Add tests for verify_restartable()
For selection of test cases, see comments added in the commit. It makes the most sense to test with chains using ECC only, so for the chain of length 2 we use server10 -> int-ca3 -> int-ca2 and trust int-ca2 directly. Note: server10.crt was created by copying server10_int3_int-ca2.crt and manually truncating it to remove the intermediates. That base can now be used to create derived certs (without or with a chain) in a programmatic way.
This commit is contained in:
Manuel Pégourié-Gonnard
parent
bc3f44ae9c
commit
d19a41d9aa
10 changed files with 169 additions and 2 deletions
|
|
@ -2069,6 +2069,16 @@ static int x509_crt_check_ee_locally_trusted(
|
|||
* - EE, Ci1, ..., Ciq cannot be continued with a trusted root
|
||||
* -> return that chain with NOT_TRUSTED set on Ciq
|
||||
*
|
||||
* Tests for (aspects of) this function should include at least:
|
||||
* - trusted EE
|
||||
* - EE -> trusted root
|
||||
* - EE -> intermedate CA -> trusted root
|
||||
* - if relevant: EE untrusted
|
||||
* - if relevant: EE -> intermediate, untrusted
|
||||
* with the aspect under test checked at each relevant level (EE, int, root).
|
||||
* For some aspects longer chains are required, but usually length 2 is
|
||||
* enough (but length 1 is not in general).
|
||||
*
|
||||
* Arguments:
|
||||
* - [in] crt: the cert list EE, C1, ..., Cn
|
||||
* - [in] trust_ca: the trusted list R1, ..., Rp
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue