Add generated PKITS tests relating to certificate policies.

net/third_party/nist-pkits/generate_tests.py

 # Copyright 2016 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 '''Generates a test suite from NIST PKITS test descriptions.
 
 The output is a set of Type Parameterized Tests which are included by
 pkits_unittest.h. See pkits_unittest.h for information on using the tests.
 GoogleTest has a limit of 50 tests per type parameterized testcase, so the tests
 are split up by section number (this also makes it possible to easily skip
@@ skipping 14 matching lines @@
   return s.translate(None, ' -')
 
 
 def finalize_test_case(test_case_name, sanitized_test_names, output):
   output.write('\nWRAPPED_REGISTER_TYPED_TEST_CASE_P(%s' % test_case_name)
   for name in sanitized_test_names:
     output.write(',\n    %s' % name)
   output.write(');\n')
 
 
-def generate_test(test_case_name, test_number, raw_test_name, certs, crls, should_validate,
-                     output):
+def bool_to_str(b):
+  return "true" if b else "false"
+
+
+def output_test(test_case_name, test_number, raw_test_name, subpart_number,
+                info, certs, crls, sanitized_test_names, output):
+  '''Writes a test case to |output|, and appends the test name to
+  |sanitized_test_names|.'''
   sanitized_test_name = 'Section%s%s' % (test_number.split('.')[1],
                                          sanitize_name(raw_test_name))
+
+  if subpart_number is not None:
+    sanitized_test_name += "Subpart%d" % (subpart_number)
+
+  sanitized_test_names.append(sanitized_test_name)
+
   certs_formatted = ', '.join('"%s"' % n for n in certs)
   crls_formatted = ', '.join('"%s"' % n for n in crls)
-  assert_function = 'ASSERT_TRUE' if should_validate else 'ASSERT_FALSE'
+  assert_function = 'ASSERT_TRUE' if info.should_validate else 'ASSERT_FALSE'
+
   output.write('''
 // %(test_number)s %(raw_test_name)s
 WRAPPED_TYPED_TEST_P(%(test_case_name)s, %(sanitized_test_name)s) {
   const char* const certs[] = {
     %(certs_formatted)s
   };
   const char* const crls[] = {
     %(crls_formatted)s
   };
-  %(assert_function)s(this->Verify(certs, crls));
+''' % vars())
+
+  default_settings = TestInfo(False)
+
+  settings_str = ''
+
+  # Output any non-default settings. Only settings that differ from
+  # the default settings are written, so as to keep the generated
+  # file more readable.
+  if info.initial_policy_set != default_settings.initial_policy_set:
+    settings_str += '''  settings.SetInitialPolicySet("%s");
+''' % (','.join(info.initial_policy_set))
+
+  if info.initial_explicit_policy != default_settings.initial_explicit_policy:
+    settings_str += '''  settings.initial_explicit_policy = %s;
+''' % bool_to_str(info.initial_explicit_policy)
+
+  if (info.initial_policy_mapping_inhibit !=
+          default_settings.initial_policy_mapping_inhibit):
+    settings_str += '''  settings.initial_policy_mapping_inhibit = %s;
+''' % bool_to_str(info.initial_policy_mapping_inhibit)
+
+  if (info.initial_inhibit_any_policy !=
+          default_settings.initial_inhibit_any_policy):
+    settings_str += '''settings.initial_inhibit_any_policy = %s;
+''' % bool_to_str(info.initial_inhibit_any_policy)
+
+  settings_param_str = '{}'
+
+  if settings_str != '':
+    output.write('''
+  // Custom settings
+  PkitsTestSettings settings;
+''')
+    output.write(settings_str)
+    output.write('\n')
+    settings_param_str = 'settings'
+
+  output.write('''  %(assert_function)s(this->Verify(certs, crls, %(settings_param_str)s));
 }
 ''' % vars())
 
