Update comments for net/data/verify_certificate_chain_unittest/

* Remove some older language about trust anchors, and consistently refer
  to "root certificate" instead

* Omit trivia about the chain (like count of certificates), and focus
  description on what makes it special

* Don't refer to expected validation success/failure in the chain
  descriptions. Instead this logically belongs in the .test file (I didn't
  add comments to the .test files... however the error messages should be
  self-descriptive).

Review-Url: https://codereview.chromium.org/2951403002
Cr-Commit-Position: refs/heads/master@{#481816}

net/data/verify_certificate_chain_unittest/basic-constraints-pathlen-0-self-issued/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 2 intermediates. The first intermediate has a basic
-constraints path length of 0. The second one is self-issued so does not count
-against the path length.
+Certificate chain where the intermediate sets pathlen=0, and is followed by
+a self-issued intermediate.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/basic-constraints-pathlen-0-self-issued/generate-chains.py

@@ -3,16 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 2 intermediates. The first intermediate has a basic
-constraints path length of 0. The second one is self-issued so does not count
-against the path length."""
+"""Certificate chain where the intermediate sets pathlen=0, and is followed by
+a self-issued intermediate."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate with pathlen 0

net/data/verify_certificate_chain_unittest/expired-intermediate/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with a root, intermediate and target. The intermediate has
-a smaller validity range than the other certificates, making it easy to violate
-just its validity.
+Certificate chain where the intermediate has a smaller validity range
+than the other certificates, making it easy to violate just its validity.
 
   Root:          2015/01/01 -> 2016/01/01
   Intermediate:  2015/03/01 -> 2015/09/01

net/data/verify_certificate_chain_unittest/expired-intermediate/generate-chains.py

@@ -3,9 +3,8 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with a root, intermediate and target. The intermediate has
-a smaller validity range than the other certificates, making it easy to violate
-just its validity.
+"""Certificate chain where the intermediate has a smaller validity range
+than the other certificates, making it easy to violate just its validity.
 
   Root:          2015/01/01 -> 2016/01/01
   Intermediate:  2015/03/01 -> 2015/09/01

net/data/verify_certificate_chain_unittest/expired-root/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with a root, intermediate and target. The root has a
-smaller validity range than the other certificates, making it easy to violate
-just its validity.
+Certificate chain where the root has a smaller validity range than the other
+certificates, making it easy to violate just its validity.
 
   Root:          2015/03/01 -> 2015/09/01
   Intermediate:  2015/01/01 -> 2016/01/01

net/data/verify_certificate_chain_unittest/expired-root/generate-chains.py

@@ -3,9 +3,8 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with a root, intermediate and target. The root has a
-smaller validity range than the other certificates, making it easy to violate
-just its validity.
+"""Certificate chain where the root has a smaller validity range than the other
+certificates, making it easy to violate just its validity.
 
   Root:          2015/03/01 -> 2015/09/01
   Intermediate:  2015/01/01 -> 2016/01/01

net/data/verify_certificate_chain_unittest/expired-target/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with a root, intermediate and target. The target has a
-smaller validity range than the other certificates, making it easy to violate
-just its validity.
+Certificate chain where the target certificate has a smaller validity range
+than the other certificates, making it easy to violate just its validity.
 
   Root:          2015/01/01 -> 2016/01/01
   Intermediate:  2015/01/01 -> 2016/01/01

net/data/verify_certificate_chain_unittest/expired-target/generate-chains.py

@@ -3,9 +3,8 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with a root, intermediate and target. The target has a
-smaller validity range than the other certificates, making it easy to violate
-just its validity.
+"""Certificate chain where the target certificate has a smaller validity range
+than the other certificates, making it easy to violate just its validity.
 
