Add generated PKITS tests relating to certificate policies.

net/third_party/nist-pkits/generate_tests.py

 # Copyright 2016 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 '''Generates a test suite from NIST PKITS test descriptions.
 
 The output is a set of Type Parameterized Tests which are included by
 pkits_unittest.h. See pkits_unittest.h for information on using the tests.
 GoogleTest has a limit of 50 tests per type parameterized testcase, so the tests
 are split up by section number (this also makes it possible to easily skip
@@ skipping 14 matching lines @@
   return s.translate(None, ' -')
 
 
 def finalize_test_case(test_case_name, sanitized_test_names, output):
   output.write('\nWRAPPED_REGISTER_TYPED_TEST_CASE_P(%s' % test_case_name)
   for name in sanitized_test_names:
     output.write(',\n    %s' % name)
   output.write(');\n')
 
 
-def generate_test(test_case_name, test_number, raw_test_name, certs, crls, should_validate,
-                     output):
+def bool_to_str(b):
+  return "true" if b else "false"
+
+
+def output_test(test_case_name, test_number, raw_test_name, subpart_number,
+                info, certs, crls, sanitized_test_names, output):
+  '''Writes a test case to |output|, and appends the test name to
+  |sanitized_test_names|.'''
   sanitized_test_name = 'Section%s%s' % (test_number.split('.')[1],
                                          sanitize_name(raw_test_name))
+
+  if subpart_number is not None:
+    sanitized_test_name += "Subpart%d" % (subpart_number)
+
+  sanitized_test_names.append(sanitized_test_name)
+
   certs_formatted = ', '.join('"%s"' % n for n in certs)
   crls_formatted = ', '.join('"%s"' % n for n in crls)
-  assert_function = 'ASSERT_TRUE' if should_validate else 'ASSERT_FALSE'
+  assert_function = 'ASSERT_TRUE' if info.should_validate else 'ASSERT_FALSE'
+
   output.write('''
 // %(test_number)s %(raw_test_name)s
 WRAPPED_TYPED_TEST_P(%(test_case_name)s, %(sanitized_test_name)s) {
   const char* const certs[] = {
     %(certs_formatted)s
   };
   const char* const crls[] = {
     %(crls_formatted)s
   };
-  %(assert_function)s(this->Verify(certs, crls));
+''' % vars())
+
+  default_settings = TestInfo(False)
+
+  settings_str = ''
+
+  # Output any non-default settings. Only settings that differ from
+  # the default settings are written, so as to keep the generated
+  # file more readable.
+  if info.initial_policy_set != default_settings.initial_policy_set:
+    settings_str += '''  settings.SetInitialPolicySet("%s");
+''' % (','.join(info.initial_policy_set))
+
+  if info.initial_explicit_policy != default_settings.initial_explicit_policy:
+    settings_str += '''  settings.initial_explicit_policy = %s;
+''' % bool_to_str(info.initial_explicit_policy)
+
+  if (info.initial_policy_mapping_inhibit !=
+          default_settings.initial_policy_mapping_inhibit):
+    settings_str += '''  settings.initial_policy_mapping_inhibit = %s;
+''' % bool_to_str(info.initial_policy_mapping_inhibit)
+
+  if (info.initial_inhibit_any_policy !=
+          default_settings.initial_inhibit_any_policy):
+    settings_str += '''settings.initial_inhibit_any_policy = %s;
+''' % bool_to_str(info.initial_inhibit_any_policy)
+
+  settings_param_str = '{}'
+
+  if settings_str != '':
+    output.write('''
+  // Custom settings
+  PkitsTestSettings settings;
+''')
+    output.write(settings_str)
+    output.write('\n')
+    settings_param_str = 'settings'
+
+  output.write('''  %(assert_function)s(this->Verify(certs, crls, %(settings_param_str)s));
 }
 ''' % vars())
 
