This directory contains test data for verifying certificate chains.

Tests are grouped into directories that contain the keys, the Python script
that generates the chains, and the test expectations. "DIR" is used as a
generic placeholder below to identify such a directory.

===============================
DIR/generate-chains.py
===============================

Python script that generates one or more ".pem" files, each containing a
sequence of CERTIFICATE blocks. In most cases it generates a single chain
called "chain.pem".

===============================
DIR/keys/*.key
===============================

The keys used (as well as generated) by generate-chains.py. The private keys
are not needed to run the tests, but they are useful when re-generating the
test data so that the results are stable (at least for deterministic signature
types such as RSASSA PKCS#1, which most of the test certificates use).

===============================
DIR/*.pem
===============================

A sequence of CERTIFICATE blocks created by the generate-chains.py script.
(In a few cases there are manually created .pem files that lack a generator
script.)

===============================
DIR/*.test
===============================

A sequence of key-value pairs that identify the inputs to certificate
verification, as well as the expected outputs. The format is essentially a
newline-separated sequence of key/value pairs:

key: value\n

All keys must be specified by every test, although they can appear in any
order. The possible keys are:

  "chain" - The value is a file path (relative to the test file) to a .pem
      containing the CERTIFICATE chain.

  "last_cert_trust" - The value identifies the trust status of the last
      certificate in the chain (i.e. whether it is a trust anchor or not).
      This maps to the CertificateTrustType enum. Possible values are:
          "TRUSTED_ANCHOR"
          "TRUSTED_ANCHOR_WITH_EXPIRATION"
          "TRUSTED_ANCHOR_WITH_CONSTRAINTS"
          "UNSPECIFIED"
          "DISTRUSTED"

  "utc_time" - A string encoding of the generalized time at which verification
      should be done. Example: "150302120000Z"

  "key_purpose" - The expected EKU to use when verifying. Maps to the
      KeyPurpose enum. Possible values are:
          "ANY_EKU"
          "SERVER_AUTH"
          "CLIENT_AUTH"

  "errors" - This has special parsing rules: it is interpreted as the final
      key in the file. All lines after "errors:\n" are read as the error
      string (this allows embedding newlines in it).

Additionally, it is possible to add Python-style comments by starting a line
with "#".

===============================
generate-all.sh
===============================

Runs all of the generate-chains.py scripts and cleans up the temp files
afterwards.
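The following is an added example, not code from the Chromium tree, showing a parser for the DIR/*.test format described above. It implements the rules stated there (any key order, "#" comments, "errors" as a terminal key whose remaining lines are taken verbatim) and rejects enum values the README does not list; treating blank lines as skippable is an assumption, and the sample .test content is constructed.

```python
# Keys a .test file must specify (any order; "errors" must come last) and
# the enum values listed in the README; anything else is rejected.
REQUIRED_KEYS = ("chain", "last_cert_trust", "utc_time", "key_purpose", "errors")
TRUST_VALUES = {"TRUSTED_ANCHOR", "TRUSTED_ANCHOR_WITH_EXPIRATION",
                "TRUSTED_ANCHOR_WITH_CONSTRAINTS", "UNSPECIFIED", "DISTRUSTED"}
KEY_PURPOSE_VALUES = {"ANY_EKU", "SERVER_AUTH", "CLIENT_AUTH"}

def parse_test_file(text):
    """Parse .test contents into a dict of the five keys. "#" lines are
    comments (assumption: blank lines are skipped too). After "errors:" every
    remaining line is the error string verbatim, so "#" lines there are not
    comments and an empty remainder means verification is expected to pass."""
    lines = text.split("\n")
    result = {}
    for i, line in enumerate(lines):
        if line.startswith("#") or not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("line %d is not 'key: value': %r" % (i + 1, line))
        key = key.strip()
        if key == "errors":
            # split/join round-trips the text, so this is exactly the text
            # after "errors:\n", trailing newline included.
            result["errors"] = "\n".join(lines[i + 1:])
            break
        result[key] = value.strip()
    missing = [k for k in REQUIRED_KEYS if k not in result]
    if missing:
        raise ValueError("missing keys: " + ", ".join(missing))
    if result["last_cert_trust"] not in TRUST_VALUES:
        raise ValueError("unknown last_cert_trust %r" % result["last_cert_trust"])
    if result["key_purpose"] not in KEY_PURPOSE_VALUES:
        raise ValueError("unknown key_purpose %r" % result["key_purpose"])
    return result

# Constructed sample (not from the Chromium tree) exercising the comment,
# any-order and multi-line "errors" rules.
SAMPLE_TEST = (
    "# constructed .test content\n"
    "chain: chain.pem\n"
    "key_purpose: SERVER_AUTH\n"
    "utc_time: 150302120000Z\n"
    "last_cert_trust: TRUSTED_ANCHOR\n"
    "errors:\n"
    "# kept verbatim: not a comment inside the error string\n"
    "ERROR: constructed error text\n"
)
```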