   Root:          2015/01/01 -> 2016/01/01
   Intermediate:  2015/01/01 -> 2016/01/01

net/data/verify_certificate_chain_unittest/incorrect-trust-anchor/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate, but the trust anchor used is
-incorrect (neither subject nor signature matches). Verification is expected to
-fail.
+Certificate chain where the supposed root certificate is wrong:
+
+  * The intermediate's "issuer" does not match the root's "subject"
+  * The intermediate's signature was not generated using the root's key
+
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/incorrect-trust-anchor/generate-chains.py

@@ -3,16 +3,18 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate, but the trust anchor used is
-incorrect (neither subject nor signature matches). Verification is expected to
-fail."""
+"""Certificate chain where the supposed root certificate is wrong:
+
+  * The intermediate's "issuer" does not match the root's "subject"
+  * The intermediate's signature was not generated using the root's key
+"""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate, which is NOT saved as the trust anchor.
+# Self-signed root certificate, which actually signed the intermediate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate certificate.
@@ -21,8 +23,8 @@ intermediate = common.create_intermediate_certificate('Intermediate', root)
 # Target certificate.
 target = common.create_end_entity_certificate('Target', intermediate)
 
-# Self-signed root certificate, not part of chain, which is saved as trust
-# anchor.
+# Self-signed root certificate that has nothing to do with this chain, but will
+# be saved as its root certificate.
 bogus_root = common.create_self_signed_root_certificate('BogusRoot')
 
 chain = [target, intermediate, bogus_root]

net/data/verify_certificate_chain_unittest/intermediate-basic-constraints-ca-false/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate and a trusted root. The intermediate
-has a basic constraints extension that indicates it is NOT a CA. Verification
-is expected to fail.
+Certificate chain where the intermediate has a basic constraints extension
+that indicates it is NOT a CA.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/intermediate-basic-constraints-ca-false/generate-chains.py

@@ -3,16 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate and a trusted root. The intermediate
-has a basic constraints extension that indicates it is NOT a CA. Verification
-is expected to fail."""
+"""Certificate chain where the intermediate has a basic constraints extension
+that indicates it is NOT a CA."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate with incorrect basic constraints.

net/data/verify_certificate_chain_unittest/intermediate-basic-constraints-not-critical/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate and a trusted root. The intermediate
-has a basic constraints extension but does not mark it as critical.
-Verification is expected to succeed, since although not critical, the
-basicConstraints indicates CA=true as expected.
+Certificate chain where the intermediate's Basic Constraints extension is
+not marked as critical.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/intermediate-basic-constraints-not-critical/generate-chains.py

@@ -3,20 +3,18 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate and a trusted root. The intermediate
-has a basic constraints extension but does not mark it as critical.
-Verification is expected to succeed, since although not critical, the
-basicConstraints indicates CA=true as expected."""
+"""Certificate chain where the intermediate's Basic Constraints extension is
+not marked as critical."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
-# Intermediate with non-critical basic constarints.
+# Intermediate with non-critical basic constraints.
 intermediate = common.create_intermediate_certificate('Intermediate', root)
 intermediate.get_extensions().set_property('basicConstraints', 'CA:true')
 

net/data/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate and a trusted root. The intermediate
-restricts the EKU to clientAuth + any, and the target has serverAuth +
-clientAuth. Verification is expected to succeed because intermediate will match
-the "any".
+Certificate chain where the intermediate restricts the extended key usage to
+clientAuth + any, and the target sets serverAuth + clientAuth.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/intermediate-eku-any-and-clientauth/generate-chains.py

@@ -3,17 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate and a trusted root. The intermediate
-restricts the EKU to clientAuth + any, and the target has serverAuth +
-clientAuth. Verification is expected to succeed because intermediate will match
-the "any"."""
+"""Certificate chain where the intermediate restricts the extended key usage to
+clientAuth + any, and the target sets serverAuth + clientAuth."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate certificate.

net/data/verify_certificate_chain_unittest/intermediate-eku-clientauth/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate and a trusted root. The intermediate
-restricts the EKU to clientAuth, and the target has serverAuth +
-clientAuth. Verification is expected to fail when requesting serverAuth.
+Certificate chain where the intermediate restricts the extended key usage to
+clientAuth, and the target asserts serverAuth + clientAuth.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/intermediate-eku-clientauth/generate-chains.py