-  return sanitized_test_name
-
 
 # Matches a section header, ex: "4.1 Signature Verification"
 SECTION_MATCHER = re.compile('^\s*(\d+\.\d+)\s+(.+)\s*$')
 # Matches a test header, ex: "4.1.1 Valid Signatures Test1"
 TEST_MATCHER = re.compile('^\s*(\d+\.\d+.\d+)\s+(.+)\s*$')
+
+# Matches the various headers in a test specification.
+EXPECTED_HEADER_MATCHER = re.compile('^\s*Expected Result:')
+PROCEDURE_HEADER_MATCHER = re.compile('^\s*Procedure:')
+PATH_HEADER_MATCHER = re.compile('^\s*Certification Path:')
+
+# Matches the Procedure text if using default settings.
+USING_DEFAULT_SETTINGS_MATCHER = re.compile(
+    '^.*using the \s*default settings.*')
+
+# Matches the description text if using custom settings.
+CUSTOM_SETTINGS_MATCHER = re.compile(
+    '.*this\s+test\s+be\s+validated\s+using\s+the\s*following\s+inputs:.*')

[mattm, 2017/05/25 22:11:16]

why \s* between "the" and "following"?

[eroman, 2017/05/25 22:42:59]

Done (bad translation on my part).

I had to generalize the expression changing space to \s+ because some of the the
policy tests have line breaks in different places (although I didn't quite need
to replace every space as I did here).

+
 # Match an expected test result. Note that some results in the PDF have a typo
 # "path not should validate" instead of "path should not validate".
 TEST_RESULT_MATCHER = re.compile(
-    '^\s*Expected Result:.*path (should validate|'
-    'should not validate|not should validate)')
-PATH_HEADER_MATCHER = re.compile('^\s*Certification Path:')
-# Matches a line in the certification path, ex: "\u2022 Good CA Cert, Good CA CRL"
+    '^.*path (should validate|should not validate|not should validate)')
+
+# Matches a line in the certification path, ex:
+#    "\u2022 Good CA Cert, Good CA CRL"
 PATH_MATCHER = re.compile('^\s*\xe2\x80\xa2\s*(.+)\s*$')
 # Matches a page number. These may appear in the middle of multi-line fields and
 # thus need to be ignored.
 PAGE_NUMBER_MATCHER = re.compile('^\s*\d+\s*$')
 # Matches if an entry in a certification path refers to a CRL, ex:
 # "onlySomeReasons CA2 CRL1".
 CRL_MATCHER = re.compile('^.*CRL\d*$')
-def parse_test(lines, i, test_case_name, test_number, test_name, output):
-  expected_result = None
+
+
+class TestSections(object):
+  def __init__(self):
+    self.description_lines = []
+    self.procedure_lines = []
+    self.expected_result_lines = []
+    self.cert_path_lines = []
+
+
+def parse_main_test_sections(lines, i):
+  result = TestSections()
+
+  # Read the description lines (text after test name up until
+  # "Procedure:").
+  result.description_lines = []
+  while i < len(lines):
+    if PROCEDURE_HEADER_MATCHER.match(lines[i]):
+      break
+    result.description_lines.append(lines[i])
+    i += 1
+
+  # Read the procedure lines (text starting at "Procedure:" and up until
+  # "Expected Result:".
+  result.procedure_lines = []
+  while i < len(lines):
+    if EXPECTED_HEADER_MATCHER.match(lines[i]):
+      break
+    result.procedure_lines.append(lines[i])
+    i += 1
+
+  # Read the expected result lines (text starting at "Expected Result:" and up
+  # until "Certification Path:".
+  result.expected_result_lines = []
+  while i < len(lines):
+    if PATH_HEADER_MATCHER.match(lines[i]):
+      break
+    result.expected_result_lines.append(lines[i])
+    i += 1
+
+  # Read the certification path lines (text starting at "Certification Path:"
+  # and up until the next test title.
+  result.cert_path_lines = []
+  while i < len(lines):
+    if TEST_MATCHER.match(lines[i]) or SECTION_MATCHER.match(lines[i]):
+      break
+    result.cert_path_lines.append(lines[i])
+    i += 1
+
+  return i, result 
+
+
+def parse_cert_path_lines(lines):
+  path_lines = []
+  crls = []
   certs = []
-  crls = []
 
-  while i < len(lines):
-    result_match = TEST_RESULT_MATCHER.match(lines[i])
-    i += 1
-    if result_match:
-      expected_result = result_match.group(1) == 'should validate'
-      break
+  for line in lines[1:]:
+    line = line.strip()
 
-  while i < len(lines):
-    path_match = PATH_HEADER_MATCHER.match(lines[i])
-    i += 1
-    if path_match:
-      break
+    if "is composed of the following objects:" in line:
+      continue
 
