security/manager/ssl/tests/unit/test_cert_version.js@b8a032363ba2 (annotated)
security/manager/ssl/tests/unit/test_cert_version.js
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | // -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- |
| michael@0 | 2 | // This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 3 | // License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 4 | // file, You can obtain one at http://mozilla.org/MPL/2.0/. |
| michael@0 | 5 | |
| michael@0 | 6 | "use strict"; |
| michael@0 | 7 | |
| michael@0 | 8 | do_get_profile(); // must be called before getting nsIX509CertDB |
| michael@0 | 9 | const certdb = Cc["@mozilla.org/security/x509certdb;1"] |
| michael@0 | 10 | .getService(Ci.nsIX509CertDB); |
| michael@0 | 11 | |
| michael@0 | 12 | function cert_from_file(filename) { |
| michael@0 | 13 | return constructCertFromFile("test_cert_version/" + filename); |
| michael@0 | 14 | } |
| michael@0 | 15 | |
| michael@0 | 16 | function load_cert(cert_name, trust_string) { |
| michael@0 | 17 | var cert_filename = cert_name + ".der"; |
| michael@0 | 18 | addCertFromFile(certdb, "test_cert_version/" + cert_filename, trust_string); |
| michael@0 | 19 | } |
| michael@0 | 20 | |
| michael@0 | 21 | function check_cert_err_generic(cert, expected_error, usage) { |
| michael@0 | 22 | do_print("cert cn=" + cert.commonName); |
| michael@0 | 23 | do_print("cert issuer cn=" + cert.issuerCommonName); |
| michael@0 | 24 | let hasEVPolicy = {}; |
| michael@0 | 25 | let verifiedChain = {}; |
| michael@0 | 26 | let error = certdb.verifyCertNow(cert, usage, |
| michael@0 | 27 | NO_FLAGS, verifiedChain, hasEVPolicy); |
| michael@0 | 28 | do_check_eq(error, expected_error); |
| michael@0 | 29 | } |
| michael@0 | 30 | |
| michael@0 | 31 | function check_cert_err(cert, expected_error) { |
| michael@0 | 32 | check_cert_err_generic(cert, expected_error, certificateUsageSSLServer) |
| michael@0 | 33 | } |
| michael@0 | 34 | |
| michael@0 | 35 | function check_ca_err(cert, expected_error) { |
| michael@0 | 36 | check_cert_err_generic(cert, expected_error, certificateUsageSSLCA) |
| michael@0 | 37 | } |
| michael@0 | 38 | |
| michael@0 | 39 | function check_ok(x) { |
| michael@0 | 40 | return check_cert_err(x, 0); |
| michael@0 | 41 | } |
| michael@0 | 42 | |
| michael@0 | 43 | function check_ok_ca(x) { |
| michael@0 | 44 | return check_cert_err_generic(x, 0, certificateUsageSSLCA); |
| michael@0 | 45 | } |
| michael@0 | 46 | |
| michael@0 | 47 | function run_tests_in_mode(useMozillaPKIX) |
| michael@0 | 48 | { |
| michael@0 | 49 | Services.prefs.setBoolPref("security.use_mozillapkix_verification", |
| michael@0 | 50 | useMozillaPKIX); |
| michael@0 | 51 | |
| michael@0 | 52 | check_ok_ca(cert_from_file('v1_ca.der')); |
| michael@0 | 53 | check_ca_err(cert_from_file('v1_ca_bc.der'), |
| michael@0 | 54 | useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0); |
| michael@0 | 55 | check_ca_err(cert_from_file('v2_ca.der'), |
| michael@0 | 56 | useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0); |
| michael@0 | 57 | check_ca_err(cert_from_file('v2_ca_bc.der'), |
| michael@0 | 58 | useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0); |
| michael@0 | 59 | check_ok_ca(cert_from_file('v3_ca.der')); |
| michael@0 | 60 | check_ca_err(cert_from_file('v3_ca_missing_bc.der'), |
| michael@0 | 61 | useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0); |
| michael@0 | 62 | |
| michael@0 | 63 | // Classic allows v1 and v2 certs to be CA certs in trust anchor positions and |
| michael@0 | 64 | // intermediates when they have a v3 basic constraints extenstion (which |
| michael@0 | 65 | // makes them invalid certs). Insanity only allows v1 certs to be CA in |
| michael@0 | 66 | // anchor position (even if they have invalid encodings), v2 certs are not |
| michael@0 | 67 | // considered CAs in any position. |
| michael@0 | 68 | // Note that currently there are no change of behavior based on the |
| michael@0 | 69 | // version of the end entity. |
| michael@0 | 70 | |
| michael@0 | 71 | let ee_error = 0; |
| michael@0 | 72 | let ca_error = 0; |
| michael@0 | 73 | |
| michael@0 | 74 | ////////////// |
| michael@0 | 75 | // v1 CA supersection |
| michael@0 | 76 | ////////////////// |
| michael@0 | 77 | |
| michael@0 | 78 | // v1 intermediate with v1 trust anchor |
| michael@0 | 79 | if (useMozillaPKIX) { |
| michael@0 | 80 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 81 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 82 | } else { |
| michael@0 | 83 | ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; |
| michael@0 | 84 | ee_error = SEC_ERROR_UNKNOWN_ISSUER; |
| michael@0 | 85 | } |
| michael@0 | 86 | check_ca_err(cert_from_file('v1_int-v1_ca.der'), ca_error); |
| michael@0 | 87 | check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca.der'), ee_error); |
| michael@0 | 88 | check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca.der'), ee_error); |
| michael@0 | 89 | check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca.der'), ee_error); |
| michael@0 | 90 | check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca.der'), ee_error); |
| michael@0 | 91 | if (useMozillaPKIX) { |
| michael@0 | 92 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 93 | } |
| michael@0 | 94 | check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca.der'), ee_error); |
| michael@0 | 95 | check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca.der'), ee_error); |
| michael@0 | 96 | check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca.der'), ee_error); |
| michael@0 | 97 | |
| michael@0 | 98 | // v1 intermediate with v3 extensions. CA is invalid. |
| michael@0 | 99 | if (useMozillaPKIX) { |
| michael@0 | 100 | ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 101 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 102 | } else { |
