BSL Test Matrix
ckrup edited this page Jan 16, 2025 · 1 revision

| Rqmt ID | Description | Verification Procedure ID | Verification Type | Test Type |
|---|---|---|---|---|
| BSL-GEN-1-0 | The BSL shall be compliant with RFC 9172. | BSL_1 (RFC Compliance) | Test | Compilation of all subsequent tests |
| BSL-GEN-1-1 | The BSL shall impose a deterministic processing order for all security blocks. | BSL_2 (Deterministic Processing Order) | Test | Mock BPA |
| BSL-GEN-2-0 | The BSL shall construct security blocks for inclusion in a bundle. | BSL_3 (Security Block Inclusion) | Test | Mock BPA |
| BSL-GEN-2-1 | The BSL shall add security operations to a security block. | BSL_4 (Security Operations) | Test | Mock BPA (Repeat of BSL_2) |
| BSL-GEN-2-2 | The BSL shall determine whether a new security block can be added to the bundle when adding a security operation to a bundle. | BSL_5 (Adding Block to Bundle) | Test | Unit Test |
| BSL-GEN-2-3 | The BSL shall ensure that security operations in a bundle are unique. | BSL_6 (Unique Security Operations) | Test | Unit Test |
| BSL-GEN-3-0 | The BSL shall remove security operations from a bundle. | BSL_7 (Removing Security Operations) | Test | Mock BPA |
| BSL-GEN-3-1 | The BSL shall determine when a security block should be removed from a bundle. | BSL_8 (Bundle Removing Block) | Test | Unit Test |
| BSL-GEN-3-2 | The BSL shall inform the BPA to discard a security block when all security operations for that block have been removed. | BSL_9 (Inform BPA) | Test | Unit Test |
| BSL-GEN-4-0 | The BSL shall read non-security block contents as provided by the BPA. | BSL_10 (Reading Non Security Block) | Test | Unit Test |
| BSL-GEN-5-0 | The BSL shall provide updated block contents to the BPA. | BSL_11 (Updating Block Contents) | Test | Unit Test |
| BSL-GEN-6-0 | The BSL shall encode the BTSD produced for a security block in compliance with RFC 9172 encodings. | BSL_12 (Encode BTSD) | Test | Mock BPA |
| BSL-GEN-7-0 | The BSL shall decode the BTSD of an RFC 9172 encoded security block. | BSL_13 (Decode BTSD) | Test | Mock BPA |
| BSL-GEN-8-0 | The BSL shall determine what security role (if any) the local node shall have for a given security operation. | BSL_14 (Node Security Role) | Test | Mock BPA |
| BSL-GEN-9-0 | The BSL shall perform processing action(s) in response to security operation lifecycle events when required by policy. | BSL_15 (Operation Lifecycle Events) | Test | Mock BPA (Repeat BSL_4) |
| BSL-GEN-9-1 | The BSL shall request that a BPA remove a security block when required by policy. | BSL_16 (BPA Removing Block) | Test | Mock BPA (Repeat BSL_8) |
| BSL-GEN-9-2 | The BSL shall request that a BPA delete a security target block when required by policy. | BSL_17 (BPA Deleting Block) | Test | Mock BPA |
| BSL-GEN-9-3 | The BSL shall request that the BPA delete all security operations represented by a security block when required by policy. | BSL_18 (BPA Deleting Operations) | Test | Mock BPA (Repeat BSL_4) |
| BSL-GEN-9-4 | The BSL shall request that the BPA delete a bundle when required by policy. | BSL_19 (BPA Deleting Bundle) | Test | Mock BPA |
| BSL-GEN-9-5 | The BSL shall generate a bundle status report when required by policy. | BSL_20 (Bundle Status Report) | Test | Unit Test |
| BSL-SSF-1-0 | The BSL shall generate cryptographic materials based on bundle information and local policy. | BSL_21 (Generate Cryptographs) | Inspection | N/A |
| BSL-SSF-1-1 | The BSL shall determine the success or failure of any attempted cryptographic function. | BSL_22 (Success Cryptographic Function) | Test | Unit Test |