@@ -3,16 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate and a trusted root. The intermediate
-restricts the EKU to clientAuth, and the target has serverAuth +
-clientAuth. Verification is expected to fail when requesting serverAuth."""
+"""Certificate chain where the intermediate restricts the extended key usage to
+clientAuth, and the target asserts serverAuth + clientAuth."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate certificate.

net/data/verify_certificate_chain_unittest/intermediate-lacks-basic-constraints/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate and a trusted root. The intermediate
-lacks the basic constraints extension, and hence is expected to fail validation
-(RFC 5280 requires v3 signing certificates have a BasicConstaints).
+Certificate chain where the intermediate lacks a basic constraints
+extension (yet is used to issue another certificate).
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/intermediate-lacks-basic-constraints/generate-chains.py

@@ -3,16 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate and a trusted root. The intermediate
-lacks the basic constraints extension, and hence is expected to fail validation
-(RFC 5280 requires v3 signing certificates have a BasicConstaints)."""
+"""Certificate chain where the intermediate lacks a basic constraints
+extension (yet is used to issue another certificate)."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate that lacks basic constraints.

net/data/verify_certificate_chain_unittest/intermediate-lacks-signing-key-usage/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate and a trusted root. The intermediate
-contains a keyUsage extension, HOWEVER it does not contain the keyCertSign bit.
-Hence validation is expected to fail.
+Certificate chain where the intermediate lacks a keyUsage extension.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/intermediate-lacks-signing-key-usage/generate-chains.py

@@ -3,16 +3,14 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate and a trusted root. The intermediate
-contains a keyUsage extension, HOWEVER it does not contain the keyCertSign bit.
-Hence validation is expected to fail."""
+"""Certificate chain where the intermediate lacks a keyUsage extension."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate that is missing keyCertSign.

net/data/verify_certificate_chain_unittest/intermediate-signed-with-md5/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate and a trusted root. The intermediate
-however is signed using the MD5 hash. Verification is expected to fail because
-MD5 is too weak.
+Certificate chain where the intermediate has a valid signature, however uses
+MD5 in the signature algorithm.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/intermediate-signed-with-md5/generate-chains.py

@@ -3,16 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate and a trusted root. The intermediate
-however is signed using the MD5 hash. Verification is expected to fail because
-MD5 is too weak."""
+"""Certificate chain where the intermediate has a valid signature, however uses
+MD5 in the signature algorithm."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate.

net/data/verify_certificate_chain_unittest/intermediate-unknown-critical-extension/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate and a trusted root. The intermediate
-has an unknown X.509v3 extension (OID=1.2.3.4) that is marked as critical.
-Verifying this certificate chain is expected to fail because there is an
-unrecognized critical extension.
+Certificate chain where the intermediate has an unknown critical
+extension.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/intermediate-unknown-critical-extension/generate-chains.py

@@ -3,17 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate and a trusted root. The intermediate
-has an unknown X.509v3 extension (OID=1.2.3.4) that is marked as critical.
-Verifying this certificate chain is expected to fail because there is an
-unrecognized critical extension."""
+"""Certificate chain where the intermediate has an unknown critical
+extension."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate that has an unknown critical extension.

net/data/verify_certificate_chain_unittest/intermediate-unknown-non-critical-extension/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate and a trusted root. The intermediate
-has an unknown X.509v3 extension that is marked as non-critical. Verification
-is expected to succeed because although unrecognized, the extension is not
-critical.
+Certificate chain where the intermediate contains an unknown non-critical
+extension.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/intermediate-unknown-non-critical-extension/generate-chains.py

@@ -3,17 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate and a trusted root. The intermediate
-has an unknown X.509v3 extension that is marked as non-critical. Verification
-is expected to succeed because although unrecognized, the extension is not
-critical."""
+"""Certificate chain where the intermediate contains an unknown non-critical
+extension."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 intermediate = common.create_intermediate_certificate('Intermediate', root)
 

net/data/verify_certificate_chain_unittest/non-self-signed-root/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate and a trusted root. The trusted root
-is NOT self signed, however its issuer is not included in the chain or root
-store. Verification is expected to succeed since the root is trusted.
+Certificate chain where the root certificate is not self-signed (or
+self-issued for that matter).
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/non-self-signed-root/generate-chains.py

