7 files changed, 35 insertions, 125 deletions
diff --git a/handler_test.go b/handler_test.go
index cb11a07..4bfb87d 100644
--- a/handler_test.go
+++ b/handler_test.go
@@ -20,8 +20,8 @@ import (
 	"github.com/google/certificate-transparency-go/trillian/mockclient"
 	cttestdata "github.com/google/certificate-transparency-go/trillian/testdata"
 	"github.com/google/trillian"
-	"github.com/system-transparency/stfe/testdata"
 	"github.com/system-transparency/stfe/x509util"
+	"github.com/system-transparency/stfe/x509util/testdata"
 )
 
 type testHandler struct {
@@ -148,6 +148,7 @@ func TestGetAnchors(t *testing.T) {
 }
 
 func TestGetEntries(t *testing.T) {
+	chainLen := 3
 	for _, table := range []struct {
 		description string
 		breq        *GetEntriesRequest
@@ -181,7 +182,7 @@ func TestGetEntries(t *testing.T) {
 				Start: 0,
 				End:   1,
 			},
-			trsp:        makeTrillianGetLeavesByRangeResponse(t, 0, 1, []byte("foobar-1.2.3"), testdata.FirstPemChain, testdata.FirstPemChainKey, false),
+			trsp:        makeTrillianGetLeavesByRangeResponse(t, 0, 1, []byte("foobar-1.2.3"), testdata.RootChain, testdata.EndEntityPrivateKey, false),
 			wantCode:    http.StatusInternalServerError,
 			wantErrText: http.StatusText(http.StatusInternalServerError) + "\n",
 		},
@@ -191,7 +192,7 @@ func TestGetEntries(t *testing.T) {
 				Start: 0,
 				End:   1,
 			},
-			trsp:     makeTrillianGetLeavesByRangeResponse(t, 0, 1, []byte("foobar-1.2.3"), testdata.FirstPemChain, testdata.FirstPemChainKey, true),
+			trsp:     makeTrillianGetLeavesByRangeResponse(t, 0, 1, []byte("foobar-1.2.3"), testdata.RootChain, testdata.EndEntityPrivateKey, true),
 			wantCode: http.StatusOK,
 		},
 	} {
@@ -251,8 +252,7 @@ func TestGetEntries(t *testing.T) {
 				chain, err := x509util.ParseDerList(rsp.Chain)
 				if err != nil {
 					t.Errorf("failed parsing certificate chain: %v", err)
-				} else if got, want := len(chain), 2; got != want {
-					// TODO: test data with trust anchor in chain
+				} else if got, want := len(chain), chainLen; got != want {
 					t.Errorf("got chain length %d, want %d", got, want)
 				} else {
 					if err := x509util.VerifyChain(chain); err != nil {
@@ -282,29 +282,29 @@ func TestAddEntry(t *testing.T) {
 	}{
 		{
 			description: "empty trillian response",
-			breq:        makeTestLeafBuffer(t, []byte("foobar-1.2.3"), testdata.FirstPemChain, testdata.FirstPemChainKey, true),
+			breq:        makeTestLeafBuffer(t, []byte("foobar-1.2.3"), testdata.IntermediateChain, testdata.EndEntityPrivateKey, true),
 			terr:        fmt.Errorf("back-end failure"),
 			wantCode:    http.StatusInternalServerError,
 			wantErrText: http.StatusText(http.StatusInternalServerError) + "\n",
 		},
 		{
 			description: "bad request parameters",
-			breq:        makeTestLeafBuffer(t, []byte("foobar-1.2.3"), testdata.FirstPemChain, testdata.FirstPemChainKey, false),
+			breq:        makeTestLeafBuffer(t, []byte("foobar-1.2.3"), testdata.IntermediateChain, testdata.EndEntityPrivateKey, false),
 			wantCode:    http.StatusBadRequest,
 			wantErrText: http.StatusText(http.StatusBadRequest) + "\n",
 		},
 		{
 			description: "log signature failure",
-			breq:        makeTestLeafBuffer(t, []byte("foobar-1.2.3"), testdata.FirstPemChain, testdata.FirstPemChainKey, true),
-			trsp:        makeTrillianQueueLeafResponse(t, []byte("foobar-1.2.3"), testdata.FirstPemChain, testdata.FirstPemChainKey, false),
+			breq:        makeTestLeafBuffer(t, []byte("foobar-1.2.3"), testdata.IntermediateChain, testdata.EndEntityPrivateKey, true),
+			trsp:        makeTrillianQueueLeafResponse(t, []byte("foobar-1.2.3"), testdata.IntermediateChain, testdata.EndEntityPrivateKey, false),
 			wantCode:    http.StatusInternalServerError,
 			wantErrText: http.StatusText(http.StatusInternalServerError) + "\n",
 			signer:      cttestdata.NewSignerWithErr(nil, fmt.Errorf("signing failed")),
 		},
 		{
 			description: "valid add-entry request-response",
-			breq:        makeTestLeafBuffer(t, []byte("foobar-1.2.3"), testdata.FirstPemChain, testdata.FirstPemChainKey, true),
-			trsp:        makeTrillianQueueLeafResponse(t, []byte("foobar-1.2.3"), testdata.FirstPemChain, testdata.FirstPemChainKey, false),
+			breq:        makeTestLeafBuffer(t, []byte("foobar-1.2.3"), testdata.IntermediateChain, testdata.EndEntityPrivateKey, true),
+			trsp:        makeTrillianQueueLeafResponse(t, []byte("foobar-1.2.3"), testdata.IntermediateChain, testdata.EndEntityPrivateKey, false),
 			wantCode:    http.StatusOK,
 			signer:      cttestdata.NewSignerWithFixedSig(nil, make([]byte, 32)),
 		},
diff --git a/instance_test.go b/instance_test.go
index f4a8fea..582b232 100644
--- a/instance_test.go
+++ b/instance_test.go
@@ -6,8 +6,8 @@ import (
 	"crypto"
 	"crypto/x509"
 