| michael@0 | 103 | ca_error = 0; |
| michael@0 | 104 | ee_error = 0; |
| michael@0 | 105 | } |
| michael@0 | 106 | check_ca_err(cert_from_file('v1_int_bc-v1_ca.der'), ca_error); |
| michael@0 | 107 | check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca.der'), ee_error); |
| michael@0 | 108 | check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca.der'), ee_error); |
| michael@0 | 109 | check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca.der'), ee_error); |
| michael@0 | 110 | check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca.der'), ee_error); |
| michael@0 | 111 | check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca.der'), ee_error); |
| michael@0 | 112 | check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca.der'), ee_error); |
| michael@0 | 113 | check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca.der'), ee_error); |
| michael@0 | 114 | |
| michael@0 | 115 | // A v2 intermediate with a v1 CA |
| michael@0 | 116 | if (useMozillaPKIX) { |
| michael@0 | 117 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 118 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 119 | } else { |
| michael@0 | 120 | ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; |
| michael@0 | 121 | ee_error = SEC_ERROR_UNKNOWN_ISSUER; |
| michael@0 | 122 | } |
| michael@0 | 123 | check_ca_err(cert_from_file('v2_int-v1_ca.der'), ca_error); |
| michael@0 | 124 | check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca.der'), ee_error); |
| michael@0 | 125 | check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca.der'), ee_error); |
| michael@0 | 126 | check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca.der'), ee_error); |
| michael@0 | 127 | check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca.der'), ee_error); |
| michael@0 | 128 | if (useMozillaPKIX) { |
| michael@0 | 129 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 130 | } |
| michael@0 | 131 | check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca.der'), ee_error); |
| michael@0 | 132 | check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca.der'), ee_error); |
| michael@0 | 133 | check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca.der'), ee_error); |
| michael@0 | 134 | |
| michael@0 | 135 | // A v2 intermediate with basic constraints (not allowed in insanity) |
| michael@0 | 136 | if (useMozillaPKIX) { |
| michael@0 | 137 | ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 138 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 139 | } else { |
| michael@0 | 140 | ca_error = 0; |
| michael@0 | 141 | ee_error = 0; |
| michael@0 | 142 | } |
| michael@0 | 143 | check_ca_err(cert_from_file('v2_int_bc-v1_ca.der'), ca_error); |
| michael@0 | 144 | check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca.der'), ee_error); |
| michael@0 | 145 | check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca.der'), ee_error); |
| michael@0 | 146 | check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca.der'), ee_error); |
| michael@0 | 147 | check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca.der'), ee_error); |
| michael@0 | 148 | check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca.der'), ee_error); |
| michael@0 | 149 | check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca.der'), ee_error); |
| michael@0 | 150 | check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca.der'), ee_error); |
| michael@0 | 151 | |
| michael@0 | 152 | // Section is OK. A x509 v3 CA MUST have bc |
| michael@0 | 153 | // http://tools.ietf.org/html/rfc5280#section-4.2.1.9 |
| michael@0 | 154 | if (useMozillaPKIX) { |
| michael@0 | 155 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 156 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 157 | } else { |
| michael@0 | 158 | ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; |
| michael@0 | 159 | ee_error = SEC_ERROR_UNKNOWN_ISSUER; |
| michael@0 | 160 | } |
| michael@0 | 161 | check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), ca_error); |
| michael@0 | 162 | check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca.der'), ee_error); |
| michael@0 | 163 | check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca.der'), ee_error); |
| michael@0 | 164 | check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); |
| michael@0 | 165 | check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); |
| michael@0 | 166 | if (useMozillaPKIX) { |
| michael@0 | 167 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 168 | } |
| michael@0 | 169 | check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); |
| michael@0 | 170 | check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); |
| michael@0 | 171 | check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); |
| michael@0 | 172 | |
| michael@0 | 173 | // It is valid for a v1 ca to sign a v3 intemediate. |
| michael@0 | 174 | check_ok_ca(cert_from_file('v3_int-v1_ca.der')); |
| michael@0 | 175 | check_ok(cert_from_file('v1_ee-v3_int-v1_ca.der')); |
| michael@0 | 176 | check_ok(cert_from_file('v2_ee-v3_int-v1_ca.der')); |
| michael@0 | 177 | check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca.der')); |
| michael@0 | 178 | check_ok(cert_from_file('v3_bc_ee-v3_int-v1_ca.der')); |
| michael@0 | 179 | if (useMozillaPKIX) { |
| michael@0 | 180 | ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 181 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 182 | } else { |
| michael@0 | 183 | ca_error = 0; |
| michael@0 | 184 | ee_error = 0; |
| michael@0 | 185 | } |
| michael@0 | 186 | check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca.der'), ee_error); |
| michael@0 | 187 | check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca.der'), ee_error); |
| michael@0 | 188 | check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca.der'), ee_error); |
| michael@0 | 189 | |
