bug 1174292 - convert test_cert_version.js to generate certificates at build time r=Cykesiopka

Also remove redundant test-cases.
This commit is contained in:
David Keeler 2015-06-12 14:56:07 -07:00
parent c035543458
commit e09f6209c4
356 changed files with 473 additions and 511 deletions

View File

@ -9,6 +9,7 @@ TEST_DIRS += [
'test_cert_eku',
'test_cert_keyUsage',
'test_cert_trust',
'test_cert_version',
'test_intermediate_basic_usage_constraints',
'test_pinning_dynamic',
]

View File

@ -12,6 +12,7 @@ The input format is as follows:
issuer:<string to use as the issuer common name>
subject:<string to use as the subject common name>
[version:<{1,2,3,4}>]
[issuerKey:alternate]
[subjectKey:alternate]
[extension:<extension name:<extension-specific data>>]
@ -26,6 +27,16 @@ extKeyUsage:[serverAuth,clientAuth,codeSigning,emailProtection
OCSPSigning,timeStamping]
subjectAlternativeName:[<dNSName>,...]
Where:
[] indicates an optional field or component of a field
<> indicates a required component of a field
{} indicates choice among a set of values
[a,b,c] indicates a list of potential values, of which more than one
may be used
For instance, the version field is optional. However, if it is
specified, it must have exactly one value from the set {1,2,3,4}.
In the future it will be possible to specify other properties of the
generated certificate (for example, its validity period, signature
algorithm, etc.). For now, those fields have reasonable default values.
@ -104,6 +115,14 @@ class UnknownKeyTargetError(UnknownBaseError):
self.category = 'key target'
class UnknownVersionError(UnknownBaseError):
"""Helper exception type to handle unknown specified versions."""
def __init__(self, value):
UnknownBaseError.__init__(self, value)
self.category = 'version'
def getASN1Tag(asn1Type):
"""Helper function for returning the base tag value of a given
type from the pyasn1 package"""
@ -239,7 +258,7 @@ class Certificate:
'd039ba01adf328ebc5', 16)
def __init__(self, paramStream, now=datetime.datetime.utcnow()):
self.version = 'v3'
self.versionValue = 2 # a value of 2 is X509v3
self.signature = 'sha256WithRSAEncryption'
self.issuer = 'Default Issuer'
oneYear = datetime.timedelta(days=365)
@ -264,7 +283,7 @@ class Certificate:
the build system on OS X (see the comment above main, later in
this file)."""
hasher = hashlib.sha256()
hasher.update(self.version)
hasher.update(str(self.versionValue))
hasher.update(self.signature)
hasher.update(self.issuer)
hasher.update(str(self.notBefore))
@ -295,7 +314,9 @@ class Certificate:
def decodeParam(self, line):
param = line.split(':')[0]
value = ':'.join(line.split(':')[1:])
if param == 'subject':
if param == 'version':
self.setVersion(value)
elif param == 'subject':
self.subject = value
elif param == 'issuer':
self.issuer = value
@ -308,6 +329,13 @@ class Certificate:
else:
raise UnknownParameterTypeError(param)
def setVersion(self, version):
intVersion = int(version)
if intVersion >= 1 and intVersion <= 4:
self.versionValue = intVersion - 1
else:
raise UnknownVersionError(version)
def decodeExtension(self, extension):
extensionType = extension.split(':')[0]
value = ':'.join(extension.split(':')[1:])
@ -402,7 +430,7 @@ class Certificate:
self.addExtension(rfc2459.id_ce_subjectAltName, subjectAlternativeName)
def getVersion(self):
return rfc2459.Version(self.version).subtype(
return rfc2459.Version(self.versionValue).subtype(
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))
def getSerialNumber(self):