-	"github.com/system-transparency/stfe/testdata"
 	"github.com/system-transparency/stfe/x509util"
+	"github.com/system-transparency/stfe/x509util/testdata"
 )
 
 var (
@@ -21,13 +21,10 @@ var (
 )
 
 func makeTestLogParameters(t *testing.T, signer crypto.Signer) *LogParameters {
-	anchorList, err := x509util.NewCertificateList(testdata.PemAnchors)
+	anchorList, err := x509util.NewCertificateList(testdata.TrustAnchors)
 	if err != nil {
 		t.Fatalf("must decode trust anchors: %v", err)
 	}
-	if got, want := len(anchorList), testdata.NumPemAnchors; got != want {
-		t.Fatalf("must have %d trust anchor(s), got %d", want, got)
-	}
 	return &LogParameters{
 		LogId:      testLogId,
 		TreeId:     testTreeId,
diff --git a/reqres_test.go b/reqres_test.go
index 53f6f07..1a6304b 100644
--- a/reqres_test.go
+++ b/reqres_test.go
@@ -10,7 +10,7 @@ import (
 	"net/http"
 
 	"github.com/google/trillian"
-	"github.com/system-transparency/stfe/testdata"
+	"github.com/system-transparency/stfe/x509util/testdata"
 )
 
 // TODO: TestNewAddEntryRequest
@@ -229,7 +229,7 @@ func TestNewGetEntryResponse(t *testing.T) {
 	lp := makeTestLogParameters(t, nil)
 
 	var appendix Appendix
-	leaf, app := makeTestLeaf(t, testPackage, testdata.FirstPemChain, testdata.FirstPemChainKey)
+	leaf, app := makeTestLeaf(t, testPackage, testdata.RootChain, testdata.EndEntityPrivateKey)
 	if err := appendix.Unmarshal(app); err != nil {
 		t.Fatalf("must unmarshal appendix: %v", err)
 	}
@@ -266,7 +266,7 @@ func TestNewGetEntriesResponse(t *testing.T) {
 	lp := makeTestLogParameters(t, nil)
 