@@ -3,9 +3,8 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate and a trusted root. The trusted root
-is NOT self signed, however its issuer is not included in the chain or root
-store. Verification is expected to succeed since the root is trusted."""
+"""Certificate chain where the root certificate is not self-signed (or
+self-issued for that matter)."""
 
 import sys
 sys.path += ['..']
@@ -14,7 +13,7 @@ import common
 
 shadow_root = common.create_self_signed_root_certificate('ShadowRoot')
 
-# Non-self-signed root (part of trust store).
+# Non-self-signed root certificate.
 root = common.create_intermediate_certificate('Root', shadow_root)
 
 # Intermediate certificate.

net/data/verify_certificate_chain_unittest/root-basic-constraints-ca-false/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate and a trust anchor. The trust anchor
-has a basic constraints extension that indicates it is NOT a CA. Verification
-is expected to succeed even though the trust anchor enforces constraints, since
-the CA part of basic constraints is not enforced.
+Certificate chain where the root certificate contains a basic constraints
+extension that indicates it is NOT a CA.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/root-basic-constraints-ca-false/generate-chains.py

@@ -3,18 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate and a trust anchor. The trust anchor
-has a basic constraints extension that indicates it is NOT a CA. Verification
-is expected to succeed even though the trust anchor enforces constraints, since
-the CA part of basic constraints is not enforced."""
+"""Certificate chain where the root certificate contains a basic constraints
+extension that indicates it is NOT a CA."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor) with non-CA basic
-# constraints.
+# Self-signed root certificate with non-CA basic constraints.
 root = common.create_self_signed_root_certificate('Root')
 root.get_extensions().set_property('basicConstraints', 'critical,CA:false')
 

net/data/verify_certificate_chain_unittest/root-eku-clientauth/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate and a trust anchor. The trust anchor
-has an EKU that restricts it to clientAuth. Verification is expected to fail as
-the end-entity is verified for serverAuth, and the trust anchor enforces
-constraints.
+Certificate chain where the root certificate restricts the extended key
+usage to clientAuth.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/root-eku-clientauth/generate-chains.py

@@ -3,18 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate and a trust anchor. The trust anchor
-has an EKU that restricts it to clientAuth. Verification is expected to fail as
-the end-entity is verified for serverAuth, and the trust anchor enforces
-constraints."""
+"""Certificate chain where the root certificate restricts the extended key
+usage to clientAuth."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor) with non-CA basic
-# constraints.
+# Self-signed root certificate with extended key usage of clientAuth.
 root = common.create_self_signed_root_certificate('Root')
 root.get_extensions().set_property('extendedKeyUsage', 'clientAuth')
 

net/data/verify_certificate_chain_unittest/root-lacks-basic-constraints/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate and a trust anchor. The trust anchor
-lacks the basic constraints extension. This is not a problem and verification
-should succeed.
+Certificate chain where the root certificate lacks a basic constraints
+extension.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/root-lacks-basic-constraints/generate-chains.py

@@ -3,16 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate and a trust anchor. The trust anchor
-lacks the basic constraints extension. This is not a problem and verification
-should succeed."""
+"""Certificate chain where the root certificate lacks a basic constraints
+extension."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 root.get_extensions().remove_property('basicConstraints')
 

net/data/verify_certificate_chain_unittest/target-and-intermediate/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate and a trusted root. Verification is
-expected to succeed.
+Simple certificate chain for a serverAuth which is comprised of a root,
+intermediate, and leaf certificate.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/target-and-intermediate/generate-chains.py

@@ -3,15 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate and a trusted root. Verification is
-expected to succeed."""
+"""Simple certificate chain for a serverAuth which is comprised of a root,
+intermediate, and leaf certificate."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate certificate.

net/data/verify_certificate_chain_unittest/target-eku-clientauth/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate and a trusted root. The target
-certificate has only clientAuth EKU, so is expected to fail when verifying for
-serverAuth.
+Certificate chain where the target certificate sets the extended key usage
+to clientAuth. Neither the root nor the intermediate have an EKU.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/target-eku-clientauth/generate-chains.py

