Update PKITs test data to include "user_constrained_policy_set".

net/third_party/nist-pkits/generate_tests.py

 # Copyright 2016 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 '''Generates a test suite from NIST PKITS test descriptions.
 
 The output is a set of Type Parameterized Tests which are included by
 pkits_unittest.h. See pkits_unittest.h for information on using the tests.
 GoogleTest has a limit of 50 tests per type parameterized testcase, so the tests
 are split up by section number (this also makes it possible to easily skip
@@ skipping 18 matching lines @@
   output.write('\nWRAPPED_REGISTER_TYPED_TEST_CASE_P(%s' % test_case_name)
   for name in sanitized_test_names:
     output.write(',\n    %s' % name)
   output.write(');\n')
 
 
 def bool_to_str(b):
   return "true" if b else "false"
 
 
+def make_policies_string(policies):
+  return '"' + ','.join(policies) + '"'
+
+
 def output_test(test_case_name, test_number, raw_test_name, subpart_number,
                 info, certs, crls, sanitized_test_names, output):
   '''Writes a test case to |output|, and appends the test name to
   |sanitized_test_names|.'''
   sanitized_test_name = 'Section%s%s' % (test_number.split('.')[1],
                                          sanitize_name(raw_test_name))
 
+  subpart_comment = ''
   if subpart_number is not None:
     sanitized_test_name += "Subpart%d" % (subpart_number)
+    subpart_comment = ' (Subpart %d)' % (subpart_number)
 
   sanitized_test_names.append(sanitized_test_name)
 
   certs_formatted = ', '.join('"%s"' % n for n in certs)
   crls_formatted = ', '.join('"%s"' % n for n in crls)
-  assert_function = 'ASSERT_TRUE' if info.should_validate else 'ASSERT_FALSE'
 
   output.write('''
-// %(test_number)s %(raw_test_name)s
+// %(test_number)s %(raw_test_name)s%(subpart_comment)s
 WRAPPED_TYPED_TEST_P(%(test_case_name)s, %(sanitized_test_name)s) {
   const char* const certs[] = {
     %(certs_formatted)s
   };
   const char* const crls[] = {
     %(crls_formatted)s
   };
 ''' % vars())
 
-  default_settings = TestInfo(False)
+  default_info = TestInfo(None)
 
-  settings_str = ''
+  output.write('''PkitsTestInfo info;
+  info.should_validate = %s;
+''' % (bool_to_str(info.should_validate)))
 
-  # Output any non-default settings. Only settings that differ from
-  # the default settings are written, so as to keep the generated
-  # file more readable.
-  if info.initial_policy_set != default_settings.initial_policy_set:
-    settings_str += '''  settings.SetInitialPolicySet("%s");
-''' % (','.join(info.initial_policy_set))
+  # Output any non-default inputs/outputs. Only properties that differ from
+  # the defaults are written, so as to keep the generated file more readable.
+  if info.initial_policy_set != default_info.initial_policy_set:
+    output.write('''  info.SetInitialPolicySet(%s);
+''' % make_policies_string(info.initial_policy_set))
 
-  if info.initial_explicit_policy != default_settings.initial_explicit_policy:
-    settings_str += '''  settings.initial_explicit_policy = %s;
-''' % bool_to_str(info.initial_explicit_policy)
+  if info.initial_explicit_policy != default_info.initial_explicit_policy:
+    output.write('''  info.SetInitialExplicitPolicy(%s);
+''' % bool_to_str(info.initial_explicit_policy))
 
   if (info.initial_policy_mapping_inhibit !=
-          default_settings.initial_policy_mapping_inhibit):
-    settings_str += '''  settings.initial_policy_mapping_inhibit = %s;
-''' % bool_to_str(info.initial_policy_mapping_inhibit)
+          default_info.initial_policy_mapping_inhibit):
+    output.write('''  info.SetInitialPolicyMappingInhibit(%s);
+''' % bool_to_str(info.initial_policy_mapping_inhibit))
 
   if (info.initial_inhibit_any_policy !=
-          default_settings.initial_inhibit_any_policy):
-    settings_str += '''settings.initial_inhibit_any_policy = %s;
-''' % bool_to_str(info.initial_inhibit_any_policy)
+          default_info.initial_inhibit_any_policy):
+    output.write('''  info.SetInitialInhibitAnyPolicy(%s);
+''' % bool_to_str(info.initial_inhibit_any_policy))
 
-  settings_param_str = '{}'
+  if (info.user_constrained_policy_set !=
+          default_info.user_constrained_policy_set):
+    output.write('''  info.SetUserConstrainedPolicySet(%s);
+''' % make_policies_string(info.user_constrained_policy_set))
 
-  if settings_str != '':
-    output.write('''
-  // Custom settings
-  PkitsTestSettings settings;
-''')
-    output.write(settings_str)
-    output.write('\n')
-    settings_param_str = 'settings'
-
-  output.write('''  %(assert_function)s(this->Verify(certs, crls, %(settings_param_str)s));
+  output.write('''
+  this->RunTest(certs, crls, info);
 }
 ''' % vars())
 
