88 lines
3.0 KiB
Plaintext
88 lines
3.0 KiB
Plaintext
|
This directory contains test data for verifying certificate chains.
|
||
|
|
|
||
|
|
Tests are grouped into directories that contain the keys, python to generate
|
||
|
|
chains, and test expectations. "DIR" is used as a generic placeholder below to
|
||
|
|
identify such a directory.
|
||
|
|
|
||
|
|
===============================
|
||
|
|
DIR/generate-chains.py
|
||
|
|
===============================
|
||
|
|
|
||
|
|
Python script that generates one or more ".pem" file containing a sequence of
|
||
|
|
CERTIFICATE blocks. In most cases it will generate a single chain called
|
||
|
|
"chain.pem".
|
||
|
|
|
||
|
|
===============================
|
||
|
|
DIR/keys/*.key
|
||
|
|
===============================
|
||
|
|
|
||
|
|
The keys used (as well as generated) by the .py file generate-chains.py. The
|
||
|
|
private keys shouldn't be needed to run the tests, however are useful when
|
||
|
|
re-generating the test data to have stable results (at least for signature
|
||
|
|
types which are deterministic, like RSASSA PKCS#1 which is used by most of the
|
||
|
|
certificates data).
|
||
|
|
|
||
|
|
===============================
|
||
|
|
DIR/*.pem
|
||
|
|
===============================
|
||
|
|
|
||
|
|
A sequence of CERTIFICATE blocks that was created by the generate-chains.py
|
||
|
|
script. (Although in a few cases there are manually created .pem files that
|
||
|
|
lack a generator script).
|
||
|
|
|
||
|
|
===============================
|
||
|
|
DIR/*.test
|
||
|
|
===============================
|
||
|
|
|
||
|
|
A sequence of key-value pairs that identify the inputs to certificate
|
||
|
|
verification, as well as the expected outputs. The format is essentially a
|
||
|
|
newline separated sequence of key/value pairs:
|
||
|
|
|
||
|
|
key: value\n
|
||
|
|
|
||
|
|
All keys must be specified by tests, although they can be in any order.
|
||
|
|
The possible keys are:
|
||
|
|
|
||
|
|
"chain" - The value is a file path (relative to the test file) to a .pem
|
||
|
|
containing the CERTIFICATE chain.
|
||
|
|
|
||
|
|
"last_cert_trust" - The value identifies the trustedness of the last
|
||
|
|
certificate in the chain (i.e. whether it is a trust anchor or not). This
|
||
|
|
maps to the CertificateTrustType enum. Possible values are:
|
||
|
|
"TRUSTED_ANCHOR"
|
||
|
|
"TRUSTED_ANCHOR_WITH_EXPIRATION"
|
||
|
|
"TRUSTED_ANCHOR_WITH_CONSTRAINTS"
|
||
|
|
"UNSPECIFIED"
|
||
|
|
"DISTRUSTED"
|
||
|
|
|
||
|
|
"utc_time" - A string encoding for the generalized time at which verification
|
||
|
|
should be done. Example "150302120000Z"
|
||
|
|
|
||
|
|
"key_purpose" - The expected EKU to use when verifying. Maps to
|
||
|
|
KeyPurpose enum. Possible values are:
|
||
|
|
"ANY_EKU"
|
||
|
|
"SERVER_AUTH"
|
||
|
|
"CLIENT_AUTH"
|
||
|
|
|
||
|
|
"errors" - This has special parsing rules: it is interpreted as the
|
||
|
|
final key in the file. All lines after "errors:\n" are read as being the
|
||
|
|
error string (this allows embedding newlines in it).
|
||
|
|
|
||
|
|
Additionally, it is possible to add python-style comments by starting a line
|
||
|
|
with "#".
|
||
|
|
|
||
|
|
===============================
|
||
|
|
pkits_errors/*.txt
|
||
|
|
===============================
|
||
|
|
|
||
|
|
These files contain the expected errors for PKITS tests
|
||
|
|
(third_party/nist-pkits). The file name correspond so the PKITS tests number.
|
||
|
|
They are baselined specifically for VerifyCertificateChain().
|
||
|
|
|
||
|
|
===============================
|
||
|
|
generate-all.sh
|
||
|
|
===============================
|
||
|
|
|
||
|
|
Runs all of the generate-chains.py scripts and cleans up the temp files
|
||
|
|
afterwards.
|