| BSL-SSF-2-0 | The BSL shall alter the contents of non-security blocks to incorporate cryptographic outputs in accordance with RFC 9173. | BSL_23 (RFC Compliant Cryptographs) | Test | Mock BPA |
| BSL-SSF-2-1 | The BSL shall place cryptographic material in security block security result fields in accordance with RFC 9172 and RFC 9173. | BSL_24 (Security Block Result Fields) | Test | Mock BPA |
| BSL-SSF-3-0 | The BSL shall extract the set of bundle and block data needed to assemble security context inputs. | BSL_25 (Extracting Bundle Block Data) | Test | Mock BPA (Repeat BSL_27) |
| BSL-SSF-3-1 | The BSL shall retrieve key-related parameters required by key-based security contexts. | BSL_26 (Retrieving Key Parameters) | Test | Mock BPA |
| BSL-SSF-4-0 | The BSL shall support the security contexts identified in RFC 9173. | BSL_27 (Supporting Security Contexts) | Test | Mock BPA |
| BSL-SSF-4-1 | The BSL shall support the use of the BCB-AES-GCM default security context [RFC 9173] for BCB-confidentiality security operations. | BSL_28 (Supporting BCB AES GCM) | Test | Mock BPA |
| BSL-SSF-4-2 | The BSL shall support the use of the BIB-HMAC-SHA default security context [RFC 9173] for bib-integrity security operations. | BSL_29 (Supporting BIB HMAC SHA) | Test | Mock BPA |
| BSL-ERR-1-0 | The BSL shall indicate to the BPA the result (e.g. success, failure, or error) of each attempted security operation. | BSL_30 (Results of Operation) | Inspection | N/A |
| BSL-ERR-1-1 | The BSL shall verify the security operations of a security block for which the BPA is the Security Verifier as defined in RFC 9172. | BSL_31 (BPA Security Verifier) | Test | Unit Test |
| BSL-ERR-1-2 | The BSL shall verify that every security block required by security policy at the current node is present in the bundle. | BSL_32 (Security Block Node) | Test | Unit Test |
| BSL-ERR-1-3 | The BSL shall have the ability to inform the BPA that a block is unintelligible using Reason Code 8 as defined in RFC 9171. | BSL_33 (Reason Code 8) | Test | Mock BPA |
| BSL-ERR-2-0 | The BSL shall collect metrics indicating health and performance. | BSL_34 (Health Performance Metrics) | Inspection | N/A |
| BSL-ERR-2-1 | The BSL shall write diagnostic information to a configurable logging system. | BSL_35 (Configurable Logging System) | Inspection | N/A |
| BSL-ERR-3-0 | The BSL shall establish abort procedures to recover from security operation failures. | BSL_36 (Abort Procedures) | Test | Unit Test |
| BSL-ERR-3-1 | The BSL shall report on the failure of any interface to perform a requested operation. | BSL_37 (Interface Failure) | Test | Unit Test |
| BSL-ERR-3-2 | The BSL shall cease processing related security operations when there is a processing error associated with those operations. | BSL_38 (Processing Error) | Test | Unit Test |
| BSL-ERR-4-0 | The BSL shall implement fault-injection interfaces. | BSL_39 (Fault Injection Interfaces) | Inspection | N/A |
| BSL-BIN-1-0 | The BSL shall use a BPA interface to query node-specific BPA configuration items. | BSL_40 (Query BPA Items) | Test | Unit Test |
| BSL-BIN-2-0 | The BSL shall use a BPA interface to query specific processing activities which are executed as part of processing a security operation. | BSL_41 (Query BPA Processing Activities) | Test | Unit Test |
| BSL-BIN-3-0 | The BSL shall use a BPA interface to request the BPA to remove a bundle. | BSL_42 (Remove BPA Bundle) | Test | Unit Test |
| BSL-BIN-4-0 | The BSL shall use a BPA interface to query what block types exist in a bundle. | BSL_43 (Query Existing Block Types) | Test | Mock BPA |
| BSL-BIN-4-1 | The BSL shall use a BPA interface to query what block numbers are present in a bundle. | BSL_44 (Query Block Numbers) | Test | Mock BPA |
