OLD | NEW |
1 # Copyright 2016 The Chromium Authors. All rights reserved. | 1 # Copyright 2016 The Chromium Authors. All rights reserved. |
2 # Use of this source code is governed by a BSD-style license that can be | 2 # Use of this source code is governed by a BSD-style license that can be |
3 # found in the LICENSE file. | 3 # found in the LICENSE file. |
4 | 4 |
5 '''Generates a test suite from NIST PKITS test descriptions. | 5 '''Generates a test suite from NIST PKITS test descriptions. |
6 | 6 |
7 The output is a set of Type Parameterized Tests which are included by | 7 The output is a set of Type Parameterized Tests which are included by |
8 pkits_unittest.h. See pkits_unittest.h for information on using the tests. | 8 pkits_unittest.h. See pkits_unittest.h for information on using the tests. |
9 GoogleTest has a limit of 50 tests per type parameterized testcase, so the tests | 9 GoogleTest has a limit of 50 tests per type parameterized testcase, so the tests |
10 are split up by section number (this also makes it possible to easily skip | 10 are split up by section number (this also makes it possible to easily skip |
(...skipping 14 matching lines...) Expand all Loading... |
25 return s.translate(None, ' -') | 25 return s.translate(None, ' -') |
26 | 26 |
27 | 27 |
28 def finalize_test_case(test_case_name, sanitized_test_names, output): | 28 def finalize_test_case(test_case_name, sanitized_test_names, output): |
29 output.write('\nWRAPPED_REGISTER_TYPED_TEST_CASE_P(%s' % test_case_name) | 29 output.write('\nWRAPPED_REGISTER_TYPED_TEST_CASE_P(%s' % test_case_name) |
30 for name in sanitized_test_names: | 30 for name in sanitized_test_names: |
31 output.write(',\n %s' % name) | 31 output.write(',\n %s' % name) |
32 output.write(');\n') | 32 output.write(');\n') |
33 | 33 |
34 | 34 |
35 def generate_test(test_case_name, test_number, raw_test_name, certs, crls, shoul
d_validate, | 35 def bool_to_str(b): |
36 output): | 36 return "true" if b else "false" |
| 37 |
| 38 |
| 39 def output_test(test_case_name, test_number, raw_test_name, subpart_number, |
| 40 info, certs, crls, sanitized_test_names, output): |
| 41 '''Writes a test case to |output|, and appends the test name to |
| 42 |sanitized_test_names|.''' |
37 sanitized_test_name = 'Section%s%s' % (test_number.split('.')[1], | 43 sanitized_test_name = 'Section%s%s' % (test_number.split('.')[1], |
38 sanitize_name(raw_test_name)) | 44 sanitize_name(raw_test_name)) |
| 45 |
| 46 if subpart_number is not None: |
| 47 sanitized_test_name += "Subpart%d" % (subpart_number) |
| 48 |
| 49 sanitized_test_names.append(sanitized_test_name) |
| 50 |
39 certs_formatted = ', '.join('"%s"' % n for n in certs) | 51 certs_formatted = ', '.join('"%s"' % n for n in certs) |
40 crls_formatted = ', '.join('"%s"' % n for n in crls) | 52 crls_formatted = ', '.join('"%s"' % n for n in crls) |
41 assert_function = 'ASSERT_TRUE' if should_validate else 'ASSERT_FALSE' | 53 assert_function = 'ASSERT_TRUE' if info.should_validate else 'ASSERT_FALSE' |
| 54 |
42 output.write(''' | 55 output.write(''' |
43 // %(test_number)s %(raw_test_name)s | 56 // %(test_number)s %(raw_test_name)s |
44 WRAPPED_TYPED_TEST_P(%(test_case_name)s, %(sanitized_test_name)s) { | 57 WRAPPED_TYPED_TEST_P(%(test_case_name)s, %(sanitized_test_name)s) { |
45 const char* const certs[] = { | 58 const char* const certs[] = { |
46 %(certs_formatted)s | 59 %(certs_formatted)s |
47 }; | 60 }; |
48 const char* const crls[] = { | 61 const char* const crls[] = { |
49 %(crls_formatted)s | 62 %(crls_formatted)s |
50 }; | 63 }; |
51 %(assert_function)s(this->Verify(certs, crls)); | 64 ''' % vars()) |
| 65 |
| 66 default_settings = TestInfo(False) |
| 67 |
| 68 settings_str = '' |
| 69 |
| 70 # Output any non-default settings. Only settings that differ from |
| 71 # the default settings are written, so as to keep the generated |
| 72 # file more readable. |
| 73 if info.initial_policy_set != default_settings.initial_policy_set: |
| 74 settings_str += ''' settings.SetInitialPolicySet("%s"); |
| 75 ''' % (','.join(info.initial_policy_set)) |
| 76 |
| 77 if info.initial_explicit_policy != default_settings.initial_explicit_policy: |
| 78 settings_str += ''' settings.initial_explicit_policy = %s; |
| 79 ''' % bool_to_str(info.initial_explicit_policy) |
| 80 |
| 81 if (info.initial_policy_mapping_inhibit != |
| 82 default_settings.initial_policy_mapping_inhibit): |
| 83 settings_str += ''' settings.initial_policy_mapping_inhibit = %s; |
| 84 ''' % bool_to_str(info.initial_policy_mapping_inhibit) |
| 85 |
| 86 if (info.initial_inhibit_any_policy != |
| 87 default_settings.initial_inhibit_any_policy): |
| 88 settings_str += '''settings.initial_inhibit_any_policy = %s; |
| 89 ''' % bool_to_str(info.initial_inhibit_any_policy) |
| 90 |
| 91 settings_param_str = '{}' |
| 92 |
| 93 if settings_str != '': |
| 94 output.write(''' |
| 95 // Custom settings |
| 96 PkitsTestSettings settings; |
| 97 ''') |
| 98 output.write(settings_str) |
| 99 output.write('\n') |
| 100 settings_param_str = 'settings' |
| 101 |
| 102 output.write(''' %(assert_function)s(this->Verify(certs, crls, %(settings_par
am_str)s)); |
52 } | 103 } |
53 ''' % vars()) | 104 ''' % vars()) |
54 | 105 |
55 return sanitized_test_name | |
56 | |
57 | 106 |
58 # Matches a section header, ex: "4.1 Signature Verification" | 107 # Matches a section header, ex: "4.1 Signature Verification" |
59 SECTION_MATCHER = re.compile('^\s*(\d+\.\d+)\s+(.+)\s*$') | 108 SECTION_MATCHER = re.compile('^\s*(\d+\.\d+)\s+(.+)\s*$') |
60 # Matches a test header, ex: "4.1.1 Valid Signatures Test1" | 109 # Matches a test header, ex: "4.1.1 Valid Signatures Test1" |
61 TEST_MATCHER = re.compile('^\s*(\d+\.\d+.\d+)\s+(.+)\s*$') | 110 TEST_MATCHER = re.compile('^\s*(\d+\.\d+.\d+)\s+(.+)\s*$') |
| 111 |
| 112 # Matches the various headers in a test specification. |
| 113 EXPECTED_HEADER_MATCHER = re.compile('^\s*Expected Result:') |
| 114 PROCEDURE_HEADER_MATCHER = re.compile('^\s*Procedure:') |
| 115 PATH_HEADER_MATCHER = re.compile('^\s*Certification Path:') |
| 116 |
| 117 # Matches the Procedure text if using default settings. |
| 118 USING_DEFAULT_SETTINGS_MATCHER = re.compile( |
| 119 '^.*using the \s*default settings.*') |
| 120 |
| 121 # Matches the description text if using custom settings. |
| 122 CUSTOM_SETTINGS_MATCHER = re.compile( |
| 123 '.*this\s+test\s+be\s+validated\s+using\s+the\s+following\s+inputs:.*') |
| 124 |
62 # Match an expected test result. Note that some results in the PDF have a typo | 125 # Match an expected test result. Note that some results in the PDF have a typo |
63 # "path not should validate" instead of "path should not validate". | 126 # "path not should validate" instead of "path should not validate". |
64 TEST_RESULT_MATCHER = re.compile( | 127 TEST_RESULT_MATCHER = re.compile( |
65 '^\s*Expected Result:.*path (should validate|' | 128 '^.*path (should validate|should not validate|not should validate)') |
66 'should not validate|not should validate)') | 129 |
67 PATH_HEADER_MATCHER = re.compile('^\s*Certification Path:') | 130 # Matches a line in the certification path, ex: |
68 # Matches a line in the certification path, ex: "\u2022 Good CA Cert, Good CA CR
