mirror of
https://github.com/rn10950/RetroZilla.git
synced 2024-11-15 04:00:12 +01:00
115 lines
2.2 KiB
INI
115 lines
2.2 KiB
INI
|
# This Source Code Form is subject to the terms of the Mozilla Public
|
||
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||
|
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||
|
|
||
|
scenario TrustAnchors
|
||
|
|
||
|
entity RootCA
|
||
|
type Root
|
||
|
|
||
|
entity CA1
|
||
|
type Intermediate
|
||
|
issuer RootCA
|
||
|
|
||
|
entity CA2
|
||
|
type Intermediate
|
||
|
issuer CA1
|
||
|
|
||
|
entity EE1
|
||
|
type EE
|
||
|
issuer CA2
|
||
|
|
||
|
entity OtherRoot
|
||
|
type Root
|
||
|
|
||
|
entity OtherIntermediate
|
||
|
type Intermediate
|
||
|
issuer OtherRoot
|
||
|
|
||
|
entity EE2
|
||
|
type EE
|
||
|
issuer OtherIntermediate
|
||
|
|
||
|
# Scenarios where trust only comes from the DB
|
||
|
db DBOnly
|
||
|
|
||
|
import RootCA::CT,C,C
|
||
|
import CA1:RootCA:
|
||
|
|
||
|
# Simple chaining - no trust anchors
|
||
|
verify EE1:CA2
|
||
|
cert CA2:CA1
|
||
|
result pass
|
||
|
|
||
|
# Simple trust anchors - ignore the Cert DB
|
||
|
verify EE1:CA2
|
||
|
trust CA2:CA1
|
||
|
result pass
|
||
|
|
||
|
# Redundant trust - trust anchor and DB
|
||
|
verify EE1:CA2
|
||
|
cert CA2:CA1
|
||
|
trust RootCA
|
||
|
result pass
|
||
|
|
||
|
|
||
|
# Scenarios where trust only comes from trust anchors
|
||
|
db TrustOnly
|
||
|
|
||
|
# Simple checking - direct trust anchor
|
||
|
verify EE1:CA2
|
||
|
cert CA2:CA1
|
||
|
cert CA1:RootCA:
|
||
|
trust RootCA:
|
||
|
result pass
|
||
|
|
||
|
# Partial chain (not self-signed), with a trust anchor
|
||
|
verify EE1:CA2
|
||
|
trust CA2:CA1
|
||
|
result pass
|
||
|
|
||
|
|
||
|
# Scenarios where trust comes from both trust anchors and the DB
|
||
|
db TrustAndDB
|
||
|
|
||
|
import RootCA::CT,C,C
|
||
|
import CA1:RootCA:
|
||
|
|
||
|
# Check that trust in the DB works
|
||
|
verify EE1:CA2
|
||
|
cert CA2:CA1
|
||
|
result pass
|
||
|
|
||
|
# Check that trust anchors work
|
||
|
verify EE2:OtherIntermediate
|
||
|
cert OtherIntermediate:OtherRoot
|
||
|
trust OtherRoot:
|
||
|
result pass
|
||
|
|
||
|
# Check that specifying a trust anchor still allows searching the cert DB
|
||
|
verify EE1:CA2
|
||
|
trust_and_db
|
||
|
cert CA2:CA1
|
||
|
trust OtherIntermediate:OtherRoot
|
||
|
trust OtherRoot:
|
||
|
result pass
|
||
|
|
||
|
# Scenarios where the trust DB has explicitly distrusted one or more certs,
|
||
|
# even when the trust anchors indicate trust
|
||
|
db ExplicitDistrust
|
||
|
|
||
|
import RootCA::CT,C,C
|
||
|
import CA1:RootCA:p,p,p
|
||
|
import OtherRoot::p,p,p
|
||
|
|
||
|
# Verify that a distrusted intermediate, but trusted root, is rejected.
|
||
|
verify EE1:CA2
|
||
|
cert CA2:CA1
|
||
|
trust CA1:RootCA
|
||
|
result fail
|
||
|
|
||
|
# Verify that a trusted intermediate, but distrusted root, is accepted.
|
||
|
verify EE2:OtherIntermediate
|
||
|
trust OtherIntermediate:OtherRoot
|
||
|
result pass
|