Codebase Browser
chromium
Go to App

chromium/net/data/verify_certificate_chain_unittest/README 

This directory contains test data for verifying certificate chains.

Tests are grouped into directories that contain the keys, python to generate
chains, and test expectations. "DIR" is used as a generic placeholder below to
identify such a directory.

===============================
DIR/generate-chains.py
===============================

Python script that generates one or more ".pem" file containing a sequence of
CERTIFICATE blocks. In most cases it will generate a single chain called
"chain.pem".

===============================
DIR/keys/*.key
===============================

The keys used (as well as generated) by the .py file generate-chains.py. The
private keys shouldn't be needed to run the tests, however are useful when
re-generating the test data to have stable results (at least for signature
types which are deterministic, like RSASSA PKCS#1 which is used by most of the
certificates data).

===============================
DIR/*.pem
===============================

A sequence of CERTIFICATE blocks that was created by the generate-chains.py
script. (Although in a few cases there are manually created .pem files that
lack a generator script).

===============================
DIR/*.test
===============================

A sequence of key-value pairs that identify the inputs to certificate
verification, as well as the expected outputs. The format is essentially a
newline separated sequence of key/value pairs:

key: value\n

All keys must be specified by tests, although they can be in any order.
The possible keys are:

  "chain" - The value is a file path (relative to the test file) to a .pem
      containing the CERTIFICATE chain.

  "last_cert_trust" - The value identifies the trustedness of the last
      certificate in the chain (i.e. whether it is a trust anchor or not). This
      maps to the CertificateTrustType enum. Possible values are:
          "TRUSTED_ANCHOR"
          "TRUSTED_ANCHOR_WITH_EXPIRATION"
          "TRUSTED_ANCHOR_WITH_CONSTRAINTS"
          "UNSPECIFIED"
          "DISTRUSTED"

  "utc_time" - A string encoding for the generalized time at which verification
      should be done. Example "150302120000Z"

  "key_purpose" - The expected EKU to use when verifying. Maps to
      KeyPurpose enum. Possible values are:
      "ANY_EKU"
      "SERVER_AUTH"
      "CLIENT_AUTH"

  "errors" - This has special parsing rules: it is interpreted as the
      final key in the file. All lines after "errors:\n" are read as being the
      error string (this allows embedding newlines in it).

Additionally, it is possible to add python-style comments by starting a line
with "#".

===============================
generate-all.sh
===============================

Runs all of the generate-chains.py scripts and cleans up the temp files
afterwards.