L" | 131 # "\u2022 Good CA Cert, Good CA CRL" |
69 PATH_MATCHER = re.compile('^\s*\xe2\x80\xa2\s*(.+)\s*$') | 132 PATH_MATCHER = re.compile('^\s*\xe2\x80\xa2\s*(.+)\s*$') |
70 # Matches a page number. These may appear in the middle of multi-line fields and | 133 # Matches a page number. These may appear in the middle of multi-line fields and |
71 # thus need to be ignored. | 134 # thus need to be ignored. |
72 PAGE_NUMBER_MATCHER = re.compile('^\s*\d+\s*$') | 135 PAGE_NUMBER_MATCHER = re.compile('^\s*\d+\s*$') |
73 # Matches if an entry in a certification path refers to a CRL, ex: | 136 # Matches if an entry in a certification path refers to a CRL, ex: |
74 # "onlySomeReasons CA2 CRL1". | 137 # "onlySomeReasons CA2 CRL1". |
75 CRL_MATCHER = re.compile('^.*CRL\d*$') | 138 CRL_MATCHER = re.compile('^.*CRL\d*$') |
76 def parse_test(lines, i, test_case_name, test_number, test_name, output): | 139 |
77 expected_result = None | 140 |
| 141 class TestSections(object): |
| 142 def __init__(self): |
| 143 self.description_lines = [] |
| 144 self.procedure_lines = [] |
| 145 self.expected_result_lines = [] |
| 146 self.cert_path_lines = [] |
| 147 |
| 148 |
| 149 def parse_main_test_sections(lines, i): |
| 150 result = TestSections() |
| 151 |
| 152 # Read the description lines (text after test name up until |
| 153 # "Procedure:"). |
| 154 result.description_lines = [] |
| 155 while i < len(lines): |
| 156 if PROCEDURE_HEADER_MATCHER.match(lines[i]): |
| 157 break |
| 158 result.description_lines.append(lines[i]) |
| 159 i += 1 |
| 160 |
| 161 # Read the procedure lines (text starting at "Procedure:" and up until |
| 162 # "Expected Result:". |
| 163 result.procedure_lines = [] |
| 164 while i < len(lines): |
| 165 if EXPECTED_HEADER_MATCHER.match(lines[i]): |
| 166 break |
| 167 result.procedure_lines.append(lines[i]) |
| 168 i += 1 |
| 169 |
| 170 # Read the expected result lines (text starting at "Expected Result:" and up |
| 171 # until "Certification Path:". |
| 172 result.expected_result_lines = [] |
| 173 while i < len(lines): |
| 174 if PATH_HEADER_MATCHER.match(lines[i]): |
| 175 break |
| 176 result.expected_result_lines.append(lines[i]) |
| 177 i += 1 |
| 178 |
| 179 # Read the certification path lines (text starting at "Certification Path:" |
| 180 # and up until the next test title. |
| 181 result.cert_path_lines = [] |
| 182 while i < len(lines): |
| 183 if TEST_MATCHER.match(lines[i]) or SECTION_MATCHER.match(lines[i]): |
| 184 break |
| 185 result.cert_path_lines.append(lines[i]) |
| 186 i += 1 |
| 187 |
| 188 return i, result |
| 189 |
| 190 |
| 191 def parse_cert_path_lines(lines): |
| 192 path_lines = [] |
| 193 crls = [] |
78 certs = [] | 194 certs = [] |
79 crls = [] | |
80 | 195 |
81 while i < len(lines): | 196 for line in lines[1:]: |
82 result_match = TEST_RESULT_MATCHER.match(lines[i]) | 197 line = line.strip() |
83 i += 1 | |
84 if result_match: | |
85 expected_result = result_match.group(1) == 'should validate' | |
86 break | |
87 | 198 |
88 while i < len(lines): | 199 if "is composed of the following objects:" in line: |
89 path_match = PATH_HEADER_MATCHER.match(lines[i]) | 200 continue |
90 i += 1 | |
91 if path_match: | |
92 break | |
93 | 201 |
94 path_lines = [] | |
95 while i < len(lines): | |
96 line = lines[i].strip() | |
97 if TEST_MATCHER.match(line) or SECTION_MATCHER.match(line): | |
98 break | |
99 i += 1 | |
100 if not line or PAGE_NUMBER_MATCHER.match(line): | 202 if not line or PAGE_NUMBER_MATCHER.match(line): |
101 continue | 203 continue |
102 path_match = PATH_MATCHER.match(line) | 204 path_match = PATH_MATCHER.match(line) |
103 if path_match: | 205 if path_match: |
104 path_lines.append(path_match.group(1)) | 206 path_lines.append(path_match.group(1)) |
105 continue | 207 continue |
106 # Continuation of previous path line. | 208 # Continuation of previous path line. |
107 path_lines[-1] += ' ' + line | 209 path_lines[-1] += ' ' + line |
108 | 210 |
109 for path_line in path_lines: | 211 for path_line in path_lines: |
110 for path in path_line.split(','): | 212 for path in path_line.split(','): |
111 path = sanitize_name(path.strip()) | 213 path = sanitize_name(path.strip()) |
112 if CRL_MATCHER.match(path): | 214 if CRL_MATCHER.match(path): |
113 crls.append(path) | 215 crls.append(path) |
114 else: | 216 else: |
115 certs.append(path) | 217 certs.append(path) |
116 | 218 |
117 assert certs | 219 return certs, crls |
118 assert crls | 220 |
119 assert expected_result is not None | 221 |
120 sanitized_test_name = generate_test(test_case_name, test_number, test_name, | 222 ANY_POLICY = 'anyPolicy' |
121 certs, crls, expected_result, output) | 223 TEST_POLICY_1 = 'NIST-test-policy-1' |
122 | 224 TEST_POLICY_2 = 'NIST-test-policy-2' |
123 return i, sanitized_test_name | 225 TEST_POLICY_3 = 'NIST-test-policy-3' |
| 226 TEST_POLICY_6 = 'NIST-test-policy-6' |
| 227 |
| 228 # TODO(eroman): This omits a few outputs from PKITS: |
| 229 # |
| 230 # * authorities-constrained-policy-set |
| 231 # * user-constrained-policy-set |
| 232 # * explicit-policy-indicator |
| 233 # |
| 234 # Consider adding the constrained policy sets in the future, if our |
| 235 # verification code supports outputting them. |
| 236 class TestInfo(object): |
| 237 """This structure describes a test inputs and outputs""" |
| 238 |
| 239 def __init__(self, should_validate, |
| 240 # These defaults come from section 3 of PKITS.pdf |
| 241 initial_policy_set = [ANY_POLICY], |
| 242 initial_explicit_policy = False, |
| 243 initial_policy_mapping_inhibit = False, |
| 244 initial_inhibit_any_policy = False): |
| 245 self.should_validate = should_validate |
| 246 self.initial_policy_set = initial_policy_set |
| 247 self.initial_explicit_policy = initial_explicit_policy |
| 248 self.initial_policy_mapping_inhibit = initial_policy_mapping_inhibit |
| 249 self.initial_inhibit_any_policy = initial_inhibit_any_policy |
| 250 |
| 251 |
| 252 TEST_OVERRIDES = { |
| 253 '4.8.1': [ # All Certificates Same Policy Test1 |
| 254 # 1. default settings, but with initial-explicit-policy set. The path |
| 255 # should validate successfully |
| 256 TestInfo(True, initial_explicit_policy=True), |
| 257 |
| 258 # 2. default settings, but with initial-explicit-policy set and |
| 259 # initial-policy-set = {NIST-test-policy-1}. The path should validate |
| 260 # successfully. |
| 261 TestInfo(True, initial_explicit_policy=True, |
| 262 initial_policy_set=[TEST_POLICY_1]), |
| 263 |
| 264 # 3. default settings, but with initial-explicit-policy set and |
| 265 # initial-policy-set = {NIST-test-policy-2}. The path should not validate |
| 266 # successfully. |
| 267 TestInfo(False, initial_explicit_policy=True, |
| 268 initial_policy_set=[TEST_POLICY_2]), |
| 269 |
| 270 # 4. default settings, but with initial-explicit-policy set and |
| 271 # initial-policy-set = {NIST-test-policy-1, NIST-test-policy-2}. The path |
| 272 # should validate successfully. |
| 273 TestInfo(True, initial_explicit_policy=True, |
| 274 initial_policy_set=[TEST_POLICY_1, TEST_POLICY_2]), |
| 275 ], |
| 276 |
| 277 '4.8.2': [ # All Certificates No Policies Test2 |