View File

@ -3,464 +3,173 @@
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
// Tests the interaction between the basic constraints extension and the
// certificate version field. In general, the testcases consist of verifying
// certificate chains of the form:
//
// end-entity (issued by) intermediate (issued by) trusted X509v3 root
//
// where the intermediate is one of X509 v1, v2, v3, or v4, and either does or
// does not have the basic constraints extension. If it has the extension, it
// either does or does not specify that it is a CA.
//
// To test cases where the trust anchor has a different version and/or does or
// does not have the basic constraint extension, there are testcases where the
// intermediate is trusted as an anchor and the verification is repeated.
// (Loading a certificate with trust "CTu,," means that it is a trust anchor
// for SSL. Loading a certificate with trust ",," means that it inherits its
// trust.)
//
// There are also testcases for end-entities issued by a trusted X509v3 root
// where the end-entities similarly cover the range of versions and basic
// constraint extensions.
//
// Finally, there are testcases for self-signed certificates that, again, cover
// the range of versions and basic constraint extensions.
"use strict";
do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
.getService(Ci.nsIX509CertDB);
function cert_from_file(filename) {
return constructCertFromFile("test_cert_version/" + filename);
function certFromFile(certName) {
return constructCertFromFile("test_cert_version/" + certName + ".pem");
}
function load_cert(cert_name, trust_string) {
var cert_filename = cert_name + ".der";
addCertFromFile(certdb, "test_cert_version/" + cert_filename, trust_string);
function loadCertWithTrust(certName, trustString) {
addCertFromFile(certdb, "test_cert_version/" + certName + ".pem", trustString);
}
function check_cert_err(cert, expected_error) {
checkCertErrorGeneric(certdb, cert, expected_error, certificateUsageSSLServer);
function checkEndEntity(cert, expectedResult) {
checkCertErrorGeneric(certdb, cert, expectedResult, certificateUsageSSLServer);
}
function check_ca_err(cert, expected_error) {
checkCertErrorGeneric(certdb, cert, expected_error, certificateUsageSSLCA);
}
function check_ok(x) {
return check_cert_err(x, PRErrorCodeSuccess);
}
function check_ok_ca(x) {
checkCertErrorGeneric(certdb, x, PRErrorCodeSuccess, certificateUsageSSLCA);
function checkIntermediate(cert, expectedResult) {
checkCertErrorGeneric(certdb, cert, expectedResult, certificateUsageSSLCA);
}
function run_test() {
load_cert("v1_ca", "CTu,CTu,CTu");
load_cert("v1_ca_bc", "CTu,CTu,CTu");
load_cert("v2_ca", "CTu,CTu,CTu");
load_cert("v2_ca_bc", "CTu,CTu,CTu");
load_cert("v3_ca", "CTu,CTu,CTu");
load_cert("v3_ca_missing_bc", "CTu,CTu,CTu");
loadCertWithTrust("ca", "CTu,,");
check_ok_ca(cert_from_file('v1_ca.der'));
check_ok_ca(cert_from_file('v1_ca_bc.der'));
check_ca_err(cert_from_file('v2_ca.der'), SEC_ERROR_CA_CERT_INVALID);
check_ok_ca(cert_from_file('v2_ca_bc.der'));
check_ok_ca(cert_from_file('v3_ca.der'));
check_ca_err(cert_from_file('v3_ca_missing_bc.der'), SEC_ERROR_CA_CERT_INVALID);
// Section for CAs lacking the basicConstraints extension entirely:
loadCertWithTrust("int-v1-noBC_ca", ",,");
checkIntermediate(certFromFile("int-v1-noBC_ca"), MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA);
checkEndEntity(certFromFile("ee_int-v1-noBC"), MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA);
// A v1 certificate with no basicConstraints extension may issue certificates
// if it is a trust anchor.
loadCertWithTrust("int-v1-noBC_ca", "CTu,,");
checkIntermediate(certFromFile("int-v1-noBC_ca"), PRErrorCodeSuccess);
checkEndEntity(certFromFile("ee_int-v1-noBC"), PRErrorCodeSuccess);
// A v1 certificate may be a CA if it has a basic constraints extension with
// CA: TRUE or if it is a trust anchor.
loadCertWithTrust("int-v2-noBC_ca", ",,");
checkIntermediate(certFromFile("int-v2-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
checkEndEntity(certFromFile("ee_int-v2-noBC"), SEC_ERROR_CA_CERT_INVALID);
loadCertWithTrust("int-v2-noBC_ca", "CTu,,");
checkIntermediate(certFromFile("int-v2-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
checkEndEntity(certFromFile("ee_int-v2-noBC"), SEC_ERROR_CA_CERT_INVALID);
//////////////
// v1 CA supersection
//////////////////
loadCertWithTrust("int-v3-noBC_ca", ",,");
checkIntermediate(certFromFile("int-v3-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
checkEndEntity(certFromFile("ee_int-v3-noBC"), SEC_ERROR_CA_CERT_INVALID);
loadCertWithTrust("int-v3-noBC_ca", "CTu,,");
checkIntermediate(certFromFile("int-v3-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
checkEndEntity(certFromFile("ee_int-v3-noBC"), SEC_ERROR_CA_CERT_INVALID);
// v1 intermediate with v1 trust anchor
let error = MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA;
check_ca_err(cert_from_file('v1_int-v1_ca.der'), error);
check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca.der'), error);
check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca.der'), error);
loadCertWithTrust("int-v4-noBC_ca", ",,");
checkIntermediate(certFromFile("int-v4-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
checkEndEntity(certFromFile("ee_int-v4-noBC"), SEC_ERROR_CA_CERT_INVALID);
loadCertWithTrust("int-v4-noBC_ca", "CTu,,");
checkIntermediate(certFromFile("int-v4-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
checkEndEntity(certFromFile("ee_int-v4-noBC"), SEC_ERROR_CA_CERT_INVALID);
// v1 intermediate with v3 extensions.
check_ok_ca(cert_from_file('v1_int_bc-v1_ca.der'));
check_ok(cert_from_file('v1_ee-v1_int_bc-v1_ca.der'));
check_ok(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca.der'));
