nss-3.41/nss/tests/chains/scenarios/trustanchors.cfg - manifest_repos/nss - Git at Google

 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.

 scenario TrustAnchors

 entity RootCA
   type Root

 entity CA1
   type Intermediate
   issuer RootCA

 entity CA2
   type Intermediate
   issuer CA1

 entity EE1
   type EE
   issuer CA2

 entity OtherRoot
   type Root

 entity OtherIntermediate
   type Intermediate
   issuer OtherRoot

 entity EE2
   type EE
   issuer OtherIntermediate

 # Scenarios where trust only comes from the DB
 db DBOnly

 import RootCA::CT,C,C
 import CA1:RootCA:

 # Simple chaining - no trust anchors
 verify EE1:CA2
   cert CA2:CA1
   result pass

 # Simple trust anchors - ignore the Cert DB
 verify EE1:CA2
   trust CA2:CA1
   result pass

 # Redundant trust - trust anchor and DB
 verify EE1:CA2
   cert CA2:CA1
   trust RootCA
   result pass


 # Scenarios where trust only comes from trust anchors
 db TrustOnly

 # Simple checking - direct trust anchor
 verify EE1:CA2
   cert CA2:CA1
   cert CA1:RootCA:
   trust RootCA:
   result pass

 # Partial chain (not self-signed), with a trust anchor
 verify EE1:CA2
   trust CA2:CA1
   result pass


 # Scenarios where trust comes from both trust anchors and the DB
 db TrustAndDB

 import RootCA::CT,C,C
 import CA1:RootCA:

 # Check that trust in the DB works
 verify EE1:CA2
   cert CA2:CA1
   result pass

 # Check that trust anchors work
 verify EE2:OtherIntermediate
   cert OtherIntermediate:OtherRoot
   trust OtherRoot:
   result pass

 # Check that specifying a trust anchor still allows searching the cert DB
 verify EE1:CA2
   trust_and_db
   cert CA2:CA1
   trust OtherIntermediate:OtherRoot
   trust OtherRoot:
   result pass

 # Scenarios where the trust DB has explicitly distrusted one or more certs,
 # even when the trust anchors indicate trust
 db ExplicitDistrust

 import RootCA::CT,C,C
 import CA1:RootCA:p,p,p
 import OtherRoot::p,p,p

 # Verify that a distrusted intermediate, but trusted root, is rejected.
 verify EE1:CA2
   cert CA2:CA1
   trust CA1:RootCA
   result fail

 # Verify that a trusted intermediate, but distrusted root, is accepted.
 verify EE2:OtherIntermediate
   trust OtherIntermediate:OtherRoot
   result pass
	# This Source Code Form is subject to the terms of the Mozilla Public
	# License, v. 2.0. If a copy of the MPL was not distributed with this
	# file, You can obtain one at http://mozilla.org/MPL/2.0/.

	scenario TrustAnchors

	entity RootCA
	type Root

	entity CA1
	type Intermediate
	issuer RootCA

	entity CA2
	type Intermediate
	issuer CA1

	entity EE1
	type EE
	issuer CA2

	entity OtherRoot
	type Root

	entity OtherIntermediate
	type Intermediate
	issuer OtherRoot

	entity EE2
	type EE
	issuer OtherIntermediate

	# Scenarios where trust only comes from the DB
	db DBOnly

	import RootCA::CT,C,C
	import CA1:RootCA:

	# Simple chaining - no trust anchors
	verify EE1:CA2
	cert CA2:CA1
	result pass

	# Simple trust anchors - ignore the Cert DB
	verify EE1:CA2
	trust CA2:CA1
	result pass

	# Redundant trust - trust anchor and DB
	verify EE1:CA2
	cert CA2:CA1
	trust RootCA
	result pass


	# Scenarios where trust only comes from trust anchors
	db TrustOnly

	# Simple checking - direct trust anchor
	verify EE1:CA2
	cert CA2:CA1
	cert CA1:RootCA:
	trust RootCA:
	result pass

	# Partial chain (not self-signed), with a trust anchor
	verify EE1:CA2
	trust CA2:CA1
	result pass


	# Scenarios where trust comes from both trust anchors and the DB
	db TrustAndDB

	import RootCA::CT,C,C
	import CA1:RootCA:

	# Check that trust in the DB works
	verify EE1:CA2
	cert CA2:CA1
	result pass

	# Check that trust anchors work
	verify EE2:OtherIntermediate
	cert OtherIntermediate:OtherRoot
	trust OtherRoot:
	result pass

	# Check that specifying a trust anchor still allows searching the cert DB
	verify EE1:CA2
	trust_and_db
	cert CA2:CA1
	trust OtherIntermediate:OtherRoot
	trust OtherRoot:
	result pass

	# Scenarios where the trust DB has explicitly distrusted one or more certs,
	# even when the trust anchors indicate trust
	db ExplicitDistrust

	import RootCA::CT,C,C
	import CA1:RootCA:p,p,p
	import OtherRoot::p,p,p

	# Verify that a distrusted intermediate, but trusted root, is rejected.
	verify EE1:CA2
	cert CA2:CA1
	trust CA1:RootCA
	result fail

	# Verify that a trusted intermediate, but distrusted root, is accepted.
	verify EE2:OtherIntermediate
	trust OtherIntermediate:OtherRoot
	result pass