1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/manager/ssl/tests/unit/test_cert_version.js Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,784 @@
1.4 +// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
1.5 +// This Source Code Form is subject to the terms of the Mozilla Public
1.6 +// License, v. 2.0. If a copy of the MPL was not distributed with this
1.7 +// file, You can obtain one at http://mozilla.org/MPL/2.0/.
1.8 +
1.9 +"use strict";
1.10 +
1.11 +do_get_profile(); // must be called before getting nsIX509CertDB
1.12 +const certdb = Cc["@mozilla.org/security/x509certdb;1"]
1.13 + .getService(Ci.nsIX509CertDB);
1.14 +
1.15 +function cert_from_file(filename) {
1.16 + return constructCertFromFile("test_cert_version/" + filename);
1.17 +}
1.18 +
1.19 +function load_cert(cert_name, trust_string) {
1.20 + var cert_filename = cert_name + ".der";
1.21 + addCertFromFile(certdb, "test_cert_version/" + cert_filename, trust_string);
1.22 +}
1.23 +
1.24 +function check_cert_err_generic(cert, expected_error, usage) {
1.25 + do_print("cert cn=" + cert.commonName);
1.26 + do_print("cert issuer cn=" + cert.issuerCommonName);
1.27 + let hasEVPolicy = {};
1.28 + let verifiedChain = {};
1.29 + let error = certdb.verifyCertNow(cert, usage,
1.30 + NO_FLAGS, verifiedChain, hasEVPolicy);
1.31 + do_check_eq(error, expected_error);
1.32 +}
1.33 +
1.34 +function check_cert_err(cert, expected_error) {
1.35 + check_cert_err_generic(cert, expected_error, certificateUsageSSLServer)
1.36 +}
1.37 +
1.38 +function check_ca_err(cert, expected_error) {
1.39 + check_cert_err_generic(cert, expected_error, certificateUsageSSLCA)
1.40 +}
1.41 +
1.42 +function check_ok(x) {
1.43 + return check_cert_err(x, 0);
1.44 +}
1.45 +
1.46 +function check_ok_ca(x) {
1.47 + return check_cert_err_generic(x, 0, certificateUsageSSLCA);
1.48 +}
1.49 +
1.50 +function run_tests_in_mode(useMozillaPKIX)
1.51 +{
1.52 + Services.prefs.setBoolPref("security.use_mozillapkix_verification",
1.53 + useMozillaPKIX);
1.54 +
1.55 + check_ok_ca(cert_from_file('v1_ca.der'));
1.56 + check_ca_err(cert_from_file('v1_ca_bc.der'),
1.57 + useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0);
1.58 + check_ca_err(cert_from_file('v2_ca.der'),
1.59 + useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0);
1.60 + check_ca_err(cert_from_file('v2_ca_bc.der'),
1.61 + useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0);
1.62 + check_ok_ca(cert_from_file('v3_ca.der'));
1.63 + check_ca_err(cert_from_file('v3_ca_missing_bc.der'),
1.64 + useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0);
1.65 +
1.66 + // Classic allows v1 and v2 certs to be CA certs in trust anchor positions and
1.67 + // intermediates when they have a v3 basic constraints extenstion (which
1.68 + // makes them invalid certs). Insanity only allows v1 certs to be CA in
1.69 + // anchor position (even if they have invalid encodings), v2 certs are not
1.70 + // considered CAs in any position.
1.71 + // Note that currently there are no change of behavior based on the
1.72 + // version of the end entity.
