The Tor Browser / file comparison
comparison: security/manager/ssl/tests/unit/test_cert_version.js
security/manager/ssl/tests/unit/test_cert_version.js
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
equal
deleted
inserted
replaced
| -1:000000000000 | 0:0b024aa566ff |
|---|---|
| 1 // -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- | |
| 2 // This Source Code Form is subject to the terms of the Mozilla Public | |
| 3 // License, v. 2.0. If a copy of the MPL was not distributed with this | |
| 4 // file, You can obtain one at http://mozilla.org/MPL/2.0/. | |
| 5 | |
| 6 "use strict"; | |
| 7 | |
| 8 do_get_profile(); // must be called before getting nsIX509CertDB | |
| 9 const certdb = Cc["@mozilla.org/security/x509certdb;1"] | |
| 10 .getService(Ci.nsIX509CertDB); | |
| 11 | |
| 12 function cert_from_file(filename) { | |
| 13 return constructCertFromFile("test_cert_version/" + filename); | |
| 14 } | |
| 15 | |
| 16 function load_cert(cert_name, trust_string) { | |
| 17 var cert_filename = cert_name + ".der"; | |
| 18 addCertFromFile(certdb, "test_cert_version/" + cert_filename, trust_string); | |
| 19 } | |
| 20 | |
| 21 function check_cert_err_generic(cert, expected_error, usage) { | |
| 22 do_print("cert cn=" + cert.commonName); | |
| 23 do_print("cert issuer cn=" + cert.issuerCommonName); | |
| 24 let hasEVPolicy = {}; | |
| 25 let verifiedChain = {}; | |
| 26 let error = certdb.verifyCertNow(cert, usage, | |
| 27 NO_FLAGS, verifiedChain, hasEVPolicy); | |
| 28 do_check_eq(error, expected_error); | |
| 29 } | |
| 30 | |
| 31 function check_cert_err(cert, expected_error) { | |
| 32 check_cert_err_generic(cert, expected_error, certificateUsageSSLServer) | |
| 33 } | |
| 34 | |
| 35 function check_ca_err(cert, expected_error) { | |
| 36 check_cert_err_generic(cert, expected_error, certificateUsageSSLCA) | |
| 37 } | |
| 38 | |
| 39 function check_ok(x) { | |
| 40 return check_cert_err(x, 0); | |
| 41 } | |
| 42 | |
| 43 function check_ok_ca(x) { | |
| 44 return check_cert_err_generic(x, 0, certificateUsageSSLCA); | |
| 45 } | |
| 46 | |
| 47 function run_tests_in_mode(useMozillaPKIX) | |
| 48 { | |
| 49 Services.prefs.setBoolPref("security.use_mozillapkix_verification", | |
| 50 useMozillaPKIX); | |
| 51 | |
| 52 check_ok_ca(cert_from_file('v1_ca.der')); | |
| 53 check_ca_err(cert_from_file('v1_ca_bc.der'), | |
| 54 useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0); | |
| 55 check_ca_err(cert_from_file('v2_ca.der'), | |
| 56 useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0); | |
| 57 check_ca_err(cert_from_file('v2_ca_bc.der'), | |
| 58 useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0); | |
| 59 check_ok_ca(cert_from_file('v3_ca.der')); | |
| 60 check_ca_err(cert_from_file('v3_ca_missing_bc.der'), | |
| 61 useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0); | |
| 62 | |
| 63 // Classic allows v1 and v2 certs to be CA certs in trust anchor positions and | |
| 64 // intermediates when they have a v3 basic constraints extenstion (which | |
| 65 // makes them invalid certs). Insanity only allows v1 certs to be CA in | |
| 66 // anchor position (even if they have invalid encodings), v2 certs are not | |
| 67 // considered CAs in any position. | |
| 68 // Note that currently there are no change of behavior based on the | |
| 69 // version of the end entity. | |
| 70 | |
| 71 let ee_error = 0; | |
| 72 let ca_error = 0; | |
| 73 | |
| 74 ////////////// | |
| 75 // v1 CA supersection | |
| 76 ////////////////// | |
| 77 | |
| 78 // v1 intermediate with v1 trust anchor | |
| 79 if (useMozillaPKIX) { | |
| 80 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 81 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 82 } else { | |
| 83 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; | |
| 84 ee_error = SEC_ERROR_UNKNOWN_ISSUER; | |
| 85 } | |
| 86 check_ca_err(cert_from_file('v1_int-v1_ca.der'), ca_error); | |
| 87 check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca.der'), ee_error); | |
| 88 check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca.der'), ee_error); | |
| 89 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca.der'), ee_error); | |
| 90 check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca.der'), ee_error); | |
| 91 if (useMozillaPKIX) { | |
| 92 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 93 } | |
| 94 check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca.der'), ee_error); | |
| 95 check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca.der'), ee_error); | |
| 96 check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca.der'), ee_error); | |
| 97 | |
| 98 // v1 intermediate with v3 extensions. CA is invalid. | |
| 99 if (useMozillaPKIX) { | |
| 100 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 101 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 102 } else { | |
| 103 ca_error = 0; | |
| 104 ee_error = 0; | |
| 105 } | |
| 106 check_ca_err(cert_from_file('v1_int_bc-v1_ca.der'), ca_error); | |
| 107 check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca.der'), ee_error); | |
| 108 check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca.der'), ee_error); | |
| 109 check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca.der'), ee_error); | |
