1# This Source Code Form is subject to the terms of the Mozilla Public
2# License, v. 2.0. If a copy of the MPL was not distributed with this
3# file, You can obtain one at http://mozilla.org/MPL/2.0/.
4
# Exercises chain validation when trust comes from caller-supplied trust
# anchors, from the certificate DB, or from both (see the db sections below).
5scenario TrustAnchors
6
# First hierarchy: RootCA -> CA1 -> CA2 -> EE1 (two intermediates).
7entity RootCA
8  type Root
9
10entity CA1
11  type Intermediate
12  issuer RootCA
13
14entity CA2
15  type Intermediate
16  issuer CA1
17
18entity EE1
19  type EE
20  issuer CA2
21
# Second, unrelated hierarchy: OtherRoot -> OtherIntermediate -> EE2.
# It shares no issuer with the first one, so any cross-chain acceptance
# would indicate that an anchor was applied to the wrong path.
22entity OtherRoot
23  type Root
24
25entity OtherIntermediate
26  type Intermediate
27  issuer OtherRoot
28
29entity EE2
30  type EE
31  issuer OtherIntermediate
32
33# Scenarios where trust only comes from the DB
34db DBOnly
35
# Import lines appear to read as name:issuer:trust-flags. RootCA is imported
# with CT,C,C; CA1 is imported with an empty flag field, so it carries no
# explicit trust of its own and is only available for path building.
# NOTE(review): the flag triple presumably follows certutil order
# (SSL, e-mail, object signing) - confirm against the test harness.
36import RootCA::CT,C,C
37import CA1:RootCA:
38
39# Simple chaining - no trust anchors
# CA2 is supplied with the request and no `trust` line is given, so the pass
# result has to rest on the RootCA trust imported into the DB above.
40verify EE1:CA2
41  cert CA2:CA1
42  result pass
43
44# Simple trust anchors - ignore the Cert DB
# CA2 itself is named as the anchor, so the expected path is EE1 -> CA2 and
# validation should pass without relying on the DB entries for CA1/RootCA.
45verify EE1:CA2
46  trust CA2:CA1
47  result pass
48
49# Redundant trust - trust anchor and DB
# RootCA is both DB-trusted (import above) and named as an anchor here.
# NOTE(review): RootCA is written without a trailing colon on the `trust`
# line, while the TrustOnly section uses `trust RootCA:` - presumably the
# harness treats both forms alike; confirm.
50verify EE1:CA2
51  cert CA2:CA1
52  trust RootCA
53  result pass
54
55
56# Scenarios where trust only comes from trust anchors
# No `import` lines follow this db declaration, so nothing in this section
# can pass on the strength of DB trust.
57db TrustOnly
58
59# Simple checking - direct trust anchor
# The full chain is handed in with the request (CA2, CA1) and the self-signed
# root is named as the only anchor.
60verify EE1:CA2
61  cert CA2:CA1
62  cert CA1:RootCA:
63  trust RootCA:
64  result pass
65
66# Partial chain (not self-signed), with a trust anchor
# The anchor is the intermediate CA2, not a root. A pass here pins the
# behaviour that a non-self-signed certificate is accepted as a trust anchor
# and that the path need not reach a root.
67verify EE1:CA2
68  trust CA2:CA1
69  result pass
70
71
72# Scenarios where trust comes from both trust anchors and the DB
73db TrustAndDB
74
# Same DB contents as DBOnly: RootCA trusted (CT,C,C), CA1 present with no
# explicit trust flags. Nothing from the OtherRoot hierarchy is imported.
75import RootCA::CT,C,C
76import CA1:RootCA:
77
78# Check that trust in the DB works
# No `trust` line: the pass result depends on the DB-trusted RootCA.
79verify EE1:CA2
80  cert CA2:CA1
81  result pass
82
83# Check that trust anchors work
# EE2's hierarchy is absent from the DB, so only the supplied anchor
# OtherRoot can make this pass.
84verify EE2:OtherIntermediate
85  cert OtherIntermediate:OtherRoot
86  trust OtherRoot:
87  result pass
88
89# Check that specifying a trust anchor still allows searching the cert DB
# The anchors given belong to the other hierarchy and cannot validate EE1;
# with `trust_and_db` set, the DB-trusted RootCA is still expected to be
# consulted, hence the pass.
# NOTE(review): there is no companion case with the same anchors but without
# `trust_and_db`; an expected-fail case would pin that unrelated anchors
# alone do not validate EE1 - consider adding one.
90verify EE1:CA2
91  trust_and_db
92  cert CA2:CA1
93  trust OtherIntermediate:OtherRoot
94  trust OtherRoot:
95  result pass
96
97# Scenarios where the trust DB has explicitly distrusted one or more certs,
98# even when the trust anchors indicate trust
99db ExplicitDistrust
100
# RootCA stays trusted (CT,C,C). CA1 and OtherRoot are imported with p,p,p,
# which this section uses as the explicit-distrust marking.
101import RootCA::CT,C,C
102import CA1:RootCA:p,p,p
103import OtherRoot::p,p,p
104
105# Verify that a distrusted intermediate, but trusted root, is rejected.
# CA1 is named as the trust anchor and is also marked p,p,p in the DB. The
# expected failure pins that explicit distrust in the DB takes precedence
# over a caller-supplied anchor for the same certificate.
# NOTE(review): the case where the distrusted CA1 sits below the anchor
# (e.g. anchor RootCA, path through CA1) is not exercised in this section.
106verify EE1:CA2
107  cert CA2:CA1
108  trust CA1:RootCA
109  result fail
110
111# Verify that a trusted intermediate, but distrusted root, is accepted.
# The anchor is OtherIntermediate; the distrusted OtherRoot sits above it.
# The expected pass implies the path ends at the anchor and the root's
# distrust is not evaluated - presumably by design; confirm. Practical
# consequence: distrusting only a root in the DB does not block chains that
# a caller anchors at one of that root's intermediates.
112verify EE2:OtherIntermediate
113  trust OtherIntermediate:OtherRoot
114  result pass
115