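# Copyright 2016 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

'''Generates a test suite from NIST PKITS test descriptions.

The output is a set of Type Parameterized Tests which are included by
pkits_unittest.h. See pkits_unittest.h for information on using the tests.
GoogleTest has a limit of 50 tests per type parameterized testcase, so the tests
are split up by section number (this also makes it possible to easily skip
sections that pertain to non-implemented features).

Usage:
  generate_tests.py <PKITS.pdf> <output.h>
'''

import os
import re
import subprocess
import sys
import tempfile


def sanitize_name(s):
    '''Returns |s| with every space and hyphen removed.

    Only ' ' and '-' are stripped. Any other character is passed through
    unchanged, so the result is not guaranteed to be a valid C++ identifier
    or a safe string-literal body for arbitrary input.
    '''
    return s.translate(str.maketrans('', '', ' -'))


def finalize_test_case(test_case_name, sanitized_test_names, output):
    '''Writes the suite registration macro for |test_case_name| to |output|,
    listing every name in |sanitized_test_names|.'''
    output.write('\nWRAPPED_REGISTER_TYPED_TEST_SUITE_P(%s' % test_case_name)
    for name in sanitized_test_names:
        output.write(',\n %s' % name)
    output.write(');\n')


def bool_to_str(b):
    '''Returns the C++ boolean literal ("true"/"false") for the truthiness
    of |b|.'''
    return "true" if b else "false"


def make_policies_string(policies):
    '''Returns |policies| joined with commas and wrapped in double quotes.'''
    return '"' + ','.join(policies) + '"'


def output_test(test_case_name, test_number, raw_test_name, subpart_number,
                info, certs, crls, sanitized_test_names, output):
    '''Writes a test case to |output|, and appends the test name to
    |sanitized_test_names|.

    |test_number| is a dotted string such as "4.8.1"; its second component
    becomes part of the generated test name. |subpart_number| is an int, or
    None when the test has no subparts. |info| is the TestInfo describing the
    inputs and the expected result.

    The test name, certificate names and CRL names are interpolated into the
    generated C++ without escaping. That is only sound while the input is
    the PKITS document itself; review the generated header after
    regenerating it from any other source.
    '''
    sanitized_test_name = 'Section%s%s' % (test_number.split('.')[1],
                                           sanitize_name(raw_test_name))

    subpart_comment = ''
    if subpart_number is not None:
        sanitized_test_name += "Subpart%d" % (subpart_number)
        subpart_comment = ' (Subpart %d)' % (subpart_number)

    sanitized_test_names.append(sanitized_test_name)

    certs_formatted = ', '.join('"%s"' % n for n in certs)
    crls_formatted = ', '.join('"%s"' % n for n in crls)

    # The fields are passed explicitly rather than through vars(), so the
    # template cannot silently pick up (or lose) a local variable.
    output.write('''
// %(test_number)s %(raw_test_name)s%(subpart_comment)s
WRAPPED_TYPED_TEST_P(%(test_case_name)s, %(sanitized_test_name)s) {
  const char* const certs[] = {
    %(certs_formatted)s
  };
  const char* const crls[] = {
    %(crls_formatted)s
  };
''' % {
        'test_number': test_number,
        'raw_test_name': raw_test_name,
        'subpart_comment': subpart_comment,
        'test_case_name': test_case_name,
        'sanitized_test_name': sanitized_test_name,
        'certs_formatted': certs_formatted,
        'crls_formatted': crls_formatted,
    })

    default_info = TestInfo(None)

    # The header comment above keeps the plain test number; only the
    # info.test_number field gets the subpart suffix.
    if info.include_subpart_in_test_number:
        test_number = "%s.%d" % (test_number, subpart_number)

    output.write('''  PkitsTestInfo info;
  info.test_number = "%s";
  info.should_validate = %s;
''' % (test_number, bool_to_str(info.should_validate)))

    # Output any non-default inputs/outputs. Only properties that differ from
    # the defaults are written, so as to keep the generated file more readable.
    if info.initial_policy_set != default_info.initial_policy_set:
        output.write('''  info.SetInitialPolicySet(%s);
''' % make_policies_string(info.initial_policy_set))

    if info.initial_explicit_policy != default_info.initial_explicit_policy:
        output.write('''  info.SetInitialExplicitPolicy(%s);
''' % bool_to_str(info.initial_explicit_policy))

    if (info.initial_policy_mapping_inhibit !=
            default_info.initial_policy_mapping_inhibit):
        output.write('''  info.SetInitialPolicyMappingInhibit(%s);
''' % bool_to_str(info.initial_policy_mapping_inhibit))

    if (info.initial_inhibit_any_policy !=
            default_info.initial_inhibit_any_policy):
        output.write('''  info.SetInitialInhibitAnyPolicy(%s);
''' % bool_to_str(info.initial_inhibit_any_policy))

    if (info.user_constrained_policy_set !=
            default_info.user_constrained_policy_set):
        output.write('''  info.SetUserConstrainedPolicySet(%s);
''' % make_policies_string(info.user_constrained_policy_set))

    output.write('''
  this->RunTest(certs, crls, info);
}
''')


# The patterns below are raw strings so that \s and \d reach the regex engine
# as written instead of relying on Python passing unknown string escapes
# through. A trailing U+FFFD (replacement character) is tolerated at the end
# of section and test headers.

# Matches a section header, ex: "4.1 Signature Verification"
SECTION_MATCHER = re.compile(r'^\s*(\d+\.\d+)\s+(.+?)\s*\ufffd?$')
# Matches a test header, ex: "4.1.1 Valid Signatures Test1"
# NOTE(review): the second '.' is unescaped and so matches any character;
# '\.' looks intended. Confirm against the extracted PDF text before
# tightening it.
TEST_MATCHER = re.compile(r'^\s*(\d+\.\d+.\d+)\s+(.+?)\s*\ufffd?$')

# Matches the various headers in a test specification.
EXPECTED_HEADER_MATCHER = re.compile(r'^\s*Expected Result:')
PROCEDURE_HEADER_MATCHER = re.compile(r'^\s*Procedure:')
PATH_HEADER_MATCHER = re.compile(r'^\s*Certification Path:')

# Matches the Procedure text if using default settings.
USING_DEFAULT_SETTINGS_MATCHER = re.compile(
    r'^.*using the \s*default settings.*')

# Matches the description text if using custom settings.
CUSTOM_SETTINGS_MATCHER = re.compile(
    r'.*this\s+test\s+be\s+validated\s+using\s+the\s+following\s+inputs:.*')

# Match an expected test result. Note that some results in the PDF have a typo
# "path not should validate" instead of "path should not validate".
TEST_RESULT_MATCHER = re.compile(
    r'^.*path (should validate|should not validate|not should validate)')

# Matches a line in the certification path, ex:
#   "\u2022 Good CA Cert, Good CA CRL"
PATH_MATCHER = re.compile(r'^\s*\u2022\s*(.+)\s*$')
# Matches a page number. These may appear in the middle of multi-line fields and
# thus need to be ignored.
PAGE_NUMBER_MATCHER = re.compile(r'^\s*\d+\s*$')
# Matches if an entry in a certification path refers to a CRL, ex:
# "onlySomeReasons CA2 CRL1".
CRL_MATCHER = re.compile(r'^.*CRL\d*$')


class TestSections(object):
    '''Holds the raw text lines of one test, grouped by the part of the test
    description they belong to.'''

    def __init__(self):
        self.description_lines = []
        self.procedure_lines = []
        self.expected_result_lines = []
        self.cert_path_lines = []


def _read_until(lines, i, stop_matchers):
    '''Collects lines[i:] up to, but not including, the first line matched by
    any of |stop_matchers|. Returns (index of that line, collected lines).'''
    collected = []
    while i < len(lines):
        if any(matcher.match(lines[i]) for matcher in stop_matchers):
            break
        collected.append(lines[i])
        i += 1
    return i, collected


def parse_main_test_sections(lines, i):
    '''Splits the text of one test, starting at lines[i], into its parts.

    Returns (index of the first line after the test, TestSections). Each part
    after the description begins with its own header line, because the scan
    for the previous part stops at that header without consuming it.
    '''
    result = TestSections()

    # Read the description lines (text after test name up until
    # "Procedure:").
    i, result.description_lines = _read_until(
        lines, i, [PROCEDURE_HEADER_MATCHER])

    # Read the procedure lines (text starting at "Procedure:" and up until
    # "Expected Result:").
    i, result.procedure_lines = _read_until(
        lines, i, [EXPECTED_HEADER_MATCHER])

    # Read the expected result lines (text starting at "Expected Result:" and
    # up until "Certification Path:").
    i, result.expected_result_lines = _read_until(
        lines, i, [PATH_HEADER_MATCHER])

    # Read the certification path lines (text starting at "Certification
    # Path:" and up until the next test or section title).
    i, result.cert_path_lines = _read_until(
        lines, i, [TEST_MATCHER, SECTION_MATCHER])

    return i, result


def parse_cert_path_lines(lines):
    '''Extracts the certificate and CRL names from a certification path.

    The first element of |lines| is skipped; when |lines| comes from
    parse_main_test_sections() that element is the "Certification Path:"
    header. Returns (certs, crls), each a list of sanitized names in the
    order they appear.
    '''
    path_lines = []
    crls = []
    certs = []

    for line in lines[1:]:
        line = line.strip()

        if "is composed of the following objects:" in line:
            continue
        if "See the introduction to Section 4.4 for more information." in line:
            continue

        if not line or PAGE_NUMBER_MATCHER.match(line):
            continue
        path_match = PATH_MATCHER.match(line)
        if path_match:
            path_lines.append(path_match.group(1))
            continue
        # Continuation of previous path line. An IndexError here means text
        # appeared before the first bullet of the path.
        path_lines[-1] += ' ' + line

    for path_line in path_lines:
        for path in path_line.split(','):
            path = sanitize_name(path.strip())
            # An entry is classified purely by its name: anything ending in
            # "CRL" plus optional digits is a CRL, everything else a cert.
            if CRL_MATCHER.match(path):
                crls.append(path)
            else:
                certs.append(path)

    return certs, crls


ANY_POLICY = 'anyPolicy'
TEST_POLICY_1 = 'NIST-test-policy-1'
TEST_POLICY_2 = 'NIST-test-policy-2'
TEST_POLICY_3 = 'NIST-test-policy-3'
TEST_POLICY_6 = 'NIST-test-policy-6'

# Note: This omits some outputs from PKITS:
#
#  * authorities-constrained-policy-set
#  * explicit-policy-indicator
class TestInfo(object):
    """Describes the inputs and expected outputs of one test.

    |should_validate| is the expected outcome and is emitted as
    info.should_validate in the generated test. The remaining arguments are
    the policy-processing inputs and the expected
    user-constrained-policy-set. Passing None for either policy set selects
    the default named below.
    """

    def __init__(self, should_validate,
                 initial_policy_set=None,
                 initial_explicit_policy=False,
                 initial_policy_mapping_inhibit=False,
                 initial_inhibit_any_policy=False,
                 user_constrained_policy_set=None,
                 include_subpart_in_test_number=False):
        # The list defaults are created per instance. A list literal in the
        # signature would be one object shared by every TestInfo, so a
        # mutation through one instance would change the defaults of all.

        # These defaults come from section 3 of PKITS.pdf
        if initial_policy_set is None:
            initial_policy_set = [ANY_POLICY]

        # In all of the tests that are not related to policy processing,
        # each certificate in the path asserts the certificate policy
        # 2.16.840.1.101.3.2.1.48.1
        if user_constrained_policy_set is None:
            user_constrained_policy_set = [TEST_POLICY_1]

        self.should_validate = should_validate
        self.initial_policy_set = initial_policy_set
        self.initial_explicit_policy = initial_explicit_policy
        self.initial_policy_mapping_inhibit = initial_policy_mapping_inhibit
        self.initial_inhibit_any_policy = initial_inhibit_any_policy
        self.user_constrained_policy_set = user_constrained_policy_set
        self.include_subpart_in_test_number = include_subpart_in_test_number


TEST_OVERRIDES = {
    '4.8.1': [ # All Certificates Same Policy Test1
        # 1. default settings, but with initial-explicit-policy set. The path
        # should validate successfully
        TestInfo(True, initial_explicit_policy=True,
                 user_constrained_policy_set=[TEST_POLICY_1]),

        # 2.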
default settings, but with initial-explicit-policy set and 270 # initial-policy-set = {NIST-test-policy-1}. The path should validate 271 # successfully. 272 TestInfo(True, initial_explicit_policy=True, 273 initial_policy_set=[TEST_POLICY_1], 274 user_constrained_policy_set=[TEST_POLICY_1]), 275 276 # 3. default settings, but with initial-explicit-policy set and 277 # initial-policy-set = {NIST-test-policy-2}. The path should not validate 278 # successfully. 279 TestInfo(False, initial_explicit_policy=True, 280 initial_policy_set=[TEST_POLICY_2], 281 user_constrained_policy_set=[]), 282 283 # 4. default settings, but with initial-explicit-policy set and 284 # initial-policy-set = {NIST-test-policy-1, NIST-test-policy-2}. The path 285 # should validate successfully. 286 TestInfo(True, initial_explicit_policy=True, 287 initial_policy_set=[TEST_POLICY_1, TEST_POLICY_2], 288 user_constrained_policy_set=[TEST_POLICY_1]), 289 ], 290 291 '4.8.2': [ # All Certificates No Policies Test2 292 # 1. default settings. The path should validate successfully. 293 TestInfo(True, user_constrained_policy_set=[]), 294 295 # 2. default settings, but with initial-explicit-policy set. The path 296 # should not validate successfully 297 TestInfo(False, initial_explicit_policy=True, 298 user_constrained_policy_set=[]), 299 ], 300 301 '4.8.3': [ # Different Policies Test3 302 # 1. default settings. The path should validate successfully. 303 TestInfo(True, user_constrained_policy_set=[]), 304 305 # 2. default settings, but with initial-explicit-policy set. The path 306 # should not validate successfully. 307 TestInfo(False, initial_explicit_policy=True, user_constrained_policy_set=[]), 308 309 # 3. default settings, but with initial-explicit-policy set and 310 # initial-policy-set = {NIST-test-policy-1, NIST-test-policy-2}. The path 311 # should not validate successfully. 
312 TestInfo(False, initial_explicit_policy=True, 313 initial_policy_set=[TEST_POLICY_1, TEST_POLICY_2], 314 user_constrained_policy_set=[]), 315 ], 316 317 '4.8.4': [ # Different Policies Test4 318 # Procedure: Validate Different Policies Test4 EE using the default 319 # settings or open and verify Signed Test Message 6.2.2.69 using the 320 # default settings. 321 # 322 # Expected Result: The authorities-constrained-policy-set and the 323 # user-constrained-policy-set will be empty. The explicit-policy-indicator 324 # will be set if the application can process the policyConstraints 325 # extension. If the application can process the policyConstraints extension 326 # then the path should not validate successfully. If the application can 327 # not process the policyConstraints extension, then the path should 328 # validate successfully. 329 TestInfo(False, user_constrained_policy_set=[]), 330 ], 331 332 '4.8.5': [ # 4.8.5 Different Policies Test5 333 # Procedure: Validate Different Policies Test5 EE using the default 334 # settings or open and verify Signed Test Message 6.2.2.70 using the 335 # default settings. 336 # 337 # Expected Result: The authorities-constrained-policy-set and the 338 # user-constrained-policy-set will be empty. The explicit-policy-indicator 339 # will be set if the application can process the policyConstraints 340 # extension. If the application can process the policyConstraints extension 341 # then the path should not validate successfully. If the application can 342 # not process the policyConstraints extension, then the path should 343 # validate successfully 344 TestInfo(False, user_constrained_policy_set=[]), 345 ], 346 347 '4.8.6': [ # Overlapping Policies Test6 348 # 1. default settings. The path should validate successfully. 349 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 350 351 # 2. default settings, but with initial-policy-set = {NIST-test-policy-1}. 352 # The path should validate successfully. 
353 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 354 user_constrained_policy_set=[TEST_POLICY_1]), 355 356 # 3. default settings, but with initial-policy-set = {NIST-test-policy-2}. 357 # The path should not validate successfully. 358 TestInfo(False, initial_policy_set=[TEST_POLICY_2], 359 user_constrained_policy_set=[]), 360 ], 361 362 '4.8.7': [ # Different Policies Test7 363 # Procedure: Validate Different Policies Test7 EE using the default 364 # settings or open and verify Signed Test Message 6.2.2.72 using the 365 # default settings. 366 # 367 # Expected Result: The authorities-constrained-policy-set and the 368 # user-constrained-policy-set will be empty. If the 369 # explicit-policy-indicator will be set if the application can process the 370 # policyConstraints extension. If the application can process the 371 # policyConstraints extension, then the path should not validate 372 # successfully. If the application can not process the policyConstraints 373 # extension, then the path should validate successfully. 374 TestInfo(False, user_constrained_policy_set=[]), 375 ], 376 377 '4.8.8': [ # Different Policies Test8 378 # Procedure: Validate Different Policies Test8 EE using the default 379 # settings or open and verify Signed Test Message 6.2.2.73 using the 380 # default settings. 381 # 382 # Expected Result: The authorities-constrained-policy-set and the 383 # user-constrained-policy-set will be empty. The explicit-policy-indicator 384 # will be set if the application can process the policyConstraints 385 # extension. If the application can process the policyConstraints extension 386 # then the path should not validate successfully. If the application can 387 # not process the policyConstraints extension, then the path should 388 # validate successfully. 
389 TestInfo(False, user_constrained_policy_set=[]), 390 ], 391 392 '4.8.9': [ # Different Policies Test9 393 # Procedure: Validate Different Policies Test9 EE using the default 394 # settings or open and verify Signed Test Message 6.2.2.74 using the 395 # default settings. 396 # 397 # Expected Result: The authorities-constrained-policy-set and the 398 # user-constrained-policy-set will be empty. The explicit-policy-indicator 399 # will be set if the application can process the policyConstraints 400 # extension. If the application can process the policyConstraints 401 # extension, then the path should not validate successfully. If the 402 # application can not process the policyConstraints extension, then the 403 # path should validate successfully. 404 TestInfo(False, user_constrained_policy_set=[]), 405 ], 406 407 '4.8.10': [ # All Certificates Same Policies Test10 408 # 1. default settings. The path should validate successfully. 409 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1, TEST_POLICY_2]), 410 411 # 2. default settings, but with initial-policy-set = {NIST-test-policy-1}. 412 # The path should validate successfully. 413 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 414 user_constrained_policy_set=[TEST_POLICY_1]), 415 416 # 3. default settings, but with initial-policy-set = {NIST-test-policy-2}. 417 # The path should validate successfully. 418 TestInfo(True, initial_policy_set=[TEST_POLICY_2], 419 user_constrained_policy_set=[TEST_POLICY_2]), 420 ], 421 422 '4.8.11': [ # All Certificates AnyPolicy Test11 423 # 1. default settings. The path should validate successfully. 424 TestInfo(True, user_constrained_policy_set=[ANY_POLICY]), 425 426 # 2. default settings, but with initial-policy-set = {NIST-test-policy-1}. 427 # The path should validate successfully. 
428 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 429 user_constrained_policy_set=[TEST_POLICY_1]), 430 ], 431 432 '4.8.12': [ # Different Policies Test12 433 # Procedure: Validate Different Policies Test12 EE using the default 434 # settings or open and verify Signed Test Message 6.2.2.77 using the 435 # default settings. 436 # 437 # Expected Result: The authorities-constrained-policy-set and the 438 # user-constrained-policy-set will be empty. The explicit-policy-indicator 439 # will be set if the application can process the policyConstraints 440 # extension. If the application can process the policyConstraints 441 # extension, then the path should not validate successfully. If the 442 # application can not process the policyConstraints extension, then the 443 # path should validate successfully. 444 TestInfo(False, user_constrained_policy_set=[]), 445 ], 446 447 '4.8.13': [ # All Certificates Same Policies Test13 448 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. 449 # The path should validate successfully. 450 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 451 user_constrained_policy_set=[TEST_POLICY_1]), 452 453 # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}. 454 # The path should validate successfully. 455 TestInfo(True, initial_policy_set=[TEST_POLICY_2], 456 user_constrained_policy_set=[TEST_POLICY_2]), 457 458 # 3. default settings, but with initial-policy-set = {NIST-test-policy-3}. 459 # The path should validate successfully. 460 TestInfo(True, initial_policy_set=[TEST_POLICY_3], 461 user_constrained_policy_set=[TEST_POLICY_3]), 462 ], 463 464 '4.8.14': [ # AnyPolicy Test14 465 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. 466 # The path should validate successfully. 467 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 468 user_constrained_policy_set=[TEST_POLICY_1]), 469 470 # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}. 
471 # The path should not validate successfully. 472 TestInfo(False, initial_policy_set=[TEST_POLICY_2], 473 user_constrained_policy_set=[]), 474 ], 475 476 '4.8.15': [ # User Notice Qualifier Test15 477 # Procedure: Validate User Notice Qualifier Test15 EE using the default 478 # settings or open and verify Signed Test Message 6.2.2.80 using the 479 # default settings. 480 # 481 # Expected Result: The authorities-constrained-policy-set will be 482 # {NIST-test-policy-1} and the explicit-policy-indicator will be the same 483 # as the initial-explicit-policy indicator. If the initial-policy-set is 484 # any-policy or otherwise includes NIST-test-policy-1, then the 485 # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the 486 # user-constrained-policy-set will be empty. If the initial-explicit-policy 487 # indicator is set and the initial-policy-set does not include 488 # NIST-test-policy-1, then the path should be rejected, otherwise it should 489 # validate successfully. If the path validates successfully, then the 490 # application should display the user notice. 491 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 492 ], 493 494 '4.8.16': [ # User Notice Qualifier Test16 495 # Procedure: Validate User Notice Qualifier Test16 EE using the default 496 # settings or open and verify Signed Test Message 6.2.2.81 using the 497 # default settings. 498 # 499 # Expected Result: The authorities-constrained-policy-set will be 500 # {NIST-test-policy-1} and the explicit-policy-indicator will be the same 501 # as the initial-explicit-policy indicator. If the initial-policy-set is 502 # any-policy or otherwise includes NIST-test-policy-1, then the 503 # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the 504 # user-constrained-policy-set will be empty. 
If the initial-explicit-policy 505 # indicator is set and the initial-policy-set does not include 506 # NIST-test-policy-1, then the path should be rejected, otherwise it should 507 # validate successfully. If the path validates successfully, then the 508 # application should display the user notice associated with 509 # NIST-test-policy-1. The user notice associated with NIST-test-policy-2 510 # should not be displayed. 511 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 512 ], 513 514 '4.8.17': [ # User Notice Qualifier Test17 515 # Procedure: Validate User Notice Qualifier Test17 EE using the default 516 # settings or open and verify Signed Test Message 6.2.2.82 using the 517 # default settings. 518 # 519 # Expected Result: The authorities-constrained-policy-set will be 520 # {NIST-test-policy-1} and the explicit-policy-indicator will be the same 521 # as the initial-explicit-policy indicator. If the initial-policy-set is 522 # any-policy or otherwise includes NIST-test-policy-1, then the 523 # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the 524 # user-constrained-policy-set will be empty. If the initial-explicit-policy 525 # indicator is set and the initial-policy-set does not include 526 # NIST-test-policy-1, then the path should be rejected, otherwise it should 527 # validate successfully. If the path validates successfully, then the 528 # application should display the user notice associated with anyPolicy. 529 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 530 ], 531 532 '4.8.18': [ # User Notice Qualifier Test18 533 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. 534 # The path should validate successfully and the qualifier associated with 535 # NIST-test-policy-1 in the end entity certificate should be displayed. 536 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 537 user_constrained_policy_set=[TEST_POLICY_1]), 538 539 # 2. 
default settings, but with initial-policy-set = {NIST-test-policy-2}. 540 # The path should validate successfully and the qualifier associated with 541 # anyPolicy in the end entity certificate should be displayed. 542 TestInfo(True, initial_policy_set=[TEST_POLICY_2], 543 user_constrained_policy_set=[TEST_POLICY_2]), 544 ], 545 546 '4.8.19': [ # User Notice Qualifier Test19 547 # Procedure: Validate User Notice Qualifier Test19 EE using the default 548 # settings or open and verify Signed Test Message 6.2.2.84 using the 549 # default settings. 550 # 551 # Expected Result: The authorities-constrained-policy-set will be 552 # {NIST-test-policy-1} and the explicit-policy-indicator will be the same 553 # as the initial-explicit-policy indicator. If the initial-policy-set is 554 # any-policy or otherwise includes NIST-test-policy-1, then the 555 # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the 556 # user-constrained-policy-set will be empty. If the initial-explicit-policy 557 # indicator is set and the initial-policy-set does not include 558 # NIST-test-policy-1, then the path should be rejected, otherwise it should 559 # validate successfully. Since the explicitText exceeds the maximum size 560 # of 200 characters, the application may choose to reject the certificate. 561 # If the application accepts the certificate, display of the user notice is 562 # optional. 563 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 564 ], 565 566 '4.8.20': [ # CPS Pointer Qualifier Test20 567 # Procedure: Validate CPS Pointer Qualifier Test20 EE using the default 568 # settings or open and verify Signed Test Message 6.2.2.85 using the 569 # default settings. (If possible, it is recommended that this test be run 570 # with the initial-explicit-policy indicator set. If this can not be done, 571 # manually check that the authorities-constrained-policy-set and 572 # user-constrained-policy-set are correct.) 
573 # 574 # Expected Result: The authorities-constrained-policy-set will be 575 # {NIST-test-policy-1} and the explicit-policy-indicator will be the same 576 # as the initial-explicit-policy indicator. If the initial-policy-set is 577 # any-policy or otherwise includes NIST-test-policy-1, then the 578 # user-constrained-policy-set will be {NIST-test-policy-1}. If not, the 579 # user-constrained-policy-set will be empty. If the initial-explicit-policy 580 # indicator is set and the initial-policy-set does not include 581 # NIST-test-policy-1, then the path should be rejected, otherwise it should 582 # validate successfully. The CPS pointer in the qualifier should be 583 # associated with NIST-testpolicy-1 in the 584 # authorities-constrained-policy-set (and in the user-constrained-policy-set 585 # if NIST-test-policy-1 is in that set). There are no processing 586 # requirements associated with the CPS pointer qualifier. 587 TestInfo(True, initial_explicit_policy=True, 588 initial_policy_set=[TEST_POLICY_1], 589 user_constrained_policy_set=[TEST_POLICY_1]), 590 ], 591 592 '4.9.1': [ # Valid RequireExplicitPolicy Test1 593 # Procedure: Validate Valid requireExplicitPolicy Test1 EE using the 594 # default settings or open and verify Signed Test Message 6.2.2.86 using 595 # the default settings. 596 # 597 # Expected Result: The path should validate successfully since the 598 # explicit-policy-indicator is not set. 599 TestInfo(True, user_constrained_policy_set=[]), 600 ], 601 602 '4.9.2': [ # Valid RequireExplicitPolicy Test2 603 # Procedure: Validate Valid requireExplicitPolicy Test2 EE using the 604 # default settings or open and verify Signed Test Message 6.2.2.87 using 605 # the default settings. 
606 # 607 # Expected Result: The path should validate successfully since the 608 # explicit-policy-indicator is not set 609 TestInfo(True, user_constrained_policy_set=[]), 610 ], 611 612 '4.9.6': [ # Valid Self-Issued requireExplicitPolicy Test6 613 # Procedure: Validate Valid Self-Issued requireExplicitPolicy Test6 EE using 614 # the default settings or open and verify Signed Test Message 6.2.2.91 using 615 # the default settings. 616 # 617 # Expected Result: The path should validate successfully since the 618 # explicit-policy-indicator is not set. 619 TestInfo(True, user_constrained_policy_set=[]), 620 ], 621 622 '4.10.1': [ # Valid Policy Mapping Test1 623 # The errors in subparts 2 and 3 vary slightly, so we set 624 # include_subpart_in_test_number. 625 626 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. 627 # The path should validate successfully. 628 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 629 user_constrained_policy_set=[TEST_POLICY_1], 630 include_subpart_in_test_number=True), 631 632 # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}. 633 # The path should not validate successfully. 634 TestInfo(False, initial_policy_set=[TEST_POLICY_2], 635 user_constrained_policy_set=[], 636 include_subpart_in_test_number=True), 637 638 # 3. default settings, but with initial-policy-mapping-inhibit set. The 639 # path should not validate successfully. 640 TestInfo(False, initial_policy_mapping_inhibit=True, 641 user_constrained_policy_set=[], 642 include_subpart_in_test_number=True), 643 ], 644 645 '4.10.2': [ # Invalid Policy Mapping Test2 646 # 1. default settings. The path should not validate successfully. 647 TestInfo(False, user_constrained_policy_set=[]), 648 649 # 2. default settings, but with initial-policy-mapping-inhibit set. The 650 # path should not validate successfully. 
651 TestInfo(False, initial_policy_mapping_inhibit=True, 652 user_constrained_policy_set=[]), 653 ], 654 655 '4.10.3': [ # Valid Policy Mapping Test3 656 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. 657 # The path should not validate successfully. 658 TestInfo(False, initial_policy_set=[TEST_POLICY_1], 659 user_constrained_policy_set=[]), 660 661 # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}. 662 # The path should validate successfully. 663 TestInfo(True, initial_policy_set=[TEST_POLICY_2], 664 user_constrained_policy_set=[TEST_POLICY_2]), 665 ], 666 667 '4.10.4': [ # Invalid Policy Mapping Test4 668 # Procedure: Validate Invalid Policy Mapping Test4 EE using the default 669 # settings or open and verify Signed Test Message 6.2.2.97 using the 670 # default settings. 671 # 672 # Expected Result: The authorities-constrained-policy-set and the 673 # user-constrained-policy-set will be empty and the 674 # explicit-policy-indicator will be set (if the application can process the 675 # policyConstraints extension). If the application can process the 676 # policyConstraints extension, then the path should be rejected, otherwise 677 # it should validate successfully. 678 TestInfo(False, user_constrained_policy_set=[]), 679 ], 680 681 '4.10.5': [ # Valid Policy Mapping Test5 682 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. 683 # The path should validate successfully. 684 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 685 user_constrained_policy_set=[TEST_POLICY_1]), 686 687 # 2. default settings, but with initial-policy-set = {NIST-test-policy-6}. 688 # The path should not validate successfully. 689 TestInfo(False, initial_policy_set=[TEST_POLICY_6], 690 user_constrained_policy_set=[]), 691 ], 692 693 '4.10.6': [ # Valid Policy Mapping Test6 694 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. 695 # The path should validate successfully. 
696 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 697 user_constrained_policy_set=[TEST_POLICY_1]), 698 699 # 2. default settings, but with initial-policy-set = {NIST-test-policy-6}. 700 # The path should not validate successfully. 701 TestInfo(False, initial_policy_set=[TEST_POLICY_6], 702 user_constrained_policy_set=[]), 703 ], 704 705 '4.10.7': [ # Invalid Mapping From anyPolicy Test7 706 # Procedure: Validate Invalid Mapping From anyPolicy Test7 EE using the 707 # default settings or open and verify Signed Test Message 6.2.2.100 using 708 # the default settings. 709 # 710 # Expected Result: The path should not validate successfully since the 711 # intermediate certificate includes a policy mapping extension in which 712 # anyPolicy appears as an issuerDomainPolicy. 713 TestInfo(False, user_constrained_policy_set=[]), 714 ], 715 716 '4.10.8': [ # Invalid Mapping To anyPolicy Test8 717 # Procedure: Validate Invalid Mapping To anyPolicy Test8 EE using the 718 # default settings or open and verify Signed Test Message 6.2.2.101 using 719 # the default settings. 720 # 721 # Expected Result: The path should not validate successfully since the 722 # intermediate certificate includes a policy mapping extension in which 723 # anyPolicy appears as an subjectDomainPolicy. 724 TestInfo(False, user_constrained_policy_set=[]), 725 ], 726 727 '4.10.9': [ # Valid Policy Mapping Test9 728 # Procedure: Validate Valid Policy Mapping Test9 EE using the default 729 # settings or open and verify Signed Test Message 6.2.2.102 using the 730 # default settings. 731 # 732 # Expected Result: The authorities-constrained-policy-set will be 733 # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if 734 # the application can process the policyConstraints extension). If the 735 # initial-policy-set is any-policy or otherwise includes 736 # NIST-test-policy-1, then the user-constrained-policy-set will be 737 # {NIST-test-policy-1}. 
If not, the user-constrained-policy-set will be 738 # empty. If the initial-policy-set does not include NIST-test-policy-1 (and 739 # the application can process the policyConstraints extension), then the 740 # path should be rejected, otherwise it should validate successfully. 741 TestInfo(True), 742 ], 743 744 '4.10.10': [ # Invalid Policy Mapping Test10 745 # Procedure: Validate Invalid Policy Mapping Test10 EE using the default 746 # settings or open and verify Signed Test Message 6.2.2.103 using the 747 # default settings. 748 # 749 # Expected Result: The authorities-constrained-policy-set and the 750 # user-constrained-policy-set will be empty and the 751 # explicit-policy-indicator will be set (if the application can process the 752 # policyConstraints extension). If the application can process the 753 # policyConstraints extension, then the path should be rejected, otherwise 754 # it should validate successfully. 755 TestInfo(False, user_constrained_policy_set=[]), 756 ], 757 758 '4.10.11': [ # Valid Policy Mapping Test11 759 # Procedure: Validate Valid Policy Mapping Test11 EE using the default 760 # settings or open and verify Signed Test Message 6.2.2.104 using the 761 # default settings. 762 # 763 # Expected Result: The authorities-constrained-policy-set will be 764 # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if 765 # the application can process the policyConstraints extension). If the 766 # initial-policy-set is any-policy or otherwise includes 767 # NIST-test-policy-1, then the user-constrained-policy-set will be 768 # {NIST-test-policy-1}. If not, the user-constrained-policy-set will be 769 # empty. If the initial-policy-set does not include NIST-test-policy-1 (and 770 # the application can process the policyConstraints extension), then the 771 # path should be rejected, otherwise it should validate successfully. 
772 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 773 ], 774 775 '4.10.12': [ # Valid Policy Mapping Test12 776 # 1. default settings, but with initial-policy-set = {NIST-test-policy-1}. 777 # The path should validate successfully and the application should display 778 # the user notice associated with NIST-test-policy-3 in the end entity 779 # certificate. 780 TestInfo(True, initial_policy_set=[TEST_POLICY_1], 781 user_constrained_policy_set=[TEST_POLICY_1]), 782 783 # 2. default settings, but with initial-policy-set = {NIST-test-policy-2}. 784 # The path should validate successfully and the application should display 785 # the user notice associated with anyPolicy in the end entity certificate. 786 TestInfo(True, initial_policy_set=[TEST_POLICY_2], 787 user_constrained_policy_set=[TEST_POLICY_2]), 788 ], 789 790 '4.10.13': [ # Valid Policy Mapping Test13 791 # Procedure: Validate Valid Policy Mapping Test13 EE using the default 792 # settings or open and verify Signed Test Message 6.2.2.106 using the 793 # default settings. 794 # 795 # Expected Result: The authorities-constrained-policy-set will be 796 # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if 797 # the application can process the policyConstraints extension). If the 798 # initial-policy-set is any-policy or otherwise includes 799 # NIST-test-policy-1, then the user-constrained-policy-set will be 800 # {NIST-test-policy-1}. If not, the user-constrained-policy-set will be 801 # empty. If the initial-policy-set does not include NIST-test-policy-1 (and 802 # the application can process the policyConstraints extension), then the 803 # path should be rejected, otherwise it should validate successfully. If 804 # the path is accepted, the application should display the user notice 805 # associated with NIST-testpolicy-1 in the intermediate certificate. 
806 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 807 808 # While not explicitly divided into sub-parts, the above describes what 809 # should happen given various values of initial-policy-set. Test some 810 # combinations, as these cover an interesting interaction with anyPolicy. 811 # 812 # These extra tests are a regression test for https://crbug.com/1403258. 813 TestInfo(True, initial_policy_set=[TEST_POLICY_1, TEST_POLICY_2], 814 user_constrained_policy_set=[TEST_POLICY_1]), 815 TestInfo(False, initial_policy_set=[TEST_POLICY_2], 816 user_constrained_policy_set=[]), 817 ], 818 819 '4.10.14': [ # Valid Policy Mapping Test14 820 # Procedure: Validate Valid Policy Mapping Test14 EE using the default 821 # settings or open and verify Signed Test Message 6.2.2.107 using the 822 # default settings. 823 # 824 # Expected Result: The authorities-constrained-policy-set will be 825 # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if 826 # the application can process the policyConstraints extension). If the 827 # initial-policy-set is any-policy or otherwise includes 828 # NIST-test-policy-1, then the user-constrained-policy-set will be 829 # {NIST-test-policy-1}. If not, the user-constrained-policy-set will be 830 # empty. If the initial-policy-set does not include NIST-test-policy-1 (and 831 # the application can process the policyConstraints extension), then the 832 # path should be rejected, otherwise it should validate successfully. If 833 # the path is accepted, the application should display the user notice 834 # associated with anyPolicy in the intermediate certificate 835 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 836 ], 837 838 '4.11.1': [ # Invalid inhibitPolicyMapping Test1 839 # Procedure: Validate Invalid inhibitPolicyMapping Test1 EE using the 840 # default settings or open and verify Signed Test Message 6.2.2.108 using 841 # the default settings. 
842 # 843 # Expected Result: The authorities-constrained-policy-set and the 844 # user-constrained-policy-set will be empty. The explicit-policy-indicator 845 # will be set. The path should not validate successfully. 846 TestInfo(False, user_constrained_policy_set=[]), 847 ], 848 849 '4.11.2': [ # Valid inhibitPolicyMapping Test2 850 # Procedure: Validate Valid inhibitPolicyMapping Test2 EE using the default 851 # settings or open and verify Signed Test Message 6.2.2.109 using the 852 # default settings. 853 # 854 # Expected Result: The authorities-constrained-policy-set will be 855 # {NIST-test-policy-1} and the explicit-policy-indicator will be set. If 856 # the initial-policy-set is any-policy or otherwise includes 857 # NIST-test-policy-1, then the path should validate successfully. 858 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 859 ], 860 861 '4.11.3': [ # Invalid inhibitPolicyMapping Test3 862 # Procedure: Validate Invalid inhibitPolicyMapping Test3 EE using the 863 # default settings or open and verify Signed Test Message 6.2.2.110 using 864 # the default settings. 865 # 866 # Expected Result: The authorities-constrained-policy-set and the 867 # user-constrained-policy-set will be empty and the 868 # explicit-policy-indicator will be set. The path should not validate 869 # successfully. 870 TestInfo(False, user_constrained_policy_set=[]), 871 ], 872 873 '4.11.4': [ # Valid inhibitPolicyMapping Test4 874 # Procedure: Validate Valid inhibitPolicyMapping Test4 EE using the default 875 # settings or open and verify Signed Test Message 6.2.2.111 using the 876 # default settings. 877 # 878 # Expected Result: The authorities-constrained-policy-set will be 879 # {NIST-test-policy-2} and the explicit-policy-indicator will be set. If 880 # the initial-policy-set is any-policy or otherwise includes 881 # NIST-test-policy-2, then the path should validate successfully. 
882 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_2]), 883 ], 884 885 '4.11.5': [ # Invalid inhibitPolicyMapping Test5 886 # Procedure: Validate Invalid inhibitPolicyMapping Test5 EE using the 887 # default settings or open and verify Signed Test Message 6.2.2.112 using 888 # the default settings. 889 # 890 # Expected Result: The authorities-constrained-policy-set and the 891 # user-constrained-policy-set will be empty and the 892 # explicit-policy-indicator will be set. The path should not validate 893 # successfully. 894 TestInfo(False, user_constrained_policy_set=[]), 895 ], 896 897 '4.11.6': [ # Invalid inhibitPolicyMapping Test6 898 # Procedure: Validate Invalid inhibitPolicyMapping Test6 EE using the 899 # default settings or open and verify Signed Test Message 6.2.2.113 using 900 # the default settings. 901 # 902 # Expected Result: The authorities-constrained-policy-set and the 903 # user-constrained-policy-set will be empty and the 904 # explicit-policy-indicator will be set. The path should not validate 905 # successfully. 906 TestInfo(False, user_constrained_policy_set=[]), 907 ], 908 909 '4.11.7': [ # Valid Self-Issued inhibitPolicyMapping Test7 910 # Procedure: Validate Valid Self-Issued inhibitPolicyMapping Test7 EE using 911 # the default settings or open and verify Signed Test Message 6.2.2.114 912 # using the default settings. 913 # 914 # Expected Result: The authorities-constrained-policy-set will be 915 # {NIST-test-policy-1} and the explicit-policy-indicator will be set. If 916 # the initial-policy-set is any-policy or otherwise includes 917 # NIST-test-policy-1, then the path should validate successfully. 918 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 919 ], 920 921 '4.11.8': [ # Invalid Self-Issued inhibitPolicyMapping Test8 922 # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test8 EE 923 # using the default settings or open and verify Signed Test Message 924 # 6.2.2.115 using the default settings. 
925 # 926 # Expected Result: The authorities-constrained-policy-set and 927 # user-constrained-policy-set will be empty and the 928 # explicit-policy-indicator will be set. The path should not validate 929 # successfully. 930 TestInfo(False, user_constrained_policy_set=[]), 931 ], 932 933 '4.11.9': [ # Invalid Self-Issued inhibitPolicyMapping Test9 934 # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test9 EE 935 # using the default settings or open and verify Signed Test Message 936 # 6.2.2.116 using the default settings. 937 # 938 # Expected Result: The authorities-constrained-policy-set and 939 # user-constrained-policy-set will be empty and the 940 # explicit-policy-indicator will be set. The path should not validate 941 # successfully. 942 TestInfo(False, user_constrained_policy_set=[]), 943 ], 944 945 '4.11.10': [ # Invalid Self-Issued inhibitPolicyMapping Test10 946 # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test10 EE 947 # using the default settings or open and verify Signed Test Message 948 # 6.2.2.117 using the default settings. 949 # 950 # Expected Result: The authorities-constrained-policy-set and 951 # user-constrained-policy-set will be empty and the 952 # explicit-policy-indicator will be set. The path should not validate 953 # successfully. 954 TestInfo(False, user_constrained_policy_set=[]), 955 ], 956 957 '4.11.11': [ # Invalid Self-Issued inhibitPolicyMapping Test11 958 # Procedure: Validate Invalid Self-Issued inhibitPolicyMapping Test11 EE 959 # using the default settings or open and verify Signed Test Message 960 # 6.2.2.118 using the default settings. 961 # 962 # Expected Result: The authorities-constrained-policy-set and 963 # user-constrained-policy-set will be empty and the 964 # explicit-policy-indicator will be set. The path should not validate 965 # successfully. 
966 TestInfo(False, user_constrained_policy_set=[]), 967 ], 968 969 '4.12.1': [ # Invalid inhibitAnyPolicy Test1 970 # Procedure: Validate Invalid inhibitAnyPolicy Test1 EE using the default 971 # settings or open and verify Signed Test Message 6.2.2.119 using the 972 # default settings. 973 # 974 # Expected Result: The authorities-constrained-policy-set and 975 # user-constrained-policy-set will be empty and the 976 # explicit-policy-indicator will be set (if the application can process the 977 # policyConstraints extension). If the application can process the 978 # policyConstraints extension, then the path should not validate 979 # successfully. 980 TestInfo(False, user_constrained_policy_set=[]), 981 ], 982 983 '4.12.2': [ # Valid inhibitAnyPolicy Test2 984 # Procedure: Validate Valid inhibitAnyPolicy Test2 EE using the default 985 # settings or open and verify Signed Test Message 6.2.2.120 using the 986 # default settings. 987 # 988 # Expected Result: The authorities-constrained-policy-set will be 989 # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if 990 # the application can process the policyConstraints extension). If the 991 # initial-policy-set is any-policy or otherwise includes 992 # NIST-test-policy-1, then the user-constrained-policy-set will be 993 # {NIST-test-policy-1} and the path should validate successfully. If not, 994 # then the user-constrained-policy-set will be empty. If the 995 # user-constrained-policy-set is empty and the application can process the 996 # policyConstraints extension, then the path should not validate 997 # successfully. 998 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 999 ], 1000 1001 '4.12.3': [ # inhibitAnyPolicy Test3 1002 # 1. default settings. The path should validate successfully. 1003 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 1004 1005 # 2. default settings, but with initial-inhibit-any-policy set. The path 1006 # should not validate successfully. 
1007 TestInfo(False, initial_inhibit_any_policy=True, 1008 user_constrained_policy_set=[]), 1009 ], 1010 1011 '4.12.4': [ # Invalid inhibitAnyPolicy Test4 1012 # Procedure: Validate Invalid inhibitAnyPolicy Test4 EE using the default 1013 # settings or open and verify Signed Test Message 6.2.2.122 using the 1014 # default settings. 1015 # 1016 # Expected Result: The authorities-constrained-policy-set and 1017 # user-constrained-policy-set will be empty and the 1018 # explicit-policy-indicator will be set (if the application can process the 1019 # policyConstraints extension). If the application can process the 1020 # policyConstraints extension, then the path should not validate 1021 # successfully. 1022 TestInfo(False, user_constrained_policy_set=[]), 1023 ], 1024 1025 '4.12.5': [ # Invalid inhibitAnyPolicy Test5 1026 # Procedure: Validate Invalid inhibitAnyPolicy Test5 EE using the default 1027 # settings or open and verify Signed Test Message 6.2.2.123 using the 1028 # default settings. 1029 # 1030 # Expected Result: The authorities-constrained-policy-set and 1031 # user-constrained-policy-set will be empty and the 1032 # explicit-policy-indicator will be set (if the application can process the 1033 # policyConstraints extension). If the application can process the 1034 # policyConstraints extension, then the path should not validate 1035 # successfully. 1036 TestInfo(False, user_constrained_policy_set=[]), 1037 ], 1038 1039 '4.12.6': [ # Invalid inhibitAnyPolicy Test6 1040 # Procedure: Validate Invalid inhibitAnyPolicy Test6 EE using the default 1041 # settings or open and verify Signed Test Message 6.2.2.124 using the 1042 # default settings. 1043 # 1044 # Expected Result: The authorities-constrained-policy-set and 1045 # user-constrained-policy-set will be empty and the 1046 # explicit-policy-indicator will be set (if the application can process the 1047 # policyConstraints extension). 
If the application can process the 1048 # policyConstraints extension, then the path should not validate 1049 # successfully. 1050 TestInfo(False, user_constrained_policy_set=[]), 1051 ], 1052 1053 '4.12.7': [ # Valid Self-Issued inhibitAnyPolicy Test7 1054 # Procedure: Validate Valid Self-Issued inhibitAnyPolicy Test7 EE using the 1055 # default settings or open and verify Signed Test Message 6.2.2.125 using 1056 # the default settings. 1057 # 1058 # Expected Result: The authorities-constrained-policy-set will be 1059 # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if 1060 # the application can process the policyConstraints extension). If the 1061 # initial-policy-set is any-policy or otherwise includes 1062 # NIST-test-policy-1, then the user-constrained-policy-set will be 1063 # {NIST-test-policy-1} and the path should validate successfully. If not, 1064 # then the user-constrained-policy-set will be empty. If the 1065 # user-constrained-policy-set is empty and the application can process the 1066 # policyConstraints extension, then the path should not validate 1067 # successfully. 1068 TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]), 1069 ], 1070 1071 '4.12.8': [ # Invalid Self-Issued inhibitAnyPolicy Test8 1072 # Procedure: Validate Invalid Self-Issued inhibitAnyPolicy Test8 EE using 1073 # the default settings or open and verify Signed Test Message 6.2.2.126 1074 # using the default settings. 1075 # 1076 # Expected Result: The authorities-constrained-policy-set and 1077 # user-constrained-policy-set will be empty and the 1078 # explicit-policy-indicator will be set (if the application can process the 1079 # policyConstraints extension). If the application can process the 1080 # policyConstraints extension, then the path should not validate 1081 # successfully. 
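TestInfo(False, user_constrained_policy_set=[]),
  ],

  '4.12.9': [ # Valid Self-Issued inhibitAnyPolicy Test9
    # Procedure: Validate Valid Self-Issued inhibitAnyPolicy Test9 EE using the
    # default settings or open and verify Signed Test Message 6.2.2.127 using
    # the default settings.
    #
    # Expected Result: The authorities-constrained-policy-set will be
    # {NIST-test-policy-1} and the explicit-policy-indicator will be set (if
    # the application can process the policyConstraints extension). If the
    # initial-policy-set is any-policy or otherwise includes
    # NIST-test-policy-1, then the user-constrained-policy-set will be
    # {NIST-test-policy-1} and the path should validate successfully. If not,
    # then the user-constrained-policy-set will be empty. If the
    # user-constrained-policy-set is empty and the application can process the
    # policyConstraints extension, then the path should not validate
    # successfully.
    TestInfo(True, user_constrained_policy_set=[TEST_POLICY_1]),
  ],

  '4.12.10': [ # Invalid Self-Issued inhibitAnyPolicy Test10
    # Procedure: Validate Invalid Self-Issued inhibitAnyPolicy Test10 EE using
    # the default settings or open and verify Signed Test Message 6.2.2.128
    # using the default settings.
    #
    # Expected Result: The authorities-constrained-policy-set and
    # user-constrained-policy-set will be empty and the
    # explicit-policy-indicator will be set (if the application can process the
    # policyConstraints extension). If the application can process the
    # policyConstraints extension, then the path should not validate
    # successfully.
    TestInfo(False, user_constrained_policy_set=[]),
  ],
}


def parse_test(lines, i, test_case_name, test_number, test_name,
               sanitized_test_names, output):
  '''Parses the test description starting at lines[i] and writes its test(s).

  Tests listed in TEST_OVERRIDES are emitted once per override entry; all
  other tests must use the default settings and state a single expectation.
  A description that cannot be classified makes the generator exit with
  status 1 instead of emitting a test with a guessed expectation, so a
  misparsed "should not validate" case can never be generated as a passing
  path.

  Returns the line index handed back by parse_main_test_sections().
  '''
  # Start by doing a coarse level of parsing that separates out the lines for
  # the main sections.
  i, test_sections = parse_main_test_sections(lines, i)

  certs, crls = parse_cert_path_lines(test_sections.cert_path_lines)

  # Most tests have a formulaic specification: they use the default
  # settings, and have one expectation. These are easily parsed and are handled
  # programmatically. In contrast, many of the policies tests have a more
  # complicated specification which involves multiple subtests having various
  # settings, as well as expectations described in terms of supported
  # extensions. Rather than try to handle all the nuanced language, these are
  # handled manually via "overrides".
  overrides = TEST_OVERRIDES.get(test_number, None)

  if overrides is None:
    # Verify that the test description doesn't include numbered subparts (those
    # are not handled here).
    if CUSTOM_SETTINGS_MATCHER.match(" ".join(test_sections.description_lines)):
      sys.stderr.write('Unexpected custom settings for %s\n' % test_number)
      sys.exit(1)

    # Verify that the test is using only default settings.
    procedure_text = " ".join(test_sections.procedure_lines)
    if not USING_DEFAULT_SETTINGS_MATCHER.match(procedure_text):
      # The original message formatted `test_section.procedure_lines`, an
      # undefined name, so this error path raised NameError instead of
      # reporting the offending procedure text.
      sys.stderr.write('Unexpected procedure for %s: %s\n' %
                       (test_number, procedure_text))
      sys.exit(1)

    # Check whether expected result is validation success or failure.
    result_match = TEST_RESULT_MATCHER.match(
        test_sections.expected_result_lines[0])
    if not result_match:
      sys.stderr.write('Unknown expectation for %s:\n%s\n' % (
          test_number, " ".join(test_sections.expected_result_lines)))
      sys.exit(1)
    # Initializes with default settings.
    info = TestInfo(result_match.group(1) == 'should validate')

    # Special case the 4.9 test failures (require explicit policy) to set
    # user_constrained_policy_set to empty. This is only done for the 4.9
    # tests, because the other policy tests are special cased as overrides and
    # hence set this manually on a per-test basis.
    #
    # user_constrained_policy_set enumerates the subset of the initial policy
    # set (anyPolicy in the default case) that were valid for the path. For
    # non-policy tests the expectation for user_constrained_policy_set is
    # [TEST_POLICY_1] since each policy asserts that. However for these tests,
    # the expectation is an empty user_constrained_policy_set since there was
    # no valid policy for the path (in fact, that is why the path validation is
    # expected to fail).
    if test_number.startswith('4.9.') and not info.should_validate:
      info.user_constrained_policy_set = []

    output_test(test_case_name, test_number, test_name, None, info, certs,
                crls, sanitized_test_names, output)
  else:
    # The overrides may have a series of inputs (settings) and outputs
    # (success/failure) for this test. Output each as a separate test case.
    # If the test has only 1 subpart, don't number it.
    number_subparts = len(overrides) > 1
    for subpart_i, info in enumerate(overrides, start=1):
      subpart_number = subpart_i if number_subparts else None
      output_test(test_case_name, test_number, test_name, subpart_number, info,
                  certs, crls, sanitized_test_names, output)

  return i


def main():
  '''Converts the PKITS PDF to text and writes the generated test header.

  Expects exactly two command-line arguments: the path of the PKITS PDF and
  the path of the header file to write.
  '''
  if len(sys.argv) != 3:
    sys.stderr.write('Usage: %s <PKITS.pdf> <output.h>\n' % sys.argv[0])
    sys.exit(1)
  pkits_pdf_path, output_path = sys.argv[1:]

  # The context manager closes (and thereby deletes) the temporary file even
  # when pdftotext fails.
  with tempfile.NamedTemporaryFile() as pkits_txt_file:
    # pdftotext is started from an argument list, not a shell string, so the
    # PDF path from the command line is passed as one argv element and is
    # never interpreted by a shell.
    subprocess.check_call(['pdftotext', '-layout', '-nopgbrk', '-eol', 'unix',
                           pkits_pdf_path, pkits_txt_file.name])

    test_descriptions = pkits_txt_file.read().decode('utf-8')

  # Extract section 4 of the text, which is the part that contains the tests.
  test_descriptions = test_descriptions.split(
      '4 Certification Path Validation Tests')[-1]
  test_descriptions = test_descriptions.split(
      '5 Relationship to Previous Test Suite', 1)[0]

  # `with` flushes and closes the generated header on every exit path,
  # including the sys.exit(1) calls made while parsing.
  with open(output_path, 'w') as output:
    output.write('// Autogenerated by %s, do not edit\n\n' % sys.argv[0])
    output.write("""
// This file intentionally does not have header guards, it's intended to
// be inlined in another header file. The following line silences a
// presubmit warning that would otherwise be triggered by this:
// no-include-guard-because-multiply-included
// NOLINT(build/header_guard)\n\n""")
    output.write('// Hack to allow disabling type parameterized test cases.\n'
                 '// See https://github.com/google/googletest/issues/389\n')
    output.write('#define WRAPPED_TYPED_TEST_P(CaseName, TestName) '
                 'TYPED_TEST_P(CaseName, TestName)\n')
    output.write('#define WRAPPED_REGISTER_TYPED_TEST_SUITE_P(CaseName, ...) '
                 'REGISTER_TYPED_TEST_SUITE_P(CaseName, __VA_ARGS__)\n\n')

    test_case_name = None
    sanitized_test_names = []

    lines = test_descriptions.splitlines()

    i = 0
    while i < len(lines):
      section_match = SECTION_MATCHER.match(lines[i])
      match = TEST_MATCHER.match(lines[i])
      i += 1

      if section_match:
        # A new section starts: close the previous test suite, if any.
        if test_case_name:
          finalize_test_case(test_case_name, sanitized_test_names, output)
          sanitized_test_names = []

        test_case_name = 'PkitsTest%02d%s' % (
            int(section_match.group(1).split('.')[-1]),
            sanitize_name(section_match.group(2)))
        output.write('\ntemplate <typename PkitsTestDelegate>\n')
        output.write('class %s : public PkitsTest<PkitsTestDelegate> {};\n' %
                     test_case_name)
        output.write('TYPED_TEST_SUITE_P(%s);\n' % test_case_name)

      if match:
        test_number = match.group(1)
        test_name = match.group(2)
        if not test_case_name:
          output.write('// Skipped %s %s\n' % (test_number, test_name))
          continue
        # The original statement was `i, parse_test(...)`, a tuple expression
        # that discarded the returned index, so the lines of every test were
        # scanned a second time for section and test headers.
        # NOTE(review): assumes the returned index is the first line that
        # parse_main_test_sections() did not consume; its definition is not
        # visible here, confirm before regenerating the header.
        i = parse_test(lines, i, test_case_name, test_number,
                       test_name, sanitized_test_names, output)

    if test_case_name:
      finalize_test_case(test_case_name, sanitized_test_names, output)


if __name__ == '__main__':
  main()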