| 110 check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca.der'), ee_error); | |
| 111 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca.der'), ee_error); | |
| 112 check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca.der'), ee_error); | |
| 113 check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca.der'), ee_error); | |
| 114 | |
| 115 // A v2 intermediate with a v1 CA | |
| 116 if (useMozillaPKIX) { | |
| 117 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 118 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 119 } else { | |
| 120 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; | |
| 121 ee_error = SEC_ERROR_UNKNOWN_ISSUER; | |
| 122 } | |
| 123 check_ca_err(cert_from_file('v2_int-v1_ca.der'), ca_error); | |
| 124 check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca.der'), ee_error); | |
| 125 check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca.der'), ee_error); | |
| 126 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca.der'), ee_error); | |
| 127 check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca.der'), ee_error); | |
| 128 if (useMozillaPKIX) { | |
| 129 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 130 } | |
| 131 check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca.der'), ee_error); | |
| 132 check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca.der'), ee_error); | |
| 133 check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca.der'), ee_error); | |
| 134 | |
| 135 // A v2 intermediate with basic constraints (not allowed in insanity) | |
| 136 if (useMozillaPKIX) { | |
| 137 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 138 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 139 } else { | |
| 140 ca_error = 0; | |
| 141 ee_error = 0; | |
| 142 } | |
| 143 check_ca_err(cert_from_file('v2_int_bc-v1_ca.der'), ca_error); | |
| 144 check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca.der'), ee_error); | |
| 145 check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca.der'), ee_error); | |
| 146 check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca.der'), ee_error); | |
| 147 check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca.der'), ee_error); | |
| 148 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca.der'), ee_error); | |
| 149 check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca.der'), ee_error); | |
| 150 check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca.der'), ee_error); | |
| 151 | |
| 152 // Section is OK. A x509 v3 CA MUST have bc | |
| 153 // http://tools.ietf.org/html/rfc5280#section-4.2.1.9 | |
| 154 if (useMozillaPKIX) { | |
| 155 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 156 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 157 } else { | |
| 158 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; | |
| 159 ee_error = SEC_ERROR_UNKNOWN_ISSUER; | |
| 160 } | |
| 161 check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), ca_error); | |
| 162 check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca.der'), ee_error); | |
| 163 check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca.der'), ee_error); | |
| 164 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); | |
| 165 check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); | |
| 166 if (useMozillaPKIX) { | |
| 167 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 168 } | |
| 169 check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); | |
| 170 check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); | |
| 171 check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); | |
| 172 | |
| 173 // It is valid for a v1 ca to sign a v3 intemediate. | |
| 174 check_ok_ca(cert_from_file('v3_int-v1_ca.der')); | |
| 175 check_ok(cert_from_file('v1_ee-v3_int-v1_ca.der')); | |
| 176 check_ok(cert_from_file('v2_ee-v3_int-v1_ca.der')); | |
| 177 check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca.der')); | |
| 178 check_ok(cert_from_file('v3_bc_ee-v3_int-v1_ca.der')); | |
| 179 if (useMozillaPKIX) { | |
| 180 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 181 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 182 } else { | |
| 183 ca_error = 0; | |
| 184 ee_error = 0; | |
| 185 } | |
| 186 check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca.der'), ee_error); | |
| 187 check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca.der'), ee_error); | |
| 188 check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca.der'), ee_error); | |
| 189 | |
| 190 // The next groups change the v1 ca for a v1 ca with base constraints | |
| 191 // (invalid trust anchor). The error pattern is the same as the groups | |
| 192 // above | |
| 193 | |
| 194 // Using A v1 intermediate | |
| 195 if (useMozillaPKIX) { | |
| 196 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 197 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 198 } else { | |
| 199 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; | |
| 200 ee_error = SEC_ERROR_UNKNOWN_ISSUER; | |
| 201 } | |
| 202 check_ca_err(cert_from_file('v1_int-v1_ca_bc.der'), ca_error); | |
| 203 check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca_bc.der'), ee_error); | |
