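# Copyright 2016 The Chromium Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

'''Generates a test suite from NIST PKITS test descriptions.

The output is a set of Type Parameterized Tests which are included by
pkits_unittest.h. See pkits_unittest.h for information on using the tests.
GoogleTest has a limit of 50 tests per type parameterized testcase, so the tests
are split up by section number (this also makes it possible to easily skip
sections that pertain to non-implemented features).

Usage:
  generate_tests.py <PKITS.pdf> <output.h>
'''

import os
import re
import subprocess
import sys
import tempfile


def sanitize_name(s):
  '''Returns |s| with every space and hyphen removed.

  The result is used as part of generated C++ test names and as cert/CRL
  names; no other characters are filtered.
  '''
  return s.translate(str.maketrans('', '', ' -'))


def finalize_test_case(test_case_name, sanitized_test_names, output):
  '''Writes the suite registration macro for |test_case_name| to |output|,
  listing every name in |sanitized_test_names|.'''
  output.write('\nWRAPPED_REGISTER_TYPED_TEST_SUITE_P(%s' % test_case_name)
  for name in sanitized_test_names:
    output.write(',\n    %s' % name)
  output.write(');\n')


def bool_to_str(b):
  '''Returns the C++ boolean literal ("true"/"false") for the truthiness of
  |b|.'''
  return "true" if b else "false"


def make_policies_string(policies):
  '''Returns |policies| joined with commas and wrapped in double quotes.'''
  return '"' + ','.join(policies) + '"'


def output_test(test_case_name, test_number, raw_test_name, subpart_number,
                info, certs, crls, sanitized_test_names, output):
  '''Writes a test case to |output|, and appends the test name to
  |sanitized_test_names|.

  Args:
    test_case_name: name of the typed test suite the test is added to.
    test_number: dotted test number, ex: "4.1.1". Its second component is
        used in the generated test name.
    raw_test_name: test title; spaces and hyphens are stripped for the name.
    subpart_number: integer, or None. When not None it is appended to the
        generated name and to the header comment.
    info: a TestInfo describing the inputs and the expected result.
    certs: cert names, emitted as C++ string literals.
    crls: CRL names, emitted as C++ string literals.
    sanitized_test_names: list that receives the generated test name.
    output: writable text stream for the generated header.
  '''
  sanitized_test_name = 'Section%s%s' % (test_number.split('.')[1],
                                         sanitize_name(raw_test_name))

  subpart_comment = ''
  if subpart_number is not None:
    sanitized_test_name += "Subpart%d" % (subpart_number)
    subpart_comment = ' (Subpart %d)' % (subpart_number)

  sanitized_test_names.append(sanitized_test_name)

  # NOTE(review): names are interpolated into C++ string literals and
  # identifiers without escaping; a value containing '"' or '\' would yield a
  # malformed header. The input is presumably the published NIST PDF only --
  # confirm before running this generator on any other source.
  certs_formatted = ', '.join('"%s"' % n for n in certs)
  crls_formatted = ', '.join('"%s"' % n for n in crls)

  # The template fields are passed explicitly rather than through vars(), so
  # the format string can only see the values intended for it.
  output.write('''
// %(test_number)s %(raw_test_name)s%(subpart_comment)s
WRAPPED_TYPED_TEST_P(%(test_case_name)s, %(sanitized_test_name)s) {
  const char* const certs[] = {
    %(certs_formatted)s
  };
  const char* const crls[] = {
    %(crls_formatted)s
  };
''' % {
      'test_number': test_number,
      'raw_test_name': raw_test_name,
      'subpart_comment': subpart_comment,
      'test_case_name': test_case_name,
      'sanitized_test_name': sanitized_test_name,
      'certs_formatted': certs_formatted,
      'crls_formatted': crls_formatted,
  })

  default_info = TestInfo(None)

  if info.include_subpart_in_test_number:
    test_number = "%s.%d" % (test_number, subpart_number)

  output.write('''PkitsTestInfo info;
  info.test_number = "%s";
  info.should_validate = %s;
''' % (test_number, bool_to_str(info.should_validate)))

  # Output any non-default inputs/outputs. Only properties that differ from
  # the defaults are written, so as to keep the generated file more readable.
  # Each row is (TestInfo attribute, C++ setter, value formatter).
  optional_setters = (
      ('initial_policy_set', 'SetInitialPolicySet', make_policies_string),
      ('initial_explicit_policy', 'SetInitialExplicitPolicy', bool_to_str),
      ('initial_policy_mapping_inhibit', 'SetInitialPolicyMappingInhibit',
       bool_to_str),
      ('initial_inhibit_any_policy', 'SetInitialInhibitAnyPolicy',
       bool_to_str),
      ('user_constrained_policy_set', 'SetUserConstrainedPolicySet',
       make_policies_string),
  )
  for attribute, setter, to_cpp in optional_setters:
    value = getattr(info, attribute)
    if value != getattr(default_info, attribute):
      output.write('  info.%s(%s);\n' % (setter, to_cpp(value)))

  output.write('''
  this->RunTest(certs, crls, info);
}
''')


# The patterns below are raw strings so that "\s" and "\d" reach the regex
# engine as written instead of relying on Python passing unknown string escapes
# through (which newer interpreters warn about). "\ufffd" is resolved by the re
# module itself, so the compiled patterns match the same text as before.

# Matches a section header, ex: "4.1 Signature Verification"
SECTION_MATCHER = re.compile(r'^\s*(\d+\.\d+)\s+(.+?)\s*\ufffd?$')
# Matches a test header, ex: "4.1.1 Valid Signatures Test1"
# NOTE(review): the second '.' in the number is unescaped and so matches any
# character; presumably '\.' was intended. Left as is -- confirm against the
# extracted PDF text before tightening.
TEST_MATCHER = re.compile(r'^\s*(\d+\.\d+.\d+)\s+(.+?)\s*\ufffd?$')

# Matches the various headers in a test specification.
EXPECTED_HEADER_MATCHER = re.compile(r'^\s*Expected Result:')
PROCEDURE_HEADER_MATCHER = re.compile(r'^\s*Procedure:')
PATH_HEADER_MATCHER = re.compile(r'^\s*Certification Path:')

# Matches the Procedure text if using default settings.
USING_DEFAULT_SETTINGS_MATCHER = re.compile(
    r'^.*using the \s*default settings.*')

# Matches the description text if using custom settings.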
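CUSTOM_SETTINGS_MATCHER = re.compile(
    r'.*this\s+test\s+be\s+validated\s+using\s+the\s+following\s+inputs:.*')

# Match an expected test result. Note that some results in the PDF have a typo
# "path not should validate" instead of "path should not validate".
TEST_RESULT_MATCHER = re.compile(
    '^.*path (should validate|should not validate|not should validate)')

# Matches a line in the certification path, ex:
#    "\u2022 Good CA Cert, Good CA CRL"
# (Raw string: the re module resolves "\u2022" itself.)
PATH_MATCHER = re.compile(r'^\s*\u2022\s*(.+)\s*$')
# Matches a page number. These may appear in the middle of multi-line fields and
# thus need to be ignored.
PAGE_NUMBER_MATCHER = re.compile(r'^\s*\d+\s*$')
# Matches if an entry in a certification path refers to a CRL, ex:
# "onlySomeReasons CA2 CRL1".
CRL_MATCHER = re.compile(r'^.*CRL\d*$')


class TestSections(object):
  '''Raw text lines of one test description, split into its four parts.'''

  def __init__(self):
    self.description_lines = []
    self.procedure_lines = []
    self.expected_result_lines = []
    self.cert_path_lines = []


def _read_until(lines, i, is_boundary):
  '''Collects lines[i:] up to, but not including, the first boundary line.

  Returns (index of the boundary line or len(lines), collected lines).
  '''
  collected = []
  while i < len(lines) and not is_boundary(lines[i]):
    collected.append(lines[i])
    i += 1
  return i, collected


def parse_main_test_sections(lines, i):
  '''Splits the text of one test, starting at lines[i], into its sections.

  Each header line is not consumed by the section before it, so it becomes the
  first line of its own section (ex: procedure_lines starts with the
  "Procedure:" line).

  Returns:
    (i, sections): the index of the next test or section title (or
    len(lines)), and a TestSections holding the collected lines.
  '''
  result = TestSections()

  # Read the description lines (text after test name up until
  # "Procedure:").
  i, result.description_lines = _read_until(
      lines, i, PROCEDURE_HEADER_MATCHER.match)

  # Read the procedure lines (text starting at "Procedure:" and up until
  # "Expected Result:".
  i, result.procedure_lines = _read_until(
      lines, i, EXPECTED_HEADER_MATCHER.match)

  # Read the expected result lines (text starting at "Expected Result:" and up
  # until "Certification Path:".
  i, result.expected_result_lines = _read_until(
      lines, i, PATH_HEADER_MATCHER.match)

  # Read the certification path lines (text starting at "Certification Path:"
  # and up until the next test title.
  i, result.cert_path_lines = _read_until(
      lines, i,
      lambda line: TEST_MATCHER.match(line) or SECTION_MATCHER.match(line))

  return i, result


def parse_cert_path_lines(lines):
  '''Extracts the cert and CRL names from a "Certification Path" section.

  The first line of |lines| (the section header) is skipped. Bulleted lines
  start a new entry, other non-empty lines continue the previous one, and
  each entry is split on commas. Names have spaces and hyphens removed.

  Returns:
    (certs, crls): two lists of sanitized names, in order of appearance.

  Raises:
    IndexError: if continuation text appears before any bulleted entry.
  '''
  path_lines = []
  crls = []
  certs = []

  for line in lines[1:]:
    line = line.strip()

    if "is composed of the following objects:" in line:
      continue
    if "See the introduction to Section 4.4 for more information." in line:
      continue

    if not line or PAGE_NUMBER_MATCHER.match(line):
      continue
    path_match = PATH_MATCHER.match(line)
    if path_match:
      path_lines.append(path_match.group(1))
      continue
    # Continuation of previous path line. Without a previous entry there is
    # nothing to extend; fail with a message that names the offending text.
    if not path_lines:
      raise IndexError(
          'certification path text continues before any bullet entry: %r'
          % line)
    path_lines[-1] += ' ' + line

  for path_line in path_lines:
    for path in path_line.split(','):
      path = sanitize_name(path.strip())
      if CRL_MATCHER.match(path):
        crls.append(path)
      else:
        certs.append(path)

  return certs, crls


ANY_POLICY = 'anyPolicy'
TEST_POLICY_1 = 'NIST-test-policy-1'
TEST_POLICY_2 = 'NIST-test-policy-2'
TEST_POLICY_3 = 'NIST-test-policy-3'
TEST_POLICY_6 = 'NIST-test-policy-6'

# Note: This omits some outputs from PKITS:
#
#  * authorities-constrained-policy-set
#  * explicit-policy-indicator
class TestInfo(object):
  """Describes the inputs and expected outputs of one test.

  should_validate is the expected path validation result. The initial_*
  arguments are the validation inputs, user_constrained_policy_set is the
  expected output policy set, and include_subpart_in_test_number controls
  whether the generator appends the subpart to the emitted test number.
  """

  def __init__(self, should_validate,
               # These defaults come from section 3 of PKITS.pdf
               # (None stands for [ANY_POLICY], see below.)
               initial_policy_set = None,
               initial_explicit_policy = False,
               initial_policy_mapping_inhibit = False,
               initial_inhibit_any_policy = False,
               # In all of the tests that are not related to policy processing,
               # each certificate in the path asserts the certificate policy
               # 2.16.840.1.101.3.2.1.48.1
               # (None stands for [TEST_POLICY_1], see below.)
               user_constrained_policy_set = None,
               include_subpart_in_test_number = False):
    # The list defaults are built per instance: a list literal in the
    # signature would be one object shared by every TestInfo, so mutating it
    # through one instance would change the "default" seen by all others.
    if initial_policy_set is None:
      initial_policy_set = [ANY_POLICY]
    if user_constrained_policy_set is None:
      user_constrained_policy_set = [TEST_POLICY_1]

    self.should_validate = should_validate
    self.initial_policy_set = initial_policy_set
    self.initial_explicit_policy = initial_explicit_policy
    self.initial_policy_mapping_inhibit = initial_policy_mapping_inhibit
    self.initial_inhibit_any_policy = initial_inhibit_any_policy
    self.user_constrained_policy_set = user_constrained_policy_set
    self.include_subpart_in_test_number = include_subpart_in_test_number


TEST_OVERRIDES = {
    '4.8.1': [ # All Certificates Same Policy Test1
        # 1. default settings, but with initial-explicit-policy set. The path
        # should validate successfully
        TestInfo(True, initial_explicit_policy=True,
                 user_constrained_policy_set=[TEST_POLICY_1]),

        # 2.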
default settings, but with initial-explicit-policy set and 280 # initial-policy-set = {NIST-test-policy-1}. The path should validate 281 # successfully. 282 TestInfo(True, initial_explicit_policy=True, 283 initial_policy_set=[TEST_POLICY_1], 284 user_constrained_policy_set=[TEST_POLICY_1]), 285 286 # 3. default settings, but with initial-explicit-policy set and 287 # initial-policy-set = {NIST-test-policy-2}. The path should not validate 288 # successfully. 289 TestInfo(False, initial_explicit_policy=True, 290 initial_policy_set=[TEST_POLICY_2], 291 user_constrained_policy_set=[]), 292 293 # 4. default settings, but with initial-explicit-policy set and 294 # initial-policy-set = {NIST-test-policy-1, NIST-test-policy-2}. The path 295 # should validate successfully. 296 TestInfo(True, initial_explicit_policy=True, 297 initial_policy_set=[TEST_POLICY_1, TEST_POLICY_2], 298 user_constrained_policy_set=[TEST_POLICY_1]), 299 ], 300 301 '4.8.2': [ # All Certificates No Policies Test2 302 # 1. default settings. The path should validate successfully. 303 TestInfo(True, user_constrained_policy_set=[]), 304 305 # 2. default settings, but with initial-explicit-policy set. The path 306 # should not validate successfully 307 TestInfo(False, initial_explicit_policy=True, 308 user_constrained_policy_set=[]), 309 ], 310 311 '4.8.3': [ # Different Policies Test3 312 # 1. default settings. The path should validate successfully. 313 TestInfo(True, user_constrained_policy_set=[]), 314 315 # 2. default settings, but with initial-explicit-policy set. The path 316 # should not validate successfully. 317 TestInfo(False, initial_explicit_policy=True, user_constrained_policy_set=[]), 318 319 # 3. default settings, but with initial-explicit-policy set and 320 # initial-policy-set = {NIST-test-policy-1, NIST-test-policy-2}. The path 321 # should not validate successfully. 
322 TestInfo(False, initial_explicit_policy=True, 323 initial_policy_set=[TEST_POLICY_1, TEST_POLICY_2], 324 user_constrained_policy_set=[]), 325 ], 326 327 '4.8.4': [ # Different Policies Test4 328 # Procedure: Validate Different Policies Test4 EE using the default 329 # settings or open and verify Signed Test Message 6.2.2.69 using the 330 # default settings. 331 # 332 # Expected Result: The authorities-constrained-policy-set and the 333 # user-constrained-policy-set will be empty. The explicit-policy-indicator 334 # will be set if the application can process the policyConstraints 335 # extension. If the application can process the policyConstraints extension 336 # then the path should not validate successfully. If the application can 337 # not process the policyConstraints extension, then the path should 338 # validate successfully. 339 TestInfo(False, user_constrained_policy_set=[]), 340 ], 341 342 '4.8.5': [ # 4.8.5 Different Policies Test5 343 # Procedure: Validate Different Policies Test5 EE using the default 344 # settings or open and verify Signed Test Message 6.2.2.70 using the 345 # default settings. 346 # 347 # Expected Result: The authorities-constrained-policy-set and the 348 # user-constrained-policy-set will be empty. The explicit-policy-indicator 349 # will be set if the application can process the policyConstraints 350 # extension. If the application can process the policyConstraints extension 351 # then the path should not validate successfully. If the application can 352 # not process the policyConstraints extension, then the path should 353 # validate successfully 354 TestInfo(False, user_constrained_policy_set=[]), 355 ], 356 357 '4.8.6': [ # Overlapping Policies Test6 358 # 1. default settings. The path should validate successfully. 359 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 360 361 # 2. default settings, but with initial-policy-set = {NIST-test-policy-1}. 362 # The path should validate successfully. 
363 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 364 user_constrained_policy_set=[TEST_POLICY_1]), 365 366 # 3. default settings, but with initial-policy-set = {NIST-test-policy-2}. 367 # The path should not validate successfully. 368 TestInfo(False, initial_policy_set=[TEST_POLICY_2], 369 user_constrained_policy_set=[]), 370 ], 371 372 '4.8.7': [ # Different Policies Test7 373 # Procedure: Validate Different Policies Test7 EE using the default 374 # settings or open and verify Signed Test Message 6.2.2.72 using the 375 # default settings. 376 # 377 # Expected Result: The authorities-constrained-policy-set and the 378 # user-constrained-policy-set will be empty. If the 379 # explicit-policy-indicator will be set if the application can process the 380 # policyConstraints extension. If the application can process the 381 # policyConstraints extension, then the path should not validate 382 # successfully. If the application can not process the policyConstraints 383 # extension, then the path should validate successfully. 384 TestInfo(False, user_constrained_policy_set=[]), 385 ], 386 387 '4.8.8': [ # Different Policies Test8 388 # Procedure: Validate Different Policies Test8 EE using the default 389 # settings or open and verify Signed Test Message 6.2.2.73 using the 390 # default settings. 391 # 392 # Expected Result: The authorities-constrained-policy-set and the 393 # user-constrained-policy-set will be empty. The explicit-policy-indicator 394 # will be set if the application can process the policyConstraints 395 # extension. If the application can process the policyConstraints extension 396 # then the path should not validate successfully. If the application can 397 # not process the policyConstraints extension, then the path should 398 # validate successfully. 
399 TestInfo(False, user_constrained_policy_set=[]), 400 ], 401 402 '4.8.9': [ # Different Policies Test9 403 # Procedure: Validate Different Policies Test9 EE using the default 404 # settings or open and verify Signed Test Message 6.2.2.74 using the 405 # default settings. 406 # 407 # Expected Result: The authorities-constrained-policy-set and the 408 # user-constrained-policy-set will be empty. The explicit-policy-indicator 409 # will be set if the application can process the policyConstraints 410 # extension. If the application can process the policyConstraints 411 # extension, then the path should not validate successfully. If the 412 # application can not process the policyConstraints extension, then the 413 # path should validate successfully. 414 TestInfo(False, user_constrained_policy_set=[]), 415 ], 416 417 '4.8.10': [ # All Certificates Same Policies Test10 418 # 1. default settings. The path should validate successfully. 419 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1, TEST_POLICY_2]), 420 421 # 2. default settings, but with initial-policy-set = {NIST-test-policy-1}. 422 # The path should validate successfully. 423 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 424 user_constrained_policy_set=[TEST_POLICY_1]), 425 426 # 3. default settings, but with initial-policy-set = {NIST-test-policy-2}. 427 # The path should validate successfully. 428 TestInfo(True, initial_policy_set=[TEST_POLICY_2], 429 user_constrained_policy_set=[TEST_POLICY_2]), 430 ], 431 432 '4.8.11': [ # All Certificates AnyPolicy Test11 433 # 1. default settings. The path should validate successfully. 434 TestInfo(True, user_constrained_policy_set=[ANY_POLICY]), 435 436 # 2. default settings, but with initial-policy-set = {NIST-test-policy-1}. 437 # The path should validate successfully. 
438 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 439 user_constrained_policy_set=[TEST_POLICY_1]), 440 ], 441 442 '4.8.12': [ # Different Policies Test12 443 # Procedure: Validate Different Policies Test12 EE using the default 444 # settings or open and verify Signed Test Message 6.2.2.77 using the 445 # default settings. 446 # 447 # Expected Result: The authorities-constrained-policy-set and the 448 # user-constrained-policy-set will be empty. The explicit-policy-indicator 449 # will be set if the application can process the policyConstraints 450 # extension. If the application can process the policyConstraints 451 # extension, then the path should not validate successfully. If the 452 # application can not process the policyConstraints extension, then the 453 # path should validate successfully. 454 TestInfo(False, user_constrained_policy_set=[]), 455 ], 456 457 '4.8.13': [ # All Certificates Same Policies Test13 458 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. 459 # The path should validate successfully. 460 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 461 user_constrained_policy_set=[TEST_POLICY_1]), 462 463 # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}. 464 # The path should validate successfully. 465 TestInfo(True, initial_policy_set=[TEST_POLICY_2], 466 user_constrained_policy_set=[TEST_POLICY_2]), 467 468 # 3. default settings, but with initial-policy-set = {NIST-test-policy-3}. 469 # The path should validate successfully. 470 TestInfo(True, initial_policy_set=[TEST_POLICY_3], 471 user_constrained_policy_set=[TEST_POLICY_3]), 472 ], 473 474 '4.8.14': [ # AnyPolicy Test14 475 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. 476 # The path should validate successfully. 477 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 478 user_constrained_policy_set=[TEST_POLICY_1]), 479 480 # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}. 
481 # The path should not validate successfully. 482 TestInfo(False, initial_policy_set=[TEST_POLICY_2], 483 user_constrained_policy_set=[]), 484 ], 485 486 '4.8.15': [ # User Notice Qualifier Test15 487 # Procedure: Validate User Notice Qualifier Test15 EE using the default 488 # settings or open and verify Signed Test Message 6.2.2.80 using the 489 # default settings. 490 # 491 # Expected Result: The authorities-constrained-policy-set will be 492 # {NIST-test-policy-1} and the explicit-policy-indicator will be the same 493 # as the initial-explicit-policy indicator. If the initial-policy-set is 494 # any-policy or otherwise includes NIST-test-policy-1, then the 495 # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the 496 # user-constrained-policy-set will be empty. If the initial-explicit-policy 497 # indicator is set and the initial-policy-set does not include 498 # NIST-test-policy-1, then the path should be rejected, otherwise it should 499 # validate successfully. If the path validates successfully, then the 500 # application should display the user notice. 501 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 502 ], 503 504 '4.8.16': [ # User Notice Qualifier Test16 505 # Procedure: Validate User Notice Qualifier Test16 EE using the default 506 # settings or open and verify Signed Test Message 6.2.2.81 using the 507 # default settings. 508 # 509 # Expected Result: The authorities-constrained-policy-set will be 510 # {NIST-test-policy-1} and the explicit-policy-indicator will be the same 511 # as the initial-explicit-policy indicator. If the initial-policy-set is 512 # any-policy or otherwise includes NIST-test-policy-1, then the 513 # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the 514 # user-constrained-policy-set will be empty. 
If the initial-explicit-policy 515 # indicator is set and the initial-policy-set does not include 516 # NIST-test-policy-1, then the path should be rejected, otherwise it should 517 # validate successfully. If the path validates successfully, then the 518 # application should display the user notice associated with 519 # NIST-test-policy-1. The user notice associated with NIST-test-policy-2 520 # should not be displayed. 521 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 522 ], 523 524 '4.8.17': [ # User Notice Qualifier Test17 525 # Procedure: Validate User Notice Qualifier Test17 EE using the default 526 # settings or open and verify Signed Test Message 6.2.2.82 using the 527 # default settings. 528 # 529 # Expected Result: The authorities-constrained-policy-set will be 530 # {NIST-test-policy-1} and the explicit-policy-indicator will be the same 531 # as the initial-explicit-policy indicator. If the initial-policy-set is 532 # any-policy or otherwise includes NIST-test-policy-1, then the 533 # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the 534 # user-constrained-policy-set will be empty. If the initial-explicit-policy 535 # indicator is set and the initial-policy-set does not include 536 # NIST-test-policy-1, then the path should be rejected, otherwise it should 537 # validate successfully. If the path validates successfully, then the 538 # application should display the user notice associated with anyPolicy. 539 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 540 ], 541 542 '4.8.18': [ # User Notice Qualifier Test18 543 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. 544 # The path should validate successfully and the qualifier associated with 545 # NIST-test-policy-1 in the end entity certificate should be displayed. 546 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 547 user_constrained_policy_set=[TEST_POLICY_1]), 548 549 # 2. 
default settings, but with initial-policy-set = {NIST-test-policy-2}. 550 # The path should validate successfully and the qualifier associated with 551 # anyPolicy in the end entity certificate should be displayed. 552 TestInfo(True, initial_policy_set=[TEST_POLICY_2], 553 user_constrained_policy_set=[TEST_POLICY_2]), 554 ], 555 556 '4.8.19': [ # User Notice Qualifier Test19 557 # Procedure: Validate User Notice Qualifier Test19 EE using the default 558 # settings or open and verify Signed Test Message 6.2.2.84 using the 559 # default settings. 560 # 561 # Expected Result: The authorities-constrained-policy-set will be 562 # {NIST-test-policy-1} and the explicit-policy-indicator will be the same 563 # as the initial-explicit-policy indicator. If the initial-policy-set is 564 # any-policy or otherwise includes NIST-test-policy-1, then the 565 # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the 566 # user-constrained-policy-set will be empty. If the initial-explicit-policy 567 # indicator is set and the initial-policy-set does not include 568 # NIST-test-policy-1, then the path should be rejected, otherwise it should 569 # validate successfully. Since the explicitText exceeds the maximum size 570 # of 200 characters, the application may choose to reject the certificate. 571 # If the application accepts the certificate, display of the user notice is 572 # optional. 573 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 574 ], 575 576 '4.8.20': [ # CPS Pointer Qualifier Test20 577 # Procedure: Validate CPS Pointer Qualifier Test20 EE using the default 578 # settings or open and verify Signed Test Message 6.2.2.85 using the 579 # default settings. (If possible, it is recommended that this test be run 580 # with the initial-explicit-policy indicator set. If this can not be done, 581 # manually check that the authorities-constrained-policy-set and 582 # user-constrained-policy-set are correct.) 
583 # 584 # Expected Result: The authorities-constrained-policy-set will be 585 # {NIST-test-policy-1} and the explicit-policy-indicator will be the same 586 # as the initial-explicit-policy indicator. If the initial-policy-set is 587 # any-policy or otherwise includes NIST-test-policy-1, then the 588 # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the 589 # user-constrained-policy-set will be empty. If the initial-explicit-policy 590 # indicator is set and the initial-policy-set does not include 591 # NIST-test-policy-1, then the path should be rejected, otherwise it should 592 # validate successfully. The CPS pointer in the qualifier should be 593 # associated with NIST-testpolicy-1 in the 594 # authorities-constrained-policy-set (and in the user-constrained-policy-set 595 # if NIST-test-policy-1 is in that set). There are no processing 596 # requirements associated with the CPS pointer qualifier. 597 TestInfo(True, initial_explicit_policy=True, 598 initial_policy_set=[TEST_POLICY_1], 599 user_constrained_policy_set=[TEST_POLICY_1]), 600 ], 601 602 '4.9.1': [ # Valid RequireExplicitPolicy Test1 603 # Procedure: Validate Valid requireExplicitPolicy Test1 EE using the 604 # default settings or open and verify Signed Test Message 6.2.2.86 using 605 # the default settings. 606 # 607 # Expected Result: The path should validate successfully since the 608 # explicit-policy-indicator is not set. 609 TestInfo(True, user_constrained_policy_set=[]), 610 ], 611 612 '4.9.2': [ # Valid RequireExplicitPolicy Test2 613 # Procedure: Validate Valid requireExplicitPolicy Test2 EE using the 614 # default settings or open and verify Signed Test Message 6.2.2.87 using 615 # the default settings. 
616 # 617 # Expected Result: The path should validate successfully since the 618 # explicit-policy-indicator is not set 619 TestInfo(True, user_constrained_policy_set=[]), 620 ], 621 622 '4.9.6': [ # Valid Self-Issued requireExplicitPolicy Test6 623 # Procedure: Validate Valid Self-Issued requireExplicitPolicy Test6 EE using 624 # the default settings or open and verify Signed Test Message 6.2.2.91 using 625 # the default settings. 626 # 627 # Expected Result: The path should validate successfully since the 628 # explicit-policy-indicator is not set. 629 TestInfo(True, user_constrained_policy_set=[]), 630 ], 631 632 '4.10.1': [ # Valid Policy Mapping Test1 633 # The errors in subparts 2 and 3 vary slightly, so we set 634 # include_subpart_in_test_number. 635 636 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. 637 # The path should validate successfully. 638 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 639 user_constrained_policy_set=[TEST_POLICY_1], 640 include_subpart_in_test_number=True), 641 642 # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}. 643 # The path should not validate successfully. 644 TestInfo(False, initial_policy_set=[TEST_POLICY_2], 645 user_constrained_policy_set=[], 646 include_subpart_in_test_number=True), 647 648 # 3. default settings, but with initial-policy-mapping-inhibit set. The 649 # path should not validate successfully. 650 TestInfo(False, initial_policy_mapping_inhibit=True, 651 user_constrained_policy_set=[], 652 include_subpart_in_test_number=True), 653 ], 654 655 '4.10.2': [ # Invalid Policy Mapping Test2 656 # 1. default settings. The path should not validate successfully. 657 TestInfo(False, user_constrained_policy_set=[]), 658 659 # 2. default settings, but with initial-policy-mapping-inhibit set. The 660 # path should not validate successfully. 
661 TestInfo(False, initial_policy_mapping_inhibit=True, 662 user_constrained_policy_set=[]), 663 ], 664 665 '4.10.3': [ # Valid Policy Mapping Test3 666 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. 667 # The path should not validate successfully. 668 TestInfo(False, initial_policy_set=[TEST_POLICY_1], 669 user_constrained_policy_set=[]), 670 671 # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}. 672 # The path should validate successfully. 673 TestInfo(True, initial_policy_set=[TEST_POLICY_2], 674 user_constrained_policy_set=[TEST_POLICY_2]), 675 ], 676 677 '4.10.4': [ # Invalid Policy Mapping Test4 678 # Procedure: Validate Invalid Policy Mapping Test4 EE using the default 679 # settings or open and verify Signed Test Message 6.2.2.97 using the 680 # default settings. 681 # 682 # Expected Result: The authorities-constrained-policy-set and the 683 # user-constrained-policy-set will be empty and the 684 # explicit-policy-indicator will be set (if the application can process the 685 # policyConstraints extension). If the application can process the 686 # policyConstraints extension, then the path should be rejected, otherwise 687 # it should validate successfully. 688 TestInfo(False, user_constrained_policy_set=[]), 689 ], 690 691 '4.10.5': [ # Valid Policy Mapping Test5 692 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. 693 # The path should validate successfully. 694 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 695 user_constrained_policy_set=[TEST_POLICY_1]), 696 697 # 2. default settings, but with initial-policy-set = {NIST-test-policy-6}. 698 # The path should not validate successfully. 699 TestInfo(False, initial_policy_set=[TEST_POLICY_6], 700 user_constrained_policy_set=[]), 701 ], 702 703 '4.10.6': [ # Valid Policy Mapping Test6 704 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. 705 # The path should validate successfully. 
706 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 707 user_constrained_policy_set=[TEST_POLICY_1]), 708 709 # 2. default settings, but with initial-policy-set = {NIST-test-policy-6}. 710 # The path should not validate successfully. 711 TestInfo(False, initial_policy_set=[TEST_POLICY_6], 712 user_constrained_policy_set=[]), 713 ], 714 715 '4.10.7': [ # Invalid Mapping From anyPolicy Test7 716 # Procedure: Validate Invalid Mapping From anyPolicy Test7 EE using the 717 # default settings or open and verify Signed Test Message 6.2.2.100 using 718 # the default settings. 719 # 720 # Expected Result: The path should not validate successfully since the 721 # intermediate certificate includes a policy mapping extension in which 722 # anyPolicy appears as an issuerDomainPolicy. 723 TestInfo(False, user_constrained_policy_set=[]), 724 ], 725 726 '4.10.8': [ # Invalid Mapping To anyPolicy Test8 727 # Procedure: Validate Invalid Mapping To anyPolicy Test8 EE using the 728 # default settings or open and verify Signed Test Message 6.2.2.101 using 729 # the default settings. 730 # 731 # Expected Result: The path should not validate successfully since the 732 # intermediate certificate includes a policy mapping extension in which 733 # anyPolicy appears as an subjectDomainPolicy. 734 TestInfo(False, user_constrained_policy_set=[]), 735 ], 736 737 '4.10.9': [ # Valid Policy Mapping Test9 738 # Procedure: Validate Valid Policy Mapping Test9 EE using the default 739 # settings or open and verify Signed Test Message 6.2.2.102 using the 740 # default settings. 741 # 742 # Expected Result: The authorities-constrained-policy-set will be 743 # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if 744 # the application can process the policyConstraints extension). If the 745 # initial-policy-set is any-policy or otherwise includes 746 # NIST-test-policy-1, then the user-constrained-policy-set will be 747 # {NIST-test-policy-1}. 
If not, the user-constrained-policy-set will be 748 # empty. If the initial-policy-set does not include NIST-test-policy-1 (and 749 # the application can process the policyConstraints extension), then the 750 # path should be rejected, otherwise it should validate successfully. 751 TestInfo(True), 752 ], 753 754 '4.10.10': [ # Invalid Policy Mapping Test10 755 # Procedure: Validate Invalid Policy Mapping Test10 EE using the default 756 # settings or open and verify Signed Test Message 6.2.2.103 using the 757 # default settings. 758 # 759 # Expected Result: The authorities-constrained-policy-set and the 760 # user-constrained-policy-set will be empty and the 761 # explicit-policy-indicator will be set (if the application can process the 762 # policyConstraints extension). If the application can process the 763 # policyConstraints extension, then the path should be rejected, otherwise 764 # it should validate successfully. 765 TestInfo(False, user_constrained_policy_set=[]), 766 ], 767 768 '4.10.11': [ # Valid Policy Mapping Test11 769 # Procedure: Validate Valid Policy Mapping Test11 EE using the default 770 # settings or open and verify Signed Test Message 6.2.2.104 using the 771 # default settings. 772 # 773 # Expected Result: The authorities-constrained-policy-set will be 774 # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if 775 # the application can process the policyConstraints extension). If the 776 # initial-policy-set is any-policy or otherwise includes 777 # NIST-test-policy-1, then the user-constrained-policy-set will be 778 # {NIST-test-policy-1}. If not, the user-constrained-policy-set will be 779 # empty. If the initial-policy-set does not include NIST-test-policy-1 (and 780 # the application can process the policyConstraints extension), then the 781 # path should be rejected, otherwise it should validate successfully. 
782 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 783 ], 784 785 '4.10.12': [ # Valid Policy Mapping Test12 786 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. 787 # The path should validate successfully and the application should display 788 # the user notice associated with NIST-test-policy-3 in the end entity 789 # certificate. 790 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 791 user_constrained_policy_set=[TEST_POLICY_1]), 792 793 # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}. 794 # The path should validate successfully and the application should display 795 # the user notice associated with anyPolicy in the end entity certificate. 796 TestInfo(True, initial_policy_set=[TEST_POLICY_2], 797 user_constrained_policy_set=[TEST_POLICY_2]), 798 ], 799 800 '4.10.13': [ # Valid Policy Mapping Test13 801 # Procedure: Validate Valid Policy Mapping Test13 EE using the default 802 # settings or open and verify Signed Test Message 6.2.2.106 using the 803 # default settings. 804 # 805 # Expected Result: The authorities-constrained-policy-set will be 806 # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if 807 # the application can process the policyConstraints extension). If the 808 # initial-policy-set is any-policy or otherwise includes 809 # NIST-test-policy-1, then the user-constrained-policy-set will be 810 # {NIST-test-policy-1}. If not, the user-constrained-policy-set will be 811 # empty. If the initial-policy-set does not include NIST-test-policy-1 (and 812 # the application can process the policyConstraints extension), then the 813 # path should be rejected, otherwise it should validate successfully. If 814 # the path is accepted, the application should display the user notice 815 # associated with NIST-testpolicy-1 in the intermediate certificate. 
816 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 817 818 # While not explicitly divided into sub-parts, the above describes what 819 # should happen given various values of initial-policy-set. Test some 820 # combinations, as these cover an interesting interaction with anyPolicy. 821 # 822 # These extra tests are a regression test for https://crbug.com/1403258. 823 TestInfo(True, initial_policy_set=[TEST_POLICY_1, TEST_POLICY_2], 824 user_constrained_policy_set=[TEST_POLICY_1]), 825 TestInfo(False, initial_policy_set=[TEST_POLICY_2], 826 user_constrained_policy_set=[]), 827 ], 828 829 '4.10.14': [ # Valid Policy Mapping Test14 830 # Procedure: Validate Valid Policy Mapping Test14 EE using the default 831 # settings or open and verify Signed Test Message 6.2.2.107 using the 832 # default settings. 833 # 834 # Expected Result: The authorities-constrained-policy-set will be 835 # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if 836 # the application can process the policyConstraints extension). If the 837 # initial-policy-set is any-policy or otherwise includes 838 # NIST-test-policy-1, then the user-constrained-policy-set will be 839 # {NIST-test-policy-1}. If not, the user-constrained-policy-set will be 840 # empty. If the initial-policy-set does not include NIST-test-policy-1 (and 841 # the application can process the policyConstraints extension), then the 842 # path should be rejected, otherwise it should validate successfully. If 843 # the path is accepted, the application should display the user notice 844 # associated with anyPolicy in the intermediate certificate 845 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 846 ], 847 848 '4.11.1': [ # Invalid inhibitPolicyMapping Test1 849 # Procedure: Validate Invalid inhibitPolicyMapping Test1 EE using the 850 # default settings or open and verify Signed Test Message 6.2.2.108 using 851 # the default settings. 
852 # 853 # Expected Result: The authorities-constrained-policy-set and the 854 # user-constrained-policy-set will be empty. The explicit-policy-indicator 855 # will be set. The path should not validate successfully. 856 TestInfo(False, user_constrained_policy_set=[]), 857 ], 858 859 '4.11.2': [ # Valid inhibitPolicyMapping Test2 860 # Procedure: Validate Valid inhibitPolicyMapping Test2 EE using the default 861 # settings or open and verify Signed Test Message 6.2.2.109 using the 862 # default settings. 863 # 864 # Expected Result: The authorities-constrained-policy-set will be 865 # {NIST-test-policy-1} and the explicit-policy-indicator will be set. If 866 # the initial-policy-set is any-policy or otherwise includes 867 # NIST-test-policy-1, then the path should validate successfully. 868 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 869 ], 870 871 '4.11.3': [ # Invalid inhibitPolicyMapping Test3 872 # Procedure: Validate Invalid inhibitPolicyMapping Test3 EE using the 873 # default settings or open and verify Signed Test Message 6.2.2.110 using 874 # the default settings. 875 # 876 # Expected Result: The authorities-constrained-policy-set and the 877 # user-constrained-policy-set will be empty and the 878 # explicit-policy-indicator will be set. The path should not validate 879 # successfully. 880 TestInfo(False, user_constrained_policy_set=[]), 881 ], 882 883 '4.11.4': [ # Valid inhibitPolicyMapping Test4 884 # Procedure: Validate Valid inhibitPolicyMapping Test4 EE using the default 885 # settings or open and verify Signed Test Message 6.2.2.111 using the 886 # default settings. 887 # 888 # Expected Result: The authorities-constrained-policy-set will be 889 # {NIST-test-policy-2} and the explicit-policy-indicator will be set. If 890 # the initial-policy-set is any-policy or otherwise includes 891 # NIST-test-policy-2, then the path should validate successfully. 
892 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_2]), 893 ], 894 895 '4.11.5': [ # Invalid inhibitPolicyMapping Test5 896 # Procedure: Validate Invalid inhibitPolicyMapping Test5 EE using the 897 # default settings or open and verify Signed Test Message 6.2.2.112 using 898 # the default settings. 899 # 900 # Expected Result: The authorities-constrained-policy-set and the 901 # user-constrained-policy-set will be empty and the 902 # explicit-policy-indicator will be set. The path should not validate 903 # successfully. 904 TestInfo(False, user_constrained_policy_set=[]), 905 ], 906 907 '4.11.6': [ # Invalid inhibitPolicyMapping Test6 908 # Procedure: Validate Invalid inhibitPolicyMapping Test6 EE using the 909 # default settings or open and verify Signed Test Message 6.2.2.113 using 910 # the default settings. 911 # 912 # Expected Result: The authorities-constrained-policy-set and the 913 # user-constrained-policy-set will be empty and the 914 # explicit-policy-indicator will be set. The path should not validate 915 # successfully. 916 TestInfo(False, user_constrained_policy_set=[]), 917 ], 918 919 '4.11.7': [ # Valid Self-Issued inhibitPolicyMapping Test7 920 # Procedure: Validate Valid Self-Issued inhibitPolicyMapping Test7 EE using 921 # the default settings or open and verify Signed Test Message 6.2.2.114 922 # using the default settings. 923 # 924 # Expected Result: The authorities-constrained-policy-set will be 925 # {NIST-test-policy-1} and the explicit-policy-indicator will be set. If 926 # the initial-policy-set is any-policy or otherwise includes 927 # NIST-test-policy-1, then the path should validate successfully. 928 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 929 ], 930 931 '4.11.8': [ # Invalid Self-Issued inhibitPolicyMapping Test8 932 # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test8 EE 933 # using the default settings or open and verify Signed Test Message 934 # 6.2.2.115 using the default settings. 
935 # 936 # Expected Result: The authorities-constrained-policy-set and 937 # user-constrained-policy-set will be empty and the 938 # explicit-policy-indicator will be set. The path should not validate 939 # successfully. 940 TestInfo(False, user_constrained_policy_set=[]), 941 ], 942 943 '4.11.9': [ # Invalid Self-Issued inhibitPolicyMapping Test9 944 # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test9 EE 945 # using the default settings or open and verify Signed Test Message 946 # 6.2.2.116 using the default settings. 947 # 948 # Expected Result: The authorities-constrained-policy-set and 949 # user-constrained-policy-set will be empty and the 950 # explicit-policy-indicator will be set. The path should not validate 951 # successfully. 952 TestInfo(False, user_constrained_policy_set=[]), 953 ], 954 955 '4.11.10': [ # Invalid Self-Issued inhibitPolicyMapping Test10 956 # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test10 EE 957 # using the default settings or open and verify Signed Test Message 958 # 6.2.2.117 using the default settings. 959 # 960 # Expected Result: The authorities-constrained-policy-set and 961 # user-constrained-policy-set will be empty and the 962 # explicit-policy-indicator will be set. The path should not validate 963 # successfully. 964 TestInfo(False, user_constrained_policy_set=[]), 965 ], 966 967 '4.11.11': [ # Invalid Self-Issued inhibitPolicyMapping Test11 968 # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test11 EE 969 # using the default settings or open and verify Signed Test Message 970 # 6.2.2.118 using the default settings. 971 # 972 # Expected Result: The authorities-constrained-policy-set and 973 # user-constrained-policy-set will be empty and the 974 # explicit-policy-indicator will be set. The path should not validate 975 # successfully. 
976 TestInfo(False, user_constrained_policy_set=[]), 977 ], 978 979 '4.12.1': [ # Invalid inhibitAnyPolicy Test1 980 # Procedure: Validate Invalid inhibitAnyPolicy Test1 EE using the default 981 # settings or open and verify Signed Test Message 6.2.2.119 using the 982 # default settings. 983 # 984 # Expected Result: The authorities-constrained-policy-set and 985 # user-constrained-policy-set will be empty and the 986 # explicit-policy-indicator will be set (if the application can process the 987 # policyConstraints extension). If the application can process the 988 # policyConstraints extension, then the path should not validate 989 # successfully. 990 TestInfo(False, user_constrained_policy_set=[]), 991 ], 992 993 '4.12.2': [ # Valid inhibitAnyPolicy Test2 994 # Procedure: Validate Valid inhibitAnyPolicy Test2 EE using the default 995 # settings or open and verify Signed Test Message 6.2.2.120 using the 996 # default settings. 997 # 998 # Expected Result: The authorities-constrained-policy-set will be 999 # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if 1000 # the application can process the policyConstraints extension). If the 1001 # initial-policy-set is any-policy or otherwise includes 1002 # NIST-test-policy-1, then the user-constrained-policy-set will be 1003 # {NIST-test-policy-1} and the path should validate successfully. If not, 1004 # then the user-constrained-policy-set will be empty. If the 1005 # user-constrained-policy-set is empty and the application can process the 1006 # policyConstraints extension, then the path should not validate 1007 # successfully. 1008 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 1009 ], 1010 1011 '4.12.3': [ # inhibitAnyPolicy Test3 1012 # 1. default settings. The path should validate successfully. 1013 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 1014 1015 # 2. default settings, but with initial-inhibit-any-policy set. The path 1016 # should not validate successfully. 
1017 TestInfo(False, initial_inhibit_any_policy=True, 1018 user_constrained_policy_set=[]), 1019 ], 1020 1021 '4.12.4': [ # Invalid inhibitAnyPolicy Test4 1022 # Procedure: Validate Invalid inhibitAnyPolicy Test4 EE using the default 1023 # settings or open and verify Signed Test Message 6.2.2.122 using the 1024 # default settings. 1025 # 1026 # Expected Result: The authorities-constrained-policy-set and 1027 # user-constrained-policy-set will be empty and the 1028 # explicit-policy-indicator will be set (if the application can process the 1029 # policyConstraints extension). If the application can process the 1030 # policyConstraints extension, then the path should not validate 1031 # successfully. 1032 TestInfo(False, user_constrained_policy_set=[]), 1033 ], 1034 1035 '4.12.5': [ # Invalid inhibitAnyPolicy Test5 1036 # Procedure: Validate Invalid inhibitAnyPolicy Test5 EE using the default 1037 # settings or open and verify Signed Test Message 6.2.2.123 using the 1038 # default settings. 1039 # 1040 # Expected Result: The authorities-constrained-policy-set and 1041 # user-constrained-policy-set will be empty and the 1042 # explicit-policy-indicator will be set (if the application can process the 1043 # policyConstraints extension). If the application can process the 1044 # policyConstraints extension, then the path should not validate 1045 # successfully. 1046 TestInfo(False, user_constrained_policy_set=[]), 1047 ], 1048 1049 '4.12.6': [ # Invalid inhibitAnyPolicy Test6 1050 # Procedure: Validate Invalid inhibitAnyPolicy Test6 EE using the default 1051 # settings or open and verify Signed Test Message 6.2.2.124 using the 1052 # default settings. 1053 # 1054 # Expected Result: The authorities-constrained-policy-set and 1055 # user-constrained-policy-set will be empty and the 1056 # explicit-policy-indicator will be set (if the application can process the 1057 # policyConstraints extension). 
If the application can process the 1058 # policyConstraints extension, then the path should not validate 1059 # successfully. 1060 TestInfo(False, user_constrained_policy_set=[]), 1061 ], 1062 1063 '4.12.7': [ # Valid Self-Issued inhibitAnyPolicy Test7 1064 # Procedure: Validate Valid Self-Issued inhibitAnyPolicy Test7 EE using the 1065 # default settings or open and verify Signed Test Message 6.2.2.125 using 1066 # the default settings. 1067 # 1068 # Expected Result: The authorities-constrained-policy-set will be 1069 # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if 1070 # the application can process the policyConstraints extension). If the 1071 # initial-policy-set is any-policy or otherwise includes 1072 # NIST-test-policy-1, then the user-constrained-policy-set will be 1073 # {NIST-test-policy-1} and the path should validate successfully. If not, 1074 # then the user-constrained-policy-set will be empty. If the 1075 # user-constrained-policy-set is empty and the application can process the 1076 # policyConstraints extension, then the path should not validate 1077 # successfully. 1078 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 1079 ], 1080 1081 '4.12.8': [ # Invalid Self-Issued inhibitAnyPolicy Test8 1082 # Procedure: Validate Invalid Self-Issued inhibitAnyPolicy Test8 EE using 1083 # the default settings or open and verify Signed Test Message 6.2.2.126 1084 # using the default settings. 1085 # 1086 # Expected Result: The authorities-constrained-policy-set and 1087 # user-constrained-policy-set will be empty and the 1088 # explicit-policy-indicator will be set (if the application can process the 1089 # policyConstraints extension). If the application can process the 1090 # policyConstraints extension, then the path should not validate 1091 # successfully. 
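        TestInfo(False, user_constrained_policy_set=[]),
    ],

    '4.12.9': [ # Valid Self-Issued inhibitAnyPolicy Test9
        # Procedure: Validate Valid Self-Issued inhibitAnyPolicy Test9 EE using the
        # default settings or open and verify Signed Test Message 6.2.2.127 using
        # the default settings.
        #
        # Expected Result: The authorities-constrained-policy-set will be
        # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if
        # the application can process the policyConstraints extension). If the
        # initial-policy-set is any-policy or otherwise includes
        # NIST-test-policy-1, then the user-constrained-policy-set will be
        # {NIST-test-policy-1} and the path should validate successfully. If not,
        # then the user-constrained-policy-set will be empty. If the
        # user-constrained-policy-set is empty and the application can process the
        # policyConstraints extension, then the path should not validate
        # successfully.
        TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]),
    ],

    '4.12.10': [ # Invalid Self-Issued inhibitAnyPolicy Test10
        # Procedure: Validate Invalid Self-Issued inhibitAnyPolicy Test10 EE using
        # the default settings or open and verify Signed Test Message 6.2.2.128
        # using the default settings.
        #
        # Expected Result: The authorities-constrained-policy-set and
        # user-constrained-policy-set will be empty and the
        # explicit-policy-indicator will be set (if the application can process the
        # policyConstraints extension). If the application can process the
        # policyConstraints extension, then the path should not validate
        # successfully.
        TestInfo(False, user_constrained_policy_set=[]),
    ],
}


def parse_test(lines, i, test_case_name, test_number, test_name,
               sanitized_test_names, output):
  '''Parses the test whose body starts at |lines[i]| and writes it to |output|.

  Tests listed in TEST_OVERRIDES are emitted from their hand-written TestInfo
  entries, one generated test per entry. Every other test must use the default
  settings and state a single recognizable expectation; anything else is
  reported on stderr and ends the generator with exit status 1, so a
  description that is not understood never becomes a test with a guessed
  pass/fail expectation.

  Returns the line index handed back by parse_main_test_sections().'''
  # Start by doing a coarse level of parsing that separates out the lines for
  # the main sections.
  i, test_sections = parse_main_test_sections(lines, i)

  certs, crls = parse_cert_path_lines(test_sections.cert_path_lines)

  # Most tests have a formulaic specification: they use the default
  # settings, and have one expectation. These are easily parsed and are handled
  # programmatically. In contrast, many of the policies tests have a more
  # complicated specification which involves multiple subtests having various
  # settings, as well as expectations described in terms of supported
  # extensions. Rather than try to handle all the nuanced language, these are
  # handled manually via "overrides".
  overrides = TEST_OVERRIDES.get(test_number, None)

  if overrides is not None:
    # The overrides may have a series of inputs (settings) and outputs
    # (success/failure) for this test. Output each as a separate test case.
    for subpart_i, info in enumerate(overrides):
      # If the test has only 1 subpart, don't number it.
      subpart_number = subpart_i + 1 if len(overrides) > 1 else None
      output_test(test_case_name, test_number, test_name, subpart_number, info,
                  certs, crls, sanitized_test_names, output)
    return i

  # Verify that the test description doesn't include numbered subparts (those
  # are not handled here).
  if CUSTOM_SETTINGS_MATCHER.match(" ".join(test_sections.description_lines)):
    sys.stderr.write('Unexpected custom settings for %s\n' % test_number)
    sys.exit(1)

  # Verify that the test is using only default settings.
  procedure = " ".join(test_sections.procedure_lines)
  if not USING_DEFAULT_SETTINGS_MATCHER.match(procedure):
    sys.stderr.write('Unexpected procedure for %s: %s\n' %
                     (test_number, procedure))
    sys.exit(1)

  # Check whether expected result is validation success or failure. A test
  # with no expected-result text at all is reported the same way as one whose
  # text is not recognized.
  expected_result_lines = test_sections.expected_result_lines
  result_match = (TEST_RESULT_MATCHER.match(expected_result_lines[0])
                  if expected_result_lines else None)
  if not result_match:
    sys.stderr.write('Unknown expectation for %s:\n%s\n' % (
        test_number, " ".join(expected_result_lines)))
    sys.exit(1)
  # Initializes with default settings.
  info = TestInfo(result_match.group(1) == 'should validate')

  # Special case the 4.9 test failures (require explicit policy) to set
  # user_constrained_policy_set to empty. This is only done for the 4.9
  # tests, because the other policy tests are special cased as overrides and
  # hence set this manually on a per-test basis.
  #
  # user_constrained_policy_set enumerates the subset of the initial policy
  # set (anyPolicy in the default case) that were valid for the path. For
  # non-policy tests the expectation for user_constrained_policy_set is
  # [TEST_POLICY_1] since each policy asserts that. However for these tests,
  # the expectation is an empty user_constrained_policy_set since there was
  # no valid policy for the path (in fact, that is why the path validation is
  # expected to fail).
  if test_number.startswith('4.9.') and not info.should_validate:
    info.user_constrained_policy_set = []

  output_test(test_case_name, test_number, test_name, None, info, certs,
              crls, sanitized_test_names, output)
  return i


def main():
  '''Generates the PKITS test header from the PDF named on the command line.

  Expects exactly two arguments, <PKITS.pdf> and <output.h>. The PDF is
  converted to text with the external pdftotext tool, section 4 of that text
  is scanned for section and test titles, and one typed test suite per section
  is written to the output header.'''
  if len(sys.argv) != 3:
    sys.stderr.write('Usage: %s <PKITS.pdf> <output.h>\n' % sys.argv[0])
    sys.exit(1)
  pkits_pdf_path, output_path = sys.argv[1:]

  with tempfile.NamedTemporaryFile() as pkits_txt_file:
    # The command is an argument list, so the PDF path reaches pdftotext as a
    # single argument and is never interpreted by a shell.
    subprocess.check_call(['pdftotext', '-layout', '-nopgbrk', '-eol', 'unix',
                           pkits_pdf_path, pkits_txt_file.name])

    test_descriptions = pkits_txt_file.read().decode('utf-8')

  # Extract section 4 of the text, which is the part that contains the tests.
  test_descriptions = test_descriptions.split(
      '4 Certification Path Validation Tests')[-1]
  test_descriptions = test_descriptions.split(
      '5 Relationship to Previous Test Suite', 1)[0]

  # The context manager flushes and closes the header on every exit path,
  # including the sys.exit(1) calls made while parsing a test.
  with open(output_path, 'w') as output:
    output.write('// Autogenerated by %s, do not edit\n\n' % sys.argv[0])
    output.write("""
// This file intentionally does not have header guards, it's intended to
// be inlined in another header file. The following line silences a
// presubmit warning that would otherwise be triggered by this:
// no-include-guard-because-multiply-included
// NOLINT(build/header_guard)\n\n""")
    output.write('// Hack to allow disabling type parameterized test cases.\n'
                 '// See https://github.com/google/googletest/issues/389\n')
    output.write('#define WRAPPED_TYPED_TEST_P(CaseName, TestName) '
                 'TYPED_TEST_P(CaseName, TestName)\n')
    output.write('#define WRAPPED_REGISTER_TYPED_TEST_SUITE_P(CaseName, ...) '
                 'REGISTER_TYPED_TEST_SUITE_P(CaseName, __VA_ARGS__)\n\n')

    test_case_name = None
    sanitized_test_names = []

    lines = test_descriptions.splitlines()

    i = 0
    while i < len(lines):
      section_match = SECTION_MATCHER.match(lines[i])
      match = TEST_MATCHER.match(lines[i])
      i += 1

      if section_match:
        # A new section closes the previous suite before opening its own.
        if test_case_name:
          finalize_test_case(test_case_name, sanitized_test_names, output)
          sanitized_test_names = []

        test_case_name = 'PkitsTest%02d%s' % (
            int(section_match.group(1).split('.')[-1]),
            sanitize_name(section_match.group(2)))
        output.write('\ntemplate <typename PkitsTestDelegate>\n')
        output.write('class %s : public PkitsTest<PkitsTestDelegate> {};\n' %
                     test_case_name)
        output.write('TYPED_TEST_SUITE_P(%s);\n' % test_case_name)

      if match:
        test_number = match.group(1)
        test_name = match.group(2)
        if not test_case_name:
          output.write('// Skipped %s %s\n' % (test_number, test_name))
          continue
        # Resume scanning at the index parse_test() returns rather than
        # re-reading the lines it already consumed.
        # NOTE(review): assumes that index is the first line after the test
        # body -- confirm against parse_main_test_sections().
        i = parse_test(lines, i, test_case_name, test_number,
                       test_name, sanitized_test_names, output)

    if test_case_name:
      finalize_test_case(test_case_name, sanitized_test_names, output)


if __name__ == '__main__':
  main()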