-  return sanitized_test_name
-
 
 # Matches a section header, ex: "4.1 Signature Verification"
 SECTION_MATCHER = re.compile('^\s*(\d+\.\d+)\s+(.+)\s*$')
 # Matches a test header, ex: "4.1.1 Valid Signatures Test1"
 TEST_MATCHER = re.compile('^\s*(\d+\.\d+.\d+)\s+(.+)\s*$')
+
+# Matches the various headers in a test specification.
+EXPECTED_HEADER_MATCHER = re.compile('^\s*Expected Result:')
+PROCEDURE_HEADER_MATCHER = re.compile('^\s*Procedure:')
+PATH_HEADER_MATCHER = re.compile('^\s*Certification Path:')
+
+# Matches the Procedure text if using default settings.
+USING_DEFAULT_SETTINGS_MATCHER = re.compile(
+    '^.*using the \s*default settings.*')
+
+# Matches the description text if using custom settings.
+CUSTOM_SETTINGS_MATCHER = re.compile(
+    '.*this\s+test\s+be\s+validated\s+using\s+the\s+following\s+inputs:.*')
+
 # Match an expected test result. Note that some results in the PDF have a typo
 # "path not should validate" instead of "path should not validate".
 TEST_RESULT_MATCHER = re.compile(
-    '^\s*Expected Result:.*path (should validate|'
-    'should not validate|not should validate)')
-PATH_HEADER_MATCHER = re.compile('^\s*Certification Path:')
-# Matches a line in the certification path, ex: "\u2022 Good CA Cert, Good CA CRL"
+    '^.*path (should validate|should not validate|not should validate)')
+
+# Matches a line in the certification path, ex:
+#    "\u2022 Good CA Cert, Good CA CRL"
 PATH_MATCHER = re.compile('^\s*\xe2\x80\xa2\s*(.+)\s*$')
 # Matches a page number. These may appear in the middle of multi-line fields and
 # thus need to be ignored.
 PAGE_NUMBER_MATCHER = re.compile('^\s*\d+\s*$')
 # Matches if an entry in a certification path refers to a CRL, ex:
 # "onlySomeReasons CA2 CRL1".
 CRL_MATCHER = re.compile('^.*CRL\d*$')
-def parse_test(lines, i, test_case_name, test_number, test_name, output):
-  expected_result = None
+
+
+class TestSections(object):
+  def __init__(self):
+    self.description_lines = []
+    self.procedure_lines = []
+    self.expected_result_lines = []
+    self.cert_path_lines = []
+
+
+def parse_main_test_sections(lines, i):
+  result = TestSections()
+
+  # Read the description lines (text after test name up until
+  # "Procedure:").
+  result.description_lines = []
+  while i < len(lines):
+    if PROCEDURE_HEADER_MATCHER.match(lines[i]):
+      break
+    result.description_lines.append(lines[i])
+    i += 1
+
+  # Read the procedure lines (text starting at "Procedure:" and up until
+  # "Expected Result:".
+  result.procedure_lines = []
+  while i < len(lines):
+    if EXPECTED_HEADER_MATCHER.match(lines[i]):
+      break
+    result.procedure_lines.append(lines[i])
+    i += 1
+
+  # Read the expected result lines (text starting at "Expected Result:" and up
+  # until "Certification Path:".
+  result.expected_result_lines = []
+  while i < len(lines):
+    if PATH_HEADER_MATCHER.match(lines[i]):
+      break
+    result.expected_result_lines.append(lines[i])
+    i += 1
+
+  # Read the certification path lines (text starting at "Certification Path:"
+  # and up until the next test title.
+  result.cert_path_lines = []
+  while i < len(lines):
+    if TEST_MATCHER.match(lines[i]) or SECTION_MATCHER.match(lines[i]):
+      break
+    result.cert_path_lines.append(lines[i])
+    i += 1
+
+  return i, result 
+
+
+def parse_cert_path_lines(lines):
+  path_lines = []
+  crls = []
   certs = []
-  crls = []
 
-  while i < len(lines):
-    result_match = TEST_RESULT_MATCHER.match(lines[i])
-    i += 1
-    if result_match:
-      expected_result = result_match.group(1) == 'should validate'
-      break
+  for line in lines[1:]:
+    line = line.strip()
 
-  while i < len(lines):
-    path_match = PATH_HEADER_MATCHER.match(lines[i])
-    i += 1
-    if path_match:
-      break
+    if "is composed of the following objects:" in line:
+      continue
 
-  path_lines = []
-  while i < len(lines):
-    line = lines[i].strip()
-    if TEST_MATCHER.match(line) or SECTION_MATCHER.match(line):
-      break
-    i += 1
     if not line or PAGE_NUMBER_MATCHER.match(line):
       continue
     path_match = PATH_MATCHER.match(line)
     if path_match:
       path_lines.append(path_match.group(1))
       continue
     # Continuation of previous path line.
     path_lines[-1] += ' ' + line
 
   for path_line in path_lines:
     for path in path_line.split(','):
       path = sanitize_name(path.strip())
       if CRL_MATCHER.match(path):
         crls.append(path)
       else:
         certs.append(path)
 