| 204 check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca_bc.der'), ee_error); | |
| 205 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca_bc.der'), ee_error); | |
| 206 check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca_bc.der'), ee_error); | |
| 207 if (useMozillaPKIX) { | |
| 208 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 209 } | |
| 210 check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca_bc.der'), ee_error); | |
| 211 check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca_bc.der'), ee_error); | |
| 212 check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca_bc.der'), ee_error); | |
| 213 | |
| 214 // Using a v1 intermediate with v3 extenstions (invalid). | |
| 215 if (useMozillaPKIX) { | |
| 216 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 217 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 218 } else { | |
| 219 ca_error = 0; | |
| 220 ee_error = 0; | |
| 221 } | |
| 222 check_ca_err(cert_from_file('v1_int_bc-v1_ca_bc.der'), ca_error); | |
| 223 check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca_bc.der'), ee_error); | |
| 224 check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); | |
| 225 check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca_bc.der'), ee_error); | |
| 226 check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); | |
| 227 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); | |
| 228 check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); | |
| 229 check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); | |
| 230 | |
| 231 // Using v2 intermediate | |
| 232 if (useMozillaPKIX) { | |
| 233 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 234 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 235 } else { | |
| 236 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; | |
| 237 ee_error = SEC_ERROR_UNKNOWN_ISSUER; | |
| 238 } | |
| 239 check_ca_err(cert_from_file('v2_int-v1_ca_bc.der'), ca_error); | |
| 240 check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca_bc.der'), ee_error); | |
| 241 check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca_bc.der'), ee_error); | |
| 242 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca_bc.der'), ee_error); | |
| 243 check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca_bc.der'), ee_error); | |
| 244 if (useMozillaPKIX) { | |
| 245 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 246 } | |
| 247 check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca_bc.der'), ee_error); | |
| 248 check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca_bc.der'), ee_error); | |
| 249 check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca_bc.der'), ee_error); | |
| 250 | |
| 251 // Using a v2 intermediate with basic constraints (invalid) | |
| 252 if (useMozillaPKIX) { | |
| 253 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 254 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 255 } else { | |
| 256 ca_error = 0; | |
| 257 ee_error = 0; | |
| 258 } | |
| 259 check_ca_err(cert_from_file('v2_int_bc-v1_ca_bc.der'), ca_error); | |
| 260 check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca_bc.der'), ee_error); | |
| 261 check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); | |
| 262 check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca_bc.der'), ee_error); | |
| 263 check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); | |
| 264 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); | |
| 265 check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); | |
| 266 check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); | |
| 267 | |
| 268 // Using a v3 intermediate that is missing basic constraints (invalid) | |
| 269 if (useMozillaPKIX) { | |
| 270 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 271 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 272 } else { | |
| 273 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; | |
| 274 ee_error = SEC_ERROR_UNKNOWN_ISSUER; | |
| 275 } | |
| 276 check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca_bc.der'), ca_error); | |
| 277 check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); | |
| 278 check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); | |
| 279 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); | |
| 280 check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); | |
| 281 if (useMozillaPKIX) { | |
| 282 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 283 } | |
| 284 check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); | |
| 285 check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); | |
| 286 check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); | |
| 287 | |
| 288 // these should pass assuming we are OK with v1 ca signing v3 intermediates | |
| 289 if (useMozillaPKIX) { | |
| 290 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 291 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 292 } else { | |
| 293 ca_error = 0; | |
| 294 ee_error = 0; | |
| 295 } | |
| 296 check_ca_err(cert_from_file('v3_int-v1_ca_bc.der'), ca_error); | |
| 297 check_cert_err(cert_from_file('v1_ee-v3_int-v1_ca_bc.der'), ee_error); | |
| 298 check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca_bc.der'), ee_error); | |
