This directory contains X509 certificate tests generated by the
Netflix "bettertls" suite from https://github.com/Netflix/bettertls
cloned at commit 8950fdf2a46eaa357aa8d338c871f2cbc00e86e5 in July 2020.

The certificates are in "certificates", generated by running the
generator with gradle as per the directions. They are named
corresponding to the number of the test, currently from 1 to 3645.

In the directory "scripts" is "expects.json", which contains the
expected results for each certificate, generated as per the
instructions with bettertls. This includes a description of what the
issues are with each certificate. The "expects.json" output was then
converted to the simple output format used by us here using the
"convert.perl" script in that directory.

"validate.c" runs X509_verify against each certificate, trying with
both a required name of "localhost.local" for the "DNS" test and
the IP address 127.0.0.1 for the "IP" test, so each cert is tested
twice (once expecting the DNS name to validate, and once for the IP).

The output from validate.c is checked by check.perl against "known"
and "expected":

- An expected value of OK means the cert is valid.
- An expected value of ERROR means the cert is invalid.
- An expected value of WEAK-OK means the cert could be considered valid
  but may be rejected.

As issues are fixed in LibreSSL, the known file should be updated
to indicate your improved result and prevent future regressions.
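
One way to picture how the three expected values interact with the "known"
baseline, as an added Python sketch (not the project's check.perl; the row
layout, category names and sample rows are assumptions constructed here):

```python
# Added illustration: triage one validator result against the bettertls
# expectation and the recorded "known" baseline. Row layout, category names
# and sample rows are assumptions/constructed, not check.perl's real format.

ACCEPTABLE = {
    "OK": {"OK"},                 # cert is valid: must be accepted
    "ERROR": {"ERROR"},           # cert is invalid: must be rejected
    "WEAK-OK": {"OK", "ERROR"},   # could be valid, rejection is allowed
}

def triage(expected, known, actual):
    """Return a category for one (test, DNS-or-IP) result."""
    if expected not in ACCEPTABLE or actual not in ("OK", "ERROR"):
        raise ValueError(f"unexpected value: {expected!r}/{actual!r}")
    conforms = actual in ACCEPTABLE[expected]
    if actual == known:
        return "pass" if conforms else "known-failure"
    if not conforms:
        return "regression"            # baseline was right, we now differ
    if known not in ACCEPTABLE[expected]:
        return "improved"              # fixed: the known file needs updating
    return "changed"                   # WEAK-OK verdict flipped; review it

def report(rows):
    """Map (test, mode) -> category for rows of
    (test, mode, expected, known, actual)."""
    return {(t, m): triage(e, k, a) for t, m, e, k, a in rows}

def false_accepts(rows):
    """Results where an invalid certificate was accepted (the unsafe case)."""
    return [(t, m) for t, m, e, _k, a in rows if e == "ERROR" and a == "OK"]

SAMPLE = [  # constructed rows, not real bettertls output
    (1, "DNS", "OK", "OK", "OK"),
    (1, "IP", "ERROR", "ERROR", "ERROR"),
    (2, "DNS", "ERROR", "OK", "OK"),
    (3, "IP", "OK", "ERROR", "OK"),
    (4, "DNS", "ERROR", "ERROR", "OK"),
    (5, "IP", "WEAK-OK", "OK", "ERROR"),
]

if __name__ == "__main__":
    for key, category in sorted(report(SAMPLE).items()):
        print(key, category)
    print("false accepts:", false_accepts(SAMPLE))
```

Rows reported as "improved" are the ones where the known file should be
updated; "known-failure" rows with an ERROR expectation are accepted invalid
certificates that the baseline currently tolerates.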