-  assert certs
-  assert crls
-  assert expected_result is not None
-  sanitized_test_name = generate_test(test_case_name, test_number, test_name,
-                                      certs, crls, expected_result, output)
-
-  return i, sanitized_test_name
+  return certs, crls
+
+
+ANY_POLICY = 'anyPolicy'
+TEST_POLICY_1 = 'NIST-test-policy-1'
+TEST_POLICY_2 = 'NIST-test-policy-2'
+TEST_POLICY_3 = 'NIST-test-policy-3'
+TEST_POLICY_6 = 'NIST-test-policy-6'
+
+# TODO(eroman): This omits a few outputs from PKITS:
+#
+#  * authorities-constrained-policy-set
+#  * user-constrained-policy-set
+#  * explicit-policy-indicator
+#
+#  Consider adding the constrained policy sets in the future, if our
+#  verification code supports outputting them.
+class TestInfo(object):
+  """This structure describes a test inputs and outputs"""
+
+  def __init__(self, should_validate,
+               # These defaults come from section 3 of PKITS.pdf
+               initial_policy_set = [ANY_POLICY],
+               initial_explicit_policy = False,
+               initial_policy_mapping_inhibit = False,
+               initial_inhibit_any_policy = False):
+    self.should_validate = should_validate
+    self.initial_policy_set = initial_policy_set
+    self.initial_explicit_policy = initial_explicit_policy
+    self.initial_policy_mapping_inhibit = initial_policy_mapping_inhibit
+    self.initial_inhibit_any_policy = initial_inhibit_any_policy
+
+
+TEST_OVERRIDES = {
+  '4.8.1': [ # All Certificates Same Policy Test1
+    # 1. default settings, but with initial-explicit-policy set. The path
+    # should validate successfully
+    TestInfo(True, initial_explicit_policy=True),
+
+    # 2. default settings, but with initial-explicit-policy set and
+    # initial-policy-set = {NIST-test-policy-1}. The path should validate
+    # successfully. 
+    TestInfo(True, initial_explicit_policy=True,
+             initial_policy_set=[TEST_POLICY_1]),
+
+    # 3. default settings, but with initial-explicit-policy set and
+    # initial-policy-set = {NIST-test-policy-2}. The path should not validate
+    # successfully. 
+    TestInfo(False, initial_explicit_policy=True,
+             initial_policy_set=[TEST_POLICY_2]),
+
+    # 4. default settings, but with initial-explicit-policy set and
+    # initial-policy-set = {NIST-test-policy-1, NIST-test-policy-2}. The path
+    # should validate successfully. 
+    TestInfo(True, initial_explicit_policy=True,
+             initial_policy_set=[TEST_POLICY_1, TEST_POLICY_2]),
+  ],
+
+  '4.8.2': [ # All Certificates No Policies Test2
+    # 1. default settings. The path should validate successfully.
+    TestInfo(True),
+
+    # 2. default settings, but with initial-explicit-policy set. The path
+    # should not validate successfully
+    TestInfo(False, initial_explicit_policy=True),
+  ],
+
+  '4.8.3': [ # Different Policies Test3
+    # 1. default settings. The path should validate successfully.
+    TestInfo(True),
+
+    # 2. default settings, but with initial-explicit-policy set. The path
+    # should not validate successfully.
+    TestInfo(False, initial_explicit_policy=True),
+
+    # 3. default settings, but with initial-explicit-policy set and
+    # initial-policy-set = {NIST-test-policy-1, NIST-test-policy-2}. The path
+    # should not validate successfully. 
+    TestInfo(False, initial_explicit_policy=True,
+             initial_policy_set=[TEST_POLICY_1, TEST_POLICY_2]),
+  ],
+
+  '4.8.4': [ # Different Policies Test4 
+    # Procedure: Validate Different Policies Test4 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.69 using the
+    # default settings. 
+    #
+    # Expected Result: The authorities-constrained-policy-set and the
+    # user-constrained-policy-set will be empty. The explicit-policy-indicator
+    # will be set if the application can process the policyConstraints
+    # extension. If the application can process the policyConstraints extension
+    # then the path should not validate successfully. If the application can
+    # not process the policyConstraints extension, then the path should
+    # validate successfully.
+    TestInfo(False),
+  ],
+
+  '4.8.5': [ # 4.8.5 Different Policies Test5
+    # Procedure: Validate Different Policies Test5 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.70 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and the
+    # user-constrained-policy-set will be empty. The explicit-policy-indicator
+    # will be set if the application can process the policyConstraints
+    # extension. If the application can process the policyConstraints extension
+    # then the path should not validate successfully. If the application can
+    # not process the policyConstraints extension, then the path should
+    # validate successfully
+    TestInfo(False),
+  ],
+
+  '4.8.6': [ # Overlapping Policies Test6
+    # 1. default settings. The path should validate successfully.
+    TestInfo(True),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+
+    # 3. default settings, but with initial-policy-set = {NIST-test-policy-2}.
+    # The path should not validate successfully. 
+    TestInfo(False, initial_policy_set=[TEST_POLICY_2]),
+  ],
+
+  '4.8.7': [ # Different Policies Test7
+    # Procedure: Validate Different Policies Test7 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.72 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and the
+    # user-constrained-policy-set will be empty. If the
+    # explicit-policy-indicator will be set if the application can process the
+    # policyConstraints extension. If the application can process the
+    # policyConstraints extension, then the path should not validate
+    # successfully. If the application can not process the policyConstraints
+    # extension, then the path should validate successfully. 
+    TestInfo(False),
+  ],
+
+  '4.8.8': [ # Different Policies Test8 
+    # Procedure: Validate Different Policies Test8 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.73 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and the
+    # user-constrained-policy-set will be empty. The explicit-policy-indicator
+    # will be set if the application can process the policyConstraints
+    # extension. If the application can process the policyConstraints extension
+    # then the path should not validate successfully. If the application can
+    # not process the policyConstraints extension, then the path should
+    # validate successfully.
+    TestInfo(False),
+  ],
+
+  '4.8.9': [ # Different Policies Test9
+    # Procedure: Validate Different Policies Test9 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.74 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and the
+    # user-constrained-policy-set will be empty. The explicit-policy-indicator
+    # will be set if the application can process the policyConstraints
+    # extension. If the application can process the policyConstraints
+    # extension, then the path should not validate successfully. If the
+    # application can not process the policyConstraints extension, then the
+    # path should validate successfully. 
+    TestInfo(False),
+  ],
+
+  '4.8.10': [ # All Certificates Same Policies Test10
+    # 1. default settings. The path should validate successfully.
