security/manager/ssl/tests/unit/test_cert_trust.js

changeset 0
6474c204b198
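--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,256 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb  = Cc["@mozilla.org/security/x509certdb;1"]
+                  .getService(Ci.nsIX509CertDB);
+
+let certList = [
+  'ee',
+  'int',
+  'ca',
+]
+
+function load_cert(cert_name, trust_string) {
+  let cert_filename = cert_name + ".der";
+  addCertFromFile(certdb, "test_cert_trust/" + cert_filename, trust_string);
+}
+
+function setup_basic_trusts(ca_cert, int_cert) {
+  certdb.setCertTrust(ca_cert, Ci.nsIX509Cert.CA_CERT,
+                      Ci.nsIX509CertDB.TRUSTED_SSL |
+                      Ci.nsIX509CertDB.TRUSTED_EMAIL |
+                      Ci.nsIX509CertDB.TRUSTED_OBJSIGN);
+
+  certdb.setCertTrust(int_cert, Ci.nsIX509Cert.CA_CERT, 0);
+}
+
+function check_cert_err_generic(cert, expected_error, usage) {
+  do_print("cert cn=" + cert.commonName);
+  do_print("cert issuer cn=" + cert.issuerCommonName);
+  let hasEVPolicy = {};
+  let verifiedChain = {};
+  let error = certdb.verifyCertNow(cert, usage,
+                                   NO_FLAGS, verifiedChain, hasEVPolicy);
+  do_check_eq(error,  expected_error);
+};
+
+function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKIX) {
+  // On reset most usages are successful
+  check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
+  check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageSSLCA);  // expected no bc
+  check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
+  check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageObjectSigner); // expected
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : 0,
+                         certificateUsageVerifyCA);
+  // mozilla::pkix enforces that certificase must have a basic constraints
+  // extension with cA:true to be a CA certificate,  whereas classic does not
+  check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageStatusResponder); //expected
+
+
+  // Test of active distrust. No usage should pass.
+  setCertTrust(cert_to_modify_trust, 'p,p,p');
+  check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+                         certificateUsageSSLServer);
+  check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+                         certificateUsageSSLClient);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageSSLCA);
+  check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+                         certificateUsageEmailSigner);
+  check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+                         certificateUsageEmailRecipient);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageObjectSigner);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : 0,
+                         certificateUsageVerifyCA);
+  // In mozilla::pkix (but not classic verification), certificate chain
+  // properties are checked before the end-entity. Thus, if we're using
+  // mozilla::pkix and the root certificate has been distrusted, the error
+  // will be "untrusted issuer" and not "inadequate cert type".
+  check_cert_err_generic(ee_cert, (!isRootCA && useMozillaPKIX)
+                                    ? SEC_ERROR_UNTRUSTED_ISSUER
+                                    : SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageStatusResponder);
+
+
+  // Trust set to T  -  trusted CA to issue client certs, where client cert is
+  // usageSSLClient.
+  setCertTrust(cert_to_modify_trust, 'T,T,T');
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
+                                           : 0,
+                         certificateUsageSSLServer);
+
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER //XXX Bug 982340
+                                                            : 0
+                                           : 0,
+                         certificateUsageSSLClient);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageSSLCA);
+
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
+                                           : 0,
+                         certificateUsageEmailSigner);
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
+                                           : 0,
+                         certificateUsageEmailRecipient);
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_INADEQUATE_CERT_TYPE
+                                           : useMozillaPKIX ? 0
+                                                            : SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageObjectSigner);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : 0,
+                         certificateUsageVerifyCA);
+  check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageStatusResponder);
+
+
+  // Now tests on the SSL trust bit
+  setCertTrust(cert_to_modify_trust, 'p,C,C');
+  check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+                         certificateUsageSSLServer);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0  //XXX Bug 982340
+                                                 : SEC_ERROR_UNTRUSTED_ISSUER,
+                         certificateUsageSSLClient);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageSSLCA);
+  check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
+  check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageObjectSigner);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : 0,
+                         certificateUsageVerifyCA);
+  // In mozilla::pkix (but not classic verification), certificate chain
+  // properties are checked before the end-entity. Thus, if we're using
+  // mozilla::pkix and the root certificate has been distrusted, the error
+  // will be "untrusted issuer" and not "inadequate cert type".
+  check_cert_err_generic(ee_cert, (!isRootCA && useMozillaPKIX)
+                                    ? SEC_ERROR_UNTRUSTED_ISSUER
+                                    : SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageStatusResponder);
+
+  // Inherited trust SSL
+  setCertTrust(cert_to_modify_trust, ',C,C');
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
+                                           : 0,
+                         certificateUsageSSLServer);
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? 0  // XXX Bug 982340
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
+                                           : 0,
+                         certificateUsageSSLClient);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageSSLCA);
+  check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
+  check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageObjectSigner);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : 0,
+                         certificateUsageVerifyCA);
+  check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageStatusResponder);
+
+  // Now tests on the EMAIL trust bit
+  setCertTrust(cert_to_modify_trust, 'C,p,C');
+  check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
+  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER
+                                           : useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
+                                                            : 0, // mozilla::pkix is OK, NSS bug
+                         certificateUsageSSLClient);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageSSLCA);
+  check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+                         certificateUsageEmailSigner);
+  check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+                         certificateUsageEmailRecipient);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageObjectSigner);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : 0,
+                         certificateUsageVerifyCA);
+  check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageStatusResponder);
+
+
+  //inherited EMAIL Trust
+  setCertTrust(cert_to_modify_trust, 'C,,C');
+  check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
+                                           : 0,
+                         certificateUsageSSLClient);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageSSLCA);
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
+                                           : 0,
+                         certificateUsageEmailSigner);
+  check_cert_err_generic(ee_cert, isRootCA ? useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
+                                                            : SEC_ERROR_UNTRUSTED_ISSUER
+                                           : 0,
+                         certificateUsageEmailRecipient);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
+                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageObjectSigner);
+  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
+                                                 : 0,
+                         certificateUsageVerifyCA);
+  check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
+                         certificateUsageStatusResponder);
+}
+
+
+function run_test_in_mode(useMozillaPKIX) {
+  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
+
+  let ca_cert = certdb.findCertByNickname(null, 'ca');
+  do_check_false(!ca_cert)
+  let int_cert = certdb.findCertByNickname(null, 'int');
+  do_check_false(!int_cert)
+  let ee_cert = certdb.findCertByNickname(null, 'ee');
+  do_check_false(!ee_cert);
+
+  setup_basic_trusts(ca_cert, int_cert);
+  test_ca_distrust(ee_cert, ca_cert, true, useMozillaPKIX);
+
+  setup_basic_trusts(ca_cert, int_cert);
+  test_ca_distrust(ee_cert, int_cert, false, useMozillaPKIX);
+}
+
+function run_test() {
+  for (let i = 0 ; i < certList.length; i++) {
+    load_cert(certList[i], ',,');
+  }
+
+  run_test_in_mode(true);
+  run_test_in_mode(false);
+}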
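Review bot: The three `certificateUsageSSLClient` expectations tagged `XXX Bug 982340` in test_ca_distrust (under the 'T,T,T', 'p,C,C' and ',C,C' trust strings) pin values that the marker itself flags as suspect, and none of them says which result is the intended one. In the 'p,C,C' block the test asserts that mozilla::pkix returns 0 for SSL client usage while the SSL field of the trust string is `p`, so a green run reads as if distrust had been honoured for that usage when the annotation suggests it may not be. The same applies to the `// mozilla::pkix is OK, NSS bug` expectation in the 'C,p,C' block, which accepts 0 from the classic verifier. I would expand each marker to name the current and the intended value, e.g. `// XXX Bug 982340: 0 is current behaviour; expect <INTENDED_ERROR> once fixed`, so these assertions are revisited with the bug rather than taken as the specification.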
