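--- /dev/null
+++ b/security/nss/tests/chains/scenarios/trustanchors.cfg
@@ -0,0 +1,114 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario TrustAnchors
+
+entity RootCA
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer RootCA
+
+entity CA2
+ type Intermediate
+ issuer CA1
+
+entity EE1
+ type EE
+ issuer CA2
+
+entity OtherRoot
+ type Root
+
+entity OtherIntermediate
+ type Intermediate
+ issuer OtherRoot
+
+entity EE2
+ type EE
+ issuer OtherIntermediate
+
+# Scenarios where trust only comes from the DB
+db DBOnly
+
+import RootCA::CT,C,C
+import CA1:RootCA:
+
+# Simple chaining - no trust anchors
+verify EE1:CA2
+ cert CA2:CA1
+ result pass
+
+# Simple trust anchors - ignore the Cert DB
+verify EE1:CA2
+ trust CA2:CA1
+ result pass
+
+# Redundant trust - trust anchor and DB
+verify EE1:CA2
+ cert CA2:CA1
+ trust RootCA
+ result pass
+
+
+# Scenarios where trust only comes from trust anchors
+db TrustOnly
+
+# Simple checking - direct trust anchor
+verify EE1:CA2
+ cert CA2:CA1
+ cert CA1:RootCA:
+ trust RootCA:
+ result pass
+
+# Partial chain (not self-signed), with a trust anchor
+verify EE1:CA2
+ trust CA2:CA1
+ result pass
+
+
+# Scenarios where trust comes from both trust anchors and the DB
+db TrustAndDB
+
+import RootCA::CT,C,C
+import CA1:RootCA:
+
+# Check that trust in the DB works
+verify EE1:CA2
+ cert CA2:CA1
+ result pass
+
+# Check that trust anchors work
+verify EE2:OtherIntermediate
+ cert OtherIntermediate:OtherRoot
+ trust OtherRoot:
+ result pass
+
+# Check that specifying a trust anchor still allows searching the cert DB
+verify EE1:CA2
+ trust_and_db
+ cert CA2:CA1
+ trust OtherIntermediate:OtherRoot
+ trust OtherRoot:
+ result pass
+
+# Scenarios where the trust DB has explicitly distrusted one or more certs,
+# even when the trust anchors indicate trust
+db ExplicitDistrust
+
+import RootCA::CT,C,C
+import CA1:RootCA:p,p,p
+import OtherRoot::p,p,p
+
+# Verify that a distrusted intermediate, but trusted root, is rejected.
+verify EE1:CA2
+ cert CA2:CA1
+ trust CA1:RootCA
+ result fail
+
+# Verify that a trusted intermediate, but distrusted root, is accepted.
+verify EE2:OtherIntermediate
+ trust OtherIntermediate:OtherRoot
+ result pass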
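Review bot: The `trust` directives are written inconsistently within the same file: the "Redundant trust" case in DBOnly uses `trust RootCA` and the ExplicitDistrust case uses `trust CA1:RootCA`, while the TrustOnly and TrustAndDB cases write `trust RootCA:` and `trust OtherRoot:` with the trailing field separator, and the `import` lines always carry it (`import CA1:RootCA:`). If the scenario parser treats the trailing field as optional this is only a style nit, but if it does not, the two forms may not resolve to the same certificate file and the `result fail` in the distrusted-intermediate case could pass for the wrong reason; normalizing to `trust RootCA:` and `trust CA1:RootCA:` makes every anchor reference look like the corresponding `import`. It would also help future readers if the ExplicitDistrust header comment stated what the `p,p,p` flags on `CA1` and `OtherRoot` denote, since the two expected outcomes (`fail` for the distrusted intermediate, `pass` for the distrusted root behind an explicitly trusted intermediate) hinge entirely on those flags.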