+    TestInfo(True),
+    
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+
+    # 3. default settings, but with initial-policy-set = {NIST-test-policy-2}.
+    # The path should validate successfully.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_2]),
+  ],
+
+  '4.8.11': [ # All Certificates AnyPolicy Test11
+    # 1. default settings. The path should validate successfully.
+    TestInfo(True),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully. 
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+  ],
+
+  '4.8.12': [ # Different Policies Test12
+    # Procedure: Validate Different Policies Test12 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.77 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and the
+    # user-constrained-policy-set will be empty. The explicit-policy-indicator
+    # will be set if the application can process the policyConstraints
+    # extension. If the application can process the policyConstraints
+    # extension, then the path should not validate successfully. If the
+    # application can not process the policyConstraints extension, then the
+    # path should validate successfully. 
+    TestInfo(False),
+  ],
+
+  '4.8.13': [ # All Certificates Same Policies Test13
+    # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}.
+    # The path should validate successfully.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_2]),
+
+    # 3. default settings, but with initial-policy-set = {NIST-test-policy-3}.
+    # The path should validate successfully. 
+    TestInfo(True, initial_policy_set=[TEST_POLICY_3]),
+  ],
+
+  '4.8.14': [ # AnyPolicy Test14
+    # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}.
+    # The path should not validate successfully. 
+    TestInfo(False, initial_policy_set=[TEST_POLICY_2]),
+  ],
+
+  '4.8.15': [ # User Notice Qualifier Test15
+    # Procedure: Validate User Notice Qualifier Test15 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.80 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set will be
+    # {NIST-test-policy-1} and the explicit-policy-indicator will be the same
+    # as the initial-explicit-policy indicator. If the initial-policy-set is
+    # any-policy or otherwise includes NIST-test-policy-1, then the
+    # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the
+    # user-constrained-policy-set will be empty. If the initial-explicit-policy
+    # indicator is set and the initial-policy-set does not include
+    # NIST-test-policy-1, then the path should be rejected, otherwise it should
+    # validate successfully. If the path validates successfully, then the
+    # application should display the user notice.
+    TestInfo(True),
+  ],
+
+  '4.8.16': [ # User Notice Qualifier Test16
+    # Procedure: Validate User Notice Qualifier Test16 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.81 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set will be
+    # {NIST-test-policy-1} and the explicit-policy-indicator will be the same
+    # as the initial-explicit-policy indicator. If the initial-policy-set is
+    # any-policy or otherwise includes NIST-test-policy-1, then the
+    # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the
+    # user-constrained-policy-set will be empty. If the initial-explicit-policy
+    # indicator is set and the initial-policy-set does not include
+    # NIST-test-policy-1, then the path should be rejected, otherwise it should
+    # validate successfully. If the path validates successfully, then the
+    # application should display the user notice associated with
+    # NIST-test-policy-1. The user notice associated with NIST-test-policy-2
+    # should not be displayed. 
+    TestInfo(True),
+  ],
+
+  '4.8.17': [ # User Notice Qualifier Test17
+    # Procedure: Validate User Notice Qualifier Test17 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.82 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set will be
+    # {NIST-test-policy-1} and the explicit-policy-indicator will be the same
+    # as the initial-explicit-policy indicator. If the initial-policy-set is
+    # any-policy or otherwise includes NIST-test-policy-1, then the
+    # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the
+    # user-constrained-policy-set will be empty. If the initial-explicit-policy
+    # indicator is set and the initial-policy-set does not include
+    # NIST-test-policy-1, then the path should be rejected, otherwise it should
+    # validate successfully. If the path validates successfully, then the
+    # application should display the user notice associated with anyPolicy. 
+    TestInfo(True),
+  ],
+
+  '4.8.18': [ # User Notice Qualifier Test18 
+    # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully and the qualifier associated with
+    # NIST-test-policy-1 in the end entity certificate should be displayed.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}.
+    # The path should validate successfully and the qualifier associated with
+    # anyPolicy in the end entity certificate should be displayed. 
+    TestInfo(True, initial_policy_set=[TEST_POLICY_2]),
+  ],
+
+  '4.8.19': [ # User Notice Qualifier Test19
+    # Procedure: Validate User Notice Qualifier Test19 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.84 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set will be
+    # {NIST-test-policy-1} and the explicit-policy-indicator will be the same
+    # as the initial-explicit-policy indicator. If the initial-policy-set is
+    # any-policy or otherwise includes NIST-test-policy-1, then the
+    # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the
+    # user-constrained-policy-set will be empty. If the initial-explicit-policy
+    # indicator is set and the initial-policy-set does not include
+    # NIST-test-policy-1, then the path should be rejected, otherwise it should
+    # validate successfully.  Since the explicitText exceeds the maximum size
+    # of 200 characters, the application may choose to reject the certificate.
+    # If the application accepts the certificate, display of the user notice is
+    # optional. 
+    TestInfo(True),
+  ],
+
+  '4.8.20': [ # CPS Pointer Qualifier Test20
+    # Procedure: Validate CPS Pointer Qualifier Test20 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.85 using the
+    # default settings. (If possible, it is recommended that this test be run
+    # with the initial-explicit-policy indicator set. If this can not be done,
+    # manually check that the authorities-constrained-policy-set and
+    # user-constrained-policy-set are correct.)
+    #
+    # Expected Result: The authorities-constrained-policy-set will be
+    # {NIST-test-policy-1} and the explicit-policy-indicator will be the same
+    # as the initial-explicit-policy indicator. If the initial-policy-set is
+    # any-policy or otherwise includes NIST-test-policy-1, then the
+    # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the
+    # user-constrained-policy-set will be empty. If the initial-explicit-policy
+    # indicator is set and the initial-policy-set does not include
+    # NIST-test-policy-1, then the path should be rejected, otherwise it should
+    # validate successfully. The CPS pointer in the qualifier should be
