verify_certificate_chain_unittest
This directory contains test data for verifying certificate chains. Tests are
grouped into directories that contain the keys, Python to generate chains, and
test expectations.

"DIR" is used as a generic placeholder below to identify such a directory.

===============================
DIR/generate-chains.py
===============================

Python script that generates one or more ".pem" files, each containing a
sequence of CERTIFICATE blocks. In most cases it will generate a single chain
called "chain.pem".

===============================
DIR/keys/*.key
===============================

The keys used (as well as generated) by the generate-chains.py script.

The private keys shouldn't be needed to run the tests, but they are useful when
re-generating the test data to get stable results (at least for signature
types which are deterministic, like RSASSA PKCS#1, which is used by most of the
certificate data).

===============================
DIR/*.pem
===============================

A sequence of CERTIFICATE blocks that was created by the generate-chains.py
script. (Although in a few cases there are manually created .pem files that
lack a generator script.)

===============================
DIR/*.test
===============================

A sequence of key-value pairs that identify the inputs to certificate
verification, as well as the expected outputs.

The format is essentially a newline-separated sequence of key/value pairs:

  key: value\n

All keys must be specified by tests, although they can be in any order. The
possible keys are:

  "chain" - The value is a file path (relative to the test file) to a .pem
  containing the CERTIFICATE chain.

  "last_cert_trust" - The value identifies the trustedness of the last
  certificate in the chain (i.e. whether it is a trust anchor or not). This
  maps to the CertificateTrustType enum. Possible values are:
    "TRUSTED_ANCHOR"
    "TRUSTED_ANCHOR_WITH_EXPIRATION"
    "TRUSTED_ANCHOR_WITH_CONSTRAINTS"
    "UNSPECIFIED"
    "DISTRUSTED"

  "utc_time" - A string encoding for the generalized time at which
  verification should be done. Example "150302120000Z".

  "key_purpose" - The expected EKU to use when verifying. Maps to the
  KeyPurpose enum. Possible values are:
    "ANY_EKU"
    "SERVER_AUTH"
    "CLIENT_AUTH"

  "errors" - This has special parsing rules: it is interpreted as the final key
  in the file. All lines after "errors:\n" are read as being the error string
  (this allows embedding newlines in it).

Additionally, it is possible to add Python-style comments by starting a line
with "#".

===============================
pkits_errors/*.txt
===============================

These files contain the expected errors for PKITS tests
(third_party/nist-pkits). The file names correspond to the PKITS test numbers.
They are baselined specifically for VerifyCertificateChain().

===============================
generate-all.sh
===============================

Runs all of the generate-chains.py scripts and cleans up the temp files
afterwards.
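The following parser for the DIR/*.test format is an added example, not the unit test's own reader: it applies the rules listed above (any key order, "#" comment lines, "errors" swallowing every following line, the fixed value sets for "last_cert_trust" and "key_purpose"). The sample file and the error text in it are constructed, and dropping comment lines inside the error string is an assumption the README does not state.

```python
# Allowed values per the README above; "chain", "utc_time" and "errors" are free-form.
ALLOWED = {
    "last_cert_trust": {"TRUSTED_ANCHOR", "TRUSTED_ANCHOR_WITH_EXPIRATION",
                        "TRUSTED_ANCHOR_WITH_CONSTRAINTS", "UNSPECIFIED", "DISTRUSTED"},
    "key_purpose": {"ANY_EKU", "SERVER_AUTH", "CLIENT_AUTH"},
}
REQUIRED_KEYS = {"chain", "utc_time", "errors"} | set(ALLOWED)

def parse_test_file(text):
    """Parse one .test file into a dict, enforcing the rules the README states."""
    lines = text.split("\n")
    result = {}
    for i, line in enumerate(lines):
        if line.startswith("#") or not line.strip():
            continue  # python-style comment or blank line
        key, sep, value = line.partition(":")
        key = key.strip()
        if not sep or not key or key in result:
            raise ValueError("bad or duplicate line %d: %r" % (i + 1, line))
        if key == "errors":
            # Special rule: "errors" is the final key; every line after "errors:\n"
            # is the error string, newlines kept (comment lines dropped: assumption).
            result[key] = "\n".join(l for l in lines[i + 1:] if not l.startswith("#"))
            break
        result[key] = value.strip()
    missing = REQUIRED_KEYS - result.keys()
    if missing:
        raise ValueError("missing keys: " + ", ".join(sorted(missing)))
    for key, allowed in ALLOWED.items():
        if result[key] not in allowed:
            raise ValueError("bad %s: %r" % (key, result[key]))
    return result

def is_valid_test_file(text):
    try:
        parse_test_file(text)
        return True
    except ValueError:
        return False

# Constructed sample, not copied from any real test in the directory.
SAMPLE_TEST = """# constructed sample .test file
chain: chain.pem
last_cert_trust: TRUSTED_ANCHOR
utc_time: 150302120000Z
key_purpose: SERVER_AUTH
errors:
----- Certificate i=1 -----
ERROR: placeholder error text (constructed)
"""
```

Running is_valid_test_file over every *.test under a DIR catches a malformed expectation file before the C++ unit test reports it as a verification failure.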