| BSL-BIN-5-0 | The BSL shall use a BPA interface to request, from the BPA, block contents associated with a specific block. | BSL_45 (Request BPA Block Contents) | Test | Mock BPA |
| BSL-BIN-5-1 | The BSL shall use a BPA interface to query block-type-specific data in a piecewise, sequential manner. | BSL_46 (Query Block Specific Data) | Inspection | N/A |
| BSL-BIN-6-0 | The BSL shall use a BPA interface to have the BPA add new blocks to a bundle. | BSL_47 (Add New BPA Blocks) | Test | Mock BPA |
| BSL-BIN-7-0 | The BSL shall use a BPA interface to have the BPA remove existing blocks from a bundle. | BSL_48 (Remove BPA Blocks) | Test | Mock BPA |
| BSL-BIN-8-0 | The BSL shall use a BPA interface to modify the block-type-specific data of non-security, non-primary blocks. | BSL_49 (Modify Block Specific Data) | Test | Mock BPA |
| BSL-BIN-9-0 | The BSL shall use a BPA interface to have a provided bundle status report transmitted by the BPA. | BSL_50 (Transmitting Bundle Report) | Inspection | N/A |
| BSL-BIN-10-0 | The BSL shall use a BPA interface for encoding complex structures (such as Endpoint IDs). | BSL_51 (Encoding Complex Structures) | Test | Unit Test |
| BSL-BIN-10-1 | The BSL shall use a BPA interface for decoding complex structures (such as Endpoint IDs). | BSL_52 (Decoding Complex Structures) | Test | Unit Test |
| BSL-CIN-1-0 | The BSL crypto interface shall identify private key material indirectly. | BSL_53 (Identify Private Key) | Test | Unit Test |
| BSL-CIN-1-2 | The BSL crypto interface shall retrieve certificates. | BSL_54 (Crypto Retrieving Certificates) | Inspection | N/A |
| BSL-CIN-1-3 | The BSL crypto interface shall store certificates. | BSL_55 (Crypto Storing Certificates) | Inspection | N/A |
| BSL-CIN-2-0 | The BSL crypto interface shall update statistics associated with keys. | BSL_56 (Crypto Updating Statistics) | Test | Unit Test |
| BSL-CIN-3-0 | The BSL crypto interface shall process all cryptographic primitives (such as symmetric and asymmetric cipher operations, key agreement and key derivation, and random number generation). | BSL_57 (Processing Crypto Primitives) | Inspection | N/A |
| BSL-PIN-1-0 | The BSL policy interface shall determine the security operations to be performed by the local BPA for a given set of blocks in a bundle. | BSL_58 (Policy For Local BPA) | Test | Unit Test |
| BSL-PIN-1-1 | The BSL policy interface shall determine what security roles are performed by the local BPA for a given security operation. | BSL_59 (Policy Determining Security Roles) | Test | Unit Test |
| BSL-PIN-1-2 | The BSL policy interface shall determine what security operations are expected to exist in a given bundle. | BSL_60 (Policy Determining Security Operations) | Test | Unit Test |
| BSL-PIN-2-0 | The BSL policy interface shall query security context information for a given security operation. This information includes the security context identifier and parameters. | BSL_61 (Query Security Context) | Test | Unit Test |
| BSL-PIN-2-1 | The BSL policy interface shall query what policy-provided parameters should override parameters present in security blocks. | BSL_62 (Query Policy Parameters) | Test | Unit Test |
| BSL-PIN-3-0 | The BSL policy interface shall provide specific processing activities which are executed as part of processing a security operation. | BSL_63 (Specific Processing Activities) | Test | Unit Test |
| BSL-TIN-1-0 | The BSL telemetry interface shall allow a host to query metrics from the BSL. | BSL_64 (Telemetry Host Query Metrics) | Test | Unit Test |