-  path_lines = []
-  while i < len(lines):
-    line = lines[i].strip()
-    if TEST_MATCHER.match(line) or SECTION_MATCHER.match(line):
-      break
-    i += 1
     if not line or PAGE_NUMBER_MATCHER.match(line):
       continue
     path_match = PATH_MATCHER.match(line)
     if path_match:
       path_lines.append(path_match.group(1))
       continue
     # Continuation of previous path line.
     path_lines[-1] += ' ' + line
 
   for path_line in path_lines:
     for path in path_line.split(','):
       path = sanitize_name(path.strip())
       if CRL_MATCHER.match(path):
         crls.append(path)
       else:
         certs.append(path)
 
-  assert certs
-  assert crls
-  assert expected_result is not None
-  sanitized_test_name = generate_test(test_case_name, test_number, test_name,
-                                      certs, crls, expected_result, output)
-
-  return i, sanitized_test_name
+  return certs, crls
+
+
+ANY_POLICY = 'anyPolicy'
+TEST_POLICY_1 = 'NIST-test-policy-1'
+TEST_POLICY_2 = 'NIST-test-policy-2'
+TEST_POLICY_3 = 'NIST-test-policy-3'
+TEST_POLICY_6 = 'NIST-test-policy-6'
+
+class TestInfo(object):
+  """This structure describes a test inputs and outputs"""

[mattm, 2017/05/25 22:11:16]

add a todo for testing user-constrained-policy-set? (and maybe
authorities-constrained-policy-set?)

[eroman, 2017/05/25 22:42:58]

Done.

I don't think those are too important as far as the test coverage goes
(success/failure covers the interesting cases, and makes liberal use of
policyConstraints to aid with this).

But authorities-constrained-policy-set could be handy to support in the future.

[mattm, 2017/05/25 23:28:22]

sgtm.  (I think user-constrained-policy-set is actually the important one since
it's basically computed from the final valid_policy_tree, while
authorities-constrained-policy-set is the valid_policy_tree before its
intersection with user-initial-policy-set (which would probably not be feasible
to get with the way the policies are being implemented))

+  def __init__(self, should_validate,
+               # These defaults come from section 3 of PKITS.pdf
+               initial_policy_set = [ANY_POLICY],
+               initial_explicit_policy = False,
+               initial_policy_mapping_inhibit = False,
+               initial_inhibit_any_policy = False):
+    self.should_validate = should_validate
+    self.initial_policy_set = initial_policy_set
+    self.initial_explicit_policy = initial_explicit_policy
+    self.initial_policy_mapping_inhibit = initial_policy_mapping_inhibit
+    self.initial_inhibit_any_policy = initial_inhibit_any_policy
+
+
+TEST_OVERRIDES = {
+  '4.8.1': [
+    # 1. default settings, but with initial-explicit-policy set. The path
+    # should validate successfully
+    TestInfo(True, initial_explicit_policy=True),
+
+    # 2. default settings, but with initial-explicit-policy set and
+    # initial-policy-set = {NIST-test-policy-1}. The path should validate
+    # successfully. 
+    TestInfo(True, initial_explicit_policy=True,
+             initial_policy_set=[TEST_POLICY_1]),
+
+    # 3. default settings, but with initial-explicit-policy set and
+    # initial-policy-set = {NIST-test-policy-2}. The path should not validate
+    # successfully. 
+    TestInfo(False, initial_explicit_policy=True,
+             initial_policy_set=[TEST_POLICY_2]),

[mattm, 2017/05/25 22:11:16]

what about 4.8.1 "4. default settings, but with initial-explicit-policy set and
initial-policy-set = {NIST-test-policy-1, NIST-test-policy-2}. The path should
validate successfully."?

[eroman, 2017/05/25 22:42:59]

Done.

Wow, not sure how that got missed! Thanks for spotting.

I will do another review pass of all the others in case I missed anything else
in the translation :(

[eroman, 2017/05/26 00:01:46]

FTR: I reviewed all of the manual expectations, and also added the full text as
comments to make it a bit easier to check the subsequent translation.

I did not find any other omissions or errors, but did remove a few overrides
that could be handled through normal flow.