| michael@0 | 190 | // The next groups change the v1 ca for a v1 ca with base constraints |
| michael@0 | 191 | // (invalid trust anchor). The error pattern is the same as the groups |
| michael@0 | 192 | // above |
| michael@0 | 193 | |
| michael@0 | 194 | // Using A v1 intermediate |
| michael@0 | 195 | if (useMozillaPKIX) { |
| michael@0 | 196 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 197 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 198 | } else { |
| michael@0 | 199 | ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; |
| michael@0 | 200 | ee_error = SEC_ERROR_UNKNOWN_ISSUER; |
| michael@0 | 201 | } |
| michael@0 | 202 | check_ca_err(cert_from_file('v1_int-v1_ca_bc.der'), ca_error); |
| michael@0 | 203 | check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 204 | check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 205 | check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 206 | check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 207 | if (useMozillaPKIX) { |
| michael@0 | 208 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 209 | } |
| michael@0 | 210 | check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 211 | check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 212 | check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 213 | |
| michael@0 | 214 | // Using a v1 intermediate with v3 extenstions (invalid). |
| michael@0 | 215 | if (useMozillaPKIX) { |
| michael@0 | 216 | ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 217 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 218 | } else { |
| michael@0 | 219 | ca_error = 0; |
| michael@0 | 220 | ee_error = 0; |
| michael@0 | 221 | } |
| michael@0 | 222 | check_ca_err(cert_from_file('v1_int_bc-v1_ca_bc.der'), ca_error); |
| michael@0 | 223 | check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 224 | check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 225 | check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 226 | check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 227 | check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 228 | check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 229 | check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 230 | |
| michael@0 | 231 | // Using v2 intermediate |
| michael@0 | 232 | if (useMozillaPKIX) { |
| michael@0 | 233 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 234 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 235 | } else { |
| michael@0 | 236 | ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; |
| michael@0 | 237 | ee_error = SEC_ERROR_UNKNOWN_ISSUER; |
| michael@0 | 238 | } |
| michael@0 | 239 | check_ca_err(cert_from_file('v2_int-v1_ca_bc.der'), ca_error); |
| michael@0 | 240 | check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 241 | check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 242 | check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 243 | check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 244 | if (useMozillaPKIX) { |
| michael@0 | 245 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 246 | } |
| michael@0 | 247 | check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 248 | check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 249 | check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 250 | |
| michael@0 | 251 | // Using a v2 intermediate with basic constraints (invalid) |
| michael@0 | 252 | if (useMozillaPKIX) { |
| michael@0 | 253 | ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 254 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 255 | } else { |
| michael@0 | 256 | ca_error = 0; |
| michael@0 | 257 | ee_error = 0; |
| michael@0 | 258 | } |
| michael@0 | 259 | check_ca_err(cert_from_file('v2_int_bc-v1_ca_bc.der'), ca_error); |
| michael@0 | 260 | check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 261 | check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 262 | check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 263 | check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 264 | check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 265 | check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 266 | check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 267 | |
| michael@0 | 268 | // Using a v3 intermediate that is missing basic constraints (invalid) |
| michael@0 | 269 | if (useMozillaPKIX) { |
| michael@0 | 270 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 271 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 272 | } else { |
| michael@0 | 273 | ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; |
| michael@0 | 274 | ee_error = SEC_ERROR_UNKNOWN_ISSUER; |
| michael@0 | 275 | } |
| michael@0 | 276 | check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca_bc.der'), ca_error); |
| michael@0 | 277 | check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 278 | check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 279 | check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 280 | check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 281 | if (useMozillaPKIX) { |
| michael@0 | 282 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 283 | } |
| michael@0 | 284 | check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 285 | check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 286 | check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); |
| michael@0 | 287 | |
| michael@0 | 288 | // these should pass assuming we are OK with v1 ca signing v3 intermediates |
| michael@0 | 289 | if (useMozillaPKIX) { |
| michael@0 | 290 | ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 291 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 292 | } else { |
| michael@0 | 293 | ca_error = 0; |
| michael@0 | 294 | ee_error = 0; |
| michael@0 | 295 | } |
| michael@0 | 296 | check_ca_err(cert_from_file('v3_int-v1_ca_bc.der'), ca_error); |
