mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-23 12:51:06 +00:00
bug 1042889 - test certificate overrides for untrusted x509v1 certificates used as CAs r=mmc
This commit is contained in:
David Keeler
parent
36e798be2b
commit
8c488b9625
2
config/external/nss/nss.def
vendored
2
config/external/nss/nss.def
vendored
@ -87,6 +87,7 @@ CERT_FilterCertListByUsage
|
||||
CERT_FilterCertListForUserCerts
|
||||
CERT_FindCertByDERCert
|
||||
CERT_FindCertByIssuerAndSN
|
||||
CERT_FindCertByName
|
||||
CERT_FindCertByNickname
|
||||
CERT_FindCertByNicknameOrEmailAddr
|
||||
CERT_FindCertExtension
|
||||
@ -632,6 +633,7 @@ SSL_CipherPrefSet
|
||||
SSL_CipherPrefSetDefault
|
||||
SSL_ClearSessionCache
|
||||
SSL_ConfigSecureServer
|
||||
SSL_ConfigSecureServerWithCertChain
|
||||
SSL_ConfigServerSessionIDCache
|
||||
SSL_ExportKeyingMaterial
|
||||
SSL_ForceHandshake
|
||||
|
||||
@ -64,6 +64,7 @@ const SSL_ERROR_BAD_CERT_ALERT = SSL_ERROR_BASE + 17;
|
||||
const MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = MOZILLA_PKIX_ERROR_BASE + 0;
|
||||
const MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = MOZILLA_PKIX_ERROR_BASE + 1;
|
||||
const MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = MOZILLA_PKIX_ERROR_BASE + 2; // -16382
|
||||
const MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA = MOZILLA_PKIX_ERROR_BASE + 3;
|
||||
|
||||
// Supported Certificate Usages
|
||||
const certificateUsageSSLClient = 0x0001;
|
||||
|
||||
@ -62,6 +62,7 @@ function check_telemetry() {
|
||||
do_check_eq(histogram.counts[ 9], 5); // SSL_ERROR_BAD_CERT_DOMAIN
|
||||
do_check_eq(histogram.counts[10], 5); // SEC_ERROR_EXPIRED_CERTIFICATE
|
||||
do_check_eq(histogram.counts[11], 2); // MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
|
||||
do_check_eq(histogram.counts[12], 1); // MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA
|
||||
run_next_test();
|
||||
}
|
||||
|
||||
@ -126,6 +127,28 @@ function add_simple_tests() {
|
||||
add_cert_override_test("ca-used-as-end-entity.example.com",
|
||||
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
|
||||
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY));
|
||||
|
||||
// If an X.509 version 1 certificate is not a trust anchor, we will
|
||||
// encounter an overridable error.
|
||||
add_cert_override_test("end-entity-issued-by-v1-cert.example.com",
|
||||
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
|
||||
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA));
|
||||
// If we make that certificate a trust anchor, the connection will succeed.
|
||||
add_test(function() {
|
||||
certOverrideService.clearValidityOverride("end-entity-issued-by-v1-cert.example.com", 8443);
|
||||
let v1Cert = constructCertFromFile("tlsserver/v1Cert.der");
|
||||
setCertTrust(v1Cert, "CTu,,");
|
||||
clearSessionCache();
|
||||
run_next_test();
|
||||
});
|
||||
add_connection_test("end-entity-issued-by-v1-cert.example.com", Cr.NS_OK);
|
||||
// Reset the trust for that certificate.
|
||||
add_test(function() {
|
||||
let v1Cert = constructCertFromFile("tlsserver/v1Cert.der");
|
||||
setCertTrust(v1Cert, ",,");
|
||||
clearSessionCache();
|
||||
run_next_test();
|
||||
});
|
||||
}
|
||||
|
||||
function add_combo_tests() {
|
||||
|
||||
@ -59,32 +59,23 @@ function run_test() {
|
||||
check_ok_ca(cert_from_file('v3_ca.der'));
|
||||
check_ca_err(cert_from_file('v3_ca_missing_bc.der'), SEC_ERROR_CA_CERT_INVALID);
|
||||
|
||||
// Classic allows v1 and v2 certs to be CA certs in trust anchor positions and
|
||||
// intermediates when they have a v3 basic constraints extenstion (which
|
||||
// makes them invalid certs). Insanity only allows v1 certs to be CA in
|
||||
// anchor position (even if they have invalid encodings), v2 certs are not
|
||||
// considered CAs in any position.
|
||||
// Note that currently there are no change of behavior based on the
|
||||
// version of the end entity.
|
||||
|
||||
let ee_error = 0;
|
||||
let ca_error = 0;
|
||||
// A v1 certificate may be a CA if it has a basic constraints extension with
|
||||
// CA: TRUE or if it is a trust anchor.