+    # associated with NIST-testpolicy-1 in the
+    # authorities-constrained-policy-set (and in the user-constrained-policy-set
+    # if NIST-test-policy-1 is in that set). There are no processing
+    # requirements associated with the CPS pointer qualifier. 
+    TestInfo(True, initial_explicit_policy=True,
+             initial_policy_set=[TEST_POLICY_1]),
+  ],
+
+  '4.10.1': [ # Valid Policy Mapping Test1
+    # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}.
+    # The path should not validate successfully. 
+    TestInfo(False, initial_policy_set=[TEST_POLICY_2]),
+
+    # 3. default settings, but with initial-policy-mapping-inhibit set. The
+    # path should not validate successfully.
+    TestInfo(False, initial_policy_mapping_inhibit=True),
+  ],
+
+  '4.10.2': [ # Invalid Policy Mapping Test2
+    # 1. default settings. The path should not validate successfully.
+    TestInfo(False),
+
+    # 2. default settings, but with initial-policy-mapping-inhibit set. The
+    # path should not validate successfully. 
+    TestInfo(False, initial_policy_mapping_inhibit=True),
+  ],
+
+  '4.10.3': [ # Valid Policy Mapping Test3
+    # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should not validate successfully.
+    TestInfo(False, initial_policy_set=[TEST_POLICY_1]),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}.
+    # The path should validate successfully. 
+    TestInfo(True, initial_policy_set=[TEST_POLICY_2]),
+  ],
+
+  '4.10.4': [ # Invalid Policy Mapping Test4
+    # Procedure: Validate Invalid Policy Mapping Test4 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.97 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and the
+    # user-constrained-policy-set will be empty and the
+    # explicit-policy-indicator will be set (if the application can process the
+    # policyConstraints extension). If the application can process the
+    # policyConstraints extension, then the path should be rejected, otherwise
+    # it should validate successfully. 
+    TestInfo(False),
+  ],
+
+  '4.10.5': [ # Valid Policy Mapping Test5
+    # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-6}.
+    # The path should not validate successfully. 
+    TestInfo(False, initial_policy_set=[TEST_POLICY_6]),
+  ],
+
+  '4.10.6': [ # Valid Policy Mapping Test6
+    # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-6}.
+    # The path should not validate successfully. 
+    TestInfo(False, initial_policy_set=[TEST_POLICY_6]),
+  ],
+
+  '4.10.9': [ # Valid Policy Mapping Test9
+    # Procedure: Validate Valid Policy Mapping Test9 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.102 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set will be
+    # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if
+    # the application can process the policyConstraints extension). If the
+    # initial-policy-set is any-policy or otherwise includes
+    # NIST-test-policy-1, then the user-constrained-policy-set will be
+    # {NIST-test-policy-1}. If not, the user-constrained-policy-set will be
+    # empty. If the initial-policy-set does not include NIST-test-policy-1 (and
+    # the application can process the policyConstraints extension), then the
+    # path should be rejected, otherwise it should validate successfully. 
+    TestInfo(True),
+  ],
+
+  '4.10.10': [ # Invalid Policy Mapping Test10
+    # Procedure: Validate Invalid Policy Mapping Test10 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.103 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and the
+    # user-constrained-policy-set will be empty and the
+    # explicit-policy-indicator will be set (if the application can process the
+    # policyConstraints extension). If the application can process the
+    # policyConstraints extension, then the path should be rejected, otherwise
+    # it should validate successfully.
+    TestInfo(False),
+  ],
+
+  '4.10.11': [ # Valid Policy Mapping Test11
+    # Procedure: Validate Valid Policy Mapping Test11 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.104 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set will be
+    # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if
+    # the application can process the policyConstraints extension). If the
+    # initial-policy-set is any-policy or otherwise includes
+    # NIST-test-policy-1, then the user-constrained-policy-set will be
+    # {NIST-test-policy-1}. If not, the user-constrained-policy-set will be
+    # empty. If the initial-policy-set does not include NIST-test-policy-1 (and
+    # the application can process the policyConstraints extension), then the
+    # path should be rejected, otherwise it should validate successfully. 
+    TestInfo(True),
+  ],
+
+  '4.10.12': [ # Valid Policy Mapping Test12
+    # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
+    # The path should validate successfully and the application should display
+    # the user notice associated with NIST-test-policy-3 in the end entity
+    # certificate.
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+
+    # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}.
+    # The path should validate successfully and the application should display
+    # the user notice associated with anyPolicy in the end entity certificate. 
+    TestInfo(True, initial_policy_set=[TEST_POLICY_2]),
+  ],
+
+  '4.10.13': [ # Valid Policy Mapping Test13
+    # Procedure: Validate Valid Policy Mapping Test13 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.106 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set will be
+    # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if
+    # the application can process the policyConstraints extension). If the
+    # initial-policy-set is any-policy or otherwise includes
+    # NIST-test-policy-1, then the user-constrained-policy-set will be
+    # {NIST-test-policy-1}. If not, the user-constrained-policy-set will be
+    # empty. If the initial-policy-set does not include NIST-test-policy-1 (and
+    # the application can process the policyConstraints extension), then the
+    # path should be rejected, otherwise it should validate successfully. If
+    # the path is accepted, the application should display the user notice
+    # associated with NIST-testpolicy-1 in the intermediate certificate. 
+    TestInfo(True),
+  ],
+
+  '4.10.14': [ # Valid Policy Mapping Test14
+    # Procedure: Validate Valid Policy Mapping Test14 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.107 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set will be
+    # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if
+    # the application can process the policyConstraints extension). If the
+    # initial-policy-set is any-policy or otherwise includes
+    # NIST-test-policy-1, then the user-constrained-policy-set will be
+    # {NIST-test-policy-1}. If not, the user-constrained-policy-set will be
+    # empty. If the initial-policy-set does not include NIST-test-policy-1 (and
+    # the application can process the policyConstraints extension), then the
+    # path should be rejected, otherwise it should validate successfully. If
+    # the path is accepted, the application should display the user notice
