diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
commit | 26a029d407be480d791972afb5975cf62c9360a6 (patch) | |
tree | f435a8308119effd964b339f76abb83a57c29483 /security/nss/tests/chains/scenarios/trustanchors.cfg | |
parent | Initial commit. (diff) | |
download | firefox-26a029d407be480d791972afb5975cf62c9360a6.tar.xz firefox-26a029d407be480d791972afb5975cf62c9360a6.zip |
Adding upstream version 124.0.1.upstream/124.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/nss/tests/chains/scenarios/trustanchors.cfg')
-rw-r--r-- | security/nss/tests/chains/scenarios/trustanchors.cfg | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/security/nss/tests/chains/scenarios/trustanchors.cfg b/security/nss/tests/chains/scenarios/trustanchors.cfg new file mode 100644 index 0000000000..db18990ac6 --- /dev/null +++ b/security/nss/tests/chains/scenarios/trustanchors.cfg @@ -0,0 +1,114 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +scenario TrustAnchors + +entity RootCA + type Root + +entity CA1 + type Intermediate + issuer RootCA + +entity CA2 + type Intermediate + issuer CA1 + +entity EE1 + type EE + issuer CA2 + +entity OtherRoot + type Root + +entity OtherIntermediate + type Intermediate + issuer OtherRoot + +entity EE2 + type EE + issuer OtherIntermediate + +# Scenarios where trust only comes from the DB +db DBOnly + +import RootCA::CT,C,C +import CA1:RootCA: + +# Simple chaining - no trust anchors +verify EE1:CA2 + cert CA2:CA1 + result pass + +# Simple trust anchors - ignore the Cert DB +verify EE1:CA2 + trust CA2:CA1 + result pass + +# Redundant trust - trust anchor and DB +verify EE1:CA2 + cert CA2:CA1 + trust RootCA + result pass + + +# Scenarios where trust only comes from trust anchors +db TrustOnly + +# Simple checking - direct trust anchor +verify EE1:CA2 + cert CA2:CA1 + cert CA1:RootCA: + trust RootCA: + result pass + +# Partial chain (not self-signed), with a trust anchor +verify EE1:CA2 + trust CA2:CA1 + result pass + + +# Scenarios where trust comes from both trust anchors and the DB +db TrustAndDB + +import RootCA::CT,C,C +import CA1:RootCA: + +# Check that trust in the DB works +verify EE1:CA2 + cert CA2:CA1 + result pass + +# Check that trust anchors work +verify EE2:OtherIntermediate + cert OtherIntermediate:OtherRoot + trust OtherRoot: + result pass + +# Check that specifying a trust anchor still allows searching the cert DB +verify EE1:CA2 + trust_and_db + cert CA2:CA1 + trust OtherIntermediate:OtherRoot + trust OtherRoot: + result pass + +# Scenarios where the trust DB has explicitly distrusted one or more certs, +# even when the trust anchors indicate trust +db ExplicitDistrust + +import RootCA::CT,C,C +import CA1:RootCA:p,p,p +import OtherRoot::p,p,p + +# Verify that a distrusted intermediate, but trusted root, is rejected. +verify EE1:CA2 + cert CA2:CA1 + trust CA1:RootCA + result fail + +# Verify that a trusted intermediate, but distrusted root, is accepted. +verify EE2:OtherIntermediate + trust OtherIntermediate:OtherRoot + result pass |