Bug 1125478 - Refactor and clean up key size test files. r=keeler

2024-11-26 14:22:01 +00:00 · 2015-01-27 22:11:00 +01:00 · 2015-01-27 22:11:00 +01:00 · ad8382e07c
commit ad8382e07c
parent 2e2edcd0c4
3 changed files with 75 additions and 195 deletions
--- a/security/manager/ssl/tests/unit/test_keysize.js
+++ b/security/manager/ssl/tests/unit/test_keysize.js
@ -17,42 +17,10 @@ function certFromFile(filename) {
  return certdb.constructX509(der, der.length);
 }

-function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_keysize/" + cert_filename, trust_string);
-  return certFromFile(cert_filename);
-}
-
-function check_cert_err_generic(cert, expected_error, usage) {
-  do_print("cert cn=" + cert.commonName);
-  do_print("cert issuer cn=" + cert.issuerCommonName);
-  let hasEVPolicy = {};
-  let verifiedChain = {};
-  let error = certdb.verifyCertNow(cert, usage,
-                                   NO_FLAGS, verifiedChain, hasEVPolicy);
-  equal(error, expected_error);
-}
-
-function check_cert_err(cert, expected_error) {
-  check_cert_err_generic(cert, expected_error, certificateUsageSSLServer)
-}
-
-function check_ok(cert) {
-  return check_cert_err(cert, 0);
-}
-
-function check_ok_ca(cert) {
-  return check_cert_err_generic(cert, 0, certificateUsageSSLCA);
-}
-
-function check_fail(cert) {
-  return check_cert_err(cert, MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
-}
-
-function check_fail_ca(cert) {
-  return check_cert_err_generic(cert,
-                                MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE,
-                                certificateUsageSSLCA);
+function loadCert(certName, trustString) {
+  let certFilename = certName + ".der";
+  addCertFromFile(certdb, "test_keysize/" + certFilename, trustString);
+  return certFromFile(certFilename);
 }

 /**
@ -77,9 +45,9 @@ function checkChain(rootKeyType, rootKeySize, intKeyType, intKeySize,
  let intFullName = intName + "-" + rootName;
  let eeFullName = eeName + "-" + intName + "-" + rootName;

-  load_cert(rootName, "CTu,CTu,CTu");
-  load_cert(intFullName, ",,");
-  let eeCert = certFromFile(eeFullName + ".der")
+  loadCert(rootName, "CTu,CTu,CTu");
+  loadCert(intFullName, ",,");
+  let eeCert = certFromFile(eeFullName + ".der");

  do_print("cert cn=" + eeCert.commonName);
  do_print("cert o=" + eeCert.organization);
@ -89,37 +57,36 @@ function checkChain(rootKeyType, rootKeySize, intKeyType, intKeySize,
                        certificateUsageSSLServer);
 }

-function checkForKeyType(keyType, inadequateKeySize, adequateKeySize) {
-  let rootOKName = "root_" + keyType + "_" + adequateKeySize;
-  let rootNotOKName = "root_" + keyType + "_" + inadequateKeySize;
-  let intOKName = "int_" + keyType + "_" + adequateKeySize;
-  let intNotOKName = "int_" + keyType + "_" + inadequateKeySize;
-  let eeOKName = "ee_" + keyType + "_" + adequateKeySize;
-  let eeNotOKName = "ee_" + keyType + "_" + inadequateKeySize;
-
+/**
+ * Tests various RSA chains.
+ *
+ * @param {Number} inadequateKeySize
+ * @param {Number} adequateKeySize
+ */
+function checkRSAChains(inadequateKeySize, adequateKeySize) {
  // Chain with certs that have adequate sizes for DV
-  let intFullName = intOKName + "-" + rootOKName;
-  let eeFullName = eeOKName + "-" + intOKName + "-" + rootOKName;
-  check_ok_ca(load_cert(rootOKName, "CTu,CTu,CTu"));
-  check_ok_ca(load_cert(intFullName, ",,"));
-  check_ok(certFromFile(eeFullName + ".der"));
+  checkChain("rsa", adequateKeySize,
+             "rsa", adequateKeySize,
+             "rsa", adequateKeySize,
+             0);