| 278 # 1. default settings. The path should validate successfully. |
| 279 TestInfo(True), |
| 280 |
| 281 # 2. default settings, but with initial-explicit-policy set. The path |
| 282 # should not validate successfully |
| 283 TestInfo(False, initial_explicit_policy=True), |
| 284 ], |
| 285 |
| 286 '4.8.3': [ # Different Policies Test3 |
| 287 # 1. default settings. The path should validate successfully. |
| 288 TestInfo(True), |
| 289 |
| 290 # 2. default settings, but with initial-explicit-policy set. The path |
| 291 # should not validate successfully. |
| 292 TestInfo(False, initial_explicit_policy=True), |
| 293 |
| 294 # 3. default settings, but with initial-explicit-policy set and |
| 295 # initial-policy-set = {NIST-test-policy-1, NIST-test-policy-2}. The path |
| 296 # should not validate successfully. |
| 297 TestInfo(False, initial_explicit_policy=True, |
| 298 initial_policy_set=[TEST_POLICY_1, TEST_POLICY_2]), |
| 299 ], |
| 300 |
| 301 '4.8.4': [ # Different Policies Test4 |
| 302 # Procedure: Validate Different Policies Test4 EE using the default |
| 303 # settings or open and verify Signed Test Message 6.2.2.69 using the |
| 304 # default settings. |
| 305 # |
| 306 # Expected Result: The authorities-constrained-policy-set and the |
| 307 # user-constrained-policy-set will be empty. The explicit-policy-indicator |
| 308 # will be set if the application can process the policyConstraints |
| 309 # extension. If the application can process the policyConstraints extension |
| 310 # then the path should not validate successfully. If the application can |
| 311 # not process the policyConstraints extension, then the path should |
| 312 # validate successfully. |
| 313 TestInfo(False), |
| 314 ], |
| 315 |
| 316 '4.8.5': [ # 4.8.5 Different Policies Test5 |
| 317 # Procedure: Validate Different Policies Test5 EE using the default |
| 318 # settings or open and verify Signed Test Message 6.2.2.70 using the |
| 319 # default settings. |
| 320 # |
| 321 # Expected Result: The authorities-constrained-policy-set and the |
| 322 # user-constrained-policy-set will be empty. The explicit-policy-indicator |
| 323 # will be set if the application can process the policyConstraints |
| 324 # extension. If the application can process the policyConstraints extension |
| 325 # then the path should not validate successfully. If the application can |
| 326 # not process the policyConstraints extension, then the path should |
| 327 # validate successfully |
| 328 TestInfo(False), |
| 329 ], |
| 330 |
| 331 '4.8.6': [ # Overlapping Policies Test6 |
| 332 # 1. default settings. The path should validate successfully. |
| 333 TestInfo(True), |
| 334 |
| 335 # 2. default settings, but with initial-policy-set = {NIST-test-policy-1}. |
| 336 # The path should validate successfully. |
| 337 TestInfo(True, initial_policy_set=[TEST_POLICY_1]), |
| 338 |
| 339 # 3. default settings, but with initial-policy-set = {NIST-test-policy-2}. |
| 340 # The path should not validate successfully. |
| 341 TestInfo(False, initial_policy_set=[TEST_POLICY_2]), |
| 342 ], |
| 343 |
| 344 '4.8.7': [ # Different Policies Test7 |
| 345 # Procedure: Validate Different Policies Test7 EE using the default |
| 346 # settings or open and verify Signed Test Message 6.2.2.72 using the |
| 347 # default settings. |
| 348 # |
| 349 # Expected Result: The authorities-constrained-policy-set and the |
| 350 # user-constrained-policy-set will be empty. If the |
| 351 # explicit-policy-indicator will be set if the application can process the |
| 352 # policyConstraints extension. If the application can process the |
| 353 # policyConstraints extension, then the path should not validate |
| 354 # successfully. If the application can not process the policyConstraints |
| 355 # extension, then the path should validate successfully. |
| 356 TestInfo(False), |
| 357 ], |
| 358 |
| 359 '4.8.8': [ # Different Policies Test8 |
| 360 # Procedure: Validate Different Policies Test8 EE using the default |
| 361 # settings or open and verify Signed Test Message 6.2.2.73 using the |
| 362 # default settings. |
| 363 # |
| 364 # Expected Result: The authorities-constrained-policy-set and the |
| 365 # user-constrained-policy-set will be empty. The explicit-policy-indicator |
| 366 # will be set if the application can process the policyConstraints |
| 367 # extension. If the application can process the policyConstraints extension |
| 368 # then the path should not validate successfully. If the application can |
| 369 # not process the policyConstraints extension, then the path should |
| 370 # validate successfully. |
| 371 TestInfo(False), |
| 372 ], |
| 373 |
| 374 '4.8.9': [ # Different Policies Test9 |
| 375 # Procedure: Validate Different Policies Test9 EE using the default |
| 376 # settings or open and verify Signed Test Message 6.2.2.74 using the |
| 377 # default settings. |
| 378 # |
| 379 # Expected Result: The authorities-constrained-policy-set and the |
| 380 # user-constrained-policy-set will be empty. The explicit-policy-indicator |
| 381 # will be set if the application can process the policyConstraints |
| 382 # extension. If the application can process the policyConstraints |
| 383 # extension, then the path should not validate successfully. If the |
| 384 # application can not process the policyConstraints extension, then the |
| 385 # path should validate successfully. |
| 386 TestInfo(False), |
| 387 ], |
| 388 |
| 389 '4.8.10': [ # All Certificates Same Policies Test10 |
| 390 # 1. default settings. The path should validate successfully. |
| 391 TestInfo(True), |
| 392 |
| 393 # 2. default settings, but with initial-policy-set = {NIST-test-policy-1}. |
| 394 # The path should validate successfully. |
| 395 TestInfo(True, initial_policy_set=[TEST_POLICY_1]), |
| 396 |
| 397 # 3. default settings, but with initial-policy-set = {NIST-test-policy-2}. |
| 398 # The path should validate successfully. |
| 399 TestInfo(True, initial_policy_set=[TEST_POLICY_2]), |
| 400 ], |
| 401 |
| 402 '4.8.11': [ # All Certificates AnyPolicy Test11 |
| 403 # 1. default settings. The path should validate successfully. |
| 404 TestInfo(True), |
| 405 |
| 406 # 2. default settings, but with initial-policy-set = {NIST-test-policy-1}. |
| 407 # The path should validate successfully. |
| 408 TestInfo(True, initial_policy_set=[TEST_POLICY_1]), |
| 409 ], |
| 410 |
| 411 '4.8.12': [ # Different Policies Test12 |
| 412 # Procedure: Validate Different Policies Test12 EE using the default |
| 413 # settings or open and verify Signed Test Message 6.2.2.77 using the |
| 414 # default settings. |
| 415 # |
| 416 # Expected Result: The authorities-constrained-policy-set and the |
| 417 # user-constrained-policy-set will be empty. The explicit-policy-indicator |
| 418 # will be set if the application can process the policyConstraints |
| 419 # extension. If the application can process the policyConstraints |
| 420 # extension, then the path should not validate successfully. If the |
| 421 # application can not process the policyConstraints extension, then the |
| 422 # path should validate successfully. |
| 423 TestInfo(False), |
| 424 ], |
| 425 |
| 426 '4.8.13': [ # All Certificates Same Policies Test13 |
