The Tor Browser / file comparison
comparison: security/manager/ssl/tests/unit/test_certificate_usages.js
security/manager/ssl/tests/unit/test_certificate_usages.js
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
equal
deleted
inserted
replaced
| -1:000000000000 | 0:a51b2edf1c5c |
|---|---|
| 1 "use strict"; | |
| 2 | |
| 3 /* To regenerate the certificates and apps for this test: | |
| 4 | |
| 5 cd security/manager/ssl/tests/unit/test_certificate_usages | |
| 6 PATH=$NSS/bin:$NSS/lib:$PATH ./generate.pl | |
| 7 cd ../../../../../.. | |
| 8 make -C $OBJDIR/security/manager/ssl/tests | |
| 9 | |
| 10 $NSS is the path to NSS binaries and libraries built for the host platform. | |
| 11 If you get error messages about "CertUtil" on Windows, then it means that | |
| 12 the Windows CertUtil.exe is ahead of the NSS certutil.exe in $PATH. | |
| 13 | |
| 14 Check in the generated files. These steps are not done as part of the build | |
| 15 because we do not want to add a build-time dependency on the OpenSSL or NSS | |
| 16 tools or libraries built for the host platform. | |
| 17 */ | |
| 18 | |
| 19 do_get_profile(); // must be called before getting nsIX509CertDB | |
| 20 const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB); | |
| 21 | |
| 22 const gNumCAs = 4; | |
| 23 | |
| 24 function run_test() { | |
| 25 //ca's are one based! | |
| 26 for (var i = 0; i < gNumCAs; i++) { | |
| 27 var ca_name = "ca-" + (i + 1); | |
| 28 var ca_filename = ca_name + ".der"; | |
| 29 addCertFromFile(certdb, "test_certificate_usages/" + ca_filename, "CTu,CTu,CTu"); | |
| 30 do_print("ca_name=" + ca_name); | |
| 31 var cert = certdb.findCertByNickname(null, ca_name); | |
| 32 } | |
| 33 | |
| 34 run_test_in_mode(true); | |
| 35 run_test_in_mode(false); | |
| 36 } | |
| 37 | |
| 38 function run_test_in_mode(useMozillaPKIX) { | |
| 39 Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX); | |
| 40 clearOCSPCache(); | |
| 41 clearSessionCache(); | |
| 42 | |
| 43 // mozilla::pkix does not allow CA certs to be validated for non-CA usages. | |
| 44 var allCAUsages = useMozillaPKIX | |
| 45 ? 'SSL CA' | |
| 46 : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder'; | |
| 47 | |
| 48 // mozilla::pkix doesn't allow CA certificates to have the Status Responder | |
| 49 // EKU. | |
| 50 var ca_usages = [allCAUsages, | |
| 51 'SSL CA', | |
| 52 allCAUsages, | |
| 53 useMozillaPKIX ? '' | |
| 54 : 'Client,Server,Sign,Encrypt,Status Responder']; | |
| 55 | |
| 56 // mozilla::pkix doesn't implement the Netscape Object Signer restriction. | |
| 57 var basicEndEntityUsages = useMozillaPKIX | |
| 58 ? 'Client,Server,Sign,Encrypt,Object Signer' | |
| 59 : 'Client,Server,Sign,Encrypt'; | |
| 60 var basicEndEntityUsagesWithObjectSigner = basicEndEntityUsages + ",Object Signer" | |
| 61 | |
| 62 // mozilla::pkix won't let a certificate with the "Status Responder" EKU get | |
| 63 // validated for any other usage. | |
| 64 var statusResponderUsages = (useMozillaPKIX ? "" : "Server,") + "Status Responder"; | |
