This directory contains test data for verifying certificate chains.

It contains the following types of files:

===============================
generate-*.py
===============================

Generates the file for an individual test case. If the Python file is named
generate-XXX.py, then the corresponding output is named XXX.pem.

===============================
generate-all.sh
===============================

Runs all of the generate-*.py scripts and does some cleanup.

===============================
*.pem
===============================

Each .pem file describes the inputs for certificate chain verification, and the
expected result. These are the PEM blocks that each file contains and their
interpretation:

CERTIFICATE:

These PEM blocks describe the ordered chain of certificates starting from the
target certificate and progressing towards the trust anchor (but not including
the trust anchor).

 - There must be one or more such PEM blocks.
 - Each block's contents are a DER-encoded X.509 certificate.
 - The first block is the target certificate.
 - The (i+1)th CERTIFICATE is (allegedly) the one which issued the ith
   CERTIFICATE.

TRUST_ANCHOR_{XXX}:

This PEM block describes the trust anchor to use when verifying the chain.
There are two possible names for this PEM block, which affect how it is
interpreted: TRUST_ANCHOR_CONSTRAINED or TRUST_ANCHOR_UNCONSTRAINED.

 - There must be exactly one TRUST_ANCHOR_{XXX} block.
 - Its contents are a DER-encoded X.509 certificate.
 - The subject and SPKI from the certificate define the trust anchor.
 - If the block is named TRUST_ANCHOR_CONSTRAINED, then any constraints on the
   certificate are also considered normative when verifying paths. Otherwise
   any standard extensions provided by the root certificate are not used during
   path validation.

TIMESTAMP:

This PEM block describes the time to use when verifying the chain.

 - There must be exactly one such PEM block.
 - Its contents are a DER-encoded UTCTime.

VERIFY_RESULT:

This PEM block describes the expected result from verifying the path.

 - There must be exactly one such PEM block.
 - Its contents are a string with a value of either "SUCCESS" or "FAIL".

ERRORS:

This PEM block is a pretty-printed textual dump of all the errors, as given by
CertErrors::ToDebugString().
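As an added example (not code from this directory or from the generate scripts), the following Python reads one test case in the layout described above and enforces its cardinality rules. It assumes VERIFY_RESULT and ERRORS hold plain text between the PEM markers while the DER blocks are base64-encoded as usual for PEM; the sample input at the bottom is constructed with placeholder bytes rather than real certificates.

```python
import base64
import re
from datetime import datetime, timezone

# Added example, not code from the test-data directory: parse the .pem
# test-case layout and enforce its "exactly one" / "one or more" rules.
# Assumption: VERIFY_RESULT and ERRORS are plain text; DER blocks are base64.
_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z_]+)-----\n(.*?)-----END \1-----", re.S)
_ANCHORS = ("TRUST_ANCHOR_CONSTRAINED", "TRUST_ANCHOR_UNCONSTRAINED")

def decode_utctime(der):
    """Decode a DER UTCTime (tag 0x17) holding YYMMDDHHMMSSZ."""
    if len(der) < 2 or der[0] != 0x17 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed DER UTCTime")
    when = datetime.strptime(der[2:].decode("ascii"), "%y%m%d%H%M%SZ")
    return when.replace(tzinfo=timezone.utc)

def parse_test_case(text):
    blocks = {}
    for name, body in _BLOCK_RE.findall(text):
        blocks.setdefault(name, []).append(body)

    def only(name):  # "there must be exactly one such PEM block"
        if len(blocks.get(name, [])) != 1:
            raise ValueError("expected exactly one %s block" % name)
        return blocks[name][0]

    certs = [base64.b64decode(b) for b in blocks.get("CERTIFICATE", [])]
    if not certs:
        raise ValueError("at least one CERTIFICATE block is required")
    anchors = [n for n in _ANCHORS if n in blocks]
    if len(anchors) != 1:
        raise ValueError("expected exactly one TRUST_ANCHOR_{XXX} block")
    result = only("VERIFY_RESULT").strip()
    if result not in ("SUCCESS", "FAIL"):
        raise ValueError("VERIFY_RESULT must be SUCCESS or FAIL")
    return {
        "certificates": certs,  # target first, trust anchor excluded
        "trust_anchor": base64.b64decode(only(anchors[0])),
        "anchor_constrained": anchors[0] == _ANCHORS[0],
        "timestamp": decode_utctime(base64.b64decode(only("TIMESTAMP"))),
        "expected_success": result == "SUCCESS",
        "errors": blocks.get("ERRORS", [""])[0].rstrip("\n"),
    }

def _pem(name, body):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (name, body, name)

# Constructed sample: placeholder bytes stand in for real DER certificates.
SAMPLE = (_pem("CERTIFICATE", base64.b64encode(b"target").decode())
          + _pem("CERTIFICATE", base64.b64encode(b"intermediate").decode())
          + _pem("TRUST_ANCHOR_CONSTRAINED", base64.b64encode(b"root").decode())
          + _pem("TIMESTAMP", base64.b64encode(b"\x17\x0d150302120000Z").decode())
          + _pem("VERIFY_RESULT", "SUCCESS") + _pem("ERRORS", ""))
```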