| michael@0 | 297 | check_cert_err(cert_from_file('v1_ee-v3_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 298 | check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 299 | check_cert_err(cert_from_file('v2_ee-v3_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 300 | check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 301 | check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 302 | check_cert_err(cert_from_file('v3_bc_ee-v3_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 303 | check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca_bc.der'), ee_error); |
| michael@0 | 304 | |
| michael@0 | 305 | |
| michael@0 | 306 | ////////////// |
| michael@0 | 307 | // v2 CA supersection |
| michael@0 | 308 | ////////////////// |
| michael@0 | 309 | |
| michael@0 | 310 | // v2 ca, v1 intermediate |
| michael@0 | 311 | if (useMozillaPKIX) { |
| michael@0 | 312 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 313 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 314 | } else { |
| michael@0 | 315 | ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; |
| michael@0 | 316 | ee_error = SEC_ERROR_UNKNOWN_ISSUER; |
| michael@0 | 317 | } |
| michael@0 | 318 | check_ca_err(cert_from_file('v1_int-v2_ca.der'), ca_error); |
| michael@0 | 319 | check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca.der'), ee_error); |
| michael@0 | 320 | check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca.der'), ee_error); |
| michael@0 | 321 | check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca.der'), ee_error); |
| michael@0 | 322 | check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca.der'), ee_error); |
| michael@0 | 323 | if (useMozillaPKIX) { |
| michael@0 | 324 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 325 | } |
| michael@0 | 326 | check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca.der'), ee_error) |
| michael@0 | 327 | check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca.der'), ee_error); |
| michael@0 | 328 | check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca.der'), ee_error); |
| michael@0 | 329 | |
| michael@0 | 330 | // v2 ca, v1 intermediate with basic constraints (invalid) |
| michael@0 | 331 | if (useMozillaPKIX) { |
| michael@0 | 332 | ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 333 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 334 | } else { |
| michael@0 | 335 | ca_error = 0; |
| michael@0 | 336 | ee_error = 0; |
| michael@0 | 337 | } |
| michael@0 | 338 | check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), ca_error); |
| michael@0 | 339 | check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), ee_error); |
| michael@0 | 340 | check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), ee_error); |
| michael@0 | 341 | check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca.der'), ee_error); |
| michael@0 | 342 | check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca.der'), ee_error); |
| michael@0 | 343 | check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca.der'), ee_error); |
| michael@0 | 344 | check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca.der'), ee_error); |
| michael@0 | 345 | check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), ee_error); |
| michael@0 | 346 | |
| michael@0 | 347 | // v2 ca, v2 intermediate |
| michael@0 | 348 | if (useMozillaPKIX) { |
| michael@0 | 349 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 350 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 351 | } else { |
| michael@0 | 352 | ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; |
| michael@0 | 353 | ee_error = SEC_ERROR_UNKNOWN_ISSUER; |
| michael@0 | 354 | } |
| michael@0 | 355 | check_ca_err(cert_from_file('v2_int-v2_ca.der'), ca_error); |
| michael@0 | 356 | check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca.der'), ee_error); |
| michael@0 | 357 | check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca.der'), ee_error); |
| michael@0 | 358 | check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca.der'), ee_error); |
| michael@0 | 359 | check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca.der'), ee_error); |
| michael@0 | 360 | if (useMozillaPKIX) { |
| michael@0 | 361 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 362 | } |
| michael@0 | 363 | check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca.der'), ee_error); |
| michael@0 | 364 | check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca.der'), ee_error); |
| michael@0 | 365 | check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca.der'), ee_error) |
| michael@0 | 366 | |
| michael@0 | 367 | // v2 ca, v2 intermediate with basic constraints (invalid) |
| michael@0 | 368 | if (useMozillaPKIX) { |
| michael@0 | 369 | ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 370 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 371 | } else { |
| michael@0 | 372 | ca_error = 0; |
| michael@0 | 373 | ee_error = 0; |
| michael@0 | 374 | } |
| michael@0 | 375 | check_ca_err(cert_from_file('v2_int_bc-v2_ca.der'), ca_error); |
| michael@0 | 376 | check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca.der'), ee_error); |
| michael@0 | 377 | check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca.der'), ee_error); |
| michael@0 | 378 | check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca.der'), ee_error); |
| michael@0 | 379 | check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca.der'), ee_error); |
| michael@0 | 380 | check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca.der'), ee_error); |
| michael@0 | 381 | check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca.der'), ee_error); |
| michael@0 | 382 | check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca.der'), ee_error); |
| michael@0 | 383 | |
| michael@0 | 384 | // v2 ca, v3 intermediate missing basic constraints |
| michael@0 | 385 | if (useMozillaPKIX) { |
| michael@0 | 386 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 387 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 388 | } else { |
| michael@0 | 389 | ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; |
| michael@0 | 390 | ee_error = SEC_ERROR_UNKNOWN_ISSUER; |
| michael@0 | 391 | } |
| michael@0 | 392 | check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca.der'), ca_error); |
| michael@0 | 393 | check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca.der'), ee_error); |
| michael@0 | 394 | check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca.der'), ee_error); |
| michael@0 | 395 | check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); |
| michael@0 | 396 | check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); |
| michael@0 | 397 | if (useMozillaPKIX) { |
| michael@0 | 398 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 399 | } |
| michael@0 | 400 | check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); |
| michael@0 | 401 | check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); |
| michael@0 | 402 | check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); |
| michael@0 | 403 | |
| michael@0 | 404 | // v2 ca, v3 intermediate |
| michael@0 | 405 | if (useMozillaPKIX) { |
| michael@0 | 406 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 407 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 408 | } else { |
| michael@0 | 409 | ca_error = 0; |
| michael@0 | 410 | ee_error = 0; |
| michael@0 | 411 | } |
| michael@0 | 412 | check_ca_err(cert_from_file('v3_int-v2_ca.der'), ca_error); |
| michael@0 | 413 | check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca.der'), ee_error); |
| michael@0 | 414 | check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca.der'), ee_error); |
| michael@0 | 415 | check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca.der'), ee_error); |
| michael@0 | 416 | check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca.der'), ee_error); |
| michael@0 | 417 | if (useMozillaPKIX) { |
| michael@0 | 418 | ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 419 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 420 | } else { |
| michael@0 | 421 | ca_error = 0; |
| michael@0 | 422 | ee_error = 0; |
| michael@0 | 423 | } |
| michael@0 | 424 | check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca.der'), ee_error); |
| michael@0 | 425 | check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca.der'), ee_error); |
| michael@0 | 426 | check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca.der'), ee_error); |
| michael@0 | 427 | |
| michael@0 | 428 | // v2 ca, v1 intermediate |
| michael@0 | 429 | if (useMozillaPKIX) { |
| michael@0 | 430 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 431 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 432 | } else { |
| michael@0 | 433 | ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; |
| michael@0 | 434 | ee_error = SEC_ERROR_UNKNOWN_ISSUER; |
| michael@0 | 435 | } |
| michael@0 | 436 | check_ca_err(cert_from_file('v1_int-v2_ca_bc.der'), ca_error); |
| michael@0 | 437 | check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 438 | check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 439 | check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 440 | check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 441 | if (useMozillaPKIX) { |
| michael@0 | 442 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 443 | } |
| michael@0 | 444 | check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 445 | check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 446 | check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 447 | |
| michael@0 | 448 | // v2 ca, v1 intermediate with bc (invalid) |
| michael@0 | 449 | if (useMozillaPKIX) { |
| michael@0 | 450 | ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 451 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 452 | } else { |
| michael@0 | 453 | ca_error = 0; |
| michael@0 | 454 | ee_error = 0; |
| michael@0 | 455 | } |
| michael@0 | 456 | check_ca_err(cert_from_file('v1_int_bc-v2_ca_bc.der'), ca_error); |
| michael@0 | 457 | check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 458 | check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 459 | check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 460 | check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 461 | check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 462 | check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 463 | check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 464 | |
| michael@0 | 465 | // v2 ca, v2 intermediate |
| michael@0 | 466 | if (useMozillaPKIX) { |
| michael@0 | 467 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 468 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 469 | } else { |
| michael@0 | 470 | ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; |
| michael@0 | 471 | ee_error = SEC_ERROR_UNKNOWN_ISSUER; |
| michael@0 | 472 | } |
| michael@0 | 473 | check_ca_err(cert_from_file('v2_int-v2_ca_bc.der'), ca_error); |
| michael@0 | 474 | check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 475 | check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 476 | check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 477 | check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 478 | if (useMozillaPKIX) { |
| michael@0 | 479 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 480 | } |
| michael@0 | 481 | check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 482 | check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 483 | check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 484 | |
| michael@0 | 485 | // v2 ca, v2 intermediate with bc (invalid) |
| michael@0 | 486 | if (useMozillaPKIX) { |
| michael@0 | 487 | ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 488 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 489 | } else { |
| michael@0 | 490 | ca_error = 0; |
| michael@0 | 491 | ee_error = 0; |
| michael@0 | 492 | } |
| michael@0 | 493 | check_ca_err(cert_from_file('v2_int_bc-v2_ca_bc.der'), ca_error); |
| michael@0 | 494 | check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 495 | check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 496 | check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 497 | check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 498 | check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 499 | check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 500 | check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 501 | |
| michael@0 | 502 | // v2 ca, invalid v3 intermediate |
| michael@0 | 503 | if (useMozillaPKIX) { |
| michael@0 | 504 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 505 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 506 | } else { |
| michael@0 | 507 | ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; |
| michael@0 | 508 | ee_error = SEC_ERROR_UNKNOWN_ISSUER; |
| michael@0 | 509 | } |
| michael@0 | 510 | check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca_bc.der'), ca_error); |
| michael@0 | 511 | check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 512 | check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 513 | check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 514 | check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 515 | if (useMozillaPKIX) { |
| michael@0 | 516 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 517 | } |
| michael@0 | 518 | check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 519 | check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error) |
| michael@0 | 520 | check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); |
| michael@0 | 521 | |
| michael@0 | 522 | // v2 ca, valid v3 intermediate (is OK if we use 'classic' semantics) |
| michael@0 | 523 | if (useMozillaPKIX) { |
| michael@0 | 524 | ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 525 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 526 | } else { |
| michael@0 | 527 | ca_error = 0; |
| michael@0 | 528 | ee_error = 0; |
| michael@0 | 529 | } |
| michael@0 | 530 | check_ca_err(cert_from_file('v3_int-v2_ca_bc.der'), ca_error); |
| michael@0 | 531 | check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 532 | check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 533 | check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 534 | check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 535 | check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 536 | check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 537 | check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca_bc.der'), ee_error); |
| michael@0 | 538 | |
| michael@0 | 539 | ////////////// |
| michael@0 | 540 | // v3 CA supersection |
| michael@0 | 541 | ////////////////// |
| michael@0 | 542 | |
| michael@0 | 543 | // v3 ca, v1 intermediate |
| michael@0 | 544 | if (useMozillaPKIX) { |
| michael@0 | 545 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 546 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 547 | } else { |
| michael@0 | 548 | ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; |
| michael@0 | 549 | ee_error = SEC_ERROR_UNKNOWN_ISSUER; |
| michael@0 | 550 | } |
| michael@0 | 551 | check_ca_err(cert_from_file('v1_int-v3_ca.der'), ca_error); |
| michael@0 | 552 | check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca.der'), ee_error); |
| michael@0 | 553 | check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca.der'), ee_error); |
| michael@0 | 554 | check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca.der'), ee_error); |
| michael@0 | 555 | check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca.der'), ee_error); |
| michael@0 | 556 | if (useMozillaPKIX) { |
| michael@0 | 557 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 558 | } |
| michael@0 | 559 | check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca.der'), ee_error); |
| michael@0 | 560 | check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca.der'), ee_error); |
| michael@0 | 561 | check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca.der'), ee_error); |
| michael@0 | 562 | |
| michael@0 | 563 | // A v1 intermediate with v3 extensions |
| michael@0 | 564 | if (useMozillaPKIX) { |
| michael@0 | 565 | ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 566 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 567 | } else { |
| michael@0 | 568 | ca_error = 0; |
| michael@0 | 569 | ee_error = 0; |
| michael@0 | 570 | } |
| michael@0 | 571 | check_ca_err(cert_from_file('v1_int_bc-v3_ca.der'), ca_error); |
| michael@0 | 572 | check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca.der'), ee_error); |
| michael@0 | 573 | check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca.der'), ee_error); |
| michael@0 | 574 | check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca.der'), ee_error); |
| michael@0 | 575 | check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca.der'), ee_error); |
| michael@0 | 576 | check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca.der'), ee_error); |
| michael@0 | 577 | check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca.der'), ee_error); |
| michael@0 | 578 | check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca.der'), ee_error) |
| michael@0 | 579 | |
| michael@0 | 580 | // reject a v2 cert as intermediate |
| michael@0 | 581 | if (useMozillaPKIX) { |
| michael@0 | 582 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 583 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 584 | } else { |
| michael@0 | 585 | ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; |
| michael@0 | 586 | ee_error = SEC_ERROR_UNKNOWN_ISSUER; |
| michael@0 | 587 | } |
| michael@0 | 588 | check_ca_err(cert_from_file('v2_int-v3_ca.der'), ca_error); |
| michael@0 | 589 | check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca.der'), ee_error); |
| michael@0 | 590 | check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca.der'), ee_error); |
| michael@0 | 591 | check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca.der'), ee_error); |
| michael@0 | 592 | check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca.der'), ee_error); |
| michael@0 | 593 | if (useMozillaPKIX) { |
| michael@0 | 594 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 595 | } |
| michael@0 | 596 | check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca.der'), ee_error); |
| michael@0 | 597 | check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca.der'), ee_error); |
| michael@0 | 598 | check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca.der'), ee_error); |
| michael@0 | 599 | |
| michael@0 | 600 | // v2 intermediate with bc (invalid) |
| michael@0 | 601 | if (useMozillaPKIX) { |
| michael@0 | 602 | ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 603 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 604 | } else { |
| michael@0 | 605 | ca_error = 0; |
| michael@0 | 606 | ee_error = 0; |
| michael@0 | 607 | } |
| michael@0 | 608 | check_ca_err(cert_from_file('v2_int_bc-v3_ca.der'), ca_error); |
| michael@0 | 609 | check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca.der'), ee_error); |
| michael@0 | 610 | check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca.der'), ee_error); |
| michael@0 | 611 | check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca.der'), ee_error); |
| michael@0 | 612 | check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca.der'), ee_error); |
| michael@0 | 613 | check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca.der'), ee_error); |
| michael@0 | 614 | check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca.der'), ee_error); |
| michael@0 | 615 | check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca.der'), ee_error); |
| michael@0 | 616 | |
| michael@0 | 617 | // invalid v3 intermediate |
| michael@0 | 618 | if (useMozillaPKIX) { |
| michael@0 | 619 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 620 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 621 | } else { |
| michael@0 | 622 | ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; |
| michael@0 | 623 | ee_error = SEC_ERROR_UNKNOWN_ISSUER; |
| michael@0 | 624 | } |
| michael@0 | 625 | check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca.der'), ca_error); |
| michael@0 | 626 | check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca.der'), ee_error); |
| michael@0 | 627 | check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca.der'), ee_error); |
| michael@0 | 628 | check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); |
| michael@0 | 629 | check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); |
| michael@0 | 630 | if (useMozillaPKIX) { |
| michael@0 | 631 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 632 | } |
| michael@0 | 633 | check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); |
| michael@0 | 634 | check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); |
| michael@0 | 635 | check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); |
| michael@0 | 636 | |
| michael@0 | 637 | // I dont think that v3 intermediates should be allowed to sign v1 or v2 |
| michael@0 | 638 | // certs, but other thanthat this is what we usually get in the wild. |
| michael@0 | 639 | check_ok_ca(cert_from_file('v3_int-v3_ca.der')); |
| michael@0 | 640 | check_ok(cert_from_file('v1_ee-v3_int-v3_ca.der')); |
| michael@0 | 641 | check_ok(cert_from_file('v2_ee-v3_int-v3_ca.der')); |
| michael@0 | 642 | check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca.der')); |
| michael@0 | 643 | check_ok(cert_from_file('v3_bc_ee-v3_int-v3_ca.der')); |
| michael@0 | 644 | if (useMozillaPKIX) { |
| michael@0 | 645 | ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 646 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 647 | } else { |
| michael@0 | 648 | ca_error = 0; |
| michael@0 | 649 | ee_error = 0; |
| michael@0 | 650 | } |
| michael@0 | 651 | check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca.der'), ee_error); |
| michael@0 | 652 | check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca.der'), ee_error); |
| michael@0 | 653 | check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca.der'), ee_error); |
| michael@0 | 654 | |
| michael@0 | 655 | // v3 CA, invalid v3 intermediate |
| michael@0 | 656 | if (useMozillaPKIX) { |
| michael@0 | 657 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 658 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 659 | } else { |
| michael@0 | 660 | ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; |
| michael@0 | 661 | ee_error = SEC_ERROR_UNKNOWN_ISSUER; |
| michael@0 | 662 | } |
| michael@0 | 663 | check_ca_err(cert_from_file('v1_int-v3_ca_missing_bc.der'), ca_error); |
| michael@0 | 664 | check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 665 | check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 666 | check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 667 | check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 668 | if (useMozillaPKIX) { |
| michael@0 | 669 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 670 | } |
| michael@0 | 671 | check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 672 | check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 673 | check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 674 | |
| michael@0 | 675 | // Int v1 with BC that is just invalid (classic fail insanity OK) |
| michael@0 | 676 | if (useMozillaPKIX) { |
| michael@0 | 677 | ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 678 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 679 | } else { |
| michael@0 | 680 | ca_error = 0; |
| michael@0 | 681 | ee_error = 0; |
| michael@0 | 682 | } |
| michael@0 | 683 | check_ca_err(cert_from_file('v1_int_bc-v3_ca_missing_bc.der'), ca_error); |
| michael@0 | 684 | check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 685 | check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 686 | check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 687 | check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 688 | check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 689 | check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 690 | check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 691 | |
| michael@0 | 692 | // Good section (all fail) |
| michael@0 | 693 | if (useMozillaPKIX) { |
| michael@0 | 694 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 695 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 696 | } else { |
| michael@0 | 697 | ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; |
| michael@0 | 698 | ee_error = SEC_ERROR_UNKNOWN_ISSUER; |
| michael@0 | 699 | } |
| michael@0 | 700 | check_ca_err(cert_from_file('v2_int-v3_ca_missing_bc.der'), ca_error); |
| michael@0 | 701 | check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 702 | check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 703 | check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 704 | check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 705 | if (useMozillaPKIX) { |
| michael@0 | 706 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 707 | } |
| michael@0 | 708 | check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 709 | check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 710 | check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 711 | |
| michael@0 | 712 | // v2 intermediate (even with basic constraints) is invalid |
| michael@0 | 713 | if (useMozillaPKIX) { |
| michael@0 | 714 | ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 715 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 716 | } else { |
| michael@0 | 717 | ca_error = 0; |
| michael@0 | 718 | ee_error = 0; |
| michael@0 | 719 | } |
| michael@0 | 720 | check_ca_err(cert_from_file('v2_int_bc-v3_ca_missing_bc.der'), ca_error); |
| michael@0 | 721 | check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 722 | check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 723 | check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 724 | check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 725 | check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 726 | check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 727 | check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 728 | |
| michael@0 | 729 | // v3 intermediate missing basic constraints is invalid |
| michael@0 | 730 | if (useMozillaPKIX) { |
| michael@0 | 731 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 732 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 733 | } else { |
| michael@0 | 734 | ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; |
| michael@0 | 735 | ee_error = SEC_ERROR_UNKNOWN_ISSUER; |
| michael@0 | 736 | } |
| michael@0 | 737 | check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca_missing_bc.der'), ca_error); |
| michael@0 | 738 | check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 739 | check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 740 | check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 741 | check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 742 | if (useMozillaPKIX) { |
| michael@0 | 743 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 744 | } |
| michael@0 | 745 | check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 746 | check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 747 | check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 748 | |
| michael@0 | 749 | // With a v3 root missing bc and valid v3 intermediate |
| michael@0 | 750 | if (useMozillaPKIX) { |
| michael@0 | 751 | ca_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 752 | ee_error = SEC_ERROR_CA_CERT_INVALID; |
| michael@0 | 753 | } else { |
| michael@0 | 754 | ca_error = 0; |
| michael@0 | 755 | ee_error = 0; |
| michael@0 | 756 | } |
| michael@0 | 757 | check_ca_err(cert_from_file('v3_int-v3_ca_missing_bc.der'), ca_error); |
| michael@0 | 758 | check_cert_err(cert_from_file('v1_ee-v3_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 759 | check_cert_err(cert_from_file('v2_ee-v3_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 760 | check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 761 | check_cert_err(cert_from_file('v3_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 762 | if (useMozillaPKIX) { |
| michael@0 | 763 | ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 764 | ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; |
| michael@0 | 765 | } else { |
| michael@0 | 766 | ca_error = 0; |
| michael@0 | 767 | ee_error = 0; |
| michael@0 | 768 | } |
| michael@0 | 769 | check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 770 | check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 771 | check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); |
| michael@0 | 772 | } |
| michael@0 | 773 | |
| michael@0 | 774 | function run_test() { |
| michael@0 | 775 | load_cert("v1_ca", "CTu,CTu,CTu"); |
| michael@0 | 776 | load_cert("v1_ca_bc", "CTu,CTu,CTu"); |
| michael@0 | 777 | load_cert("v2_ca", "CTu,CTu,CTu"); |
| michael@0 | 778 | load_cert("v2_ca_bc", "CTu,CTu,CTu"); |
| michael@0 | 779 | load_cert("v3_ca", "CTu,CTu,CTu"); |
| michael@0 | 780 | load_cert("v3_ca_missing_bc", "CTu,CTu,CTu"); |
| michael@0 | 781 | |
| michael@0 | 782 | run_tests_in_mode(false); |
| michael@0 | 783 | run_tests_in_mode(true); |
| michael@0 | 784 | } |
