# This Source Code Form is subject to the terms of the Mozilla Public
# License: v. 2.0. If a copy of the MPL was not distributed with this
# file: You can obtain one at http://mozilla.org/MPL/2.0/.
#
# This file enables policy testing
#
# The policy string is set to the config= line in the pkcs11.txt
# it currently has 2 keywords:
#
# disallow= turn off the use of this algorithm by policy. (implies disable)
# allow= allow this algorithm to by used if selected by policy.
# disable= turn off the use of this algorithm even if allowed by policy
#          (application can override)
# enable= turn off this algorithm by default (implies allow)
# flags= policy-lock: can't change policy with NSS_SetAlgorithmPolicy:
#  NSS_SetOption: or SSL_SetCipherPolicy
#        ssl-lock: can't change the cipher suite settings with the application.
#
# The syntax is disallow=algorithm{/uses}:algorithm{/uses}
# where {} signifies an optional element
#
# Signatures:
#	DSA
#	RSA-PKCS
#	RSA-PSS
#       ECDSA
# Hashes:
#	MD2
#	MD4
#	MD5
#	SHA1
#	SHA224
#	SHA256
#	SHA384
#	SHA512
#	SHA3_224
#	SHA3_256
#	SHA3_384
#	SHA3_512
# Ciphers:
#	AES128-CBC
#	AES192-CBC
#	AES256-CBC
#	CAMELLIA128-CBC
#	CAMELLIA192-CBC
#	CAMELLIA256-CBC
#	SEED-CBC
#	DES-EDE3-CBC
#	RC2-40-CBC
#	RC2-64-CBC
#	RC2-128-CBC
# Key exchange
#	RSA-PKCS
#	RSA-OAEP
#	DH
#	ECDH
# Include all of the above:
#       ALL
#-----------------------------------------------
# Uses are:
#    smime
#    smime-legacy
#    smime-key-exchange
#    key-exchange (includes smime-key-exchange)
#    cert-signature
#    smime-signature  (=cms-signature)
#    all-signature (includes cert-signature)
#    signature (all signatures off: some signature allowed based on other option)
#    all (includes all of the above)
#
# NOTE: the certificates used in validation are rsa-pkcs1/sha256 signed.
#
# Sign Vfy Enc Dec hash rec_email rec_name rec_policy snd_name snd_policy alg Test Name
  0 0 0 0 SHA256 dave@example.com Dave enable=hmac-sha1 Alice enable=hmac-sha1 AES-256-CBC  Use default policy and enable
  0 0 0 0 SHA512 bob@example.com Bob enable=aes256-cbc Alice enable=aes256-cbc AES-256-CBC Only enable aes-256
  0 0 0 0 SHA512 bob@example.com Bob enable=camellia256-cbc Alice enable=camellia256-cbc CAMELLIA-256-CBC Only enable camellia
  0 0 1 x SHA1 bob@example.com Bob allow=aes128-cbc:aes192-cbc:aes256-cbc:camellia128-cbc:camellia192-cbc:camellia256-cbc:des-ede3-cbc:rc2-40-cbc:rc2-64-cbc:rc2-128-cbc Alice enable=camellia256-cbc NONE-FAILURE Bob allows all: enables default, alice allows and enables camellia
  0 0 0 1 SHA384 bob@example.com Bob enable=camellia256-cbc Alice allow=aes128-cbc:aes192-cbc:aes256-cbc:camellia128-cbc:camellia192-cbc:camellia256-cbc:des-ede3-cbc:rc2-40-cbc:rc2-64-cbc:rc2-128-cbc RC2-CBC Alice allows all: enables default, bob allows and enables camellia
  0 0 1 x SHA384 bob@example.com Bob enable=aes256-cbc Alice enable=camellia256-cbc NONE-FAILURE Bob Only enables aes Alice Only enables camellia
  0 0 0 0 SHA384 bob@example.com Bob enable=camellia256-cbc Alice enable=aes128-cbc:aes192-cbc:aes256-cbc:camellia128-cbc:camellia192-cbc:camellia256-cbc:des-ede3-cbc:rc2-40-cbc:rc2-64-cbc:rc2-128-cbc CAMELLIA-256-CBC Alice enable all explicit, bob allows and enables camellia
  0 0 0 0 SHA1 bob@example.com Bob enable=aes128-cbc:aes192-cbc:aes256-cbc:camellia128-cbc:camellia192-cbc:camellia256-cbc:des-ede3-cbc:rc2-40-cbc:rc2-64-cbc:rc2-128-cbc Alice enable=camellia256-cbc CAMELLIA-256-CBC Bob enables all explicit, alice allows and enables camellia
  0 0 0 1 SHA256 dave@example.com Dave disallow=rsa-pkcs/smime-key-exchange Alice enable=hmac-sha1 AES-256-CBC  turn off RSA key exchange (decrypt)
  1 x x x SHA-1 dave@example.com Dave disallow=sha1/smime-signature Alice enable=hmac-sha1 NONE-FAILURE turn off sha-1 for S/MIME (generate sig)
  0 1 x x SHA-1 dave@example.com Dave enable=hmac-sha1 Alice disallow=sha1/smime-signature  NONE-FAILURE turn off sha-1 for S/MIME (verify sig)
  0 0 1 x SHA256 dave@example.com Dave enable-hmac-sha1 Alice disallow=rsa-pkcs/smime-key-exchange NONE-FAILURE turn off RSA key exchange (encrypt)
  0 0 1 x SHA256 dave@example.com Dave enable-hmac-sha1 Alice disallow=rsa-pkcs/smime-key-exchange_allow=rsa-pkcs/smime-key-echange_legacy NONE_FAILURE turn off RSA key exchange for encrypt only (try to encrypt)
  0 0 0 0 SHA256 dave@example.com Dave disallow=rsa-pkcs/smime-key-exchange-encrypt Alice enable=hmac-sha1 AES-256-CBC  turn off RSA key exchange for encrypt only (try to decrypt)
  1 x x x SHA256 dave@example.com Dave allow=rsa-min=3000 Alice allow=all NONE-FAILED  Enforce all key size policy on Sender
  0 1 x x SHA256 dave@example.com Dave allow=all Alice allow=rsa-min=3000 NONE-FAILED  Enforce all key size policy on Recipient
  0 0 1 x SHA256 dave@example.com Dave allow=all Alice allow=key-size-flags=key-size-smime:rsa-min=3000 NONE-FAILED  Enforce KEA key size policy on Recipient
  0 0 0 1 SHA256 dave@example.com Dave allow=key-size-flags=key-size-smime:rsa-min=3000 Alice allow=all AES-256-CBC  Enforce KEA key size policy on Sender