bug 1174292 - convert test_cert_version.js to generate certificates at build time r=Cykesiopka
Also remove redundant test-cases.
parent
c035543458
commit
e09f6209c4
@ -9,6 +9,7 @@ TEST_DIRS += [
|
||||
'test_cert_eku',
|
||||
'test_cert_keyUsage',
|
||||
'test_cert_trust',
|
||||
'test_cert_version',
|
||||
'test_intermediate_basic_usage_constraints',
|
||||
'test_pinning_dynamic',
|
||||
]
|
||||
|
@ -12,6 +12,7 @@ The input format is as follows:
|
||||
|
||||
issuer:<string to use as the issuer common name>
|
||||
subject:<string to use as the subject common name>
|
||||
[version:<{1,2,3,4}>]
|
||||
[issuerKey:alternate]
|
||||
[subjectKey:alternate]
|
||||
[extension:<extension name:<extension-specific data>>]
|
||||
@ -26,6 +27,16 @@ extKeyUsage:[serverAuth,clientAuth,codeSigning,emailProtection
|
||||
OCSPSigning,timeStamping]
|
||||
subjectAlternativeName:[<dNSName>,...]
|
||||
|
||||
Where:
|
||||
[] indicates an optional field or component of a field
|
||||
<> indicates a required component of a field
|
||||
{} indicates choice among a set of values
|
||||
[a,b,c] indicates a list of potential values, of which more than one
|
||||
may be used
|
||||
|
||||
For instance, the version field is optional. However, if it is
|
||||
specified, it must have exactly one value from the set {1,2,3,4}.
|
||||
|
||||
In the future it will be possible to specify other properties of the
|
||||
generated certificate (for example, its validity period, signature
|
||||
algorithm, etc.). For now, those fields have reasonable default values.
|
||||
@ -104,6 +115,14 @@ class UnknownKeyTargetError(UnknownBaseError):
|
||||
self.category = 'key target'
|
||||
|
||||
|
||||
class UnknownVersionError(UnknownBaseError):
|
||||
"""Helper exception type to handle unknown specified versions."""
|
||||
|
||||
def __init__(self, value):
|
||||
UnknownBaseError.__init__(self, value)
|
||||
self.category = 'version'
|
||||
|
||||
|
||||
def getASN1Tag(asn1Type):
|
||||
"""Helper function for returning the base tag value of a given
|
||||
type from the pyasn1 package"""
|
||||
@ -239,7 +258,7 @@ class Certificate:
|
||||
'd039ba01adf328ebc5', 16)
|
||||
|
||||
def __init__(self, paramStream, now=datetime.datetime.utcnow()):
|
||||
self.version = 'v3'
|
||||
self.versionValue = 2 # a value of 2 is X509v3
|
||||
self.signature = 'sha256WithRSAEncryption'
|
||||
self.issuer = 'Default Issuer'
|
||||
oneYear = datetime.timedelta(days=365)
|
||||
@ -264,7 +283,7 @@ class Certificate:
|
||||
the build system on OS X (see the comment above main, later in
|
||||
this file)."""
|
||||
hasher = hashlib.sha256()
|
||||
hasher.update(self.version)
|
||||
hasher.update(str(self.versionValue))
|
||||
hasher.update(self.signature)
|
||||
hasher.update(self.issuer)
|
||||
hasher.update(str(self.notBefore))
|
||||
@ -295,7 +314,9 @@ class Certificate:
|
||||
def decodeParam(self, line):
|
||||
param = line.split(':')[0]
|
||||
value = ':'.join(line.split(':')[1:])
|
||||
if param == 'subject':
|
||||
if param == 'version':
|
||||
self.setVersion(value)
|
||||
elif param == 'subject':
|
||||
self.subject = value
|
||||
elif param == 'issuer':
|
||||
self.issuer = value
|
||||
@ -308,6 +329,13 @@ class Certificate:
|
||||
else:
|
||||
raise UnknownParameterTypeError(param)
|
||||
|
||||
def setVersion(self, version):
|
||||
intVersion = int(version)
|
||||
if intVersion >= 1 and intVersion <= 4:
|
||||
self.versionValue = intVersion - 1
|
||||
else:
|
||||
raise UnknownVersionError(version)
|
||||
|
||||
def decodeExtension(self, extension):
|
||||
extensionType = extension.split(':')[0]
|
||||
value = ':'.join(extension.split(':')[1:])
|
||||
@ -402,7 +430,7 @@ class Certificate:
|
||||
self.addExtension(rfc2459.id_ce_subjectAltName, subjectAlternativeName)
|
||||
|
||||
def getVersion(self):
|
||||
return rfc2459.Version(self.version).subtype(
|
||||
return rfc2459.Version(self.versionValue).subtype(
|
||||
explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))
|
||||
|
||||
def getSerialNumber(self):
|
||||
|
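Review bot: In the `setVersion` hunk, `int(version)` raises a bare `ValueError` for a non-numeric value (for example a spec line `version:v3`), so the new `UnknownVersionError` is only reached for out-of-range integers and a malformed specification presumably surfaces as an uncategorised error rather than through the `UnknownBaseError` family. Wrapping the conversion keeps the error path uniform: `try:` around `intVersion = int(version)` with `except ValueError: raise UnknownVersionError(version)`. A comment on `self.versionValue = intVersion - 1` would also help, such as `# X.509 encodes v1 as 0, v2 as 1, v3 as 2; 4 has no RFC 5280 meaning and exists so tests can exercise an out-of-range version`, because the accepted range in the code is otherwise easy to mistake for the set of valid versions. The `Certificate` class body starts and ends outside these hunks.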
@ -3,464 +3,173 @@
|
||||
// License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
// Tests the interaction between the basic constraints extension and the
|
||||
// certificate version field. In general, the testcases consist of verifying
|
||||
// certificate chains of the form:
|
||||
//
|
||||
// end-entity (issued by) intermediate (issued by) trusted X509v3 root
|
||||
//
|
||||
// where the intermediate is one of X509 v1, v2, v3, or v4, and either does or
|
||||
// does not have the basic constraints extension. If it has the extension, it
|
||||
// either does or does not specify that it is a CA.
|
||||
//
|
||||
// To test cases where the trust anchor has a different version and/or does or
|
||||
// does not have the basic constraint extension, there are testcases where the
|
||||
// intermediate is trusted as an anchor and the verification is repeated.
|
||||
// (Loading a certificate with trust "CTu,," means that it is a trust anchor
|
||||
// for SSL. Loading a certificate with trust ",," means that it inherits its
|
||||
// trust.)
|
||||
//
|
||||
// There are also testcases for end-entities issued by a trusted X509v3 root
|
||||
// where the end-entities similarly cover the range of versions and basic
|
||||
// constraint extensions.
|
||||
//
|
||||
// Finally, there are testcases for self-signed certificates that, again, cover
|
||||
// the range of versions and basic constraint extensions.
|
||||
|
||||
"use strict";
|
||||
|
||||
do_get_profile(); // must be called before getting nsIX509CertDB
|
||||
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
|
||||
.getService(Ci.nsIX509CertDB);
|
||||
|
||||
function cert_from_file(filename) {
|
||||
return constructCertFromFile("test_cert_version/" + filename);
|
||||
function certFromFile(certName) {
|
||||
return constructCertFromFile("test_cert_version/" + certName + ".pem");
|
||||
}
|
||||
|
||||
function load_cert(cert_name, trust_string) {
|
||||
var cert_filename = cert_name + ".der";
|
||||
addCertFromFile(certdb, "test_cert_version/" + cert_filename, trust_string);
|
||||
function loadCertWithTrust(certName, trustString) {
|
||||
addCertFromFile(certdb, "test_cert_version/" + certName + ".pem", trustString);
|
||||
}
|
||||
|
||||
function check_cert_err(cert, expected_error) {
|
||||
checkCertErrorGeneric(certdb, cert, expected_error, certificateUsageSSLServer);
|
||||
function checkEndEntity(cert, expectedResult) {
|
||||
checkCertErrorGeneric(certdb, cert, expectedResult, certificateUsageSSLServer);
|
||||
}
|
||||
|
||||
function check_ca_err(cert, expected_error) {
|
||||
checkCertErrorGeneric(certdb, cert, expected_error, certificateUsageSSLCA);
|
||||
}
|
||||
|
||||
function check_ok(x) {
|
||||
return check_cert_err(x, PRErrorCodeSuccess);
|
||||
}
|
||||
|
||||
function check_ok_ca(x) {
|
||||
checkCertErrorGeneric(certdb, x, PRErrorCodeSuccess, certificateUsageSSLCA);
|
||||
function checkIntermediate(cert, expectedResult) {
|
||||
checkCertErrorGeneric(certdb, cert, expectedResult, certificateUsageSSLCA);
|
||||
}
|
||||
|
||||
function run_test() {
|
||||
load_cert("v1_ca", "CTu,CTu,CTu");
|
||||
load_cert("v1_ca_bc", "CTu,CTu,CTu");
|
||||
load_cert("v2_ca", "CTu,CTu,CTu");
|
||||
load_cert("v2_ca_bc", "CTu,CTu,CTu");
|
||||
load_cert("v3_ca", "CTu,CTu,CTu");
|
||||
load_cert("v3_ca_missing_bc", "CTu,CTu,CTu");
|
||||
loadCertWithTrust("ca", "CTu,,");
|
||||
|
||||
check_ok_ca(cert_from_file('v1_ca.der'));
|
||||
check_ok_ca(cert_from_file('v1_ca_bc.der'));
|
||||
check_ca_err(cert_from_file('v2_ca.der'), SEC_ERROR_CA_CERT_INVALID);
|
||||
check_ok_ca(cert_from_file('v2_ca_bc.der'));
|
||||
check_ok_ca(cert_from_file('v3_ca.der'));
|
||||
check_ca_err(cert_from_file('v3_ca_missing_bc.der'), SEC_ERROR_CA_CERT_INVALID);
|
||||
// Section for CAs lacking the basicConstraints extension entirely:
|
||||
loadCertWithTrust("int-v1-noBC_ca", ",,");
|
||||
checkIntermediate(certFromFile("int-v1-noBC_ca"), MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA);
|
||||
checkEndEntity(certFromFile("ee_int-v1-noBC"), MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA);
|
||||
// A v1 certificate with no basicConstraints extension may issue certificates
|
||||
// if it is a trust anchor.
|
||||
loadCertWithTrust("int-v1-noBC_ca", "CTu,,");
|
||||
checkIntermediate(certFromFile("int-v1-noBC_ca"), PRErrorCodeSuccess);
|
||||
checkEndEntity(certFromFile("ee_int-v1-noBC"), PRErrorCodeSuccess);
|
||||
|
||||
// A v1 certificate may be a CA if it has a basic constraints extension with
|
||||
// CA: TRUE or if it is a trust anchor.
|
||||
loadCertWithTrust("int-v2-noBC_ca", ",,");
|
||||
checkIntermediate(certFromFile("int-v2-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
|
||||
checkEndEntity(certFromFile("ee_int-v2-noBC"), SEC_ERROR_CA_CERT_INVALID);
|
||||
loadCertWithTrust("int-v2-noBC_ca", "CTu,,");
|
||||
checkIntermediate(certFromFile("int-v2-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
|
||||
checkEndEntity(certFromFile("ee_int-v2-noBC"), SEC_ERROR_CA_CERT_INVALID);
|
||||
|
||||
//////////////
|
||||
// v1 CA supersection
|
||||
//////////////////
|
||||
loadCertWithTrust("int-v3-noBC_ca", ",,");
|
||||
checkIntermediate(certFromFile("int-v3-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
|
||||
checkEndEntity(certFromFile("ee_int-v3-noBC"), SEC_ERROR_CA_CERT_INVALID);
|
||||
loadCertWithTrust("int-v3-noBC_ca", "CTu,,");
|
||||
checkIntermediate(certFromFile("int-v3-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
|
||||
checkEndEntity(certFromFile("ee_int-v3-noBC"), SEC_ERROR_CA_CERT_INVALID);
|
||||
|
||||
// v1 intermediate with v1 trust anchor
|
||||
let error = MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA;
|
||||
check_ca_err(cert_from_file('v1_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca.der'), error);
|
||||
loadCertWithTrust("int-v4-noBC_ca", ",,");
|
||||
checkIntermediate(certFromFile("int-v4-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
|
||||
checkEndEntity(certFromFile("ee_int-v4-noBC"), SEC_ERROR_CA_CERT_INVALID);
|
||||
loadCertWithTrust("int-v4-noBC_ca", "CTu,,");
|
||||
checkIntermediate(certFromFile("int-v4-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
|
||||
checkEndEntity(certFromFile("ee_int-v4-noBC"), SEC_ERROR_CA_CERT_INVALID);
|
||||
|
||||
// v1 intermediate with v3 extensions.
|
||||
check_ok_ca(cert_from_file('v1_int_bc-v1_ca.der'));
|
||||
check_ok(cert_from_file('v1_ee-v1_int_bc-v1_ca.der'));
|
||||
check_ok(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca.der'));
|
||||
check_ok(cert_from_file('v2_ee-v1_int_bc-v1_ca.der'));
|
||||
check_ok(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca.der'));
|
||||
check_ok(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca.der'));
|
||||
check_ok(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca.der'));
|
||||
check_ok(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca.der'));
|
||||
// Section for CAs with basicConstraints not specifying cA:
|
||||
loadCertWithTrust("int-v1-BC-not-cA_ca", ",,");
|
||||
checkIntermediate(certFromFile("int-v1-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
|
||||
checkEndEntity(certFromFile("ee_int-v1-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
|
||||
loadCertWithTrust("int-v1-BC-not-cA_ca", "CTu,,");
|
||||
checkIntermediate(certFromFile("int-v1-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
|
||||
checkEndEntity(certFromFile("ee_int-v1-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
|
||||
|
||||
// A v2 intermediate with a v1 CA
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca.der'), error);
|
||||
loadCertWithTrust("int-v2-BC-not-cA_ca", ",,");
|
||||
checkIntermediate(certFromFile("int-v2-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
|
||||
checkEndEntity(certFromFile("ee_int-v2-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
|
||||
loadCertWithTrust("int-v2-BC-not-cA_ca", "CTu,,");
|
||||
checkIntermediate(certFromFile("int-v2-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
|
||||
checkEndEntity(certFromFile("ee_int-v2-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
|
||||
|
||||
// A v2 intermediate with basic constraints
|
||||
check_ok_ca(cert_from_file('v2_int_bc-v1_ca.der'));
|
||||
check_ok(cert_from_file('v1_ee-v2_int_bc-v1_ca.der'));
|
||||
check_ok(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca.der'));
|
||||
check_ok(cert_from_file('v2_ee-v2_int_bc-v1_ca.der'));
|
||||
check_ok(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca.der'));
|
||||
check_ok(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca.der'));
|
||||
check_ok(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca.der'));
|
||||
check_ok(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca.der'));
|
||||
loadCertWithTrust("int-v3-BC-not-cA_ca", ",,");
|
||||
checkIntermediate(certFromFile("int-v3-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
|
||||
checkEndEntity(certFromFile("ee_int-v3-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
|
||||
loadCertWithTrust("int-v3-BC-not-cA_ca", "CTu,,");
|
||||
checkIntermediate(certFromFile("int-v3-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
|
||||
checkEndEntity(certFromFile("ee_int-v3-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
|
||||
|
||||
// Section is OK. A x509 v3 CA MUST have bc
|
||||
// http://tools.ietf.org/html/rfc5280#section-4.2.1.9
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca.der'), error);
|
||||
loadCertWithTrust("int-v4-BC-not-cA_ca", ",,");
|
||||
checkIntermediate(certFromFile("int-v4-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
|
||||
checkEndEntity(certFromFile("ee_int-v4-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
|
||||
loadCertWithTrust("int-v4-BC-not-cA_ca", "CTu,,");
|
||||
checkIntermediate(certFromFile("int-v4-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
|
||||
checkEndEntity(certFromFile("ee_int-v4-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
|
||||
|
||||
// It is valid for a v1 ca to sign a v3 intemediate.
|
||||
check_ok_ca(cert_from_file('v3_int-v1_ca.der'));
|
||||
check_ok(cert_from_file('v1_ee-v3_int-v1_ca.der'));
|
||||
check_ok(cert_from_file('v2_ee-v3_int-v1_ca.der'));
|
||||
check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca.der'));
|
||||
check_ok(cert_from_file('v3_bc_ee-v3_int-v1_ca.der'));
|
||||
check_ok(cert_from_file('v1_bc_ee-v3_int-v1_ca.der'));
|
||||
check_ok(cert_from_file('v2_bc_ee-v3_int-v1_ca.der'));
|
||||
check_ok(cert_from_file('v4_bc_ee-v3_int-v1_ca.der'));
|
||||
// Section for CAs with basicConstraints specifying cA:
|
||||
loadCertWithTrust("int-v1-BC-cA_ca", ",,");
|
||||
checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess);
|
||||
checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess);
|
||||
loadCertWithTrust("int-v1-BC-cA_ca", "CTu,,");
|
||||
checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess);
|
||||
checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess);
|
||||
|
||||
// The next groups change the v1 ca for a v1 ca with base constraints
|
||||
// (invalid trust anchor). The error pattern is the same as the groups
|
||||
// above
|
||||
loadCertWithTrust("int-v2-BC-cA_ca", ",,");
|
||||
checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess);
|
||||
checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess);
|
||||
loadCertWithTrust("int-v2-BC-cA_ca", "CTu,,");
|
||||
checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess);
|
||||
checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess);
|
||||
|
||||
// Using A v1 intermediate
|
||||
error = MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA;
|
||||
check_ca_err(cert_from_file('v1_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca_bc.der'), error);
|
||||
loadCertWithTrust("int-v3-BC-cA_ca", ",,");
|
||||
checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess);
|
||||
checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess);
|
||||
loadCertWithTrust("int-v3-BC-cA_ca", "CTu,,");
|
||||
checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess);
|
||||
checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess);
|
||||
|
||||
// Using a v1 intermediate with v3 extenstions
|
||||
check_ok_ca(cert_from_file('v1_int_bc-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v1_ee-v1_int_bc-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v2_ee-v1_int_bc-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca_bc.der'));
|
||||
loadCertWithTrust("int-v4-BC-cA_ca", ",,");
|
||||
checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess);
|
||||
checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess);
|
||||
loadCertWithTrust("int-v4-BC-cA_ca", "CTu,,");
|
||||
checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess);
|
||||
checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess);
|
||||
|
||||
// Using v2 intermediate
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca_bc.der'), error);
|
||||
// Section for end-entity certificates with various basicConstraints:
|
||||
checkEndEntity(certFromFile("ee-v1-noBC_ca"), PRErrorCodeSuccess);
|
||||
checkEndEntity(certFromFile("ee-v2-noBC_ca"), PRErrorCodeSuccess);
|
||||
checkEndEntity(certFromFile("ee-v3-noBC_ca"), PRErrorCodeSuccess);
|
||||
checkEndEntity(certFromFile("ee-v4-noBC_ca"), PRErrorCodeSuccess);
|
||||
|
||||
// Using a v2 intermediate with basic constraints
|
||||
check_ok_ca(cert_from_file('v2_int_bc-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v1_ee-v2_int_bc-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v2_ee-v2_int_bc-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca_bc.der'));
|
||||
checkEndEntity(certFromFile("ee-v1-BC-not-cA_ca"), PRErrorCodeSuccess);
|
||||
checkEndEntity(certFromFile("ee-v2-BC-not-cA_ca"), PRErrorCodeSuccess);
|
||||
checkEndEntity(certFromFile("ee-v3-BC-not-cA_ca"), PRErrorCodeSuccess);
|
||||
checkEndEntity(certFromFile("ee-v4-BC-not-cA_ca"), PRErrorCodeSuccess);
|
||||
|
||||
// Using a v3 intermediate that is missing basic constraints (invalid)
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), error);
|
||||
checkEndEntity(certFromFile("ee-v1-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
|
||||
checkEndEntity(certFromFile("ee-v2-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
|
||||
checkEndEntity(certFromFile("ee-v3-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
|
||||
checkEndEntity(certFromFile("ee-v4-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
|
||||
|
||||
// these should pass assuming we are OK with v1 ca signing v3 intermediates
|
||||
check_ok_ca(cert_from_file('v3_int-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v1_ee-v3_int-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v1_bc_ee-v3_int-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v2_ee-v3_int-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v2_bc_ee-v3_int-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v3_bc_ee-v3_int-v1_ca_bc.der'));
|
||||
check_ok(cert_from_file('v4_bc_ee-v3_int-v1_ca_bc.der'));
|
||||
// Section for self-signed certificates:
|
||||
checkEndEntity(certFromFile("ss-v1-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
checkEndEntity(certFromFile("ss-v2-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
checkEndEntity(certFromFile("ss-v3-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
checkEndEntity(certFromFile("ss-v4-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
|
||||
checkEndEntity(certFromFile("ss-v1-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
checkEndEntity(certFromFile("ss-v2-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
checkEndEntity(certFromFile("ss-v3-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
checkEndEntity(certFromFile("ss-v4-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
|
||||
//////////////
|
||||
// v2 CA supersection
|
||||
//////////////////
|
||||
|
||||
// v2 ca, v1 intermediate
|
||||
error = MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA;
|
||||
check_ca_err(cert_from_file('v1_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca.der'), error);
|
||||
|
||||
// v2 ca, v1 intermediate with basic constraints (invalid)
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
|
||||
// v2 ca, v2 intermediate
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca.der'), error);
|
||||
|
||||
// v2 ca, v2 intermediate with basic constraints (invalid)
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), error);
|
||||
|
||||
// v2 ca, v3 intermediate missing basic constraints
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca.der'), error);
|
||||
|
||||
// v2 ca, v3 intermediate
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca.der'), error);
|
||||
|
||||
// v2 ca, v1 intermediate
|
||||
error = MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA;
|
||||
check_ca_err(cert_from_file('v1_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca_bc.der'), error);
|
||||
|
||||
// v2 ca, v1 intermediate with bc
|
||||
check_ok_ca(cert_from_file('v1_int_bc-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v1_ee-v1_int_bc-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v2_ee-v1_int_bc-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca_bc.der'));
|
||||
|
||||
// v2 ca, v2 intermediate
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca_bc.der'), error);
|
||||
|
||||
// v2 ca, v2 intermediate with bc
|
||||
check_ok_ca(cert_from_file('v2_int_bc-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v1_ee-v2_int_bc-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v2_ee-v2_int_bc-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca_bc.der'));
|
||||
|
||||
// v2 ca, invalid v3 intermediate
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), error);
|
||||
|
||||
// v2 ca, valid v3 intermediate
|
||||
check_ok_ca(cert_from_file('v3_int-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v1_ee-v3_int-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v1_bc_ee-v3_int-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v2_ee-v3_int-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v2_bc_ee-v3_int-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v3_bc_ee-v3_int-v2_ca_bc.der'));
|
||||
check_ok(cert_from_file('v4_bc_ee-v3_int-v2_ca_bc.der'));
|
||||
|
||||
//////////////
|
||||
// v3 CA supersection
|
||||
//////////////////
|
||||
|
||||
// v3 ca, v1 intermediate
|
||||
error = MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA;
|
||||
check_ca_err(cert_from_file('v1_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca.der'), error);
|
||||
|
||||
// A v1 intermediate with v3 extensions
|
||||
check_ok_ca(cert_from_file('v1_int_bc-v3_ca.der'));
|
||||
check_ok(cert_from_file('v1_ee-v1_int_bc-v3_ca.der'));
|
||||
check_ok(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca.der'));
|
||||
check_ok(cert_from_file('v2_ee-v1_int_bc-v3_ca.der'));
|
||||
check_ok(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca.der'));
|
||||
check_ok(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca.der'));
|
||||
check_ok(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca.der'));
|
||||
check_ok(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca.der'));
|
||||
|
||||
// reject a v2 cert as intermediate
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca.der'), error);
|
||||
|
||||
// v2 intermediate with bc (invalid)
|
||||
check_ok_ca(cert_from_file('v2_int_bc-v3_ca.der'));
|
||||
check_ok(cert_from_file('v1_ee-v2_int_bc-v3_ca.der'));
|
||||
check_ok(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca.der'));
|
||||
check_ok(cert_from_file('v2_ee-v2_int_bc-v3_ca.der'));
|
||||
check_ok(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca.der'));
|
||||
check_ok(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca.der'));
|
||||
check_ok(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca.der'));
|
||||
check_ok(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca.der'));
|
||||
|
||||
// invalid v3 intermediate
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca.der'), error);
|
||||
|
||||
// v1/v2 end entity, v3 intermediate
|
||||
check_ok_ca(cert_from_file('v3_int-v3_ca.der'));
|
||||
check_ok(cert_from_file('v1_ee-v3_int-v3_ca.der'));
|
||||
check_ok(cert_from_file('v2_ee-v3_int-v3_ca.der'));
|
||||
check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca.der'));
|
||||
check_ok(cert_from_file('v3_bc_ee-v3_int-v3_ca.der'));
|
||||
check_ok(cert_from_file('v1_bc_ee-v3_int-v3_ca.der'));
|
||||
check_ok(cert_from_file('v2_bc_ee-v3_int-v3_ca.der'));
|
||||
check_ok(cert_from_file('v4_bc_ee-v3_int-v3_ca.der'));
|
||||
|
||||
// v3 CA, invalid v3 intermediate
|
||||
error = MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA;
|
||||
check_ca_err(cert_from_file('v1_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca_missing_bc.der'), error);
|
||||
|
||||
// Int v1 with BC that is just invalid
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v1_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), error);
|
||||
|
||||
// Good section (all fail)
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca_missing_bc.der'), error);
|
||||
|
||||
// v3 intermediate missing basic constraints is invalid
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v2_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), error);
|
||||
|
||||
// v3 intermediate missing basic constraints is invalid
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), error);
|
||||
|
||||
// With a v3 root missing bc and valid v3 intermediate
|
||||
error = SEC_ERROR_CA_CERT_INVALID;
|
||||
check_ca_err(cert_from_file('v3_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_ee-v3_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_ee-v3_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v3_bc_ee-v3_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca_missing_bc.der'), error);
|
||||
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca_missing_bc.der'), error);
|
||||
|
||||
// self-signed
|
||||
check_cert_err(cert_from_file('v1_self_signed.der'), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
check_cert_err(cert_from_file('v1_self_signed_bc.der'), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
check_cert_err(cert_from_file('v2_self_signed.der'), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
check_cert_err(cert_from_file('v2_self_signed_bc.der'), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
check_cert_err(cert_from_file('v3_self_signed.der'), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
check_cert_err(cert_from_file('v3_self_signed_bc.der'), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
check_cert_err(cert_from_file('v4_self_signed.der'), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
check_cert_err(cert_from_file('v4_self_signed_bc.der'), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
checkEndEntity(certFromFile("ss-v1-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
checkEndEntity(certFromFile("ss-v2-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
checkEndEntity(certFromFile("ss-v3-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
checkEndEntity(certFromFile("ss-v4-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
|
||||
}
|
||||
|
@ -0,0 +1,4 @@
|
||||
issuer:ca
|
||||
subject:ca
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
||||
extension:basicConstraints:cA,
|
@ -0,0 +1,4 @@
|
||||
issuer:ca
|
||||
subject:ee-v1-BC-cA
|
||||
version:1
|
||||
extension:basicConstraints:cA,
|
@ -0,0 +1,4 @@
|
||||
issuer:ca
|
||||
subject:ee-v1-BC-not-cA
|
||||
version:1
|
||||
extension:basicConstraints:,
|
@ -0,0 +1,3 @@
|
||||
issuer:ca
|
||||
subject:ee-v1-noBC
|
||||
version:1
|
@ -0,0 +1,4 @@
|
||||
issuer:ca
|
||||
subject:ee-v2-BC-cA
|
||||
version:2
|
||||
extension:basicConstraints:cA,
|
@ -0,0 +1,4 @@
|
||||
issuer:ca
|
||||
subject:ee-v2-BC-not-cA
|
||||
version:2
|
||||
extension:basicConstraints:,
|
@ -0,0 +1,3 @@
|
||||
issuer:ca
|
||||
subject:ee-v2-noBC
|
||||
version:2
|
@ -0,0 +1,4 @@
|
||||
issuer:ca
|
||||
subject:ee-v3-BC-cA
|
||||
version:3
|
||||
extension:basicConstraints:cA,
|
@ -0,0 +1,4 @@
|
||||
issuer:ca
|
||||
subject:ee-v3-BC-not-cA
|
||||
version:3
|
||||
extension:basicConstraints:,
|
@ -0,0 +1,3 @@
|
||||
issuer:ca
|
||||
subject:ee-v3-noBC
|
||||
version:3
|
@ -0,0 +1,4 @@
|
||||
issuer:ca
|
||||
subject:ee-v4-BC-cA
|
||||
version:4
|
||||
extension:basicConstraints:cA,
|
@ -0,0 +1,4 @@
|
||||
issuer:ca
|
||||
subject:ee-v4-BC-not-cA
|
||||
version:4
|
||||
extension:basicConstraints:,
|
@ -0,0 +1,3 @@
|
||||
issuer:ca
|
||||
subject:ee-v4-noBC
|
||||
version:4
|
@ -0,0 +1,2 @@
|
||||
issuer:int-v1-BC-cA
|
||||
subject:ee
|
@ -0,0 +1,2 @@
|
||||
issuer:int-v1-BC-not-cA
|
||||
subject:ee
|
@ -0,0 +1,2 @@
|
||||
issuer:int-v1-noBC
|
||||
subject:ee
|
@ -0,0 +1,2 @@
|
||||
issuer:int-v2-BC-cA
|
||||
subject:ee
|
@ -0,0 +1,2 @@
|
||||
issuer:int-v2-BC-not-cA
|
||||
subject:ee
|
@ -0,0 +1,2 @@
|
||||
issuer:int-v2-noBC
|
||||
subject:ee
|
@ -0,0 +1,2 @@
|
||||
issuer:int-v3-BC-cA
|
||||
subject:ee
|
@ -0,0 +1,2 @@
|
||||
issuer:int-v3-BC-not-cA
|
||||
subject:ee
|
@ -0,0 +1,2 @@
|
||||
issuer:int-v3-noBC
|
||||
subject:ee
|
@ -0,0 +1,2 @@
|
||||
issuer:int-v4-BC-cA
|
||||
subject:ee
|
@ -0,0 +1,2 @@
|
||||
issuer:int-v4-BC-not-cA
|
||||
subject:ee
|
@ -0,0 +1,2 @@
|
||||
issuer:int-v4-noBC
|
||||
subject:ee
|
@ -1,4 +1,4 @@
|
||||
#!/usr/bin/python
|
||||
#!/usr/bin/env python
|
||||
# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
|
||||
# vim: set filetype=python
|
||||
|
||||
@ -6,90 +6,77 @@
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
import tempfile, os, sys
|
||||
# This file generates the certspec files for test_cert_version.js. The naming
|
||||
# convention for those files is generally of the form
|
||||
# "<subject-description>_<issuer-description>.pem.certspec". End-entity
|
||||
# certificates are generally called "ee". Intermediates are called
|
||||
# "int". The root CA is called "ca" and self-signed certificates are called
|
||||
# "ss".
|
||||
# In the case that the subject and issuer are the same, the redundant part is
|
||||
# not repeated.
|
||||
# If there is nothing particularly special about a certificate, it has no
|
||||
# description ("nothing particularly special" meaning the certificate is X509v3
|
||||
# and has or does not have the basic constraints extension as expected by where
|
||||
# it is in the hierarchy). Otherwise, the description includes its version and
|
||||
# details about the extension. If the extension is not present, the string
|
||||
# "noBC" is used. If it is present but the cA bit is not asserted, the string
|
||||
# "BC-not-cA" is used. If it is present with the cA bit asserted, the string
|
||||
# "BC-cA" is used.
|
||||
# For example, a v1 intermediate that does not have the extension that was
|
||||
# issued by the root CA has the name "int-v1-noBC_ca.pem.certspec".
|
||||
# A v4 end-entity that does have the extension but does not assert the cA bit
|
||||
# that was issued by the root CA has the name
|
||||
# "ee-v4-BC-not-cA_ca.pem.certspec".
|
||||
# An end-entity issued by a v3 intermediate with the extension that asserts the
|
||||
# cA bit has the name "ee_int-v3-BC-cA.pem.certspec".
|
||||
|
||||
libpath = os.path.abspath('../psm_common_py')
|
||||
sys.path.append(libpath)
|
||||
import CertUtils
|
||||
versions = {
|
||||
'v1': 1,
|
||||
'v2': 2,
|
||||
'v3': 3,
|
||||
'v4': 4
|
||||
}
|
||||
|
||||
srcdir = os.getcwd()
|
||||
db = tempfile.mkdtemp()
|
||||
basicConstraintsTypes = {
|
||||
'noBC': '',
|
||||
'BC-not-cA': 'extension:basicConstraints:,',
|
||||
'BC-cA': 'extension:basicConstraints:cA,'
|
||||
}
|
||||
|
||||
def generate_child_cert(db_dir, dest_dir, noise_file, name, ca_nick,
|
||||
cert_version, do_bc, is_ee):
|
||||
return CertUtils.generate_child_cert(db_dir, dest_dir, noise_file, name,
|
||||
ca_nick, cert_version, do_bc, is_ee, '')
|
||||
def writeCertspec(issuer, subject, fields):
|
||||
filename = '%s_%s.pem.certspec' % (subject, issuer)
|
||||
if issuer == subject:
|
||||
filename = '%s.pem.certspec' % subject
|
||||
with open(filename, 'w') as f:
|
||||
f.write('issuer:%s\n' % issuer)
|
||||
f.write('subject:%s\n' % subject)
|
||||
for field in fields:
|
||||
if len(field) > 0:
|
||||
f.write('%s\n' % field)
|
||||
|
||||
def generate_ee_family(db_dir, dest_dir, noise_file, ca_name):
|
||||
name = "v1_ee-"+ ca_name;
|
||||
generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 1, False, True)
|
||||
name = "v1_bc_ee-"+ ca_name;
|
||||
generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 1, True, True)
|
||||
keyUsage = 'extension:keyUsage:keyCertSign,cRLSign'
|
||||
basicConstraintsCA = 'extension:basicConstraints:cA,'
|
||||
|
||||
name = "v2_ee-"+ ca_name;
|
||||
generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 2, False, True)
|
||||
name = "v2_bc_ee-"+ ca_name;
|
||||
generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 2, True, True)
|
||||
writeCertspec('ca', 'ca', [keyUsage, basicConstraintsCA])
|
||||
|
||||
name = "v3_missing_bc_ee-"+ ca_name;
|
||||
generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 3, False, True)
|
||||
name = "v3_bc_ee-"+ ca_name;
|
||||
generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 3, True, True)
|
||||
for versionStr, versionVal in versions.iteritems():
|
||||
# intermediates
|
||||
versionText = 'version:%s' % versionVal
|
||||
for basicConstraintsType, basicConstraintsExtension in basicConstraintsTypes.iteritems():
|
||||
intermediateName = 'int-%s-%s' % (versionStr, basicConstraintsType)
|
||||
writeCertspec('ca', intermediateName,
|
||||
[keyUsage, versionText, basicConstraintsExtension])
|
||||
writeCertspec(intermediateName, 'ee', [])
|
||||
|
||||
name = "v4_bc_ee-"+ ca_name;
|
||||
generate_child_cert(db_dir, dest_dir, noise_file, name, ca_name, 4, True, True)
|
||||
# end-entities
|
||||
versionText = 'version:%s' % versionVal
|
||||
for basicConstraintsType, basicConstraintsExtension in basicConstraintsTypes.iteritems():
|
||||
writeCertspec('ca', 'ee-%s-%s' % (versionStr, basicConstraintsType),
|
||||
[versionText, basicConstraintsExtension])
|
||||
|
||||
def generate_intermediates_and_ee_set(db_dir, dest_dir, noise_file, ca_name):
|
||||
name = "v1_int-" + ca_name;
|
||||
generate_child_cert(db, srcdir, noise_file, name, ca_name, 1, False, False)
|
||||
generate_ee_family(db, srcdir, noise_file, name)
|
||||
name = "v1_int_bc-" + ca_name;
|
||||
generate_child_cert(db, srcdir, noise_file, name, ca_name, 1, True, False)
|
||||
generate_ee_family(db, srcdir, noise_file, name)
|
||||
|
||||
name = "v2_int-" + ca_name;
|
||||
generate_child_cert(db, srcdir, noise_file, name, ca_name, 2, False, False)
|
||||
generate_ee_family(db, srcdir, noise_file, name)
|
||||
name = "v2_int_bc-" + ca_name;
|
||||
generate_child_cert(db, srcdir, noise_file, name, ca_name, 2, True, False)
|
||||
generate_ee_family(db, srcdir, noise_file, name)
|
||||
|
||||
name = "v3_int_missing_bc-" + ca_name;
|
||||
generate_child_cert(db, srcdir, noise_file, name, ca_name, 3, False, False)
|
||||
generate_ee_family(db, srcdir, noise_file, name)
|
||||
name = "v3_int-" + ca_name;
|
||||
generate_child_cert(db, srcdir, noise_file, name, ca_name, 3, True, False)
|
||||
generate_ee_family(db, srcdir, noise_file, name)
|
||||
|
||||
def generate_ca(db_dir, dest_dir, noise_file, name, version, do_bc):
|
||||
CertUtils.generate_ca_cert(db_dir, dest_dir, noise_file, name, version, do_bc)
|
||||
generate_intermediates_and_ee_set(db_dir, dest_dir, noise_file, name)
|
||||
|
||||
def generate_certs():
|
||||
[noise_file, pwd_file] = CertUtils.init_nss_db(db)
|
||||
generate_ca(db, srcdir, noise_file, "v1_ca", 1, False )
|
||||
generate_ca(db, srcdir, noise_file, "v1_ca_bc", 1, True)
|
||||
generate_ca(db, srcdir, noise_file, "v2_ca", 2, False )
|
||||
generate_ca(db, srcdir, noise_file, "v2_ca_bc", 2, True)
|
||||
generate_ca(db, srcdir, noise_file, "v3_ca", 3, True )
|
||||
generate_ca(db, srcdir, noise_file, "v3_ca_missing_bc", 3, False)
|
||||
|
||||
|
||||
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v1_self_signed",
|
||||
1, False, False)
|
||||
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v1_self_signed_bc",
|
||||
1, True, False)
|
||||
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v2_self_signed",
|
||||
2, False, False)
|
||||
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v2_self_signed_bc",
|
||||
2, True, False)
|
||||
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v3_self_signed",
|
||||
3, False, False)
|
||||
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v3_self_signed_bc",
|
||||
3, True, False)
|
||||
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v4_self_signed",
|
||||
4, False, False);
|
||||
CertUtils.generate_self_signed_cert(db, srcdir, noise_file, "v4_self_signed_bc",
|
||||
4, True, False);
|
||||
|
||||
generate_certs();
|
||||
# self-signed certificates
|
||||
versionText = 'version:%s' % versionVal
|
||||
for basicConstraintsType, basicConstraintsExtension in basicConstraintsTypes.iteritems():
|
||||
selfSignedName = 'ss-%s-%s' % (versionStr, basicConstraintsType)
|
||||
writeCertspec(selfSignedName, selfSignedName,
|
||||
[versionText, basicConstraintsExtension])
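Review bot: `writeCertspec` has no docstring, and two of its behaviours are easy to miss: it opens a path relative to the current working directory, and it silently skips empty strings in `fields`. That skip is what makes the `'noBC': ''` entry of `basicConstraintsTypes` yield a spec with no basicConstraints line. I would add a docstring such as `"""Write <subject>_<issuer>.pem.certspec (or <subject>.pem.certspec when issuer == subject) in the current directory; empty entries in fields are skipped."""`. Separately, `versionText = 'version:%s' % versionVal` is assigned three times with the same value inside the `versions` loop; a single assignment at the top of the loop body is enough.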
|
||||
|
@ -0,0 +1,5 @@
|
||||
issuer:ca
|
||||
subject:int-v1-BC-cA
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
||||
version:1
|
||||
extension:basicConstraints:cA,
|
@ -0,0 +1,5 @@
|
||||
issuer:ca
|
||||
subject:int-v1-BC-not-cA
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
||||
version:1
|
||||
extension:basicConstraints:,
|
@ -0,0 +1,4 @@
|
||||
issuer:ca
|
||||
subject:int-v1-noBC
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
||||
version:1
|
@ -0,0 +1,5 @@
|
||||
issuer:ca
|
||||
subject:int-v2-BC-cA
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
||||
version:2
|
||||
extension:basicConstraints:cA,
|
@ -0,0 +1,5 @@
|
||||
issuer:ca
|
||||
subject:int-v2-BC-not-cA
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
||||
version:2
|
||||
extension:basicConstraints:,
|
@ -0,0 +1,4 @@
|
||||
issuer:ca
|
||||
subject:int-v2-noBC
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
||||
version:2
|
@ -0,0 +1,5 @@
|
||||
issuer:ca
|
||||
subject:int-v3-BC-cA
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
||||
version:3
|
||||
extension:basicConstraints:cA,
|
@ -0,0 +1,5 @@
|
||||
issuer:ca
|
||||
subject:int-v3-BC-not-cA
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
||||
version:3
|
||||
extension:basicConstraints:,
|
@ -0,0 +1,4 @@
|
||||
issuer:ca
|
||||
subject:int-v3-noBC
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
||||
version:3
|
@ -0,0 +1,5 @@
|
||||
issuer:ca
|
||||
subject:int-v4-BC-cA
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
||||
version:4
|
||||
extension:basicConstraints:cA,
|
@ -0,0 +1,5 @@
|
||||
issuer:ca
|
||||
subject:int-v4-BC-not-cA
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
||||
version:4
|
||||
extension:basicConstraints:,
|
@ -0,0 +1,4 @@
|
||||
issuer:ca
|
||||
subject:int-v4-noBC
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
||||
version:4
|
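--- a/security/manager/ssl/tests/unit/test_cert_version/moz.build
+++ b/security/manager/ssl/tests/unit/test_cert_version/moz.build
@@ -0,0 +1,65 @@
+# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+test_certificates = (
+'ca.pem',
+'ee_int-v1-BC-cA.pem',
+'ee_int-v1-BC-not-cA.pem',
+'ee_int-v1-noBC.pem',
+'ee_int-v2-BC-cA.pem',
+'ee_int-v2-BC-not-cA.pem',
+'ee_int-v2-noBC.pem',
+'ee_int-v3-BC-cA.pem',
+'ee_int-v3-BC-not-cA.pem',
+'ee_int-v3-noBC.pem',
+'ee_int-v4-BC-cA.pem',
+'ee_int-v4-BC-not-cA.pem',
+'ee_int-v4-noBC.pem',
+'ee-v1-BC-cA_ca.pem',
+'ee-v1-BC-not-cA_ca.pem',
+'ee-v1-noBC_ca.pem',
+'ee-v2-BC-cA_ca.pem',
+'ee-v2-BC-not-cA_ca.pem',
+'ee-v2-noBC_ca.pem',
+'ee-v3-BC-cA_ca.pem',
+'ee-v3-BC-not-cA_ca.pem',
+'ee-v3-noBC_ca.pem',
+'ee-v4-BC-cA_ca.pem',
+'ee-v4-BC-not-cA_ca.pem',
+'ee-v4-noBC_ca.pem',
+'int-v1-BC-cA_ca.pem',
+'int-v1-BC-not-cA_ca.pem',
+'int-v1-noBC_ca.pem',
+'int-v2-BC-cA_ca.pem',
+'int-v2-BC-not-cA_ca.pem',
+'int-v2-noBC_ca.pem',
+'int-v3-BC-cA_ca.pem',
+'int-v3-BC-not-cA_ca.pem',
+'int-v3-noBC_ca.pem',
+'int-v4-BC-cA_ca.pem',
+'int-v4-BC-not-cA_ca.pem',
+'int-v4-noBC_ca.pem',
+'ss-v1-BC-cA.pem',
+'ss-v1-BC-not-cA.pem',
+'ss-v1-noBC.pem',
+'ss-v2-BC-cA.pem',
+'ss-v2-BC-not-cA.pem',
+'ss-v2-noBC.pem',
+'ss-v3-BC-cA.pem',
+'ss-v3-BC-not-cA.pem',
+'ss-v3-noBC.pem',
+'ss-v4-BC-cA.pem',
+'ss-v4-BC-not-cA.pem',
+'ss-v4-noBC.pem',
+)
+
+for test_certificate in test_certificates:
+input_file = test_certificate + '.certspec'
+GENERATED_FILES += [test_certificate]
+props = GENERATED_FILES[test_certificate]
+props.script = '../pycert.py'
+props.inputs = [input_file, '!/config/buildid']
+TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_cert_version += ['!%s' % test_certificate]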
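Review bot: The `'!/config/buildid'` entry in `props.inputs` has no comment, and this file does not say why every test certificate depends on the build id. Presumably it forces `../pycert.py` to re-run on each build so the generated certificates do not go stale, but that should be stated above the assignment, e.g. `# Depend on buildid so the certificate is regenerated on every build (TODO confirm).` The 49-entry `test_certificates` tuple also repeats, by hand, the names that the certspec generator script in this commit derives from its `versions` and `basicConstraintsTypes` tables. A one-line comment pointing at that script would help keep the two lists in step when a variant is added.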
|
@ -0,0 +1,4 @@
|
||||
issuer:ss-v1-BC-cA
|
||||
subject:ss-v1-BC-cA
|
||||
version:1
|
||||
extension:basicConstraints:cA,
|
@ -0,0 +1,4 @@
|
||||
issuer:ss-v1-BC-not-cA
|
||||
subject:ss-v1-BC-not-cA
|
||||
version:1
|
||||
extension:basicConstraints:,
|
@ -0,0 +1,3 @@
|
||||
issuer:ss-v1-noBC
|
||||
subject:ss-v1-noBC
|
||||
version:1
|
@ -0,0 +1,4 @@
|
||||
issuer:ss-v2-BC-cA
|
||||
subject:ss-v2-BC-cA
|
||||
version:2
|
||||
extension:basicConstraints:cA,
|
@ -0,0 +1,4 @@
|
||||
issuer:ss-v2-BC-not-cA
|
||||
subject:ss-v2-BC-not-cA
|
||||
version:2
|
||||
extension:basicConstraints:,
|
@ -0,0 +1,3 @@
|
||||
issuer:ss-v2-noBC
|
||||
subject:ss-v2-noBC
|
||||
version:2
|
@ -0,0 +1,4 @@
|
||||
issuer:ss-v3-BC-cA
|
||||
subject:ss-v3-BC-cA
|
||||
version:3
|
||||
extension:basicConstraints:cA,
|
@ -0,0 +1,4 @@
|
||||
issuer:ss-v3-BC-not-cA
|
||||
subject:ss-v3-BC-not-cA
|
||||
version:3
|
||||
extension:basicConstraints:,
|
@ -0,0 +1,3 @@
|
||||
issuer:ss-v3-noBC
|
||||
subject:ss-v3-noBC
|
||||
version:3
|
@ -0,0 +1,4 @@
|
||||
issuer:ss-v4-BC-cA
|
||||
subject:ss-v4-BC-cA
|
||||
version:4
|
||||
extension:basicConstraints:cA,
|
@ -0,0 +1,4 @@
|
||||
issuer:ss-v4-BC-not-cA
|
||||
subject:ss-v4-BC-not-cA
|
||||
version:4
|
||||
extension:basicConstraints:,
|
@ -0,0 +1,3 @@
|
||||
issuer:ss-v4-noBC
|
||||
subject:ss-v4-noBC
|
||||
version:4
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Some files were not shown because too many files have changed in this diff Show More