security/manager/ssl/tests/unit/test_certificate_usages.js

changeset 0
6474c204b198
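--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/manager/ssl/tests/unit/test_certificate_usages.js	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,145 @@
+"use strict";
+
+/* To regenerate the certificates and apps for this test:
+
+        cd security/manager/ssl/tests/unit/test_certificate_usages
+        PATH=$NSS/bin:$NSS/lib:$PATH ./generate.pl
+        cd ../../../../../..
+        make -C $OBJDIR/security/manager/ssl/tests
+
+   $NSS is the path to NSS binaries and libraries built for the host platform.
+   If you get error messages about "CertUtil" on Windows, then it means that
+   the Windows CertUtil.exe is ahead of the NSS certutil.exe in $PATH.
+
+   Check in the generated files. These steps are not done as part of the build
+   because we do not want to add a build-time dependency on the OpenSSL or NSS
+   tools or libraries built for the host platform.
+*/
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
+
+const gNumCAs = 4;
+
+function run_test() {
+  //ca's are one based!
+  for (var i = 0; i < gNumCAs; i++) {
+    var ca_name = "ca-" + (i + 1);
+    var ca_filename = ca_name + ".der";
+    addCertFromFile(certdb, "test_certificate_usages/" + ca_filename, "CTu,CTu,CTu");
+    do_print("ca_name=" + ca_name);
+    var cert = certdb.findCertByNickname(null, ca_name);
+  }
+
+  run_test_in_mode(true);
+  run_test_in_mode(false);
+}
+
+function run_test_in_mode(useMozillaPKIX) {
+  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
+  clearOCSPCache();
+  clearSessionCache();
+
+  // mozilla::pkix does not allow CA certs to be validated for non-CA usages.
+  var allCAUsages = useMozillaPKIX
+                  ? 'SSL CA'
+                  : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
+
+  // mozilla::pkix doesn't allow CA certificates to have the Status Responder
+  // EKU.
+  var ca_usages = [allCAUsages,
+                   'SSL CA',
+                   allCAUsages,
+                   useMozillaPKIX ? ''
+                                  : 'Client,Server,Sign,Encrypt,Status Responder'];
+
+  // mozilla::pkix doesn't implement the Netscape Object Signer restriction.
+  var basicEndEntityUsages = useMozillaPKIX
+                           ? 'Client,Server,Sign,Encrypt,Object Signer'
+                           : 'Client,Server,Sign,Encrypt';
+  var basicEndEntityUsagesWithObjectSigner = basicEndEntityUsages + ",Object Signer"
+
+  // mozilla::pkix won't let a certificate with the "Status Responder" EKU get
+  // validated for any other usage.
+  var statusResponderUsages = (useMozillaPKIX ? "" : "Server,") + "Status Responder";
+  var statusResponderUsagesFull
+      = useMozillaPKIX ? statusResponderUsages
+                       : basicEndEntityUsages + ',Object Signer,Status Responder';
+
+  var ee_usages = [
+    [ basicEndEntityUsages,
+      basicEndEntityUsages,
+      basicEndEntityUsages,
+      '',
+      statusResponderUsagesFull,
+      'Client,Server',
+      'Sign,Encrypt,Object Signer',
+      statusResponderUsages
+    ],
+
+    [ basicEndEntityUsages,
+      basicEndEntityUsages,
+      basicEndEntityUsages,
+      '',
+      statusResponderUsagesFull,
+      'Client,Server',
+      'Sign,Encrypt,Object Signer',
+      statusResponderUsages
+    ],
+
+    [ basicEndEntityUsages,
+      basicEndEntityUsages,
+      basicEndEntityUsages,
+      '',
+      statusResponderUsagesFull,
+      'Client,Server',
+      'Sign,Encrypt,Object Signer',
+      statusResponderUsages
+    ],
+
+    // The CA has isCA=true without keyCertSign.
+    //
+    // The 'classic' NSS mode uses the 'union' of the
+    // capabilites so the cert is considered a CA.
+    // mozilla::pkix and libpkix use the intersection of
+    // capabilites, so the cert is NOT considered a CA.
+    [ useMozillaPKIX ? '' : basicEndEntityUsages,
+      useMozillaPKIX ? '' : basicEndEntityUsages,
+      useMozillaPKIX ? '' : basicEndEntityUsages,
+      '',
+      useMozillaPKIX ? '' : statusResponderUsagesFull,
+      useMozillaPKIX ? '' : 'Client,Server',
+      useMozillaPKIX ? '' : 'Sign,Encrypt,Object Signer',
+      useMozillaPKIX ? '' : 'Server,Status Responder'
+     ]
+  ];
+
+  do_check_eq(gNumCAs, ca_usages.length);
+
+  for (var i = 0; i < gNumCAs; i++) {
+    var ca_name = "ca-" + (i + 1);
+    var verified = {};
+    var usages = {};
+    var cert = certdb.findCertByNickname(null, ca_name);
+    cert.getUsagesString(true, verified, usages);
+    do_print("usages.value=" + usages.value);
+    do_check_eq(ca_usages[i], usages.value);
+    if (ca_usages[i].indexOf('SSL CA') != -1) {
+      checkCertErrorGeneric(certdb, cert, 0, certificateUsageVerifyCA);
+    }
+    //now the ee, names also one based
+    for (var j = 0; j < ee_usages[i].length; j++) {
+      var ee_name = "ee-" + (j + 1) + "-" + ca_name;
+      var ee_filename = ee_name + ".der";
+      //do_print("ee_filename" + ee_filename);
+      addCertFromFile(certdb, "test_certificate_usages/" + ee_filename, ",,");
+      var ee_cert;
+      ee_cert = certdb.findCertByNickname(null, ee_name);
+      var verified = {};
+      var usages = {};
+      ee_cert.getUsagesString(true, verified, usages);
+      do_print("cert usages.value=" + usages.value);
+      do_check_eq(ee_usages[i][j], usages.value);
+    }
+  }
+}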
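Review bot: `basicEndEntityUsagesWithObjectSigner` in run_test_in_mode is assigned and never read, and in the mozilla::pkix branch it would contain "Object Signer" twice because `basicEndEntityUsages` already ends with it; the line (which also lacks its semicolon) should be dropped or actually used in `ee_usages`. The expected-usage tables are the only statement of which usages each certificate may validate for, yet only `ca_usages` is length-checked; adding `do_check_eq(gNumCAs, ee_usages.length);` next to the existing check would cover the outer table. The inner loop is bounded by `ee_usages[i].length`, so a generated end-entity certificate that has no row entry is silently not checked; a comment stating the expected count of eight per CA would make that visible. The `verified` out-parameter of `getUsagesString` is never asserted in either loop, so a change in the reported verification status would not fail this test.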