| 299 check_cert_err(cert_from_file('v2_ee-v3_int-v1_ca_bc.der'), ee_error); | |
| 300 check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca_bc.der'), ee_error); | |
| 301 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca_bc.der'), ee_error); | |
| 302 check_cert_err(cert_from_file('v3_bc_ee-v3_int-v1_ca_bc.der'), ee_error); | |
| 303 check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca_bc.der'), ee_error); | |
| 304 | |
| 305 | |
| 306 ////////////// | |
| 307 // v2 CA supersection | |
| 308 ////////////////// | |
| 309 | |
| 310 // v2 ca, v1 intermediate | |
| 311 if (useMozillaPKIX) { | |
| 312 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 313 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 314 } else { | |
| 315 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; | |
| 316 ee_error = SEC_ERROR_UNKNOWN_ISSUER; | |
| 317 } | |
| 318 check_ca_err(cert_from_file('v1_int-v2_ca.der'), ca_error); | |
| 319 check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca.der'), ee_error); | |
| 320 check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca.der'), ee_error); | |
| 321 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca.der'), ee_error); | |
| 322 check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca.der'), ee_error); | |
| 323 if (useMozillaPKIX) { | |
| 324 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 325 } | |
| 326 check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca.der'), ee_error) | |
| 327 check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca.der'), ee_error); | |
| 328 check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca.der'), ee_error); | |
| 329 | |
| 330 // v2 ca, v1 intermediate with basic constraints (invalid) | |
| 331 if (useMozillaPKIX) { | |
| 332 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 333 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 334 } else { | |
| 335 ca_error = 0; | |
| 336 ee_error = 0; | |
| 337 } | |
| 338 check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), ca_error); | |
| 339 check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), ee_error); | |
| 340 check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), ee_error); | |
| 341 check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca.der'), ee_error); | |
| 342 check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca.der'), ee_error); | |
| 343 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca.der'), ee_error); | |
| 344 check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca.der'), ee_error); | |
| 345 check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), ee_error); | |
| 346 | |
| 347 // v2 ca, v2 intermediate | |
| 348 if (useMozillaPKIX) { | |
| 349 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 350 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 351 } else { | |
| 352 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; | |
| 353 ee_error = SEC_ERROR_UNKNOWN_ISSUER; | |
| 354 } | |
| 355 check_ca_err(cert_from_file('v2_int-v2_ca.der'), ca_error); | |
| 356 check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca.der'), ee_error); | |
| 357 check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca.der'), ee_error); | |
| 358 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca.der'), ee_error); | |
| 359 check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca.der'), ee_error); | |
| 360 if (useMozillaPKIX) { | |
| 361 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 362 } | |
| 363 check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca.der'), ee_error); | |
| 364 check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca.der'), ee_error); | |
| 365 check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca.der'), ee_error) | |
| 366 | |
| 367 // v2 ca, v2 intermediate with basic constraints (invalid) | |
| 368 if (useMozillaPKIX) { | |
| 369 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 370 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 371 } else { | |
| 372 ca_error = 0; | |
| 373 ee_error = 0; | |
| 374 } | |
| 375 check_ca_err(cert_from_file('v2_int_bc-v2_ca.der'), ca_error); | |
| 376 check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca.der'), ee_error); | |
| 377 check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca.der'), ee_error); | |
| 378 check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca.der'), ee_error); | |
| 379 check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca.der'), ee_error); | |
| 380 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca.der'), ee_error); | |
| 381 check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca.der'), ee_error); | |
| 382 check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca.der'), ee_error); | |
| 383 | |
| 384 // v2 ca, v3 intermediate missing basic constraints | |
| 385 if (useMozillaPKIX) { | |
| 386 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 387 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 388 } else { | |
| 389 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; | |
| 390 ee_error = SEC_ERROR_UNKNOWN_ISSUER; | |
| 391 } | |
| 392 check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca.der'), ca_error); | |
