The Tor Browser: security/manager/ssl/tests/unit/test_getchain.js@b8a032363ba2 (annotated)

security/manager/ssl/tests/unit/test_getchain.js@b8a032363ba2 (annotated)

security/manager/ssl/tests/unit/test_getchain.js

Thu, 22 Jan 2015 13:21:57 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Thu, 22 Jan 2015 13:21:57 +0100
branch: TOR_BUG_9701
changeset 15: b8a032363ba2
permissions: -rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

 // -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 "use strict";
 do_get_profile(); // must be called before getting nsIX509CertDB
 const certdb  = Cc["@mozilla.org/security/x509certdb;1"]
                   .getService(Ci.nsIX509CertDB);
 const certdb2 = Cc["@mozilla.org/security/x509certdb;1"]
                   .getService(Ci.nsIX509CertDB2);
 // This is the list of certificates needed for the test
 // The certificates prefixed by 'int-' are intermediates
 let certList = [
   'ee',
   'ca-1',
   'ca-2',
 ]
 function load_cert(cert_name, trust_string) {
   var cert_filename = cert_name + ".der";
   addCertFromFile(certdb, "test_getchain/" + cert_filename, trust_string);
 }
 // Since all the ca's are identical expect for the serial number
 // I have to grab them by enumerating all the certs and then finding
 // the ones that I am interested in.
 function get_ca_array() {
   let ret_array = new Array();
   let allCerts = certdb2.getCerts();
   let enumerator = allCerts.getEnumerator();
   while (enumerator.hasMoreElements()) {
     let cert = enumerator.getNext().QueryInterface(Ci.nsIX509Cert);
     if (cert.commonName == 'ca') {
       ret_array[parseInt(cert.serialNumber)] = cert;
     }
   }
   return ret_array;
 }
 function check_matching_issuer_and_getchain(expected_issuer_serial, cert) {
   const nsIX509Cert = Components.interfaces.nsIX509Cert;
   do_check_eq(expected_issuer_serial, cert.issuer.serialNumber);
   let chain = cert.getChain();
   let issuer_via_getchain = chain.queryElementAt(1, nsIX509Cert);
   // The issuer returned by cert.issuer or cert.getchain should be consistent.
   do_check_eq(cert.issuer.serialNumber, issuer_via_getchain.serialNumber);
 }
 function check_getchain(ee_cert, ssl_ca, email_ca){
   // A certificate should first build a chain/issuer to
   // a SSL trust domain, then an EMAIL trust domain and then
   // and object signer trust domain
   const nsIX509Cert = Components.interfaces.nsIX509Cert;
   certdb.setCertTrust(ssl_ca, nsIX509Cert.CA_CERT,
                       Ci.nsIX509CertDB.TRUSTED_SSL);
   certdb.setCertTrust(email_ca, nsIX509Cert.CA_CERT,
                       Ci.nsIX509CertDB.TRUSTED_EMAIL);
   check_matching_issuer_and_getchain(ssl_ca.serialNumber, ee_cert);
   certdb.setCertTrust(ssl_ca, nsIX509Cert.CA_CERT, 0);
   check_matching_issuer_and_getchain(email_ca.serialNumber, ee_cert);
   certdb.setCertTrust(email_ca, nsIX509Cert.CA_CERT, 0);
   // Do a final test on the case of no trust. The results must
   // be cosistent (the actual value is non-deterministic).
   check_matching_issuer_and_getchain(ee_cert.issuer.serialNumber, ee_cert);
 }
 function run_test_in_mode(useMozillaPKIX) {
   Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
   clearOCSPCache();
   clearSessionCache();
   for (let i = 0 ; i < certList.length; i++) {
     load_cert(certList[i], ',,');
   }
   let ee_cert = certdb.findCertByNickname(null, 'ee');
   do_check_false(!ee_cert);
   let ca = get_ca_array();
   check_getchain(ee_cert, ca[1], ca[2]);
   // Swap ca certs to deal alternate trust settings.
   check_getchain(ee_cert, ca[2], ca[1]);
 }
 function run_test() {
   run_test_in_mode(true);
   run_test_in_mode(false);
 }