1.73 +
1.74 + let ee_error = 0;
1.75 + let ca_error = 0;
1.76 +
1.77 + //////////////
1.78 + // v1 CA supersection
1.79 + //////////////////
1.80 +
1.81 + // v1 intermediate with v1 trust anchor
1.82 + if (useMozillaPKIX) {
1.83 + ca_error = SEC_ERROR_CA_CERT_INVALID;
1.84 + ee_error = SEC_ERROR_CA_CERT_INVALID;
1.85 + } else {
1.86 + ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
1.87 + ee_error = SEC_ERROR_UNKNOWN_ISSUER;
1.88 + }
1.89 + check_ca_err(cert_from_file('v1_int-v1_ca.der'), ca_error);
1.90 + check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca.der'), ee_error);
1.91 + check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca.der'), ee_error);
1.92 + check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca.der'), ee_error);
1.93 + check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca.der'), ee_error);
1.94 + if (useMozillaPKIX) {
1.95 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.96 + }
1.97 + check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca.der'), ee_error);
1.98 + check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca.der'), ee_error);
1.99 + check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca.der'), ee_error);
1.100 +
1.101 + // v1 intermediate with v3 extensions. CA is invalid.
1.102 + if (useMozillaPKIX) {
1.103 + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.104 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.105 + } else {
1.106 + ca_error = 0;
1.107 + ee_error = 0;
1.108 + }
1.109 + check_ca_err(cert_from_file('v1_int_bc-v1_ca.der'), ca_error);
1.110 + check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca.der'), ee_error);
1.111 + check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
1.112 + check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca.der'), ee_error);
1.113 + check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
1.114 + check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
1.115 + check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
1.116 + check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
1.117 +
1.118 + // A v2 intermediate with a v1 CA
1.119 + if (useMozillaPKIX) {
1.120 + ca_error = SEC_ERROR_CA_CERT_INVALID;
1.121 + ee_error = SEC_ERROR_CA_CERT_INVALID;
1.122 + } else {
1.123 + ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
1.124 + ee_error = SEC_ERROR_UNKNOWN_ISSUER;
1.125 + }
1.126 + check_ca_err(cert_from_file('v2_int-v1_ca.der'), ca_error);
1.127 + check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca.der'), ee_error);
1.128 + check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca.der'), ee_error);
1.129 + check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca.der'), ee_error);
1.130 + check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca.der'), ee_error);
1.131 + if (useMozillaPKIX) {
1.132 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.133 + }
1.134 + check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca.der'), ee_error);
1.135 + check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca.der'), ee_error);
1.136 + check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca.der'), ee_error);
1.137 +
1.138 + // A v2 intermediate with basic constraints (not allowed in insanity)
1.139 + if (useMozillaPKIX) {
1.140 + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.141 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.142 + } else {
1.143 + ca_error = 0;
1.144 + ee_error = 0;
1.145 + }
1.146 + check_ca_err(cert_from_file('v2_int_bc-v1_ca.der'), ca_error);
1.147 + check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca.der'), ee_error);
1.148 + check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
1.149 + check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca.der'), ee_error);
1.150 + check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
1.151 + check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
1.152 + check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
1.153 + check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
1.154 +
1.155 + // Section is OK. A x509 v3 CA MUST have bc
1.156 + // http://tools.ietf.org/html/rfc5280#section-4.2.1.9
1.157 + if (useMozillaPKIX) {
1.158 + ca_error = SEC_ERROR_CA_CERT_INVALID;
1.159 + ee_error = SEC_ERROR_CA_CERT_INVALID;
1.160 + } else {
1.161 + ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
1.162 + ee_error = SEC_ERROR_UNKNOWN_ISSUER;
1.163 + }
1.164 + check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), ca_error);
1.165 + check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
1.166 + check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
1.167 + check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
1.168 + check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
1.169 + if (useMozillaPKIX) {
1.170 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.171 + }
1.172 + check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
1.173 + check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
1.174 + check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
1.175 +
1.176 + // It is valid for a v1 ca to sign a v3 intemediate.
