Chromium Code Reviews| Index: net/data/verify_certificate_chain_unittest/README |
| diff --git a/net/data/verify_certificate_chain_unittest/README b/net/data/verify_certificate_chain_unittest/README |
| index 87a46987990f19acbb63f9f1afe99e9294f9fa45..508588a81f3f6a4027db3189d7072eab21012fed 100644 |
| --- a/net/data/verify_certificate_chain_unittest/README |
| +++ b/net/data/verify_certificate_chain_unittest/README |
| @@ -1,79 +1,46 @@ |
| This directory contains test data for verifying certificate chains. |
| -It contains the following types of files: |
| +Tests are grouped into directories that contain the keys, python to generate |
| +chains, and test expectations. "DIR" is used as a generic placeholder below to |
| +identify such a directory. |
| =============================== |
| -generate-*.py |
| +DIR/generate-chain[s].py |
| =============================== |
| -Generates the file for an individual test case. If the python file was |
| -named generate-XXX.py, then the corresponding output will be named |
| -XXX.pem. |
| +Python script that generates a ".pem" file containing a sequence of CERTIFICATE |
| +blocks. |
| =============================== |
| -generate-all.sh |
| -=============================== |
| - |
| -Runs all of the generate-*.py scripts and does some cleanup. |
| - |
| -=============================== |
| -keys/XXX/*.key |
| +DIR/keys/*.key |
| =============================== |
| -The keys used/generated by test XXX. The private keys shouldn't be needed to run |
| +The keys used/generated by the test. The private keys shouldn't be needed to run |
| the tests, however are useful when re-generating the test data to have stable |
| results (at least for signature types which are deterministic, like RSASSA |
| PKCS#1 which is used by most of the certificates data). |
| =============================== |
| -*.pem |
| +DIR/*.pem |
| =============================== |
| -Each .pem file describes the inputs for certificate chain verification, and the |
| -expected result. These are the PEM blocks that each file contains and their |
| -interpretation: |
| - |
| -CERTIFICATE: |
| - |
| -These PEM blocks describe the ordered chain of certificates starting from the |
| -target certificate and progressing towards the trust anchor (but not including |
| -the trust anchor). |
| - |
| - - There must be one or more such PEM blocks |
| - - Its contents are a DER-encoded X.509 certificate |
| - - The first block is the target certificate |
| - - The (i+1)th CERTIFICATE is (allegedly) the one which issued the ith |
| - CERTIFICATE. |
| - |
| -TRUST_ANCHOR_{XXX}: |
| - |
| -This PEM block describes the trust anchor to use when verifying the chain. |
| -There are two possible names for this PEM block, which affect how it is |
| -interpreted: TRUST_ANCHOR_CONSTRAINED or TRUST_ANCHOR_UNCONSTRAINED. |
| +A sequence of CERTIFICATE blocks that was created by the generate-chain.py |
| +script (typically). |
| - - There must be exactly one TRUST_ANCHOR_{XXX} block. |
| - - Its contents are a DER-encoded X.509 certificate |
| - - The subject and SPKI from the certificate define the trust anchor |
| - - If the block was named TRUST_ANCHOR_CONSTRAINED, then any constraints on the |
| - certificate are also considered normative when verifying paths. Otherwise |
| - any standard extensions provided by the root certificate are not used during |
| - path validation. |
| - |
| -TIMESTAMP: |
| - |
| -This PEM block describes the time to use when verifying the chain. |
| - |
| - - There must be exactly one such PEM block |
| - - Its contents are a DER-encoded UTCTime. |
| - |
| -VERIFY_RESULT: |
| +=============================== |
| +DIR/*.test |
| +=============================== |
| -This PEM block describes the expected result from verifying the path. |
| +A sequence of key-value pairs that identify the inputs to certificate |
| +verification, as well as the expected outputs. It's grammar is: |
| - - There must be exactly one such PEM block |
| - - Its contents are a string with value of either "SUCCESS" or "FAIL" |
| +chain: <path to .pem file> |
| +last_cert_trust: "trustAnchor" | "trustAnchor (enforcesConstraints)" | "distrusted" | "unspecified" |
| +utc_time: <string of the UTC time to do verification at> |
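Review bot: "It's grammar is" in the DIR/*.test section should read "Its grammar is" (possessive, not the contraction). The same section drops the explanation the removed TRUST_ANCHOR_{XXX} text gave of the constrained variant; suggest one sentence after the last_cert_trust line saying that "trustAnchor (enforcesConstraints)" additionally treats the anchor certificate's own constraints as normative during path validation, and what "distrusted" and "unspecified" mean for the last certificate, since those values are new here and otherwise undefined. Also, the DIR/*.pem text names the script generate-chain.py while the heading above allows generate-chain[s].py; use the same spelling in both places.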
mattm
2017/05/02 06:43:46
key_purpose should be mentioned here
eroman
2017/05/02 19:20:23
Done.
| +errors: "" | "\n" <errors> |
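Review bot: the `errors` production refers to a nonterminal `<errors>` that is never defined, and the old ERRORS text stating that the content is the pretty-printed output of CertErrors::ToDebugString() is removed further down. Suggest keeping that reference in the grammar, e.g. `errors: "" | "\n" <output of CertErrors::ToDebugString()>`, so a reader regenerating expectations knows where the text comes from and that it must match byte for byte.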
mattm
2017/05/02 06:43:46
expected_errors
eroman
2017/05/02 19:20:23
Done.
| -ERRORS: |
| +=============================== |
| +generate-all.sh |
| +=============================== |
| -This PEM block is a pretty-printed textual dump of all the errors, as given by |
| -CertErrors::ToDebugString(). |
| +Runs all of the generate-*.py scripts and does some cleanup. |
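Review bot: the generate-all.sh paragraph still says it runs "all of the generate-*.py scripts", but the README now names them DIR/generate-chain[s].py and places them in per-test directories; suggest wording it as running the generate-chain[s].py script in each test directory, and stating what "some cleanup" removes so that a contributor knows which generated files are expected to be checked in.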