL;
    PKIX_PL_CertPolicyQualifier *diffPolQualifier = NULL;
    PKIX_PL_OID *goodID = NULL;
    PKIX_PL_OID *equalID = NULL;
    PKIX_PL_OID *diffID = NULL;

    PKIX_TEST_STD_VARS();
    subTest("PKIX_PL_PolicyQualifier_GetPolicyQualifierId");

    /*
     * Get the cert, then the list of policyInfos.
     * Take the first policyInfo from the list.
     * Get its list of PolicyQualifiers.
     * Take the first policyQualifier from the list.
     * Finally, get the policyQualifier's ID.
     */

    /* Get the PolicyQualifier objects */
    goodCert = createCert(dataDir, goodCertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(goodCert, &goodPolicyInfo, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(goodPolicyInfo, 0, (PKIX_PL_Object **)&goodPolicy,&nbsp;plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(goodPolicy, &goodQuals,&nbsp;plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(goodQuals,
                                                0,
                                                (PKIX_PL_Object **)&goodPolQualifier,
                                                plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetPolicyQualifierId(goodPolQualifier, &goodID, plContext));

    equalCert = createCert(dataDir, equalCertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(equalCert, &equalPolicyInfo, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(equalPolicyInfo,
                                                0,
                                                (PKIX_PL_Object **)&equalPolicy,
                                                plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(equalPolicy, &equalQuals,&nbsp;plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(equalQuals,
                                                0,
                                                (PKIX_PL_Object **)&equalPolQualifier,
                                                plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetPolicyQualifierId(equalPolQualifier, &equalID, plContext));

    diffCert = createCert(dataDir, diffCertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyInformation(diffCert, &diffPolicyInfo, plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(diffPolicyInfo, 0, (PKIX_PL_Object **)&diffPolicy,&nbsp;plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyInfo_GetPolQualifiers(diffPolicy, &diffQuals,&nbsp;plContext));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(diffQuals,
                                                0,
                                                (PKIX_PL_Object **)&diffPolQualifier,
                                                plContext));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_PolicyQualifier_GetPolicyQualifierId(diffPolQualifier, &diffID, plContext));

    PKIX_TEST_EQ_HASH_TOSTR_DUP(goodID, equalID, diffID, NULL, OID, PKIX_FALSE);

cleanup:

    PKIX_TEST_DECREF_AC(goodID);
    PKIX_TEST_DECREF_AC(equalID);
    PKIX_TEST_DECREF_AC(diffID);
    PKIX_TEST_DECREF_AC(goodPolQualifier);
    PKIX_TEST_DECREF_AC(equalPolQualifier);
    PKIX_TEST_DECREF_AC(diffPolQualifier);
    PKIX_TEST_DECREF_AC(goodQuals);
    PKIX_TEST_DECREF_AC(equalQuals);
    PKIX_TEST_DECREF_AC(diffQuals);
    PKIX_TEST_DECREF_AC(goodPolicy);
    PKIX_TEST_DECREF_AC(equalPolicy);
    PKIX_TEST_DECREF_AC(diffPolicy);
    PKIX_TEST_DECREF_AC(goodPolicyInfo);
    PKIX_TEST_DECREF_AC(equalPolicyInfo);
    PKIX_TEST_DECREF_AC(diffPolicyInfo);
    PKIX_TEST_DECREF_AC(goodCert);
    PKIX_TEST_DECREF_AC(equalCert);
    PKIX_TEST_DECREF_AC(diffCert);
    PKIX_TEST_RETURN();
}

static void
testAreCertPoliciesCritical(char *dataCentralDir, char *dataDir)
{

    char *trueCertName = "CertificatePoliciesCritical.crt";
    char *falseCertName = "UserNoticeQualifierTest15EE.crt";
    PKIX_PL_Cert *trueCert = NULL;
    PKIX_PL_Cert *falseCert = NULL;
    PKIX_Boolean trueVal = PKIX_FALSE;
    PKIX_Boolean falseVal = PKIX_FALSE;

    PKIX_TEST_STD_VARS();
    subTest("PKIX_PL_Cert_AreCertPoliciesCritical - ");

    trueCert = createCert(dataCentralDir, trueCertName, plContext);

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_AreCertPoliciesCritical(trueCert, &trueVal, plContext));

    if (trueVal != PKIX_TRUE) {
        testError("unexpected mismatch");
        (void)printf("Actual value:\t%d\n", trueVal);
        (void)printf("Expected value:\t1\n");
        goto cleanup;
    }

    subTest("PKIX_PL_Cert_AreCertPoliciesCritical - ");

    falseCert = createCert(dataDir, falseCertName, plContext);

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_AreCertPoliciesCritical(falseCert, &falseVal, plContext));

    if (falseVal != PKIX_FALSE) {
        testError("unexpected mismatch");
        (void)printf("Actual value:\t%d\n", falseVal);
        (void)printf("Expected value:\t0\n");
        goto cleanup;
    }

cleanup:

