mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-25 13:51:41 +00:00
Bug 971178, Part 4: Expand test_intermediates_basic_constraints.js test insanity::pkix, r=cviecco
--HG-- extra : rebase_source : b419a3087b3d327c9a48d984551abeac4943be7a
This commit is contained in:
parent
c03179e90d
commit
a729acfc4a
@ -1,8 +1,8 @@
|
||||
"use strict";
|
||||
/* To regenerate the certificates for this test:
|
||||
*
|
||||
* cd security/manager/ssl/tests/unit/test_certificate_usages
|
||||
* ./generate.py
|
||||
* cd security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints
|
||||
* ./generate.py
|
||||
* cd ../../../../../..
|
||||
* make -C $OBJDIR/security/manager/ssl/tests
|
||||
*
|
||||
@ -15,49 +15,22 @@ do_get_profile(); // must be called before getting nsIX509CertDB
|
||||
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
|
||||
.getService(Ci.nsIX509CertDB);
|
||||
|
||||
const ca_usage1 = 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
|
||||
const ee_usage1 = 'Client,Server,Sign,Encrypt';
|
||||
const ee_usage2 = 'Client,Server,Sign,Encrypt,Status Responder';
|
||||
|
||||
const cert2usage = {
|
||||
'int-no-extensions': ee_usage1,
|
||||
'ee-int-no-extensions': "",
|
||||
|
||||
'int-not-a-ca': ee_usage1,
|
||||
'ee-int-not-a-ca': "",
|
||||
|
||||
'int-limited-depth' : ca_usage1,
|
||||
'ee-int-limited-depth' : ee_usage1,
|
||||
|
||||
'int-limited-depth-invalid' : ca_usage1, // XXX this should be ''
|
||||
'ee-int-limited-depth-invalid' : "",
|
||||
|
||||
'int-valid-ku-no-eku' : 'SSL CA',
|
||||
'ee-int-valid-ku-no-eku' : ee_usage1,
|
||||
|
||||
'int-bad-ku-no-eku' : ee_usage2,
|
||||
'ee-int-bad-ku-no-eku' : "",
|
||||
|
||||
'int-no-ku-no-eku' : ca_usage1,
|
||||
'ee-int-no-ku-no-eku' : ee_usage1,
|
||||
|
||||
'int-valid-ku-server-eku' : 'SSL CA',
|
||||
'ee-int-valid-ku-server-eku' : "",
|
||||
|
||||
'int-bad-ku-server-eku' : '',
|
||||
'ee-int-bad-ku-server-eku' : "",
|
||||
|
||||
'int-no-ku-server-eku' : 'SSL CA',
|
||||
'ee-int-no-ku-server-eku' : ""
|
||||
};
|
||||
|
||||
function load_cert(name, trust) {
|
||||
let filename = "test_intermediate_basic_usage_constraints/" + name + ".der";
|
||||
addCertFromFile(certdb, filename, trust);
|
||||
}
|
||||
|
||||
function test_cert_for_usages(cert_nick, expected_usages_string) {
|
||||
let cert = certdb.findCertByNickname(null, cert_nick);
|
||||
function test_cert_for_usages(certChainNicks, expected_usages_string) {
|
||||
let certs = [];
|
||||
for (let i in certChainNicks) {
|
||||
let certNick = certChainNicks[i];
|
||||
let certDER = readFile(do_get_file(
|
||||
"test_intermediate_basic_usage_constraints/"
|
||||
+ certNick + ".der"), false);
|
||||
certs.push(certdb.constructX509(certDER, certDER.length));
|
||||
}
|
||||
|
||||
let cert = certs[0];
|
||||
let verified = {};
|
||||
let usages = {};
|
||||
cert.getUsagesString(true, verified, usages);
|
||||
@ -65,21 +38,102 @@ function test_cert_for_usages(cert_nick, expected_usages_string) {
|
||||
do_check_eq(expected_usages_string, usages.value);
|
||||
}
|
||||
|
||||
function run_test() {
|
||||
function run_test_in_mode(useInsanity) {
|
||||
Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
|
||||
|
||||
// insanity::pkix doesn't support the obsolete Netscape object signing
|
||||
// extension, but NSS does.
|
||||
let ee_usage1 = useInsanity
|
||||
? 'Client,Server,Sign,Encrypt,Object Signer'
|
||||
: 'Client,Server,Sign,Encrypt'
|
||||
|
||||
// insanity::pkix doesn't validate CA certificates for non-CA uses, but
|
||||
// NSS does.
|
||||
let ca_usage1 = useInsanity
|
||||
? "SSL CA"
|
||||
: 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
|
||||
|
||||
// Load the ca into mem
|
||||
let ca_name = "ca";
|
||||
load_cert(ca_name, "CTu,CTu,CTu");
|
||||
do_print("ca_name = " + ca_name);
|
||||
test_cert_for_usages(ca_name, ca_usage1);
|
||||
test_cert_for_usages([ca_name], ca_usage1);
|
||||
|
||||
// Load certs first
|
||||
for (let cert_name in cert2usage) {
|
||||
load_cert(cert_name, ',,');
|
||||
}
|
||||
// A certificate with no basicConstraints extension is considered an EE.