| 427 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. |
| 428 # The path should validate successfully. |
| 429 TestInfo(True, initial_policy_set=[TEST_POLICY_1]), |
| 430 |
| 431 # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}. |
| 432 # The path should validate successfully. |
| 433 TestInfo(True, initial_policy_set=[TEST_POLICY_2]), |
| 434 |
| 435 # 3. default settings, but with initial-policy-set = {NIST-test-policy-3}. |
| 436 # The path should validate successfully. |
| 437 TestInfo(True, initial_policy_set=[TEST_POLICY_3]), |
| 438 ], |
| 439 |
| 440 '4.8.14': [ # AnyPolicy Test14 |
| 441 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. |
| 442 # The path should validate successfully. |
| 443 TestInfo(True, initial_policy_set=[TEST_POLICY_1]), |
| 444 |
| 445 # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}. |
| 446 # The path should not validate successfully. |
| 447 TestInfo(False, initial_policy_set=[TEST_POLICY_2]), |
| 448 ], |
| 449 |
| 450 '4.8.15': [ # User Notice Qualifier Test15 |
| 451 # Procedure: Validate User Notice Qualifier Test15 EE using the default |
| 452 # settings or open and verify Signed Test Message 6.2.2.80 using the |
| 453 # default settings. |
| 454 # |
| 455 # Expected Result: The authorities-constrained-policy-set will be |
| 456 # {NIST-test-policy-1} and the explicit-policy-indicator will be the same |
| 457 # as the initial-explicit-policy indicator. If the initial-policy-set is |
| 458 # any-policy or otherwise includes NIST-test-policy-1, then the |
| 459 # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the |
| 460 # user-constrained-policy-set will be empty. If the initial-explicit-policy |
| 461 # indicator is set and the initial-policy-set does not include |
| 462 # NIST-test-policy-1, then the path should be rejected, otherwise it should |
| 463 # validate successfully. If the path validates successfully, then the |
| 464 # application should display the user notice. |
| 465 TestInfo(True), |
| 466 ], |
| 467 |
| 468 '4.8.16': [ # User Notice Qualifier Test16 |
| 469 # Procedure: Validate User Notice Qualifier Test16 EE using the default |
| 470 # settings or open and verify Signed Test Message 6.2.2.81 using the |
| 471 # default settings. |
| 472 # |
| 473 # Expected Result: The authorities-constrained-policy-set will be |
| 474 # {NIST-test-policy-1} and the explicit-policy-indicator will be the same |
| 475 # as the initial-explicit-policy indicator. If the initial-policy-set is |
| 476 # any-policy or otherwise includes NIST-test-policy-1, then the |
| 477 # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the |
| 478 # user-constrained-policy-set will be empty. If the initial-explicit-policy |
| 479 # indicator is set and the initial-policy-set does not include |
| 480 # NIST-test-policy-1, then the path should be rejected, otherwise it should |
| 481 # validate successfully. If the path validates successfully, then the |
| 482 # application should display the user notice associated with |
| 483 # NIST-test-policy-1. The user notice associated with NIST-test-policy-2 |
| 484 # should not be displayed. |
| 485 TestInfo(True), |
| 486 ], |
| 487 |
| 488 '4.8.17': [ # User Notice Qualifier Test17 |
| 489 # Procedure: Validate User Notice Qualifier Test17 EE using the default |
| 490 # settings or open and verify Signed Test Message 6.2.2.82 using the |
| 491 # default settings. |
| 492 # |
| 493 # Expected Result: The authorities-constrained-policy-set will be |
| 494 # {NIST-test-policy-1} and the explicit-policy-indicator will be the same |
| 495 # as the initial-explicit-policy indicator. If the initial-policy-set is |
| 496 # any-policy or otherwise includes NIST-test-policy-1, then the |
| 497 # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the |
| 498 # user-constrained-policy-set will be empty. If the initial-explicit-policy |
| 499 # indicator is set and the initial-policy-set does not include |
| 500 # NIST-test-policy-1, then the path should be rejected, otherwise it should |
| 501 # validate successfully. If the path validates successfully, then the |
| 502 # application should display the user notice associated with anyPolicy. |
| 503 TestInfo(True), |
| 504 ], |
| 505 |
| 506 '4.8.18': [ # User Notice Qualifier Test18 |
| 507 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. |
| 508 # The path should validate successfully and the qualifier associated with |
| 509 # NIST-test-policy-1 in the end entity certificate should be displayed. |
| 510 TestInfo(True, initial_policy_set=[TEST_POLICY_1]), |
| 511 |
| 512 # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}. |
| 513 # The path should validate successfully and the qualifier associated with |
| 514 # anyPolicy in the end entity certificate should be displayed. |
| 515 TestInfo(True, initial_policy_set=[TEST_POLICY_2]), |
| 516 ], |
| 517 |
| 518 '4.8.19': [ # User Notice Qualifier Test19 |
| 519 # Procedure: Validate User Notice Qualifier Test19 EE using the default |
| 520 # settings or open and verify Signed Test Message 6.2.2.84 using the |
| 521 # default settings. |
| 522 # |
| 523 # Expected Result: The authorities-constrained-policy-set will be |
| 524 # {NIST-test-policy-1} and the explicit-policy-indicator will be the same |
| 525 # as the initial-explicit-policy indicator. If the initial-policy-set is |
| 526 # any-policy or otherwise includes NIST-test-policy-1, then the |
| 527 # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the |
| 528 # user-constrained-policy-set will be empty. If the initial-explicit-policy |
| 529 # indicator is set and the initial-policy-set does not include |
| 530 # NIST-test-policy-1, then the path should be rejected, otherwise it should |
| 531 # validate successfully. Since the explicitText exceeds the maximum size |
| 532 # of 200 characters, the application may choose to reject the certificate. |
| 533 # If the application accepts the certificate, display of the user notice is |
| 534 # optional. |
| 535 TestInfo(True), |
| 536 ], |
| 537 |
| 538 '4.8.20': [ # CPS Pointer Qualifier Test20 |
| 539 # Procedure: Validate CPS Pointer Qualifier Test20 EE using the default |
| 540 # settings or open and verify Signed Test Message 6.2.2.85 using the |
| 541 # default settings. (If possible, it is recommended that this test be run |
| 542 # with the initial-explicit-policy indicator set. If this can not be done, |
| 543 # manually check that the authorities-constrained-policy-set and |
| 544 # user-constrained-policy-set are correct.) |
| 545 # |
| 546 # Expected Result: The authorities-constrained-policy-set will be |
| 547 # {NIST-test-policy-1} and the explicit-policy-indicator will be the same |
| 548 # as the initial-explicit-policy indicator. If the initial-policy-set is |
| 549 # any-policy or otherwise includes NIST-test-policy-1, then the |
| 550 # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the |
| 551 # user-constrained-policy-set will be empty. If the initial-explicit-policy |
| 552 # indicator is set and the initial-policy-set does not include |
| 553 # NIST-test-policy-1, then the path should be rejected, otherwise it should |