+    # associated with anyPolicy in the intermediate certificate
+    TestInfo(True),
+  ],
+
+  '4.11.1': [ # Invalid inhibitPolicyMapping Test1 
+    # Procedure: Validate Invalid inhibitPolicyMapping Test1 EE using the
+    # default settings or open and verify Signed Test Message 6.2.2.108 using
+    # the default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and the
+    # user-constrained-policy-set will be empty. The explicit-policy-indicator
+    # will be set.  The path should not validate successfully. 
+    TestInfo(False),
+  ],
+
+  '4.11.2': [ # Valid inhibitPolicyMapping Test2
+    # Procedure: Validate Valid inhibitPolicyMapping Test2 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.109 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set will be
+    # {NIST-test-policy-1} and the explicit-policy-indicator will be set. If
+    # the initial-policy-set is any-policy or otherwise includes
+    # NIST-test-policy-1, then the path should validate successfully. 
+    TestInfo(True),
+  ],
+
+  '4.11.3': [ # Invalid inhibitPolicyMapping Test3 
+    # Procedure: Validate Invalid inhibitPolicyMapping Test3 EE using the
+    # default settings or open and verify Signed Test Message 6.2.2.110 using
+    # the default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and the
+    # user-constrained-policy-set will be empty and the
+    # explicit-policy-indicator will be set.  The path should not validate
+    # successfully. 
+    TestInfo(False),
+  ],
+
+  '4.11.4': [ # Valid inhibitPolicyMapping Test4
+    # Procedure: Validate Valid inhibitPolicyMapping Test4 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.111 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set will be
+    # {NIST-test-policy-2} and the explicit-policy-indicator will be set. If
+    # the initial-policy-set is any-policy or otherwise includes
+    # NIST-test-policy-2, then the path should validate successfully. 
+    TestInfo(True),
+  ],
+
+  '4.11.5': [ # Invalid inhibitPolicyMapping Test5
+    # Procedure: Validate Invalid inhibitPolicyMapping Test5 EE using the
+    # default settings or open and verify Signed Test Message 6.2.2.112 using
+    # the default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and the
+    # user-constrained-policy-set will be empty and the
+    # explicit-policy-indicator will be set.  The path should not validate
+    # successfully. 
+    TestInfo(False),
+  ],
+
+  '4.11.6': [ # Invalid inhibitPolicyMapping Test6
+    # Procedure: Validate Invalid inhibitPolicyMapping Test6 EE using the
+    # default settings or open and verify Signed Test Message 6.2.2.113 using
+    # the default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and the
+    # user-constrained-policy-set will be empty and the
+    # explicit-policy-indicator will be set. The path should not validate
+    # successfully. 
+    TestInfo(False),
+  ],
+
+  '4.11.7': [ # Valid Self-Issued inhibitPolicyMapping Test7
+    # Procedure: Validate Valid Self-Issued inhibitPolicyMapping Test7 EE using
+    # the default settings or open and verify Signed Test Message 6.2.2.114
+    # using the default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set will be
+    # {NIST-test-policy-1} and the explicit-policy-indicator will be set. If
+    # the initial-policy-set is any-policy or otherwise includes
+    # NIST-test-policy-1, then the path should validate successfully. 
+    TestInfo(True),
+  ],
+
+  '4.11.8': [ # Invalid Self-Issued inhibitPolicyMapping Test8
+    # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test8 EE
+    # using the default settings or open and verify Signed Test Message
+    # 6.2.2.115 using the default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and
+    # user-constrained-policy-set will be empty and the
+    # explicit-policy-indicator will be set. The path should not validate
+    # successfully. 
+    TestInfo(False),
+  ],
+
+  '4.11.9': [ # Invalid Self-Issued inhibitPolicyMapping Test9
+    # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test9 EE
+    # using the default settings or open and verify Signed Test Message
+    # 6.2.2.116 using the default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and
+    # user-constrained-policy-set will be empty and the
+    # explicit-policy-indicator will be set. The path should not validate
+    # successfully. 
+    TestInfo(False),
+  ],
+
+  '4.11.10': [ # Invalid Self-Issued inhibitPolicyMapping Test10
+    # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test10 EE
+    # using the default settings or open and verify Signed Test Message
+    # 6.2.2.117 using the default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and
+    # user-constrained-policy-set will be empty and the
+    # explicit-policy-indicator will be set. The path should not validate
+    # successfully. 
+    TestInfo(False),
+  ],
+
+  '4.11.11': [ # Invalid Self-Issued inhibitPolicyMapping Test11
+    # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test11 EE
+    # using the default settings or open and verify Signed Test Message
+    # 6.2.2.118 using the default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and
+    # user-constrained-policy-set will be empty and the
+    # explicit-policy-indicator will be set. The path should not validate
+    # successfully. 
+    TestInfo(False),
+  ],
+
+  '4.12.1': [ # Invalid inhibitAnyPolicy Test1
+    # Procedure: Validate Invalid inhibitAnyPolicy Test1 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.119 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and
+    # user-constrained-policy-set will be empty and the
+    # explicit-policy-indicator will be set (if the application can process the
+    # policyConstraints extension). If the application can process the
+    # policyConstraints extension, then the path should not validate
+    # successfully. 
+    TestInfo(False),
+  ],
+
+  '4.12.2': [ # Valid inhibitAnyPolicy Test2
+    # Procedure: Validate Valid inhibitAnyPolicy Test2 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.120 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set will be
+    # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if
+    # the application can process the policyConstraints extension). If the
+    # initial-policy-set is any-policy or otherwise includes
+    # NIST-test-policy-1, then the user-constrained-policy-set will be
+    # {NIST-test-policy-1} and the path should validate successfully. If not,
+    # then the user-constrained-policy-set will be empty. If the
+    # user-constrained-policy-set is empty and the application can process the
+    # policyConstraints extension, then the path should not validate
+    # successfully. 
+
+    TestInfo(True),
+  ],
+
+  '4.12.3': [ # inhibitAnyPolicy Test3 
+     # 1. default settings. The path should validate successfully.
+    TestInfo(True),
+
+     # 2. default settings, but with initial-inhibit-any-policy set. The path
+     # should not validate successfully. 
+    TestInfo(False, initial_inhibit_any_policy=True),
+  ],
+
+  '4.12.4': [ # Invalid inhibitAnyPolicy Test4
+    # Procedure: Validate Invalid inhibitAnyPolicy Test4 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.122 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and