 
 # Matches a section header, ex: "4.1 Signature Verification"
 SECTION_MATCHER = re.compile('^\s*(\d+\.\d+)\s+(.+)\s*$')
 # Matches a test header, ex: "4.1.1 Valid Signatures Test1"
 TEST_MATCHER = re.compile('^\s*(\d+\.\d+.\d+)\s+(.+)\s*$')
 
 # Matches the various headers in a test specification.
@@ skipping 105 matching lines @@
 
   return certs, crls
 
 
 ANY_POLICY = 'anyPolicy'
 TEST_POLICY_1 = 'NIST-test-policy-1'
 TEST_POLICY_2 = 'NIST-test-policy-2'
 TEST_POLICY_3 = 'NIST-test-policy-3'
 TEST_POLICY_6 = 'NIST-test-policy-6'
 
-# TODO(eroman): This omits a few outputs from PKITS:
+# Note: This omits some outputs from PKITS:
 #
 #  * authorities-constrained-policy-set
-#  * user-constrained-policy-set
 #  * explicit-policy-indicator
-#
-#  Consider adding the constrained policy sets in the future, if our
-#  verification code supports outputting them.
 class TestInfo(object):
   """This structure describes a test inputs and outputs"""
 
   def __init__(self, should_validate,
                # These defaults come from section 3 of PKITS.pdf
                initial_policy_set = [ANY_POLICY],
                initial_explicit_policy = False,
                initial_policy_mapping_inhibit = False,
-               initial_inhibit_any_policy = False):
+               initial_inhibit_any_policy = False,
+               # In all of the tests that are not related to policy processing,
+               # each certificate in the path asserts the certificate policy
+               # 2.16.840.1.101.3.2.1.48.1
+               user_constrained_policy_set = [TEST_POLICY_1]):
     self.should_validate = should_validate
     self.initial_policy_set = initial_policy_set
     self.initial_explicit_policy = initial_explicit_policy
     self.initial_policy_mapping_inhibit = initial_policy_mapping_inhibit
     self.initial_inhibit_any_policy = initial_inhibit_any_policy
+    self.user_constrained_policy_set = user_constrained_policy_set
 
 
 TEST_OVERRIDES = {
   '4.8.1': [ # All Certificates Same Policy Test1
     # 1. default settings, but with initial-explicit-policy set. The path
     # should validate successfully
-    TestInfo(True, initial_explicit_policy=True),
+    TestInfo(True, initial_explicit_policy=True,
+             user_constrained_policy_set=[TEST_POLICY_1]),
 
     # 2. default settings, but with initial-explicit-policy set and
     # initial-policy-set = {NIST-test-policy-1}. The path should validate
     # successfully. 
     TestInfo(True, initial_explicit_policy=True,
-             initial_policy_set=[TEST_POLICY_1]),
+             initial_policy_set=[TEST_POLICY_1],
+             user_constrained_policy_set=[TEST_POLICY_1]),
 
     # 3. default settings, but with initial-explicit-policy set and
     # initial-policy-set = {NIST-test-policy-2}. The path should not validate
     # successfully. 
     TestInfo(False, initial_explicit_policy=True,
-             initial_policy_set=[TEST_POLICY_2]),
+             initial_policy_set=[TEST_POLICY_2],
+             user_constrained_policy_set=[]),
 
     # 4. default settings, but with initial-explicit-policy set and
     # initial-policy-set = {NIST-test-policy-1, NIST-test-policy-2}. The path
     # should validate successfully. 
     TestInfo(True, initial_explicit_policy=True,
-             initial_policy_set=[TEST_POLICY_1, TEST_POLICY_2]),
+             initial_policy_set=[TEST_POLICY_1, TEST_POLICY_2],
+             user_constrained_policy_set=[TEST_POLICY_1]),
   ],
 
   '4.8.2': [ # All Certificates No Policies Test2
     # 1. default settings. The path should validate successfully.
-    TestInfo(True),
+    TestInfo(True, user_constrained_policy_set=[]),
 
     # 2. default settings, but with initial-explicit-policy set. The path
     # should not validate successfully
-    TestInfo(False, initial_explicit_policy=True),
+    TestInfo(False, initial_explicit_policy=True,
+             user_constrained_policy_set=[]),
   ],
 
   '4.8.3': [ # Different Policies Test3
     # 1. default settings. The path should validate successfully.
-    TestInfo(True),
+    TestInfo(True, user_constrained_policy_set=[]),
 
     # 2. default settings, but with initial-explicit-policy set. The path
     # should not validate successfully.
-    TestInfo(False, initial_explicit_policy=True),
+    TestInfo(False, initial_explicit_policy=True, user_constrained_policy_set=[]),
 
     # 3. default settings, but with initial-explicit-policy set and
     # initial-policy-set = {NIST-test-policy-1, NIST-test-policy-2}. The path
     # should not validate successfully. 
     TestInfo(False, initial_explicit_policy=True,
-             initial_policy_set=[TEST_POLICY_1, TEST_POLICY_2]),
+             initial_policy_set=[TEST_POLICY_1, TEST_POLICY_2],
+             user_constrained_policy_set=[]),
   ],
 