@@ -3,16 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate and a trusted root. The target
-certificate has only clientAuth EKU, so is expected to fail when verifying for
-serverAuth."""
+"""Certificate chain where the target certificate sets the extended key usage
+to clientAuth. Neither the root nor the intermediate have an EKU."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate certificate.

net/data/verify_certificate_chain_unittest/target-eku-none/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate and a trusted root. The target has no
-Extended Key Usage extension (meaning it is unrestricted). Verification is
-expected to succeed.
+Certificate chain where the leaf certificate lacks an extended key usage
+extension.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/target-eku-none/generate-chains.py

@@ -3,16 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate and a trusted root. The target has no
-Extended Key Usage extension (meaning it is unrestricted). Verification is
-expected to succeed."""
+"""Certificate chain where the leaf certificate lacks an extended key usage
+extension."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate certificate.

net/data/verify_certificate_chain_unittest/target-has-keycertsign-but-not-ca/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate, a trusted root, and a target
-certificate that is not a CA, and yet has the keyCertSign bit set. Verification
-is expected to fail, since keyCertSign should only be asserted when CA is
-true.
+Certificate chain where the leaf certificate asserts the keyCertSign key
+usage, however does not have CA=true in the basic constraints extension to
+indicate it is a CA.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/target-has-keycertsign-but-not-ca/generate-chains.py

@@ -3,17 +3,16 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate, a trusted root, and a target
-certificate that is not a CA, and yet has the keyCertSign bit set. Verification
-is expected to fail, since keyCertSign should only be asserted when CA is
-true."""
+"""Certificate chain where the leaf certificate asserts the keyCertSign key
+usage, however does not have CA=true in the basic constraints extension to
+indicate it is a CA."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate certificate.

net/data/verify_certificate_chain_unittest/target-has-pathlen-but-not-ca/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate, a trusted root, and a target
-certificate that is not a CA, and yet has a pathlen set. Verification is
-expected to fail, since pathlen should only be set for CAs.
+Certificate chain where the leaf has a basic constraints extension with
+CA=false, however specifies the optional pathlen.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/target-has-pathlen-but-not-ca/generate-chains.py

@@ -3,16 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate, a trusted root, and a target
-certificate that is not a CA, and yet has a pathlen set. Verification is
-expected to fail, since pathlen should only be set for CAs."""
+"""Certificate chain where the leaf has a basic constraints extension with
+CA=false, however specifies the optional pathlen."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate certificate.

net/data/verify_certificate_chain_unittest/target-not-end-entity/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate, a trusted root, and a target
-certificate that is also a CA. Verification is expected to succeed, as the test
-code accepts any target certificate.
+Certificate chain where the target certificate is a CA rather than an
+end-entity certificate (based on the basic constraints extension).
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/target-not-end-entity/generate-chains.py

@@ -3,16 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate, a trusted root, and a target
-certificate that is also a CA. Verification is expected to succeed, as the test
-code accepts any target certificate."""
+"""Certificate chain where the target certificate is a CA rather than an
+end-entity certificate (based on the basic constraints extension)."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate certificate.

net/data/verify_certificate_chain_unittest/target-serverauth-various-keyusages/ec-decipherOnly.pem

 [Created by: generate-chains.py]
 
-Certificate chain where the target uses a EC key and has the single key usage decipherOnly
+Certificate chain where the target certificate uses a EC key and has the single key usage decipherOnly
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/target-serverauth-various-keyusages/ec-digitalSignature.pem

 [Created by: generate-chains.py]
 
-Certificate chain where the target uses a EC key and has the single key usage digitalSignature
+Certificate chain where the target certificate uses a EC key and has the single key usage digitalSignature
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/target-serverauth-various-keyusages/ec-keyAgreement.pem

 [Created by: generate-chains.py]
 
-Certificate chain where the target uses a EC key and has the single key usage keyAgreement
+Certificate chain where the target certificate uses a EC key and has the single key usage keyAgreement
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/target-serverauth-various-keyusages/ec-keyEncipherment.pem

