security/manager/ssl/tests/unit/test_cert_signatures.js

changeset 0
6474c204b198
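--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/manager/ssl/tests/unit/test_cert_signatures.js	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,110 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+/*
+ * The purpose of this test is to verify that we correctly detect bad
+ * signatures on tampered certificates. Eventually, we should also be
+ * verifying that the error we return is the correct error.
+ *
+ * To regenerate the certificates for this test:
+ *
+ *      cd security/manager/ssl/tests/unit/test_cert_signatures
+ *       ./generate.py
+ *      cd ../../../../../..
+ *      make -C $OBJDIR/security/manager/ssl/tests
+ *
+ * Check in the generated files. These steps are not done as part of the build
+ * because we do not want to add a build-time dependency on the OpenSSL or NSS
+ * tools or libraries built for the host platform.
+ */
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
+
+function load_ca(ca_name) {
+  let ca_filename = ca_name + ".der";
+  addCertFromFile(certdb, "test_cert_signatures/" + ca_filename, 'CTu,CTu,CTu');
+}
+
+function check_ca(ca_name) {
+  do_print("ca_name=" + ca_name);
+  let cert = certdb.findCertByNickname(null, ca_name);
+
+  let verified = {};
+  let usages = {};
+  cert.getUsagesString(true, verified, usages);
+  do_check_eq('SSL CA', usages.value);
+}
+
+function run_test() {
+  // Load the ca into mem
+  load_ca("ca-rsa");
+  load_ca("ca-p384");
+  load_ca("ca-dsa");
+
+  run_test_in_mode(true);
+  run_test_in_mode(false);
+}
+
+function run_test_in_mode(useMozillaPKIX) {
+  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
+  clearOCSPCache();
+  clearSessionCache();
+
+  check_ca("ca-rsa");
+  check_ca("ca-p384");
+  check_ca("ca-dsa");
+
+  // mozilla::pkix does not allow CA certs to be validated for end-entity
+  // usages.
+  let int_usage = useMozillaPKIX
+                ? 'SSL CA'
+                : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
+
+  // mozilla::pkix doesn't implement the Netscape Object Signer restriction.
+  const ee_usage = useMozillaPKIX
+                 ? 'Client,Server,Sign,Encrypt,Object Signer'
+                 : 'Client,Server,Sign,Encrypt';
+
+  let cert2usage = {
+    // certs without the "int" prefix are end entity certs.
+    'int-rsa-valid': int_usage,
+    'rsa-valid': ee_usage,
+    'int-p384-valid': int_usage,
+    'p384-valid': ee_usage,
+    'int-dsa-valid': int_usage,
+    'dsa-valid': ee_usage,
+
+    'rsa-valid-int-tampered-ee': "",
+    'p384-valid-int-tampered-ee': "",
+    'dsa-valid-int-tampered-ee': "",
+
+    'int-rsa-tampered': "",
+    'rsa-tampered-int-valid-ee': "",
+    'int-p384-tampered': "",
+    'p384-tampered-int-valid-ee': "",
+    'int-dsa-tampered': "",
+    'dsa-tampered-int-valid-ee': "",
+
+  };
+
+  // Load certs first
+  for (let cert_name in cert2usage) {
+    let cert_filename = cert_name + ".der";
+    addCertFromFile(certdb, "test_cert_signatures/" + cert_filename, ',,');
+  }
+
+  for (let cert_name in cert2usage) {
+    do_print("cert_name=" + cert_name);
+
+    let cert = certdb.findCertByNickname(null, cert_name);
+
+    let verified = {};
+    let usages = {};
+    cert.getUsagesString(true, verified, usages);
+    do_check_eq(cert2usage[cert_name], usages.value);
+  }
+}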
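Review bot: The final loop of run_test_in_mode fills `verified` through `cert.getUsagesString(true, verified, usages)` but never asserts on it, so every tampered row only checks that the usage string is empty. An empty usage string would equally result from a fixture that is expired, mis-chained or otherwise unverifiable, so a tampered row can pass without the signature check being what rejected it. Until the specific error can be compared (the header comment already names that gap), I would pin the status for the valid rows with `do_check_eq(verified.value, Ci.nsIX509Cert.VERIFIED_OK);` and use `do_check_neq(verified.value, Ci.nsIX509Cert.VERIFIED_OK);` for the tampered ones. The exact failure code each verifier reports is not visible here, so confirm it for both modes before asserting anything more specific. `check_ca` leaves `verified` unused in the same way.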