| BSL-LIN-1-0 | The BSL logging interface shall associate logging levels with log entries, to include the levels of Critical, Error, Warning, Notification, and Debug. | BSL_65 (Logging Levels) | Inspection | N/A |
| BSL-LIN-2-0 | The BSL logging interface shall annotate log entries with metadata related to time and process doing the logging. | BSL_66 (Log Entries With Metadata) | Test | Unit Test |
| BSL-LIN-3-0 | The BSL logging interface shall truncate the length of individual log entries to stay within configured limits. | BSL_67 (Truncate Log Entries) | Inspection | N/A |
| BSL-LIN-4-0 | The BSL logging interface shall determine whether an attempt to log an event succeeded. | BSL_68 (Successful Log Attempt) | Inspection | N/A |
| BSL-SVC-1-0 | The BSL shall request from all policy providers the specific policy associated with a bundle at the current node. | BSL_69 (Policy At Current Node) | Test | Unit Test |
| BSL-SVC-1-1 | The BSL shall validate and prioritize security policy statements before applying them to a bundle. | BSL_70 (Validating Policy Statements) | Test | Unit Test |
| BSL-SVC-2-0 | After the BSL validates security policy for a bundle, the BSL shall coordinate functions of the associated security context to apply that rule. | BSL_71 (Coordinate Functions) | Test | Unit Test |
| BSL-SVC-3-0 | The BSL shall perform the processing action(s) provided by a security policy rule when a security processing failure occurs. | BSL_72 (Processing Actions From Failure) | Test | Unit Test |
| BSL-CFG-1-0 | The BSL shall establish a catalog of settings that users may configure at run-time. | BSL_73 (Settings Catalog) | Inspection | N/A |
| BSL-CFG-2-0 | The BSL shall allow parameterization via configuration files and environment variables. | BSL_74 (Parameterization Via Configuration) | Inspection | N/A |
| BSL-CFG-3-0 | The BSL shall embed build information into runtime artifacts. | BSL_75 (Embedding Information) | Inspection | N/A |
| BSL-CFG-4-0 | The BSL shall embed version into the executable, and be identified when running the application. | BSL_76 (Embedding Version) | Inspection | N/A |
| BSL-CFG-5-0 | The BSL shall provide a catalog of configurable compile-time items. | BSL_77 (Compile Time Catalog) | Inspection | N/A |
| BSL-CFG-6-0 | The BSL shall provide a catalog of configurable run-time items. | BSL_78 (Run Time Catalog) | Inspection | N/A |
| BSL-CFG-7-0 | The BSL shall support parameterization by compiler command line arguments and configuration files. | BSL_79 (Compiler Command Line Arguments) | Inspection | N/A |
| BSL-PFR-1-0 | The BSL shall compile using strict compiler flags for error and warning checks. | BSL_80 (Strict Compiler Flags) | Inspection | N/A |
| BSL-PFR-2-0 | The BSL telemetry interfaces shall support asynchronous operation. | BSL_81 (Supporting Asynchronous Operations) | Inspection | N/A |
| BSL-SEC-1-0 | The BSL shall delegate all cryptographic functions to an external library accessible only through the crypto interface. | BSL_82 (Delegate Crypto Functions) | Inspection | N/A |
| BSL-SEC-2-0 | The BSL shall delegate the handling and storage of all cryptographic key material to external libraries. | BSL_83 (Delegate Handling And Storage) | Inspection | N/A |
| BSL-ADP-1-0 | The BSL shall provide an API to register security contexts. | BSL_84 (Register Security Contexts) | Inspection | N/A |
| BSL-ADP-2-0 | The BSL shall provide an API to register policy providers. | BSL_85 (Register Policy Providers) | Inspection | N/A |
| BSL-ADP-3-0 | The BSL shall use an abstraction layer to avoid OS-specific operations. | BSL_86 (Use Abstraction Layer) | Inspection | N/A |
| BSL-ADP-4-0 | The BSL crypto function interface shall be stateless. | BSL_87 (Stateless Crypto Function) | Inspection | N/A |