| 554 # validate successfully. The CPS pointer in the qualifier should be |
| 555 # associated with NIST-testpolicy-1 in the |
| 556 # authorities-constrained-policy-set (and in the user-constrained-policy-set |
| 557 # if NIST-test-policy-1 is in that set). There are no processing |
| 558 # requirements associated with the CPS pointer qualifier. |
| 559 TestInfo(True, initial_explicit_policy=True, |
| 560 initial_policy_set=[TEST_POLICY_1]), |
| 561 ], |
| 562 |
| 563 '4.10.1': [ # Valid Policy Mapping Test1 |
| 564 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. |
| 565 # The path should validate successfully. |
| 566 TestInfo(True, initial_policy_set=[TEST_POLICY_1]), |
| 567 |
| 568 # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}. |
| 569 # The path should not validate successfully. |
| 570 TestInfo(False, initial_policy_set=[TEST_POLICY_2]), |
| 571 |
| 572 # 3. default settings, but with initial-policy-mapping-inhibit set. The |
| 573 # path should not validate successfully. |
| 574 TestInfo(False, initial_policy_mapping_inhibit=True), |
| 575 ], |
| 576 |
| 577 '4.10.2': [ # Invalid Policy Mapping Test2 |
| 578 # 1. default settings. The path should not validate successfully. |
| 579 TestInfo(False), |
| 580 |
| 581 # 2. default settings, but with initial-policy-mapping-inhibit set. The |
| 582 # path should not validate successfully. |
| 583 TestInfo(False, initial_policy_mapping_inhibit=True), |
| 584 ], |
| 585 |
| 586 '4.10.3': [ # Valid Policy Mapping Test3 |
| 587 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. |
| 588 # The path should not validate successfully. |
| 589 TestInfo(False, initial_policy_set=[TEST_POLICY_1]), |
| 590 |
| 591 # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}. |
| 592 # The path should validate successfully. |
| 593 TestInfo(True, initial_policy_set=[TEST_POLICY_2]), |
| 594 ], |
| 595 |
| 596 '4.10.4': [ # Invalid Policy Mapping Test4 |
| 597 # Procedure: Validate Invalid Policy Mapping Test4 EE using the default |
| 598 # settings or open and verify Signed Test Message 6.2.2.97 using the |
| 599 # default settings. |
| 600 # |
| 601 # Expected Result: The authorities-constrained-policy-set and the |
| 602 # user-constrained-policy-set will be empty and the |
| 603 # explicit-policy-indicator will be set (if the application can process the |
| 604 # policyConstraints extension). If the application can process the |
| 605 # policyConstraints extension, then the path should be rejected, otherwise |
| 606 # it should validate successfully. |
| 607 TestInfo(False), |
| 608 ], |
| 609 |
| 610 '4.10.5': [ # Valid Policy Mapping Test5 |
| 611 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. |
| 612 # The path should validate successfully. |
| 613 TestInfo(True, initial_policy_set=[TEST_POLICY_1]), |
| 614 |
| 615 # 2. default settings, but with initial-policy-set = {NIST-test-policy-6}. |
| 616 # The path should not validate successfully. |
| 617 TestInfo(False, initial_policy_set=[TEST_POLICY_6]), |
| 618 ], |
| 619 |
| 620 '4.10.6': [ # Valid Policy Mapping Test6 |
| 621 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. |
| 622 # The path should validate successfully. |
| 623 TestInfo(True, initial_policy_set=[TEST_POLICY_1]), |
| 624 |
| 625 # 2. default settings, but with initial-policy-set = {NIST-test-policy-6}. |
| 626 # The path should not validate successfully. |
| 627 TestInfo(False, initial_policy_set=[TEST_POLICY_6]), |
| 628 ], |
| 629 |
| 630 '4.10.9': [ # Valid Policy Mapping Test9 |
| 631 # Procedure: Validate Valid Policy Mapping Test9 EE using the default |
| 632 # settings or open and verify Signed Test Message 6.2.2.102 using the |
| 633 # default settings. |
| 634 # |
| 635 # Expected Result: The authorities-constrained-policy-set will be |
| 636 # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if |
| 637 # the application can process the policyConstraints extension). If the |
| 638 # initial-policy-set is any-policy or otherwise includes |
| 639 # NIST-test-policy-1, then the user-constrained-policy-set will be |
| 640 # {NIST-test-policy-1}. If not, the user-constrained-policy-set will be |
| 641 # empty. If the initial-policy-set does not include NIST-test-policy-1 (and |
| 642 # the application can process the policyConstraints extension), then the |
| 643 # path should be rejected, otherwise it should validate successfully. |
| 644 TestInfo(True), |
| 645 ], |
| 646 |
| 647 '4.10.10': [ # Invalid Policy Mapping Test10 |
| 648 # Procedure: Validate Invalid Policy Mapping Test10 EE using the default |
| 649 # settings or open and verify Signed Test Message 6.2.2.103 using the |
| 650 # default settings. |
| 651 # |
| 652 # Expected Result: The authorities-constrained-policy-set and the |
| 653 # user-constrained-policy-set will be empty and the |
| 654 # explicit-policy-indicator will be set (if the application can process the |
| 655 # policyConstraints extension). If the application can process the |
| 656 # policyConstraints extension, then the path should be rejected, otherwise |
| 657 # it should validate successfully. |
| 658 TestInfo(False), |
| 659 ], |
| 660 |
| 661 '4.10.11': [ # Valid Policy Mapping Test11 |
| 662 # Procedure: Validate Valid Policy Mapping Test11 EE using the default |
| 663 # settings or open and verify Signed Test Message 6.2.2.104 using the |
| 664 # default settings. |
| 665 # |
| 666 # Expected Result: The authorities-constrained-policy-set will be |
| 667 # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if |
| 668 # the application can process the policyConstraints extension). If the |
| 669 # initial-policy-set is any-policy or otherwise includes |
| 670 # NIST-test-policy-1, then the user-constrained-policy-set will be |
| 671 # {NIST-test-policy-1}. If not, the user-constrained-policy-set will be |
| 672 # empty. If the initial-policy-set does not include NIST-test-policy-1 (and |
| 673 # the application can process the policyConstraints extension), then the |
| 674 # path should be rejected, otherwise it should validate successfully. |
| 675 TestInfo(True), |
| 676 ], |
| 677 |
| 678 '4.10.12': [ # Valid Policy Mapping Test12 |
| 679 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. |
| 680 # The path should validate successfully and the application should display |
| 681 # the user notice associated with NIST-test-policy-3 in the end entity |
| 682 # certificate. |
| 683 TestInfo(True, initial_policy_set=[TEST_POLICY_1]), |
| 684 |
| 685 # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}. |
| 686 # The path should validate successfully and the application should display |
| 687 # the user notice associated with anyPolicy in the end entity certificate. |
| 688 TestInfo(True, initial_policy_set=[TEST_POLICY_2]), |
| 689 ], |
| 690 |
| 691 '4.10.13': [ # Valid Policy Mapping Test13 |
| 692 # Procedure: Validate Valid Policy Mapping Test13 EE using the default |
| 693 # settings or open and verify Signed Test Message 6.2.2.106 using the |
| 694 # default settings. |
| 695 # |
| 696 # Expected Result: The authorities-constrained-policy-set will be |
| 697 # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if |