+    # user-constrained-policy-set will be empty and the
+    # explicit-policy-indicator will be set (if the application can process the
+    # policyConstraints extension). If the application can process the
+    # policyConstraints extension, then the path should not validate
+    # successfully. 
+    TestInfo(False),
+  ],
+
+  '4.12.5': [ # Invalid inhibitAnyPolicy Test5 
+    # Procedure: Validate Invalid inhibitAnyPolicy Test5 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.123 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and
+    # user-constrained-policy-set will be empty and the
+    # explicit-policy-indicator will be set (if the application can process the
+    # policyConstraints extension). If the application can process the
+    # policyConstraints extension, then the path should not validate
+    # successfully.
+    TestInfo(False),
+  ],
+
+  '4.12.6': [ # Invalid inhibitAnyPolicy Test6
+    # Procedure: Validate Invalid inhibitAnyPolicy Test6 EE using the default
+    # settings or open and verify Signed Test Message 6.2.2.124 using the
+    # default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and
+    # user-constrained-policy-set will be empty and the
+    # explicit-policy-indicator will be set (if the application can process the
+    # policyConstraints extension). If the application can process the
+    # policyConstraints extension, then the path should not validate
+    # successfully. 
+    TestInfo(False),
+  ],
+
+  '4.12.7': [ # Valid Self-Issued inhibitAnyPolicy Test7
+    # Procedure: Validate Valid Self-Issued inhibitAnyPolicy Test7 EE using the
+    # default settings or open and verify Signed Test Message 6.2.2.125 using
+    # the default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set will be
+    # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if
+    # the application can process the policyConstraints extension). If the
+    # initial-policy-set is any-policy or otherwise includes
+    # NIST-test-policy-1, then the user-constrained-policy-set will be
+    # {NIST-test-policy-1} and the path should validate successfully. If not,
+    # then the user-constrained-policy-set will be empty. If the
+    # user-constrained-policy-set is empty and the application can process the
+    # policyConstraints extension, then the path should not validate
+    # successfully. 
+    TestInfo(True),
+  ],
+
+  '4.12.8': [ # Invalid Self-Issued inhibitAnyPolicy Test8 
+    # Procedure: Validate Invalid Self-Issued inhibitAnyPolicy Test8 EE using
+    # the default settings or open and verify Signed Test Message 6.2.2.126
+    # using the default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and
+    # user-constrained-policy-set will be empty and the
+    # explicit-policy-indicator will be set (if the application can process the
+    # policyConstraints extension). If the application can process the
+    # policyConstraints extension, then the path should not validate
+    # successfully. 
+    TestInfo(False),
+  ],
+
+  '4.12.9': [ # Valid Self-Issued inhibitAnyPolicy Test9
+    # Procedure: Validate Valid Self-Issued inhibitAnyPolicy Test9 EE using the
+    # default settings or open and verify Signed Test Message 6.2.2.127 using
+    # the default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set will be
+    # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if
+    # the application can process the policyConstraints extension). If the
+    # initial-policy-set is any-policy or otherwise includes
+    # NIST-test-policy-1, then the user-constrained-policy-set will be
+    # {NIST-test-policy-1} and the path should validate successfully. If not,
+    # then the user-constrained-policy-set will be empty. If the
+    # user-constrained-policy-set is empty and the application can process the
+    # policyConstraints extension, then the path should not validate
+    # successfully. 
+    TestInfo(True),
+  ],
+
+  '4.12.10': [ # Invalid Self-Issued inhibitAnyPolicy Test10
+    # Procedure: Validate Invalid Self-Issued inhibitAnyPolicy Test10 EE using
+    # the default settings or open and verify Signed Test Message 6.2.2.128
+    # using the default settings.
+    #
+    # Expected Result: The authorities-constrained-policy-set and
+    # user-constrained-policy-set will be empty and the
+    # explicit-policy-indicator will be set (if the application can process the
+    # policyConstraints extension). If the application can process the
+    # policyConstraints extension, then the path should not validate
+    # successfully. 
+    TestInfo(False),
+  ],
+}
+
+
+def parse_test(lines, i, test_case_name, test_number, test_name,
+               sanitized_test_names, output):
+  # Start by doing a coarse level of parsing that separates out the lines for
+  # the main sections.
+  i, test_sections = parse_main_test_sections(lines, i)
+
+  certs, crls = parse_cert_path_lines(test_sections.cert_path_lines)
+
+  # Most tests have a formulaic specification: they use the default
+  # settings, and have one expectation. These are easily parsed and are handled
+  # programmatically. In contrast, many of the policies tests have a more
+  # complicated specification which involves multiple subtests having various
+  # settings, as well as expectations described in terms of supported
+  # extensions. Rather than try to handle all the nuanced language, these are
+  # handled manually via "overrides".
+  overrides = TEST_OVERRIDES.get(test_number, None)
+
+  if overrides is None:
+    # Verify that the test description doesn't include numbered subparts (those
+    # are not handled here).
+    if CUSTOM_SETTINGS_MATCHER.match(" ".join(test_sections.description_lines)):
+      sys.stderr.write('Unexpected custom settings for %s\n' % test_number)
+      sys.exit(1)
+
+    # Verify that the test is using only default settings.
+    if not USING_DEFAULT_SETTINGS_MATCHER.match(
+        " ".join(test_sections.procedure_lines)):
+      sys.stderr.write('Unexpected procedure for %s: %s\n' %
+                       (test_number, " ".join(test_section.procedure_lines)))
+      sys.exit(1)
+
+    # Check whether expected result is validation success or failure.
+    result_match = TEST_RESULT_MATCHER.match(
+       test_sections.expected_result_lines[0])
+    if not result_match:
+      sys.stderr.write('Unknown expectation for %s:\n%s\n' % (
+          test_number, " ".join(test_sections.expected_result_lines)))
+      sys.exit(1)
+    # Initializes with default settings.
+    info = TestInfo(result_match.group(1) == 'should validate')
+
+    output_test(test_case_name, test_number, test_name, None, info, certs,
+                crls, sanitized_test_names, output)
+  else:
+    # The overrides may have a series of inputs (settings) and outputs
+    # (success/failure) for this test. Output each as a separate test case.
+    for subpart_i in range(len(overrides)):
+      info = overrides[subpart_i]
+      # If the test has only 1 subpart, don't number it.
+      subpart_number = subpart_i + 1 if len(overrides) > 1 else None
+      output_test(test_case_name, test_number, test_name, subpart_number, info,
+                  certs, crls, sanitized_test_names, output)
+
+  return i
 