1.177 + check_ok_ca(cert_from_file('v3_int-v1_ca.der'));
1.178 + check_ok(cert_from_file('v1_ee-v3_int-v1_ca.der'));
1.179 + check_ok(cert_from_file('v2_ee-v3_int-v1_ca.der'));
1.180 + check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca.der'));
1.181 + check_ok(cert_from_file('v3_bc_ee-v3_int-v1_ca.der'));
1.182 + if (useMozillaPKIX) {
1.183 + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.184 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.185 + } else {
1.186 + ca_error = 0;
1.187 + ee_error = 0;
1.188 + }
1.189 + check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca.der'), ee_error);
1.190 + check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca.der'), ee_error);
1.191 + check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca.der'), ee_error);
1.192 +
1.193 + // The next groups change the v1 ca for a v1 ca with base constraints
1.194 + // (invalid trust anchor). The error pattern is the same as the groups
1.195 + // above
1.196 +
1.197 + // Using A v1 intermediate
1.198 + if (useMozillaPKIX) {
1.199 + ca_error = SEC_ERROR_CA_CERT_INVALID;
1.200 + ee_error = SEC_ERROR_CA_CERT_INVALID;
1.201 + } else {
1.202 + ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
1.203 + ee_error = SEC_ERROR_UNKNOWN_ISSUER;
1.204 + }
1.205 + check_ca_err(cert_from_file('v1_int-v1_ca_bc.der'), ca_error);
1.206 + check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca_bc.der'), ee_error);
1.207 + check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca_bc.der'), ee_error);
1.208 + check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
1.209 + check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
1.210 + if (useMozillaPKIX) {
1.211 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.212 + }
1.213 + check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
1.214 + check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
1.215 + check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
1.216 +
1.217 + // Using a v1 intermediate with v3 extenstions (invalid).
1.218 + if (useMozillaPKIX) {
1.219 + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.220 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.221 + } else {
1.222 + ca_error = 0;
1.223 + ee_error = 0;
1.224 + }
1.225 + check_ca_err(cert_from_file('v1_int_bc-v1_ca_bc.der'), ca_error);
1.226 + check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
1.227 + check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
1.228 + check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
1.229 + check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
1.230 + check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
1.231 + check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
1.232 + check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
1.233 +
1.234 + // Using v2 intermediate
1.235 + if (useMozillaPKIX) {
1.236 + ca_error = SEC_ERROR_CA_CERT_INVALID;
1.237 + ee_error = SEC_ERROR_CA_CERT_INVALID;
1.238 + } else {
1.239 + ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
1.240 + ee_error = SEC_ERROR_UNKNOWN_ISSUER;
1.241 + }
1.242 + check_ca_err(cert_from_file('v2_int-v1_ca_bc.der'), ca_error);
1.243 + check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca_bc.der'), ee_error);
1.244 + check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca_bc.der'), ee_error);
1.245 + check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
1.246 + check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
1.247 + if (useMozillaPKIX) {
1.248 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.249 + }
1.250 + check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
1.251 + check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
1.252 + check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
1.253 +
1.254 + // Using a v2 intermediate with basic constraints (invalid)
1.255 + if (useMozillaPKIX) {
1.256 + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.257 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.258 + } else {
1.259 + ca_error = 0;
1.260 + ee_error = 0;
1.261 + }
1.262 + check_ca_err(cert_from_file('v2_int_bc-v1_ca_bc.der'), ca_error);
1.263 + check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
1.264 + check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
1.265 + check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
1.266 + check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
1.267 + check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
1.268 + check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
1.269 + check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
1.270 +
1.271 + // Using a v3 intermediate that is missing basic constraints (invalid)
1.272 + if (useMozillaPKIX) {
1.273 + ca_error = SEC_ERROR_CA_CERT_INVALID;
1.274 + ee_error = SEC_ERROR_CA_CERT_INVALID;
1.275 + } else {
1.276 + ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
1.277 + ee_error = SEC_ERROR_UNKNOWN_ISSUER;
1.278 + }
1.279 + check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca_bc.der'), ca_error);
