earl test suite ontology to be used by clients to generate test results.
authorHenry Story <henry.story@bblfish.net>
Mon, 13 Jun 2011 18:54:10 +0200
changeset 147 05f500843576
parent 133 18c57d7af04c
child 148 55f18239ed1a
earl test suite ontology to be used by clients to generate test results.
tests/earl/test.n3
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/earl/test.n3	Mon Jun 13 18:54:10 2011 +0200
@@ -0,0 +1,205 @@
[email protected] cert: <http://www.w3.org/ns/auth/cert#> .
[email protected] earl: <http://www.w3.org/ns/earl#> .
[email protected] zz: <http://clerezza.org/release/#> . #for the clerezza agent
[email protected] doap: <http://usefulinc.com/ns/doap#> .
[email protected] rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
[email protected] rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
[email protected] wit: <http://www.w3.org/2005/Incubator/webid/test/> . #Web Id Test
[email protected] http: <http://www.w3.org/2006/http#> .
[email protected] dct: <http://purl.org/dc/terms/> .
[email protected] skos: <http://www.w3.org/2004/02/skos/core#> .
[email protected] owl: <http://www.w3.org/2002/07/owl#> .
[email protected] : <#> .
+
+wit: a owl:Ontology .
+
+zz:r05 a earl:Software;
+   doap:repository <https://svn.apache.org/repos/asf/incubator/clerezza/trunk/parent/platform.security.foafssl/test>;
+   doap:programming-language "Scala";
+   doap:developer <http://bblfish.net/#hjs>;
+   doap:name "WebID Test suite in Clerezza" .
+
+
+<https://svn.apache.org/repos/asf/incubator/clerezza/trunk/parent/platform.security.foafssl/test> a doap:SVNRepository .
+
+###############################################
+#
+# Initial Test vocabulary to write somewhere
+#
+# todo: where should these be placed?
+#
+################################################
+
+# pure certificate tests
+
+wit:certificateProvided a earl:TestRequirement;
+  dct:title "The client provided a x509 certificate".
+
+wit:certificateProvidedSAN a earl:TestRequirement;
+  dct:title "The client certificate contains a subject alternative name".
+
+wit:certificateDateOk a earl:TestRequirement;
+  dct:title "The current timestamp is between begin and end date of the certificate".
+
+wit:certificatePubkeyRecognised a earl:TestRequirement;
+  dct:title "Public key in certificate recognised ";
+  dct:description """The public key in the certificate is recognised by the WebId code. If it is not then it is not going to be possible
+    to match it with the remote certificate. """ .  
+
+wit:certificateCriticalExtensionsOk a earl:TestRequirement;
+ dct:title "The certificate contains no unecessary critical extension";
+ dct:description "Critical Extensions are not a direct problem for WebID, but can cause many servers to reject the certificate before the WebID code gets to see the certificate. These tests should not generate errors but only warnings" .
+
+
+# profile tests
+
+wit:profileGet a earl:TestRequirement;
+ dct:title "WebId Profile is accessible and downloadable".
+
+wit:profileWellFormed a earl:TestRequirement;
+ dct:title "WebId Profile is well formed";
+ dct:description "The WebId Profile is parseable Content and transformable to RDF" .
+
+wit:profileWellFormedKey a earl:TestRequirement;
+  dct:title "WebIdProfile Contains well formed Keys";
+  dct:description "All the keys in the profile are well formed and not misleading";
+  skos:note "One does not need to test all keys in a profile, only those that are tied to the WebIDs found in the X509 cert. But to help users one could give them a deeper test of the profile." .
+
+wit:profileWellFormedPubkey a earl:TestRequirement;
+  dct:title "Public Key is well formed" ;
+  dct:description "A particular Public key is well formed" .
+
+wit:pubkeyRSAModulus a earl:TestRequirement;
+  dct:title "rsa:modulus is well formed" .
