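--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_getchain.js
@@ -0,0 +1,95 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"]
+                 .getService(Ci.nsIX509CertDB);
+const certdb2 = Cc["@mozilla.org/security/x509certdb;1"]
+                  .getService(Ci.nsIX509CertDB2);
+
+// This is the list of certificates needed for the test
+// The certificates prefixed by 'int-' are intermediates
+let certList = [
+  'ee',
+  'ca-1',
+  'ca-2',
+]
+
+function load_cert(cert_name, trust_string) {
+  var cert_filename = cert_name + ".der";
+  addCertFromFile(certdb, "test_getchain/" + cert_filename, trust_string);
+}
+
+// Since all the ca's are identical expect for the serial number
+// I have to grab them by enumerating all the certs and then finding
+// the ones that I am interested in.
+function get_ca_array() {
+  let ret_array = new Array();
+  let allCerts = certdb2.getCerts();
+  let enumerator = allCerts.getEnumerator();
+  while (enumerator.hasMoreElements()) {
+    let cert = enumerator.getNext().QueryInterface(Ci.nsIX509Cert);
+    if (cert.commonName == 'ca') {
+      ret_array[parseInt(cert.serialNumber)] = cert;
+    }
+  }
+  return ret_array;
+}
+
+
+function check_matching_issuer_and_getchain(expected_issuer_serial, cert) {
+  const nsIX509Cert = Components.interfaces.nsIX509Cert;
+
+  do_check_eq(expected_issuer_serial, cert.issuer.serialNumber);
+  let chain = cert.getChain();
+  let issuer_via_getchain = chain.queryElementAt(1, nsIX509Cert);
+  // The issuer returned by cert.issuer or cert.getchain should be consistent.
+  do_check_eq(cert.issuer.serialNumber, issuer_via_getchain.serialNumber);
+}
+
+function check_getchain(ee_cert, ssl_ca, email_ca){
+  // A certificate should first build a chain/issuer to
+  // a SSL trust domain, then an EMAIL trust domain and then
+  // and object signer trust domain
+
+  const nsIX509Cert = Components.interfaces.nsIX509Cert;
+  certdb.setCertTrust(ssl_ca, nsIX509Cert.CA_CERT,
+                      Ci.nsIX509CertDB.TRUSTED_SSL);
+  certdb.setCertTrust(email_ca, nsIX509Cert.CA_CERT,
+                      Ci.nsIX509CertDB.TRUSTED_EMAIL);
+  check_matching_issuer_and_getchain(ssl_ca.serialNumber, ee_cert);
+  certdb.setCertTrust(ssl_ca, nsIX509Cert.CA_CERT, 0);
+  check_matching_issuer_and_getchain(email_ca.serialNumber, ee_cert);
+  certdb.setCertTrust(email_ca, nsIX509Cert.CA_CERT, 0);
+  // Do a final test on the case of no trust. The results must
+  // be cosistent (the actual value is non-deterministic).
+  check_matching_issuer_and_getchain(ee_cert.issuer.serialNumber, ee_cert);
+}
+
+function run_test_in_mode(useMozillaPKIX) {
+  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
+  clearOCSPCache();
+  clearSessionCache();
+
+  for (let i = 0 ; i < certList.length; i++) {
+    load_cert(certList[i], ',,');
+  }
+
+  let ee_cert = certdb.findCertByNickname(null, 'ee');
+  do_check_false(!ee_cert);
+
+  let ca = get_ca_array();
+
+  check_getchain(ee_cert, ca[1], ca[2]);
+  // Swap ca certs to deal alternate trust settings.
+  check_getchain(ee_cert, ca[2], ca[1]);
+}
+
+function run_test() {
+  run_test_in_mode(true);
+  run_test_in_mode(false);
+}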
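Review bot: In get_ca_array, `parseInt(cert.serialNumber)` is called without a radix, so the slot a CA lands in depends on how nsIX509Cert formats serialNumber; if that string ever carries a non-decimal prefix the CA silently maps to the wrong index or to `NaN`, and run_test_in_mode then passes `undefined` into check_getchain. Use `ret_array[parseInt(cert.serialNumber, 10)] = cert;` and, in run_test_in_mode, assert `ca[1]` and `ca[2]` are defined before the check_getchain calls. In check_matching_issuer_and_getchain, `chain.queryElementAt(1, nsIX509Cert)` is reached without checking the chain length, so a chain holding only the end-entity fails with an opaque exception rather than a descriptive assertion; add `do_check_true(chain.length > 1);` before that line. The header comment about certificates prefixed by 'int-' does not match certList, which only contains ee, ca-1 and ca-2, and should be dropped or updated.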