|
|
|
@ -85,7 +85,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// v1 intermediate with v3 extensions. CA is invalid.
|
|
|
|
|
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
@ -97,7 +97,7 @@ function run_test() {
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// A v2 intermediate with a v1 CA
|
|
|
|
|
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
|
|
|
@ -110,7 +110,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// A v2 intermediate with basic constraints (not allowed in insanity)
|
|
|
|
|
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
@ -122,7 +122,7 @@ function run_test() {
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// Section is OK. A x509 v3 CA MUST have bc
|
|
|
|
|
// http://tools.ietf.org/html/rfc5280#section-4.2.1.9
|
|
|
|
@ -136,7 +136,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// It is valid for a v1 ca to sign a v3 intemediate.
|
|
|
|
|
check_ok_ca(cert_from_file('v3_int-v1_ca.der'));
|
|
|
|
@ -148,7 +148,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// The next groups change the v1 ca for a v1 ca with base constraints
|
|
|
|
|
// (invalid trust anchor). The error pattern is the same as the groups
|
|
|
|
@ -165,7 +165,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca_bc.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// Using a v1 intermediate with v3 extenstions (invalid).
|
|
|
|
|
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
@ -177,7 +177,7 @@ function run_test() {
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca_bc.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// Using v2 intermediate
|
|
|
|
|
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
|
|
|
@ -190,7 +190,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca_bc.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// Using a v2 intermediate with basic constraints (invalid)
|
|
|
|
|
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
@ -202,7 +202,7 @@ function run_test() {
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca_bc.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// Using a v3 intermediate that is missing basic constraints (invalid)
|
|
|
|
|
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
|
|
|
@ -215,7 +215,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// these should pass assuming we are OK with v1 ca signing v3 intermediates
|
|
|
|
|
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
@ -227,7 +227,7 @@ function run_test() {
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca_bc.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
//////////////
|
|
|
|
@ -245,7 +245,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca.der'), ee_error)
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// v2 ca, v1 intermediate with basic constraints (invalid)
|
|
|
|
|
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
@ -257,7 +257,7 @@ function run_test() {
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// v2 ca, v2 intermediate
|
|
|
|
|
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
|
|
|
@ -270,7 +270,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca.der'), ee_error)
|
|
|
|
|
|
|
|
|
|
// v2 ca, v2 intermediate with basic constraints (invalid)
|
|
|
|
|
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
@ -282,7 +282,7 @@ function run_test() {
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// v2 ca, v3 intermediate missing basic constraints
|
|
|
|
|
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
|
|
|
@ -295,7 +295,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// v2 ca, v3 intermediate
|
|
|
|
|
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
|
|
|
@ -309,7 +309,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// v2 ca, v1 intermediate
|
|
|
|
|
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
|
|
|
@ -322,7 +322,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca_bc.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// v2 ca, v1 intermediate with bc (invalid)
|
|
|
|
|
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
@ -334,7 +334,7 @@ function run_test() {
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca_bc.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// v2 ca, v2 intermediate
|
|
|
|
|
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
|
|
|
@ -347,7 +347,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca_bc.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// v2 ca, v2 intermediate with bc (invalid)
|
|
|
|
|
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
@ -359,7 +359,7 @@ function run_test() {
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca_bc.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// v2 ca, invalid v3 intermediate
|
|
|
|
|
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
|
|
|
@ -372,7 +372,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error)
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// v2 ca, valid v3 intermediate (is OK if we use 'classic' semantics)
|
|
|
|
|
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
@ -384,7 +384,7 @@ function run_test() {
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca_bc.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
//////////////
|
|
|
|
|
// v3 CA supersection
|
|
|
|
@ -401,7 +401,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// A v1 intermediate with v3 extensions
|
|
|
|
|
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
@ -413,7 +413,7 @@ function run_test() {
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca.der'), ee_error)
|
|
|
|
|
|
|
|
|
|
// reject a v2 cert as intermediate
|
|
|
|
|
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
|
|
|
@ -426,7 +426,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// v2 intermediate with bc (invalid)
|
|
|
|
|
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
@ -438,7 +438,7 @@ function run_test() {
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// invalid v3 intermediate
|
|
|
|
|
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
|
|
|
@ -451,7 +451,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// I dont think that v3 intermediates should be allowed to sign v1 or v2
|
|
|
|
|
// certs, but other thanthat this is what we usually get in the wild.
|
|
|
|
@ -464,7 +464,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// v3 CA, invalid v3 intermediate
|
|
|
|
|
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
|
|
|
@ -477,7 +477,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca_missing_bc.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// Int v1 with BC that is just invalid (classic fail insanity OK)
|
|
|
|
|
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
@ -489,7 +489,7 @@ function run_test() {
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// Good section (all fail)
|
|
|
|
|
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
|
|
|
@ -502,7 +502,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca_missing_bc.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// v2 intermediate (even with basic constraints) is invalid
|
|
|
|
|
ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
@ -514,7 +514,7 @@ function run_test() {
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// v3 intermediate missing basic constraints is invalid
|
|
|
|
|
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
|
|
|
@ -527,7 +527,7 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
|
|
|
|
|
// With a v3 root missing bc and valid v3 intermediate
|
|
|
|
|
ca_error = SEC_ERROR_CA_CERT_INVALID;
|
|
|
|
@ -541,5 +541,5 @@ function run_test() {
|
|
|
|
|
ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
|
|
|
|
|
check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca_missing_bc.der'), SEC_ERROR_BAD_DER);
|
|
|
|
|
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
|
|
|
|
|
}
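Review bot: The expected error for the `v4_bc_ee-*` certificates is edited by hand in every hunk of run_test(), and nothing in the test says why a certificate with an unrecognised version number should fail with that particular code. This rendering has lost the +/- markers, so the page does not show which of `SEC_ERROR_BAD_DER` and `ee_error` is the new expectation. If it is `ee_error`, each v4 line asserts the same code as the v1/v2 end-entities above it (`SEC_ERROR_EXTENSION_VALUE_INVALID` in the hunks that show the assignment), so the test no longer shows that the version itself is what gets rejected. Declaring the value once, e.g. `const v4_ee_error = <expected code>;` with a comment such as `// v4 is not a defined X.509 version; the verifier must reject it whatever extensions it carries`, would make the intent reviewable and reduce the next change to one line. run_test() begins outside the first hunk, so an existing explanation earlier in the function cannot be ruled out.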
|
|
|
|
|