Chromium Code Reviews

Unified Diff: net/data/verify_certificate_chain_unittest/README

Issue 2805213004: Refactor how net/data/verify_certificate_chain_unittest/* (Closed)
Patch Set: rebase Created 3 years, 8 months ago
Index: net/data/verify_certificate_chain_unittest/README
diff --git a/net/data/verify_certificate_chain_unittest/README b/net/data/verify_certificate_chain_unittest/README
index 87a46987990f19acbb63f9f1afe99e9294f9fa45..508588a81f3f6a4027db3189d7072eab21012fed 100644
--- a/net/data/verify_certificate_chain_unittest/README
+++ b/net/data/verify_certificate_chain_unittest/README
@@ -1,79 +1,46 @@
This directory contains test data for verifying certificate chains.
-It contains the following types of files:
+Tests are grouped into directories that contain the keys, python to generate
+chains, and test expectations. "DIR" is used as a generic placeholder below to
+identify such a directory.
===============================
-generate-*.py
+DIR/generate-chain[s].py
===============================
-Generates the file for an individual test case. If the python file was
-named generate-XXX.py, then the corresponding output will be named
-XXX.pem.
+Python script that generates a ".pem" file containing a sequence of CERTIFICATE
+blocks.
===============================
-generate-all.sh
-===============================
-
-Runs all of the generate-*.py scripts and does some cleanup.
-
-===============================
-keys/XXX/*.key
+DIR/keys/*.key
===============================
-The keys used/generated by test XXX. The private keys shouldn't be needed to run
+The keys used/generated by the test. The private keys shouldn't be needed to run
the tests, however are useful when re-generating the test data to have stable
results (at least for signature types which are deterministic, like RSASSA
PKCS#1 which is used by most of the certificates data).
===============================
-*.pem
+DIR/*.pem
===============================
-Each .pem file describes the inputs for certificate chain verification, and the
-expected result. These are the PEM blocks that each file contains and their
-interpretation:
-
-CERTIFICATE:
-
-These PEM blocks describe the ordered chain of certificates starting from the
-target certificate and progressing towards the trust anchor (but not including
-the trust anchor).
-
- - There must be one or more such PEM blocks
- - Its contents are a DER-encoded X.509 certificate
- - The first block is the target certificate
- - The (i+1)th CERTIFICATE is (allegedly) the one which issued the ith
- CERTIFICATE.
-
-TRUST_ANCHOR_{XXX}:
-
-This PEM block describes the trust anchor to use when verifying the chain.
-There are two possible names for this PEM block, which affect how it is
-interpreted: TRUST_ANCHOR_CONSTRAINED or TRUST_ANCHOR_UNCONSTRAINED.
+A sequence of CERTIFICATE blocks that was created by the generate-chain.py
+script (typically).
- - There must be exactly one TRUST_ANCHOR_{XXX} block.
- - Its contents are a DER-encoded X.509 certificate
- - The subject and SPKI from the certificate define the trust anchor
- - If the block was named TRUST_ANCHOR_CONSTRAINED, then any constraints on the
- certificate are also considered normative when verifying paths. Otherwise
- any standard extensions provided by the root certificate are not used during
- path validation.
-
-TIMESTAMP:
-
-This PEM block describes the time to use when verifying the chain.
-
- - There must be exactly one such PEM block
- - Its contents are a DER-encoded UTCTime.
-
-VERIFY_RESULT:
+===============================
+DIR/*.test
+===============================
-This PEM block describes the expected result from verifying the path.
+A sequence of key-value pairs that identify the inputs to certificate
+verification, as well as the expected outputs. It's grammar is:
- - There must be exactly one such PEM block
- - Its contents are a string with value of either "SUCCESS" or "FAIL"
+chain: <path to .pem file>
+last_cert_trust: "trustAnchor" | "trustAnchor (enforcesConstraints)" | "distrusted" | "unspecified"
+utc_time: <string of the UTC time to do verification at>
mattm 2017/05/02 06:43:46 key_purpose should be mentioned here
eroman 2017/05/02 19:20:23 Done.
+errors: "" | "\n" <errors>
mattm 2017/05/02 06:43:46 expected_errors
eroman 2017/05/02 19:20:23 Done.
-ERRORS:
+===============================
+generate-all.sh
+===============================
-This PEM block is a pretty-printed textual dump of all the errors, as given by
-CertErrors::ToDebugString().
+Runs all of the generate-*.py scripts and does some cleanup.
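Review bot: The new DIR/*.pem and DIR/*.test sections no longer say how the CERTIFICATE blocks are ordered or which certificate last_cert_trust applies to. The removed text stated that the first block is the target, that each following block is the alleged issuer of the previous one, and that the trust anchor lived in its own block. The key name suggests the trust setting now attaches to the final certificate in the .pem, so please add a sentence stating the ordering and that the last certificate is the one last_cert_trust describes; a test author who assumes the old layout would otherwise build a chain that exercises a different path than intended. The format expected for utc_time is also unspecified, whereas the removed TIMESTAMP block was defined as a DER-encoded UTCTime. Minor: "It's grammar is:" should read "Its grammar is:", and the .pem section refers to generate-chain.py while the heading above uses generate-chain[s].py.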