check_ok(cert_from_file('v2_ee-v1_int_bc-v1_ca.der'));
check_ok(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca.der'));
check_ok(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca.der'));
check_ok(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca.der'));
check_ok(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca.der'));
// Section for CAs with basicConstraints not specifying cA:
loadCertWithTrust("int-v1-BC-not-cA_ca", ",,");
checkIntermediate(certFromFile("int-v1-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
checkEndEntity(certFromFile("ee_int-v1-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
loadCertWithTrust("int-v1-BC-not-cA_ca", "CTu,,");
checkIntermediate(certFromFile("int-v1-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
checkEndEntity(certFromFile("ee_int-v1-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
// A v2 intermediate with a v1 CA
error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v2_int-v1_ca.der'), error);
check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca.der'), error);
check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca.der'), error);
loadCertWithTrust("int-v2-BC-not-cA_ca", ",,");
checkIntermediate(certFromFile("int-v2-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
checkEndEntity(certFromFile("ee_int-v2-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
loadCertWithTrust("int-v2-BC-not-cA_ca", "CTu,,");
checkIntermediate(certFromFile("int-v2-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
checkEndEntity(certFromFile("ee_int-v2-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
// A v2 intermediate with basic constraints
check_ok_ca(cert_from_file('v2_int_bc-v1_ca.der'));
check_ok(cert_from_file('v1_ee-v2_int_bc-v1_ca.der'));
check_ok(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca.der'));
check_ok(cert_from_file('v2_ee-v2_int_bc-v1_ca.der'));
check_ok(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca.der'));
check_ok(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca.der'));
check_ok(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca.der'));
check_ok(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca.der'));
loadCertWithTrust("int-v3-BC-not-cA_ca", ",,");
checkIntermediate(certFromFile("int-v3-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
checkEndEntity(certFromFile("ee_int-v3-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
loadCertWithTrust("int-v3-BC-not-cA_ca", "CTu,,");
checkIntermediate(certFromFile("int-v3-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
checkEndEntity(certFromFile("ee_int-v3-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
// Section is OK. A x509 v3 CA MUST have bc
// http://tools.ietf.org/html/rfc5280#section-4.2.1.9
error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca.der'), error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca.der'), error);
loadCertWithTrust("int-v4-BC-not-cA_ca", ",,");
checkIntermediate(certFromFile("int-v4-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
checkEndEntity(certFromFile("ee_int-v4-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
loadCertWithTrust("int-v4-BC-not-cA_ca", "CTu,,");
checkIntermediate(certFromFile("int-v4-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
checkEndEntity(certFromFile("ee_int-v4-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
// It is valid for a v1 ca to sign a v3 intemediate.
check_ok_ca(cert_from_file('v3_int-v1_ca.der'));
check_ok(cert_from_file('v1_ee-v3_int-v1_ca.der'));
check_ok(cert_from_file('v2_ee-v3_int-v1_ca.der'));
check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca.der'));
check_ok(cert_from_file('v3_bc_ee-v3_int-v1_ca.der'));
check_ok(cert_from_file('v1_bc_ee-v3_int-v1_ca.der'));
check_ok(cert_from_file('v2_bc_ee-v3_int-v1_ca.der'));
check_ok(cert_from_file('v4_bc_ee-v3_int-v1_ca.der'));
// Section for CAs with basicConstraints specifying cA:
loadCertWithTrust("int-v1-BC-cA_ca", ",,");
checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess);
checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess);
loadCertWithTrust("int-v1-BC-cA_ca", "CTu,,");
checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess);
checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess);
// The next groups change the v1 ca for a v1 ca with base constraints
// (invalid trust anchor). The error pattern is the same as the groups
// above
loadCertWithTrust("int-v2-BC-cA_ca", ",,");
checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess);
checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess);
loadCertWithTrust("int-v2-BC-cA_ca", "CTu,,");
checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess);
checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess);
// Using A v1 intermediate
error = MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA;
check_ca_err(cert_from_file('v1_int-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca_bc.der'), error);
loadCertWithTrust("int-v3-BC-cA_ca", ",,");
checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess);
checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess);
loadCertWithTrust("int-v3-BC-cA_ca", "CTu,,");
checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess);
checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess);
// Using a v1 intermediate with v3 extenstions
check_ok_ca(cert_from_file('v1_int_bc-v1_ca_bc.der'));
check_ok(cert_from_file('v1_ee-v1_int_bc-v1_ca_bc.der'));
check_ok(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca_bc.der'));
check_ok(cert_from_file('v2_ee-v1_int_bc-v1_ca_bc.der'));
check_ok(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca_bc.der'));
check_ok(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca_bc.der'));
