This release contains a number of new tests and a change to the client-under-test CLI: users need to modify their client wrappers (or add new tests to expected failures).
Changes in client-under-test CLI
- The expected client CLI now includes --key <FILE> as an alternative to --certificate-identity <IDENTITY> --certificate-oidc-issuer <URL>. Details in cli_protocol.md. Clients that do not support keys as identities can add "test_verify*managed-key-happy-path] test_verify*managed-key-and-trusted-root]" to their expected failure list.
Added tests
- Bundle validity checks
  - bundle-empty-certificate-chain, bundle-invalid-base64-signature, bundle-malformed-json, bundle-negative-log-index, bundle-unknown-version, inclusion-proof-corrupted-hash
  - message-digest-mismatch: Note that the message digest field in the signature is an unauthenticated hint. The conformance test suite expects a verification failure here only for consistency.
- Bundle with SCT extensions
  - bundle-with-sct-with-extensions -- this is a requirement for using TesseraCT as Fulcio CT in future
- Managed key tests
  - managed-key-happy-path, managed-key-and-trusted-root, managed-key-no-key, managed-key-wrong-key -- these tests require the client-under-test CLI to implement the --key argument
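
An added example, not code from the conformance suite or from any Sigstore client: a structural pre-check a client wrapper could run before cryptographic verification, reporting several of the bundle validity cases listed above. It assumes the Sigstore bundle JSON field names (mediaType, verificationMaterial, tlogEntries, messageSignature) and a SHA-256 message digest; the function name, the accepted media type set and the bundle-invalid-log-index label are hypothetical.

```python
import base64
import binascii
import hashlib
import json

# Assumed set of accepted media types; a real client defines its own.
KNOWN_MEDIA_TYPES = {
    "application/vnd.dev.sigstore.bundle+json;version=0.1",
    "application/vnd.dev.sigstore.bundle+json;version=0.2",
    "application/vnd.dev.sigstore.bundle.v0.3+json",
}


def precheck_bundle(bundle_text, artifact):
    """Return failure labels (names borrowed from the test list above).

    An empty list means "proceed to cryptographic verification", not "verified".
    """
    try:
        bundle = json.loads(bundle_text)
    except json.JSONDecodeError:
        return ["bundle-malformed-json"]
    if not isinstance(bundle, dict):
        return ["bundle-malformed-json"]
    problems = []
    if bundle.get("mediaType") not in KNOWN_MEDIA_TYPES:
        problems.append("bundle-unknown-version")
    material = bundle.get("verificationMaterial") or {}
    chain = material.get("x509CertificateChain")
    if isinstance(chain, dict) and not chain.get("certificates"):
        problems.append("bundle-empty-certificate-chain")
    for entry in material.get("tlogEntries") or []:
        try:  # protobuf JSON carries int64 values as strings
            if int(entry.get("logIndex", 0)) < 0:
                problems.append("bundle-negative-log-index")
        except (AttributeError, TypeError, ValueError):
            problems.append("bundle-invalid-log-index")  # label not from the page
    sig = bundle.get("messageSignature")
    if isinstance(sig, dict):
        try:
            base64.b64decode(sig.get("signature", ""), validate=True)
        except (binascii.Error, TypeError, ValueError):
            problems.append("bundle-invalid-base64-signature")
        # The digest field is an unauthenticated hint: always hash the artifact
        # locally for signature verification; compare only for consistency.
        hint = (sig.get("messageDigest") or {}).get("digest")
        actual = base64.b64encode(hashlib.sha256(artifact).digest()).decode()
        if hint is not None and hint != actual:
            problems.append("message-digest-mismatch")
    return problems
```

Passing this pre-check says nothing about signature, certificate or inclusion-proof validity; those still require full verification against the trusted root or key.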