 	// Invalid
-	leaf := makeTrillianQueueLeafResponse(t, testPackage, testdata.FirstPemChain, testdata.FirstPemChainKey, false).QueuedLeaf.Leaf
+	leaf := makeTrillianQueueLeafResponse(t, testPackage, testdata.RootChain, testdata.EndEntityPrivateKey, false).QueuedLeaf.Leaf
 	leaf.ExtraData = leaf.ExtraData[1:]
 	if _, err := lp.newGetEntriesResponse([]*trillian.LogLeaf{leaf}); err == nil {
 		t.Errorf("got no error for invalid appendix")
@@ -276,7 +276,7 @@ func TestNewGetEntriesResponse(t *testing.T) {
 	for n, numEntries := 0, 5; n < numEntries; n++ {
 		leaves := make([]*trillian.LogLeaf, 0, n)
 		for i := 0; i < n; i++ {
-			leaves = append(leaves, makeTrillianQueueLeafResponse(t, []byte(fmt.Sprintf("%s-%d", testPackage, i)), testdata.FirstPemChain, testdata.FirstPemChainKey, false).QueuedLeaf.Leaf)
+			leaves = append(leaves, makeTrillianQueueLeafResponse(t, []byte(fmt.Sprintf("%s-%d", testPackage, i)), testdata.RootChain, testdata.EndEntityPrivateKey, false).QueuedLeaf.Leaf)
 		}
 		if rsp, err := lp.newGetEntriesResponse(leaves); err != nil {
 			t.Errorf("got error for %d valid leaves: %v", n, err)
@@ -289,7 +289,7 @@ func TestNewGetEntriesResponse(t *testing.T) {
 