check_ok(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca_bc.der'));
check_ok(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca_bc.der'));
loadCertWithTrust("int-v4-BC-cA_ca", ",,");
checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess);
checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess);
loadCertWithTrust("int-v4-BC-cA_ca", "CTu,,");
checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess);
checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess);
// Using v2 intermediate
error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v2_int-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca_bc.der'), error);
// Section for end-entity certificates with various basicConstraints:
checkEndEntity(certFromFile("ee-v1-noBC_ca"), PRErrorCodeSuccess);
checkEndEntity(certFromFile("ee-v2-noBC_ca"), PRErrorCodeSuccess);
checkEndEntity(certFromFile("ee-v3-noBC_ca"), PRErrorCodeSuccess);
checkEndEntity(certFromFile("ee-v4-noBC_ca"), PRErrorCodeSuccess);
// Using a v2 intermediate with basic constraints
check_ok_ca(cert_from_file('v2_int_bc-v1_ca_bc.der'));
check_ok(cert_from_file('v1_ee-v2_int_bc-v1_ca_bc.der'));
check_ok(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca_bc.der'));
check_ok(cert_from_file('v2_ee-v2_int_bc-v1_ca_bc.der'));
check_ok(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca_bc.der'));
check_ok(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca_bc.der'));
check_ok(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca_bc.der'));
check_ok(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca_bc.der'));
checkEndEntity(certFromFile("ee-v1-BC-not-cA_ca"), PRErrorCodeSuccess);
checkEndEntity(certFromFile("ee-v2-BC-not-cA_ca"), PRErrorCodeSuccess);
checkEndEntity(certFromFile("ee-v3-BC-not-cA_ca"), PRErrorCodeSuccess);
checkEndEntity(certFromFile("ee-v4-BC-not-cA_ca"), PRErrorCodeSuccess);
// Using a v3 intermediate that is missing basic constraints (invalid)
error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
checkEndEntity(certFromFile("ee-v1-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
checkEndEntity(certFromFile("ee-v2-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
checkEndEntity(certFromFile("ee-v3-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
checkEndEntity(certFromFile("ee-v4-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
// these should pass assuming we are OK with v1 ca signing v3 intermediates
check_ok_ca(cert_from_file('v3_int-v1_ca_bc.der'));
check_ok(cert_from_file('v1_ee-v3_int-v1_ca_bc.der'));
check_ok(cert_from_file('v1_bc_ee-v3_int-v1_ca_bc.der'));
check_ok(cert_from_file('v2_ee-v3_int-v1_ca_bc.der'));
check_ok(cert_from_file('v2_bc_ee-v3_int-v1_ca_bc.der'));
check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca_bc.der'));
check_ok(cert_from_file('v3_bc_ee-v3_int-v1_ca_bc.der'));
check_ok(cert_from_file('v4_bc_ee-v3_int-v1_ca_bc.der'));
// Section for self-signed certificates:
checkEndEntity(certFromFile("ss-v1-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
checkEndEntity(certFromFile("ss-v2-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
checkEndEntity(certFromFile("ss-v3-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
checkEndEntity(certFromFile("ss-v4-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
checkEndEntity(certFromFile("ss-v1-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
checkEndEntity(certFromFile("ss-v2-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
checkEndEntity(certFromFile("ss-v3-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
checkEndEntity(certFromFile("ss-v4-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
//////////////
// v2 CA supersection
//////////////////
// v2 ca, v1 intermediate
error = MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA;
check_ca_err(cert_from_file('v1_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca.der'), error);
// v2 ca, v1 intermediate with basic constraints (invalid)
error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), error);
// v2 ca, v2 intermediate
error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v2_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca.der'), error);
// v2 ca, v2 intermediate with basic constraints (invalid)
error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), error);
// v2 ca, v3 intermediate missing basic constraints
error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca.der'), error);
// v2 ca, v3 intermediate
error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca.der'), error);
// v2 ca, v1 intermediate
error = MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA;
check_ca_err(cert_from_file('v1_int-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca_bc.der'), error);
// v2 ca, v1 intermediate with bc
check_ok_ca(cert_from_file('v1_int_bc-v2_ca_bc.der'));
check_ok(cert_from_file('v1_ee-v1_int_bc-v2_ca_bc.der'));
check_ok(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca_bc.der'));
check_ok(cert_from_file('v2_ee-v1_int_bc-v2_ca_bc.der'));
check_ok(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca_bc.der'));
check_ok(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca_bc.der'));
check_ok(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca_bc.der'));
check_ok(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca_bc.der'));
// v2 ca, v2 intermediate
error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v2_int-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca_bc.der'), error);
// v2 ca, v2 intermediate with bc
check_ok_ca(cert_from_file('v2_int_bc-v2_ca_bc.der'));
check_ok(cert_from_file('v1_ee-v2_int_bc-v2_ca_bc.der'));
check_ok(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca_bc.der'));