  // Chain with a root cert that has an inadequate size for DV
-  intFullName = intOKName + "-" + rootNotOKName;
-  eeFullName = eeOKName + "-" + intOKName + "-" + rootNotOKName;
-  check_fail_ca(load_cert(rootNotOKName, "CTu,CTu,CTu"));
-  check_fail_ca(load_cert(intFullName, ",,"));
-  check_fail(certFromFile(eeFullName + ".der"));
+  checkChain("rsa", inadequateKeySize,
+             "rsa", adequateKeySize,
+             "rsa", adequateKeySize,
+             MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);

  // Chain with an intermediate cert that has an inadequate size for DV
-  intFullName = intNotOKName + "-" + rootOKName;
-  eeFullName = eeOKName + "-" + intNotOKName + "-" + rootOKName;
-  check_fail_ca(load_cert(intFullName, ",,"));
-  check_fail(certFromFile(eeFullName + ".der"));
+  checkChain("rsa", adequateKeySize,
+             "rsa", inadequateKeySize,
+             "rsa", adequateKeySize,
+             MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);

  // Chain with an end entity cert that has an inadequate size for DV
-  eeFullName = eeNotOKName + "-" + intOKName + "-" + rootOKName;
-  check_fail(certFromFile(eeFullName + ".der"));
+  checkChain("rsa", adequateKeySize,
+             "rsa", adequateKeySize,
+             "rsa", inadequateKeySize,
+             MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
 }

 function checkECCChains() {
@ -165,7 +132,7 @@ function checkCombinationChains() {
 }

 function run_test() {
-  checkForKeyType("rsa", 1016, 1024);
+  checkRSAChains(1016, 1024);
  checkECCChains();
  checkCombinationChains();

--- a/security/manager/ssl/tests/unit/test_keysize/generate.py
+++ b/security/manager/ssl/tests/unit/test_keysize/generate.py
@ -86,7 +86,7 @@ def generate_and_maybe_import_cert(key_type, cert_name_prefix, cert_name_suffix,
        cert_name = 'evroot'
        key_filename = '../test_ev_certs/evroot.key'
        cert_filename = '../test_ev_certs/evroot.der'
-        CertUtils.import_cert_and_pkcs12(srcdir, key_filename,
+        CertUtils.import_cert_and_pkcs12(srcdir, cert_filename,
                                         '../test_ev_certs/evroot.p12',
                                         cert_name, ',,')
        return [cert_name, key_filename, cert_filename]
@ -166,121 +166,41 @@ def generate_cert_chain(root_key_type, root_key_size, int_key_type, int_key_size
        ee_key_size,
        generate_ev)

-def generate_certs(key_type, inadequate_key_size, adequate_key_size, generate_ev):
+def generate_rsa_chains(inadequate_key_size, adequate_key_size, generate_ev):
    """
-    Generates the various certificates used by the key size tests.
+    Generates various RSA chains with different combinations of adequately and
+    inadequately sized certs.

    Arguments:
-      key_type -- the type of key generated: potential values: 'rsa',
-                  or any of the curves found by 'openssl ecparam -list_curves'
      inadequate_key_size -- a string defining the inadequate public key size
                             for the generated certs
      adequate_key_size -- a string defining the adequate public key size for
                           the generated certs
-      generate_ev -- whether an EV cert should be generated
+      generate_ev -- whether EV certs should be generated
    """
    # Generate chain with certs that have adequate sizes
-    if generate_ev and key_type == 'rsa':
-        # Reuse the existing RSA EV root
-        rootOK_nick = 'evroot'
-        caOK_key = '../test_ev_certs/evroot.key'
-        caOK_cert = '../test_ev_certs/evroot.der'
-        caOK_pkcs12_filename = '../test_ev_certs/evroot.p12'
-        CertUtils.import_cert_and_pkcs12(srcdir, caOK_cert, caOK_pkcs12_filename,
-                                         rootOK_nick, ',,')
-    else:
-        [rootOK_nick, caOK_key, caOK_cert] = generate_and_maybe_import_cert(
-            key_type,
-            'root',
-            '',
-            ca_ext_text,
-            '',
-            '',
-            adequate_key_size,
-            generate_ev)
-
-    [intOK_nick, intOK_key, intOK_cert] = generate_and_maybe_import_cert(
-        key_type,
-        'int',
-        rootOK_nick,
-        ca_ext_text,
-        caOK_key,
-        caOK_cert,
-        adequate_key_size,
-        generate_ev)
-
-    generate_and_maybe_import_cert(
-        key_type,
-        'ee',
-        intOK_nick,
-        ee_ext_text,
-        intOK_key,
-        intOK_cert,
-        adequate_key_size,
-        generate_ev)
+    generate_cert_chain('rsa', adequate_key_size,
+                        'rsa', adequate_key_size,
+                        'rsa', adequate_key_size,
+                        generate_ev)