    PKIX_TEST_DECREF_AC(trueCert);
    PKIX_TEST_DECREF_AC(falseCert);

    PKIX_TEST_RETURN();
}

static void
testCertPolicyConstraints(char *dataDir)
{
    char *requireExplicitPolicy2CertName =
        "requireExplicitPolicy2CACert.crt";
    char *inhibitPolicyMapping5CertName =
        "inhibitPolicyMapping5CACert.crt";
    char *inhibitAnyPolicy5CertName =
        "inhibitAnyPolicy5CACert.crt";
    char *inhibitAnyPolicy0CertName =
        "inhibitAnyPolicy0CACert.crt";
    PKIX_PL_Cert *requireExplicitPolicy2Cert = NULL;
    PKIX_PL_Cert *inhibitPolicyMapping5Cert = NULL;
    PKIX_PL_Cert *inhibitAnyPolicy5Cert = NULL;
    PKIX_PL_Cert *inhibitAnyPolicy0Cert = NULL;
    PKIX_Int32 skipCerts = 0;

    PKIX_TEST_STD_VARS();

    subTest("PKIX_PL_Cert_GetRequireExplicitPolicy");
    requireExplicitPolicy2Cert = createCert(dataDir, requireExplicitPolicy2CertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetRequireExplicitPolicy(requireExplicitPolicy2Cert, &skipCerts, NULL));
    PR_ASSERT(skipCerts == 2);

    subTest("PKIX_PL_Cert_GetPolicyMappingInhibited");
    inhibitPolicyMapping5Cert = createCert(dataDir, inhibitPolicyMapping5CertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyMappingInhibited(inhibitPolicyMapping5Cert, &skipCerts, NULL));
    PR_ASSERT(skipCerts == 5);

    subTest("PKIX_PL_Cert_GetInhibitAnyPolicy");
    inhibitAnyPolicy5Cert = createCert(dataDir, inhibitAnyPolicy5CertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetInhibitAnyPolicy(inhibitAnyPolicy5Cert, &skipCerts, NULL));
    PR_ASSERT(skipCerts == 5);

    inhibitAnyPolicy0Cert = createCert(dataDir, inhibitAnyPolicy0CertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetInhibitAnyPolicy(inhibitAnyPolicy0Cert, &skipCerts, NULL));
    PR_ASSERT(skipCerts == 0);

cleanup:

    PKIX_TEST_DECREF_AC(requireExplicitPolicy2Cert);
    PKIX_TEST_DECREF_AC(inhibitPolicyMapping5Cert);
    PKIX_TEST_DECREF_AC(inhibitAnyPolicy5Cert);
    PKIX_TEST_DECREF_AC(inhibitAnyPolicy0Cert);

    PKIX_TEST_RETURN();
}

static void
testCertPolicyMaps(char *dataDir)
{
    char *policyMappingsCertName =
        "P1Mapping1to234CACert.crt";
    char *expectedAscii =
        "2.16.840.1.101.3.2.1.48.1=>2.16.840.1.101.3.2.1.48.2";

    PKIX_PL_Cert *policyMappingsCert = NULL;
    PKIX_List *mappings = NULL;
    PKIX_PL_CertPolicyMap *goodMap = NULL;
    PKIX_PL_CertPolicyMap *equalMap = NULL;
    PKIX_PL_CertPolicyMap *diffMap = NULL;
    PKIX_PL_OID *goodOID = NULL;
    PKIX_PL_OID *equalOID = NULL;
    PKIX_PL_OID *diffOID = NULL;

    PKIX_TEST_STD_VARS();

    subTest("PKIX_PL_Cert_GetPolicyMappings");

    policyMappingsCert = createCert(dataDir, policyMappingsCertName, plContext);
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Cert_GetPolicyMappings(policyMappingsCert, &mappings, ;NULL));

    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(mappings, 0, (PKIX_PL_Object **)&goodMap, NULL));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(mappings, 0, (PKIX_PL_Object **)&equalMap, NULL));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(mappings, 2, (PKIX_PL_Object **)&diffMap, NULL));

    PKIX_TEST_EQ_HASH_TOSTR_DUP(goodMap,
                                equalMap,
                                diffMap,
                                expectedAscii,
                                CertPolicyMap,
                                PKIX_TRUE);

    subTest("PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy(goodMap, &goodOID,&nbsp;NULL));
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyMap_GetIssuerDomainPolicy(diffMap, &equalOID,&nbsp;NULL));
    subTest("PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy");
    PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_CertPolicyMap_GetSubjectDomainPolicy(diffMap, &diffOID,&nbsp;NULL));

    PKIX_TEST_EQ_HASH_TOSTR_DUP(goodOID,
--> --------------------

--> maximum size reached

--> --------------------