check_ok(cert_from_file('v2_ee-v2_int_bc-v2_ca_bc.der'));
check_ok(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca_bc.der'));
check_ok(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca_bc.der'));
check_ok(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca_bc.der'));
check_ok(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca_bc.der'));
// v2 ca, invalid v3 intermediate
error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
// v2 ca, valid v3 intermediate
check_ok_ca(cert_from_file('v3_int-v2_ca_bc.der'));
check_ok(cert_from_file('v1_ee-v3_int-v2_ca_bc.der'));
check_ok(cert_from_file('v1_bc_ee-v3_int-v2_ca_bc.der'));
check_ok(cert_from_file('v2_ee-v3_int-v2_ca_bc.der'));
check_ok(cert_from_file('v2_bc_ee-v3_int-v2_ca_bc.der'));
check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca_bc.der'));
check_ok(cert_from_file('v3_bc_ee-v3_int-v2_ca_bc.der'));
check_ok(cert_from_file('v4_bc_ee-v3_int-v2_ca_bc.der'));
//////////////
// v3 CA supersection
//////////////////
// v3 ca, v1 intermediate
error = MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA;
check_ca_err(cert_from_file('v1_int-v3_ca.der'), error);
check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca.der'), error);
check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca.der'), error);
// A v1 intermediate with v3 extensions
check_ok_ca(cert_from_file('v1_int_bc-v3_ca.der'));
check_ok(cert_from_file('v1_ee-v1_int_bc-v3_ca.der'));
check_ok(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca.der'));
check_ok(cert_from_file('v2_ee-v1_int_bc-v3_ca.der'));
check_ok(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca.der'));
check_ok(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca.der'));
check_ok(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca.der'));
check_ok(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca.der'));
// reject a v2 cert as intermediate
error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v2_int-v3_ca.der'), error);
check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca.der'), error);
check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca.der'), error);
// v2 intermediate with bc (invalid)
check_ok_ca(cert_from_file('v2_int_bc-v3_ca.der'));
check_ok(cert_from_file('v1_ee-v2_int_bc-v3_ca.der'));
check_ok(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca.der'));
check_ok(cert_from_file('v2_ee-v2_int_bc-v3_ca.der'));
check_ok(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca.der'));
check_ok(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca.der'));
check_ok(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca.der'));
check_ok(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca.der'));
// invalid v3 intermediate
error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca.der'), error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca.der'), error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca.der'), error);
// v1/v2 end entity, v3 intermediate
check_ok_ca(cert_from_file('v3_int-v3_ca.der'));
check_ok(cert_from_file('v1_ee-v3_int-v3_ca.der'));
check_ok(cert_from_file('v2_ee-v3_int-v3_ca.der'));
check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca.der'));
check_ok(cert_from_file('v3_bc_ee-v3_int-v3_ca.der'));
check_ok(cert_from_file('v1_bc_ee-v3_int-v3_ca.der'));
check_ok(cert_from_file('v2_bc_ee-v3_int-v3_ca.der'));
check_ok(cert_from_file('v4_bc_ee-v3_int-v3_ca.der'));
// v3 CA, invalid v3 intermediate
error = MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA;
check_ca_err(cert_from_file('v1_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca_missing_bc.der'), error);
// Int v1 with BC that is just invalid
error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v1_int_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
// Good section (all fail)
error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v2_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca_missing_bc.der'), error);
// v3 intermediate missing basic constraints is invalid
error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v2_int_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
// v3 intermediate missing basic constraints is invalid
error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
// With a v3 root missing bc and valid v3 intermediate
error = SEC_ERROR_CA_CERT_INVALID;
check_ca_err(cert_from_file('v3_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v1_ee-v3_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v2_ee-v3_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v3_bc_ee-v3_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca_missing_bc.der'), error);
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca_missing_bc.der'), error);
// self-signed
check_cert_err(cert_from_file('v1_self_signed.der'), SEC_ERROR_UNKNOWN_ISSUER);
check_cert_err(cert_from_file('v1_self_signed_bc.der'), SEC_ERROR_UNKNOWN_ISSUER);
check_cert_err(cert_from_file('v2_self_signed.der'), SEC_ERROR_UNKNOWN_ISSUER);
check_cert_err(cert_from_file('v2_self_signed_bc.der'), SEC_ERROR_UNKNOWN_ISSUER);
check_cert_err(cert_from_file('v3_self_signed.der'), SEC_ERROR_UNKNOWN_ISSUER);
check_cert_err(cert_from_file('v3_self_signed_bc.der'), SEC_ERROR_UNKNOWN_ISSUER);
check_cert_err(cert_from_file('v4_self_signed.der'), SEC_ERROR_UNKNOWN_ISSUER);
check_cert_err(cert_from_file('v4_self_signed_bc.der'), SEC_ERROR_UNKNOWN_ISSUER);
checkEndEntity(certFromFile("ss-v1-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
checkEndEntity(certFromFile("ss-v2-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
checkEndEntity(certFromFile("ss-v3-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
checkEndEntity(certFromFile("ss-v4-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
}