|
||||
|
||||
//////////////
|
||||
// v1 CA supersection
|
||||
//////////////////
|
||||
|
||||
// v1 intermediate with v1 trust anchor
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v1_int-v1_ca.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca.der'), ee_error);
|
||||
let error = MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA;
|
||||
check_ca_err(cert_from_file('v1_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca.der'), error);
|
||||
|
||||
// v1 intermediate with v3 extensions.
|
||||
check_ok_ca(cert_from_file('v1_int_bc-v1_ca.der'));
|
||||
@ -97,16 +88,15 @@ function run_test() {
|
||||
check_ok(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca.der'));
|
||||
|
||||
// A v2 intermediate with a v1 CA
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int-v1_ca.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca.der'), ee_error);
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca.der'), error);
|
||||
|
||||
// A v2 intermediate with basic constraints
|
||||
check_ok_ca(cert_from_file('v2_int_bc-v1_ca.der'));
|
||||
@ -120,16 +110,15 @@ function run_test() {
|
||||
|
||||
// Section is OK. A x509 v3 CA MUST have bc
|
||||
// http://tools.ietf.org/html/rfc5280#section-4.2.1.9
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca.der'), error);
|
||||
|
||||
// It is valid for a v1 ca to sign a v3 intemediate.
|
||||
check_ok_ca(cert_from_file('v3_int-v1_ca.der'));
|
||||
@ -146,16 +135,15 @@ function run_test() {
|
||||
// above
|
||||
|
||||
// Using A v1 intermediate
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v1_int-v1_ca_bc.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
|
||||
error = MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA;
|
||||
check_ca_err(cert_from_file('v1_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca_bc.der'), error);
|
||||
|
||||
// Using a v1 intermediate with v3 extenstions
|
||||
check_ok_ca(cert_from_file('v1_int_bc-v1_ca_bc.der'));
|
||||
@ -168,16 +156,15 @@ function run_test() {
|
||||
check_ok(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca_bc.der'));
|
||||
|
||||
// Using v2 intermediate
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int-v1_ca_bc.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca_bc.der'), error);
|
||||
|
||||
// Using a v2 intermediate with basic constraints
|
||||
check_ok_ca(cert_from_file('v2_int_bc-v1_ca_bc.der'));
|
||||
@ -190,16 +177,15 @@ function run_test() {
|
||||
check_ok(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca_bc.der'));
|
||||
|
||||
// Using a v3 intermediate that is missing basic constraints (invalid)
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca_bc.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
|
||||
|
||||
// these should pass assuming we are OK with v1 ca signing v3 intermediates
|
||||
check_ok_ca(cert_from_file('v3_int-v1_ca_bc.der'));
|
||||
@ -217,88 +203,81 @@ function run_test() {
|
||||
//////////////////
|
||||
|
||||
// v2 ca, v1 intermediate
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v1_int-v2_ca.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca.der'), ee_error);
|
||||
error = MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA;
|
||||
check_ca_err(cert_from_file('v1_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca.der'), error);
|
||||
|
||||
// v2 ca, v1 intermediate with basic constraints (invalid)
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
|
||||
// v2 ca, v2 intermediate
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int-v2_ca.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca.der'), ee_error);
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca.der'), error);
|
||||
|
||||
// v2 ca, v2 intermediate with basic constraints (invalid)
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
|
||||
// v2 ca, v3 intermediate missing basic constraints
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca.der'), error);
|
||||
|
||||
// v2 ca, v3 intermediate
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int-v2_ca.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca.der'), ee_error);
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca.der'), error);
|
||||
|
||||
// v2 ca, v1 intermediate
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v1_int-v2_ca_bc.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
|
||||
error = MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA;
|
||||
check_ca_err(cert_from_file('v1_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca_bc.der'), error);
|
||||
|
||||
// v2 ca, v1 intermediate with bc
|
||||
check_ok_ca(cert_from_file('v1_int_bc-v2_ca_bc.der'));
|
||||
@ -311,16 +290,15 @@ function run_test() {
|
||||
check_ok(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca_bc.der'));
|
||||
|
||||
// v2 ca, v2 intermediate
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int-v2_ca_bc.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca_bc.der'), error);
|
||||
|
||||
// v2 ca, v2 intermediate with bc
|
||||
check_ok_ca(cert_from_file('v2_int_bc-v2_ca_bc.der'));
|
||||
@ -333,16 +311,15 @@ function run_test() {
|
||||
check_ok(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca_bc.der'));