1.280 + check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
1.281 + check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
1.282 + check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
1.283 + check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
1.284 + if (useMozillaPKIX) {
1.285 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.286 + }
1.287 + check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
1.288 + check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
1.289 + check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
1.290 +
1.291 + // these should pass assuming we are OK with v1 ca signing v3 intermediates
1.292 + if (useMozillaPKIX) {
1.293 + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.294 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.295 + } else {
1.296 + ca_error = 0;
1.297 + ee_error = 0;
1.298 + }
1.299 + check_ca_err(cert_from_file('v3_int-v1_ca_bc.der'), ca_error);
1.300 + check_cert_err(cert_from_file('v1_ee-v3_int-v1_ca_bc.der'), ee_error);
1.301 + check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
1.302 + check_cert_err(cert_from_file('v2_ee-v3_int-v1_ca_bc.der'), ee_error);
1.303 + check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
1.304 + check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
1.305 + check_cert_err(cert_from_file('v3_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
1.306 + check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
1.307 +
1.308 +
1.309 + //////////////
1.310 + // v2 CA supersection
1.311 + //////////////////
1.312 +
1.313 + // v2 ca, v1 intermediate
1.314 + if (useMozillaPKIX) {
1.315 + ca_error = SEC_ERROR_CA_CERT_INVALID;
1.316 + ee_error = SEC_ERROR_CA_CERT_INVALID;
1.317 + } else {
1.318 + ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
1.319 + ee_error = SEC_ERROR_UNKNOWN_ISSUER;
1.320 + }
1.321 + check_ca_err(cert_from_file('v1_int-v2_ca.der'), ca_error);
1.322 + check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca.der'), ee_error);
1.323 + check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca.der'), ee_error);
1.324 + check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca.der'), ee_error);
1.325 + check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca.der'), ee_error);
1.326 + if (useMozillaPKIX) {
1.327 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.328 + }
1.329 + check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca.der'), ee_error)
1.330 + check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca.der'), ee_error);
1.331 + check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca.der'), ee_error);
1.332 +
1.333 + // v2 ca, v1 intermediate with basic constraints (invalid)
1.334 + if (useMozillaPKIX) {
1.335 + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.336 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.337 + } else {
1.338 + ca_error = 0;
1.339 + ee_error = 0;
1.340 + }
1.341 + check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), ca_error);
1.342 + check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), ee_error);
1.343 + check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
1.344 + check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca.der'), ee_error);
1.345 + check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
1.346 + check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
1.347 + check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
1.348 + check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
1.349 +
1.350 + // v2 ca, v2 intermediate
1.351 + if (useMozillaPKIX) {
1.352 + ca_error = SEC_ERROR_CA_CERT_INVALID;
1.353 + ee_error = SEC_ERROR_CA_CERT_INVALID;
1.354 + } else {
1.355 + ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
1.356 + ee_error = SEC_ERROR_UNKNOWN_ISSUER;
1.357 + }
1.358 + check_ca_err(cert_from_file('v2_int-v2_ca.der'), ca_error);
1.359 + check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca.der'), ee_error);
1.360 + check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca.der'), ee_error);
1.361 + check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca.der'), ee_error);
1.362 + check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca.der'), ee_error);
1.363 + if (useMozillaPKIX) {
1.364 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.365 + }
1.366 + check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca.der'), ee_error);
1.367 + check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca.der'), ee_error);
1.368 + check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca.der'), ee_error)
1.369 +
1.370 + // v2 ca, v2 intermediate with basic constraints (invalid)
1.371 + if (useMozillaPKIX) {
1.372 + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.373 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.374 + } else {
1.375 + ca_error = 0;
1.376 + ee_error = 0;
1.377 + }
1.378 + check_ca_err(cert_from_file('v2_int_bc-v2_ca.der'), ca_error);
1.379 + check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca.der'), ee_error);
1.380 + check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
1.381 + check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca.der'), ee_error);
1.382 + check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
1.383 + check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
1.384 + check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
1.385 + check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
1.386 +
1.387 + // v2 ca, v3 intermediate missing basic constraints
1.388 + if (useMozillaPKIX) {
1.389 + ca_error = SEC_ERROR_CA_CERT_INVALID;
1.390 + ee_error = SEC_ERROR_CA_CERT_INVALID;
1.391 + } else {
1.392 + ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
1.393 + ee_error = SEC_ERROR_UNKNOWN_ISSUER;
1.394 + }
1.395 + check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca.der'), ca_error);
1.396 + check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
1.397 + check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
1.398 + check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
1.399 + check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
1.400 + if (useMozillaPKIX) {
1.401 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.402 + }
1.403 + check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
1.404 + check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
1.405 + check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
1.406 +
1.407 + // v2 ca, v3 intermediate
1.408 + if (useMozillaPKIX) {
1.409 + ca_error = SEC_ERROR_CA_CERT_INVALID;
1.410 + ee_error = SEC_ERROR_CA_CERT_INVALID;
1.411 + } else {
1.412 + ca_error = 0;
1.413 + ee_error = 0;
1.414 + }
1.415 + check_ca_err(cert_from_file('v3_int-v2_ca.der'), ca_error);
1.416 + check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca.der'), ee_error);
1.417 + check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca.der'), ee_error);
1.418 + check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca.der'), ee_error);
1.419 + check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca.der'), ee_error);
1.420 + if (useMozillaPKIX) {
1.421 + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.422 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.423 + } else {
1.424 + ca_error = 0;
1.425 + ee_error = 0;
1.426 + }
1.427 + check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca.der'), ee_error);
1.428 + check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca.der'), ee_error);
1.429 + check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca.der'), ee_error);
1.430 +
1.431 + // v2 ca, v1 intermediate
1.432 + if (useMozillaPKIX) {
1.433 + ca_error = SEC_ERROR_CA_CERT_INVALID;
1.434 + ee_error = SEC_ERROR_CA_CERT_INVALID;
1.435 + } else {
1.436 + ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
1.437 + ee_error = SEC_ERROR_UNKNOWN_ISSUER;
1.438 + }
1.439 + check_ca_err(cert_from_file('v1_int-v2_ca_bc.der'), ca_error);
1.440 + check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca_bc.der'), ee_error);
1.441 + check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca_bc.der'), ee_error);
1.442 + check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
1.443 + check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
1.444 + if (useMozillaPKIX) {
1.445 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.446 + }
1.447 + check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
1.448 + check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
1.449 + check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
1.450 +
1.451 + // v2 ca, v1 intermediate with bc (invalid)
1.452 + if (useMozillaPKIX) {
1.453 + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.454 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.455 + } else {
1.456 + ca_error = 0;
1.457 + ee_error = 0;
1.458 + }
1.459 + check_ca_err(cert_from_file('v1_int_bc-v2_ca_bc.der'), ca_error);
1.460 + check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
1.461 + check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
1.462 + check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
1.463 + check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
1.464 + check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
1.465 + check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
1.466 + check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
1.467 +
1.468 + // v2 ca, v2 intermediate
1.469 + if (useMozillaPKIX) {
1.470 + ca_error = SEC_ERROR_CA_CERT_INVALID;
1.471 + ee_error = SEC_ERROR_CA_CERT_INVALID;
1.472 + } else {
1.473 + ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
1.474 + ee_error = SEC_ERROR_UNKNOWN_ISSUER;
1.475 + }
1.476 + check_ca_err(cert_from_file('v2_int-v2_ca_bc.der'), ca_error);
1.477 + check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca_bc.der'), ee_error);
1.478 + check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca_bc.der'), ee_error);
1.479 + check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
1.480 + check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
