| OLD | NEW |
| 1 This directory contains test data for verifying certificate chains. | 1 This directory contains test data for verifying certificate chains. |
| 2 | 2 |
| 3 It contains the following types of files: | 3 It contains the following types of files: |
| 4 | 4 |
| 5 =============================== | 5 =============================== |
| 6 generate-*.py | 6 generate-*.py |
| 7 =============================== | 7 =============================== |
| 8 | 8 |
| 9 Generates the file for an individual test case. If the python file was | 9 Generates the file for an individual test case. If the python file was |
| 10 named generate-XXX.py, then the corresponding output will be named | 10 named generate-XXX.py, then the corresponding output will be named |
| 11 XXX.pem. | 11 XXX.pem. |
| 12 | 12 |
| 13 =============================== | 13 =============================== |
| 14 generate-all.sh | 14 generate-all.sh |
| 15 =============================== | 15 =============================== |
| 16 | 16 |
| 17 Runs all of the generate-*.py scripts and does some cleanup. | 17 Runs all of the generate-*.py scripts and does some cleanup. |
| 18 | 18 |
| 19 =============================== | 19 =============================== |
| 20 *.pem | 20 *.pem |
| 21 =============================== | 21 =============================== |
| 22 | 22 |
| 23 These files descibe a test case for certificate chain verification. | 23 Each .pem file describes the inputs for certificate chain verification, and the |
| 24 expected result. These are the PEM blocks that each file contains and their |
| 25 interpretation: |
| 24 | 26 |
| 25 The input file is a PEM file with blocks for: | 27 CERTIFICATE: |
| 26 * The trust store | 28 |
| 27 * The certificate chain (target certificate and all intermediates) | 29 These PEM blocks describe the ordered chain of certificates starting from the |
| 28 * The timestamp to use when verifying | 30 target certificate and progressing towards the trust anchor (but not including |
| 29 * The expected result of verification (success or fail) | 31 the trust anchor). |
| 32 |
| 33 - There must be one or more such PEM blocks |
| 34 - Its contents are a DER-encoded X.509 certificate |
| 35 - The first block is the target certificate |
| 36 - The (i+1)th CERTIFICATE is (allegedly) the one which issued the ith |
| 37 CERTIFICATE. |
| 38 |
| 39 TRUST_ANCHOR_{XXX}: |
| 40 |
| 41 This PEM block describes the trust anchor to use when verifying the chain. |
| 42 There are two possible names for this PEM block, which affect how it is |
| 43 interpreted: TRUST_ANCHOR_CONSTRAINED or TRUST_ANCHOR_UNCONSTRAINED. |
| 44 |
| 45 - There must be exactly one TRUST_ANCHOR_{XXX} block. |
| 46 - Its contents are a DER-encoded X.509 certificate |
| 47 - The subject and SPKI from the certificate define the trust anchor |
| 48 - If the block was named TRUST_ANCHOR_CONSTRAINED, then any constraints on the |
| 49 certificate are also considered normative when verifying paths. Otherwise |
| 50 any standard extensions provided by the root certificate are not used during |
| 51 path validation. |
| 52 |
| 53 TIMESTAMP: |
| 54 |
| 55 This PEM block describes the time to use when verifying the chain. |
| 56 |
| 57 - There must be exactly one such PEM block |
| 58 - Its contents are a DER-encoded UTCTime. |
| 59 |
| 60 VERIFY_RESULT: |
| 61 |
| 62 This PEM block describes the expected result from verifying the path. |
| 63 |
| 64 - There must be exactly one such PEM block |
| 65 - Its contents are a string with value of either "SUCCESS" or "FAIL" |
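Review bot: the TIMESTAMP section of the new text restricts the block's contents to a "DER-encoded UTCTime", which with its two-digit year can only express dates from 1950 through 2049; if any test case will ever need a verification time at or beyond 2050, the description should also admit a DER-encoded GeneralizedTime, or else state explicitly that UTCTime is the only accepted form so that a reader of the file knows the parser will reject anything else. Two smaller points in the same hunk: the VERIFY_RESULT section says "Its contents are a string with value of either "SUCCESS" or "FAIL"" but does not say whether that string is the base64-decoded body of the PEM block and whether a trailing newline is tolerated, which anyone writing a new generate-*.py will need to know; and the CERTIFICATE section says the chain runs towards the trust anchor "(but not including the trust anchor)" and that "The (i+1)th CERTIFICATE is (allegedly) the one which issued the ith CERTIFICATE", but does not say whether a chain that does include the anchor certificate is a malformed test file or simply a legitimate FAIL case. A one-line clarification for each would remove the ambiguity.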