| 698 # the application can process the policyConstraints extension). If the |
| 699 # initial-policy-set is any-policy or otherwise includes |
| 700 # NIST-test-policy-1, then the user-constrained-policy-set will be |
| 701 # {NIST-test-policy-1}. If not, the user-constrained-policy-set will be |
| 702 # empty. If the initial-policy-set does not include NIST-test-policy-1 (and |
| 703 # the application can process the policyConstraints extension), then the |
| 704 # path should be rejected, otherwise it should validate successfully. If |
| 705 # the path is accepted, the application should display the user notice |
| 706 # associated with NIST-testpolicy-1 in the intermediate certificate. |
| 707 TestInfo(True), |
| 708 ], |
| 709 |
| 710 '4.10.14': [ # Valid Policy Mapping Test14 |
| 711 # Procedure: Validate Valid Policy Mapping Test14 EE using the default |
| 712 # settings or open and verify Signed Test Message 6.2.2.107 using the |
| 713 # default settings. |
| 714 # |
| 715 # Expected Result: The authorities-constrained-policy-set will be |
| 716 # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if |
| 717 # the application can process the policyConstraints extension). If the |
| 718 # initial-policy-set is any-policy or otherwise includes |
| 719 # NIST-test-policy-1, then the user-constrained-policy-set will be |
| 720 # {NIST-test-policy-1}. If not, the user-constrained-policy-set will be |
| 721 # empty. If the initial-policy-set does not include NIST-test-policy-1 (and |
| 722 # the application can process the policyConstraints extension), then the |
| 723 # path should be rejected, otherwise it should validate successfully. If |
| 724 # the path is accepted, the application should display the user notice |
| 725 # associated with anyPolicy in the intermediate certificate |
| 726 TestInfo(True), |
| 727 ], |
| 728 |
| 729 '4.11.1': [ # Invalid inhibitPolicyMapping Test1 |
| 730 # Procedure: Validate Invalid inhibitPolicyMapping Test1 EE using the |
| 731 # default settings or open and verify Signed Test Message 6.2.2.108 using |
| 732 # the default settings. |
| 733 # |
| 734 # Expected Result: The authorities-constrained-policy-set and the |
| 735 # user-constrained-policy-set will be empty. The explicit-policy-indicator |
| 736 # will be set. The path should not validate successfully. |
| 737 TestInfo(False), |
| 738 ], |
| 739 |
| 740 '4.11.2': [ # Valid inhibitPolicyMapping Test2 |
| 741 # Procedure: Validate Valid inhibitPolicyMapping Test2 EE using the default |
| 742 # settings or open and verify Signed Test Message 6.2.2.109 using the |
| 743 # default settings. |
| 744 # |
| 745 # Expected Result: The authorities-constrained-policy-set will be |
| 746 # {NIST-test-policy-1} and the explicit-policy-indicator will be set. If |
| 747 # the initial-policy-set is any-policy or otherwise includes |
| 748 # NIST-test-policy-1, then the path should validate successfully. |
| 749 TestInfo(True), |
| 750 ], |
| 751 |
| 752 '4.11.3': [ # Invalid inhibitPolicyMapping Test3 |
| 753 # Procedure: Validate Invalid inhibitPolicyMapping Test3 EE using the |
| 754 # default settings or open and verify Signed Test Message 6.2.2.110 using |
| 755 # the default settings. |
| 756 # |
| 757 # Expected Result: The authorities-constrained-policy-set and the |
| 758 # user-constrained-policy-set will be empty and the |
| 759 # explicit-policy-indicator will be set. The path should not validate |
| 760 # successfully. |
| 761 TestInfo(False), |
| 762 ], |
| 763 |
| 764 '4.11.4': [ # Valid inhibitPolicyMapping Test4 |
| 765 # Procedure: Validate Valid inhibitPolicyMapping Test4 EE using the default |
| 766 # settings or open and verify Signed Test Message 6.2.2.111 using the |
| 767 # default settings. |
| 768 # |
| 769 # Expected Result: The authorities-constrained-policy-set will be |
| 770 # {NIST-test-policy-2} and the explicit-policy-indicator will be set. If |
| 771 # the initial-policy-set is any-policy or otherwise includes |
| 772 # NIST-test-policy-2, then the path should validate successfully. |
| 773 TestInfo(True), |
| 774 ], |
| 775 |
| 776 '4.11.5': [ # Invalid inhibitPolicyMapping Test5 |
| 777 # Procedure: Validate Invalid inhibitPolicyMapping Test5 EE using the |
| 778 # default settings or open and verify Signed Test Message 6.2.2.112 using |
| 779 # the default settings. |
| 780 # |
| 781 # Expected Result: The authorities-constrained-policy-set and the |
| 782 # user-constrained-policy-set will be empty and the |
| 783 # explicit-policy-indicator will be set. The path should not validate |
| 784 # successfully. |
| 785 TestInfo(False), |
| 786 ], |
| 787 |
| 788 '4.11.6': [ # Invalid inhibitPolicyMapping Test6 |
| 789 # Procedure: Validate Invalid inhibitPolicyMapping Test6 EE using the |
| 790 # default settings or open and verify Signed Test Message 6.2.2.113 using |
| 791 # the default settings. |
| 792 # |
| 793 # Expected Result: The authorities-constrained-policy-set and the |
| 794 # user-constrained-policy-set will be empty and the |
| 795 # explicit-policy-indicator will be set. The path should not validate |
| 796 # successfully. |
| 797 TestInfo(False), |
| 798 ], |
| 799 |
| 800 '4.11.7': [ # Valid Self-Issued inhibitPolicyMapping Test7 |
| 801 # Procedure: Validate Valid Self-Issued inhibitPolicyMapping Test7 EE using |
| 802 # the default settings or open and verify Signed Test Message 6.2.2.114 |
| 803 # using the default settings. |
| 804 # |
| 805 # Expected Result: The authorities-constrained-policy-set will be |
| 806 # {NIST-test-policy-1} and the explicit-policy-indicator will be set. If |
| 807 # the initial-policy-set is any-policy or otherwise includes |
| 808 # NIST-test-policy-1, then the path should validate successfully. |
| 809 TestInfo(True), |
| 810 ], |
| 811 |
| 812 '4.11.8': [ # Invalid Self-Issued inhibitPolicyMapping Test8 |
| 813 # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test8 EE |
| 814 # using the default settings or open and verify Signed Test Message |
| 815 # 6.2.2.115 using the default settings. |
| 816 # |
| 817 # Expected Result: The authorities-constrained-policy-set and |
| 818 # user-constrained-policy-set will be empty and the |
| 819 # explicit-policy-indicator will be set. The path should not validate |
| 820 # successfully. |
| 821 TestInfo(False), |
| 822 ], |
| 823 |
| 824 '4.11.9': [ # Invalid Self-Issued inhibitPolicyMapping Test9 |
| 825 # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test9 EE |
| 826 # using the default settings or open and verify Signed Test Message |
| 827 # 6.2.2.116 using the default settings. |
| 828 # |
| 829 # Expected Result: The authorities-constrained-policy-set and |
| 830 # user-constrained-policy-set will be empty and the |
| 831 # explicit-policy-indicator will be set. The path should not validate |
| 832 # successfully. |
| 833 TestInfo(False), |
| 834 ], |
| 835 |
| 836 '4.11.10': [ # Invalid Self-Issued inhibitPolicyMapping Test10 |
| 837 # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test10 EE |
| 838 # using the default settings or open and verify Signed Test Message |
| 839 # 6.2.2.117 using the default settings. |
| 840 # |
