Index: net/data/verify_certificate_chain_unittest/README |
diff --git a/net/data/verify_certificate_chain_unittest/README b/net/data/verify_certificate_chain_unittest/README |
index 87a46987990f19acbb63f9f1afe99e9294f9fa45..508588a81f3f6a4027db3189d7072eab21012fed 100644 |
--- a/net/data/verify_certificate_chain_unittest/README |
+++ b/net/data/verify_certificate_chain_unittest/README |
@@ -1,79 +1,46 @@ |
This directory contains test data for verifying certificate chains. |
-It contains the following types of files: |
+Tests are grouped into directories that contain the keys, python to generate |
+chains, and test expectations. "DIR" is used as a generic placeholder below to |
+identify such a directory. |
=============================== |
-generate-*.py |
+DIR/generate-chain[s].py |
=============================== |
-Generates the file for an individual test case. If the python file was |
-named generate-XXX.py, then the corresponding output will be named |
-XXX.pem. |
+Python script that generates a ".pem" file containing a sequence of CERTIFICATE |
+blocks. |
=============================== |
-generate-all.sh |
-=============================== |
- |
-Runs all of the generate-*.py scripts and does some cleanup. |
- |
-=============================== |
-keys/XXX/*.key |
+DIR/keys/*.key |
=============================== |
-The keys used/generated by test XXX. The private keys shouldn't be needed to run |
+The keys used/generated by the test. The private keys shouldn't be needed to run |
the tests, however are useful when re-generating the test data to have stable |
results (at least for signature types which are deterministic, like RSASSA |
PKCS#1 which is used by most of the certificates data). |
=============================== |
-*.pem |
+DIR/*.pem |
=============================== |
-Each .pem file describes the inputs for certificate chain verification, and the |
-expected result. These are the PEM blocks that each file contains and their |
-interpretation: |
- |
-CERTIFICATE: |
- |
-These PEM blocks describe the ordered chain of certificates starting from the |
-target certificate and progressing towards the trust anchor (but not including |
-the trust anchor). |
- |
- - There must be one or more such PEM blocks |
- - Its contents are a DER-encoded X.509 certificate |
- - The first block is the target certificate |
- - The (i+1)th CERTIFICATE is (allegedly) the one which issued the ith |
- CERTIFICATE. |
- |
-TRUST_ANCHOR_{XXX}: |
- |
-This PEM block describes the trust anchor to use when verifying the chain. |
-There are two possible names for this PEM block, which affect how it is |
-interpreted: TRUST_ANCHOR_CONSTRAINED or TRUST_ANCHOR_UNCONSTRAINED. |
+A sequence of CERTIFICATE blocks that was created by the generate-chain.py |
+script (typically). |
- - There must be exactly one TRUST_ANCHOR_{XXX} block. |
- - Its contents are a DER-encoded X.509 certificate |
- - The subject and SPKI from the certificate define the trust anchor |
- - If the block was named TRUST_ANCHOR_CONSTRAINED, then any constraints on the |
- certificate are also considered normative when verifying paths. Otherwise |
- any standard extensions provided by the root certificate are not used during |
- path validation. |
- |
-TIMESTAMP: |
- |
-This PEM block describes the time to use when verifying the chain. |
- |
- - There must be exactly one such PEM block |
- - Its contents are a DER-encoded UTCTime. |
- |
-VERIFY_RESULT: |
+=============================== |
+DIR/*.test |
+=============================== |
-This PEM block describes the expected result from verifying the path. |
+A sequence of key-value pairs that identify the inputs to certificate |
+verification, as well as the expected outputs. It's grammar is: |
- - There must be exactly one such PEM block |
- - Its contents are a string with value of either "SUCCESS" or "FAIL" |
+chain: <path to .pem file> |
+last_cert_trust: "trustAnchor" | "trustAnchor (enforcesConstraints)" | "distrusted" | "unspecified" |
+utc_time: <string of the UTC time to do verification at> |
mattm
2017/05/02 06:43:46
key_purpose should be mentioned here
eroman
2017/05/02 19:20:23
Done.
|
+errors: "" | "\n" <errors> |
mattm
2017/05/02 06:43:46
expected_errors
eroman
2017/05/02 19:20:23
Done.
|
-ERRORS: |
+=============================== |
+generate-all.sh |
+=============================== |
-This PEM block is a pretty-printed textual dump of all the errors, as given by |
-CertErrors::ToDebugString(). |
+Runs all of the generate-*.py scripts and does some cleanup. |
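Review bot: The rewritten DIR/*.pem section drops the chain-ordering rules the removed text spelled out (the first CERTIFICATE is the target, and the (i+1)th CERTIFICATE is the alleged issuer of the ith). Yet last_cert_trust in the DIR/*.test grammar only makes sense if the reader knows which end of the file is the anchor candidate. Suggest keeping one sentence in the DIR/*.pem section that states the order and says the final CERTIFICATE is the one last_cert_trust applies to. In the DIR/*.test paragraph, "It's grammar is:" should read "Its grammar is:". utc_time should also name the expected string format, since the removed TIMESTAMP text ("DER-encoded UTCTime") was the only place the format was stated. Minor: the heading says DIR/generate-chain[s].py, while the DIR/*.pem text refers to generate-chain.py and the generate-all.sh text to generate-*.py; pick one spelling so it is clear which scripts generate-all.sh runs.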