Bug 971178, Part 4: Expand test_intermediates_basic_constraints.js test insanity::pkix, r=cviecco

--HG--
extra : rebase_source : b419a3087b3d327c9a48d984551abeac4943be7a
This commit is contained in:
Brian Smith 2014-02-11 16:24:45 -08:00
parent c03179e90d
commit a729acfc4a

View File

@ -1,8 +1,8 @@
"use strict";
/* To regenerate the certificates for this test:
*
* cd security/manager/ssl/tests/unit/test_certificate_usages
* ./generate.py
* cd security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints
* ./generate.py
* cd ../../../../../..
* make -C $OBJDIR/security/manager/ssl/tests
*
@ -15,49 +15,22 @@ do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
.getService(Ci.nsIX509CertDB);
const ca_usage1 = 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
const ee_usage1 = 'Client,Server,Sign,Encrypt';
const ee_usage2 = 'Client,Server,Sign,Encrypt,Status Responder';
const cert2usage = {
'int-no-extensions': ee_usage1,
'ee-int-no-extensions': "",
'int-not-a-ca': ee_usage1,
'ee-int-not-a-ca': "",
'int-limited-depth' : ca_usage1,
'ee-int-limited-depth' : ee_usage1,
'int-limited-depth-invalid' : ca_usage1, // XXX this should be ''
'ee-int-limited-depth-invalid' : "",
'int-valid-ku-no-eku' : 'SSL CA',
'ee-int-valid-ku-no-eku' : ee_usage1,
'int-bad-ku-no-eku' : ee_usage2,
'ee-int-bad-ku-no-eku' : "",
'int-no-ku-no-eku' : ca_usage1,
'ee-int-no-ku-no-eku' : ee_usage1,
'int-valid-ku-server-eku' : 'SSL CA',
'ee-int-valid-ku-server-eku' : "",
'int-bad-ku-server-eku' : '',
'ee-int-bad-ku-server-eku' : "",
'int-no-ku-server-eku' : 'SSL CA',
'ee-int-no-ku-server-eku' : ""
};
function load_cert(name, trust) {
let filename = "test_intermediate_basic_usage_constraints/" + name + ".der";
addCertFromFile(certdb, filename, trust);
}
function test_cert_for_usages(cert_nick, expected_usages_string) {
let cert = certdb.findCertByNickname(null, cert_nick);
function test_cert_for_usages(certChainNicks, expected_usages_string) {
let certs = [];
for (let i in certChainNicks) {
let certNick = certChainNicks[i];
let certDER = readFile(do_get_file(
"test_intermediate_basic_usage_constraints/"
+ certNick + ".der"), false);
certs.push(certdb.constructX509(certDER, certDER.length));
}
let cert = certs[0];
let verified = {};
let usages = {};
cert.getUsagesString(true, verified, usages);
@ -65,21 +38,102 @@ function test_cert_for_usages(cert_nick, expected_usages_string) {
do_check_eq(expected_usages_string, usages.value);
}
function run_test() {
function run_test_in_mode(useInsanity) {
Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
// insanity::pkix doesn't support the obsolete Netscape object signing
// extension, but NSS does.
let ee_usage1 = useInsanity
? 'Client,Server,Sign,Encrypt,Object Signer'
: 'Client,Server,Sign,Encrypt'
// insanity::pkix doesn't validate CA certificates for non-CA uses, but
// NSS does.
let ca_usage1 = useInsanity
? "SSL CA"
: 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
// Load the ca into mem
let ca_name = "ca";
load_cert(ca_name, "CTu,CTu,CTu");
do_print("ca_name = " + ca_name);
test_cert_for_usages(ca_name, ca_usage1);
test_cert_for_usages([ca_name], ca_usage1);
// Load certs first
for (let cert_name in cert2usage) {
load_cert(cert_name, ',,');
}
// A certificate with no basicConstraints extension is considered an EE.
test_cert_for_usages(["int-no-extensions"], ee_usage1);
// Now do the checks
for (let cert_name in cert2usage) {
do_print("cert_name =" + cert_name);
test_cert_for_usages(cert_name, cert2usage[cert_name]);
}
// int-no-extensions is an EE (see previous case), so no certs can chain to
// it.
test_cert_for_usages(["ee-int-no-extensions", "int-no-extensions"], "");
// a certificate with bsaicConstraints.cA==false is considered an EE.
test_cert_for_usages(["int-not-a-ca"], ee_usage1);
// int-not-a-ca is an EE (see previous case), so no certs can chain to it.
test_cert_for_usages(["ee-int-not-a-ca", "int-not-a-ca"], "");
// int-limited-depth has cA==true and a path length constraint of zero.
test_cert_for_usages(["int-limited-depth"], ca_usage1);
// path length constraints do not affect the ability of a non-CA cert to
// chain to to the CA cert.
test_cert_for_usages(["ee-int-limited-depth", "int-limited-depth"],
ee_usage1);
// ca
// int-limited-depth (cA==true, pathLenConstraint==0)
// int-limited-depth-invalid (cA==true)
//
// XXX: It seems the NSS code does not consider the path length of the
// certificate we're validating, but insanity::pkix does. insanity::pkix's
// behavior is correct.
test_cert_for_usages(["int-limited-depth-invalid", "int-limited-depth"],
useInsanity ? "" : ca_usage1);
test_cert_for_usages(["ee-int-limited-depth-invalid",
"int-limited-depth-invalid",
"int-limited-depth"],
"");
// int-valid-ku-no-eku has keyCertSign
test_cert_for_usages(["int-valid-ku-no-eku"], "SSL CA");
test_cert_for_usages(["ee-int-valid-ku-no-eku", "int-valid-ku-no-eku"],
ee_usage1);
// int-bad-ku-no-eku has basicConstraints.cA==true and has a KU extension
// but the KU extension is missing keyCertSign. Note that insanity::pkix
// doesn't validate certificates with basicConstraints.Ca==true for non-CA
// uses, but NSS does.
test_cert_for_usages(["int-bad-ku-no-eku"],
useInsanity
? ""
: 'Client,Server,Sign,Encrypt,Status Responder');
test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], "");
// int-no-ku-no-eku has basicConstraints.cA==true and no KU extension.
// We treat a missing KU as "any key usage is OK".
test_cert_for_usages(["int-no-ku-no-eku"], ca_usage1);
test_cert_for_usages(["ee-int-no-ku-no-eku", "int-no-ku-no-eku"], ee_usage1);
// int-valid-ku-server-eku has basicConstraints.cA==true, keyCertSign in KU,
// and EKU=={id-kp-serverAuth,id-kp-clientAuth}.
test_cert_for_usages(["int-valid-ku-server-eku"], "SSL CA");
test_cert_for_usages(["ee-int-valid-ku-server-eku",
"int-valid-ku-server-eku"], "Client,Server");
// int-bad-ku-server-eku has basicConstraints.cA==true, a KU without
// keyCertSign, and EKU=={id-kp-serverAuth,id-kp-clientAuth}.
test_cert_for_usages(["int-bad-ku-server-eku"], "");
test_cert_for_usages(["ee-int-bad-ku-server-eku", "int-bad-ku-server-eku"],
"");
// int-bad-ku-server-eku has basicConstraints.cA==true, no KU, and
// EKU=={id-kp-serverAuth,id-kp-clientAuth}.
test_cert_for_usages(["int-no-ku-server-eku"], "SSL CA");
test_cert_for_usages(["ee-int-no-ku-server-eku", "int-no-ku-server-eku"],
"Client,Server");
}
function run_test() {
run_test_in_mode(true);
run_test_in_mode(false);
}