View File

@ -0,0 +1,4 @@
issuer:ca
subject:ca
extension:keyUsage:keyCertSign,cRLSign
extension:basicConstraints:cA,

View File

@ -0,0 +1,4 @@
issuer:ca
subject:ee-v1-BC-cA
version:1
extension:basicConstraints:cA,

View File

@ -0,0 +1,4 @@
issuer:ca
subject:ee-v1-BC-not-cA
version:1
extension:basicConstraints:,

View File

@ -0,0 +1,3 @@
issuer:ca
subject:ee-v1-noBC
version:1

View File

@ -0,0 +1,4 @@
issuer:ca
subject:ee-v2-BC-cA
version:2
extension:basicConstraints:cA,

View File

@ -0,0 +1,4 @@
issuer:ca
subject:ee-v2-BC-not-cA
version:2
extension:basicConstraints:,

View File

@ -0,0 +1,3 @@
issuer:ca
subject:ee-v2-noBC
version:2

View File

@ -0,0 +1,4 @@
issuer:ca
subject:ee-v3-BC-cA
version:3
extension:basicConstraints:cA,

View File

@ -0,0 +1,4 @@
issuer:ca
subject:ee-v3-BC-not-cA
version:3
extension:basicConstraints:,

View File

@ -0,0 +1,3 @@
issuer:ca
subject:ee-v3-noBC
version:3

View File

@ -0,0 +1,4 @@
issuer:ca
subject:ee-v4-BC-cA
version:4
extension:basicConstraints:cA,

View File

@ -0,0 +1,4 @@
issuer:ca
subject:ee-v4-BC-not-cA
version:4
extension:basicConstraints:,

