Chromium Code Reviews Chromium Code Reviews
Issue 2805213004:
Refactor how net/data/verify_certificate_chain_unittest/* (Closed)
| OLD | NEW |
|---|---|
| 1 This directory contains test data for verifying certificate chains. | 1 This directory contains test data for verifying certificate chains. |
| 2 | 2 |
| 3 It contains the following types of files: | 3 Tests are grouped into directories that contain the keys, python to generate |
| 4 chains, and test expectations. "DIR" is used as a generic placeholder below to | |
| 5 identify such a directory. | |
| 4 | 6 |
| 5 =============================== | 7 =============================== |
| 6 generate-*.py | 8 DIR/generate-chain[s].py |
| 7 =============================== | 9 =============================== |
| 8 | 10 |
| 9 Generates the file for an individual test case. If the python file was | 11 Python script that generates a ".pem" file containing a sequence of CERTIFICATE |
| 10 named generate-XXX.py, then the corresponding output will be named | 12 blocks. |
| 11 XXX.pem. | 13 |
| 14 =============================== | |
| 15 DIR/keys/*.key | |
| 16 =============================== | |
| 17 | |
| 18 The keys used/generated by the test. The private keys shouldn't be needed to run | |
| 19 the tests, however are useful when re-generating the test data to have stable | |
| 20 results (at least for signature types which are deterministic, like RSASSA | |
| 21 PKCS#1 which is used by most of the certificates data). | |
| 22 | |
| 23 =============================== | |
| 24 DIR/*.pem | |
| 25 =============================== | |
| 26 | |
| 27 A sequence of CERTIFICATE blocks that was created by the generate-chain.py | |
| 28 script (typically). | |
| 29 | |
| 30 =============================== | |
| 31 DIR/*.test | |
| 32 =============================== | |
| 33 | |
| 34 A sequence of key-value pairs that identify the inputs to certificate | |
| 35 verification, as well as the expected outputs. It's grammar is: | |
| 36 | |
| 37 chain: <path to .pem file> | |
| 38 last_cert_trust: "trustAnchor" | "trustAnchor (enforcesConstraints)" | "distrust ed" | "unspecified" | |
| 39 utc_time: <string of the UTC time to do verification at> | |
|
mattm
2017/05/02 06:43:46
key_purpose should be mentioned here
eroman
2017/05/02 19:20:23
Done.
| |
| 40 errors: "" | "\n" <errors> | |
|
mattm
2017/05/02 06:43:46
expected_errors
eroman
2017/05/02 19:20:23
Done.
| |
| 12 | 41 |
| 13 =============================== | 42 =============================== |
| 14 generate-all.sh | 43 generate-all.sh |
| 15 =============================== | 44 =============================== |
| 16 | 45 |
| 17 Runs all of the generate-*.py scripts and does some cleanup. | 46 Runs all of the generate-*.py scripts and does some cleanup. |
| 18 | |
| 19 =============================== | |
| 20 keys/XXX/*.key | |
| 21 =============================== | |
| 22 | |
| 23 The keys used/generated by test XXX. The private keys shouldn't be needed to run | |
| 24 the tests, however are useful when re-generating the test data to have stable | |
| 25 results (at least for signature types which are deterministic, like RSASSA | |
| 26 PKCS#1 which is used by most of the certificates data). | |
| 27 | |
| 28 =============================== | |
| 29 *.pem | |
| 30 =============================== | |
| 31 | |
| 32 Each .pem file describes the inputs for certificate chain verification, and the | |
| 33 expected result. These are the PEM blocks that each file contains and their | |
| 34 interpretation: | |
| 35 | |
| 36 CERTIFICATE: | |
| 37 | |
| 38 These PEM blocks describe the ordered chain of certificates starting from the | |
| 39 target certificate and progressing towards the trust anchor (but not including | |
| 40 the trust anchor). | |
| 41 | |
| 42 - There must be one or more such PEM blocks | |
| 43 - Its contents are a DER-encoded X.509 certificate | |
| 44 - The first block is the target certificate | |
| 45 - The (i+1)th CERTIFICATE is (allegedly) the one which issued the ith | |
| 46 CERTIFICATE. | |
| 47 | |
| 48 TRUST_ANCHOR_{XXX}: | |
| 49 | |
| 50 This PEM block describes the trust anchor to use when verifying the chain. | |
| 51 There are two possible names for this PEM block, which affect how it is | |
| 52 interpreted: TRUST_ANCHOR_CONSTRAINED or TRUST_ANCHOR_UNCONSTRAINED. | |
| 53 | |
| 54 - There must be exactly one TRUST_ANCHOR_{XXX} block. | |
| 55 - Its contents are a DER-encoded X.509 certificate | |
| 56 - The subject and SPKI from the certificate define the trust anchor | |
| 57 - If the block was named TRUST_ANCHOR_CONSTRAINED, then any constraints on the | |
| 58 certificate are also considered normative when verifying paths. Otherwise | |
| 59 any standard extensions provided by the root certificate are not used during | |
| 60 path validation. | |
| 61 | |
| 62 TIMESTAMP: | |
| 63 | |
| 64 This PEM block describes the time to use when verifying the chain. | |
| 65 | |
| 66 - There must be exactly one such PEM block | |
| 67 - Its contents are a DER-encoded UTCTime. | |
| 68 | |
| 69 VERIFY_RESULT: | |
| 70 | |
| 71 This PEM block describes the expected result from verifying the path. | |
| 72 | |
| 73 - There must be exactly one such PEM block | |
| 74 - Its contents are a string with value of either "SUCCESS" or "FAIL" | |
| 75 | |
| 76 ERRORS: | |
| 77 | |
| 78 This PEM block is a pretty-printed textual dump of all the errors, as given by | |
| 79 CertErrors::ToDebugString(). | |
| OLD | NEW |