1.481 + if (useMozillaPKIX) {
1.482 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.483 + }
1.484 + check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
1.485 + check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
1.486 + check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
1.487 +
1.488 + // v2 ca, v2 intermediate with bc (invalid)
1.489 + if (useMozillaPKIX) {
1.490 + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.491 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.492 + } else {
1.493 + ca_error = 0;
1.494 + ee_error = 0;
1.495 + }
1.496 + check_ca_err(cert_from_file('v2_int_bc-v2_ca_bc.der'), ca_error);
1.497 + check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
1.498 + check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
1.499 + check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
1.500 + check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
1.501 + check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
1.502 + check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
1.503 + check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
1.504 +
1.505 + // v2 ca, invalid v3 intermediate
1.506 + if (useMozillaPKIX) {
1.507 + ca_error = SEC_ERROR_CA_CERT_INVALID;
1.508 + ee_error = SEC_ERROR_CA_CERT_INVALID;
1.509 + } else {
1.510 + ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
1.511 + ee_error = SEC_ERROR_UNKNOWN_ISSUER;
1.512 + }
1.513 + check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca_bc.der'), ca_error);
1.514 + check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
1.515 + check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
1.516 + check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
1.517 + check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
1.518 + if (useMozillaPKIX) {
1.519 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.520 + }
1.521 + check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
1.522 + check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error)
1.523 + check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
1.524 +
1.525 + // v2 ca, valid v3 intermediate (is OK if we use 'classic' semantics)
1.526 + if (useMozillaPKIX) {
1.527 + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.528 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.529 + } else {
1.530 + ca_error = 0;
1.531 + ee_error = 0;
1.532 + }
1.533 + check_ca_err(cert_from_file('v3_int-v2_ca_bc.der'), ca_error);
1.534 + check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca_bc.der'), ee_error);
1.535 + check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
1.536 + check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca_bc.der'), ee_error);
1.537 + check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
1.538 + check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
1.539 + check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
1.540 + check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
1.541 +
1.542 + //////////////
1.543 + // v3 CA supersection
1.544 + //////////////////
1.545 +
1.546 + // v3 ca, v1 intermediate
1.547 + if (useMozillaPKIX) {
1.548 + ca_error = SEC_ERROR_CA_CERT_INVALID;
1.549 + ee_error = SEC_ERROR_CA_CERT_INVALID;
1.550 + } else {
1.551 + ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
1.552 + ee_error = SEC_ERROR_UNKNOWN_ISSUER;
1.553 + }
1.554 + check_ca_err(cert_from_file('v1_int-v3_ca.der'), ca_error);
1.555 + check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca.der'), ee_error);
1.556 + check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca.der'), ee_error);
1.557 + check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca.der'), ee_error);
1.558 + check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca.der'), ee_error);
1.559 + if (useMozillaPKIX) {
1.560 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.561 + }
1.562 + check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca.der'), ee_error);
1.563 + check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca.der'), ee_error);
1.564 + check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca.der'), ee_error);
1.565 +
1.566 + // A v1 intermediate with v3 extensions
1.567 + if (useMozillaPKIX) {
1.568 + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.569 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.570 + } else {
1.571 + ca_error = 0;
1.572 + ee_error = 0;
1.573 + }
1.574 + check_ca_err(cert_from_file('v1_int_bc-v3_ca.der'), ca_error);
1.575 + check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca.der'), ee_error);
1.576 + check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
1.577 + check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca.der'), ee_error);
1.578 + check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
1.579 + check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
1.580 + check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
1.581 + check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca.der'), ee_error)
1.582 +
1.583 + // reject a v2 cert as intermediate
1.584 + if (useMozillaPKIX) {
1.585 + ca_error = SEC_ERROR_CA_CERT_INVALID;
1.586 + ee_error = SEC_ERROR_CA_CERT_INVALID;
1.587 + } else {
1.588 + ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
1.589 + ee_error = SEC_ERROR_UNKNOWN_ISSUER;
1.590 + }
1.591 + check_ca_err(cert_from_file('v2_int-v3_ca.der'), ca_error);
1.592 + check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca.der'), ee_error);
1.593 + check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca.der'), ee_error);
1.594 + check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca.der'), ee_error);
1.595 + check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca.der'), ee_error);
1.596 + if (useMozillaPKIX) {
1.597 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.598 + }
1.599 + check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca.der'), ee_error);
1.600 + check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca.der'), ee_error);
1.601 + check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca.der'), ee_error);
1.602 +
1.603 + // v2 intermediate with bc (invalid)
1.604 + if (useMozillaPKIX) {
1.605 + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.606 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.607 + } else {
1.608 + ca_error = 0;
1.609 + ee_error = 0;
1.610 + }
1.611 + check_ca_err(cert_from_file('v2_int_bc-v3_ca.der'), ca_error);
1.612 + check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca.der'), ee_error);
1.613 + check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
1.614 + check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca.der'), ee_error);
1.615 + check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
1.616 + check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
1.617 + check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
1.618 + check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
1.619 +
1.620 + // invalid v3 intermediate
1.621 + if (useMozillaPKIX) {
1.622 + ca_error = SEC_ERROR_CA_CERT_INVALID;
1.623 + ee_error = SEC_ERROR_CA_CERT_INVALID;
1.624 + } else {
1.625 + ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
1.626 + ee_error = SEC_ERROR_UNKNOWN_ISSUER;
1.627 + }
1.628 + check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca.der'), ca_error);
1.629 + check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
1.630 + check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
1.631 + check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
1.632 + check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
1.633 + if (useMozillaPKIX) {
1.634 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.635 + }
1.636 + check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
1.637 + check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
1.638 + check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
1.639 +
1.640 + // I dont think that v3 intermediates should be allowed to sign v1 or v2
1.641 + // certs, but other thanthat this is what we usually get in the wild.
1.642 + check_ok_ca(cert_from_file('v3_int-v3_ca.der'));
1.643 + check_ok(cert_from_file('v1_ee-v3_int-v3_ca.der'));
1.644 + check_ok(cert_from_file('v2_ee-v3_int-v3_ca.der'));
1.645 + check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca.der'));
1.646 + check_ok(cert_from_file('v3_bc_ee-v3_int-v3_ca.der'));
1.647 + if (useMozillaPKIX) {
1.648 + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.649 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
1.650 + } else {
1.651 + ca_error = 0;
1.652 + ee_error = 0;
1.653 + }
1.654 + check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca.der'), ee_error);
1.655 + check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca.der'), ee_error);
1.656 + check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca.der'), ee_error);
1.657 +
1.658 + // v3 CA, invalid v3 intermediate
1.659 + if (useMozillaPKIX) {
1.660 + ca_error = SEC_ERROR_CA_CERT_INVALID;
1.661 + ee_error = SEC_ERROR_CA_CERT_INVALID;
1.662 + } else {
1.663 + ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
1.664 + ee_error = SEC_ERROR_UNKNOWN_ISSUER;
1.665 + }
1.666 + check_ca_err(cert_from_file('v1_int-v3_ca_missing_bc.der'), ca_error);
1.667 + check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
1.668 + check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
1.669 + check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
1.670 + check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
1.671 