View File

@ -0,0 +1,3 @@
issuer:ca
subject:ee-v4-noBC
version:4

View File

@ -0,0 +1,2 @@
issuer:int-v1-BC-cA
subject:ee

View File

@ -0,0 +1,2 @@
issuer:int-v1-BC-not-cA
subject:ee

View File

@ -0,0 +1,2 @@
issuer:int-v1-noBC
subject:ee

View File

@ -0,0 +1,2 @@
issuer:int-v2-BC-cA
subject:ee

View File

@ -0,0 +1,2 @@
issuer:int-v2-BC-not-cA
subject:ee

View File

@ -0,0 +1,2 @@
issuer:int-v2-noBC
subject:ee

View File

@ -0,0 +1,2 @@
issuer:int-v3-BC-cA
subject:ee

View File

@ -0,0 +1,2 @@
issuer:int-v3-BC-not-cA
subject:ee

View File

@ -0,0 +1,2 @@
issuer:int-v3-noBC
subject:ee

View File

@ -0,0 +1,2 @@
issuer:int-v4-BC-cA
subject:ee

View File

@ -0,0 +1,2 @@
issuer:int-v4-BC-not-cA
subject:ee

View File

@ -0,0 +1,2 @@
issuer:int-v4-noBC
subject:ee

View File

@ -1,4 +1,4 @@
#!/usr/bin/python
#!/usr/bin/env python
# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
# vim: set filetype=python
@ -6,90 +6,77 @@
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
import tempfile, os, sys
# This file generates the certspec files for test_cert_version.js. The naming
# convention for those files is generally of the form
# "<subject-description>_<issuer-description>.pem.certspec". End-entity
# certificates are generally called "ee". Intermediates are called
# "int". The root CA is called "ca" and self-signed certificates are called
# "ss".
# In the case that the subject and issuer are the same, the redundant part is
# not repeated.
# If there is nothing particularly special about a certificate, it has no
# description ("nothing particularly special" meaning the certificate is X509v3
# and has or does not have the basic constraints extension as expected by where
# it is in the hierarchy). Otherwise, the description includes its version and
# details about the extension. If the extension is not present, the string
# "noBC" is used. If it is present but the cA bit is not asserted, the string
# "BC-not-cA" is used. If it is present with the cA bit asserted, the string
# "BC-cA" is used.
# For example, a v1 intermediate that does not have the extension that was
# issued by the root CA has the name "int-v1-noBC_ca.pem.certspec".
# A v4 end-entity that does have the extension but does not assert the cA bit
# that was issued by the root CA has the name
# "ee-v4-BC-not-cA_ca.pem.certspec".
# An end-entity issued by a v3 intermediate with the extension that asserts the
# cA bit has the name "ee_int-v3-BC-cA.pem.certspec".
libpath = os.path.abspath('../psm_common_py')
sys.path.append(libpath)
import CertUtils
versions = {
'v1': 1,
'v2': 2,
'v3': 3,
'v4': 4
}
srcdir = os.getcwd()
db = tempfile.mkdtemp()
basicConstraintsTypes = {
'noBC': '',
'BC-not-cA': 'extension:basicConstraints:,',
'BC-cA': 'extension:basicConstraints:cA,'
}
def generate_child_cert(db_dir, dest_dir, noise_file, name, ca_nick,
cert_version, do_bc, is_ee):
return CertUtils.generate_child_cert(db_dir, dest_dir, noise_file, name,
ca_nick, cert_version, do_bc, is_ee, '')
def writeCertspec(issuer, subject, fields):
filename = '%s_%s.pem.certspec' % (subject, issuer)
if issuer == subject:
filename = '%s.pem.certspec' % subject
with open(filename, 'w') as f:
f.write('issuer:%s\n' % issuer)
f.write('subject:%s\n' % subject)
for field in fields:
if len(field) > 0:
f.write('%s\n' % field)
def generate_ee_family(db_dir, dest_dir, noise_file, ca_name):
name = "v1_ee-"+ ca_name;
generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 1, False, True)
name = "v1_bc_ee-"+ ca_name;
generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 1, True, True)
keyUsage = 'extension:keyUsage:keyCertSign,cRLSign'
basicConstraintsCA = 'extension:basicConstraints:cA,'
name = "v2_ee-"+ ca_name;
generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 2, False, True)
name = "v2_bc_ee-"+ ca_name;
generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 2, True, True)
writeCertspec('ca', 'ca', [keyUsage, basicConstraintsCA])
name = "v3_missing_bc_ee-"+ ca_name;
generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 3, False, True)
name = "v3_bc_ee-"+ ca_name;
generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 3, True, True)
for versionStr, versionVal in versions.iteritems():
# intermediates
versionText = 'version:%s' % versionVal
for basicConstraintsType, basicConstraintsExtension in basicConstraintsTypes.iteritems():
intermediateName = 'int-%s-%s' % (versionStr, basicConstraintsType)
writeCertspec('ca', intermediateName,
[keyUsage, versionText, basicConstraintsExtension])
writeCertspec(intermediateName, 'ee', [])
name = "v4_bc_ee-"+ ca_name;
generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 4, True, True)
# end-entities
versionText = 'version:%s' % versionVal
for basicConstraintsType, basicConstraintsExtension in basicConstraintsTypes.iteritems():
writeCertspec('ca', 'ee-%s-%s' % (versionStr, basicConstraintsType),
[versionText, basicConstraintsExtension])
def generate_intermediates_and_ee_set(db_dir, dest_dir, noise_file, ca_name):
name = "v1_int-" + ca_name;
generate_child_cert(db, srcdir, noise_file, name, ca_name, 1, False, False)
generate_ee_family(db, srcdir, noise_file, name)
name = "v1_int_bc-" + ca_name;
generate_child_cert(db, srcdir, noise_file, name, ca_name, 1, True, False)
generate_ee_family(db, srcdir, noise_file, name)
name = "v2_int-" + ca_name;
generate_child_cert(db, srcdir, noise_file, name, ca_name, 2, False, False)
generate_ee_family(db, srcdir, noise_file, name)
name = "v2_int_bc-" + ca_name;
generate_child_cert(db, srcdir, noise_file, name, ca_name, 2, True, False)
generate_ee_family(db, srcdir, noise_file, name)
name = "v3_int_missing_bc-" + ca_name;
generate_child_cert(db, srcdir, noise_file, name, ca_name, 3, False, False)
generate_ee_family(db, srcdir, noise_file, name)
name = "v3_int-" + ca_name;
generate_child_cert(db, srcdir, noise_file, name, ca_name, 3, True, False)
generate_ee_family(db, srcdir, noise_file, name)
def generate_ca(db_dir, dest_dir, noise_file, name, version, do_bc):
CertUtils.generate_ca_cert(db_dir, dest_dir, noise_file, name, version, do_bc)
generate_intermediates_and_ee_set(db_dir, dest_dir, noise_file, name)
def generate_certs():
[noise_file, pwd_file] = CertUtils.init_nss_db(db)
generate_ca(db, srcdir, noise_file, "v1_ca", 1, False )
generate_ca(db, srcdir, noise_file, "v1_ca_bc", 1, True)
generate_ca(db, srcdir, noise_file, "v2_ca", 2, False )
generate_ca(db, srcdir, noise_file, "v2_ca_bc", 2, True)
generate_ca(db, srcdir, noise_file, "v3_ca", 3, True )
generate_ca(db, srcdir, noise_file, "v3_ca_missing_bc", 3, False)
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v1_self_signed",
1, False, False)
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v1_self_signed_bc",
1, True, False)
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v2_self_signed",
2, False, False)
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v2_self_signed_bc",
2, True, False)
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v3_self_signed",
3, False, False)
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v3_self_signed_bc",
3, True, False)
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v4_self_signed",
4, False, False);
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v4_self_signed_bc",
4, True, False);
generate_certs();
# self-signed certificates
versionText = 'version:%s' % versionVal
for basicConstraintsType, basicConstraintsExtension in basicConstraintsTypes.iteritems():
selfSignedName = 'ss-%s-%s' % (versionStr, basicConstraintsType)
writeCertspec(selfSignedName, selfSignedName,
[versionText, basicConstraintsExtension])

View File

@ -0,0 +1,5 @@
issuer:ca
subject:int-v1-BC-cA
extension:keyUsage:keyCertSign,cRLSign
version:1
extension:basicConstraints:cA,

View File

@ -0,0 +1,5 @@
issuer:ca
subject:int-v1-BC-not-cA
extension:keyUsage:keyCertSign,cRLSign
version:1
extension:basicConstraints:,

View File

@ -0,0 +1,4 @@
issuer:ca
subject:int-v1-noBC
extension:keyUsage:keyCertSign,cRLSign
version:1

View File

@ -0,0 +1,5 @@
issuer:ca
subject:int-v2-BC-cA
extension:keyUsage:keyCertSign,cRLSign
version:2
extension:basicConstraints:cA,

View File

@ -0,0 +1,5 @@
issuer:ca
subject:int-v2-BC-not-cA
extension:keyUsage:keyCertSign,cRLSign
version:2
extension:basicConstraints:,

View File

@ -0,0 +1,4 @@
issuer:ca
subject:int-v2-noBC
extension:keyUsage:keyCertSign,cRLSign
version:2

View File

@ -0,0 +1,5 @@
issuer:ca
subject:int-v3-BC-cA
extension:keyUsage:keyCertSign,cRLSign
version:3
extension:basicConstraints:cA,

View File

@ -0,0 +1,5 @@
issuer:ca
subject:int-v3-BC-not-cA
extension:keyUsage:keyCertSign,cRLSign
version:3
extension:basicConstraints:,

View File

@ -0,0 +1,4 @@
issuer:ca
subject:int-v3-noBC
extension:keyUsage:keyCertSign,cRLSign
version:3

