security/manager/ssl/tests/unit/test_cert_signatures.js@b8a032363ba2 (annotated)
security/manager/ssl/tests/unit/test_cert_signatures.js
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | // -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- |
| michael@0 | 2 | // This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 3 | // License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 4 | // file, You can obtain one at http://mozilla.org/MPL/2.0/. |
| michael@0 | 5 | |
| michael@0 | 6 | "use strict"; |
| michael@0 | 7 | /* |
| michael@0 | 8 | * The purpose of this test is to verify that we correctly detect bad |
| michael@0 | 9 | * signatures on tampered certificates. Eventually, we should also be |
| michael@0 | 10 | * verifying that the error we return is the correct error. |
| michael@0 | 11 | * |
| michael@0 | 12 | * To regenerate the certificates for this test: |
| michael@0 | 13 | * |
| michael@0 | 14 | * cd security/manager/ssl/tests/unit/test_cert_signatures |
| michael@0 | 15 | * ./generate.py |
| michael@0 | 16 | * cd ../../../../../.. |
| michael@0 | 17 | * make -C $OBJDIR/security/manager/ssl/tests |
| michael@0 | 18 | * |
| michael@0 | 19 | * Check in the generated files. These steps are not done as part of the build |
| michael@0 | 20 | * because we do not want to add a build-time dependency on the OpenSSL or NSS |
| michael@0 | 21 | * tools or libraries built for the host platform. |
| michael@0 | 22 | */ |
| michael@0 | 23 | |
| michael@0 | 24 | do_get_profile(); // must be called before getting nsIX509CertDB |
| michael@0 | 25 | const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB); |
| michael@0 | 26 | |
| michael@0 | 27 | function load_ca(ca_name) { |
| michael@0 | 28 | let ca_filename = ca_name + ".der"; |
| michael@0 | 29 | addCertFromFile(certdb, "test_cert_signatures/" + ca_filename, 'CTu,CTu,CTu'); |
| michael@0 | 30 | } |
| michael@0 | 31 | |
| michael@0 | 32 | function check_ca(ca_name) { |
| michael@0 | 33 | do_print("ca_name=" + ca_name); |
| michael@0 | 34 | let cert = certdb.findCertByNickname(null, ca_name); |
| michael@0 | 35 | |
| michael@0 | 36 | let verified = {}; |
| michael@0 | 37 | let usages = {}; |
| michael@0 | 38 | cert.getUsagesString(true, verified, usages); |
| michael@0 | 39 | do_check_eq('SSL CA', usages.value); |
| michael@0 | 40 | } |
| michael@0 | 41 | |
| michael@0 | 42 | function run_test() { |
| michael@0 | 43 | // Load the ca into mem |
| michael@0 | 44 | load_ca("ca-rsa"); |
| michael@0 | 45 | load_ca("ca-p384"); |
| michael@0 | 46 | load_ca("ca-dsa"); |
| michael@0 | 47 | |
| michael@0 | 48 | run_test_in_mode(true); |
| michael@0 | 49 | run_test_in_mode(false); |
| michael@0 | 50 | } |
| michael@0 | 51 | |
| michael@0 | 52 | function run_test_in_mode(useMozillaPKIX) { |
| michael@0 | 53 | Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX); |
| michael@0 | 54 | clearOCSPCache(); |
| michael@0 | 55 | clearSessionCache(); |
| michael@0 | 56 | |
| michael@0 | 57 | check_ca("ca-rsa"); |
| michael@0 | 58 | check_ca("ca-p384"); |
| michael@0 | 59 | check_ca("ca-dsa"); |
| michael@0 | 60 | |
| michael@0 | 61 | // mozilla::pkix does not allow CA certs to be validated for end-entity |
| michael@0 | 62 | // usages. |
| michael@0 | 63 | let int_usage = useMozillaPKIX |
| michael@0 | 64 | ? 'SSL CA' |
| michael@0 | 65 | : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder'; |
| michael@0 | 66 | |
| michael@0 | 67 | // mozilla::pkix doesn't implement the Netscape Object Signer restriction. |
| michael@0 | 68 | const ee_usage = useMozillaPKIX |
| michael@0 | 69 | ? 'Client,Server,Sign,Encrypt,Object Signer' |
| michael@0 | 70 | : 'Client,Server,Sign,Encrypt'; |
| michael@0 | 71 | |
| michael@0 | 72 | let cert2usage = { |
| michael@0 | 73 | // certs without the "int" prefix are end entity certs. |
| michael@0 | 74 | 'int-rsa-valid': int_usage, |
| michael@0 | 75 | 'rsa-valid': ee_usage, |
| michael@0 | 76 | 'int-p384-valid': int_usage, |
| michael@0 | 77 | 'p384-valid': ee_usage, |
| michael@0 | 78 | 'int-dsa-valid': int_usage, |
| michael@0 | 79 | 'dsa-valid': ee_usage, |
| michael@0 | 80 | |
| michael@0 | 81 | 'rsa-valid-int-tampered-ee': "", |
| michael@0 | 82 | 'p384-valid-int-tampered-ee': "", |
| michael@0 | 83 | 'dsa-valid-int-tampered-ee': "", |
| michael@0 | 84 | |
| michael@0 | 85 | 'int-rsa-tampered': "", |
| michael@0 | 86 | 'rsa-tampered-int-valid-ee': "", |
| michael@0 | 87 | 'int-p384-tampered': "", |
| michael@0 | 88 | 'p384-tampered-int-valid-ee': "", |
| michael@0 | 89 | 'int-dsa-tampered': "", |
| michael@0 | 90 | 'dsa-tampered-int-valid-ee': "", |
| michael@0 | 91 | |
| michael@0 | 92 | }; |
| michael@0 | 93 | |
| michael@0 | 94 | // Load certs first |
| michael@0 | 95 | for (let cert_name in cert2usage) { |
| michael@0 | 96 | let cert_filename = cert_name + ".der"; |
| michael@0 | 97 | addCertFromFile(certdb, "test_cert_signatures/" + cert_filename, ',,'); |
| michael@0 | 98 | } |
| michael@0 | 99 | |
| michael@0 | 100 | for (let cert_name in cert2usage) { |
| michael@0 | 101 | do_print("cert_name=" + cert_name); |
| michael@0 | 102 | |
| michael@0 | 103 | let cert = certdb.findCertByNickname(null, cert_name); |
| michael@0 | 104 | |
| michael@0 | 105 | let verified = {}; |
| michael@0 | 106 | let usages = {}; |
| michael@0 | 107 | cert.getUsagesString(true, verified, usages); |
| michael@0 | 108 | do_check_eq(cert2usage[cert_name], usages.value); |
| michael@0 | 109 | } |
| michael@0 | 110 | } |