| 393 check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca.der'), ee_error); | |
| 394 check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca.der'), ee_error); | |
| 395 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); | |
| 396 check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); | |
| 397 if (useMozillaPKIX) { | |
| 398 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 399 } | |
| 400 check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); | |
| 401 check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); | |
| 402 check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); | |
| 403 | |
| 404 // v2 ca, v3 intermediate | |
| 405 if (useMozillaPKIX) { | |
| 406 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 407 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 408 } else { | |
| 409 ca_error = 0; | |
| 410 ee_error = 0; | |
| 411 } | |
| 412 check_ca_err(cert_from_file('v3_int-v2_ca.der'), ca_error); | |
| 413 check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca.der'), ee_error); | |
| 414 check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca.der'), ee_error); | |
| 415 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca.der'), ee_error); | |
| 416 check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca.der'), ee_error); | |
| 417 if (useMozillaPKIX) { | |
| 418 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 419 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 420 } else { | |
| 421 ca_error = 0; | |
| 422 ee_error = 0; | |
| 423 } | |
| 424 check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca.der'), ee_error); | |
| 425 check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca.der'), ee_error); | |
| 426 check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca.der'), ee_error); | |
| 427 | |
| 428 // v2 ca, v1 intermediate | |
| 429 if (useMozillaPKIX) { | |
| 430 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 431 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 432 } else { | |
| 433 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; | |
| 434 ee_error = SEC_ERROR_UNKNOWN_ISSUER; | |
| 435 } | |
| 436 check_ca_err(cert_from_file('v1_int-v2_ca_bc.der'), ca_error); | |
| 437 check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca_bc.der'), ee_error); | |
| 438 check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca_bc.der'), ee_error); | |
| 439 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca_bc.der'), ee_error); | |
| 440 check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca_bc.der'), ee_error); | |
| 441 if (useMozillaPKIX) { | |
| 442 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 443 } | |
| 444 check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca_bc.der'), ee_error); | |
| 445 check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca_bc.der'), ee_error); | |
| 446 check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca_bc.der'), ee_error); | |
| 447 | |
| 448 // v2 ca, v1 intermediate with bc (invalid) | |
| 449 if (useMozillaPKIX) { | |
| 450 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 451 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 452 } else { | |
| 453 ca_error = 0; | |
| 454 ee_error = 0; | |
| 455 } | |
| 456 check_ca_err(cert_from_file('v1_int_bc-v2_ca_bc.der'), ca_error); | |
| 457 check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca_bc.der'), ee_error); | |
| 458 check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); | |
| 459 check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca_bc.der'), ee_error); | |
| 460 check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); | |
| 461 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); | |
| 462 check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); | |
| 463 check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); | |
| 464 | |
| 465 // v2 ca, v2 intermediate | |
| 466 if (useMozillaPKIX) { | |
| 467 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 468 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 469 } else { | |
| 470 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; | |
| 471 ee_error = SEC_ERROR_UNKNOWN_ISSUER; | |
| 472 } | |
| 473 check_ca_err(cert_from_file('v2_int-v2_ca_bc.der'), ca_error); | |
| 474 check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca_bc.der'), ee_error); | |
| 475 check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca_bc.der'), ee_error); | |
| 476 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca_bc.der'), ee_error); | |
| 477 check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca_bc.der'), ee_error); | |
| 478 if (useMozillaPKIX) { | |
| 479 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 480 } | |
| 481 check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca_bc.der'), ee_error); | |
| 482 check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca_bc.der'), ee_error); | |
| 483 check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca_bc.der'), ee_error); | |
| 484 | |
| 485 // v2 ca, v2 intermediate with bc (invalid) | |
| 486 if (useMozillaPKIX) { | |
| 487 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 488 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 489 } else { | |
| 490 ca_error = 0; | |
| 491 ee_error = 0; | |
| 492 } | |
| 493 check_ca_err(cert_from_file('v2_int_bc-v2_ca_bc.der'), ca_error); | |
| 494 check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca_bc.der'), ee_error); | |
| 495 check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); | |
| 496 check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca_bc.der'), ee_error); | |
| 497 check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); | |
| 498 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); | |
| 499 check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); | |
| 500 check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); | |
| 501 | |
| 502 // v2 ca, invalid v3 intermediate | |
| 503 if (useMozillaPKIX) { | |
| 504 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 505 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 506 } else { | |
| 507 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; | |
| 508 ee_error = SEC_ERROR_UNKNOWN_ISSUER; | |
| 509 } | |
| 510 check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca_bc.der'), ca_error); | |
| 511 check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); | |
| 512 check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); | |
| 513 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); | |
| 514 check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); | |
| 515 if (useMozillaPKIX) { | |
| 516 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 517 } | |
| 518 check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); | |
| 519 check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error) | |
| 520 check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); | |
| 521 | |
| 522 // v2 ca, valid v3 intermediate (is OK if we use 'classic' semantics) | |
| 523 if (useMozillaPKIX) { | |
| 524 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 525 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 526 } else { | |
| 527 ca_error = 0; | |
| 528 ee_error = 0; | |
| 529 } | |
| 530 check_ca_err(cert_from_file('v3_int-v2_ca_bc.der'), ca_error); | |
| 531 check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca_bc.der'), ee_error); | |
| 532 check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca_bc.der'), ee_error); | |
| 533 check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca_bc.der'), ee_error); | |
| 534 check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca_bc.der'), ee_error); | |
| 535 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca_bc.der'), ee_error); | |
| 536 check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca_bc.der'), ee_error); | |
| 537 check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca_bc.der'), ee_error); | |
| 538 | |
| 539 ////////////// | |
| 540 // v3 CA supersection | |
| 541 ////////////////// | |
| 542 | |
| 543 // v3 ca, v1 intermediate | |
| 544 if (useMozillaPKIX) { | |
| 545 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 546 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 547 } else { | |
| 548 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; | |
| 549 ee_error = SEC_ERROR_UNKNOWN_ISSUER; | |
| 550 } | |
| 551 check_ca_err(cert_from_file('v1_int-v3_ca.der'), ca_error); | |
| 552 check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca.der'), ee_error); | |
| 553 check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca.der'), ee_error); | |
| 554 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca.der'), ee_error); | |
| 555 check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca.der'), ee_error); | |
| 556 if (useMozillaPKIX) { | |
| 557 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 558 } | |
| 559 check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca.der'), ee_error); | |
| 560 check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca.der'), ee_error); | |
| 561 check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca.der'), ee_error); | |
| 562 | |
| 563 // A v1 intermediate with v3 extensions | |
| 564 if (useMozillaPKIX) { | |
| 565 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 566 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 567 } else { | |
| 568 ca_error = 0; | |
| 569 ee_error = 0; | |
| 570 } | |
| 571 check_ca_err(cert_from_file('v1_int_bc-v3_ca.der'), ca_error); | |
| 572 check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca.der'), ee_error); | |
| 573 check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca.der'), ee_error); | |
| 574 check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca.der'), ee_error); | |
| 575 check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca.der'), ee_error); | |
| 576 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca.der'), ee_error); | |
| 577 check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca.der'), ee_error); | |
| 578 check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca.der'), ee_error) | |
| 579 | |
| 580 // reject a v2 cert as intermediate | |
| 581 if (useMozillaPKIX) { | |
| 582 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 583 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 584 } else { | |
| 585 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; | |
| 586 ee_error = SEC_ERROR_UNKNOWN_ISSUER; | |
| 587 } | |
| 588 check_ca_err(cert_from_file('v2_int-v3_ca.der'), ca_error); | |
| 589 check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca.der'), ee_error); | |
| 590 check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca.der'), ee_error); | |
| 591 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca.der'), ee_error); | |
| 592 check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca.der'), ee_error); | |
| 593 if (useMozillaPKIX) { | |
| 594 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 595 } | |
| 596 check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca.der'), ee_error); | |
| 597 check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca.der'), ee_error); | |
| 598 check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca.der'), ee_error); | |
| 599 | |
| 600 // v2 intermediate with bc (invalid) | |
| 601 if (useMozillaPKIX) { | |
| 602 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 603 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 604 } else { | |
| 605 ca_error = 0; | |
| 606 ee_error = 0; | |
| 607 } | |
| 608 check_ca_err(cert_from_file('v2_int_bc-v3_ca.der'), ca_error); | |
| 609 check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca.der'), ee_error); | |
| 610 check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca.der'), ee_error); | |
| 611 check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca.der'), ee_error); | |
| 612 check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca.der'), ee_error); | |
| 613 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca.der'), ee_error); | |
| 614 check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca.der'), ee_error); | |
| 615 check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca.der'), ee_error); | |
| 616 | |
| 617 // invalid v3 intermediate | |
| 618 if (useMozillaPKIX) { | |
| 619 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 620 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 621 } else { | |
| 622 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; | |
| 623 ee_error = SEC_ERROR_UNKNOWN_ISSUER; | |
| 624 } | |
| 625 check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca.der'), ca_error); | |
| 626 check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca.der'), ee_error); | |
| 627 check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca.der'), ee_error); | |
| 628 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); | |
| 629 check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); | |
| 630 if (useMozillaPKIX) { | |
| 631 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 632 } | |
| 633 check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); | |
| 634 check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); | |
| 635 check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); | |
| 636 | |
| 637 // I dont think that v3 intermediates should be allowed to sign v1 or v2 | |
| 638 // certs, but other thanthat this is what we usually get in the wild. | |
| 639 check_ok_ca(cert_from_file('v3_int-v3_ca.der')); | |
| 640 check_ok(cert_from_file('v1_ee-v3_int-v3_ca.der')); | |
| 641 check_ok(cert_from_file('v2_ee-v3_int-v3_ca.der')); | |
| 642 check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca.der')); | |
| 643 check_ok(cert_from_file('v3_bc_ee-v3_int-v3_ca.der')); | |
| 644 if (useMozillaPKIX) { | |
| 645 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 646 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 647 } else { | |
| 648 ca_error = 0; | |
| 649 ee_error = 0; | |
| 650 } | |
| 651 check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca.der'), ee_error); | |
| 652 check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca.der'), ee_error); | |
| 653 check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca.der'), ee_error); | |
| 654 | |
| 655 // v3 CA, invalid v3 intermediate | |
| 656 if (useMozillaPKIX) { | |
| 657 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 658 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 659 } else { | |
| 660 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; | |
| 661 ee_error = SEC_ERROR_UNKNOWN_ISSUER; | |
| 662 } | |
| 663 check_ca_err(cert_from_file('v1_int-v3_ca_missing_bc.der'), ca_error); | |
| 664 check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca_missing_bc.der'), ee_error); | |
| 665 check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca_missing_bc.der'), ee_error); | |
| 666 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); | |
| 667 check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); | |
| 668 if (useMozillaPKIX) { | |
| 669 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 670 } | |
| 671 check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); | |
| 672 check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); | |
| 673 check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); | |
| 674 | |
| 675 // Int v1 with BC that is just invalid (classic fail insanity OK) | |
| 676 if (useMozillaPKIX) { | |
| 677 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 678 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 679 } else { | |
| 680 ca_error = 0; | |
| 681 ee_error = 0; | |
| 682 } | |
| 683 check_ca_err(cert_from_file('v1_int_bc-v3_ca_missing_bc.der'), ca_error); | |
| 684 check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); | |
| 685 check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); | |
| 686 check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); | |
| 687 check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); | |
| 688 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); | |
| 689 check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); | |
| 690 check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); | |
| 691 | |
| 692 // Good section (all fail) | |
| 693 if (useMozillaPKIX) { | |
| 694 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 695 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 696 } else { | |
| 697 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; | |
| 698 ee_error = SEC_ERROR_UNKNOWN_ISSUER; | |
| 699 } | |
| 700 check_ca_err(cert_from_file('v2_int-v3_ca_missing_bc.der'), ca_error); | |
| 701 check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca_missing_bc.der'), ee_error); | |
| 702 check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca_missing_bc.der'), ee_error); | |
| 703 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); | |
| 704 check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); | |
| 705 if (useMozillaPKIX) { | |
| 706 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 707 } | |
| 708 check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); | |
| 709 check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); | |
| 710 check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); | |
| 711 | |
| 712 // v2 intermediate (even with basic constraints) is invalid | |
| 713 if (useMozillaPKIX) { | |
| 714 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 715 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 716 } else { | |
| 717 ca_error = 0; | |
| 718 ee_error = 0; | |
| 719 } | |
| 720 check_ca_err(cert_from_file('v2_int_bc-v3_ca_missing_bc.der'), ca_error); | |
| 721 check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); | |
| 722 check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); | |
| 723 check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); | |
| 724 check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); | |
| 725 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); | |
| 726 check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); | |
| 727 check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); | |
| 728 | |
| 729 // v3 intermediate missing basic constraints is invalid | |
| 730 if (useMozillaPKIX) { | |
| 731 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 732 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 733 } else { | |
| 734 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; | |
| 735 ee_error = SEC_ERROR_UNKNOWN_ISSUER; | |
| 736 } | |
| 737 check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca_missing_bc.der'), ca_error); | |
| 738 check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); | |
| 739 check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); | |
| 740 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); | |
| 741 check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); | |
| 742 if (useMozillaPKIX) { | |
| 743 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 744 } | |
| 745 check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); | |
| 746 check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); | |
| 747 check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); | |
| 748 | |
| 749 // With a v3 root missing bc and valid v3 intermediate | |
| 750 if (useMozillaPKIX) { | |
| 751 ca_error = SEC_ERROR_CA_CERT_INVALID; | |
| 752 ee_error = SEC_ERROR_CA_CERT_INVALID; | |
| 753 } else { | |
| 754 ca_error = 0; | |
| 755 ee_error = 0; | |
| 756 } | |
| 757 check_ca_err(cert_from_file('v3_int-v3_ca_missing_bc.der'), ca_error); | |
| 758 check_cert_err(cert_from_file('v1_ee-v3_int-v3_ca_missing_bc.der'), ee_error); | |
| 759 check_cert_err(cert_from_file('v2_ee-v3_int-v3_ca_missing_bc.der'), ee_error); | |
| 760 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); | |
| 761 check_cert_err(cert_from_file('v3_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); | |
| 762 if (useMozillaPKIX) { | |
| 763 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 764 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; | |
| 765 } else { | |
| 766 ca_error = 0; | |
| 767 ee_error = 0; | |
| 768 } | |
| 769 check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); | |
| 770 check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); | |
| 771 check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); | |
| 772 } | |
| 773 | |
| 774 function run_test() { | |
| 775 load_cert("v1_ca", "CTu,CTu,CTu"); | |
| 776 load_cert("v1_ca_bc", "CTu,CTu,CTu"); | |
| 777 load_cert("v2_ca", "CTu,CTu,CTu"); | |
| 778 load_cert("v2_ca_bc", "CTu,CTu,CTu"); | |
| 779 load_cert("v3_ca", "CTu,CTu,CTu"); | |
| 780 load_cert("v3_ca_missing_bc", "CTu,CTu,CTu"); | |
| 781 | |
| 782 run_tests_in_mode(false); | |
| 783 run_tests_in_mode(true); | |
| 784 } |