| 65 var statusResponderUsagesFull | |
| 66 = useMozillaPKIX ? statusResponderUsages | |
| 67 : basicEndEntityUsages + ',Object Signer,Status Responder'; | |
| 68 | |
| 69 var ee_usages = [ | |
| 70 [ basicEndEntityUsages, | |
| 71 basicEndEntityUsages, | |
| 72 basicEndEntityUsages, | |
| 73 '', | |
| 74 statusResponderUsagesFull, | |
| 75 'Client,Server', | |
| 76 'Sign,Encrypt,Object Signer', | |
| 77 statusResponderUsages | |
| 78 ], | |
| 79 | |
| 80 [ basicEndEntityUsages, | |
| 81 basicEndEntityUsages, | |
| 82 basicEndEntityUsages, | |
| 83 '', | |
| 84 statusResponderUsagesFull, | |
| 85 'Client,Server', | |
| 86 'Sign,Encrypt,Object Signer', | |
| 87 statusResponderUsages | |
| 88 ], | |
| 89 | |
| 90 [ basicEndEntityUsages, | |
| 91 basicEndEntityUsages, | |
| 92 basicEndEntityUsages, | |
| 93 '', | |
| 94 statusResponderUsagesFull, | |
| 95 'Client,Server', | |
| 96 'Sign,Encrypt,Object Signer', | |
| 97 statusResponderUsages | |
| 98 ], | |
| 99 | |
| 100 // The CA has isCA=true without keyCertSign. | |
| 101 // | |
| 102 // The 'classic' NSS mode uses the 'union' of the | |
| 103 // capabilites so the cert is considered a CA. | |
| 104 // mozilla::pkix and libpkix use the intersection of | |
| 105 // capabilites, so the cert is NOT considered a CA. | |
| 106 [ useMozillaPKIX ? '' : basicEndEntityUsages, | |
| 107 useMozillaPKIX ? '' : basicEndEntityUsages, | |
| 108 useMozillaPKIX ? '' : basicEndEntityUsages, | |
| 109 '', | |
| 110 useMozillaPKIX ? '' : statusResponderUsagesFull, | |
| 111 useMozillaPKIX ? '' : 'Client,Server', | |
| 112 useMozillaPKIX ? '' : 'Sign,Encrypt,Object Signer', | |
| 113 useMozillaPKIX ? '' : 'Server,Status Responder' | |
| 114 ] | |
| 115 ]; | |
| 116 | |
| 117 do_check_eq(gNumCAs, ca_usages.length); | |
| 118 | |
| 119 for (var i = 0; i < gNumCAs; i++) { | |
| 120 var ca_name = "ca-" + (i + 1); | |
| 121 var verified = {}; | |
| 122 var usages = {}; | |
| 123 var cert = certdb.findCertByNickname(null, ca_name); | |
| 124 cert.getUsagesString(true, verified, usages); | |
| 125 do_print("usages.value=" + usages.value); | |
| 126 do_check_eq(ca_usages[i], usages.value); | |
| 127 if (ca_usages[i].indexOf('SSL CA') != -1) { | |
| 128 checkCertErrorGeneric(certdb, cert, 0, certificateUsageVerifyCA); | |
| 129 } | |
| 130 //now the ee, names also one based | |
| 131 for (var j = 0; j < ee_usages[i].length; j++) { | |
| 132 var ee_name = "ee-" + (j + 1) + "-" + ca_name; | |
| 133 var ee_filename = ee_name + ".der"; | |
| 134 //do_print("ee_filename" + ee_filename); | |
| 135 addCertFromFile(certdb, "test_certificate_usages/" + ee_filename, ",,"); | |
| 136 var ee_cert; | |
| 137 ee_cert = certdb.findCertByNickname(null, ee_name); | |
| 138 var verified = {}; | |
| 139 var usages = {}; | |
| 140 ee_cert.getUsagesString(true, verified, usages); | |
| 141 do_print("cert usages.value=" + usages.value); | |
| 142 do_check_eq(ee_usages[i][j], usages.value); | |
| 143 } | |
| 144 } | |
| 145 } |