    # Generate chain with a root cert that has an inadequate size
-    [rootNotOK_nick, rootNotOK_key, rootNotOK_cert] = generate_and_maybe_import_cert(
-        key_type,
-        'root',
-        '',
-        ca_ext_text,
-        '',
-        '',
-        inadequate_key_size,
-        generate_ev)
-
-    [int_nick, int_key, int_cert] = generate_and_maybe_import_cert(
-        key_type,
-        'int',
-        rootNotOK_nick,
-        ca_ext_text,
-        rootNotOK_key,
-        rootNotOK_cert,
-        adequate_key_size,
-        generate_ev)
-
-    generate_and_maybe_import_cert(
-        key_type,
-        'ee',
-        int_nick,
-        ee_ext_text,
-        int_key,
-        int_cert,
-        adequate_key_size,
-        generate_ev)
+    generate_cert_chain('rsa', inadequate_key_size,
+                        'rsa', adequate_key_size,
+                        'rsa', adequate_key_size,
+                        generate_ev)

    # Generate chain with an intermediate cert that has an inadequate size
-    [intNotOK_nick, intNotOK_key, intNotOK_cert] = generate_and_maybe_import_cert(
-        key_type,
-        'int',
-        rootOK_nick,
-        ca_ext_text,
-        caOK_key,
-        caOK_cert,
-        inadequate_key_size,
-        generate_ev)
-
-    generate_and_maybe_import_cert(
-        key_type,
-        'ee',
-        intNotOK_nick,
-        ee_ext_text,
-        intNotOK_key,
-        intNotOK_cert,
-        adequate_key_size,
-        generate_ev)
+    generate_cert_chain('rsa', adequate_key_size,
+                        'rsa', inadequate_key_size,
+                        'rsa', adequate_key_size,
+                        generate_ev)

    # Generate chain with an end entity cert that has an inadequate size
-    generate_and_maybe_import_cert(
-        key_type,
-        'ee',
-        intOK_nick,
-        ee_ext_text,
-        intOK_key,
-        intOK_cert,
-        inadequate_key_size,
-        generate_ev)
+    generate_cert_chain('rsa', adequate_key_size,
+                        'rsa', adequate_key_size,
+                        'rsa', inadequate_key_size,
+                        generate_ev)

 def generate_ecc_chains():
    generate_cert_chain('prime256v1', '256',
@ -328,8 +248,8 @@ CertUtils.init_nss_db(srcdir)
 # TODO(bug 636807): SECKEY_PublicKeyStrengthInBits() rounds up the number of
 # bits to the next multiple of 8 - therefore the highest key size less than 1024
 # that can be tested is 1016, less than 2048 is 2040 and so on.
-generate_certs('rsa', '1016', '1024', False)
-generate_certs('rsa', '2040', '2048', True)
+generate_rsa_chains('1016', '1024', False)
+generate_rsa_chains('2040', '2048', True)
 generate_ecc_chains()
 generate_combination_chains()

