| # This Source Code Form is subject to the terms of the Mozilla Public |
| # License, v. 2.0. If a copy of the MPL was not distributed with this |
| # file, You can obtain one at http://mozilla.org/MPL/2.0/. |
| |
| scenario TrustAnchors |
| |
| entity RootCA |
| type Root |
| |
| entity CA1 |
| type Intermediate |
| issuer RootCA |
| |
| entity CA2 |
| type Intermediate |
| issuer CA1 |
| |
| entity EE1 |
| type EE |
| issuer CA2 |
| |
| entity OtherRoot |
| type Root |
| |
| entity OtherIntermediate |
| type Intermediate |
| issuer OtherRoot |
| |
| entity EE2 |
| type EE |
| issuer OtherIntermediate |
| |
| # Scenarios where trust only comes from the DB |
| db DBOnly |
| |
| import RootCA::CT,C,C |
| import CA1:RootCA: |
| |
| # Simple chaining - no trust anchors |
| verify EE1:CA2 |
| cert CA2:CA1 |
| result pass |
| |
| # Simple trust anchors - ignore the Cert DB |
| verify EE1:CA2 |
| trust CA2:CA1 |
| result pass |
| |
| # Redundant trust - trust anchor and DB |
| verify EE1:CA2 |
| cert CA2:CA1 |
| trust RootCA |
| result pass |
| |
| |
| # Scenarios where trust only comes from trust anchors |
| db TrustOnly |
| |
| # Simple checking - direct trust anchor |
| verify EE1:CA2 |
| cert CA2:CA1 |
| cert CA1:RootCA: |
| trust RootCA: |
| result pass |
| |
| # Partial chain (not self-signed), with a trust anchor |
| verify EE1:CA2 |
| trust CA2:CA1 |
| result pass |
| |
| |
| # Scenarios where trust comes from both trust anchors and the DB |
| db TrustAndDB |
| |
| import RootCA::CT,C,C |
| import CA1:RootCA: |
| |
| # Check that trust in the DB works |
| verify EE1:CA2 |
| cert CA2:CA1 |
| result pass |
| |
| # Check that trust anchors work |
| verify EE2:OtherIntermediate |
| cert OtherIntermediate:OtherRoot |
| trust OtherRoot: |
| result pass |
| |
| # Check that specifying a trust anchor still allows searching the cert DB |
| verify EE1:CA2 |
| trust_and_db |
| cert CA2:CA1 |
| trust OtherIntermediate:OtherRoot |
| trust OtherRoot: |
| result pass |
| |
| # Scenarios where the trust DB has explicitly distrusted one or more certs, |
| # even when the trust anchors indicate trust |
| db ExplicitDistrust |
| |
| import RootCA::CT,C,C |
| import CA1:RootCA:p,p,p |
| import OtherRoot::p,p,p |
| |
| # Verify that a distrusted intermediate, but trusted root, is rejected. |
| verify EE1:CA2 |
| cert CA2:CA1 |
| trust CA1:RootCA |
| result fail |
| |
| # Verify that a trusted intermediate, but distrusted root, is accepted. |
| verify EE2:OtherIntermediate |
| trust OtherIntermediate:OtherRoot |
| result pass |