View File

@ -0,0 +1,5 @@
issuer:ca
subject:int-v4-BC-cA
extension:keyUsage:keyCertSign,cRLSign
version:4
extension:basicConstraints:cA,

View File

@ -0,0 +1,5 @@
issuer:ca
subject:int-v4-BC-not-cA
extension:keyUsage:keyCertSign,cRLSign
version:4
extension:basicConstraints:,

View File

@ -0,0 +1,4 @@
issuer:ca
subject:int-v4-noBC
extension:keyUsage:keyCertSign,cRLSign
version:4

View File

@ -0,0 +1,65 @@
# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
# vim: set filetype=python:
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
test_certificates = (
'ca.pem',
'ee_int-v1-BC-cA.pem',
'ee_int-v1-BC-not-cA.pem',
'ee_int-v1-noBC.pem',
'ee_int-v2-BC-cA.pem',
'ee_int-v2-BC-not-cA.pem',
'ee_int-v2-noBC.pem',
'ee_int-v3-BC-cA.pem',
'ee_int-v3-BC-not-cA.pem',
'ee_int-v3-noBC.pem',
'ee_int-v4-BC-cA.pem',
'ee_int-v4-BC-not-cA.pem',
'ee_int-v4-noBC.pem',
'ee-v1-BC-cA_ca.pem',
'ee-v1-BC-not-cA_ca.pem',
'ee-v1-noBC_ca.pem',
'ee-v2-BC-cA_ca.pem',
'ee-v2-BC-not-cA_ca.pem',
'ee-v2-noBC_ca.pem',
'ee-v3-BC-cA_ca.pem',
'ee-v3-BC-not-cA_ca.pem',
'ee-v3-noBC_ca.pem',
'ee-v4-BC-cA_ca.pem',
'ee-v4-BC-not-cA_ca.pem',
'ee-v4-noBC_ca.pem',
'int-v1-BC-cA_ca.pem',
'int-v1-BC-not-cA_ca.pem',
'int-v1-noBC_ca.pem',
'int-v2-BC-cA_ca.pem',
'int-v2-BC-not-cA_ca.pem',
'int-v2-noBC_ca.pem',
'int-v3-BC-cA_ca.pem',
'int-v3-BC-not-cA_ca.pem',
'int-v3-noBC_ca.pem',
'int-v4-BC-cA_ca.pem',
'int-v4-BC-not-cA_ca.pem',
'int-v4-noBC_ca.pem',
'ss-v1-BC-cA.pem',
'ss-v1-BC-not-cA.pem',
'ss-v1-noBC.pem',
'ss-v2-BC-cA.pem',
'ss-v2-BC-not-cA.pem',
'ss-v2-noBC.pem',
'ss-v3-BC-cA.pem',
'ss-v3-BC-not-cA.pem',
'ss-v3-noBC.pem',
'ss-v4-BC-cA.pem',
'ss-v4-BC-not-cA.pem',
'ss-v4-noBC.pem',
)
for test_certificate in test_certificates:
input_file = test_certificate + '.certspec'
GENERATED_FILES += [test_certificate]
props = GENERATED_FILES[test_certificate]
props.script = '../pycert.py'
props.inputs = [input_file, '!/config/buildid']
TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_cert_version += ['!%s' % test_certificate]

View File

@ -0,0 +1,4 @@
issuer:ss-v1-BC-cA
subject:ss-v1-BC-cA
version:1
extension:basicConstraints:cA,

View File

@ -0,0 +1,4 @@
issuer:ss-v1-BC-not-cA
subject:ss-v1-BC-not-cA
version:1
extension:basicConstraints:,

View File

@ -0,0 +1,3 @@
issuer:ss-v1-noBC
subject:ss-v1-noBC
version:1

View File

@ -0,0 +1,4 @@
issuer:ss-v2-BC-cA
subject:ss-v2-BC-cA
version:2
extension:basicConstraints:cA,

View File

@ -0,0 +1,4 @@
issuer:ss-v2-BC-not-cA
subject:ss-v2-BC-not-cA
version:2
extension:basicConstraints:,

View File

@ -0,0 +1,3 @@
issuer:ss-v2-noBC
subject:ss-v2-noBC
version:2

View File

@ -0,0 +1,4 @@
issuer:ss-v3-BC-cA
subject:ss-v3-BC-cA
version:3
extension:basicConstraints:cA,

View File

@ -0,0 +1,4 @@
issuer:ss-v3-BC-not-cA
subject:ss-v3-BC-not-cA
version:3
extension:basicConstraints:,

View File

@ -0,0 +1,3 @@
issuer:ss-v3-noBC
subject:ss-v3-noBC
version:3

View File

@ -0,0 +1,4 @@
issuer:ss-v4-BC-cA
subject:ss-v4-BC-cA
version:4
extension:basicConstraints:cA,

View File

@ -0,0 +1,4 @@
issuer:ss-v4-BC-not-cA
subject:ss-v4-BC-not-cA
version:4
extension:basicConstraints:,

View File

@ -0,0 +1,3 @@
issuer:ss-v4-noBC
subject:ss-v4-noBC
version:4

Some files were not shown because too many files have changed in this diff Show More