The Tor Browser / annotate

security/manager/ssl/tests/mochitest/bugs/test_generateCRMFRequest.html@b8a032363ba2 (annotated)

security/manager/ssl/tests/mochitest/bugs/test_generateCRMFRequest.html

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 <!DOCTYPE HTML>
michael@0 2 <html>
michael@0 3 <head>
michael@0 4 <title>crypto.generateCRMFRequest bugs</title>
michael@0 5 <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
michael@0 6 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
michael@0 7 </head>
michael@0 8 <body onload="onWindowLoad()">
michael@0 9 <script class="testbody" type="text/javascript">
michael@0 10
michael@0 11 SimpleTest.waitForExplicitFinish();
michael@0 12
michael@0 13 function onWindowLoad()
michael@0 14 {
michael@0 15 // Does it work at all?
michael@0 16 try {
michael@0 17 var crmfObject = crypto.generateCRMFRequest("CN=undefined", "regToken",
michael@0 18 "authenticator", null, "",
michael@0 19 512, null, " rsa-ex ",
michael@0 20 1024, null, "\r\n\t rsa-sign\t");
michael@0 21 ok(true, "no exception thrown in generateCRMFRequest");
michael@0 22 } catch (e) {
michael@0 23 ok(false, "unexpected exception: " + e);
michael@0 24 }
michael@0 25
michael@0 26 // bug 849553
michael@0 27 // This should fail because 8 is too small of a key size.
michael@0 28 try {
michael@0 29 var crmfObject = crypto.generateCRMFRequest("CN=undefined", "regToken",
michael@0 30 "authenticator", null, "",
michael@0 31 8, null, "rsa-ex",
michael@0 32 1024, null, "rsa-sign");
michael@0 33 ok(false, "execution should not reach this line");
michael@0 34 } catch (e) {
michael@0 35 is(e.toString(), "Error: error:could not generate the key for algorithm rsa-ex", "expected exception");
michael@0 36 }
michael@0 37 // This should fail because 65536 is too large of a key size.
michael@0 38 try {
michael@0 39 var crmfObject = crypto.generateCRMFRequest("CN=undefined", "regToken",
michael@0 40 "authenticator", null, "",
michael@0 41 65536, null, "rsa-ex",
michael@0 42 1024, null, "rsa-sign");
michael@0 43 ok(false, "execution should not reach this line");
michael@0 44 } catch (e) {
michael@0 45 is(e.toString(), "Error: error:could not generate the key for algorithm rsa-ex", "expected exception");
michael@0 46 }
michael@0 47
michael@0 48 // bug 882865
michael@0 49 var o200 = document.documentElement;
michael@0 50 var o1 = crypto;
michael@0 51 try {
michael@0 52 o1.generateCRMFRequest("undefined", o200, 'X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X', null, o1, 1404343237, Math.PI, []);
michael@0 53 ok(false, "execution should not reach this line");
michael@0 54 } catch (e) {
michael@0 55 // The 'key generation argument' in this case was an empty array,
michael@0 56 // which gets interpreted as an empty string.
michael@0 57 is(e.toString(), "Error: error:invalid key generation argument:", "expected exception");
michael@0 58 }
michael@0 59
michael@0 60 // Test that an rsa certificate isn't used to generate an ec key.
michael@0 61 try {
michael@0 62 var crmfObject = crypto.generateCRMFRequest("CN=a", "a", "a", null, "",
michael@0 63 1024, "popcert=MIIBjzCB+aADAgECAgUAnVC3BjANBgkqhkiG9w0BAQUFADAMMQowCAYDVQQDEwFhMB4XDTEzMTEwNjE3NDU1NFoXDTIzMTEwNjE3NDU1NFowDDEKMAgGA1UEAxMBYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3G2mwjE8IGVwv6H1NGZFSKE3UrTsgez2DtNIYb5zdi0P0w9SbmL2GWfveu9DZhRebhVz7QSMPKLagI4aoIzoP5BxRl7a8wR5wbU0z8qXnAvy9p3Ex5oN5vX47TWB7cnItoWpi6A81GSn5X1CFFHhVCEwnQsHuWXrEvLD5hrfdmcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCNo+yLKfAd2NBI5DUpwgHSFBA+59pdNtHY7E2KZjyc9tXN6PHkPp8nScVCtk0g60j4aiiZQm8maPQPLo7Hipgpk83iYqquHRvcJVX4fWJpS/7vX+qTNT0hRiKRhVlI6S4Ttp2J2W6uxy2xxeqC6nBbU98QmDj3UQAY31LyejbecQ==", "ec-dual-use");
michael@0 64 ok(crmfObject, "generateCRMFRequest succeeded");
michael@0 65 var request = crmfObject.request;
michael@0 66 var bytes = atob(request.replace(/\r\n/g, ""));
michael@0 67
michael@0 68 // rsaEncryption oid encoded in the request (as ASN1)
michael@0 69 var badIdentifier = [ 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
michael@0 70 0x01, 0x01, 0x01 ];
michael@0 71 ok(!findIdentifierInString(badIdentifier, bytes),
michael@0 72 "didn't find bad identifier in request");
michael@0 73
michael@0 74 // secp256r1 encoded in the request (as ASN1) (this is the default for