   '4.8.4': [ # Different Policies Test4 
     # Procedure: Validate Different Policies Test4 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.69 using the
     # default settings. 
     #
     # Expected Result: The authorities-constrained-policy-set and the
     # user-constrained-policy-set will be empty. The explicit-policy-indicator
     # will be set if the application can process the policyConstraints
     # extension. If the application can process the policyConstraints extension
     # then the path should not validate successfully. If the application can
     # not process the policyConstraints extension, then the path should
     # validate successfully.
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.8.5': [ # 4.8.5 Different Policies Test5
     # Procedure: Validate Different Policies Test5 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.70 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and the
     # user-constrained-policy-set will be empty. The explicit-policy-indicator
     # will be set if the application can process the policyConstraints
     # extension. If the application can process the policyConstraints extension
     # then the path should not validate successfully. If the application can
     # not process the policyConstraints extension, then the path should
     # validate successfully
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.8.6': [ # Overlapping Policies Test6
     # 1. default settings. The path should validate successfully.
-    TestInfo(True),
+    TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]),
 
     # 2. default settings, but with initial-policy-set = {NIST-test-policy-1}.
     # The path should validate successfully.
-    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1],
+             user_constrained_policy_set=[TEST_POLICY_1]),
 
     # 3. default settings, but with initial-policy-set = {NIST-test-policy-2}.
     # The path should not validate successfully. 
-    TestInfo(False, initial_policy_set=[TEST_POLICY_2]),
+    TestInfo(False, initial_policy_set=[TEST_POLICY_2],
+             user_constrained_policy_set=[]),
   ],
 
   '4.8.7': [ # Different Policies Test7
     # Procedure: Validate Different Policies Test7 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.72 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and the
     # user-constrained-policy-set will be empty. If the
     # explicit-policy-indicator will be set if the application can process the
     # policyConstraints extension. If the application can process the
     # policyConstraints extension, then the path should not validate
     # successfully. If the application can not process the policyConstraints
     # extension, then the path should validate successfully. 
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.8.8': [ # Different Policies Test8 
     # Procedure: Validate Different Policies Test8 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.73 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and the
     # user-constrained-policy-set will be empty. The explicit-policy-indicator
     # will be set if the application can process the policyConstraints
     # extension. If the application can process the policyConstraints extension
     # then the path should not validate successfully. If the application can
     # not process the policyConstraints extension, then the path should
     # validate successfully.
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.8.9': [ # Different Policies Test9
     # Procedure: Validate Different Policies Test9 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.74 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and the
     # user-constrained-policy-set will be empty. The explicit-policy-indicator
     # will be set if the application can process the policyConstraints
     # extension. If the application can process the policyConstraints
     # extension, then the path should not validate successfully. If the
     # application can not process the policyConstraints extension, then the
     # path should validate successfully. 
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.8.10': [ # All Certificates Same Policies Test10
     # 1. default settings. The path should validate successfully.
-    TestInfo(True),
+    TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1, TEST_POLICY_2]),
     
     # 2. default settings, but with initial-policy-set = {NIST-test-policy-1}.
     # The path should validate successfully.
-    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1],
+             user_constrained_policy_set=[TEST_POLICY_1]),
 
     # 3. default settings, but with initial-policy-set = {NIST-test-policy-2}.
     # The path should validate successfully.
-    TestInfo(True, initial_policy_set=[TEST_POLICY_2]),
+    TestInfo(True, initial_policy_set=[TEST_POLICY_2],
+             user_constrained_policy_set=[TEST_POLICY_2]),
   ],
 
   '4.8.11': [ # All Certificates AnyPolicy Test11
     # 1. default settings. The path should validate successfully.
-    TestInfo(True),
+    TestInfo(True, user_constrained_policy_set=[ANY_POLICY]),
 
     # 2. default settings, but with initial-policy-set = {NIST-test-policy-1}.
     # The path should validate successfully. 
-    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1],
+             user_constrained_policy_set=[TEST_POLICY_1]),
   ],
 
   '4.8.12': [ # Different Policies Test12
     # Procedure: Validate Different Policies Test12 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.77 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and the
     # user-constrained-policy-set will be empty. The explicit-policy-indicator
     # will be set if the application can process the policyConstraints
     # extension. If the application can process the policyConstraints
     # extension, then the path should not validate successfully. If the
     # application can not process the policyConstraints extension, then the
     # path should validate successfully. 
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.8.13': [ # All Certificates Same Policies Test13
     # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
     # The path should validate successfully.
-    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1],
+             user_constrained_policy_set=[TEST_POLICY_1]),
 
     # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}.
     # The path should validate successfully.
-    TestInfo(True, initial_policy_set=[TEST_POLICY_2]),
+    TestInfo(True, initial_policy_set=[TEST_POLICY_2],
+             user_constrained_policy_set=[TEST_POLICY_2]),
 
     # 3. default settings, but with initial-policy-set = {NIST-test-policy-3}.
     # The path should validate successfully. 
-    TestInfo(True, initial_policy_set=[TEST_POLICY_3]),
+    TestInfo(True, initial_policy_set=[TEST_POLICY_3],
+             user_constrained_policy_set=[TEST_POLICY_3]),
   ],
 
   '4.8.14': [ # AnyPolicy Test14
     # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
     # The path should validate successfully.
-    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1],
+             user_constrained_policy_set=[TEST_POLICY_1]),
 
     # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}.
     # The path should not validate successfully. 
-    TestInfo(False, initial_policy_set=[TEST_POLICY_2]),
+    TestInfo(False, initial_policy_set=[TEST_POLICY_2],
+             user_constrained_policy_set=[]),
   ],
 
   '4.8.15': [ # User Notice Qualifier Test15
     # Procedure: Validate User Notice Qualifier Test15 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.80 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set will be
     # {NIST-test-policy-1} and the explicit-policy-indicator will be the same
     # as the initial-explicit-policy indicator. If the initial-policy-set is
     # any-policy or otherwise includes NIST-test-policy-1, then the
     # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the
     # user-constrained-policy-set will be empty. If the initial-explicit-policy
     # indicator is set and the initial-policy-set does not include
     # NIST-test-policy-1, then the path should be rejected, otherwise it should
     # validate successfully. If the path validates successfully, then the
     # application should display the user notice.
-    TestInfo(True),
+    TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]),
   ],
 
   '4.8.16': [ # User Notice Qualifier Test16
     # Procedure: Validate User Notice Qualifier Test16 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.81 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set will be
     # {NIST-test-policy-1} and the explicit-policy-indicator will be the same
     # as the initial-explicit-policy indicator. If the initial-policy-set is
     # any-policy or otherwise includes NIST-test-policy-1, then the
     # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the
     # user-constrained-policy-set will be empty. If the initial-explicit-policy
     # indicator is set and the initial-policy-set does not include
     # NIST-test-policy-1, then the path should be rejected, otherwise it should
     # validate successfully. If the path validates successfully, then the
     # application should display the user notice associated with
     # NIST-test-policy-1. The user notice associated with NIST-test-policy-2
     # should not be displayed. 
-    TestInfo(True),
+    TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]),
   ],
 
   '4.8.17': [ # User Notice Qualifier Test17
     # Procedure: Validate User Notice Qualifier Test17 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.82 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set will be
     # {NIST-test-policy-1} and the explicit-policy-indicator will be the same
     # as the initial-explicit-policy indicator. If the initial-policy-set is
     # any-policy or otherwise includes NIST-test-policy-1, then the
     # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the
     # user-constrained-policy-set will be empty. If the initial-explicit-policy
     # indicator is set and the initial-policy-set does not include
     # NIST-test-policy-1, then the path should be rejected, otherwise it should
     # validate successfully. If the path validates successfully, then the
     # application should display the user notice associated with anyPolicy. 
-    TestInfo(True),
+    TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]),
   ],
 
   '4.8.18': [ # User Notice Qualifier Test18 
     # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
     # The path should validate successfully and the qualifier associated with
     # NIST-test-policy-1 in the end entity certificate should be displayed.
-    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1],
+             user_constrained_policy_set=[TEST_POLICY_1]),
 
     # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}.
     # The path should validate successfully and the qualifier associated with
     # anyPolicy in the end entity certificate should be displayed. 
-    TestInfo(True, initial_policy_set=[TEST_POLICY_2]),
+    TestInfo(True, initial_policy_set=[TEST_POLICY_2],
+             user_constrained_policy_set=[TEST_POLICY_2]),
   ],
 
   '4.8.19': [ # User Notice Qualifier Test19
     # Procedure: Validate User Notice Qualifier Test19 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.84 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set will be
     # {NIST-test-policy-1} and the explicit-policy-indicator will be the same
     # as the initial-explicit-policy indicator. If the initial-policy-set is
     # any-policy or otherwise includes NIST-test-policy-1, then the
     # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the
     # user-constrained-policy-set will be empty. If the initial-explicit-policy
     # indicator is set and the initial-policy-set does not include
     # NIST-test-policy-1, then the path should be rejected, otherwise it should
     # validate successfully.  Since the explicitText exceeds the maximum size
     # of 200 characters, the application may choose to reject the certificate.
     # If the application accepts the certificate, display of the user notice is
     # optional. 
-    TestInfo(True),
+    TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]),
   ],
 
   '4.8.20': [ # CPS Pointer Qualifier Test20
     # Procedure: Validate CPS Pointer Qualifier Test20 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.85 using the
     # default settings. (If possible, it is recommended that this test be run
     # with the initial-explicit-policy indicator set. If this can not be done,
     # manually check that the authorities-constrained-policy-set and
     # user-constrained-policy-set are correct.)
     #
     # Expected Result: The authorities-constrained-policy-set will be
     # {NIST-test-policy-1} and the explicit-policy-indicator will be the same
     # as the initial-explicit-policy indicator. If the initial-policy-set is
     # any-policy or otherwise includes NIST-test-policy-1, then the
     # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the
     # user-constrained-policy-set will be empty. If the initial-explicit-policy
     # indicator is set and the initial-policy-set does not include
     # NIST-test-policy-1, then the path should be rejected, otherwise it should
     # validate successfully. The CPS pointer in the qualifier should be
     # associated with NIST-testpolicy-1 in the
     # authorities-constrained-policy-set (and in the user-constrained-policy-set
     # if NIST-test-policy-1 is in that set). There are no processing
     # requirements associated with the CPS pointer qualifier. 
     TestInfo(True, initial_explicit_policy=True,
-             initial_policy_set=[TEST_POLICY_1]),
+             initial_policy_set=[TEST_POLICY_1],
+             user_constrained_policy_set=[TEST_POLICY_1]),
+  ],
+
+  '4.9.1': [ # Valid RequireExplicitPolicy Test1
+    # Procedure: Validate Valid requireExplicitPolicy Test1 EE using the
+    # default settings or open and verify Signed Test Message 6.2.2.86 using
+    # the default settings.
+    #
+    # Expected Result: The path should validate successfully since the
+    # explicit-policy-indicator is not set.
+    TestInfo(True, user_constrained_policy_set=[]),
+  ],
+
+  '4.9.2': [ # Valid RequireExplicitPolicy Test2
+    # Procedure: Validate Valid requireExplicitPolicy Test2 EE using the
+    # default settings or open and verify Signed Test Message 6.2.2.87 using
+    # the default settings.
+    #
+    # Expected Result: The path should validate successfully since the
+    # explicit-policy-indicator is not set
+    TestInfo(True, user_constrained_policy_set=[]),
+  ],
+
+  '4.9.6': [ # Valid Self-Issued requireExplicitPolicy Test6
+    # Procedure: Validate Valid Self-Issued requireExplicitPolicy Test6 EE using
+    # the default settings or open and verify Signed Test Message 6.2.2.91 using
+    # the default settings.
+    #
+    # Expected Result: The path should validate successfully since the
+    # explicit-policy-indicator is not set.
+    TestInfo(True, user_constrained_policy_set=[]),
   ],
 
   '4.10.1': [ # Valid Policy Mapping Test1
     # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
     # The path should validate successfully.
-    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1],
+             user_constrained_policy_set=[TEST_POLICY_1]),
 
     # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}.
     # The path should not validate successfully. 
-    TestInfo(False, initial_policy_set=[TEST_POLICY_2]),
+    TestInfo(False, initial_policy_set=[TEST_POLICY_2],
+             user_constrained_policy_set=[]),
 
     # 3. default settings, but with initial-policy-mapping-inhibit set. The
     # path should not validate successfully.
-    TestInfo(False, initial_policy_mapping_inhibit=True),
+    TestInfo(False, initial_policy_mapping_inhibit=True,
+             user_constrained_policy_set=[]),
   ],
 
   '4.10.2': [ # Invalid Policy Mapping Test2
     # 1. default settings. The path should not validate successfully.
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
 
     # 2. default settings, but with initial-policy-mapping-inhibit set. The
     # path should not validate successfully. 
-    TestInfo(False, initial_policy_mapping_inhibit=True),
+    TestInfo(False, initial_policy_mapping_inhibit=True,
+             user_constrained_policy_set=[]),
   ],
 
   '4.10.3': [ # Valid Policy Mapping Test3
     # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
     # The path should not validate successfully.
-    TestInfo(False, initial_policy_set=[TEST_POLICY_1]),
+    TestInfo(False, initial_policy_set=[TEST_POLICY_1],
+             user_constrained_policy_set=[]),
 
     # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}.
     # The path should validate successfully. 
-    TestInfo(True, initial_policy_set=[TEST_POLICY_2]),
+    TestInfo(True, initial_policy_set=[TEST_POLICY_2],
+             user_constrained_policy_set=[TEST_POLICY_2]),
   ],
 
   '4.10.4': [ # Invalid Policy Mapping Test4
     # Procedure: Validate Invalid Policy Mapping Test4 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.97 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and the
     # user-constrained-policy-set will be empty and the
     # explicit-policy-indicator will be set (if the application can process the
     # policyConstraints extension). If the application can process the
     # policyConstraints extension, then the path should be rejected, otherwise
     # it should validate successfully. 
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.10.5': [ # Valid Policy Mapping Test5
     # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
     # The path should validate successfully.
-    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1],
+             user_constrained_policy_set=[TEST_POLICY_1]),
 
     # 2. default settings, but with initial-policy-set = {NIST-test-policy-6}.
     # The path should not validate successfully. 
-    TestInfo(False, initial_policy_set=[TEST_POLICY_6]),
+    TestInfo(False, initial_policy_set=[TEST_POLICY_6],
+             user_constrained_policy_set=[]),
   ],
 
   '4.10.6': [ # Valid Policy Mapping Test6
     # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
     # The path should validate successfully.
-    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1],
+                   user_constrained_policy_set=[TEST_POLICY_1]),
 