+
+wit:pubkeyRSAModulusFunctional a earl:TestCase;
+  dct:title "not more than one modulus";
+    dct:description "More than one modulus if they don't convert to the same number will lead to erratic behavior (one server will choose one the other server will chose the other)".
+
+wit:pubkeyRSAModulusLiteral a earl:TestCase;
+  dct:title "rsa:modulus is a literal number";
+  dct:description "In the current ontology we have moved to literals as the standard way of describing modulus and exponents".
+
+wit:pubkeyRSAExponent a earl:TestRequirement;
+  dct:title "rsa:public_exponent is well formed" .
+
+wit:pubkeyRSAExponentFunctional a earl:TestCase;
+  dct:title "not more than one public exponent per RSA public key - or else they have to be identical" ;
+  dct:description "More than one exponent if they don't convert to the same number is very likely to create erratic behavior (one server will choose one the other server will chose the other)".
+
+wit:pubkeyRSAExponentLiteral a earl:TestCase;
+  dct:title "rsa:exponent key is a literal";
+  dct:description "In the current ontology we have moved to literals as the standard way of describing modulus and exponents".
+
+wit:pubkeyRSAModulusOldFunctional a earl:TestCase;
+  dct:title "if modulus is using non literal notation, there should be only one cert:hex relation to plain literal";
+  skos:note "this should be a deprecated test sooner rather than later. Warn people to move to newer notation.".
+
+wit:pubkeyRSAExponentOldFunctional a earl:TestCase;
+  dct:title "if exponent is using non literal notation, there should be only one cert:decimal relation to plain literal" .
+
+
+# webid protocol tests: ie: tying pubkey and  Webid in certificate to remote WebID identifying description
+
+wit:webidAuthentication a earl:TestRequirement;
+  dct:title "WebID Authentication Test";
+  dct:description "At least one webid claimed in the certificate has public key that verifies. " .
+
+wit:webidClaim a earl:TestRequirement;
+  dct:title "Particular WebId Claim Test";
+  dct:description "Verification of a particular WebID claim" .
+
+
+###############################################
+#
+# Example test result to make sure the above ontology is at least partially correct
+#
+################################################
+
[email protected] : <http://test.example/> .
+
+[] a earl:Assertion;
+ earl:test wit:webid_verification;
+ earl:result [ a earl:TestResult;
+    dct:description "rsa public key has two relations for modulus";
+    earl:outcome earl:failed ];
+ earl:subject :webProfile, :x509; 
+#{ 
+# for turtle parsers
+#   [] cert:identity <http://bblfish.net/person/henry/card#me>; 
+#      cert:modulus "as123123..."^^cert:hex, "dfff32093sd..."^^cert:hex; 
+#      cert:public_exponent "65537"^^cert:int .
+#};
+ earl:assertedBy zz:0_5-SNAPSHOT .
+
+
+[] a earl:Assertion;
+ earl:test wit:pubkeyMod_func;
+ earl:result [ a earl:TestResult;
+    dct:description "webid http://user.example/#me does not have a matching public key in profile";
+    earl:outcome earl:success ]; 
+ earl:subject :webProfile, :x509;
+ earl:assertedBy zz:0_5-SNAPSHOT .
+
+[] a earl:Assertion;
+earl:test wit:certificate_provided_san;
+earl:result [ a earl:TestResult;
+    dct:description "SAN missing";
+    earl:outcome earl:failed;
+    earl:pointer :x509 ];
+earl:subject :webProfile, :x509 .
+
+[] a earl:Assertion;
+earl:test wit:webid_verification;
+earl:result [ a earl:TestResult;
+    dct:description "ok";
+    earl:outcome earl:passed ];
+earl:subject :webProfile, :x509 .
+
+[] a earl:Assertion;
+# verification also on the URI level!!!