+  ],
+
+  '4.8.2': [
+    # 1. default settings. The path should validate successfully.
+    TestInfo(True),
+
+    # 2. default settings, but with initial-explicit-policy set. The path
+    # should not validate successfully
+    TestInfo(False, initial_explicit_policy=True),
+  ],
+
+  '4.8.3': [
+    # 1. default settings. The path should validate successfully.
+    TestInfo(True),
+
+    # 2. default settings, but with initial-explicit-policy set. The path
+    # should not validate successfully.
+    TestInfo(False, initial_explicit_policy=True),
+
+    # 3. default settings, but with initial-explicit-policy set and
+    # initial-policy-set = {NIST-test-policy-1, NIST-test-policy-2}. The path
+    # should not validate successfully. 
+    TestInfo(False, initial_explicit_policy=True,
+             initial_policy_set=[TEST_POLICY_1, TEST_POLICY_2]),
+  ],
+
+  '4.8.4': [
+    # If the application can process the policyConstraints extension then the
+    # path should not validate successfully. If the application can not process
+    # the policyConstraints extension, then the path should validate
+    # successfully
+    TestInfo(False),
+  ],
+
+  '4.8.5': [
+    # If the application can process the policyConstraints extension then the
+    # path should not validate successfully. If the application can not process
+    # the policyConstraints extension, then the path should validate
+    # successfully. 
+    TestInfo(False),
+  ],
+
+  '4.8.6': [
+    # 1. default settings. The path should validate successfully.
+    TestInfo(True),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+
+    # 3. default settings, but with initial-policy-set = {NIST-test-policy-2}.
+    # The path should not validate successfully. 
+    TestInfo(False, initial_policy_set=[TEST_POLICY_2]),
+  ],
+
+  '4.8.7': [
+    # If the application can process the policyConstraints extension, then the
+    # path should not validate successfully. If the application can not
+    # process the policyConstraints extension, then the path should
+    # validate successfully. 
+    TestInfo(False),
+  ],
+
+  '4.8.8': [
+    # If the application can process the policyConstraints extension then the
+    # path should not validate successfully. If the application can not process
+    # the policyConstraints extension, then the path should validate
+    # successfully.
+    TestInfo(False),
+  ],
+
+  '4.8.9': [
+    # If the application can process the policyConstraints extension, then the
+    # path should not validate successfully. If the application can not
+    # process the policyConstraints extension, then the path should validate
+    # successfully. 
+    TestInfo(False),
+  ],
+
+  '4.8.10': [
+    # 1. default settings. The path should validate successfully.
+    TestInfo(True),
+    
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+
+    # 3. default settings, but with initial-policy-set = {NIST-test-policy-2}.
+    # The path should validate successfully.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_2]),
+  ],
+
+  '4.8.11': [
+    # 1. default settings. The path should validate successfully.
+    TestInfo(True),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully. 
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+  ],
+
+  '4.8.12': [
+    # If the application can process the policyConstraints extension, then the
+    # path should not validate successfully. If the application can not
+    # process the policyConstraints extension, then the path should
+    # validate successfully.
+    TestInfo(False),
+  ],
+
+  '4.8.13': [
+    # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}.
+    # The path should validate successfully.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_2]),
+
+    # 3. default settings, but with initial-policy-set = {NIST-test-policy-3}.
+    # The path should validate successfully. 
+    TestInfo(True, initial_policy_set=[TEST_POLICY_3]),
+  ],
+
+  '4.8.14': [
+    # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}.
+    # The path should not validate successfully. 
+    TestInfo(False, initial_policy_set=[TEST_POLICY_2]),
+  ],
+
+  '4.8.15': [
+    # If the path validates successfully, then the application should display
+    # the user notice.
+    TestInfo(True),
+  ],
+
+  '4.8.16': [
+    # If the path validates successfully, then the application should display
+    # the user notice associated with NIST-test-policy-1.
+    TestInfo(True),
+  ],
+
+  '4.8.17': [
+    # If the path validates successfully, then the application should display
+    # the user notice associated with anyPolicy
+    TestInfo(True),
+  ],
+
+  '4.8.18': [
+    # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully and the qualifier associated with
+    # NIST-test-policy-1 in the end entity certificate should be displayed.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}.
+    # The path should validate successfully and the qualifier associated with
+    # anyPolicy in the end entity certificate should be displayed. 
+    TestInfo(True, initial_policy_set=[TEST_POLICY_2]),
+  ],
+
+  '4.8.19': [
+    # Since the explicitText exceeds the maximum size of 200 characters,
+    # the application may choose to reject the certificate. If the application
+    # accepts the certificate, display of the user notice is optional. 