     # 2. default settings, but with initial-policy-set = {NIST-test-policy-6}.
     # The path should not validate successfully. 
-    TestInfo(False, initial_policy_set=[TEST_POLICY_6]),
+    TestInfo(False, initial_policy_set=[TEST_POLICY_6],
+             user_constrained_policy_set=[]),
+  ],
+
+  '4.10.8': [ # Invalid Mapping To anyPolicy Test8
+    # Procedure: Validate Invalid Mapping To anyPolicy Test8 EE using the
+    # default settings or open and verify Signed Test Message 6.2.2.101 using
+    # the default settings.
+    #
+    # Expected Result: The path should not validate successfully since the
+    # intermediate certificate includes a policy mapping extension in which
+    # anyPolicy appears as an subjectDomainPolicy.
+    #
+    # TODO(eroman): What should user_constrained_policy_set be?
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.10.9': [ # Valid Policy Mapping Test9
     # Procedure: Validate Valid Policy Mapping Test9 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.102 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set will be
     # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if
     # the application can process the policyConstraints extension). If the
@@ skipping 10 matching lines @@
     # Procedure: Validate Invalid Policy Mapping Test10 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.103 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and the
     # user-constrained-policy-set will be empty and the
     # explicit-policy-indicator will be set (if the application can process the
     # policyConstraints extension). If the application can process the
     # policyConstraints extension, then the path should be rejected, otherwise
     # it should validate successfully.
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.10.11': [ # Valid Policy Mapping Test11
     # Procedure: Validate Valid Policy Mapping Test11 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.104 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set will be
     # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if
     # the application can process the policyConstraints extension). If the
     # initial-policy-set is any-policy or otherwise includes
     # NIST-test-policy-1, then the user-constrained-policy-set will be
     # {NIST-test-policy-1}. If not, the user-constrained-policy-set will be
     # empty. If the initial-policy-set does not include NIST-test-policy-1 (and
     # the application can process the policyConstraints extension), then the
     # path should be rejected, otherwise it should validate successfully. 
-    TestInfo(True),
+    TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]),
   ],
 
   '4.10.12': [ # Valid Policy Mapping Test12
     # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}.
     # The path should validate successfully and the application should display
     # the user notice associated with NIST-test-policy-3 in the end entity
     # certificate.
-    TestInfo(True, initial_policy_set=[TEST_POLICY_1]),
+    TestInfo(True, initial_policy_set=[TEST_POLICY_1],
+             user_constrained_policy_set=[TEST_POLICY_1]),
 
     # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}.
     # The path should validate successfully and the application should display
     # the user notice associated with anyPolicy in the end entity certificate. 
-    TestInfo(True, initial_policy_set=[TEST_POLICY_2]),
+    TestInfo(True, initial_policy_set=[TEST_POLICY_2],
+             user_constrained_policy_set=[TEST_POLICY_2]),
   ],
 
   '4.10.13': [ # Valid Policy Mapping Test13
     # Procedure: Validate Valid Policy Mapping Test13 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.106 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set will be
     # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if
     # the application can process the policyConstraints extension). If the
     # initial-policy-set is any-policy or otherwise includes
     # NIST-test-policy-1, then the user-constrained-policy-set will be
     # {NIST-test-policy-1}. If not, the user-constrained-policy-set will be
     # empty. If the initial-policy-set does not include NIST-test-policy-1 (and
     # the application can process the policyConstraints extension), then the
     # path should be rejected, otherwise it should validate successfully. If
     # the path is accepted, the application should display the user notice
     # associated with NIST-testpolicy-1 in the intermediate certificate. 
-    TestInfo(True),
+    TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]),
   ],
 
   '4.10.14': [ # Valid Policy Mapping Test14
     # Procedure: Validate Valid Policy Mapping Test14 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.107 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set will be
     # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if
     # the application can process the policyConstraints extension). If the
     # initial-policy-set is any-policy or otherwise includes
     # NIST-test-policy-1, then the user-constrained-policy-set will be
     # {NIST-test-policy-1}. If not, the user-constrained-policy-set will be
     # empty. If the initial-policy-set does not include NIST-test-policy-1 (and
     # the application can process the policyConstraints extension), then the
     # path should be rejected, otherwise it should validate successfully. If
     # the path is accepted, the application should display the user notice
     # associated with anyPolicy in the intermediate certificate
-    TestInfo(True),
+    TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]),
   ],
 
   '4.11.1': [ # Invalid inhibitPolicyMapping Test1 
     # Procedure: Validate Invalid inhibitPolicyMapping Test1 EE using the
     # default settings or open and verify Signed Test Message 6.2.2.108 using
     # the default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and the
     # user-constrained-policy-set will be empty. The explicit-policy-indicator
     # will be set.  The path should not validate successfully. 
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.11.2': [ # Valid inhibitPolicyMapping Test2
     # Procedure: Validate Valid inhibitPolicyMapping Test2 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.109 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set will be
     # {NIST-test-policy-1} and the explicit-policy-indicator will be set. If
     # the initial-policy-set is any-policy or otherwise includes
     # NIST-test-policy-1, then the path should validate successfully. 
-    TestInfo(True),
+    TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]),
   ],
 
   '4.11.3': [ # Invalid inhibitPolicyMapping Test3 
     # Procedure: Validate Invalid inhibitPolicyMapping Test3 EE using the
     # default settings or open and verify Signed Test Message 6.2.2.110 using
     # the default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and the
     # user-constrained-policy-set will be empty and the
     # explicit-policy-indicator will be set.  The path should not validate
     # successfully. 
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.11.4': [ # Valid inhibitPolicyMapping Test4
     # Procedure: Validate Valid inhibitPolicyMapping Test4 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.111 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set will be
     # {NIST-test-policy-2} and the explicit-policy-indicator will be set. If
     # the initial-policy-set is any-policy or otherwise includes
     # NIST-test-policy-2, then the path should validate successfully. 
-    TestInfo(True),
+    TestInfo(True, user_constrained_policy_set=[TEST_POLICY_2]),
   ],
 