|
||||
|
||||
// v2 ca, invalid v3 intermediate
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca_bc.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
|
||||
|
||||
// v2 ca, valid v3 intermediate
|
||||
check_ok_ca(cert_from_file('v3_int-v2_ca_bc.der'));
|
||||
@ -359,16 +336,15 @@ function run_test() {
|
||||
//////////////////
|
||||
|
||||
// v3 ca, v1 intermediate
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v1_int-v3_ca.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca.der'), ee_error);
|
||||
error = MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA;
|
||||
check_ca_err(cert_from_file('v1_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca.der'), error);
|
||||
|
||||
// A v1 intermediate with v3 extensions
|
||||
check_ok_ca(cert_from_file('v1_int_bc-v3_ca.der'));
|
||||
@ -381,16 +357,15 @@ function run_test() {
|
||||
check_ok(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca.der'));
|
||||
|
||||
// reject a v2 cert as intermediate
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int-v3_ca.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca.der'), ee_error);
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca.der'), error);
|
||||
|
||||
// v2 intermediate with bc (invalid)
|
||||
check_ok_ca(cert_from_file('v2_int_bc-v3_ca.der'));
|
||||
@ -403,16 +378,15 @@ function run_test() {
|
||||
check_ok(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca.der'));
|
||||
|
||||
// invalid v3 intermediate
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca.der'), error);
|
||||
|
||||
// v1/v2 end entity, v3 intermediate
|
||||
check_ok_ca(cert_from_file('v3_int-v3_ca.der'));
|
||||
@ -425,76 +399,70 @@ function run_test() {
|
||||
check_ok(cert_from_file('v4_bc_ee-v3_int-v3_ca.der'));
|
||||
|
||||
// v3 CA, invalid v3 intermediate
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v1_int-v3_ca_missing_bc.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
|
||||
error = MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA;
|
||||
check_ca_err(cert_from_file('v1_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca_missing_bc.der'), error);
|
||||
|
||||
// Int v1 with BC that is just invalid
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v1_int_bc-v3_ca_missing_bc.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v1_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
|
||||
|
||||
// Good section (all fail)
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int-v3_ca_missing_bc.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca_missing_bc.der'), error);
|
||||
|
||||
// v3 intermediate missing basic constraints is invalid
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int_bc-v3_ca_missing_bc.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
|
||||
|
||||
// v3 intermediate missing basic constraints is invalid
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca_missing_bc.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
|
||||
|
||||
// With a v3 root missing bc and valid v3 intermediate
|
||||
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
ee_error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int-v3_ca_missing_bc.der'), ca_error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca_missing_bc.der'), error);
|
||||
|
||||
// self-signed
|
||||
check_cert_err(cert_from_file('v1_self_signed.der'), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
|
||||
Binary file not shown.
@ -59,6 +59,7 @@ const BadCertHost sBadCertHosts[] =
|
||||
{ "nsCertTypeNotCritical.example.com", "nsCertTypeNotCritical" },
|
||||
{ "nsCertTypeCriticalWithExtKeyUsage.example.com", "nsCertTypeCriticalWithExtKeyUsage" },
|
||||
{ "nsCertTypeCritical.example.com", "nsCertTypeCritical" },
|
||||
{ "end-entity-issued-by-v1-cert.example.com", "eeIssuedByV1Cert" },
|
||||
{ nullptr, nullptr }
|
||||
};
|
||||
|
||||
|
||||
@ -145,6 +145,31 @@ function make_INT {
|
||||
SERIALNO=$(($SERIALNO + 1))
|
||||
}
|
||||
|
||||
# This creates an X.509 version 1 certificate (note --certVersion 1 and a lack
|
||||
# of extensions).
|
||||
function make_V1 {
|
||||
NICKNAME="${1}"
|
||||
SUBJECT="${2}"
|
||||
CA="${3}"
|
||||
|
||||
cert_already_exists $NICKNAME
|
||||
if [ $ALREADY_EXISTS -eq 1 ]; then
|
||||
echo "cert \"$NICKNAME\" already exists - not regenerating it (use --clobber to force regeneration)"
|
||||
return
|
||||
fi
|
||||
|
||||
$RUN_MOZILLA $CERTUTIL -d $DB_ARGUMENT -S \
|
||||
-n $NICKNAME \
|
||||
-s "$SUBJECT" \
|
||||
-c $CA \
|
||||
-t ",," \
|
||||
-m $SERIALNO \
|
||||
--certVersion 1 \
|
||||
-v 360 -w -1 -z $NOISE_FILE
|
||||
|
||||
SERIALNO=$(($SERIALNO + 1))
|
||||
}
|
||||
|
||||
function make_EE {
|
||||
CERT_RESPONSES="n\n\ny\n2\n7\nhttp://localhost:8080/\n\nn\nn\n"
|
||||
NICKNAME="${1}"
|
||||
@ -287,4 +312,11 @@ make_EE_with_nsCertType nsCertTypeCritical 'CN=nsCertType Critical' testCA "loca
|
||||
make_EE_with_nsCertType nsCertTypeNotCritical 'CN=nsCertType Not Critical' testCA "localhost,*.example.com" "n"
|
||||
make_EE_with_nsCertType nsCertTypeCriticalWithExtKeyUsage 'CN=nsCertType Critical With extKeyUsage' testCA "localhost,*.example.com" "y" "--extKeyUsage serverAuth"
