net/data/verify_certificate_chain_unittest/README - cobalt - Git at Google

 This directory contains test data for verifying certificate chains.

 Tests are grouped into directories that contain the keys, python to generate
 chains, and test expectations. "DIR" is used as a generic placeholder below to
 identify such a directory.

 ===============================
 DIR/generate-chains.py
 ===============================

 Python script that generates one or more ".pem" file containing a sequence of
 CERTIFICATE blocks. In most cases it will generate a single chain called
 "chain.pem".

 ===============================
 DIR/keys/*.key
 ===============================

 The keys used (as well as generated) by the .py file generate-chains.py. The
 private keys shouldn't be needed to run the tests, however are useful when
 re-generating the test data to have stable results (at least for signature
 types which are deterministic, like RSASSA PKCS#1 which is used by most of the
 certificates data).

 ===============================
 DIR/*.pem
 ===============================

 A sequence of CERTIFICATE blocks that was created by the generate-chains.py
 script. (Although in a few cases there are manually created .pem files that
 lack a generator script).

 ===============================
 DIR/*.test
 ===============================

 A sequence of key-value pairs that identify the inputs to certificate
 verification, as well as the expected outputs. The format is essentially a
 newline separated sequence of key/value pairs:

 key: value\n

 All keys must be specified by tests, although they can be in any order.
 The possible keys are:

   "chain" - The value is a file path (relative to the test file) to a .pem
       containing the CERTIFICATE chain.

   "last_cert_trust" - The value identifies the trustedness of the last
       certificate in the chain (i.e. whether it is a trust anchor or not). This
       maps to the CertificateTrustType enum. Possible values are:
           "TRUSTED_ANCHOR"
           "TRUSTED_ANCHOR_WITH_CONSTRAINTS"
           "UNSPECIFIED"
           "DISTRUSTED"

   "utc_time" - A string encoding for the generalized time at which verification
       should be done. Example "150302120000Z"

   "key_purpose" - The expected EKU to use when verifying. Maps to
       KeyPurpose enum. Possible values are:
       "ANY_EKU"
       "SERVER_AUTH"
       "CLIENT_AUTH"

   "errors" - This has special parsing rules: it is interpreted as the
       final key in the file. All lines after "errors:\n" are read as being the
       error string (this allows embedding newlines in it).

 Additionally, it is possible to add python-style comments by starting a line
 with "#".

 ===============================
 pkits_errors/*.txt
 ===============================

 These files contain the expected errors for PKITS tests
 (third_party/nist-pkits). The file name correspond so the PKITS tests number.
 They are baselined specifically for VerifyCertificateChain().

 ===============================
 generate-all.sh
 ===============================

 Runs all of the generate-chains.py scripts and cleans up the temp files
 afterwards.
	This directory contains test data for verifying certificate chains.

	Tests are grouped into directories that contain the keys, python to generate
	chains, and test expectations. "DIR" is used as a generic placeholder below to
	identify such a directory.

	===============================
	DIR/generate-chains.py
	===============================

	Python script that generates one or more ".pem" file containing a sequence of
	CERTIFICATE blocks. In most cases it will generate a single chain called
	"chain.pem".

	===============================
	DIR/keys/*.key
	===============================

	The keys used (as well as generated) by the .py file generate-chains.py. The
	private keys shouldn't be needed to run the tests, however are useful when
	re-generating the test data to have stable results (at least for signature
	types which are deterministic, like RSASSA PKCS#1 which is used by most of the
	certificates data).

	===============================
	DIR/*.pem
	===============================

	A sequence of CERTIFICATE blocks that was created by the generate-chains.py
	script. (Although in a few cases there are manually created .pem files that
	lack a generator script).

	===============================
	DIR/*.test
	===============================

	A sequence of key-value pairs that identify the inputs to certificate
	verification, as well as the expected outputs. The format is essentially a
	newline separated sequence of key/value pairs:

	key: value\n

	All keys must be specified by tests, although they can be in any order.
	The possible keys are:

	"chain" - The value is a file path (relative to the test file) to a .pem
	containing the CERTIFICATE chain.

	"last_cert_trust" - The value identifies the trustedness of the last
	certificate in the chain (i.e. whether it is a trust anchor or not). This
	maps to the CertificateTrustType enum. Possible values are:
	"TRUSTED_ANCHOR"
	"TRUSTED_ANCHOR_WITH_CONSTRAINTS"
	"UNSPECIFIED"
	"DISTRUSTED"

	"utc_time" - A string encoding for the generalized time at which verification
	should be done. Example "150302120000Z"

	"key_purpose" - The expected EKU to use when verifying. Maps to
	KeyPurpose enum. Possible values are:
	"ANY_EKU"
	"SERVER_AUTH"
	"CLIENT_AUTH"

	"errors" - This has special parsing rules: it is interpreted as the
	final key in the file. All lines after "errors:\n" are read as being the
	error string (this allows embedding newlines in it).

	Additionally, it is possible to add python-style comments by starting a line
	with "#".

	===============================
	pkits_errors/*.txt
	===============================

	These files contain the expected errors for PKITS tests
	(third_party/nist-pkits). The file name correspond so the PKITS tests number.
	They are baselined specifically for VerifyCertificateChain().

	===============================
	generate-all.sh
	===============================

	Runs all of the generate-chains.py scripts and cleans up the temp files
	afterwards.