trustanchors.cfg (2206B)
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

scenario TrustAnchors

entity RootCA
  type Root

entity CA1
  type Intermediate
  issuer RootCA

entity CA2
  type Intermediate
  issuer CA1

entity EE1
  type EE
  issuer CA2

entity OtherRoot
  type Root

entity OtherIntermediate
  type Intermediate
  issuer OtherRoot

entity EE2
  type EE
  issuer OtherIntermediate

# Scenarios where trust only comes from the DB
db DBOnly

import RootCA::CT,C,C
import CA1:RootCA:

# Simple chaining - no trust anchors
verify EE1:CA2
  cert CA2:CA1
  result pass

# Simple trust anchors - ignore the Cert DB
verify EE1:CA2
  trust CA2:CA1
  result pass

# Redundant trust - trust anchor and DB
verify EE1:CA2
  cert CA2:CA1
  trust RootCA
  result pass


# Scenarios where trust only comes from trust anchors
db TrustOnly

# Simple checking - direct trust anchor
verify EE1:CA2
  cert CA2:CA1
  cert CA1:RootCA:
  trust RootCA:
  result pass

# Partial chain (not self-signed), with a trust anchor
verify EE1:CA2
  trust CA2:CA1
  result pass


# Scenarios where trust comes from both trust anchors and the DB
db TrustAndDB

import RootCA::CT,C,C
import CA1:RootCA:

# Check that trust in the DB works
verify EE1:CA2
  cert CA2:CA1
  result pass

# Check that trust anchors work
verify EE2:OtherIntermediate
  cert OtherIntermediate:OtherRoot
  trust OtherRoot:
  result pass

# Check that specifying a trust anchor still allows searching the cert DB
verify EE1:CA2
  trust_and_db
  cert CA2:CA1
  trust OtherIntermediate:OtherRoot
  trust OtherRoot:
  result pass

# Scenarios where the trust DB has explicitly distrusted one or more certs,
# even when the trust anchors indicate trust
db ExplicitDistrust

import RootCA::CT,C,C
import CA1:RootCA:p,p,p
import OtherRoot::p,p,p

# Verify that a distrusted intermediate, but trusted root, is rejected.
verify EE1:CA2
  cert CA2:CA1
  trust CA1:RootCA
  result fail

# Verify that a trusted intermediate, but distrusted root, is accepted.
verify EE2:OtherIntermediate
  trust OtherIntermediate:OtherRoot
  result pass