 func TestNewGetAnchorsResponse(t *testing.T) {
 	rawAnchors := makeTestLogParameters(t, nil).newGetAnchorsResponse()
-	if got, want := len(rawAnchors), testdata.NumPemAnchors; got != want {
+	if got, want := len(rawAnchors), testdata.NumTrustAnchors; got != want {
 		t.Errorf("got %d anchors but wanted %d", got, want)
 	}
 	for _, rawAnchor := range rawAnchors {
diff --git a/testdata/data.go b/testdata/data.go
deleted file mode 100644
index 1145505..0000000
--- a/testdata/data.go
+++ /dev/null
@@ -1,89 +0,0 @@
-package testdata
-
-var (
-	// NumPemAnchors is the number of trust anchors in PemAnchors
-	NumPemAnchors = 2
-	// PemAnchors is a list of trusted root certificates
-	PemAnchors = []byte(`-----BEGIN CERTIFICATE-----
-MIIB/TCCAa+gAwIBAgIUDYJzaC5VSkKwiLVAxO5MyphAkN8wBQYDK2VwMGwxCzAJ
-BgNVBAYTAk5BMQswCQYDVQQIDAJOQTELMAkGA1UEBwwCTkExCzAJBgNVBAoMAk5B
-MQswCQYDVQQLDAJOQTEWMBQGA1UEAwwNc3RmZSB0ZXN0ZGF0YTERMA8GCSqGSIb3
-DQEJARYCTkEwHhcNMjAxMTAzMTgzMTMxWhcNMzIwMTIxMTgzMTMxWjBsMQswCQYD
-VQQGEwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTEL
-MAkGA1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0B
-CQEWAk5BMCowBQYDK2VwAyEAJ1IiXCB4YHwdWka9MM0bc7LvKAtksmtIo8IhkuEB
-uzGjYzBhMB0GA1UdDgQWBBQBvsxROtKU6zmr/SxcfTMDsAQcMTAfBgNVHSMEGDAW
-gBQBvsxROtKU6zmr/SxcfTMDsAQcMTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
-/wQEAwIChDAFBgMrZXADQQCXh6kDnE5giTjcLET2S94qTwnHVAj57DJcR/rf9Jy8
-NMGbtzTL0/V0B8DHuJFA/islbZJbN7rSvqddEKL8N2gI
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB/TCCAa+gAwIBAgIUCFGFq5zAkH03LQ2fpAamPhGd8FgwBQYDK2VwMGwxCzAJ
-BgNVBAYTAk5BMQswCQYDVQQIDAJOQTELMAkGA1UEBwwCTkExCzAJBgNVBAoMAk5B
-MQswCQYDVQQLDAJOQTEWMBQGA1UEAwwNc3RmZSB0ZXN0ZGF0YTERMA8GCSqGSIb3
-DQEJARYCTkEwHhcNMjAxMTE3MTgxNTQyWhcNMzIwMjA0MTgxNTQyWjBsMQswCQYD
-VQQGEwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTEL
-MAkGA1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0B
-CQEWAk5BMCowBQYDK2VwAyEAFOG1Lof1UiV2mYsM17EopyVCR87qRrNW9YHP0biu
-pOyjYzBhMB0GA1UdDgQWBBQeeImH1qUrWk+pq3YOkwI8bWdEuTAfBgNVHSMEGDAW
-gBQeeImH1qUrWk+pq3YOkwI8bWdEuTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
-/wQEAwIChDAFBgMrZXADQQDP4IQePN5Krr7jn+RM8AbF+c4fXgamA1XDHVIfXy/n
-MexxZMsuSCSDq5XM5GMImffmBXA1dNJ6ytfJi668C+kF
------END CERTIFICATE-----`)
-	// FirstPemChain is composed of an end-entity and intermediate certificate
-	FirstPemChain = []byte(`-----BEGIN CERTIFICATE-----
-MIIBbDCCAR4CFDfeuu6XURfn7AE4WShuwZBHEaLIMAUGAytlcDBsMQswCQYDVQQG
-EwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkG
-A1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEW
-Ak5BMB4XDTIwMTEwMzE4MzI0MFoXDTMyMDEyMTE4MzI0MFowRTELMAkGA1UEBhMC
-QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp
-dHMgUHR5IEx0ZDAqMAUGAytlcAMhAJvk390ZvwULplBri03Od4LLz+Sf/OUHu+20
-wik+T9y5MAUGAytlcANBANekliXq4ttoClBJDZoktIQxyHHNcWyXFrj1HlOaT5bC