+    TestInfo(True),
+  ],
+
+  '4.8.20': [
+    # If possible, it is recommended that this test be run with the
+    # initial-explicit-policy indicator set
+    # ...
+    # If the initial-explicit-policy indicator is set
+    # and the initial-policy-set does not include NIST-test-policy-1, then the
+    # path should be rejected, otherwise it should validate successfully
+    TestInfo(True, initial_explicit_policy=True,
+             initial_policy_set=[TEST_POLICY_1]),
+  ],
+
+  '4.10.1': [
+    # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}.
+    # The path should not validate successfully. 
+    TestInfo(False, initial_policy_set=[TEST_POLICY_2]),
+
+    # 3. default settings, but with initial-policy-mapping-inhibit set. The
+    # path should not validate successfully.
+    TestInfo(False, initial_policy_mapping_inhibit=True),
+  ],
+
+  '4.10.2': [
+    # 1. default settings. The path should not validate successfully.
+    TestInfo(False),
+
+    # 2. default settings, but with initial-policy-mapping-inhibit set. The
+    # path should not validate successfully. 
+    TestInfo(False, initial_policy_mapping_inhibit=True),
+  ],
+
+  '4.10.3': [
+    # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should not validate successfully.
+    TestInfo(False, initial_policy_set=[TEST_POLICY_1]),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}.
+    # The path should validate successfully. 
+    TestInfo(True, initial_policy_set=[TEST_POLICY_2]),
+  ],
+
+  '4.10.4': [
+    # If the application can process the policyConstraints extension, then the
+    # path should be rejected, otherwise it should validate successfully
+    TestInfo(False),
+  ],
+
+  '4.10.5': [
+    # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-6}.
+    # The path should not validate successfully. 
+    TestInfo(False, initial_policy_set=[TEST_POLICY_6]),
+  ],
+
+  '4.10.6': [
+    # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-6}.
+    # The path should not validate successfully. 
+    TestInfo(False, initial_policy_set=[TEST_POLICY_6]),
+  ],
+
+  '4.10.7': [
+    # The path should not validate successfully since the intermediate
+    # certificate includes a policy mapping extension in which anyPolicy
+    # appears as an issuerDomainPolicy.
+    TestInfo(False),
+  ],
+
+  '4.10.8': [
+    # The path should not validate successfully since the intermediate
+    # certificate includes a policy mapping extension in which anyPolicy
+    # appears as an subjectDomainPolicy
+    TestInfo(False),
+  ],
+
+  '4.10.9': [
+    # If the initial-policy-set does not include NIST-test-policy-1 (and the
+    # application can process the policyConstraints extension), then the path
+    # should be rejected, otherwise it should validate successfully. 
+    TestInfo(True),
+  ],
+
+  '4.10.10': [
+    # If the application can process the policyConstraints extension, then the
+    # path should be rejected, otherwise it should validate successfully
+    TestInfo(False),
+  ],
+
+  '4.10.11': [
+    # If the initial-policy-set does not include NIST-test-policy-1 (and the
+    # application can process the policyConstraints extension), then the path
+    # should be rejected, otherwise it should validate successfully. 
+    TestInfo(True),
+  ],
+
+  '4.10.12': [
+    # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully and the application should display
+    # the user notice associated with NIST-test-policy-3 in the end entity
+    # certificate.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}.
+    # The path should validate successfully and the application should display
+    # the user notice associated with anyPolicy in the end entity certificate. 
+    TestInfo(True, initial_policy_set=[TEST_POLICY_2]),
+  ],
+
+  '4.10.13': [
+    # If the initial-policy-set does not include NIST-test-policy-1 (and the
+    # application can process the policyConstraints extension), then the path
+    # should be rejected, otherwise it should validate successfully. If the
+    # path is accepted, the application should display the user notice
+    # associated with NIST-testpolicy-1 in the intermediate certificate. 
+    TestInfo(True),
+  ],
+
+  '4.10.14': [
+    # If the initial-policy-set does not include NIST-test-policy-1 (and the
+    # application can process the policyConstraints extension), then the path
+    # should be rejected, otherwise it should validate successfully. If the
+    # path is accepted, the application should display the user notice
+    # associated with anyPolicy in the intermediate certificate. 
+    TestInfo(True),
+  ],
+
+  '4.11.1': [
+    # The path should not validate successfully.
+    TestInfo(False),
+  ],
+
+  '4.11.2': [
+    # If the initial-policy-set is any-policy or otherwise includes
+    # NIST-test-policy-1, then the path should validate successfully. 
+    TestInfo(True),
+  ],
+
+  '4.11.3': [
+    # The path should not validate successfully. 
+    TestInfo(False),
+  ],
+
+  '4.11.4': [
+    # If the initial-policy-set is any-policy or otherwise includes
+    # NIST-test-policy-2, then the path should validate successfully. 
+    TestInfo(True),
+  ],
+
+  '4.11.5': [
+    # The path should not validate successfully.
+    TestInfo(False),
+  ],
+
+  '4.11.6': [
+    # The path should not validate successfully. 