+earl:test wit:webid_verification_uri;
+earl:result [ a earl:TestResult;
+    dct:description "ok";
+    earl:outcome earl:passed;
+    earl:pointer <http://bblfish.net/person/henry/card#me> ]; 
+earl:subject :webProfile, :x509 .
+
+[] a earl:Assertion;
+earl:test wit:pubkey_rsa_modulus;   
+earl:result [ a earl:TestResult;
+    dct:description "modulus missing";
+    earl:outcome earl:failed;
+    earl:pointer <http://bblfish.net/person/henry/card#me2> ];
+earl:subject :webProfile, :x509 .
+
+:x509 a cert:X509Certificate;
+    cert:base64der """
+MIIDgzCCAuygAwIBAgIQZ84ABvhjj7hqFoWqSsvBFjANBgkqhkiG9w0BAQUFADBj
+MREwDwYDVQQKDAhGT0FGK1NTTDEmMCQGA1UECwwdVGhlIENvbW11bml0eSBvZiBT
+ZWxmIFNpZ25lcnMxJjAkBgNVBAMMHU5vdCBhIENlcnRpZmljYXRpb24gQXV0aG9y
+aXR5MB4XDTExMDMyODE0MDY1MFoXDTEyMDMxODE2MDY1MFowgYsxETAPBgNVBAoM
+CEZPQUYrU1NMMSYwJAYDVQQLDB1UaGUgQ29tbXVuaXR5IE9mIFNlbGYgU2lnbmVy
+czE3MDUGCgmSJomT8ixkAQEMJ2h0dHA6Ly9iYmxmaXNoLm5ldC9wZW9wbGUvaGVu
+cnkvY2FyZCNtZTEVMBMGA1UEAwwMYmJsZmlzaCBjYXJkMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA5+kuueCGksuOuQciIrf7hjSRiahB8c3hd8hPjTH/
+6k+NBKN+H0MRHPiSVCVwvvhstF2zmE6Ms0NwzSDWHuSOqjEwu6+CKE8tvL0Y0OHk
+bkhVDhenLPQagKIWjXe0k4CDIcizyNj1L8zRwsN0TaxrYZZPlaTx2/VpMI3ApaVK
+yb/4+mJ4UZDBol9TMkTfyBbPq3iISMz6rt3vsNgksXar0DCftGag2V2E1L/t8Hvu
+De0UaqKajsIlVtu/iUMSYKu41dZJCVCYm/DrqcX0m1aUwHAYWKtSap9Z5p7PnJVo
+wqp2/3jnsf7h6WlUN9yQtm/FeEeMp+3Mx7DokAYYTElTaQIDAQABo4GKMIGHMAwG
+A1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgLsMBEGCWCGSAGG+EIBAQQEAwIFoDAd
+BgNVHQ4EFgQUzoQy71OnKyW8qE7boOHpLrjN2aQwNQYDVR0RAQH/BCswKYYnaHR0
+cDovL2JibGZpc2gubmV0L3Blb3BsZS9oZW5yeS9jYXJkI21lMA0GCSqGSIb3DQEB
+BQUAA4GBAH0kxSBDYGAMah4cloznjsnglGNMCTd2zPtxnWDFUjuD2YWhc8QXd/k7
+T1GlVZdLfT175/D7jYpXEVH7UyO8DTnttlAePmDqbspT+vcpV1orUrWlMTJ7hAzP
+Ev9aBOHrZPyKDeUJO0JgwAWxOU/ND347Ssg3lTbFt0jrZxDLHLxC""";
+ # should we also have a relation to the openssl type text format? Is that a standard?
+ cert:subjectAlternativeName <http://bblfish.net/people/henry/card#me>;
+ cert:IssuerDistinguishedName "O=FOAF+SSL, OU=The Community of Self Signers, CN=Not a Certification Authority".
+
+:webProfile a http:Response;
+         http:httpVersion "1.1";
+         http:headers [];
+         http:body "#the rdf file used. could be n3, or something. This could also point to the content?..." .
+