| 841 # Expected Result: The authorities-constrained-policy-set and |
| 842 # user-constrained-policy-set will be empty and the |
| 843 # explicit-policy-indicator will be set. The path should not validate |
| 844 # successfully. |
| 845 TestInfo(False), |
| 846 ], |
| 847 |
| 848 '4.11.11': [ # Invalid Self-Issued inhibitPolicyMapping Test11 |
| 849 # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test11 EE |
| 850 # using the default settings or open and verify Signed Test Message |
| 851 # 6.2.2.118 using the default settings. |
| 852 # |
| 853 # Expected Result: The authorities-constrained-policy-set and |
| 854 # user-constrained-policy-set will be empty and the |
| 855 # explicit-policy-indicator will be set. The path should not validate |
| 856 # successfully. |
| 857 TestInfo(False), |
| 858 ], |
| 859 |
| 860 '4.12.1': [ # Invalid inhibitAnyPolicy Test1 |
| 861 # Procedure: Validate Invalid inhibitAnyPolicy Test1 EE using the default |
| 862 # settings or open and verify Signed Test Message 6.2.2.119 using the |
| 863 # default settings. |
| 864 # |
| 865 # Expected Result: The authorities-constrained-policy-set and |
| 866 # user-constrained-policy-set will be empty and the |
| 867 # explicit-policy-indicator will be set (if the application can process the |
| 868 # policyConstraints extension). If the application can process the |
| 869 # policyConstraints extension, then the path should not validate |
| 870 # successfully. |
| 871 TestInfo(False), |
| 872 ], |
| 873 |
| 874 '4.12.2': [ # Valid inhibitAnyPolicy Test2 |
| 875 # Procedure: Validate Valid inhibitAnyPolicy Test2 EE using the default |
| 876 # settings or open and verify Signed Test Message 6.2.2.120 using the |
| 877 # default settings. |
| 878 # |
| 879 # Expected Result: The authorities-constrained-policy-set will be |
| 880 # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if |
| 881 # the application can process the policyConstraints extension). If the |
| 882 # initial-policy-set is any-policy or otherwise includes |
| 883 # NIST-test-policy-1, then the user-constrained-policy-set will be |
| 884 # {NIST-test-policy-1} and the path should validate successfully. If not, |
| 885 # then the user-constrained-policy-set will be empty. If the |
| 886 # user-constrained-policy-set is empty and the application can process the |
| 887 # policyConstraints extension, then the path should not validate |
| 888 # successfully. |
| 889 |
| 890 TestInfo(True), |
| 891 ], |
| 892 |
| 893 '4.12.3': [ # inhibitAnyPolicy Test3 |
| 894 # 1. default settings. The path should validate successfully. |
| 895 TestInfo(True), |
| 896 |
| 897 # 2. default settings, but with initial-inhibit-any-policy set. The path |
| 898 # should not validate successfully. |
| 899 TestInfo(False, initial_inhibit_any_policy=True), |
| 900 ], |
| 901 |
| 902 '4.12.4': [ # Invalid inhibitAnyPolicy Test4 |
| 903 # Procedure: Validate Invalid inhibitAnyPolicy Test4 EE using the default |
| 904 # settings or open and verify Signed Test Message 6.2.2.122 using the |
| 905 # default settings. |
| 906 # |
| 907 # Expected Result: The authorities-constrained-policy-set and |
| 908 # user-constrained-policy-set will be empty and the |
| 909 # explicit-policy-indicator will be set (if the application can process the |
| 910 # policyConstraints extension). If the application can process the |
| 911 # policyConstraints extension, then the path should not validate |
| 912 # successfully. |
| 913 TestInfo(False), |
| 914 ], |
| 915 |
| 916 '4.12.5': [ # Invalid inhibitAnyPolicy Test5 |
| 917 # Procedure: Validate Invalid inhibitAnyPolicy Test5 EE using the default |
| 918 # settings or open and verify Signed Test Message 6.2.2.123 using the |
| 919 # default settings. |
| 920 # |
| 921 # Expected Result: The authorities-constrained-policy-set and |
| 922 # user-constrained-policy-set will be empty and the |
| 923 # explicit-policy-indicator will be set (if the application can process the |
| 924 # policyConstraints extension). If the application can process the |
| 925 # policyConstraints extension, then the path should not validate |
| 926 # successfully. |
| 927 TestInfo(False), |
| 928 ], |
| 929 |
| 930 '4.12.6': [ # Invalid inhibitAnyPolicy Test6 |
| 931 # Procedure: Validate Invalid inhibitAnyPolicy Test6 EE using the default |
| 932 # settings or open and verify Signed Test Message 6.2.2.124 using the |
| 933 # default settings. |
| 934 # |
| 935 # Expected Result: The authorities-constrained-policy-set and |
| 936 # user-constrained-policy-set will be empty and the |
| 937 # explicit-policy-indicator will be set (if the application can process the |
| 938 # policyConstraints extension). If the application can process the |
| 939 # policyConstraints extension, then the path should not validate |
| 940 # successfully. |
| 941 TestInfo(False), |
| 942 ], |
| 943 |
| 944 '4.12.7': [ # Valid Self-Issued inhibitAnyPolicy Test7 |
| 945 # Procedure: Validate Valid Self-Issued inhibitAnyPolicy Test7 EE using the |
| 946 # default settings or open and verify Signed Test Message 6.2.2.125 using |
| 947 # the default settings. |
| 948 # |
| 949 # Expected Result: The authorities-constrained-policy-set will be |
| 950 # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if |
| 951 # the application can process the policyConstraints extension). If the |
| 952 # initial-policy-set is any-policy or otherwise includes |
| 953 # NIST-test-policy-1, then the user-constrained-policy-set will be |
| 954 # {NIST-test-policy-1} and the path should validate successfully. If not, |
| 955 # then the user-constrained-policy-set will be empty. If the |
| 956 # user-constrained-policy-set is empty and the application can process the |
| 957 # policyConstraints extension, then the path should not validate |
| 958 # successfully. |
| 959 TestInfo(True), |
| 960 ], |
| 961 |
| 962 '4.12.8': [ # Invalid Self-Issued inhibitAnyPolicy Test8 |
| 963 # Procedure: Validate Invalid Self-Issued inhibitAnyPolicy Test8 EE using |
| 964 # the default settings or open and verify Signed Test Message 6.2.2.126 |
| 965 # using the default settings. |
| 966 # |
| 967 # Expected Result: The authorities-constrained-policy-set and |
| 968 # user-constrained-policy-set will be empty and the |
| 969 # explicit-policy-indicator will be set (if the application can process the |
| 970 # policyConstraints extension). If the application can process the |
| 971 # policyConstraints extension, then the path should not validate |
| 972 # successfully. |
| 973 TestInfo(False), |
| 974 ], |
| 975 |
| 976 '4.12.9': [ # Valid Self-Issued inhibitAnyPolicy Test9 |
| 977 # Procedure: Validate Valid Self-Issued inhibitAnyPolicy Test9 EE using the |
| 978 # default settings or open and verify Signed Test Message 6.2.2.127 using |
| 979 # the default settings. |
| 980 # |
| 981 # Expected Result: The authorities-constrained-policy-set will be |
| 982 # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if |
| 983 # the application can process the policyConstraints extension). If the |
| 984 # initial-policy-set is any-policy or otherwise includes |
| 985 # NIST-test-policy-1, then the user-constrained-policy-set will be |