-I3GIqqZ60Ua3jKytnEsKsD2rLMPItDwmG6wYSecy2ws=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB7jCCAaCgAwIBAgICEAAwBQYDK2VwMGwxCzAJBgNVBAYTAk5BMQswCQYDVQQI
-DAJOQTELMAkGA1UEBwwCTkExCzAJBgNVBAoMAk5BMQswCQYDVQQLDAJOQTEWMBQG
-A1UEAwwNc3RmZSB0ZXN0ZGF0YTERMA8GCSqGSIb3DQEJARYCTkEwHhcNMjAxMTAz
-MTgzMjE4WhcNMzIwMTIxMTgzMjE4WjBsMQswCQYDVQQGEwJOQTELMAkGA1UECAwC
-TkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkGA1UECwwCTkExFjAUBgNV
-BAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEWAk5BMCowBQYDK2VwAyEA
-F1yPPpjHKDAKN73pBFGXzAvIjdkLLimydu2y1HLMOiKjZjBkMB0GA1UdDgQWBBQ6
-P7JQ7yXtrTh7YkVU0I78P9A+nDAfBgNVHSMEGDAWgBQBvsxROtKU6zmr/SxcfTMD
-sAQcMTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIChDAFBgMrZXAD
-QQBm1GMV0ADPnXRWnelCW9tcyTh0p9hKefuSy/MNx7/XLHKnM5fX+yHqD84QOxES
-Vc510vi4dM8I+e/vcoBsmMQP
------END CERTIFICATE-----`)
-	// FirstPemChainKey is the end-entity private key for FirstPemChain[0]
-	FirstPemChainKey = []byte(`-----BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEIDme3WaCwW2/FX095yh02yIIsn0D3vbvN5NsJzcdUwq1
------END PRIVATE KEY-----`)
-	// SecondPemChain is composed of an end-entity and intermediate certificate
-	SecondPemChain = []byte(`-----BEGIN CERTIFICATE-----
-MIIBbDCCAR4CFCv557zJa/p94Hu3n+k7iYR/75xJMAUGAytlcDBsMQswCQYDVQQG
-EwJOQTELMAkGA1UECAwCTkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkG
-A1UECwwCTkExFjAUBgNVBAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEW
-Ak5BMB4XDTIwMTExNzE4MTc1MFoXDTMyMDIwNDE4MTc1MFowRTELMAkGA1UEBhMC
-QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp
-dHMgUHR5IEx0ZDAqMAUGAytlcAMhAKwG0O/Ql+L6O8aq8BZ+KOdJmVLdcnOmMENR
-H7O84kVFMAUGAytlcANBAI9Lq6SWu2Ua+lFcZSuFvOwoTgzLJVFYFVobLaobXZSL
-TKYluMIXPewoG+aywySEmsWletUcUVA5pHFAiz2rrwo=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB7jCCAaCgAwIBAgICEAAwBQYDK2VwMGwxCzAJBgNVBAYTAk5BMQswCQYDVQQI
-DAJOQTELMAkGA1UEBwwCTkExCzAJBgNVBAoMAk5BMQswCQYDVQQLDAJOQTEWMBQG
-A1UEAwwNc3RmZSB0ZXN0ZGF0YTERMA8GCSqGSIb3DQEJARYCTkEwHhcNMjAxMTE3
-MTgxNjQ4WhcNMzIwMjA0MTgxNjQ4WjBsMQswCQYDVQQGEwJOQTELMAkGA1UECAwC
-TkExCzAJBgNVBAcMAk5BMQswCQYDVQQKDAJOQTELMAkGA1UECwwCTkExFjAUBgNV
-BAMMDXN0ZmUgdGVzdGRhdGExETAPBgkqhkiG9w0BCQEWAk5BMCowBQYDK2VwAyEA
-DD23ESkuIKaCkU6xCncIwvD12w4ETBgAiHAubr/wDwujZjBkMB0GA1UdDgQWBBSy
-uua2yvX+VM9JBc19GQisnLnH5zAfBgNVHSMEGDAWgBQBvsxROtKU6zmr/SxcfTMD
-sAQcMTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIChDAFBgMrZXAD
-QQCKFy3FEGogW8/G8NS/AmJHfZQGlZxDPbCjPclB0HmWTOaLTq+jgpCvZz1VQapc
-us/Fs+5Pvt4UGYiAuTYJu7YK
------END CERTIFICATE-----`)
-	// SecondPemChainKey is the end-entity private key for SecondPemChain[0]
-	SecondPemChainKey = []byte(`-----BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEIH65lXoCT4N9q4mPmDcsmAqIqG9CrqrB4KV2nqBC9JlZ
------END PRIVATE KEY-----`)
-)
diff --git a/trillian_test.go b/trillian_test.go
index ab053a5..749f22a 100644
--- a/trillian_test.go
+++ b/trillian_test.go
@@ -6,7 +6,7 @@ import (
 
