security/nss/tests/chains/scenarios/trustanchors.cfg

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 # This Source Code Form is subject to the terms of the Mozilla Public
     2 # License, v. 2.0. If a copy of the MPL was not distributed with this
     3 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
     5 scenario TrustAnchors
       # Declares two independent hierarchies used by every check below:
       #   RootCA -> CA1 -> CA2 -> EE1
       #   OtherRoot -> OtherIntermediate -> EE2
       # NOTE(review): in later lines a name written A:B appears to mean
       # "certificate A as issued by B" - confirm against the test harness.
     7 entity RootCA
     8   type Root
    10 entity CA1
    11   type Intermediate
    12   issuer RootCA
    14 entity CA2
    15   type Intermediate
    16   issuer CA1
    18 entity EE1
    19   type EE
    20   issuer CA2
    22 entity OtherRoot
    23   type Root
    25 entity OtherIntermediate
    26   type Intermediate
    27   issuer OtherRoot
    29 entity EE2
    30   type EE
    31   issuer OtherIntermediate
    33 # Scenarios where trust only comes from the DB
       # Only RootCA and CA1 are imported into this DB; CA2 is never imported.
       # NOTE(review): the last field of an import looks like certutil-style
       # trust flags (SSL, S/MIME, code signing). "CT,C,C" would mark RootCA as
       # a trusted CA, while CA1 is imported with no trust flags - confirm.
    34 db DBOnly
    36 import RootCA::CT,C,C
    37 import CA1:RootCA:
    39 # Simple chaining - no trust anchors
       # No trust line here: CA2 is supplied with the request and the pass has
       # to come from the RootCA trust stored in the DB.
    40 verify EE1:CA2
    41   cert CA2:CA1
    42   result pass
    44 # Simple trust anchors - ignore the Cert DB
       # The anchor is CA2, an intermediate rather than a root, so the chain
       # EE1 -> CA2 ends at the anchor without needing the DB's RootCA trust.
    45 verify EE1:CA2
    46   trust CA2:CA1
    47   result pass
    49 # Redundant trust - trust anchor and DB
       # RootCA is trusted in the DB and also passed as an anchor; supplying
       # both must not make verification fail.
    50 verify EE1:CA2
    51   cert CA2:CA1
    52   trust RootCA
    53   result pass
    56 # Scenarios where trust only comes from trust anchors
       # No import lines follow this db, so every pass below has to be
       # justified by a trust line in the request itself.
    57 db TrustOnly
    59 # Simple checking - direct trust anchor
       # The full chain is supplied (CA2, CA1) and RootCA is the anchor.
    60 verify EE1:CA2
    61   cert CA2:CA1
    62   cert CA1:RootCA:
    63   trust RootCA:
    64   result pass
    66 # Partial chain (not self-signed), with a trust anchor
       # The chain stops at the CA2 anchor; nothing above it (CA1, RootCA) is
       # supplied, so those certificates are not part of this check.
    67 verify EE1:CA2
    68   trust CA2:CA1
    69   result pass
    72 # Scenarios where trust comes from both trust anchors and the DB
       # The DB holds the RootCA hierarchy; the OtherRoot hierarchy is only
       # ever introduced through trust lines in the requests.
    73 db TrustAndDB
    75 import RootCA::CT,C,C
    76 import CA1:RootCA:
    78 # Check that trust in the DB works
    79 verify EE1:CA2
    80   cert CA2:CA1
    81   result pass
    83 # Check that trust anchors work
       # OtherRoot is not imported into this DB, so the pass depends on the
       # anchor alone.
    84 verify EE2:OtherIntermediate
    85   cert OtherIntermediate:OtherRoot
    86   trust OtherRoot:
    87   result pass
    89 # Check that specifying a trust anchor still allows searching the cert DB
       # Both anchors belong to the other hierarchy and cannot validate EE1, so
       # the expected pass has to come from RootCA in the DB. trust_and_db
       # presumably enables that fallback - confirm in the harness.
       # NOTE(review): this scenario file has no negative counterpart (the same
       # anchors without trust_and_db, expecting fail), so the anchors-only
       # behaviour is not pinned down here.
    90 verify EE1:CA2
    91   trust_and_db
    92   cert CA2:CA1
    93   trust OtherIntermediate:OtherRoot
    94   trust OtherRoot:
    95   result pass
    97 # Scenarios where the trust DB has explicitly distrusted one or more certs,
    98 # even when the trust anchors indicate trust
       # "p,p,p" on CA1 and OtherRoot is the distrust marking; in certutil's
       # trust syntax p is the "prohibited" flag, applied here to all three
       # usages. RootCA remains a trusted CA.
    99 db ExplicitDistrust
   101 import RootCA::CT,C,C
   102 import CA1:RootCA:p,p,p
   103 import OtherRoot::p,p,p
   105 # Verify that a distrusted intermediate, but trusted root, is rejected.
       # CA1 is passed as a caller-supplied anchor, yet the DB distrust on CA1
       # must take precedence, hence the expected fail.
   106 verify EE1:CA2
   107   cert CA2:CA1
   108   trust CA1:RootCA
   109   result fail
   111 # Verify that a trusted intermediate, but distrusted root, is accepted.
       # The chain ends at the OtherIntermediate anchor, so the distrusted
       # OtherRoot is never supplied or needed.
       # NOTE(review): the expected pass means DB distrust of a root does not
       # by itself reject a request anchored on that root's intermediate; to
       # cover that case the intermediate would need its own distrust entry.
   112 verify EE2:OtherIntermediate
   113   trust OtherIntermediate:OtherRoot
   114   result pass
