The Tor Browser / file comparison
comparison: security/manager/ssl/tests/unit/test_cert_signatures.js
security/manager/ssl/tests/unit/test_cert_signatures.js
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
equal
deleted
inserted
replaced
| -1:000000000000 | 0:ccf50e4a80e8 |
|---|---|
| 1 // -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- | |
| 2 // This Source Code Form is subject to the terms of the Mozilla Public | |
| 3 // License, v. 2.0. If a copy of the MPL was not distributed with this | |
| 4 // file, You can obtain one at http://mozilla.org/MPL/2.0/. | |
| 5 | |
| 6 "use strict"; | |
| 7 /* | |
| 8 * The purpose of this test is to verify that we correctly detect bad | |
| 9 * signatures on tampered certificates. Eventually, we should also be | |
| 10 * verifying that the error we return is the correct error. | |
| 11 * | |
| 12 * To regenerate the certificates for this test: | |
| 13 * | |
| 14 * cd security/manager/ssl/tests/unit/test_cert_signatures | |
| 15 * ./generate.py | |
| 16 * cd ../../../../../.. | |
| 17 * make -C $OBJDIR/security/manager/ssl/tests | |
| 18 * | |
| 19 * Check in the generated files. These steps are not done as part of the build | |
| 20 * because we do not want to add a build-time dependency on the OpenSSL or NSS | |
| 21 * tools or libraries built for the host platform. | |
| 22 */ | |
| 23 | |
| 24 do_get_profile(); // must be called before getting nsIX509CertDB | |
| 25 const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB); | |
| 26 | |
| 27 function load_ca(ca_name) { | |
| 28 let ca_filename = ca_name + ".der"; | |
| 29 addCertFromFile(certdb, "test_cert_signatures/" + ca_filename, 'CTu,CTu,CTu'); | |
| 30 } | |
| 31 | |
| 32 function check_ca(ca_name) { | |
| 33 do_print("ca_name=" + ca_name); | |
| 34 let cert = certdb.findCertByNickname(null, ca_name); | |
| 35 | |
| 36 let verified = {}; | |
| 37 let usages = {}; | |
| 38 cert.getUsagesString(true, verified, usages); | |
| 39 do_check_eq('SSL CA', usages.value); | |
| 40 } | |
| 41 | |
| 42 function run_test() { | |
| 43 // Load the ca into mem | |
| 44 load_ca("ca-rsa"); | |
| 45 load_ca("ca-p384"); | |
| 46 load_ca("ca-dsa"); | |
| 47 | |
| 48 run_test_in_mode(true); | |
| 49 run_test_in_mode(false); | |
| 50 } | |
| 51 | |
| 52 function run_test_in_mode(useMozillaPKIX) { | |
| 53 Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX); | |
| 54 clearOCSPCache(); | |
| 55 clearSessionCache(); | |
| 56 | |
| 57 check_ca("ca-rsa"); | |
| 58 check_ca("ca-p384"); | |
| 59 check_ca("ca-dsa"); | |
| 60 | |
| 61 // mozilla::pkix does not allow CA certs to be validated for end-entity | |
| 62 // usages. | |
| 63 let int_usage = useMozillaPKIX | |
| 64 ? 'SSL CA' | |
| 65 : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder'; | |
| 66 | |
| 67 // mozilla::pkix doesn't implement the Netscape Object Signer restriction. | |
| 68 const ee_usage = useMozillaPKIX | |
| 69 ? 'Client,Server,Sign,Encrypt,Object Signer' | |
| 70 : 'Client,Server,Sign,Encrypt'; | |
| 71 | |
| 72 let cert2usage = { | |
| 73 // certs without the "int" prefix are end entity certs. | |
| 74 'int-rsa-valid': int_usage, | |
| 75 'rsa-valid': ee_usage, | |
| 76 'int-p384-valid': int_usage, | |
| 77 'p384-valid': ee_usage, | |
| 78 'int-dsa-valid': int_usage, | |
| 79 'dsa-valid': ee_usage, | |
| 80 | |
| 81 'rsa-valid-int-tampered-ee': "", | |
| 82 'p384-valid-int-tampered-ee': "", | |
| 83 'dsa-valid-int-tampered-ee': "", | |
| 84 | |
| 85 'int-rsa-tampered': "", | |
| 86 'rsa-tampered-int-valid-ee': "", | |
| 87 'int-p384-tampered': "", | |
| 88 'p384-tampered-int-valid-ee': "", | |
| 89 'int-dsa-tampered': "", | |
| 90 'dsa-tampered-int-valid-ee': "", | |
| 91 | |
| 92 }; | |
| 93 | |
| 94 // Load certs first | |
| 95 for (let cert_name in cert2usage) { | |
| 96 let cert_filename = cert_name + ".der"; | |
| 97 addCertFromFile(certdb, "test_cert_signatures/" + cert_filename, ',,'); | |
| 98 } | |
| 99 | |
| 100 for (let cert_name in cert2usage) { | |
| 101 do_print("cert_name=" + cert_name); | |
| 102 | |
| 103 let cert = certdb.findCertByNickname(null, cert_name); | |
| 104 | |
| 105 let verified = {}; | |
| 106 let usages = {}; | |
| 107 cert.getUsagesString(true, verified, usages); | |
| 108 do_check_eq(cert2usage[cert_name], usages.value); | |
| 109 } | |
| 110 } |
