1# This Source Code Form is subject to the terms of the Mozilla Public 2# License, v. 2.0. If a copy of the MPL was not distributed with this 3# file, You can obtain one at http://mozilla.org/MPL/2.0/. 4 5scenario TrustAnchors 6 7entity RootCA 8 type Root 9 10entity CA1 11 type Intermediate 12 issuer RootCA 13 14entity CA2 15 type Intermediate 16 issuer CA1 17 18entity EE1 19 type EE 20 issuer CA2 21 22entity OtherRoot 23 type Root 24 25entity OtherIntermediate 26 type Intermediate 27 issuer OtherRoot 28 29entity EE2 30 type EE 31 issuer OtherIntermediate 32 33# Scenarios where trust only comes from the DB 34db DBOnly 35 36import RootCA::CT,C,C 37import CA1:RootCA: 38 39# Simple chaining - no trust anchors 40verify EE1:CA2 41 cert CA2:CA1 42 result pass 43 44# Simple trust anchors - ignore the Cert DB 45verify EE1:CA2 46 trust CA2:CA1 47 result pass 48 49# Redundant trust - trust anchor and DB 50verify EE1:CA2 51 cert CA2:CA1 52 trust RootCA 53 result pass 54 55 56# Scenarios where trust only comes from trust anchors 57db TrustOnly 58 59# Simple checking - direct trust anchor 60verify EE1:CA2 61 cert CA2:CA1 62 cert CA1:RootCA: 63 trust RootCA: 64 result pass 65 66# Partial chain (not self-signed), with a trust anchor 67verify EE1:CA2 68 trust CA2:CA1 69 result pass 70 71 72# Scenarios where trust comes from both trust anchors and the DB 73db TrustAndDB 74 75import RootCA::CT,C,C 76import CA1:RootCA: 77 78# Check that trust in the DB works 79verify EE1:CA2 80 cert CA2:CA1 81 result pass 82 83# Check that trust anchors work 84verify EE2:OtherIntermediate 85 cert OtherIntermediate:OtherRoot 86 trust OtherRoot: 87 result pass 88 89# Check that specifying a trust anchor still allows searching the cert DB 90verify EE1:CA2 91 trust_and_db 92 cert CA2:CA1 93 trust OtherIntermediate:OtherRoot 94 trust OtherRoot: 95 result pass 96 97# Scenarios where the trust DB has explicitly distrusted one or more certs, 98# even when the trust anchors indicate trust 99db ExplicitDistrust 100 101import RootCA::CT,C,C 102import CA1:RootCA:p,p,p 103import OtherRoot::p,p,p 104 105# Verify that a distrusted intermediate, but trusted root, is rejected. 106verify EE1:CA2 107 cert CA2:CA1 108 trust CA1:RootCA 109 result fail 110 111# Verify that a trusted intermediate, but distrusted root, is accepted. 112verify EE2:OtherIntermediate 113 trust OtherIntermediate:OtherRoot 114 result pass 115