   '4.11.5': [ # Invalid inhibitPolicyMapping Test5
     # Procedure: Validate Invalid inhibitPolicyMapping Test5 EE using the
     # default settings or open and verify Signed Test Message 6.2.2.112 using
     # the default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and the
     # user-constrained-policy-set will be empty and the
     # explicit-policy-indicator will be set.  The path should not validate
     # successfully. 
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.11.6': [ # Invalid inhibitPolicyMapping Test6
     # Procedure: Validate Invalid inhibitPolicyMapping Test6 EE using the
     # default settings or open and verify Signed Test Message 6.2.2.113 using
     # the default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and the
     # user-constrained-policy-set will be empty and the
     # explicit-policy-indicator will be set. The path should not validate
     # successfully. 
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.11.7': [ # Valid Self-Issued inhibitPolicyMapping Test7
     # Procedure: Validate Valid Self-Issued inhibitPolicyMapping Test7 EE using
     # the default settings or open and verify Signed Test Message 6.2.2.114
     # using the default settings.
     #
     # Expected Result: The authorities-constrained-policy-set will be
     # {NIST-test-policy-1} and the explicit-policy-indicator will be set. If
     # the initial-policy-set is any-policy or otherwise includes
     # NIST-test-policy-1, then the path should validate successfully. 
-    TestInfo(True),
+    TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]),
   ],
 
   '4.11.8': [ # Invalid Self-Issued inhibitPolicyMapping Test8
     # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test8 EE
     # using the default settings or open and verify Signed Test Message
     # 6.2.2.115 using the default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and
     # user-constrained-policy-set will be empty and the
     # explicit-policy-indicator will be set. The path should not validate
     # successfully. 
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.11.9': [ # Invalid Self-Issued inhibitPolicyMapping Test9
     # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test9 EE
     # using the default settings or open and verify Signed Test Message
     # 6.2.2.116 using the default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and
     # user-constrained-policy-set will be empty and the
     # explicit-policy-indicator will be set. The path should not validate
     # successfully. 
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.11.10': [ # Invalid Self-Issued inhibitPolicyMapping Test10
     # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test10 EE
     # using the default settings or open and verify Signed Test Message
     # 6.2.2.117 using the default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and
     # user-constrained-policy-set will be empty and the
     # explicit-policy-indicator will be set. The path should not validate
     # successfully. 
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.11.11': [ # Invalid Self-Issued inhibitPolicyMapping Test11
     # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test11 EE
     # using the default settings or open and verify Signed Test Message
     # 6.2.2.118 using the default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and
     # user-constrained-policy-set will be empty and the
     # explicit-policy-indicator will be set. The path should not validate
     # successfully. 
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.12.1': [ # Invalid inhibitAnyPolicy Test1
     # Procedure: Validate Invalid inhibitAnyPolicy Test1 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.119 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and
     # user-constrained-policy-set will be empty and the
     # explicit-policy-indicator will be set (if the application can process the
     # policyConstraints extension). If the application can process the
     # policyConstraints extension, then the path should not validate
     # successfully. 
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.12.2': [ # Valid inhibitAnyPolicy Test2
     # Procedure: Validate Valid inhibitAnyPolicy Test2 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.120 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set will be
     # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if
     # the application can process the policyConstraints extension). If the
     # initial-policy-set is any-policy or otherwise includes
     # NIST-test-policy-1, then the user-constrained-policy-set will be
     # {NIST-test-policy-1} and the path should validate successfully. If not,
     # then the user-constrained-policy-set will be empty. If the
     # user-constrained-policy-set is empty and the application can process the
     # policyConstraints extension, then the path should not validate
     # successfully. 
-
-    TestInfo(True),
+    TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]),
   ],
 
   '4.12.3': [ # inhibitAnyPolicy Test3 
      # 1. default settings. The path should validate successfully.
-    TestInfo(True),
+    TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]),
 
      # 2. default settings, but with initial-inhibit-any-policy set. The path
      # should not validate successfully. 
-    TestInfo(False, initial_inhibit_any_policy=True),
+    TestInfo(False, initial_inhibit_any_policy=True,
+             user_constrained_policy_set=[]),
   ],
 
   '4.12.4': [ # Invalid inhibitAnyPolicy Test4
     # Procedure: Validate Invalid inhibitAnyPolicy Test4 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.122 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and
     # user-constrained-policy-set will be empty and the
     # explicit-policy-indicator will be set (if the application can process the
     # policyConstraints extension). If the application can process the
     # policyConstraints extension, then the path should not validate
     # successfully. 
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.12.5': [ # Invalid inhibitAnyPolicy Test5 
     # Procedure: Validate Invalid inhibitAnyPolicy Test5 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.123 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and
     # user-constrained-policy-set will be empty and the
     # explicit-policy-indicator will be set (if the application can process the
     # policyConstraints extension). If the application can process the
     # policyConstraints extension, then the path should not validate
     # successfully.
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.12.6': [ # Invalid inhibitAnyPolicy Test6
     # Procedure: Validate Invalid inhibitAnyPolicy Test6 EE using the default
     # settings or open and verify Signed Test Message 6.2.2.124 using the
     # default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and
     # user-constrained-policy-set will be empty and the
     # explicit-policy-indicator will be set (if the application can process the
     # policyConstraints extension). If the application can process the
     # policyConstraints extension, then the path should not validate
     # successfully. 
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.12.7': [ # Valid Self-Issued inhibitAnyPolicy Test7
     # Procedure: Validate Valid Self-Issued inhibitAnyPolicy Test7 EE using the
     # default settings or open and verify Signed Test Message 6.2.2.125 using
     # the default settings.
     #
     # Expected Result: The authorities-constrained-policy-set will be
     # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if
     # the application can process the policyConstraints extension). If the
     # initial-policy-set is any-policy or otherwise includes
     # NIST-test-policy-1, then the user-constrained-policy-set will be
     # {NIST-test-policy-1} and the path should validate successfully. If not,
     # then the user-constrained-policy-set will be empty. If the
     # user-constrained-policy-set is empty and the application can process the
     # policyConstraints extension, then the path should not validate
     # successfully. 
-    TestInfo(True),
+    TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]),
   ],
 