 	"github.com/google/trillian"
 	"github.com/google/trillian/types"
-	"github.com/system-transparency/stfe/testdata"
+	"github.com/system-transparency/stfe/x509util/testdata"
 
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
@@ -35,11 +35,11 @@ func TestCheckQueueLeaf(t *testing.T) {
 		},
 		{
 			description: "ok response: duplicate leaf",
-			rsp:         makeTrillianQueueLeafResponse(t, testPackage, testdata.FirstPemChain, testdata.FirstPemChainKey, true),
+			rsp:         makeTrillianQueueLeafResponse(t, testPackage, testdata.RootChain, testdata.EndEntityPrivateKey, true),
 		},
 		{
 			description: "ok response: new leaf",
-			rsp:         makeTrillianQueueLeafResponse(t, testPackage, testdata.FirstPemChain, testdata.FirstPemChainKey, false),
+			rsp:         makeTrillianQueueLeafResponse(t, testPackage, testdata.RootChain, testdata.EndEntityPrivateKey, false),
 		},
 	} {
 		if err := checkQueueLeaf(table.rsp, table.err); (err != nil) != table.wantErr {
@@ -70,7 +70,7 @@ func TestCheckGetLeavesByRange(t *testing.T) {
 			rsp: func(rsp *trillian.GetLeavesByRangeResponse) *trillian.GetLeavesByRangeResponse {
 				rsp.Leaves = nil
 				return rsp
-			}(makeTrillianGetLeavesByRangeResponse(t, 0, 1, testPackage, testdata.FirstPemChain, testdata.FirstPemChainKey, true)),
+			}(makeTrillianGetLeavesByRangeResponse(t, 0, 1, testPackage, testdata.RootChain, testdata.EndEntityPrivateKey, true)),
 			wantErr: true,
 		},
 		{
@@ -78,7 +78,7 @@ func TestCheckGetLeavesByRange(t *testing.T) {
 			rsp: func(rsp *trillian.GetLeavesByRangeResponse) *trillian.GetLeavesByRangeResponse {
 				rsp.SignedLogRoot = nil
 				return rsp
-			}(makeTrillianGetLeavesByRangeResponse(t, 0, 1, testPackage, testdata.FirstPemChain, testdata.FirstPemChainKey, true)),
+			}(makeTrillianGetLeavesByRangeResponse(t, 0, 1, testPackage, testdata.RootChain, testdata.EndEntityPrivateKey, true)),
 			wantErr: true,
 		},
 		{
@@ -86,7 +86,7 @@ func TestCheckGetLeavesByRange(t *testing.T) {
 			rsp: func(rsp *trillian.GetLeavesByRangeResponse) *trillian.GetLeavesByRangeResponse {
 				rsp.SignedLogRoot.LogRoot = nil
 				return rsp
-			}(makeTrillianGetLeavesByRangeResponse(t, 0, 1, testPackage, testdata.FirstPemChain, testdata.FirstPemChainKey, true)),
+			}(makeTrillianGetLeavesByRangeResponse(t, 0, 1, testPackage, testdata.RootChain, testdata.EndEntityPrivateKey, true)),
 			wantErr: true,
 		},
 		{
@@ -95,13 +95,13 @@ func TestCheckGetLeavesByRange(t *testing.T) {
 			rsp: func(rsp *trillian.GetLeavesByRangeResponse) *trillian.GetLeavesByRangeResponse {
 				rsp.SignedLogRoot.LogRoot = rsp.SignedLogRoot.LogRoot[1:]
 				return rsp
-			}(makeTrillianGetLeavesByRangeResponse(t, 0, 1, testPackage, testdata.FirstPemChain, testdata.FirstPemChainKey, true)),
+			}(makeTrillianGetLeavesByRangeResponse(t, 0, 1, testPackage, testdata.RootChain, testdata.EndEntityPrivateKey, true)),
 			wantErr: true,
 		},
 		{
 			description: "bad response: too many leaves",
 			req:         &GetEntriesRequest{Start: 0, End: 1},
-			rsp:         makeTrillianGetLeavesByRangeResponse(t, 0, 2, testPackage, testdata.FirstPemChain, testdata.FirstPemChainKey, true),
+			rsp:         makeTrillianGetLeavesByRangeResponse(t, 0, 2, testPackage, testdata.RootChain, testdata.EndEntityPrivateKey, true),
 			wantErr:     true,
 		},
 		{
@@ -110,13 +110,13 @@ func TestCheckGetLeavesByRange(t *testing.T) {
 			rsp: func(rsp *trillian.GetLeavesByRangeResponse) *trillian.GetLeavesByRangeResponse {
 				rsp.SignedLogRoot = makeLatestSignedLogRootResponse(t, 0, testTreeSize, testNodeHash).SignedLogRoot
 				return rsp
-			}(makeTrillianGetLeavesByRangeResponse(t, int64(testTreeSize)-1, int64(testTreeSize)-1, testPackage, testdata.FirstPemChain, testdata.FirstPemChainKey, true)),
+			}(makeTrillianGetLeavesByRangeResponse(t, int64(testTreeSize)-1, int64(testTreeSize)-1, testPackage, testdata.RootChain, testdata.EndEntityPrivateKey, true)),
 			wantErr: true,
 		},
 		{
 			description: "bad response: invalid leaf indices",
 			req:         &GetEntriesRequest{Start: 10, End: 11},
-			rsp:         makeTrillianGetLeavesByRangeResponse(t, 11, 12, testPackage, testdata.FirstPemChain, testdata.FirstPemChainKey, true),
+			rsp:         makeTrillianGetLeavesByRangeResponse(t, 11, 12, testPackage, testdata.RootChain, testdata.EndEntityPrivateKey, true),
 			wantErr:     true,
 		},
 		{
@@ -125,12 +125,12 @@ func TestCheckGetLeavesByRange(t *testing.T) {
 			rsp: func(rsp *trillian.GetLeavesByRangeResponse) *trillian.GetLeavesByRangeResponse {
 				rsp.SignedLogRoot = makeLatestSignedLogRootResponse(t, 0, testTreeSize, testNodeHash).SignedLogRoot
 				return rsp
-			}(makeTrillianGetLeavesByRangeResponse(t, int64(testTreeSize)-1, int64(testTreeSize)-1, testPackage, testdata.FirstPemChain, testdata.FirstPemChainKey, true)),
+			}(makeTrillianGetLeavesByRangeResponse(t, int64(testTreeSize)-1, int64(testTreeSize)-1, testPackage, testdata.RootChain, testdata.EndEntityPrivateKey, true)),
 		},
 		{
 			description: "ok response: a bunch of leaves",
 			req:         &GetEntriesRequest{Start: 10, End: 20},
-			rsp:         makeTrillianGetLeavesByRangeResponse(t, 10, 20, testPackage, testdata.FirstPemChain, testdata.FirstPemChainKey, true),
+			rsp:         makeTrillianGetLeavesByRangeResponse(t, 10, 20, testPackage, testdata.RootChain, testdata.EndEntityPrivateKey, true),
 		},
 	} {
 		if _, err := checkGetLeavesByRange(table.req, table.rsp, table.err); (err != nil) != table.wantErr {
diff --git a/type_test.go b/type_test.go
index ea3ab36..e8dce00 100644
--- a/type_test.go
+++ b/type_test.go
@@ -5,8 +5,8 @@ import (
 
