Chromium Code Reviews
| Index: net/data/verify_certificate_chain_unittest/README |
| diff --git a/net/data/verify_certificate_chain_unittest/README b/net/data/verify_certificate_chain_unittest/README |
| index 5c7019d07abfa027fd8a6ba2c34c9fa42e2b5b1d..76fbc956e31eed6d36c0fb7aa402e9527fe6225a 100644 |
| --- a/net/data/verify_certificate_chain_unittest/README |
| +++ b/net/data/verify_certificate_chain_unittest/README |
| @@ -20,10 +20,45 @@ Runs all of the generate-*.py scripts and does some cleanup. |
| *.pem |
| =============================== |
| -These files descibe a test case for certificate chain verification. |
| +Each .pem file describes the inputs for certificate chain verification, and the |
| +expected result. These are the PEM blocks that each file contains and their |
| +interpretation: |
| -The input file is a PEM file with blocks for: |
| - * The trust store |
| - * The certificate chain (target certificate and all intermediates) |
| - * The timestamp to use when verifying |
| - * The expected result of verification (success or fail) |
| +CERTIFICATE: |
| + |
| +These PEM blocks describe the ordered chain of certificates starting from the |
| +target certificate and progressing towards the trust anchor (but not including |
| +the trust anchor). |
| + |
| + - There must be one or more such PEM blocks |
| + - Its contents are a DER-encoded X.509 certificate |
| + - The first block is the target certificate |
| + - The (i+1)th CERTIFICATE is (allegedly) the one which issued the ith CERTIFICATE. |
| + |
| +TRUST_ANCHOR_{XXX}: |
| + |
| +This PEM block describes the trust anchor to use when verifying the chain. |
| +There are two possible names for this PEM block, which affect how it is |
| +interpreted: TRUST_ANCHOR_CONSTRAINED or TRUST_ANCHOR_UNCONSTRAINED. |
|
eroman
2016/08/11 01:02:30
Maybe I should remove mention of "_CONSTRAINED" si
|
| + |
| + - There must be exactly one TRUST_ANCHOR_{XXX} block. |
| + - Its contents are a DER-encoded X.509 certificate |
| + - The name and SPKI from the certificate define the trust anchor |
| + - If the block was named TRUST_ANCHOR_CONSTRAINED, then any constraints on the |
| + certificate are also considered normative when verifying paths. Otherwise |
| + any standard extensions provided by the root certificate are not used during |
| + path validation. |
| + |
| +TIMESTAMP: |
| + |
| +This PEM block describes the time to use when verifying the chain. |
| + |
| + - There must be exactly one such PEM block |
| + - Its contents are a DER-encoded UTCTime. |
| + |
| +VERIFY_RESULT: |
| + |
| +This PEM block describes the expected result from verifying the path. |
| + |
| + - There must be exactly one such PEM block |
| + - Its contents are a string with value of either "SUCCESS" or "FAIL" |
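Review bot: TIMESTAMP is documented as a DER-encoded UTCTime only; UTCTime carries a two-digit year (RFC 5280 restricts it to 1950 through 2049), so a test whose verification time falls at or after 2050, for example a chain whose notAfter is far in the future, cannot be expressed with this format. Consider stating whether a GeneralizedTime block is also accepted, or noting the restriction explicitly. Minor: under CERTIFICATE the list is introduced with "These PEM blocks" but the second bullet reads "Its contents are a DER-encoded X.509 certificate"; "Each block's contents" would be consistent. The first TRUST_ANCHOR bullet ends with a period while its sibling bullets do not.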