+ if (useMozillaPKIX) { 1.672 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; 1.673 + } 1.674 + check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); 1.675 + check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); 1.676 + check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); 1.677 + 1.678 + // Int v1 with BC that is just invalid (classic fail insanity OK) 1.679 + if (useMozillaPKIX) { 1.680 + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; 1.681 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; 1.682 + } else { 1.683 + ca_error = 0; 1.684 + ee_error = 0; 1.685 + } 1.686 + check_ca_err(cert_from_file('v1_int_bc-v3_ca_missing_bc.der'), ca_error); 1.687 + check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); 1.688 + check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); 1.689 + check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); 1.690 + check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); 1.691 + check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); 1.692 + check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); 1.693 + check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); 1.694 + 1.695 + // Good section (all fail) 1.696 + if (useMozillaPKIX) { 1.697 + ca_error = SEC_ERROR_CA_CERT_INVALID; 1.698 + ee_error = SEC_ERROR_CA_CERT_INVALID; 1.699 + } else { 1.700 + ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; 1.701 + ee_error = SEC_ERROR_UNKNOWN_ISSUER; 1.702 + } 1.703 + check_ca_err(cert_from_file('v2_int-v3_ca_missing_bc.der'), ca_error); 1.704 + check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca_missing_bc.der'), ee_error); 1.705 + check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca_missing_bc.der'), ee_error); 1.706 + 
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); 1.707 + check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); 1.708 + if (useMozillaPKIX) { 1.709 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; 1.710 + } 1.711 + check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); 1.712 + check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); 1.713 + check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); 1.714 + 1.715 + // v2 intermediate (even with basic constraints) is invalid 1.716 + if (useMozillaPKIX) { 1.717 + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; 1.718 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; 1.719 + } else { 1.720 + ca_error = 0; 1.721 + ee_error = 0; 1.722 + } 1.723 + check_ca_err(cert_from_file('v2_int_bc-v3_ca_missing_bc.der'), ca_error); 1.724 + check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); 1.725 + check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); 1.726 + check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); 1.727 + check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); 1.728 + check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); 1.729 + check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); 1.730 + check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); 1.731 + 1.732 + // v3 intermediate missing basic constraints is invalid 1.733 + if (useMozillaPKIX) { 1.734 + ca_error = SEC_ERROR_CA_CERT_INVALID; 1.735 + ee_error = SEC_ERROR_CA_CERT_INVALID; 1.736 + } else { 1.737 + ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; 1.738 + ee_error = SEC_ERROR_UNKNOWN_ISSUER; 1.739 + } 1.740 + check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca_missing_bc.der'), ca_error); 1.741 + 
check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); 1.742 + check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); 1.743 + check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); 1.744 + check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); 1.745 + if (useMozillaPKIX) { 1.746 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; 1.747 + } 1.748 + check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); 1.749 + check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); 1.750 + check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); 1.751 + 1.752 + // With a v3 root missing bc and valid v3 intermediate 1.753 + if (useMozillaPKIX) { 1.754 + ca_error = SEC_ERROR_CA_CERT_INVALID; 1.755 + ee_error = SEC_ERROR_CA_CERT_INVALID; 1.756 + } else { 1.757 + ca_error = 0; 1.758 + ee_error = 0; 1.759 + } 1.760 + check_ca_err(cert_from_file('v3_int-v3_ca_missing_bc.der'), ca_error); 1.761 + check_cert_err(cert_from_file('v1_ee-v3_int-v3_ca_missing_bc.der'), ee_error); 1.762 + check_cert_err(cert_from_file('v2_ee-v3_int-v3_ca_missing_bc.der'), ee_error); 1.763 + check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); 1.764 + check_cert_err(cert_from_file('v3_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); 1.765 + if (useMozillaPKIX) { 1.766 + ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; 1.767 + ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; 1.768 + } else { 1.769 + ca_error = 0; 1.770 + ee_error = 0; 1.771 + } 1.772 + check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); 1.773 + check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); 1.774 + check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error); 1.775 +} 1.776 + 
1.777 +function run_test() { 1.778 + load_cert("v1_ca", "CTu,CTu,CTu"); 1.779 + load_cert("v1_ca_bc", "CTu,CTu,CTu"); 1.780 + load_cert("v2_ca", "CTu,CTu,CTu"); 1.781 + load_cert("v2_ca_bc", "CTu,CTu,CTu"); 1.782 + load_cert("v3_ca", "CTu,CTu,CTu"); 1.783 + load_cert("v3_ca_missing_bc", "CTu,CTu,CTu"); 1.784 + 1.785 + run_tests_in_mode(false); 1.786 + run_tests_in_mode(true); 1.787 +}