Review and integrate Chromium certificate test data #14

@jvdprng

Context

The Chromium project maintains an extensive collection of certificate test data used for testing Chrome's certificate validation implementation. This test data includes:

  • Real-world certificate validation edge cases
  • Security-critical test scenarios
  • Tests for known vulnerabilities and bugs
  • Modern web PKI requirements (CT, name constraints, etc.)
  • Browser-specific validation rules

Chromium's test data is particularly valuable because:

  • It's actively maintained and reflects current web security requirements
  • It includes tests for real security issues found in the wild
  • It covers browser-specific validation that may not be in generic RFC 5280 tests
  • It represents real-world attack scenarios

Repository: https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/certificates/

Why this matters:

  • Real-world relevance: tests based on actual security issues
  • Browser PKI focus: covers modern web certificate requirements
  • Complementary coverage: different perspective than RFC-focused tests
  • Security value: includes tests for known vulnerabilities

Task Description

Goal: Review Chromium's certificate test data repository and integrate relevant test cases into x509-limbo that provide valuable coverage not already present.

Phase 1: Analysis

  1. Survey Chromium test data

    • Clone/access Chromium's certificate test repository
    • Catalog test scenarios and organization
    • Understand test structure and expected results
    • Review associated documentation and README files
  2. Categorize test cases

    • Group by feature area (name validation, CT, chains, etc.)
    • Identify security-critical tests
    • Document tests for known CVEs or security issues
    • Note browser-specific vs general X.509 tests
  3. Gap analysis

    • Compare Chromium coverage with existing x509-limbo test cases
    • Identify Chromium tests that would add value to x509-limbo
    • Priority areas likely include:
      • Certificate Transparency requirements
      • Modern name validation rules
      • CT log signature verification
      • SCT (Signed Certificate Timestamp) handling
      • Real-world attack scenarios
      • Known vulnerability reproductions

Phase 2: Integration Planning

  1. Select test cases for integration

    • Prioritize based on:
      • Security relevance
      • Coverage gaps in x509-limbo
      • Applicability beyond just Chrome (general X.509 issues)
      • Real-world attack scenarios
    • Consider tests that revealed actual bugs
  2. Adaptation strategy

    • Determine how to represent Chromium tests in x509-limbo format
    • Handle browser-specific requirements vs general validation
    • Plan for CT-specific test case representation
    • Maintain attribution to Chromium

Phase 3: Implementation

  1. Convert selected test cases

    • Translate Chromium test structures to x509-limbo format
    • Adapt expected results to x509-limbo conventions
    • Handle any Chrome-specific validation differences
    • Verify converted tests produce expected results
  2. Documentation

    • Document which Chromium tests were integrated
    • Explain any adaptations or differences
    • Note browser-specific aspects
    • Provide mapping from Chromium test IDs to x509-limbo test IDs
    • Link to original Chromium test sources

Implementation Requirements

Research Tools:

  • Access to Chromium source repository
  • Tools to parse Chromium's test certificate formats
  • Understanding of Chrome's validation policy
  • Comparison tools for coverage analysis

Integration Tools:

  • x509-limbo certificate builders to recreate Chromium scenarios
  • Support for CT-related structures (SCTs, etc.) if needed
  • Test case generation for identified gaps
  • Documentation generation

References

Acceptance Criteria

  • Chromium test data repository surveyed and cataloged
  • Gap analysis completed documenting coverage differences
  • Priority list created of Chromium tests to integrate
  • Selected test cases converted to x509-limbo format
  • Converted tests validated against harnesses
  • Documentation updated with Chromium integration details
  • Attribution and source links maintained
  • Browser-specific vs general validation distinctions documented
