Thu, 22 Jan 2015 13:21:57 +0100
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
michael@0 | 1 | "use strict"; |
michael@0 | 2 | |
michael@0 | 3 | /* To regenerate the certificates and apps for this test: |
michael@0 | 4 | |
michael@0 | 5 | cd security/manager/ssl/tests/unit/test_certificate_usages |
michael@0 | 6 | PATH=$NSS/bin:$NSS/lib:$PATH ./generate.pl |
michael@0 | 7 | cd ../../../../../.. |
michael@0 | 8 | make -C $OBJDIR/security/manager/ssl/tests |
michael@0 | 9 | |
michael@0 | 10 | $NSS is the path to NSS binaries and libraries built for the host platform. |
michael@0 | 11 | If you get error messages about "CertUtil" on Windows, then it means that |
michael@0 | 12 | the Windows CertUtil.exe is ahead of the NSS certutil.exe in $PATH. |
michael@0 | 13 | |
michael@0 | 14 | Check in the generated files. These steps are not done as part of the build |
michael@0 | 15 | because we do not want to add a build-time dependency on the OpenSSL or NSS |
michael@0 | 16 | tools or libraries built for the host platform. |
michael@0 | 17 | */ |
michael@0 | 18 | |
do_get_profile(); // must be called before getting nsIX509CertDB
// The certificate database every check below goes through: run_test imports
// the CA certs (with trust) and the end-entity certs (without trust) into it,
// and run_test_in_mode asks it for each cert's usage string.
const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);

// Number of test CAs on disk (ca-1.der .. ca-4.der, one-based). The expected
// usage tables in run_test_in_mode are sized against this.
const gNumCAs = 4;
michael@0 | 23 | |
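/**
 * Entry point: import the test CAs as trusted roots, then run the usage checks
 * once under mozilla::pkix and once under the classic NSS verifier.
 */
function run_test() {
  // run_test_in_mode flips a security-critical global pref (which certificate
  // verifier is used). Restore it so the setting does not leak past this test.
  do_register_cleanup(function () {
    Services.prefs.clearUserPref("security.use_mozillapkix_verification");
  });

  // CA nicknames and files are one-based: ca-1.der .. ca-<gNumCAs>.der.
  // "CTu,CTu,CTu" are certutil-style trust flags for the SSL, email and object
  // signing slots, so each CA is a trust anchor for every usage queried later.
  for (let i = 0; i < gNumCAs; i++) {
    let caName = "ca-" + (i + 1);
    addCertFromFile(certdb, "test_certificate_usages/" + caName + ".der", "CTu,CTu,CTu");
    do_print("ca_name=" + caName);
    // Make the "import actually produced this nickname" check explicit instead
    // of relying on the lookup failing on its own.
    let cert = certdb.findCertByNickname(null, caName);
    do_check_neq(cert, null);
  }

  run_test_in_mode(true);
  run_test_in_mode(false);
}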
michael@0 | 37 | |
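/**
 * Check the usage strings reported for every CA and end-entity cert under one
 * certificate verifier.
 *
 * @param useMozillaPKIX  true selects mozilla::pkix, false the "classic" NSS
 *                        verifier. The two accept different things, so the
 *                        expected tables below are built per mode.
 */
function run_test_in_mode(useMozillaPKIX) {
  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
  // Results cached while the other verifier was active must not leak into
  // this run.
  clearOCSPCache();
  clearSessionCache();

  // mozilla::pkix does not allow CA certs to be validated for non-CA usages.
  const allCAUsages = useMozillaPKIX
    ? 'SSL CA'
    : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';

  // mozilla::pkix doesn't allow CA certificates to have the Status Responder
  // EKU.
  const ca_usages = [
    allCAUsages,
    'SSL CA',
    allCAUsages,
    useMozillaPKIX ? '' : 'Client,Server,Sign,Encrypt,Status Responder',
  ];

  // mozilla::pkix doesn't implement the Netscape Object Signer restriction.
  const basicEndEntityUsages = useMozillaPKIX
    ? 'Client,Server,Sign,Encrypt,Object Signer'
    : 'Client,Server,Sign,Encrypt';

  // mozilla::pkix won't let a certificate with the "Status Responder" EKU get
  // validated for any other usage.
  const statusResponderUsages = (useMozillaPKIX ? "" : "Server,") + "Status Responder";
  const statusResponderUsagesFull = useMozillaPKIX
    ? statusResponderUsages
    : basicEndEntityUsages + ',Object Signer,Status Responder';

  // Expected usage string of ee-<j+1>-ca-N for a CA that both verifiers accept
  // as a CA; CAs 1-3 share this table.
  const eeUsagesUnderValidCA = [
    basicEndEntityUsages,
    basicEndEntityUsages,
    basicEndEntityUsages,
    '',
    statusResponderUsagesFull,
    'Client,Server',
    'Sign,Encrypt,Object Signer',
    statusResponderUsages,
  ];

  // CA 4 has isCA=true without keyCertSign.
  //
  // The 'classic' NSS mode uses the 'union' of the capabilities, so the cert
  // is considered a CA and everything it issued verifies. mozilla::pkix and
  // libpkix use the intersection of capabilities, so the cert is NOT
  // considered a CA and nothing chains through it. The latter is the safer
  // reading (cf. RFC 5280 §4.2.1.3: a keyUsage without keyCertSign must not
  // be used to verify certificate signatures).
  const eeUsagesUnderCA4 = [
    useMozillaPKIX ? '' : basicEndEntityUsages,
    useMozillaPKIX ? '' : basicEndEntityUsages,
    useMozillaPKIX ? '' : basicEndEntityUsages,
    '',
    useMozillaPKIX ? '' : statusResponderUsagesFull,
    useMozillaPKIX ? '' : 'Client,Server',
    useMozillaPKIX ? '' : 'Sign,Encrypt,Object Signer',
    useMozillaPKIX ? '' : 'Server,Status Responder',
  ];

  const ee_usages = [
    eeUsagesUnderValidCA,
    eeUsagesUnderValidCA,
    eeUsagesUnderValidCA,
    eeUsagesUnderCA4,
  ];

  // Both tables must cover every CA; an undersized ee_usages would otherwise
  // surface as a confusing TypeError inside the loop below.
  do_check_eq(gNumCAs, ca_usages.length);
  do_check_eq(gNumCAs, ee_usages.length);

  for (let i = 0; i < gNumCAs; i++) {
    let ca_name = "ca-" + (i + 1);
    let cert = certdb.findCertByNickname(null, ca_name);
    let caUsages = usagesStringOf(cert);
    do_print("usages.value=" + caUsages);
    do_check_eq(ca_usages[i], caUsages);
    if (ca_usages[i].indexOf('SSL CA') !== -1) {
      // A CA that reports the CA usage must also verify cleanly (error 0) for
      // the explicit CA usage.
      checkCertErrorGeneric(certdb, cert, 0, certificateUsageVerifyCA);
    }

    // End-entity names are one-based too: ee-<j+1>-ca-<i+1>.der.
    for (let j = 0; j < ee_usages[i].length; j++) {
      let ee_name = "ee-" + (j + 1) + "-" + ca_name;
      // Imported with empty trust flags: any usage reported for the EE must
      // come from chaining to its CA, never from trust on the EE itself.
      addCertFromFile(certdb, "test_certificate_usages/" + ee_name + ".der", ",,");
      let ee_cert = certdb.findCertByNickname(null, ee_name);
      let eeUsages = usagesStringOf(ee_cert);
      do_print("cert usages.value=" + eeUsages);
      do_check_eq(ee_usages[i][j], eeUsages);
    }
  }
}

/**
 * Return the usage string the cert DB reports for `cert`.
 *
 * The first argument to getUsagesString is passed as true (presumably the
 * "local only" flag of nsIX509Cert, i.e. no network fetches — confirm against
 * the IDL). The `verified` out-param is not asserted by this test; only the
 * usage string is pinned.
 */
function usagesStringOf(cert) {
  let verified = {};
  let usages = {};
  cert.getUsagesString(true, verified, usages);
  return usages.value;
}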