Refactor how net/data/verify_certificate_chain_unittest/*

net/data/verify_certificate_chain_unittest/README

 This directory contains test data for verifying certificate chains.
 
-It contains the following types of files:
+Tests are grouped into directories that contain the keys, python to generate
+chains, and test expectations. "DIR" is used as a generic placeholder below to
+identify such a directory.
 
 ===============================
-generate-*.py
+DIR/generate-chains.py
 ===============================
 
-Generates the file for an individual test case. If the python file was
-named generate-XXX.py, then the corresponding output will be named
-XXX.pem.
+Python script that generates one or more ".pem" file containing a sequence of
+CERTIFICATE blocks. In most cases it will generate a single chain called
+"chain.pem".
+
+===============================
+DIR/keys/*.key
+===============================
+
+The keys used (as well as generated) by the .py file generate-chains.py. The
+private keys shouldn't be needed to run the tests, however are useful when
+re-generating the test data to have stable results (at least for signature
+types which are deterministic, like RSASSA PKCS#1 which is used by most of the
+certificates data).
+
+===============================
+DIR/*.pem
+===============================
+
+A sequence of CERTIFICATE blocks that was created by the generate-chains.py
+script. (Although in a few cases there are manually created .pem files that
+lack a generator script).
+
+===============================
+DIR/*.test
+===============================
+
+A sequence of key-value pairs that identify the inputs to certificate
+verification, as well as the expected outputs. The format is essentially a
+newline separated sequence of key/value pairs:
+
+key: value\n
+
+All keys must be specified by tests, although they can be in any order.
+The possible keys are:
+
+  "chain" - The value is a file path (relative to the test file) to a .pem
+      containing the CERTIFICATE chain.
+
+  "last_cert_trust" - The value identifies the trustedness of the last
+      certificate in the chain (i.e. whether it is a trust anchor or not). This
+      maps to the CertificateTrustType enum. Possible values are:
+          "TRUSTED_ANCHOR"
+          "TRUSTED_ANCHOR_WITH_CONSTRAINTS"
+          "UNSPECIFIED"
+          "DISTRUSTED"
+
+  "utc_time" - A string encoding for the generalized time at which verification
+      should be done. Example "150302120000Z"
+
+  "key_purpose" - The expected EKU to use when verifying. Maps to
+      KeyPurpose enum. Possible values are:
+      "ANY_EKU"
+      "SERVER_AUTH"
+      "CLIENT_AUTH"
+
+  "errors" - This has special parsing rules: it is interpreted as the
+      final key in the file. All lines after "errors:\n" are read as being the
+      error string (this allows embedding newlines in it).
+
+Additionally, it is possible to add python-style comments by starting a line
+with "#".
 
 ===============================
 generate-all.sh
 ===============================
 
-Runs all of the generate-*.py scripts and does some cleanup.
-
-===============================
-keys/XXX/*.key
-===============================
-
-The keys used/generated by test XXX. The private keys shouldn't be needed to run
-the tests, however are useful when re-generating the test data to have stable
-results (at least for signature types which are deterministic, like RSASSA
-PKCS#1 which is used by most of the certificates data).
-
-===============================
-*.pem
-===============================
-
-Each .pem file describes the inputs for certificate chain verification, and the
-expected result. These are the PEM blocks that each file contains and their
-interpretation:
-
-CERTIFICATE:
-
-These PEM blocks describe the ordered chain of certificates starting from the
-target certificate and progressing towards the trust anchor (but not including
-the trust anchor).
-
- - There must be one or more such PEM blocks
- - Its contents are a DER-encoded X.509 certificate
- - The first block is the target certificate
- - The (i+1)th CERTIFICATE is (allegedly) the one which issued the ith
-   CERTIFICATE.
-
-TRUST_ANCHOR_{XXX}:
-
-This PEM block describes the trust anchor to use when verifying the chain.
-There are two possible names for this PEM block, which affect how it is
-interpreted: TRUST_ANCHOR_CONSTRAINED or TRUST_ANCHOR_UNCONSTRAINED.
-
- - There must be exactly one TRUST_ANCHOR_{XXX} block.
- - Its contents are a DER-encoded X.509 certificate
- - The subject and SPKI from the certificate define the trust anchor
- - If the block was named TRUST_ANCHOR_CONSTRAINED, then any constraints on the
-   certificate are also considered normative when verifying paths. Otherwise
-   any standard extensions provided by the root certificate are not used during
-   path validation.
-
-TIMESTAMP:
-
-This PEM block describes the time to use when verifying the chain.
-
- - There must be exactly one such PEM block
- - Its contents are a DER-encoded UTCTime.
-
-VERIFY_RESULT:
-
-This PEM block describes the expected result from verifying the path.
-
- - There must be exactly one such PEM block
- - Its contents are a string with value of either "SUCCESS" or "FAIL"
-
-ERRORS:
-
-This PEM block is a pretty-printed textual dump of all the errors, as given by
-CertErrors::ToDebugString().
+Runs all of the generate-chains.py scripts and cleans up the temp files
+afterwards.