README
This directory contains test data for verifying certificate chains.

Tests are grouped into directories that contain the keys, Python to generate
chains, and test expectations. "DIR" is used as a generic placeholder below to
identify such a directory.

===============================
DIR/generate-chains.py
===============================

Python script that generates one or more ".pem" files, each containing a
sequence of CERTIFICATE blocks. In most cases it will generate a single chain
called "chain.pem".

===============================
DIR/keys/*.key
===============================

The keys used (as well as generated) by the generate-chains.py script. The
private keys shouldn't be needed to run the tests, but they are useful when
re-generating the test data to get stable results (at least for signature
types which are deterministic, like RSASSA PKCS#1, which is used by most of
the certificate data).

===============================
DIR/*.pem
===============================

A sequence of CERTIFICATE blocks that was created by the generate-chains.py
script. (Although in a few cases there are manually created .pem files that
lack a generator script.)

===============================
DIR/*.test
===============================

A sequence of key-value pairs that identify the inputs to certificate
verification, as well as the expected outputs. The format is essentially a
newline-separated sequence of key/value pairs:

key: value\n

All keys must be specified by tests, although they can be in any order.
The possible keys are:

  "chain" - The value is a file path (relative to the test file) to a .pem
  containing the CERTIFICATE chain.

  "last_cert_trust" - The value identifies the trustedness of the last
  certificate in the chain (i.e. whether it is a trust anchor or not). This
  maps to the CertificateTrustType enum. Possible values are:
    "TRUSTED_ANCHOR"
    "TRUSTED_ANCHOR_WITH_EXPIRATION"
    "TRUSTED_ANCHOR_WITH_CONSTRAINTS"
    "UNSPECIFIED"
    "DISTRUSTED"

  "utc_time" - A string encoding for the generalized time at which verification
  should be done. Example: "150302120000Z"

  "key_purpose" - The expected EKU to use when verifying. Maps to the
  KeyPurpose enum. Possible values are:
    "ANY_EKU"
    "SERVER_AUTH"
    "CLIENT_AUTH"

  "errors" - This has special parsing rules: it is interpreted as the
  final key in the file. All lines after "errors:\n" are read as being the
  error string (this allows embedding newlines in it).

Additionally, it is possible to add Python-style comments by starting a line
with "#".

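The following parser for the .test format is an added example, not part of the repository; it shows the two rules that are easy to get wrong, namely that "#" comments are only skipped before "errors:" and that everything after "errors:\n" (including lines that look like comments) is the expected error string. The sample test file embedded at the bottom is constructed for the example.

```python
# Added example, not the repository's own code: parses the DIR/*.test format.
REQUIRED_KEYS = {"chain", "last_cert_trust", "utc_time", "key_purpose", "errors"}
TRUST_VALUES = {"TRUSTED_ANCHOR", "TRUSTED_ANCHOR_WITH_EXPIRATION",
                "TRUSTED_ANCHOR_WITH_CONSTRAINTS", "UNSPECIFIED", "DISTRUSTED"}
KEY_PURPOSE_VALUES = {"ANY_EKU", "SERVER_AUTH", "CLIENT_AUTH"}


def parse_test_file(text):
    """Return the test's inputs and expected output as a dict."""
    lines = text.split("\n")
    result = {}
    for index, line in enumerate(lines):
        # '#' comments and blank lines are skipped, but only before "errors:".
        if line.startswith("#") or not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        key = key.strip()
        if key in result:
            raise ValueError("duplicate key: %s" % key)
        if key == "errors":
            # "errors" is the final key: its value is every line after
            # "errors:\n", so embedded newlines and '#' lines are preserved.
            result["errors"] = "\n".join(lines[index + 1:])
            break
        result[key] = value.strip()

    missing = REQUIRED_KEYS - set(result)
    if missing:
        raise ValueError("missing keys: %s" % ", ".join(sorted(missing)))
    if result["last_cert_trust"] not in TRUST_VALUES:
        raise ValueError("bad last_cert_trust: %s" % result["last_cert_trust"])
    if result["key_purpose"] not in KEY_PURPOSE_VALUES:
        raise ValueError("bad key_purpose: %s" % result["key_purpose"])
    return result


# Constructed sample (not one of the repository's test files).
SAMPLE_TEST = """# constructed expectations for a chain that fails verification
last_cert_trust: TRUSTED_ANCHOR
chain: chain.pem
utc_time: 150302120000Z
key_purpose: SERVER_AUTH
errors:
----- Certificate i=1 (CN=placeholder) -----
# this line is part of the expected error text, not a comment
ERROR: placeholder error line
"""
```

A test expecting successful verification ends with "errors:\n" and nothing after it, which this parser returns as an empty error string.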
===============================
pkits_errors/*.txt
===============================

These files contain the expected errors for PKITS tests
(third_party/nist-pkits). The file names correspond to the PKITS test numbers.
They are baselined specifically for VerifyCertificateChain().

===============================
generate-all.sh
===============================

Runs all of the generate-chains.py scripts and cleans up the temp files
afterwards.
88