security/nss/tests/chains/scenarios/trustanchors.cfg@b8a032363ba2 (annotated)
security/nss/tests/chains/scenarios/trustanchors.cfg
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | # This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 2 | # License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 3 | # file, You can obtain one at http://mozilla.org/MPL/2.0/. |
| michael@0 | 4 | |
| michael@0 | 5 | scenario TrustAnchors |
| michael@0 | 6 | |
| michael@0 | 7 | entity RootCA |
| michael@0 | 8 | type Root |
| michael@0 | 9 | |
| michael@0 | 10 | entity CA1 |
| michael@0 | 11 | type Intermediate |
| michael@0 | 12 | issuer RootCA |
| michael@0 | 13 | |
| michael@0 | 14 | entity CA2 |
| michael@0 | 15 | type Intermediate |
| michael@0 | 16 | issuer CA1 |
| michael@0 | 17 | |
| michael@0 | 18 | entity EE1 |
| michael@0 | 19 | type EE |
| michael@0 | 20 | issuer CA2 |
| michael@0 | 21 | |
| michael@0 | 22 | entity OtherRoot |
| michael@0 | 23 | type Root |
| michael@0 | 24 | |
| michael@0 | 25 | entity OtherIntermediate |
| michael@0 | 26 | type Intermediate |
| michael@0 | 27 | issuer OtherRoot |
| michael@0 | 28 | |
| michael@0 | 29 | entity EE2 |
| michael@0 | 30 | type EE |
| michael@0 | 31 | issuer OtherIntermediate |
| michael@0 | 32 | |
| michael@0 | 33 | # Scenarios where trust only comes from the DB |
| michael@0 | 34 | db DBOnly |
| michael@0 | 35 | |
| michael@0 | 36 | import RootCA::CT,C,C |
| michael@0 | 37 | import CA1:RootCA: |
| michael@0 | 38 | |
| michael@0 | 39 | # Simple chaining - no trust anchors |
| michael@0 | 40 | verify EE1:CA2 |
| michael@0 | 41 | cert CA2:CA1 |
| michael@0 | 42 | result pass |
| michael@0 | 43 | |
| michael@0 | 44 | # Simple trust anchors - ignore the Cert DB |
| michael@0 | 45 | verify EE1:CA2 |
| michael@0 | 46 | trust CA2:CA1 |
| michael@0 | 47 | result pass |
| michael@0 | 48 | |
| michael@0 | 49 | # Redundant trust - trust anchor and DB |
| michael@0 | 50 | verify EE1:CA2 |
| michael@0 | 51 | cert CA2:CA1 |
| michael@0 | 52 | trust RootCA |
| michael@0 | 53 | result pass |
| michael@0 | 54 | |
| michael@0 | 55 | |
| michael@0 | 56 | # Scenarios where trust only comes from trust anchors |
| michael@0 | 57 | db TrustOnly |
| michael@0 | 58 | |
| michael@0 | 59 | # Simple checking - direct trust anchor |
| michael@0 | 60 | verify EE1:CA2 |
| michael@0 | 61 | cert CA2:CA1 |
| michael@0 | 62 | cert CA1:RootCA: |
| michael@0 | 63 | trust RootCA: |
| michael@0 | 64 | result pass |
| michael@0 | 65 | |
| michael@0 | 66 | # Partial chain (not self-signed), with a trust anchor |
| michael@0 | 67 | verify EE1:CA2 |
| michael@0 | 68 | trust CA2:CA1 |
| michael@0 | 69 | result pass |
| michael@0 | 70 | |
| michael@0 | 71 | |
| michael@0 | 72 | # Scenarios where trust comes from both trust anchors and the DB |
| michael@0 | 73 | db TrustAndDB |
| michael@0 | 74 | |
| michael@0 | 75 | import RootCA::CT,C,C |
| michael@0 | 76 | import CA1:RootCA: |
| michael@0 | 77 | |
| michael@0 | 78 | # Check that trust in the DB works |
| michael@0 | 79 | verify EE1:CA2 |
| michael@0 | 80 | cert CA2:CA1 |
| michael@0 | 81 | result pass |
| michael@0 | 82 | |
| michael@0 | 83 | # Check that trust anchors work |
| michael@0 | 84 | verify EE2:OtherIntermediate |
| michael@0 | 85 | cert OtherIntermediate:OtherRoot |
| michael@0 | 86 | trust OtherRoot: |
| michael@0 | 87 | result pass |
| michael@0 | 88 | |
| michael@0 | 89 | # Check that specifying a trust anchor still allows searching the cert DB |
| michael@0 | 90 | verify EE1:CA2 |
| michael@0 | 91 | trust_and_db |
| michael@0 | 92 | cert CA2:CA1 |
| michael@0 | 93 | trust OtherIntermediate:OtherRoot |
| michael@0 | 94 | trust OtherRoot: |
| michael@0 | 95 | result pass |
| michael@0 | 96 | |
| michael@0 | 97 | # Scenarios where the trust DB has explicitly distrusted one or more certs, |
| michael@0 | 98 | # even when the trust anchors indicate trust |
| michael@0 | 99 | db ExplicitDistrust |
| michael@0 | 100 | |
| michael@0 | 101 | import RootCA::CT,C,C |
| michael@0 | 102 | import CA1:RootCA:p,p,p |
| michael@0 | 103 | import OtherRoot::p,p,p |
| michael@0 | 104 | |
| michael@0 | 105 | # Verify that a distrusted intermediate, but trusted root, is rejected. |
| michael@0 | 106 | verify EE1:CA2 |
| michael@0 | 107 | cert CA2:CA1 |
| michael@0 | 108 | trust CA1:RootCA |
| michael@0 | 109 | result fail |
| michael@0 | 110 | |
| michael@0 | 111 | # Verify that a trusted intermediate, but distrusted root, is accepted. |
| michael@0 | 112 | verify EE2:OtherIntermediate |
| michael@0 | 113 | trust OtherIntermediate:OtherRoot |
| michael@0 | 114 | result pass |
