Chromium Code Reviews

| OLD | NEW |
|---|---|
| 1 This directory contains test data for verifying certificate chains. | 1 This directory contains test data for verifying certificate chains. |
| 2 | 2 |
| 3 It contains the following types of files: | 3 It contains the following types of files: |
| 4 | 4 |
| 5 =============================== | 5 =============================== |
| 6 generate-*.py | 6 generate-*.py |
| 7 =============================== | 7 =============================== |
| 8 | 8 |
| 9 Generates the file for an individual test case. If the python file was | 9 Generates the file for an individual test case. If the python file was |
| 10 named generate-XXX.py, then the corresponding output will be named | 10 named generate-XXX.py, then the corresponding output will be named |
| 11 XXX.pem. | 11 XXX.pem. |
| 12 | 12 |
| 13 =============================== | 13 =============================== |
| 14 generate-all.sh | 14 generate-all.sh |
| 15 =============================== | 15 =============================== |
| 16 | 16 |
| 17 Runs all of the generate-*.py scripts and does some cleanup. | 17 Runs all of the generate-*.py scripts and does some cleanup. |
| 18 | 18 |
| 19 =============================== | 19 =============================== |
| 20 *.pem | 20 *.pem |
| 21 =============================== | 21 =============================== |
| 22 | 22 |
| 23 These files descibe a test case for certificate chain verification. | 23 Each .pem file describes the inputs for certificate chain verification, and the |
| 24 expected result. These are the PEM blocks that each file contains and their | |
| 25 interpretation: | |
| 24 | 26 |
| 25 The input file is a PEM file with blocks for: | 27 CERTIFICATE: |
| 26 * The trust store | 28 |
| 27 * The certificate chain (target certificate and all intermediates) | 29 These PEM blocks describe the ordered chain of certificates starting from the |
| 28 * The timestamp to use when verifying | 30 target certificate and progressing towards the trust anchor (but not including |
| 29 * The expected result of verification (success or fail) | 31 the trust anchor). |
| 32 | |
| 33 - There must be one or more such PEM blocks | |
| 34 - Its contents are a DER-encoded X.509 certificate | |
| 35 - The first block is the target certificate | |
| 36 - The (i+1)th CERTIFICATE is (allegedly) the one which issued the ith CERTIFICA TE. | |
| 37 | |
| 38 TRUST_ANCHOR_{XXX}: | |
| 39 | |
| 40 This PEM block describes the trust anchor to use when verifying the chain. | |
| 41 There are two possible names for this PEM block, which affect how it is | |
| 42 interpreted: TRUST_ANCHOR_CONSTRAINED or TRUST_ANCHOR_UNCONSTRAINED. | |
|
eroman
2016/08/11 01:02:30
Maybe I should remove mention of "_CONSTRAINED" si
| |
| 43 | |
| 44 - There must be exactly one TRUST_ANCHOR_{XXX} block. | |
| 45 - Its contents are a DER-encoded X.509 certificate | |
| 46 - The name and SPKI from the certificate define the trust anchor | |
| 47 - If the block was named TRUST_ANCHOR_CONSTRAINED, then any constraints on the | |
| 48 certificate are also considered normative when verifying paths. Otherwise | |
| 49 any standard extensions provided by the root certificate are not used during | |
| 50 path validation. | |
| 51 | |
| 52 TIMESTAMP: | |
| 53 | |
| 54 This PEM block describes the time to use when verifying the chain. | |
| 55 | |
| 56 - There must be exactly one such PEM block | |
| 57 - Its contents are a DER-encoded UTCTime. | |
| 58 | |
| 59 VERIFY_RESULT: | |
| 60 | |
| 61 This PEM block describes the expected result from verifying the path. | |
| 62 | |
| 63 - There must be exactly one such PEM block | |
| 64 - Its contents are a string with value of either "SUCCESS" or "FAIL" | |
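Review bot: the VERIFY_RESULT block description says its contents are the string "SUCCESS" or "FAIL", but every other block in this file holds DER bytes, so it is ambiguous whether that string sits inside the PEM block base64-encoded like the others or is written literally between the BEGIN/END markers; state the encoding explicitly so the generate-*.py scripts and the test parser agree. The TIMESTAMP block should likewise say whether only a DER-encoded UTCTime is accepted, since UTCTime cannot express dates outside 1950-2049 and a GeneralizedTime would be needed for test cases beyond that range.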