Diffstat (limited to 'security/nss/tests/chains/scenarios/trustanchors.cfg')
-rw-r--r--security/nss/tests/chains/scenarios/trustanchors.cfg114
1 files changed, 114 insertions, 0 deletions
diff --git a/security/nss/tests/chains/scenarios/trustanchors.cfg b/security/nss/tests/chains/scenarios/trustanchors.cfg
new file mode 100644
index 000000000..db18990ac
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/trustanchors.cfg
@@ -0,0 +1,114 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario TrustAnchors
+
+entity RootCA
+ type Root
+
+entity CA1
+ type Intermediate
+ issuer RootCA
+
+entity CA2
+ type Intermediate
+ issuer CA1
+
+entity EE1
+ type EE
+ issuer CA2
+
+entity OtherRoot
+ type Root
+
+entity OtherIntermediate
+ type Intermediate
+ issuer OtherRoot
+
+entity EE2
+ type EE
+ issuer OtherIntermediate
+
+# Scenarios where trust only comes from the DB
+db DBOnly
+
+import RootCA::CT,C,C
+import CA1:RootCA:
+
+# Simple chaining - no trust anchors
+verify EE1:CA2
+ cert CA2:CA1
+ result pass
+
+# Simple trust anchors - ignore the Cert DB
+verify EE1:CA2
+ trust CA2:CA1
+ result pass
+
+# Redundant trust - trust anchor and DB
+verify EE1:CA2
+ cert CA2:CA1
+ trust RootCA
+ result pass
+
+
+# Scenarios where trust only comes from trust anchors
+db TrustOnly
+
+# Simple checking - direct trust anchor
+verify EE1:CA2
+ cert CA2:CA1
+ cert CA1:RootCA:
+ trust RootCA:
+ result pass
+
+# Partial chain (not self-signed), with a trust anchor
+verify EE1:CA2
+ trust CA2:CA1
+ result pass
+
+
+# Scenarios where trust comes from both trust anchors and the DB
+db TrustAndDB
+
+import RootCA::CT,C,C
+import CA1:RootCA:
+
+# Check that trust in the DB works
+verify EE1:CA2
+ cert CA2:CA1
+ result pass
+
+# Check that trust anchors work
+verify EE2:OtherIntermediate
+ cert OtherIntermediate:OtherRoot
+ trust OtherRoot:
+ result pass
+
+# Check that specifying a trust anchor still allows searching the cert DB
+verify EE1:CA2
+ trust_and_db
+ cert CA2:CA1
+ trust OtherIntermediate:OtherRoot
+ trust OtherRoot:
+ result pass
+
+# Scenarios where the trust DB has explicitly distrusted one or more certs,
+# even when the trust anchors indicate trust
+db ExplicitDistrust
+
+import RootCA::CT,C,C
+import CA1:RootCA:p,p,p
+import OtherRoot::p,p,p
+
+# Verify that a distrusted intermediate, but trusted root, is rejected.
+verify EE1:CA2
+ cert CA2:CA1
+ trust CA1:RootCA
+ result fail
+
+# Verify that a trusted intermediate, but distrusted root, is accepted.
+verify EE2:OtherIntermediate
+ trust OtherIntermediate:OtherRoot
+ result pass
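Review bot: Only one of the ten `verify` cases expects `result fail` (the distrusted-intermediate case under `db ExplicitDistrust`), so a regression that made trust-anchor validation accept any chain would still pass almost everything in this file. A negative case under `db TrustOnly`, where the supplied anchor is unrelated to the chain being verified, would pin that anchors restrict trust rather than only add to it; the expected result below is inferred from the other cases and should be confirmed against the harness. The last case's comment could also say why a distrusted root is acceptable, presumably because path building stops at the trusted intermediate and never reaches OtherRoot's `p,p,p` entry, for example `# Path building stops at the anchor, so the DB distrust on OtherRoot is not consulted.` Separately, `trust RootCA` and `trust CA1:RootCA` are written without the trailing colon that `trust RootCA:` and `trust OtherRoot:` carry elsewhere; if the harness treats the two forms differently, a short comment on which is intended would help.

```cfg
# … unchanged: existing "db TrustOnly" cases …

# Chain that does not lead to the supplied trust anchor must be rejected
verify EE2:OtherIntermediate
 cert OtherIntermediate:OtherRoot
 trust RootCA:
 result fail
```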