Review and integrate NIST PKITS test cases

[jvdprng]

Context

NIST Public Key Interoperability Test Suite (PKITS), documented in RFC 4158, is a comprehensive test suite for X.509 path validation. It covers:

• Basic certificate validation
• Path length constraints
• Key usage constraints
• Name constraints
• Policy constraints
• Inhibit anyPolicy
• And many other X.509 features

PKITS has been a standard reference for testing X.509 implementations for many years.

Why this matters:

• Comprehensive coverage: PKITS contains hundreds of test cases covering edge cases
• Industry standard: widely recognized test suite
• RFC 5280 compliance: designed to test RFC 5280 (and its predecessor RFC 3280) conformance
• Gap analysis: comparing x509-limbo coverage with PKITS identifies missing test areas
• Historical value: time-tested scenarios from real-world validation issues

Task Description

Goal: Review NIST PKITS and integrate relevant test cases into x509-limbo that provide valuable coverage not already present.

Phase 1: Analysis

1. Obtain PKITS test suite

   • Available via NIST or as part of RFC 4158
   • Includes test certificates and expected results

2. Catalog PKITS test cases

   • Document what scenarios PKITS covers
   • Organize by feature area (path constraints, name constraints, policies, etc.)

3. Gap analysis

   • Compare PKITS coverage with existing x509-limbo test cases
   • Identify PKITS tests that would add value to x509-limbo
   • Priority areas likely include:
     • Policy constraints and policy mapping
     • Inhibit anyPolicy processing
     • Complex path building scenarios
     • Delta CRL handling
     • Name constraint edge cases beyond what x509-limbo has

Phase 2: Integration Planning

4. Select test cases for integration

   • Prioritize based on:
     • Coverage gaps in x509-limbo
     • Complexity and value of test case
     • Relevance to modern X.509 usage
   • Consider PKITS tests that found real bugs in implementations

5. Adaptation strategy

   • Determine how to represent PKITS tests in x509-limbo format
   • Consider whether to convert individual tests or test families
   • Plan for maintaining attribution to PKITS

Phase 3: Implementation

6. Convert selected test cases

   • Translate PKITS certificate structures to x509-limbo format
   • Ensure expected results align with x509-limbo conventions
   • Verify converted tests produce expected results

7. Documentation

   • Document which PKITS tests were integrated
   • Explain any adaptations or differences
   • Provide mapping from PKITS test numbers to x509-limbo test IDs

Implementation Requirements

Research Tools:

• Access to RFC 4158 and PKITS materials
• Tools to parse/analyze existing PKITS certificates
• Comparison tools to analyze x509-limbo vs PKITS coverage

Integration Tools:

• x509-limbo certificate builders to recreate PKITS scenarios
• Test case generation for identified gaps
• Documentation generation

References

• RFC 4158: Internet X.509 Public Key Infrastructure: Certification Path Building
• NIST PKITS: https://csrc.nist.gov/projects/pki-testing
• RFC 5280: X.509 standard that PKITS tests
• Related: x509-limbo existing test coverage documentation

Acceptance Criteria

• PKITS test suite obtained and analyzed
• Gap analysis completed documenting coverage differences
• Priority list created of PKITS tests to integrate
• Selected test cases converted to x509-limbo format
• Converted tests validated against harnesses
• Documentation updated with PKITS integration details
• Attribution and mapping maintained