michael@0 75 // a "1024-bit" ec key)
michael@0 76 var goodIdentifier = [ 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03,
michael@0 77 0x01, 0x07 ];
michael@0 78 ok(findIdentifierInString(goodIdentifier, bytes),
michael@0 79 "found good identifier in request");
michael@0 80 } catch (e) {
michael@0 81 ok(false, "unexpected exception: " + e);
michael@0 82 }
michael@0 83
michael@0 84 // Test that only the first of repeated keygen parameters are used.
michael@0 85 try {
michael@0 86 var curveCrmfObject = crypto.generateCRMFRequest("CN=a", "a", "a", null,
michael@0 87 "", 1024, "curve=secp521r1;curve=nistp384",
michael@0 88 "ec-dual-use");
michael@0 89 ok(curveCrmfObject, "generateCRMFRequest succeeded");
michael@0 90 var curveRequest = curveCrmfObject.request;
michael@0 91 var curveBytes = atob(curveRequest.replace(/\r\n/g, ""));
michael@0 92
michael@0 93 // nistp384 encoded in the request (as ASN1)
michael@0 94 var badIdentifier = [ 0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22 ];
michael@0 95 ok(!findIdentifierInString(badIdentifier, curveBytes),
michael@0 96 "didn't find bad identifier in curve request");
michael@0 97
michael@0 98 // secp512r1 encoded in the request (as ASN1)
michael@0 99 var goodIdentifier = [ 0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x23 ];
michael@0 100 ok(findIdentifierInString(goodIdentifier, curveBytes),
michael@0 101 "found good identifier in curve request");
michael@0 102
michael@0 103 // The popcert=MII... values are base-64 encodings of self-signed
michael@0 104 // certificates. The key of the first one is a secp521r1 key, whereas
michael@0 105 // the second is nistp384.
michael@0 106 var popcertCrmfObject = crypto.generateCRMFRequest("CN=a", "a", "a",
michael@0 107 null, "", 1024, "popcert=MIIBjjCB8aADAgECAgUAnVEmVTAJBgcqhkjOPQQBMAwxCjAIBgNVBAMTAWkwHhcNMTMxMTA2MjE1NDUxWhcNMTQwMjA2MjE1NDUxWjAMMQowCAYDVQQDEwFpMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA5juM0J3Od2Ih4s0ZiTkzVkh96J4yO12/L71df3GWy/Ex3LaGcew/EucY5ZITEqNHn22+3pKf3pwL6GJ/zA/foJwBspiE42ITo2BHHXl2Uuf1QK70UH5gzaqf1Cc4lPv3ibOf3EAmHx0a8sdDxRlUN2+V38iYWnMmV1qf4jM15fsYEDMwCQYHKoZIzj0EAQOBjAAwgYgCQgDO34oQkVDNkwtto1OAEbFZgq1xP9aqc+Nt7vnOuEGTISdFXCjlhon7SysTejFhO8d8wG500NrlJEmaie9FJbmWpQJCARcVtnC0K+ilxz307GyuANTaLEd7vBJxTAho8l6xkibNoxY1D9+hcc6ECbK7PCtAaysZoAVx5XhJlsnFdJdDj3wG;popcert=MIIBRDCBy6ADAgECAgUAnVEotzAJBgcqhkjOPQQBMAwxCjAIBgNVBAMTAWkwHhcNMTMxMTA2MjIwMDExWhcNMTQwMjA2MjIwMDExWjAMMQowCAYDVQQDEwFpMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEXjFpZ9bodzikeN4C8p2mVj1Ia1t+8zIndSavQHmxaD3+kvhkt18+P20ZagfBOaVEQZdArZ6KxBeW9oYZqaNpqHLveGlKYi6u9z5FyozAx4MXzyLdfu+bzOLIsryKRnLFMAkGByqGSM49BAEDaQAwZgIxAJDawIJLQ5iZsJVC3vV1YEKsI2aNEicdZ3YTMp/zUy+64Z2/cjyyfa7d5m1xKLDBogIxANHOQoy/7DioCyWNDDzx5QK0M24dOURVWRXsxjAjrg4vDmV/fkVzwpUzIr5fMgXEyQ==", "ec-dual-use");
michael@0 108 ok(popcertCrmfObject, "generateCRMFRequest succeeded");
michael@0 109 var popcertRequest = popcertCrmfObject.request;
michael@0 110 var popcertBytes = atob(popcertRequest.replace(/\r\n/g, ""));
michael@0 111 ok(!findIdentifierInString(badIdentifier, popcertBytes),
michael@0 112 "didn't find bad identifier in popcert request");
michael@0 113
michael@0 114 ok(findIdentifierInString(goodIdentifier, popcertBytes),
michael@0 115 "found good identifier in popcert request");
michael@0 116 } catch (e) {
michael@0 117 ok(false, "unexpected exception: " + e);
michael@0 118 }
michael@0 119 SimpleTest.finish();
michael@0 120 }
michael@0 121
michael@0 122 function findIdentifierInString(identifier, str) {
michael@0 123 var matches = 0;
michael@0 124 for (var i = 0; i < str.length - identifier.length;
michael@0 125 i += (matches != 0 ? matches : 1)) {
michael@0 126 matches = 0;
michael@0 127 for (var j = 0; j < identifier.length; j++) {
michael@0 128 if (identifier[j] == str.charCodeAt(i + j)) {
michael@0 129 matches++;
michael@0 130 } else {
michael@0 131 break;
michael@0 132 }
michael@0 133 }
michael@0 134 if (matches == identifier.length) {
michael@0 135 return true;
michael@0 136 }
michael@0 137 }
michael@0 138 return false;
michael@0 139 }
michael@0 140 </script>
michael@0 141 </body>
michael@0 142 </html>

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial