EARL based WebID tests: a first example from Henry Story on 2011-04-15 (public-xg-webid@w3.org from April 2011)

From: Henry Story <henry.story@bblfish.net>
Date: Fri, 15 Apr 2011 13:36:57 +0200
To: WebID XG <public-xg-webid@w3.org>
Message-Id: <627B89E0-0772-4CA0-875D-AE6378906582@bblfish.net>
So I have been studying the "Evaluation and Report Language (EARL) 1.0 Guide"
 http://www.w3.org/TR/EARL10-Guide/
ontology, to see how we could adapt our tests to produce RDF using that ontology.

Below I have tried to sketch carefully what a tester like 
   https://auth.fcns.eu/
could end up producing so that other robots could be created to do much deeper tests on a
service, testing every part of an implementation we can think of.

The results in N3 below are in three parts:
 1. declaration of the subject
 2. List of test cases I could think of from my experience building a tester
 3. a report example in n3

We should place the test case vocabulary somewhere with the spec, so that others can build
both simple test end points, and others can produce meta test suites. This is what EARL is all
about.

Feedback welcome.

---------------------------------------------------------------------------

@prefix earl: <http://www.w3.org/ns/earl#> .
@prefix zz: ? . #for the clerezza agent
@prefix doap: <http://usefulinc.com/ns/doap#> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix wit: <?> . #Web Id Test
@prefix http: <http://www.w3.org/2006/http#> .

zz:tester a earl:Software;
    doap:repository <https://svn.apache.org/repos/asf/incubator/clerezza/trunk/parent/platform.security.foafssl/test>;
    doap:programming-language "Scala";
    doap:developer <http://bblfish.net/#hjs>;
    doap:name "WebID Test suite in Clerezza" .


<https://svn.apache.org/repos/asf/incubator/clerezza/trunk/parent/platform.security.foafssl/test> a doap:SVNRepository .

###############################################
#
# Initial Test vocabulary to write somewhere
#
# todo: where should these be placed?
#
################################################

# profile and pubkey tests

wit:profileGet a earl:TestRequirement;
  dct:title "WebId Profile is accessible and downloadable".

wit:profileWF a earl:TestRequirement;
  dct:title "WebId Profile is well formed";
  dct:description "The WebId Profile is parseable Content and transformable to RDF" .

wit:profileWFKey a earl:TestRequirement;
   dct:title "WebIdProfile Contains well formed Keys";
   dct:description "All the keys in the profile are well formed and not misleading";
   skos:note "One does not need to test all keys in a profile, only those that are tied to the WebIDs found in the X509 cert. But to help users one could give them a deeper test of the profile." .

wit:pubkey a earl:TestRequirement;
   dct:title "Public Key is well formed" ;
   dct:description "A particular Public key is well formed" .

wit:pubkeyMod a earl:TestRequirement;
   dct:title "rsa:modulus is well formed" .

wit:pubkeyMod_func a earl:TestCase;
   dct:title "not more than one modulus";
     dct:description "More than one modulus if they don't convert to the same number will lead to erratic behavior (one server will choose one the other server will chose the other)".

wit:pubkeyMod_lit a earl:TestCase;
   dct:title "rsa:modulus is a literal number";
   dct:description "In the current ontology we have moved to literals as the standard way of describing modulus and exponents".

wit:pubkeyExp a earl:TestRequirement;
   dct:title "rsa:public_exponent is well formed" .

wit:pubkeyExp_func a earl:TestCase;
   dct:title "not more than one public exponent per RSA public key - or else they have to be identical" .
   dct:description "More than one exponent if they don't convert to the same number is very likely to create erratic behavior (one server will choose one the other server will chose the other)".

wit:pubkeyExp_lit a earl:TestCase;
   dct:title "rsa:exponent key is a literal";
   dct:description "In the current ontology we have moved to literals as the standard way of describing modulus and exponents".

wit:pubkeyMod_old_func a earl:TestCase;
   dct:title "if modulus is using non literal notation, there should be only one cert:hex relation to plain literal";
   skos:note "this should be a deprecated test sooner rather than later. Warn people to move to newer notation.".

wit:pubkeyExp_old_func a earl:TestCase;
   dct:title "if exponent is using non literal notation, there should be only one cert:decimal relation to plain literal" .


#tying pubkey to Webid

wit:webid_verification_gt0 a earl:TestRequirement;
   dct:title "At least one webid mentioned in certificate has public key that verifies".

wit:webid_verification a earl:TestRequirement;
   dct:title "A WebId in cert's public key has public key declared in profile that matches the public key corresponding to private key used in TLS connection".

# tests on certificate internet heritage conformance
# useful for test suites to help developers understand why they should build certificates
# a certain way. TODO.

###############################################
#
# Example test result to make sure the above ontology is at least partially correct
#
################################################
 

[] a earl:Assertion;
  earl:test wit:webid_verification;
  earl:result [ a earl:TestResult;
     dct:description "rsa public key has two relations for modulus";
     earl:outcome earl:failed ];
  earl:subject :webProfile, :x509, { 
    [] cert:identity <http://bblfish.net/person/henry/card#me>; 
       cert:modulus "as123123..."^^cert:hex, "dfff32093sd..."^^cert:hex; 
       cert:public_exponent "65537"^^cert:int;
  };
  earl:assertedBy zz:tester .


[] a earl:Assertion;
  earl:test wit:pubkeyMod_func;
  earl:result [ a earl:TestResult;
     dct:description "webid http://user.example/#me does not have a matching public key in profile";
     earl:outcome earl:success ]; 
  earl:subject :webProfile, :x509;
  earl:assertedBy zz:tester .

:x509 a cert:X509Certificate;
     cert:pemFormat """-----BEGIN CERTIFICATE-----
MIIDgzCCAuygAwIBAgIQZ84ABvhjj7hqFoWqSsvBFjANBgkqhkiG9w0BAQUFADBj
MREwDwYDVQQKDAhGT0FGK1NTTDEmMCQGA1UECwwdVGhlIENvbW11bml0eSBvZiBT
ZWxmIFNpZ25lcnMxJjAkBgNVBAMMHU5vdCBhIENlcnRpZmljYXRpb24gQXV0aG9y
aXR5MB4XDTExMDMyODE0MDY1MFoXDTEyMDMxODE2MDY1MFowgYsxETAPBgNVBAoM
CEZPQUYrU1NMMSYwJAYDVQQLDB1UaGUgQ29tbXVuaXR5IE9mIFNlbGYgU2lnbmVy
czE3MDUGCgmSJomT8ixkAQEMJ2h0dHA6Ly9iYmxmaXNoLm5ldC9wZW9wbGUvaGVu
cnkvY2FyZCNtZTEVMBMGA1UEAwwMYmJsZmlzaCBjYXJkMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA5+kuueCGksuOuQciIrf7hjSRiahB8c3hd8hPjTH/
6k+NBKN+H0MRHPiSVCVwvvhstF2zmE6Ms0NwzSDWHuSOqjEwu6+CKE8tvL0Y0OHk
bkhVDhenLPQagKIWjXe0k4CDIcizyNj1L8zRwsN0TaxrYZZPlaTx2/VpMI3ApaVK
yb/4+mJ4UZDBol9TMkTfyBbPq3iISMz6rt3vsNgksXar0DCftGag2V2E1L/t8Hvu
De0UaqKajsIlVtu/iUMSYKu41dZJCVCYm/DrqcX0m1aUwHAYWKtSap9Z5p7PnJVo
wqp2/3jnsf7h6WlUN9yQtm/FeEeMp+3Mx7DokAYYTElTaQIDAQABo4GKMIGHMAwG
A1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgLsMBEGCWCGSAGG+EIBAQQEAwIFoDAd
BgNVHQ4EFgQUzoQy71OnKyW8qE7boOHpLrjN2aQwNQYDVR0RAQH/BCswKYYnaHR0
cDovL2JibGZpc2gubmV0L3Blb3BsZS9oZW5yeS9jYXJkI21lMA0GCSqGSIb3DQEB
BQUAA4GBAH0kxSBDYGAMah4cloznjsnglGNMCTd2zPtxnWDFUjuD2YWhc8QXd/k7
T1GlVZdLfT175/D7jYpXEVH7UyO8DTnttlAePmDqbspT+vcpV1orUrWlMTJ7hAzP
Ev9aBOHrZPyKDeUJO0JgwAWxOU/ND347Ssg3lTbFt0jrZxDLHLxC
-----END CERTIFICATE-----""";
  # should we also have a relation to the openssl type text format? Is that a standard?
  cert:subjectAlternativeName <http://bblfish.net/people/henry/card#me>;
  cert:IssuerDistinguishedName "O=FOAF+SSL, OU=The Community of Self Signers, CN=Not a Certification Authority"...

:webProfile a http:Response;
          http:httpVersion "1.1";
          http:headers [...];
          http:body "#the rdf file used. could be n3, or something. This could also point to the content?..."] .

---------------------------------------------------------------------------

Henry
http://bblfish.net/
Received on Friday, 15 April 2011 11:37:28 UTC