+    TestInfo(False),
+  ],
+
+  '4.11.7': [
+    # If the initial-policy-set is any-policy or otherwise includes
+    # NIST-test-policy-1, then the path should validate successfully.
+    TestInfo(True),
+  ],
+
+  '4.11.8': [
+    # The path should not validate successfully. 
+    TestInfo(False),
+  ],
+
+  '4.11.9': [
+    # The path should not validate successfully. 
+    TestInfo(False),
+  ],
+
+  '4.11.10': [
+    # The path should not validate successfully.
+    TestInfo(False),
+  ],
+
+  '4.11.11': [
+    # The path should not validate successfully. 
+    TestInfo(False),
+  ],
+
+  '4.12.1': [
+    # If the application can process the policyConstraints extension, then the
+    # path should not validate successfully. 
+    TestInfo(False),
+  ],
+
+  '4.12.2': [
+    # If the initial-policy-set is any-policy or otherwise includes
+    # NIST-test-policy-1, then the userconstrained-policy-set will be
+    # {NIST-test-policy-1}and the path should validate successfully. 
+    TestInfo(True),
+  ],
+
+  '4.12.3': [
+     # 1. default settings. The path should validate successfully.
+    TestInfo(True),
+
+     # 2. default settings, but with initial-inhibit-any-policy set. The path
+     # should not validate successfully. 
+    TestInfo(False, initial_inhibit_any_policy=True),
+  ],
+
+  '4.12.4': [
+    # If the application can process the policyConstraints extension, then the
+    # path should not validate successfully. 
+    TestInfo(False),
+  ],
+
+  '4.12.5': [
+    # If the application can process the policyConstraints extension, then the
+    # path should not validate successfully. 
+    TestInfo(False),
+  ],
+
+  '4.12.6': [
+    # If the application can process the policyConstraints extension, then the
+    # path should not validate successfully. 
+    TestInfo(False),
+  ],
+
+  '4.12.7': [
+    # If the initial-policy-set is any-policy or otherwise includes
+    # NIST-test-policy-1, then the user-constrained-policy-set will be
+    # {NIST-test-policy-1} and the path should validate successfully
+    TestInfo(True),
+  ],
+
+  '4.12.8': [
+    # If the application can process the policyConstraints extension, then the
+    # path should not validate successfully. 
+    TestInfo(False),
+  ],
+
+  '4.12.9': [
+    # If the initial-policy-set is any-policy or otherwise includes
+    # NIST-test-policy-1, then the user-constrained-policy-set will be
+    # {NIST-test-policy-1}and the path should validate successfully. 
+    TestInfo(True),
+  ],
+
+  '4.12.10': [
+    # If the application can process the policyConstraints extension, then the
+    # path should not validate successfully. 
+    TestInfo(False),
+  ],
+}
+
+
+def parse_test(lines, i, test_case_name, test_number, test_name,
+               sanitized_test_names, output):
+  # Start by doing a coarse level of parsing that separates out the lines for
+  # the main sections.
+  i, test_sections = parse_main_test_sections(lines, i)
+
+  certs, crls = parse_cert_path_lines(test_sections.cert_path_lines)
+
+  # Most tests have a formulaic specification: they use the default
+  # settings, and have one expectation. These are easily parsed and are handled
+  # programmatically. In contrast, many of the policies tests have a more
+  # complicated specification which involves multiple subtests having various
+  # settings, as well as expectations described in terms of supported
+  # extensions. Rather than try to handle all the nuanced language, these are
+  # handled manually via "overrides".
+  overrides = TEST_OVERRIDES.get(test_number, None)
+
+  if overrides is None:
+    # Verify that the test description doesn't include numbered subparts (those
+    # are not handled here).
+    if CUSTOM_SETTINGS_MATCHER.match(" ".join(test_sections.description_lines)):
+      sys.stderr.write('Unexpected custom settings for %s\n' % test_number)
+      sys.exit(1)
+
+    # Verify that the test is using only default settings.
+    if not USING_DEFAULT_SETTINGS_MATCHER.match(
+        " ".join(test_sections.procedure_lines)):
+      sys.stderr.write('Unexpected procedure for %s: %s\n' %
+                       (test_number, " ".join(test_section.procedure_lines)))
+      sys.exit(1)
+
+    # Check whether expected result is validation success or failure.
+    result_match = TEST_RESULT_MATCHER.match(
+       test_sections.expected_result_lines[0])
+    if not result_match:
+      sys.stderr.write('Unknown expectation for %s:\n%s\n' % (
+          test_number, " ".join(test_sections.expected_result_lines)))
+      sys.exit(1)
+    # Initializes with default settings.
+    info = TestInfo(result_match.group(1) == 'should validate')
+
+    output_test(test_case_name, test_number, test_name, None, info, certs,
+                crls, sanitized_test_names, output)
+  else:
+    # The overrides may have a series of inputs (settings) and outputs
+    # (success/failure) for this test. Output each as a separate test case.
+    for subpart_i in range(len(overrides)):
+      info = overrides[subpart_i]
+      # If the test has only 1 subpart, don't number it.
+      subpart_number = subpart_i + 1 if len(overrides) > 1 else None
+      output_test(test_case_name, test_number, test_name, subpart_number, info,
+                  certs, crls, sanitized_test_names, output)
+
+  return i
 