| 986 # {NIST-test-policy-1} and the path should validate successfully. If not, |
| 987 # then the user-constrained-policy-set will be empty. If the |
| 988 # user-constrained-policy-set is empty and the application can process the |
| 989 # policyConstraints extension, then the path should not validate |
| 990 # successfully. |
| 991 TestInfo(True), |
| 992 ], |
| 993 |
| 994 '4.12.10': [ # Invalid Self-Issued inhibitAnyPolicy Test10 |
| 995 # Procedure: Validate Invalid Self-Issued inhibitAnyPolicy Test10 EE using |
| 996 # the default settings or open and verify Signed Test Message 6.2.2.128 |
| 997 # using the default settings. |
| 998 # |
| 999 # Expected Result: The authorities-constrained-policy-set and |
| 1000 # user-constrained-policy-set will be empty and the |
| 1001 # explicit-policy-indicator will be set (if the application can process the |
| 1002 # policyConstraints extension). If the application can process the |
| 1003 # policyConstraints extension, then the path should not validate |
| 1004 # successfully. |
| 1005 TestInfo(False), |
| 1006 ], |
| 1007 } |
| 1008 |
| 1009 |
| 1010 def parse_test(lines, i, test_case_name, test_number, test_name, |
| 1011 sanitized_test_names, output): |
| 1012 # Start by doing a coarse level of parsing that separates out the lines for |
| 1013 # the main sections. |
| 1014 i, test_sections = parse_main_test_sections(lines, i) |
| 1015 |
| 1016 certs, crls = parse_cert_path_lines(test_sections.cert_path_lines) |
| 1017 |
| 1018 # Most tests have a formulaic specification: they use the default |
| 1019 # settings, and have one expectation. These are easily parsed and are handled |
| 1020 # programmatically. In contrast, many of the policies tests have a more |
| 1021 # complicated specification which involves multiple subtests having various |
| 1022 # settings, as well as expectations described in terms of supported |
| 1023 # extensions. Rather than try to handle all the nuanced language, these are |
| 1024 # handled manually via "overrides". |
| 1025 overrides = TEST_OVERRIDES.get(test_number, None) |
| 1026 |
| 1027 if overrides is None: |
| 1028 # Verify that the test description doesn't include numbered subparts (those |
| 1029 # are not handled here). |
| 1030 if CUSTOM_SETTINGS_MATCHER.match(" ".join(test_sections.description_lines)): |
| 1031 sys.stderr.write('Unexpected custom settings for %s\n' % test_number) |
| 1032 sys.exit(1) |
| 1033 |
| 1034 # Verify that the test is using only default settings. |
| 1035 if not USING_DEFAULT_SETTINGS_MATCHER.match( |
| 1036 " ".join(test_sections.procedure_lines)): |
| 1037 sys.stderr.write('Unexpected procedure for %s: %s\n' % |
| 1038 (test_number, " ".join(test_section.procedure_lines))) |
| 1039 sys.exit(1) |
| 1040 |
| 1041 # Check whether expected result is validation success or failure. |
| 1042 result_match = TEST_RESULT_MATCHER.match( |
| 1043 test_sections.expected_result_lines[0]) |
| 1044 if not result_match: |
| 1045 sys.stderr.write('Unknown expectation for %s:\n%s\n' % ( |
| 1046 test_number, " ".join(test_sections.expected_result_lines))) |
| 1047 sys.exit(1) |
| 1048 # Initializes with default settings. |
| 1049 info = TestInfo(result_match.group(1) == 'should validate') |
| 1050 |
| 1051 output_test(test_case_name, test_number, test_name, None, info, certs, |
| 1052 crls, sanitized_test_names, output) |
| 1053 else: |
| 1054 # The overrides may have a series of inputs (settings) and outputs |
| 1055 # (success/failure) for this test. Output each as a separate test case. |
| 1056 for subpart_i in range(len(overrides)): |
| 1057 info = overrides[subpart_i] |
| 1058 # If the test has only 1 subpart, don't number it. |
| 1059 subpart_number = subpart_i + 1 if len(overrides) > 1 else None |
| 1060 output_test(test_case_name, test_number, test_name, subpart_number, info, |
| 1061 certs, crls, sanitized_test_names, output) |
| 1062 |
| 1063 return i |
124 | 1064 |
125 | 1065 |
126 def main(): | 1066 def main(): |
127 pkits_pdf_path, output_path = sys.argv[1:] | 1067 pkits_pdf_path, output_path = sys.argv[1:] |
128 | 1068 |
129 pkits_txt_file = tempfile.NamedTemporaryFile() | 1069 pkits_txt_file = tempfile.NamedTemporaryFile() |
130 | 1070 |
131 subprocess.check_call(['pdftotext', '-layout', '-nopgbrk', '-eol', 'unix', | 1071 subprocess.check_call(['pdftotext', '-layout', '-nopgbrk', '-eol', 'unix', |
132 pkits_pdf_path, pkits_txt_file.name]) | 1072 pkits_pdf_path, pkits_txt_file.name]) |
133 | 1073 |
(...skipping 23 matching lines...) Expand all Loading... |
157 while i < len(lines): | 1097 while i < len(lines): |
158 section_match = SECTION_MATCHER.match(lines[i]) | 1098 section_match = SECTION_MATCHER.match(lines[i]) |
159 match = TEST_MATCHER.match(lines[i]) | 1099 match = TEST_MATCHER.match(lines[i]) |
160 i += 1 | 1100 i += 1 |
161 | 1101 |
162 if section_match: | 1102 if section_match: |
163 if test_case_name: | 1103 if test_case_name: |
164 finalize_test_case(test_case_name, sanitized_test_names, output) | 1104 finalize_test_case(test_case_name, sanitized_test_names, output) |
165 sanitized_test_names = [] | 1105 sanitized_test_names = [] |
166 | 1106 |
167 # TODO(mattm): Handle certificate policies tests. | |
168 if section_match.group(1) in ('4.8', '4.9', '4.10', '4.11', '4.12'): | |
169 test_case_name = None | |
170 output.write('\n// Skipping section %s\n' % section_match.group(1)) | |
171 continue | |
172 | |
173 test_case_name = 'PkitsTest%02d%s' % ( | 1107 test_case_name = 'PkitsTest%02d%s' % ( |
174 int(section_match.group(1).split('.')[-1]), | 1108 int(section_match.group(1).split('.')[-1]), |
175 sanitize_name(section_match.group(2))) | 1109 sanitize_name(section_match.group(2))) |
176 output.write('\ntemplate <typename PkitsTestDelegate>\n') | 1110 output.write('\ntemplate <typename PkitsTestDelegate>\n') |
177 output.write('class %s : public PkitsTest<PkitsTestDelegate> {};\n' % test
_case_name) | 1111 output.write('class %s : public PkitsTest<PkitsTestDelegate> {};\n' % |
| 1112 test_case_name) |
178 output.write('TYPED_TEST_CASE_P(%s);\n' % test_case_name) | 1113 output.write('TYPED_TEST_CASE_P(%s);\n' % test_case_name) |
179 | 1114 |
180 if match: | 1115 if match: |
181 test_number = match.group(1) | 1116 test_number = match.group(1) |
182 test_name = match.group(2) | 1117 test_name = match.group(2) |
183 if not test_case_name: | 1118 if not test_case_name: |
184 output.write('// Skipped %s %s\n' % (test_number, test_name)) | 1119 output.write('// Skipped %s %s\n' % (test_number, test_name)) |
185 continue | 1120 continue |
186 i, sanitized_test_name = parse_test(lines, i, test_case_name, test_number, | 1121 i, parse_test(lines, i, test_case_name, test_number, |
187 test_name, output) | 1122 test_name, sanitized_test_names, output) |
188 if sanitized_test_name: | |
189 sanitized_test_names.append(sanitized_test_name) | |
190 | 1123 |
191 if test_case_name: | 1124 if test_case_name: |
192 finalize_test_case(test_case_name, sanitized_test_names, output) | 1125 finalize_test_case(test_case_name, sanitized_test_names, output) |
193 | 1126 |
194 | 1127 |
195 if __name__ == '__main__': | 1128 if __name__ == '__main__': |
196 main() | 1129 main() |
OLD | NEW |