   '4.12.8': [ # Invalid Self-Issued inhibitAnyPolicy Test8 
     # Procedure: Validate Invalid Self-Issued inhibitAnyPolicy Test8 EE using
     # the default settings or open and verify Signed Test Message 6.2.2.126
     # using the default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and
     # user-constrained-policy-set will be empty and the
     # explicit-policy-indicator will be set (if the application can process the
     # policyConstraints extension). If the application can process the
     # policyConstraints extension, then the path should not validate
     # successfully. 
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 
   '4.12.9': [ # Valid Self-Issued inhibitAnyPolicy Test9
     # Procedure: Validate Valid Self-Issued inhibitAnyPolicy Test9 EE using the
     # default settings or open and verify Signed Test Message 6.2.2.127 using
     # the default settings.
     #
     # Expected Result: The authorities-constrained-policy-set will be
     # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if
     # the application can process the policyConstraints extension). If the
     # initial-policy-set is any-policy or otherwise includes
     # NIST-test-policy-1, then the user-constrained-policy-set will be
     # {NIST-test-policy-1} and the path should validate successfully. If not,
     # then the user-constrained-policy-set will be empty. If the
     # user-constrained-policy-set is empty and the application can process the
     # policyConstraints extension, then the path should not validate
     # successfully. 
-    TestInfo(True),
+    TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]),
   ],
 
   '4.12.10': [ # Invalid Self-Issued inhibitAnyPolicy Test10
     # Procedure: Validate Invalid Self-Issued inhibitAnyPolicy Test10 EE using
     # the default settings or open and verify Signed Test Message 6.2.2.128
     # using the default settings.
     #
     # Expected Result: The authorities-constrained-policy-set and
     # user-constrained-policy-set will be empty and the
     # explicit-policy-indicator will be set (if the application can process the
     # policyConstraints extension). If the application can process the
     # policyConstraints extension, then the path should not validate
     # successfully. 
-    TestInfo(False),
+    TestInfo(False, user_constrained_policy_set=[]),
   ],
 }
 
 
 def parse_test(lines, i, test_case_name, test_number, test_name,
                sanitized_test_names, output):
   # Start by doing a coarse level of parsing that separates out the lines for
   # the main sections.
   i, test_sections = parse_main_test_sections(lines, i)
 
@@ skipping 25 matching lines @@
     # Check whether expected result is validation success or failure.
     result_match = TEST_RESULT_MATCHER.match(
        test_sections.expected_result_lines[0])
     if not result_match:
       sys.stderr.write('Unknown expectation for %s:\n%s\n' % (
           test_number, " ".join(test_sections.expected_result_lines)))
       sys.exit(1)
     # Initializes with default settings.
     info = TestInfo(result_match.group(1) == 'should validate')
 
+    # Special case the 4.9 test failures (require explicit policy) to set
+    # user_constrained_policy_set to empty. This is only done for the 4.9
+    # tests, because the other policy tests are special cased as overrides and
+    # hence set this manually on a per-test basis.
+    #
+    # user_constrained_policy_set enumerates the subset of the initial policy
+    # set (anyPolicy in the default case) that were valid for the path. For
+    # non-policy tests the expectation for user_constrained_policy_set is
+    # [TEST_POLICY_1] since each policy asserts that. However for these tests,
+    # the expectation is an empty user_constrained_policy_set since there was
+    # no valid policy for the path (in fact, that is why the path validation is
+    # expected to fail).
+    if test_number.startswith('4.9.') and not info.should_validate:
+      info.user_constrained_policy_set = []
+
     output_test(test_case_name, test_number, test_name, None, info, certs,
                 crls, sanitized_test_names, output)
   else:
     # The overrides may have a series of inputs (settings) and outputs
     # (success/failure) for this test. Output each as a separate test case.
     for subpart_i in range(len(overrides)):
       info = overrides[subpart_i]
       # If the test has only 1 subpart, don't number it.
       subpart_number = subpart_i + 1 if len(overrides) > 1 else None
       output_test(test_case_name, test_number, test_name, subpart_number, info,
@@ skipping 59 matching lines @@
         continue
       i, parse_test(lines, i, test_case_name, test_number,
                     test_name, sanitized_test_names, output)
 
   if test_case_name:
     finalize_test_case(test_case_name, sanitized_test_names, output)
 
 
 if __name__ == '__main__':
   main()