|
||||
|
||||
# Make an X.509 version 1 certificate that will issue another certificate.
|
||||
# By default, this causes an error in verification that we allow overrides for.
|
||||
# However, if the v1 certificate is a trust anchor, then verification succeeds.
|
||||
make_V1 v1Cert 'CN=V1 Cert' testCA
|
||||
export_cert v1Cert v1Cert.der
|
||||
make_EE eeIssuedByV1Cert 'CN=EE Issued by V1 Cert' v1Cert "localhost,*.example.com"
|
||||
|
||||
cleanup
|
||||
|
||||
Binary file not shown.
@ -197,6 +197,47 @@ ConfigSecureServerWithNamedCert(PRFileDesc *fd, const char *certName,
|
||||
PrintPRError("PK11_FindCertFromNickname failed");
|
||||
return SECFailure;
|
||||
}
|
||||
// If an intermediate certificate issued the server certificate (rather than
|
||||
// directly by a trust anchor), we want to send it along in the handshake so
|
||||
// we don't encounter unknown issuer errors when that's not what we're
|
||||
// testing.
|
||||
ScopedCERTCertificateList certList;
|
||||
ScopedCERTCertificate issuerCert(
|
||||
CERT_FindCertByName(CERT_GetDefaultCertDB(), &cert->derIssuer));
|
||||
// If we can't find the issuer cert, continue without it.
|
||||
if (issuerCert) {
|
||||
// Sadly, CERTCertificateList does not have a CERT_NewCertificateList
|
||||
// utility function, so we must create it ourselves. This consists
|
||||
// of creating an arena, allocating space for the CERTCertificateList,
|
||||
// and then transferring ownership of the arena to that list.
|
||||
ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
|
||||
if (!arena) {
|
||||
PrintPRError("PORT_NewArena failed");
|
||||
return SECFailure;
|
||||
}
|
||||
certList = reinterpret_cast<CERTCertificateList*>(
|
||||
PORT_ArenaAlloc(arena, sizeof(CERTCertificateList)));
|
||||
if (!certList) {
|
||||
PrintPRError("PORT_ArenaAlloc failed");
|
||||
return SECFailure;
|
||||
}
|
||||
certList->arena = arena.forget();
|
||||
// We also have to manually copy the certificates we care about to the
|
||||
// list, because there aren't any utility functions for that either.
|
||||
certList->certs = reinterpret_cast<SECItem*>(
|
||||
PORT_ArenaAlloc(certList->arena, 2 * sizeof(SECItem)));
|
||||
if (SECITEM_CopyItem(certList->arena, certList->certs, &cert->derCert)
|
||||
!= SECSuccess) {
|
||||
PrintPRError("SECITEM_CopyItem failed");
|
||||
return SECFailure;
|
||||
}
|
||||
if (SECITEM_CopyItem(certList->arena, certList->certs + 1,
|
||||
&issuerCert->derCert) != SECSuccess) {
|
||||
PrintPRError("SECITEM_CopyItem failed");
|
||||
return SECFailure;
|
||||
}
|
||||
certList->len = 2;
|
||||
}
|
||||
|
||||
ScopedSECKEYPrivateKey key(PK11_FindKeyByAnyCert(cert, nullptr));
|
||||
if (!key) {
|
||||
@ -206,7 +247,8 @@ ConfigSecureServerWithNamedCert(PRFileDesc *fd, const char *certName,
|
||||
|
||||
SSLKEAType certKEA = NSS_FindCertKEAType(cert);
|
||||
|
||||
if (SSL_ConfigSecureServer(fd, cert, key, certKEA) != SECSuccess) {
|
||||
if (SSL_ConfigSecureServerWithCertChain(fd, cert, certList, key, certKEA)
|
||||
!= SECSuccess) {
|
||||
PrintPRError("SSL_ConfigSecureServer failed");
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
BIN
security/manager/ssl/tests/unit/tlsserver/v1Cert.der
Normal file
BIN
security/manager/ssl/tests/unit/tlsserver/v1Cert.der
Normal file
Binary file not shown.
Loading…
Reference in New Issue
Block a user