 [Created by: generate-chains.py]
 
-Certificate chain where the target uses a EC key and has the single key usage keyEncipherment
+Certificate chain where the target certificate uses a EC key and has the single key usage keyEncipherment
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/target-serverauth-various-keyusages/generate-chains.py

@@ -47,6 +47,7 @@ for key_type in sorted(KEYS.keys()):
 
     # Write the chain.
     chain = [target, intermediate, root]
-    description = ('Certificate chain where the target uses a %s key and has '
-                   'the single key usage %s') % (key_type.upper(), key_usage)
+    description = ('Certificate chain where the target certificate uses a %s '
+                   'key and has the single key usage %s') % (key_type.upper(),
+                                                             key_usage)
     common.write_chain(description, chain, '%s-%s.pem' % (key_type, key_usage))

net/data/verify_certificate_chain_unittest/target-serverauth-various-keyusages/rsa-decipherOnly.pem

 [Created by: generate-chains.py]
 
-Certificate chain where the target uses a RSA key and has the single key usage decipherOnly
+Certificate chain where the target certificate uses a RSA key and has the single key usage decipherOnly
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/target-serverauth-various-keyusages/rsa-digitalSignature.pem

 [Created by: generate-chains.py]
 
-Certificate chain where the target uses a RSA key and has the single key usage digitalSignature
+Certificate chain where the target certificate uses a RSA key and has the single key usage digitalSignature
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/target-serverauth-various-keyusages/rsa-keyAgreement.pem

 [Created by: generate-chains.py]
 
-Certificate chain where the target uses a RSA key and has the single key usage keyAgreement
+Certificate chain where the target certificate uses a RSA key and has the single key usage keyAgreement
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/target-serverauth-various-keyusages/rsa-keyEncipherment.pem

 [Created by: generate-chains.py]
 
-Certificate chain where the target uses a RSA key and has the single key usage keyEncipherment
+Certificate chain where the target certificate uses a RSA key and has the single key usage keyEncipherment
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/target-signed-by-512bit-rsa/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate and a trusted root. The target
-certificate is signed using a weak RSA key (512-bit modulus), and so
-verification is expected to fail.
+Certificate chain where the target certificate is signed using a weak RSA
+key (512-bit modulus).
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/target-signed-by-512bit-rsa/generate-chains.py

@@ -3,16 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate and a trusted root. The target
-certificate is signed using a weak RSA key (512-bit modulus), and so
-verification is expected to fail."""
+"""Certificate chain where the target certificate is signed using a weak RSA
+key (512-bit modulus)."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate with a very weak key size (512-bit RSA).

net/data/verify_certificate_chain_unittest/target-signed-using-ecdsa/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with a trusted root using RSA, and intermediate using EC,
-and a target certificate using RSA. Verification is expected to succeed.
+Certificate chain where the root certificate holds an RSA key, intermediate
+certificate holds an EC key, and target certificate holds an RSA key. The
+target certificate has a valid signature using ECDSA.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/target-signed-using-ecdsa/generate-chains.py

@@ -3,15 +3,16 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with a trusted root using RSA, and intermediate using EC,
-and a target certificate using RSA. Verification is expected to succeed."""
+"""Certificate chain where the root certificate holds an RSA key, intermediate
+certificate holds an EC key, and target certificate holds an RSA key. The
+target certificate has a valid signature using ECDSA."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor). using RSA.
+# Self-signed root certificate using an RSA key.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate using an EC key for the P-384 curve.

net/data/verify_certificate_chain_unittest/target-signed-with-md5/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with an intermediate that uses MD5 to sign the target
-certificate. This is expected to fail because MD5 is too weak.
+Certificate chain where the intermediate used MD5 to sign the target
+certificate.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/target-signed-with-md5/generate-chains.py

@@ -3,15 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with an intermediate that uses MD5 to sign the target
-certificate. This is expected to fail because MD5 is too weak."""
+"""Certificate chain where the intermediate used MD5 to sign the target
+certificate."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate.