 	"crypto/tls"
 
-	"github.com/system-transparency/stfe/testdata"
 	"github.com/system-transparency/stfe/x509util"
+	"github.com/system-transparency/stfe/x509util/testdata"
 )
 
 var (
@@ -275,7 +275,7 @@ func TestEncDecStItem(t *testing.T) {
 //
 // Note: max limits for certificate chains are not tested.
 func TestEncDecAppendix(t *testing.T) {
-	chain, err := x509util.NewCertificateList(testdata.FirstPemChain)
+	chain, err := x509util.NewCertificateList(testdata.RootChain)
 	if err != nil {
 		t.Fatalf("must decode certificate chain: %v", err)
 	}
@@ -398,7 +398,7 @@ func TestStItemUnmarshalFailure(t *testing.T) {
 
 // TestAppendixUnmarshal tests that invalid appendices cannot be unmarshaled
 func TestAppendixUnmarshalFailure(t *testing.T) {
-	chain, err := x509util.NewCertificateList(testdata.FirstPemChain)
+	chain, err := x509util.NewCertificateList(testdata.RootChain)
 	if err != nil {
 		t.Fatalf("must decode certificate chain: %v", err)
 	}
diff --git a/x509util/testdata/data.go b/x509util/testdata/data.go
index 46f4ab5..832a3aa 100644
--- a/x509util/testdata/data.go
+++ b/x509util/testdata/data.go
@@ -161,6 +161,8 @@ MC4CAQAwBQYDK2VwBCIEIKQd3B84w9pB6zJLGljuDyGKfz9uPP6QBeLiFcw0EME4
 		RootCertificate,
 		RootCertificate2,
 	}, []byte("\n"))
+	// NumTrustAnchors is the number of test trust anchors
+	NumTrustAnchors = 2
 
 	// ExpiredCertificate is a PEM-encoded certificate that is always expired,
 	// i.e., `Not Before`=`Not After`.  It is signed by IntermediateCertificate.