|
||||
test_cert_for_usages(["int-no-extensions"], ee_usage1);
|
||||
|
||||
// Now do the checks
|
||||
for (let cert_name in cert2usage) {
|
||||
do_print("cert_name =" + cert_name);
|
||||
test_cert_for_usages(cert_name, cert2usage[cert_name]);
|
||||
}
|
||||
// int-no-extensions is an EE (see previous case), so no certs can chain to
|
||||
// it.
|
||||
test_cert_for_usages(["ee-int-no-extensions", "int-no-extensions"], "");
|
||||
|
||||
// a certificate with bsaicConstraints.cA==false is considered an EE.
|
||||
test_cert_for_usages(["int-not-a-ca"], ee_usage1);
|
||||
|
||||
// int-not-a-ca is an EE (see previous case), so no certs can chain to it.
|
||||
test_cert_for_usages(["ee-int-not-a-ca", "int-not-a-ca"], "");
|
||||
|
||||
// int-limited-depth has cA==true and a path length constraint of zero.
|
||||
test_cert_for_usages(["int-limited-depth"], ca_usage1);
|
||||
|
||||
// path length constraints do not affect the ability of a non-CA cert to
|
||||
// chain to to the CA cert.
|
||||
test_cert_for_usages(["ee-int-limited-depth", "int-limited-depth"],
|
||||
ee_usage1);
|
||||
|
||||
// ca
|
||||
// int-limited-depth (cA==true, pathLenConstraint==0)
|
||||
// int-limited-depth-invalid (cA==true)
|
||||
//
|
||||
// XXX: It seems the NSS code does not consider the path length of the
|
||||
// certificate we're validating, but insanity::pkix does. insanity::pkix's
|
||||
// behavior is correct.
|
||||
test_cert_for_usages(["int-limited-depth-invalid", "int-limited-depth"],
|
||||
useInsanity ? "" : ca_usage1);
|
||||
test_cert_for_usages(["ee-int-limited-depth-invalid",
|
||||
"int-limited-depth-invalid",
|
||||
"int-limited-depth"],
|
||||
"");
|
||||
|
||||
// int-valid-ku-no-eku has keyCertSign
|
||||
test_cert_for_usages(["int-valid-ku-no-eku"], "SSL CA");
|
||||
test_cert_for_usages(["ee-int-valid-ku-no-eku", "int-valid-ku-no-eku"],
|
||||
ee_usage1);
|
||||
|
||||
// int-bad-ku-no-eku has basicConstraints.cA==true and has a KU extension
|
||||
// but the KU extension is missing keyCertSign. Note that insanity::pkix
|
||||
// doesn't validate certificates with basicConstraints.Ca==true for non-CA
|
||||
// uses, but NSS does.
|
||||
test_cert_for_usages(["int-bad-ku-no-eku"],
|
||||
useInsanity
|
||||
? ""
|
||||
: 'Client,Server,Sign,Encrypt,Status Responder');
|
||||
test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], "");
|
||||
|
||||
// int-no-ku-no-eku has basicConstraints.cA==true and no KU extension.
|
||||
// We treat a missing KU as "any key usage is OK".
|
||||
test_cert_for_usages(["int-no-ku-no-eku"], ca_usage1);
|
||||
test_cert_for_usages(["ee-int-no-ku-no-eku", "int-no-ku-no-eku"], ee_usage1);
|
||||
|
||||
// int-valid-ku-server-eku has basicConstraints.cA==true, keyCertSign in KU,
|
||||
// and EKU=={id-kp-serverAuth,id-kp-clientAuth}.
|
||||
test_cert_for_usages(["int-valid-ku-server-eku"], "SSL CA");
|
||||
test_cert_for_usages(["ee-int-valid-ku-server-eku",
|
||||
"int-valid-ku-server-eku"], "Client,Server");
|
||||
|
||||
// int-bad-ku-server-eku has basicConstraints.cA==true, a KU without
|
||||
// keyCertSign, and EKU=={id-kp-serverAuth,id-kp-clientAuth}.
|
||||
test_cert_for_usages(["int-bad-ku-server-eku"], "");
|
||||
test_cert_for_usages(["ee-int-bad-ku-server-eku", "int-bad-ku-server-eku"],
|
||||
"");
|
||||
|
||||
// int-bad-ku-server-eku has basicConstraints.cA==true, no KU, and
|
||||
// EKU=={id-kp-serverAuth,id-kp-clientAuth}.
|
||||
test_cert_for_usages(["int-no-ku-server-eku"], "SSL CA");
|
||||
test_cert_for_usages(["ee-int-no-ku-server-eku", "int-no-ku-server-eku"],
|
||||
"Client,Server");
|
||||
}
|
||||
|
||||
function run_test() {
|
||||
run_test_in_mode(true);
|
||||
run_test_in_mode(false);
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user