Bug 1164409 - Reduce PSM xpcshell script code duplication. r=keeler

Cykesiopka 2015-05-15 02:28:00 -04:00
parent cedc0834e3
commit cb7ae71daf
13 changed files with 191 additions and 254 deletions


@ -35,20 +35,15 @@ const MOZILLA_PKIX_ERROR_BASE = Ci.nsINSSErrorsService.MOZILLA_PKIX_ERROR_BASE;
const PRErrorCodeSuccess = 0;
// Sort in numerical order
const SEC_ERROR_INVALID_ARGS = SEC_ERROR_BASE + 5; // -8187
const SEC_ERROR_INVALID_TIME = SEC_ERROR_BASE + 8;
const SEC_ERROR_BAD_DER = SEC_ERROR_BASE + 9;
const SEC_ERROR_EXPIRED_CERTIFICATE = SEC_ERROR_BASE + 11;
const SEC_ERROR_REVOKED_CERTIFICATE = SEC_ERROR_BASE + 12; // -8180
const SEC_ERROR_UNKNOWN_ISSUER = SEC_ERROR_BASE + 13;
const SEC_ERROR_BAD_DATABASE = SEC_ERROR_BASE + 18;
const SEC_ERROR_UNTRUSTED_ISSUER = SEC_ERROR_BASE + 20; // -8172
const SEC_ERROR_UNTRUSTED_CERT = SEC_ERROR_BASE + 21; // -8171
const SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE = SEC_ERROR_BASE + 30; // -8162
const SEC_ERROR_EXTENSION_VALUE_INVALID = SEC_ERROR_BASE + 34; // -8158
const SEC_ERROR_EXTENSION_NOT_FOUND = SEC_ERROR_BASE + 35; // -8157
const SEC_ERROR_CA_CERT_INVALID = SEC_ERROR_BASE + 36;
const SEC_ERROR_INVALID_KEY = SEC_ERROR_BASE + 40; // -8152
const SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION = SEC_ERROR_BASE + 41;
const SEC_ERROR_INADEQUATE_KEY_USAGE = SEC_ERROR_BASE + 90; // -8102
const SEC_ERROR_INADEQUATE_CERT_TYPE = SEC_ERROR_BASE + 91; // -8101
@ -68,7 +63,6 @@ const SEC_ERROR_OCSP_INVALID_SIGNING_CERT = SEC_ERROR_BASE + 144;
const SEC_ERROR_POLICY_VALIDATION_FAILED = SEC_ERROR_BASE + 160; // -8032
const SEC_ERROR_OCSP_BAD_SIGNATURE = SEC_ERROR_BASE + 157;
const SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED = SEC_ERROR_BASE + 176;
const SEC_ERROR_APPLICATION_CALLBACK_ERROR = SEC_ERROR_BASE + 178;
const SSL_ERROR_BAD_CERT_DOMAIN = SSL_ERROR_BASE + 12;
const SSL_ERROR_BAD_CERT_ALERT = SSL_ERROR_BASE + 17;
@ -129,15 +123,27 @@ function getXPCOMStatusFromNSS(statusNSS) {
// certdb implements nsIX509CertDB. See nsIX509CertDB.idl for documentation.
// In particular, hostname is optional.
function checkCertErrorGeneric(certdb, cert, expectedError, usage, hostname) {
let hasEVPolicy = {};
function checkCertErrorGeneric(certdb, cert, expectedError, usage,
/*optional*/ hasEVPolicy,
/*optional*/ hostname) {
do_print(`cert cn=${cert.commonName}`);
do_print(`cert issuer cn=${cert.issuerCommonName}`);
let verifiedChain = {};
let error = certdb.verifyCertNow(cert, usage, NO_FLAGS, hostname,
verifiedChain, hasEVPolicy);
verifiedChain, hasEVPolicy || {});
Assert.equal(error, expectedError,
"Actual and expected error should match");
}
function checkEVStatus(certDB, cert, usage, isEVExpected) {
do_print(`cert o=${cert.organization}`);
do_print(`cert issuer o=${cert.issuerOrganization}`);
let hasEVPolicy = {};
checkCertErrorGeneric(certDB, cert, PRErrorCodeSuccess, usage, hasEVPolicy);
Assert.equal(hasEVPolicy.value, isEVExpected,
"Actual and expected EV status should match");
}
function _getLibraryFunctionWithNoArguments(functionName, libraryName) {
// Open the NSS library. copied from services/crypto/modules/WeaveCrypto.js
let path = ctypes.libraryName(libraryName);
@ -393,8 +399,8 @@ function _setupTLSServerTest(serverBinName)
.getService(Ci.nsIEnvironment);
let greBinDir = directoryService.get("GreBinD", Ci.nsIFile);
envSvc.set("DYLD_LIBRARY_PATH", greBinDir.path);
// Android libraries are in /data/local/xpcb, but "GreBinD" does not return
// this path on Android, so hard code it here.
// TODO(bug 1107794): Android libraries are in /data/local/xpcb, but "GreBinD"
// does not return this path on Android, so hard code it here.
envSvc.set("LD_LIBRARY_PATH", greBinDir.path + ":/data/local/xpcb");
envSvc.set("MOZ_TLS_SERVER_DEBUG_LEVEL", "3");
envSvc.set("MOZ_TLS_SERVER_CALLBACK_PORT", CALLBACK_PORT);
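Review bot: Inserting `hasEVPolicy` ahead of `hostname` in `checkCertErrorGeneric` shifts a positional argument, so a caller not updated in this commit that still passes a hostname fifth would hand it to `verifyCertNow` as the EV out-parameter and verify with `hostname` undefined. That would presumably skip the hostname-dependent checks (key pinning, for example) that the test meant to exercise, and the test could pass without covering them. The pinning test on this page is updated to pass `{}`, but the comment above the function still only says hostname is optional; I would extend it with `// hasEVPolicy is an optional out-param object; hostname is optional and comes last.` A cheap guard before the `verifyCertNow` call would catch a stale call site: `Assert.ok(hasEVPolicy === undefined || typeof hasEVPolicy == "object", "hasEVPolicy should be an object if given");`. `checkEVStatus` also has no header comment saying that it asserts successful verification as well as the EV flag.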


@ -10,6 +10,15 @@ import pexpect
import time
import sys
aia_prefix = 'authorityInfoAccess = OCSP;URI:http://www.example.com:8888/'
aia_suffix = '/\n'
mozilla_testing_ev_policy = ('certificatePolicies = @v3_ca_ev_cp\n\n' +
'[ v3_ca_ev_cp ]\n' +
'policyIdentifier = ' +
'1.3.6.1.4.1.13769.666.666.666.1.500.9.1\n\n' +
'CPS.1 = "http://mytestdomain.local/cps"')
def generate_cert_generic(db_dir, dest_dir, serial_num, key_type, name,
ext_text, signer_key_filename = "",
signer_cert_filename = "",


@ -28,11 +28,8 @@ function run_test() {
let file = "test_intermediate_basic_usage_constraints/ee-int-limited-depth.der";
let cert_der = readFile(do_get_file(file));
let ee = certDB.constructX509(cert_der, cert_der.length);
let hasEVPolicy = {};
let verifiedChain = {};
equal(PRErrorCodeSuccess, certDB.verifyCertNow(ee, certificateUsageSSLServer,
NO_FLAGS, null, verifiedChain,
hasEVPolicy));
checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
certificateUsageSSLServer);
// Change the already existing intermediate certificate's trust using
// addCertFromBase64(). We use findCertByNickname first to ensure that the
// certificate already exists.
@ -40,8 +37,6 @@ function run_test() {
ok(int_cert);
let base64_cert = btoa(getDERString(int_cert));
certDB.addCertFromBase64(base64_cert, "p,p,p", "ignored_argument");
equal(SEC_ERROR_UNTRUSTED_ISSUER, certDB.verifyCertNow(ee,
certificateUsageSSLServer,
NO_FLAGS, null, verifiedChain,
hasEVPolicy));
checkCertErrorGeneric(certDB, ee, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer);
}


@ -138,8 +138,7 @@ converter.charset = "UTF-8";
function verify_cert(file, expectedError) {
let cert_der = readFile(do_get_file(file));
let ee = certDB.constructX509(cert_der, cert_der.length);
equal(expectedError, certDB.verifyCertNow(ee, certificateUsageSSLServer,
NO_FLAGS, null, {}, {}));
checkCertErrorGeneric(certDB, ee, expectedError, certificateUsageSSLServer);
}
function load_cert(cert, trust) {


@ -13,7 +13,7 @@ let certList = [
'ee',
'int',
'ca',
]
];
function load_cert(cert_name, trust_string) {
let cert_filename = cert_name + ".der";
@ -29,178 +29,162 @@ function setup_basic_trusts(ca_cert, int_cert) {
certdb.setCertTrust(int_cert, Ci.nsIX509Cert.CA_CERT, 0);
}
function check_cert_err_generic(cert, expected_error, usage) {
do_print("cert cn=" + cert.commonName);
do_print("cert issuer cn=" + cert.issuerCommonName);
let hasEVPolicy = {};
let verifiedChain = {};
let error = certdb.verifyCertNow(cert, usage, NO_FLAGS, null, verifiedChain,
hasEVPolicy);
do_check_eq(error, expected_error);
};
function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
// On reset most usages are successful
check_cert_err_generic(ee_cert, PRErrorCodeSuccess,
certificateUsageSSLServer);
check_cert_err_generic(ee_cert, PRErrorCodeSuccess,
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA); // expected no bc
check_cert_err_generic(ee_cert, PRErrorCodeSuccess,
certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, PRErrorCodeSuccess,
certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, PRErrorCodeSuccess,
certificateUsageObjectSigner); // expected
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
// mozilla::pkix enforces that certificase must have a basic constraints
// extension with cA:true to be a CA certificate, whereas classic does not
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder); //expected
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailRecipient);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageObjectSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
// Test of active distrust. No usage should pass.
setCertTrust(cert_to_modify_trust, 'p,p,p');
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
// In mozilla::pkix (but not classic verification), certificate chain
// properties are checked before the end-entity. Thus, if we're using
// mozilla::pkix and the root certificate has been distrusted, the error
// will be "untrusted issuer" and not "inadequate cert type".
check_cert_err_generic(ee_cert,
!isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageObjectSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
checkCertErrorGeneric(certdb, ee_cert,
!isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
// Trust set to T - trusted CA to issue client certs, where client cert is
// usageSSLClient.
setCertTrust(cert_to_modify_trust, 'T,T,T');
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageSSLServer);
// XXX(Bug 982340)
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageEmailRecipient);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageObjectSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
// Now tests on the SSL trust bit
setCertTrust(cert_to_modify_trust, 'p,C,C');
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer);
//XXX(Bug 982340)
check_cert_err_generic(ee_cert, PRErrorCodeSuccess,
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, PRErrorCodeSuccess,
certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, PRErrorCodeSuccess,
certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, PRErrorCodeSuccess,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert,
isRootCA ? SEC_ERROR_INADEQUATE_CERT_TYPE
: SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageStatusResponder);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailRecipient);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageObjectSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
checkCertErrorGeneric(certdb, ee_cert,
isRootCA ? SEC_ERROR_INADEQUATE_CERT_TYPE
: SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageStatusResponder);
// Inherited trust SSL
setCertTrust(cert_to_modify_trust, ',C,C');
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageSSLServer);
// XXX(Bug 982340)
check_cert_err_generic(ee_cert, PRErrorCodeSuccess,
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, PRErrorCodeSuccess,
certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, PRErrorCodeSuccess,
certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, PRErrorCodeSuccess,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailRecipient);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageObjectSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
// Now tests on the EMAIL trust bit
setCertTrust(cert_to_modify_trust, 'C,p,C');
check_cert_err_generic(ee_cert, PRErrorCodeSuccess,
certificateUsageSSLServer);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, PRErrorCodeSuccess,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageObjectSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
//inherited EMAIL Trust
setCertTrust(cert_to_modify_trust, 'C,,C');
check_cert_err_generic(ee_cert, PRErrorCodeSuccess,
certificateUsageSSLServer);
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageSSLClient);
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageEmailSigner);
check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageEmailRecipient);
check_cert_err_generic(ee_cert, PRErrorCodeSuccess,
certificateUsageObjectSigner);
check_cert_err_generic(ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageEmailRecipient);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageObjectSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
}
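Review bot: The `certificateUsageStatusResponder` expectations in `test_ca_distrust` differ between the root and the intermediate case, and after this change nothing says why. The two mozilla::pkix comments that preceded those calls (the basic-constraints cA:true requirement, and chain properties being checked before the end-entity) appear to be dropped together with the old helper calls. If they had gone stale, I would replace them rather than delete them, for instance `// Expected error depends on whether the distrusted cert is the root or the intermediate.` above the `!isRootCA ? …` call in the 'p,p,p' block. That call is also the only ternary written with a negated condition; `isRootCA ? SEC_ERROR_INADEQUATE_CERT_TYPE : SEC_ERROR_UNTRUSTED_ISSUER` would match the form used in the 'p,C,C' block.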


@ -18,22 +18,12 @@ function load_cert(cert_name, trust_string) {
addCertFromFile(certdb, "test_cert_version/" + cert_filename, trust_string);
}
function check_cert_err_generic(cert, expected_error, usage) {
do_print("cert cn=" + cert.commonName);
do_print("cert issuer cn=" + cert.issuerCommonName);
let hasEVPolicy = {};
let verifiedChain = {};
let error = certdb.verifyCertNow(cert, usage, NO_FLAGS, null, verifiedChain,
hasEVPolicy);
do_check_eq(error, expected_error);
}
function check_cert_err(cert, expected_error) {
check_cert_err_generic(cert, expected_error, certificateUsageSSLServer)
checkCertErrorGeneric(certdb, cert, expected_error, certificateUsageSSLServer);
}
function check_ca_err(cert, expected_error) {
check_cert_err_generic(cert, expected_error, certificateUsageSSLCA)
checkCertErrorGeneric(certdb, cert, expected_error, certificateUsageSSLCA);
}
function check_ok(x) {
@ -41,7 +31,7 @@ function check_ok(x) {
}
function check_ok_ca(x) {
return check_cert_err_generic(x, PRErrorCodeSuccess, certificateUsageSSLCA);
checkCertErrorGeneric(certdb, x, PRErrorCodeSuccess, certificateUsageSSLCA);
}
function run_test() {


@ -48,22 +48,13 @@ function start_ocsp_responder(expectedCertNames) {
function check_cert_err(cert_name, expected_error) {
let cert = certdb.findCertByNickname(null, cert_name);
let hasEVPolicy = {};
let verifiedChain = {};
let error = certdb.verifyCertNow(cert, certificateUsageSSLServer, NO_FLAGS,
null, verifiedChain, hasEVPolicy);
do_check_eq(error, expected_error);
checkCertErrorGeneric(certdb, cert, expected_error, certificateUsageSSLServer);
}
function check_ee_for_ev(cert_name, expected_ev) {
let cert = certdb.findCertByNickname(null, cert_name);
let hasEVPolicy = {};
let verifiedChain = {};
let error = certdb.verifyCertNow(cert, certificateUsageSSLServer, NO_FLAGS,
null, verifiedChain, hasEVPolicy);
do_check_eq(hasEVPolicy.value, expected_ev);
do_check_eq(error, PRErrorCodeSuccess);
let cert = certdb.findCertByNickname(null, cert_name);
checkEVStatus(certdb, cert, certificateUsageSSLServer, expected_ev);
}
function run_test() {


@ -15,19 +15,11 @@ db = tempfile.mkdtemp()
CA_extensions = ("basicConstraints = critical, CA:TRUE\n"
"keyUsage = keyCertSign, cRLSign\n")
aia_prefix = "authorityInfoAccess = OCSP;URI:http://www.example.com:8888/"
aia_suffix ="/\n"
intermediate_crl = ("crlDistributionPoints = " +
"URI:http://crl.example.com:8888/root-ev.crl\n")
endentity_crl = ("crlDistributionPoints = " +
"URI:http://crl.example.com:8888/ee-crl.crl\n")
mozilla_testing_ev_policy = ("certificatePolicies = @v3_ca_ev_cp\n\n" +
"[ v3_ca_ev_cp ]\n" +
"policyIdentifier = " +
"1.3.6.1.4.1.13769.666.666.666.1.500.9.1\n\n" +
"CPS.1 = \"http://mytestdomain.local/cps\"")
anypolicy_policy = ("certificatePolicies = @v3_ca_ev_cp\n\n" +
"[ v3_ca_ev_cp ]\n" +
"policyIdentifier = " +
@ -44,10 +36,11 @@ def generate_certs():
ca_key = 'evroot.key'
prefix = "ev-valid"
key_type = 'rsa'
ee_ext_text = (aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + mozilla_testing_ev_policy)
ee_ext_text = (CertUtils.aia_prefix + prefix + CertUtils.aia_suffix +
endentity_crl + CertUtils.mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + CertUtils.aia_prefix + "int-" + prefix +
CertUtils.aia_suffix + intermediate_crl +
CertUtils.mozilla_testing_ev_policy)
CertUtils.init_nss_db(srcdir)
CertUtils.import_cert_and_pkcs12(srcdir, ca_cert, 'evroot.p12', 'evroot',
@ -76,16 +69,16 @@ def generate_certs():
key_type,
'no-ocsp-url-cert',
no_ocsp_url_ext_aia + endentity_crl +
mozilla_testing_ev_policy,
CertUtils.mozilla_testing_ev_policy,
int_key, int_cert);
import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert');
# add an ev cert whose intermediate has a anypolicy oid
prefix = "ev-valid-anypolicy-int"
ee_ext_text = (aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + anypolicy_policy)
ee_ext_text = (CertUtils.aia_prefix + prefix + CertUtils.aia_suffix +
endentity_crl + CertUtils.mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + CertUtils.aia_prefix + "int-" + prefix +
CertUtils.aia_suffix + intermediate_crl + anypolicy_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
@ -113,10 +106,11 @@ def generate_certs():
CertUtils.import_cert_and_pkcs12(srcdir, bad_ca_cert, pk12file,
'non-evroot-ca', 'C,C,C')
prefix = "non-ev-root"
ee_ext_text = (aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + mozilla_testing_ev_policy)
ee_ext_text = (CertUtils.aia_prefix + prefix + CertUtils.aia_suffix +
endentity_crl + CertUtils.mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + CertUtils.aia_prefix + "int-" + prefix +
CertUtils.aia_suffix + intermediate_crl +
CertUtils.mozilla_testing_ev_policy)
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
bad_ca_key,


@ -49,9 +49,7 @@ function checkChain(rootKeyType, rootKeySize, intKeyType, intKeySize,
loadCert(intFullName, ",,");
let eeCert = certFromFile(eeFullName + ".der");
do_print("cert cn=" + eeCert.commonName);
do_print("cert o=" + eeCert.organization);
do_print("cert issuer cn=" + eeCert.issuerCommonName);
do_print("cert issuer o=" + eeCert.issuerOrganization);
checkCertErrorGeneric(certdb, eeCert, eeExpectedError,
certificateUsageSSLServer);


@ -20,15 +20,6 @@ ca_ext_text = ('basicConstraints = critical, CA:TRUE\n' +
'keyUsage = keyCertSign, cRLSign\n')
ee_ext_text = ''
aia_prefix = 'authorityInfoAccess = OCSP;URI:http://www.example.com:8888/'
aia_suffix = '/\n'
mozilla_testing_ev_policy = ('certificatePolicies = @v3_ca_ev_cp\n\n' +
'[ v3_ca_ev_cp ]\n' +
'policyIdentifier = ' +
'1.3.6.1.4.1.13769.666.666.666.1.500.9.1\n\n' +
'CPS.1 = "http://mytestdomain.local/cps"')
generated_ev_root_filenames = []
generated_certs = []
@ -73,8 +64,8 @@ def generate_and_maybe_import_cert(key_type, cert_name_prefix, cert_name_suffix,
(key_type, key_size))
if generate_ev:
cert_name = 'ev_' + cert_name
ev_ext_text = (aia_prefix + cert_name + aia_suffix +
mozilla_testing_ev_policy)
ev_ext_text = (CertUtils.aia_prefix + cert_name + CertUtils.aia_suffix +
CertUtils.mozilla_testing_ev_policy)
subject_string += ' (EV)'
# Use the organization field to store the cert nickname for easier debugging


@ -29,19 +29,6 @@ function loadCert(certName, trustString) {
return certFromFile(certFilename);
}
function checkEVStatus(cert, usage, isEVExpected) {
do_print("cert cn=" + cert.commonName);
do_print("cert o=" + cert.organization);
do_print("cert issuer cn=" + cert.issuerCommonName);
do_print("cert issuer o=" + cert.issuerOrganization);
let hasEVPolicy = {};
let verifiedChain = {};
let error = certDB.verifyCertNow(cert, usage, NO_FLAGS, null, verifiedChain,
hasEVPolicy);
equal(hasEVPolicy.value, isEVExpected);
equal(error, PRErrorCodeSuccess);
}
/**
* Adds a single EV key size test.
*
@ -69,7 +56,7 @@ function addKeySizeTestForEV(expectedNamesForOCSP,
for (let intCertFileName of intCertFileNames) {
loadCert(intCertFileName, ",,");
}
checkEVStatus(certFromFile(endEntityCertFileName + ".der"),
checkEVStatus(certDB, certFromFile(endEntityCertFileName + ".der"),
certificateUsageSSLServer, expectedResult);
ocspResponder.stop(run_next_test);


@ -20,18 +20,8 @@ function load_cert(cert_name, trust_string) {
return certFromFile(cert_filename);
}
function check_cert_err_generic(cert, expected_error, usage) {
do_print("cert cn=" + cert.commonName);
do_print("cert issuer cn=" + cert.issuerCommonName);
let hasEVPolicy = {};
let verifiedChain = {};
let error = certdb.verifyCertNow(cert, usage, NO_FLAGS, null, verifiedChain,
hasEVPolicy);
do_check_eq(error, expected_error);
}
function check_cert_err(cert, expected_error) {
check_cert_err_generic(cert, expected_error, certificateUsageSSLServer)
checkCertErrorGeneric(certdb, cert, expected_error, certificateUsageSSLServer);
}
function check_ok(x) {
@ -39,7 +29,7 @@ function check_ok(x) {
}
function check_ok_ca (x) {
return check_cert_err_generic(x, PRErrorCodeSuccess, certificateUsageSSLCA);
checkCertErrorGeneric(certdb, x, PRErrorCodeSuccess, certificateUsageSSLCA);
}
function check_fail(x) {
@ -47,7 +37,8 @@ function check_fail(x) {
}
function check_fail_ca(x) {
return check_cert_err_generic(x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLCA);
checkCertErrorGeneric(certdb, x, SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
certificateUsageSSLCA);
}
function run_test() {
@ -266,8 +257,10 @@ function run_test() {
// NSS get it right.
{
let cert = certFromFile('cn-www.foo.org-int-nc-perm-foo.com-ca-nc.der');
check_cert_err_generic(cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, certificateUsageSSLServer);
check_cert_err_generic(cert, PRErrorCodeSuccess, certificateUsageSSLClient);
checkCertErrorGeneric(certdb, cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess,
certificateUsageSSLClient);
}
// DCISS tests


@ -27,12 +27,12 @@ function loadCert(cert_name, trust_string) {
function checkOK(cert, hostname) {
return checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess,
certificateUsageSSLServer, hostname);
certificateUsageSSLServer, {}, hostname);
}
function checkFail(cert, hostname) {
return checkCertErrorGeneric(certdb, cert, MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE,
certificateUsageSSLServer, hostname);
certificateUsageSSLServer, {}, hostname);
}
const NON_ISSUED_KEY_HASH = "KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN=";