 
 def main():
   pkits_pdf_path, output_path = sys.argv[1:]
 
   pkits_txt_file = tempfile.NamedTemporaryFile()
 
   subprocess.check_call(['pdftotext', '-layout', '-nopgbrk', '-eol', 'unix',
                          pkits_pdf_path, pkits_txt_file.name])
 
@@ skipping 23 matching lines @@
   while i < len(lines):
     section_match = SECTION_MATCHER.match(lines[i])
     match = TEST_MATCHER.match(lines[i])
     i += 1
 
     if section_match:
       if test_case_name:
         finalize_test_case(test_case_name, sanitized_test_names, output)
         sanitized_test_names = []
 
-      # TODO(mattm): Handle certificate policies tests.
-      if section_match.group(1) in ('4.8', '4.9', '4.10', '4.11', '4.12'):
-        test_case_name = None
-        output.write('\n// Skipping section %s\n' % section_match.group(1))
-        continue
-
       test_case_name = 'PkitsTest%02d%s' % (
           int(section_match.group(1).split('.')[-1]),
           sanitize_name(section_match.group(2)))
       output.write('\ntemplate <typename PkitsTestDelegate>\n')
-      output.write('class %s : public PkitsTest<PkitsTestDelegate> {};\n' % test_case_name)
+      output.write('class %s : public PkitsTest<PkitsTestDelegate> {};\n' %
+                   test_case_name)
       output.write('TYPED_TEST_CASE_P(%s);\n' % test_case_name)
 
     if match:
       test_number = match.group(1)
       test_name = match.group(2)
       if not test_case_name:
         output.write('// Skipped %s %s\n' % (test_number, test_name))
         continue
-      i, sanitized_test_name = parse_test(lines, i, test_case_name, test_number,
-                                         test_name, output)
-      if sanitized_test_name:
-        sanitized_test_names.append(sanitized_test_name)
+      i, parse_test(lines, i, test_case_name, test_number,
+                    test_name, sanitized_test_names, output)
 
   if test_case_name:
     finalize_test_case(test_case_name, sanitized_test_names, output)
 
 
 if __name__ == '__main__':
   main()