This directory contains test data for verifying certificate chains.
Tests are grouped into directories that contain the keys, python to generate
chains, and test expectations. "DIR" is used as a generic placeholder below to
identify such a directory.
===============================
DIR/generate-chains.py
===============================
Python script that generates one or more ".pem" file containing a sequence of
CERTIFICATE blocks. In most cases it will generate a single chain called
"chain.pem".
===============================
DIR/keys/*.key
===============================
The keys used (as well as generated) by the .py file generate-chains.py. The
private keys shouldn't be needed to run the tests, however are useful when
re-generating the test data to have stable results (at least for signature
types which are deterministic, like RSASSA PKCS#1 which is used by most of the
certificates data).
===============================
DIR/*.pem
===============================
A sequence of CERTIFICATE blocks that was created by the generate-chains.py
script. (Although in a few cases there are manually created .pem files that
lack a generator script).
===============================
DIR/*.test
===============================
A sequence of key-value pairs that identify the inputs to certificate
verification, as well as the expected outputs. The format is essentially a
newline separated sequence of key/value pairs:
key: value\n
All keys must be specified by tests, although they can be in any order.
The possible keys are:
"chain" - The value is a file path (relative to the test file) to a .pem
containing the CERTIFICATE chain.
"last_cert_trust" - The value identifies the trustedness of the last
certificate in the chain (i.e. whether it is a trust anchor or not). This
maps to the CertificateTrustType enum. Possible values are:
"TRUSTED_ANCHOR"
"TRUSTED_ANCHOR_WITH_EXPIRATION"
"TRUSTED_ANCHOR_WITH_CONSTRAINTS"
"UNSPECIFIED"
"DISTRUSTED"
"utc_time" - A string encoding for the generalized time at which verification
should be done. Example "150302120000Z"
"key_purpose" - The expected EKU to use when verifying. Maps to
KeyPurpose enum. Possible values are:
"ANY_EKU"
"SERVER_AUTH"
"CLIENT_AUTH"
"errors" - This has special parsing rules: it is interpreted as the
final key in the file. All lines after "errors:\n" are read as being the
error string (this allows embedding newlines in it).
Additionally, it is possible to add python-style comments by starting a line
with "#".
===============================
pkits_errors/*.txt
===============================
These files contain the expected errors for PKITS tests
(third_party/nist-pkits). The file name correspond so the PKITS tests number.
They are baselined specifically for VerifyCertificateChain().
===============================
generate-all.sh
===============================
Runs all of the generate-chains.py scripts and cleans up the temp files
afterwards.
