From 2d5acbb5df9ba1ed8e643b22da94ff82e6a39d93 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Wed, 23 Aug 2023 07:53:21 +0200 Subject: [PATCH] public_key: Verify the policy trees Closes #6198 --- lib/public_key/test/pkits_SUITE.erl | 716 ++++++++++++++++++++++------ 1 file changed, 578 insertions(+), 138 deletions(-) diff --git a/lib/public_key/test/pkits_SUITE.erl b/lib/public_key/test/pkits_SUITE.erl index 5d53dd2d1ba7..2e051baf7f07 100644 --- a/lib/public_key/test/pkits_SUITE.erl +++ b/lib/public_key/test/pkits_SUITE.erl @@ -282,10 +282,23 @@ -define(NIST5, "2.16.840.1.101.3.2.1.48.5"). -define(NIST6, "2.16.840.1.101.3.2.1.48.6"). +-define(NIST1_OID, {2,16,840,1,101,3,2,1,48,1}). +-define(NIST2_OID, {2,16,840,1,101,3,2,1,48,2}). +-define(NIST3_OID, {2,16,840,1,101,3,2,1,48,3}). +-define(NIST4_OID, {2,16,840,1,101,3,2,1,48,4}). +-define(NIST5_OID, {2,16,840,1,101,3,2,1,48,5}). +-define(NIST6_OID, {2,16,840,1,101,3,2,1,48,6}). +-define(NIST7_OID, {2,16,840,1,101,3,2,1,48,7}). +-define(NIST8_OID, {2,16,840,1,101,3,2,1,48,8}). + +-define(POLICY_ROOT, [[{expected_policy_set,[?anyPolicy]}, + {valid_policy, ?anyPolicy} + ]]). + -record(verify_state, { - crls, - crl_paths, - revoke_state}). + crls, + crl_paths, + revoke_state}). %%-------------------------------------------------------------------- %% Common Test interface functions ----------------------------------- %%-------------------------------------------------------------------- @@ -1084,7 +1097,8 @@ valid_policy_mapping_11(Config) when is_list(Config)-> valid_policy_mapping_12() -> [{doc, ""}]. valid_policy_mapping_12(Config) when is_list(Config)-> - run([{"4.10.12", "Valid Policy Mapping Test12 EE", ok} + run([{"4.10.12.1", "Valid Policy Mapping Test12 EE", ok}, + {"4.10.12.2", "Valid Policy Mapping Test12 EE", ok} ]). valid_policy_mapping_13() -> 
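Review bot: The new `?NIST1_OID`…`?NIST8_OID` tuples in the first hunk restate by hand the dotted strings the file already keeps in `?NIST5`/`?NIST6` (and presumably `?NIST1`–`?NIST4`), even though `oidify/1` further down in this file already converts the string form to a tuple. With two hand-written copies, a typo in one arc would make a policy-tree assertion compare against the wrong policy OID without any compile-time signal. `?NIST7_OID` is defined but not referenced anywhere in this patch. `?POLICY_ROOT` would also benefit from a one-line comment, for example `%% Expected root level of every policy tree: a single node whose valid_policy is anyPolicy`.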
@@ -1471,12 +1485,15 @@ run(Tests) -> run({Chap, Test, Result}, TA) -> run({Chap, Test, Result, read_certs(Test)}, TA); run({Chap, Test, Result, CertsBody}, TA) -> + TestStr = lists:flatten(io_lib:format("Running ~p ~p ~n", [Chap, Test])), + ct:pal("~s", [TestStr]), CertChain = cas(Chap) ++ CertsBody, Options = path_validation_options(Chap), try public_key:pkix_path_validation(TA, CertChain, Options) of - {Result, _} -> ok; + {Result, {_, PolicyTree}} -> + validate_policy_tree(Chap, PolicyTree); {error,Result} when Result =/= ok -> - ok; + ok; {error, Error} -> ?error(" ~p ~p~n Expected ~p got ~p ~n", [Chap, Test, Result, Error]), fail; @@ -1497,20 +1514,20 @@ run(Tests,TA) when is_list(Tests) -> path_validation_options(Chap) -> Options = case needs_crl_options(Chap) of - true -> - crl_options(Chap); - false -> - Fun = - fun(_,{bad_cert, _} = Reason, _) -> - {fail, Reason}; - (_,{extension, _}, UserState) -> - {unknown, UserState}; - (_, Valid, UserState) when Valid == valid; - Valid == valid_peer -> - {valid, UserState} - end, - [{verify_fun, {Fun, []}}] - end, + true -> + crl_options(Chap); + false -> + Fun = + fun(_,{bad_cert, _} = Reason, _) -> + {fail, Reason}; + (_,{extension, _}, UserState) -> + {unknown, UserState}; + (_, Valid, UserState) when Valid == valid; + Valid == valid_peer -> + {valid, UserState} + end, + [{verify_fun, {Fun, []}}] + end, policy_options(Chap, Options). -spec read_certs(TestCase :: string()) -> [CertificateContent :: binary()]. @@ -2257,7 +2274,8 @@ intermidiate_cas(Chap) when Chap == "4.10.10"; "Good subCA PanyPolicy Mapping 1to2 CA Cert", "Good CA Cert" ]; -intermidiate_cas(Chap) when Chap == "4.10.12" -> +intermidiate_cas(Chap) when Chap == "4.10.12.1"; + Chap == "4.10.12.2" -> [ "P12 Mapping 1to3 CA Cert" ]; 
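Review bot: The two added logging lines in `run/2` format the string by hand before passing it to `ct:pal/2`, which already takes a format string and arguments; `ct:pal("Running ~p ~p", [Chap, Test])` does the same in one line, and `ct:log/2` would keep the per-case trace out of the console if that is preferred. In the new success clause, `validate_policy_tree(Chap, PolicyTree)` runs in the `of` section of the `try`, so a failure there leaves `run/2` as an exception, whereas the `{error, Error}` clause just below reports through `?error(...)` and returns `fail`. A short comment such as `%% a policy tree mismatch aborts the test case by exception` would show that the difference is intended. The rest of `run/2` lies outside the hunk.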
@@ -2267,57 +2285,57 @@ intermidiate_cas(Chap) when Chap == "4.10.13"; "P1anyPolicy Mapping 1to2 CA Cert" ]; intermidiate_cas(Chap) when Chap == "4.11.1" -> - [ - "inhibitPolicyMapping0 subCA Cert", - "inhibitPolicyMapping0 CA Cert" - ]; + [ + "inhibitPolicyMapping0 subCA Cert", + "inhibitPolicyMapping0 CA Cert" + ]; intermidiate_cas(Chap) when Chap == "4.11.2" -> - [ - "inhibitPolicyMapping1 P12 subCA Cert", - "inhibitPolicyMapping1 P12 CA Cert" - ]; + [ + "inhibitPolicyMapping1 P12 subCA Cert", + "inhibitPolicyMapping1 P12 CA Cert" + ]; intermidiate_cas(Chap) when Chap == "4.11.3"; Chap == "4.11.4" -> - [ - "inhibitPolicyMapping1 P12 subsubCA Cert", - "inhibitPolicyMapping1 P12 subCA Cert", - "inhibitPolicyMapping1 P12 CA Cert" - ]; + [ + "inhibitPolicyMapping1 P12 subsubCA Cert", + "inhibitPolicyMapping1 P12 subCA Cert", + "inhibitPolicyMapping1 P12 CA Cert" + ]; intermidiate_cas(Chap) when Chap == "4.11.5" -> - [ - "inhibitPolicyMapping5 subsubsubCA Cert", - "inhibitPolicyMapping5 subsubCA Cert", - "inhibitPolicyMapping5 subCA Cert", - "inhibitPolicyMapping5 CA Cert" - ]; + [ + "inhibitPolicyMapping5 subsubsubCA Cert", + "inhibitPolicyMapping5 subsubCA Cert", + "inhibitPolicyMapping5 subCA Cert", + "inhibitPolicyMapping5 CA Cert" + ]; intermidiate_cas(Chap) when Chap == "4.11.6" -> - [ - "inhibitPolicyMapping1 P12 subsubCAIPM5 Cert", - "inhibitPolicyMapping1 P12 subCAIPM5 Cert", - "inhibitPolicyMapping1 P12 CA Cert" - ]; + [ + "inhibitPolicyMapping1 P12 subsubCAIPM5 Cert", + "inhibitPolicyMapping1 P12 subCAIPM5 Cert", + "inhibitPolicyMapping1 P12 CA Cert" + ]; intermidiate_cas(Chap) when Chap == "4.11.7" -> - [ - "inhibitPolicyMapping1 P1 subCA Cert", - "inhibitPolicyMapping1 P1 Self-Issued CA Cert", - "inhibitPolicyMapping1 P1 CA Cert" - ]; + [ + "inhibitPolicyMapping1 P1 subCA Cert", + "inhibitPolicyMapping1 P1 Self-Issued CA Cert", + "inhibitPolicyMapping1 P1 CA Cert" + ]; intermidiate_cas(Chap) when Chap == "4.11.8"; Chap == "4.11.9" -> - [ - 
"inhibitPolicyMapping1 P1 subsubCA Cert", - "inhibitPolicyMapping1 P1 subCA Cert", - "inhibitPolicyMapping1 P1 Self-Issued CA Cert ", - "inhibitPolicyMapping1 P1 CA Cert" - ]; + [ + "inhibitPolicyMapping1 P1 subsubCA Cert", + "inhibitPolicyMapping1 P1 subCA Cert", + "inhibitPolicyMapping1 P1 Self-Issued CA Cert ", + "inhibitPolicyMapping1 P1 CA Cert" + ]; intermidiate_cas(Chap) when Chap == "4.11.10"; Chap == "4.11.11" -> - [ - "inhibitPolicyMapping1 P1 Self-Issued subCA Cert", - "inhibitPolicyMapping1 P1 subCA Cert", - "inhibitPolicyMapping1 P1 Self-Issued CA Cert", - "inhibitPolicyMapping1 P1 CA Cert" - ]; + [ + "inhibitPolicyMapping1 P1 Self-Issued subCA Cert", + "inhibitPolicyMapping1 P1 subCA Cert", + "inhibitPolicyMapping1 P1 Self-Issued CA Cert", + "inhibitPolicyMapping1 P1 CA Cert" + ]; intermidiate_cas(Chap) when Chap == "4.12.1"; Chap == "4.12.2" -> ["inhibitAnyPolicy0 CA Cert"]; 
@@ -2362,95 +2380,95 @@ crl_names("4.4.2") -> crl_names("4.4.3") -> ["Trust Anchor Root CRL", "Good CA CRL", "Revoked subCA CRL"]; crl_names("4.4.4") -> - ["Trust Anchor Root CRL", "Bad CRL Signature CA CRL"]; + ["Trust Anchor Root CRL", "Bad CRL Signature CA CRL"]; crl_names("4.4.5") -> - ["Trust Anchor Root CRL", "Bad CRL Issuer Name CA CRL"]; + ["Trust Anchor Root CRL", "Bad CRL Issuer Name CA CRL"]; crl_names("4.4.6") -> - ["Trust Anchor Root CRL", "Wrong CRL CA CRL"]; + ["Trust Anchor Root CRL", "Wrong CRL CA CRL"]; crl_names("4.4.7") -> - ["Trust Anchor Root CRL", "Two CRLs CA Good CRL", "Two CRLs CA Bad CRL"]; + ["Trust Anchor Root CRL", "Two CRLs CA Good CRL", "Two CRLs CA Bad CRL"]; crl_names("4.4.8") -> - ["Trust Anchor Root CRL", "Unknown CRL Entry Extension CA CRL"]; + ["Trust Anchor Root CRL", "Unknown CRL Entry Extension CA CRL"]; crl_names(Chap) when Chap == "4.4.9"; - Chap == "4.4.10"-> - ["Trust Anchor Root CRL", "Unknown CRL Extension CA CRL"]; + Chap == "4.4.10"-> + ["Trust Anchor Root CRL", "Unknown CRL Extension CA CRL"]; crl_names("4.4.11") -> - ["Trust Anchor Root CRL", "Old CRL nextUpdate CA CRL"]; + ["Trust Anchor Root CRL", "Old CRL nextUpdate CA CRL"]; crl_names("4.4.12") -> - ["Trust Anchor Root CRL", "pre2000 CRL nextUpdate CA CRL"]; + ["Trust Anchor Root CRL", "pre2000 CRL nextUpdate CA CRL"]; crl_names("4.4.13") -> - ["Trust Anchor Root CRL", "GeneralizedTime CRL nextUpdate CA CRL"]; + ["Trust Anchor Root CRL", "GeneralizedTime CRL nextUpdate CA CRL"]; crl_names(Chap) when Chap == "4.4.14"; - Chap == "4.4.15"-> + Chap == "4.4.15"-> ["Trust Anchor Root CRL", "Negative Serial Number CA CRL"]; crl_names(Chap) when Chap == "4.4.16"; - Chap == "4.4.17"; - Chap == "4.4.18" -> + Chap == "4.4.17"; + Chap == "4.4.18" -> ["Trust Anchor Root CRL", "Long Serial Number CA CRL"]; crl_names(Chap)when Chap == "4.4.19"; - Chap == "4.4.20" -> + Chap == "4.4.20" -> ["Trust Anchor Root CRL", "Separate Certificate and CRL Keys CRL"]; crl_names("4.4.21") 
-> - ["Trust Anchor Root CRL", "Separate Certificate and CRL Keys CA2 CRL"]; + ["Trust Anchor Root CRL", "Separate Certificate and CRL Keys CA2 CRL"]; crl_names(Chap) when Chap == "4.5.1"; Chap == "4.5.2"-> - ["Trust Anchor Root CRL", "Basic Self-Issued New Key CA CRL"]; + ["Trust Anchor Root CRL", "Basic Self-Issued New Key CA CRL"]; crl_names(Chap) when Chap == "4.5.3"; - Chap == "4.5.4"; - Chap == "4.5.5" -> - ["Trust Anchor Root CRL", "Basic Self-Issued Old Key Self-Issued Cert CRL", - "Basic Self-Issued Old Key CA CRL"]; + Chap == "4.5.4"; + Chap == "4.5.5" -> + ["Trust Anchor Root CRL", "Basic Self-Issued Old Key Self-Issued Cert CRL", + "Basic Self-Issued Old Key CA CRL"]; crl_names(Chap) when Chap == "4.5.6"; Chap == "4.5.7"; Chap == "4.5.8" -> - ["Trust Anchor Root CRL", "Basic Self-Issued CRL Signing Key CRL Cert CRL", - "Basic Self-Issued CRL Signing Key CA CRL" - ]; + ["Trust Anchor Root CRL", "Basic Self-Issued CRL Signing Key CRL Cert CRL", + "Basic Self-Issued CRL Signing Key CA CRL" + ]; crl_names("4.7.4") -> - ["Trust Anchor Root CRL", "keyUsage Critical cRLSign False CA CRL"]; + ["Trust Anchor Root CRL", "keyUsage Critical cRLSign False CA CRL"]; crl_names("4.7.5") -> - ["Trust Anchor Root CRL", "keyUsage Not Critical cRLSign False CA CRL"]; + ["Trust Anchor Root CRL", "keyUsage Not Critical cRLSign False CA CRL"]; crl_names(Chap) when Chap == "4.14.1"; - Chap == "4.14.2"; - Chap == "4.14.3"; - Chap == "4.14.4" -> + Chap == "4.14.2"; + Chap == "4.14.3"; + Chap == "4.14.4" -> ["Trust Anchor Root CRL", "distributionPoint1 CA CRL"]; crl_names(Chap) when Chap == "4.14.5"; - Chap == "4.14.6"; - Chap == "4.14.7"; - Chap == "4.14.8"; - Chap == "4.14.9" -> + Chap == "4.14.6"; + Chap == "4.14.7"; + Chap == "4.14.8"; + Chap == "4.14.9" -> ["Trust Anchor Root CRL", "distributionPoint2 CA CRL"]; crl_names("4.14.10") -> - ["Trust Anchor Root CRL", "No issuingDistributionPoint CA CRL"]; + ["Trust Anchor Root CRL", "No issuingDistributionPoint CA CRL"]; 
crl_names("4.14.11") -> - ["Trust Anchor Root CRL", "onlyContainsUserCerts CA CRL"]; + ["Trust Anchor Root CRL", "onlyContainsUserCerts CA CRL"]; crl_names(Chap) when Chap == "4.14.12"; - Chap == "4.14.13" -> + Chap == "4.14.13" -> ["Trust Anchor Root CRL", "onlyContainsCACerts CA CRL"]; crl_names("4.14.14") -> ["Trust Anchor Root CRL", "onlyContainsAttributeCerts CA CRL"]; crl_names(Chap) when Chap == "4.14.15"; - Chap == "4.14.16" -> - ["Trust Anchor Root CRL", "onlySomeReasons CA1 compromise CRL", - "onlySomeReasons CA1 other reasons CRL"]; + Chap == "4.14.16" -> + ["Trust Anchor Root CRL", "onlySomeReasons CA1 compromise CRL", + "onlySomeReasons CA1 other reasons CRL"]; crl_names("4.14.17") -> - ["Trust Anchor Root CRL", - "onlySomeReasons CA2 CRL1", "onlySomeReasons CA2 CRL2"]; + ["Trust Anchor Root CRL", + "onlySomeReasons CA2 CRL1", "onlySomeReasons CA2 CRL2"]; crl_names("4.14.18") -> - ["Trust Anchor Root CRL", - "onlySomeReasons CA3 compromise CRL", "onlySomeReasons CA3 other reasons CRL"]; + ["Trust Anchor Root CRL", + "onlySomeReasons CA3 compromise CRL", "onlySomeReasons CA3 other reasons CRL"]; crl_names(Chap) when Chap == "4.14.19"; - Chap == "4.14.20"; - Chap == "4.14.21" -> - ["Trust Anchor Root CRL", "onlySomeReasons CA4 compromise CRL", - "onlySomeReasons CA4 other reasons CRL"]; + Chap == "4.14.20"; + Chap == "4.14.21" -> + ["Trust Anchor Root CRL", "onlySomeReasons CA4 compromise CRL", + "onlySomeReasons CA4 other reasons CRL"]; crl_names(Chap) when Chap == "4.14.22"; - Chap == "4.14.23"; - Chap == "4.14.24"; - Chap == "4.14.25"; - Chap == "4.14.26" -> - ["Trust Anchor Root CRL", "indirectCRL CA1 CRL"]; + Chap == "4.14.23"; + Chap == "4.14.24"; + Chap == "4.14.25"; + Chap == "4.14.26" -> + ["Trust Anchor Root CRL", "indirectCRL CA1 CRL"]; crl_names(Chap) when Chap == "4.14.27"; Chap == "4.8.1.1"; Chap == "4.8.1.2"; 
@@ -2464,25 +2482,25 @@ crl_names(Chap) when Chap == "4.14.28"; Chap == "4.14.29" -> ["Trust Anchor Root CRL", "indirectCRL CA3 CRL", "indirectCRL CA3 cRLIssuer CRL"]; crl_names("4.14.30") -> - ["Trust Anchor Root CRL", "indirectCRL CA4 cRLIssuer CRL"]; + ["Trust Anchor Root CRL", "indirectCRL CA4 cRLIssuer CRL"]; crl_names(Chap) when Chap == "4.14.31"; - Chap == "4.14.32"; - Chap == "4.14.33"; - Chap == "4.14.34"; - Chap == "4.14.35" -> - ["Trust Anchor Root CRL", "indirectCRL CA5 CRL"]; + Chap == "4.14.32"; + Chap == "4.14.33"; + Chap == "4.14.34"; + Chap == "4.14.35" -> + ["Trust Anchor Root CRL", "indirectCRL CA5 CRL"]; crl_names("4.15.1") -> - ["Trust Anchor Root CRL", "deltaCRLIndicator No Base CA CRL"]; + ["Trust Anchor Root CRL", "deltaCRLIndicator No Base CA CRL"]; crl_names(Chap) when Chap == "4.15.2"; - Chap == "4.15.3"; - Chap == "4.15.4"; - Chap == "4.15.5"; - Chap == "4.15.6"; - Chap == "4.15.7" -> + Chap == "4.15.3"; + Chap == "4.15.4"; + Chap == "4.15.5"; + Chap == "4.15.6"; + Chap == "4.15.7" -> ["Trust Anchor Root CRL", "deltaCRL CA1 CRL", "deltaCRL CA1 deltaCRL"]; crl_names(Chap) when Chap == "4.15.8"; - Chap == "4.15.9" -> - ["Trust Anchor Root CRL", "deltaCRL CA2 CRL", "deltaCRL CA2 deltaCRL"]; + Chap == "4.15.9" -> + ["Trust Anchor Root CRL", "deltaCRL CA2 CRL", "deltaCRL CA2 deltaCRL"]; crl_names("4.15.10") -> ["Trust Anchor Root CRL", "deltaCRL CA3 CRL", "deltaCRL CA3 deltaCRL"]; crl_names(Chap) when Chap == "4.8.2.1"; @@ -2553,7 +2571,7 @@ crl_names(Chap) when Chap == "4.9.3" -> "requireExplicitPolicy4 subsubsubCA CRL" ]; crl_names(Chap) when Chap == "4.9.4" -> - ["Trust Anchor Root CRL", + ["Trust Anchor Root CRL", "requireExplicitPolicy0 CA CRL" "requireExplicitPolicy0 subCA CRL", "requireExplicitPolicy0 subsubCA CRL", 
@@ -2591,7 +2609,7 @@ crl_names(Chap) when Chap == "4.10.3.1"; ]; crl_names(Chap) when Chap == "4.10.5.1"; Chap == "4.10.5.2" -> - ["Trust Anchor Root CRL", + ["Trust Anchor Root CRL", "P1 Mapping 1to234 CA CRL", "P1 Mapping 1to234 subCA CRL" ]; @@ -2599,7 +2617,7 @@ crl_names(Chap) when Chap == "4.10.5.1"; Chap == "4.10.5.2"; Chap == "4.10.6.1"; Chap == "4.10.6.2" -> - ["Trust Anchor Root CRL", + ["Trust Anchor Root CRL", "P1 Mapping 1to234 CA CRL", "P1 Mapping 1to234 subCA CRL" ]; @@ -2675,8 +2693,8 @@ crl_names(Chap) when Chap == "4.11.8"; crl_names(Chap) when Chap == "4.11.10"; Chap == "4.11.11" -> ["Trust Anchor Root CRL", - "inhibitPolicyMapping1 P1 CA CRL", - "inhibitPolicyMapping1 P1 subCA CRL"]; + "inhibitPolicyMapping1 P1 CA CRL", + "inhibitPolicyMapping1 P1 subCA CRL"]; crl_names(Chap) when Chap == "4.12.1"; Chap == "4.12.2" -> ["Trust Anchor Root CRL", @@ -2708,7 +2726,7 @@ crl_names(Chap) when Chap == "4.12.8" -> "inhibitAnyPolicy1 CA CRL", "inhibitAnyPolicy1 subCA2 CRL" "inhibitAnyPolicy1 subsubCA2 CRL" -]; + ]; crl_names(Chap) when Chap == "4.12.9"; Chap == "4.12.10" -> ["Trust Anchor Root CRL" @@ -2738,7 +2756,7 @@ crl_path("Separate Certificate and CRL Keys CA2 CRL") -> crl_path("Basic Self-Issued Old Key Self-Issued Cert CRL") -> ["Basic Self-Issued Old Key CA Cert"]; crl_path("Basic Self-Issued Old Key CA CRL") -> - ["Basic Self-Issued Old Key CA Cert", "Basic Self-Issued Old Key NewWithOld CA Cert"]; + ["Basic Self-Issued Old Key CA Cert", "Basic Self-Issued Old Key NewWithOld CA Cert"]; crl_path("Basic Self-Issued CRL Signing Key CRL Cert CRL") -> ["Basic Self-Issued CRL Signing Key CA Cert"]; @@ -2775,7 +2793,7 @@ crl_path(CRL) -> [Base ++ "Cert"]. crls(CRLS) -> - lists:foldl(fun([], Acc) -> + lists:foldl(fun([], Acc) -> Acc; (CRLFile, Acc) -> [CRL] = read_crls(CRLFile), 
@@ -2799,12 +2817,13 @@ policy_options(Chap, Options) when Chap == "4.8.1.1"; Chap == "4.9.8"; Chap == "4.12.1"; Chap == "4.12.2"; - Chap == "4.8.10.1"-> + Chap == "4.8.10.1"; + Chap == "4.8.11.1" -> [{explicit_policy, true} | Options]; policy_options(Chap, Options) when Chap == "4.8.1.2"; Chap == "4.8.6.2"; Chap == "4.8.10.2"; - Chap == "4.8.11.1"; + Chap == "4.8.11.2"; Chap == "4.8.13.1"; Chap == "4.8.14.1"; Chap == "4.10.1.1"; @@ -2818,7 +2837,6 @@ policy_options(Chap, Options) when Chap == "4.8.1.2"; policy_options(Chap, Options) when Chap == "4.8.1.3"; Chap == "4.8.6.3"; Chap == "4.8.10.3"; - Chap == "4.8.11.2"; Chap == "4.8.13.2"; Chap == "4.8.14.2"; Chap == "4.8.18.2"; 
@@ -2866,3 +2884,425 @@ oidify(Oid) when is_list(Oid) -> Tokens = string:tokens(Oid, "$."), OidList = [list_to_integer(StrInt) || StrInt <- Tokens], list_to_tuple(OidList). + +validate_policy_tree(Chap, Tree) -> + case Chap of + "4.8" ++ _ -> + do_validate_policy_tree(Chap, Tree); + "4.9" ++ _ -> + do_validate_policy_tree(Chap, Tree); + "4.10" ++ _ -> + do_validate_policy_tree(Chap, Tree); + "4.11" ++ _ -> + do_validate_policy_tree(Chap, Tree); + "4.12" ++ _ -> + do_validate_policy_tree(Chap, Tree); + _ -> + true + end, + ok. + +do_validate_policy_tree(Chap, Tree) when Chap == "4.8.1.1"; + Chap == "4.8.1.2"; + Chap == "4.8.1.4" -> + validate_level([ + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy,?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}] + ], + ?POLICY_ROOT + ], + Tree); +do_validate_policy_tree(Chap, Tree) when Chap == "4.8.2.1" -> + validate_level([ + ?POLICY_ROOT + ], + Tree); +do_validate_policy_tree("4.8.3.1", [[]]) -> + ok; +do_validate_policy_tree(Chap, Tree) when Chap == "4.8.6.1"; + Chap == "4.8.6.2"; + Chap == "4.12.7" -> + validate_level([ + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy,?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.8.10.1", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}], + [{expected_policy_set,[?NIST2_OID]}, + {valid_policy, ?NIST2_OID}] + ], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}], + [{expected_policy_set,[?NIST2_OID]}, + {valid_policy, ?NIST2_OID}] + ], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree(Chap, Tree) when Chap == "4.8.10.2"; + Chap == "4.8.13.1"; + Chap == "4.8.16"-> + validate_level([ + [[{expected_policy_set, [?NIST1_OID]}, + 
{valid_policy, ?NIST1_OID}] + ], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}] + ], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.8.10.3", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST2_OID]}, + {valid_policy, ?NIST2_OID}] + ], + [[{expected_policy_set, [?NIST2_OID]}, + {valid_policy, ?NIST2_OID}] + ], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.8.11.1", Tree) -> + validate_level([ + [[{expected_policy_set, [?anyPolicy]}, + {valid_policy, ?anyPolicy}]], + [[{expected_policy_set, [?anyPolicy]}, + {valid_policy, ?anyPolicy}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.8.11.2", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?anyPolicy]}, + {valid_policy, ?anyPolicy}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.8.13.1", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}] + ], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}] + ], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.8.13.2", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST2_OID]}, + {valid_policy, ?NIST2_OID}] + ], + [[{expected_policy_set, [?NIST2_OID]}, + {valid_policy, ?NIST2_OID}] + ], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.8.13.3", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST3_OID]}, + {valid_policy, ?NIST3_OID}] + ], + [[{expected_policy_set, [?NIST3_OID]}, + {valid_policy, ?NIST3_OID}] + ], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.8.14.1" , Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}] + ], + [[{expected_policy_set, [?anyPolicy]}, + {valid_policy, ?anyPolicy}] + ], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree(Chap, Tree) when Chap == "4.8.15"; + Chap == "4.8.19" -> + validate_level([ + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, 
?NIST1_OID}] + ], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.8.17", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.8.18.1", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}], + [{expected_policy_set, [?NIST2_OID]}, + {valid_policy, ?NIST2_OID}]], + [[{expected_policy_set,[?NIST1_OID]}, + {valid_policy, ?NIST1_OID}], + [{expected_policy_set, [?NIST2_OID]}, + {valid_policy, ?NIST2_OID}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.8.18.2", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST2_OID]}, + {valid_policy, ?NIST2_OID}]], + [[{expected_policy_set,[?NIST2_OID]}, + {valid_policy, ?NIST2_OID}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.8.20", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}] + ], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}] + ], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree(Chap , Tree) when Chap == "4.9.1"; + Chap == "4.9.2" -> + validate_level([ + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy,?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.9.4", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy,?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + ?POLICY_ROOT + 
], Tree); +do_validate_policy_tree("4.9.6", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy,?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.10.1.1", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST2_OID]}, + {valid_policy, ?NIST2_OID}]], + [[{expected_policy_set, [?NIST2_OID]}, + {valid_policy, ?NIST1_OID}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.10.3.2", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST8_OID]}, + {valid_policy,?NIST8_OID}]], + [[{expected_policy_set, [?NIST8_OID]}, + {valid_policy, ?NIST4_OID}]], + [[{expected_policy_set, [?NIST4_OID]}, + {valid_policy, ?NIST2_OID}]], + [[{expected_policy_set, [?NIST2_OID]}, + {valid_policy, ?NIST2_OID}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.10.5.1", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST6_OID]}, + {valid_policy, ?NIST6_OID}]], + [[{expected_policy_set,[?NIST6_OID]}, + {valid_policy, ?NIST4_OID}]], + [[{expected_policy_set, [?NIST2_OID, ?NIST3_OID, ?NIST4_OID]}, + {valid_policy, ?NIST1_OID}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.10.6.1", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST5_OID]}, + {valid_policy, ?NIST5_OID}]], + [[{expected_policy_set,[?NIST5_OID]}, + {valid_policy, ?NIST2_OID}]], + [[{expected_policy_set, [?NIST2_OID, ?NIST3_OID, ?NIST4_OID]}, + {valid_policy, ?NIST1_OID}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.10.9", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}] + ], + [[{expected_policy_set, [?anyPolicy]}, + {valid_policy, ?anyPolicy}] + ], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.10.11", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST2_OID]}, + {valid_policy,?NIST2_OID}]], + 
[[{expected_policy_set, [?NIST2_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.10.12.1", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST3_OID]}, + {valid_policy, ?NIST3_OID}], + [{expected_policy_set, [?NIST2_OID]}, + {valid_policy, ?NIST2_OID}]], + [[{expected_policy_set, [?NIST3_OID]}, + {valid_policy, ?NIST1_OID}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.10.12.2", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST3_OID]}, + {valid_policy, ?NIST3_OID}], + [{expected_policy_set, [?NIST2_OID]}, + {valid_policy, ?NIST2_OID}] + ], + [[{expected_policy_set, [?NIST2_OID]}, + {valid_policy, ?NIST2_OID}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.10.13", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST2_OID]}, + {valid_policy, ?NIST2_OID}], + [{expected_policy_set, [?NIST2_OID]}, + {valid_policy, ?NIST2_OID}]], + [ + [{expected_policy_set, [?NIST2_OID]}, + {valid_policy, ?NIST1_OID}], + [{expected_policy_set, [?anyPolicy]}, + {valid_policy, ?anyPolicy}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.10.14", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?anyPolicy]}, + {valid_policy, ?anyPolicy}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.11.2", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST3_OID]}, + {valid_policy,?NIST3_OID}]], + [[{expected_policy_set, [?NIST3_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.11.4", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST4_OID]}, + {valid_policy,?NIST4_OID}]], + [[{expected_policy_set, [?NIST4_OID]}, + {valid_policy, ?NIST4_OID}]], + [[{expected_policy_set, [?NIST4_OID]}, + {valid_policy, 
?NIST2_OID}]], + [[{expected_policy_set, [?NIST2_OID]}, + {valid_policy, ?NIST2_OID}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.11.7", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST2_OID]}, + {valid_policy,?NIST2_OID}]], + [[{expected_policy_set, [?NIST2_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.12.6", [[]]) -> + ok; +do_validate_policy_tree("4.12.2", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.12.3.1", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.12.7", Tree) -> + validate_level([ + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy,?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + [[{expected_policy_set, [?NIST1_OID]}, + {valid_policy, ?NIST1_OID}]], + ?POLICY_ROOT + ], Tree); +do_validate_policy_tree("4.12.9", [[]]) -> + ok. + +validate_level([], []) -> + true; +validate_level([Expected| Rest] , [[Level]| Levels]) -> + case do_validate_level(Expected, Level) of + true -> + validate_level(Rest, Levels); + false -> + ct:fail({{expected, Expected}, {got, Level}}) + end. + +do_validate_level([], []) -> + true; +do_validate_level([Expected | Rest], [Node| Branches]) -> + validate_node(Expected, Node), + do_validate_level(Rest, Branches). 
+ +validate_node([], _) -> + true; +validate_node([{Key, Value}| Expected], Node) -> + case maps:get(Key, Node) of + Value -> + validate_node(Expected, Node); + _ -> + throw(false) + end.
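Review bot: A mismatching node never reaches the `ct:fail({{expected, Expected}, {got, Level}})` branch in `validate_level/2`, because `validate_node/2` signals the mismatch with `throw(false)` and `do_validate_level/2` ignores its return value, so a wrong policy tree surfaces as a bare thrown `false` without the expected/got terms. Returning `false` and propagating it, as in the fence below, keeps that diagnostic, and `maps:find/2` turns a missing key into a reported mismatch rather than a `badkey` crash. Two clauses of `do_validate_policy_tree/2` appear to be unreachable because an earlier guarded clause already matches the same chapter: the standalone `"4.8.13.1"` clause (covered by the `"4.8.10.2"`/`"4.8.13.1"`/`"4.8.16"` guard) and the standalone `"4.12.7"` clause (covered by the `"4.8.6.1"`/`"4.8.6.2"`/`"4.12.7"` guard). `validate_policy_tree/2` also discards the value of its `case` and always returns `ok`, so a comment stating that failures are signalled only by exception would help the next reader.

```erlang
%% … unchanged: validate_level/2 …

do_validate_level([], []) ->
    true;
do_validate_level([Expected | Rest], [Node | Branches]) ->
    validate_node(Expected, Node) andalso do_validate_level(Rest, Branches);
do_validate_level(_, _) ->
    %% node count differs on this level
    false.

validate_node([], _) ->
    true;
validate_node([{Key, Value} | Expected], Node) ->
    case maps:find(Key, Node) of
        {ok, Value} ->
            validate_node(Expected, Node);
        _ ->
            false
    end.
```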