--- a/security/manager/ssl/tests/unit/test_keysize_ev.js
+++ b/security/manager/ssl/tests/unit/test_keysize_ev.js
@ -47,27 +47,27 @@ function checkEVStatus(cert, usage, isEVExpected) {
 *
 * @param {Array} expectedNamesForOCSP
 *        An array of nicknames of the certs to be responded to.
- * @param {String} rootCACertFileName
- *        The file name of the root CA cert. Can begin with ".." to reference
+ * @param {String} rootCertFileName
+ *        The file name of the root cert. Can begin with ".." to reference
 *        certs in folders other than "test_keysize/".
- * @param {Array} subCACertFileNames
- *        An array of file names of any sub CA certificates.
+ * @param {Array} intCertFileNames
+ *        An array of file names of any intermediate certificates.
 * @param {String} endEntityCertFileName
 *        The file name of the end entity cert.
 * @param {Boolean} expectedResult
 *        Whether the chain is expected to validate as EV.
 */
 function addKeySizeTestForEV(expectedNamesForOCSP,
-                             rootCACertFileName, subCACertFileNames,
+                             rootCertFileName, intCertFileNames,
                             endEntityCertFileName, expectedResult)
 {
  add_test(function() {
    clearOCSPCache();
    let ocspResponder = getOCSPResponder(expectedNamesForOCSP);

-    loadCert(rootCACertFileName, "CTu,CTu,CTu");
-    for (let subCACertFileName of subCACertFileNames) {
-      loadCert(subCACertFileName, ",,");
+    loadCert(rootCertFileName, "CTu,CTu,CTu");
+    for (let intCertFileName of intCertFileNames) {
+      loadCert(intCertFileName, ",,");
    }
    checkEVStatus(certFromFile(endEntityCertFileName + ".der"),
                  certificateUsageSSLServer, expectedResult);
@ -77,36 +77,30 @@ function addKeySizeTestForEV(expectedNamesForOCSP,
 }

 /**
- * For debug builds which have the test EV roots compiled in, checks for the
- * given key type that chains that contain certs with key sizes adequate for EV
- * are validated as such, while chains that contain any cert with an inadequate
- * key size fail EV and validate as DV.
+ * For debug builds which have the test EV roots compiled in, checks RSA chains
+ * which contain certs with key sizes adequate for EV are validated as such,
+ * while chains that contain any cert with an inadequate key size fail EV and
+ * validate as DV.
 * For opt builds which don't have the test EV roots compiled in, checks that
 * none of the chains validate as EV.
 *
 * Note: This function assumes that the key size requirements for EV are greater
 * than or equal to the requirements for DV.
 *
- * @param {String} keyType
- *        The key type to check (e.g. "rsa").
 * @param {Number} inadequateKeySize
 *        The inadequate key size of the generated certs.
 * @param {Number} adequateKeySize
 *        The adequate key size of the generated certs.
 */
-function checkForKeyType(keyType, inadequateKeySize, adequateKeySize) {
+function checkRSAChains(inadequateKeySize, adequateKeySize) {
  // Reuse the existing test RSA EV root
-  let rootOKCertFileName = keyType == "rsa"
-                         ? "../test_ev_certs/evroot"
-                         : "ev_root_" + keyType + "_" + adequateKeySize;
-  let rootOKName = keyType == "rsa"
-                 ? "evroot"
-                 : "ev_root_" + keyType + "_" + adequateKeySize;
-  let rootNotOKName = "ev_root_" + keyType + "_" + inadequateKeySize;
-  let intOKName = "ev_int_" + keyType + "_" + adequateKeySize;
-  let intNotOKName = "ev_int_" + keyType + "_" + inadequateKeySize;
-  let eeOKName = "ev_ee_" + keyType + "_" + adequateKeySize;
-  let eeNotOKName = "ev_ee_" + keyType + "_" + inadequateKeySize;
+  let rootOKCertFileName = "../test_ev_certs/evroot";
+  let rootOKName = "evroot";
+  let rootNotOKName = "ev_root_rsa_" + inadequateKeySize;
+  let intOKName = "ev_int_rsa_" + adequateKeySize;
+  let intNotOKName = "ev_int_rsa_" + inadequateKeySize;
+  let eeOKName = "ev_ee_rsa_" + adequateKeySize;
+  let eeNotOKName = "ev_ee_rsa_" + inadequateKeySize;

  // Chain with certs that have adequate sizes for EV and DV
  // In opt builds, this chain is only validated for DV. Hence, an OCSP fetch
@ -149,10 +143,9 @@ function checkForKeyType(keyType, inadequateKeySize, adequateKeySize) {
 }

 function run_test() {
-  // Setup OCSP responder
  Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");

-  checkForKeyType("rsa", 2040, 2048);
+  checkRSAChains(2040, 2048);

  run_next_test();
 }