net/data/verify_certificate_chain_unittest/target-unknown-critical-extension/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 1 intermediate and a trusted root. The target
-certificate has an unknown X.509v3 extension (OID=1.2.3.4) that is marked as
-critical. Verifying this certificate chain is expected to fail because there is
-an unrecognized critical extension.
+Certificate chain where the target certificate contains an unknown X.509v3
+extension (OID=1.2.3.4) that is marked as critical.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/target-unknown-critical-extension/generate-chains.py

@@ -3,17 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 1 intermediate and a trusted root. The target
-certificate has an unknown X.509v3 extension (OID=1.2.3.4) that is marked as
-critical. Verifying this certificate chain is expected to fail because there is
-an unrecognized critical extension."""
+"""Certificate chain where the target certificate contains an unknown X.509v3
+extension (OID=1.2.3.4) that is marked as critical."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate certificate.

net/data/verify_certificate_chain_unittest/target-wrong-signature/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain where the target has an incorrect signature. Everything
-else should check out, however the digital signature contained in the target
-certificate is wrong.
+Certificate chain where the target certificate has an incorrect signature.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/target-wrong-signature/generate-chains.py

@@ -3,16 +3,14 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain where the target has an incorrect signature. Everything
-else should check out, however the digital signature contained in the target
-certificate is wrong."""
+"""Certificate chain where the target certificate has an incorrect signature."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate certificate to include in the certificate chain.

net/data/verify_certificate_chain_unittest/unknown-critical-policy-qualifier/chain.pem

 [Created by: generate-chains.py]
 
-The intermediate has a policies extension marked as critical, which contains
-an unknown qualifer (1.2.3.4).
+Certificate chain where the intermediate has a policies extension marked as
+critical, and contains an unknown policy qualifer (1.2.3.4).
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/unknown-critical-policy-qualifier/generate-chains.py

@@ -3,15 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""The intermediate has a policies extension marked as critical, which contains
-an unknown qualifer (1.2.3.4)."""
+"""Certificate chain where the intermediate has a policies extension marked as
+critical, and contains an unknown policy qualifer (1.2.3.4)."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate that has a critical policies extension containing an unknown

net/data/verify_certificate_chain_unittest/unknown-non-critical-policy-qualifier/chain.pem

 [Created by: generate-chains.py]
 
-The intermediate has a policies extension (not marked as critical),
-which contains an unknown qualifer (1.2.3.4).
+Certificate chain where the intermediate has a policies extension (not
+marked as critical) which contains an unknown policy qualifer (1.2.3.4).
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/unknown-non-critical-policy-qualifier/generate-chains.py

@@ -3,15 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""The intermediate has a policies extension (not marked as critical),
-which contains an unknown qualifer (1.2.3.4)."""
+"""Certificate chain where the intermediate has a policies extension (not
+marked as critical) which contains an unknown policy qualifer (1.2.3.4)."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate that has a non-critical policies extension containing an unknown

net/data/verify_certificate_chain_unittest/violates-basic-constraints-pathlen-0/chain.pem

 [Created by: generate-chains.py]
 
-Certificate chain with 2 intermediates. The first intermediate has a basic
-constraints path length of 0, so it is a violation for it to have a subordinate
-intermediate.
+Certificate chain where the intermediate sets pathlen=0, however
+violates this by issuing another (non-self-issued) intermediate.
 
 Certificate:
     Data:

net/data/verify_certificate_chain_unittest/violates-basic-constraints-pathlen-0/generate-chains.py

@@ -3,16 +3,15 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Certificate chain with 2 intermediates. The first intermediate has a basic
-constraints path length of 0, so it is a violation for it to have a subordinate
-intermediate."""
+"""Certificate chain where the intermediate sets pathlen=0, however
+violates this by issuing another (non-self-issued) intermediate."""
 
 import sys
 sys.path += ['..']
 
 import common
 
-# Self-signed root certificate (used as trust anchor).
+# Self-signed root certificate.
 root = common.create_self_signed_root_certificate('Root')
 
 # Intermediate with pathlen 0