# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

scenario TrustAnchors

entity RootCA
  type Root

entity CA1
  type Intermediate
  issuer RootCA

entity CA2
  type Intermediate
  issuer CA1

entity EE1
  type EE
  issuer CA2

entity OtherRoot
  type Root

entity OtherIntermediate
  type Intermediate
  issuer OtherRoot

entity EE2
  type EE
  issuer OtherIntermediate

# Scenarios where trust only comes from the DB
db DBOnly

import RootCA::CT,C,C
import CA1:RootCA:

# Simple chaining - no trust anchors
verify EE1:CA2
  cert CA2:CA1
  result pass

# Simple trust anchors - ignore the Cert DB
verify EE1:CA2
  trust CA2:CA1
  result pass

# Redundant trust - trust anchor and DB
verify EE1:CA2
  cert CA2:CA1
  trust RootCA
  result pass

# Scenarios where trust only comes from trust anchors
db TrustOnly

# Simple checking - direct trust anchor
verify EE1:CA2
  cert CA2:CA1
  cert CA1:RootCA:
  trust RootCA:
  result pass

# Partial chain (not self-signed), with a trust anchor
verify EE1:CA2
  trust CA2:CA1
  result pass

# Scenarios where trust comes from both trust anchors and the DB
db TrustAndDB

import RootCA::CT,C,C
import CA1:RootCA:

# Check that trust in the DB works
verify EE1:CA2
  cert CA2:CA1
  result pass

# Check that trust anchors work
verify EE2:OtherIntermediate
  cert OtherIntermediate:OtherRoot
  trust OtherRoot:
  result pass

# Check that specifying a trust anchor still allows searching the cert DB
verify EE1:CA2
  trust_and_db
  cert CA2:CA1
  trust OtherIntermediate:OtherRoot
  trust OtherRoot:
  result pass

# Scenarios where the trust DB has explicitly distrusted one or more certs,
# even when the trust anchors indicate trust
db ExplicitDistrust

import RootCA::CT,C,C
import CA1:RootCA:p,p,p
import OtherRoot::p,p,p

# Verify that a distrusted intermediate, but trusted root, is rejected.
verify EE1:CA2
  cert CA2:CA1
  trust CA1:RootCA
  result fail

# Verify that a trusted intermediate, but distrusted root, is accepted.
verify EE2:OtherIntermediate
  trust OtherIntermediate:OtherRoot
  result pass