 
 def main():
   pkits_pdf_path, output_path = sys.argv[1:]
 
   pkits_txt_file = tempfile.NamedTemporaryFile()
 
   subprocess.check_call(['pdftotext', '-layout', '-nopgbrk', '-eol', 'unix',
                          pkits_pdf_path, pkits_txt_file.name])
 
@@ skipping 23 matching lines @@
   while i < len(lines):
     section_match = SECTION_MATCHER.match(lines[i])
     match = TEST_MATCHER.match(lines[i])
     i += 1
 
     if section_match:
       if test_case_name:
         finalize_test_case(test_case_name, sanitized_test_names, output)
         sanitized_test_names = []
 
-      # TODO(mattm): Handle certificate policies tests.
-      if section_match.group(1) in ('4.8', '4.9', '4.10', '4.11', '4.12'):
-        test_case_name = None
-        output.write('\n// Skipping section %s\n' % section_match.group(1))
-        continue
-
       test_case_name = 'PkitsTest%02d%s' % (
           int(section_match.group(1).split('.')[-1]),
           sanitize_name(section_match.group(2)))
       output.write('\ntemplate <typename PkitsTestDelegate>\n')
-      output.write('class %s : public PkitsTest<PkitsTestDelegate> {};\n' % test_case_name)
+      output.write('class %s : public PkitsTest<PkitsTestDelegate> {};\n' %
+                   test_case_name)
       output.write('TYPED_TEST_CASE_P(%s);\n' % test_case_name)
 
     if match:
       test_number = match.group(1)
       test_name = match.group(2)
       if not test_case_name:
         output.write('// Skipped %s %s\n' % (test_number, test_name))
         continue
-      i, sanitized_test_name = parse_test(lines, i, test_case_name, test_number,
-                                         test_name, output)
-      if sanitized_test_name:
-        sanitized_test_names.append(sanitized_test_name)
+      i, parse_test(lines, i, test_case_name, test_number,
+                    test_name, sanitized_test_names, output)
 
   if test_case_name:
     finalize_test_case(test_case_name, sanitized_test_names, output)
 
 
 if __name__ == '__main__':
   main()