security/manager/ssl/tests/mochitest/bugs/test_generateCRMFRequest.html

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 <!DOCTYPE HTML>
     2 <html>
     3 <head>
     4   <title>crypto.generateCRMFRequest bugs</title>
     5   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
     6   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
     7 </head>
     8 <body onload="onWindowLoad()">
     9 <script class="testbody" type="text/javascript">
    11   SimpleTest.waitForExplicitFinish(); // the checks run from <body onload>; onWindowLoad() ends the test by calling SimpleTest.finish()
    /**
     * Body onload handler: runs every crypto.generateCRMFRequest regression
     * check in order and then ends the test with SimpleTest.finish().
     *
     * The checks cover input validation in key generation: out-of-range RSA
     * key sizes must be rejected, malformed arguments must raise a clean
     * error, and keygen parameters (popcert / curve) must not let the request
     * end up with a different algorithm or curve than the one asked for.
     */
    function onWindowLoad() {
      // DER-encoded object identifiers searched for in the decoded requests.
      // rsaEncryption
      var rsaEncryptionOid = [ 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
                               0x01, 0x01, 0x01 ];
      // secp256r1 (the default curve for a "1024-bit" ec key)
      var secp256r1Oid = [ 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03,
                           0x01, 0x07 ];
      // nistp384
      var nistp384Oid = [ 0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22 ];
      // secp521r1
      var secp521r1Oid = [ 0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x23 ];

      // Base-64 decodes the request of a CRMF object after dropping the CRLF
      // line breaks.
      function decodeRequest(crmf) {
        var encoded = crmf.request;
        return atob(encoded.replace(/\r\n/g, ""));
      }

      // bug 849553: asks for an rsa-ex key of the given size and expects key
      // generation to be refused.
      function expectRsaExKeygenFailure(keySize) {
        try {
          crypto.generateCRMFRequest("CN=undefined", "regToken",
                                     "authenticator", null, "",
                                     keySize, null, "rsa-ex",
                                     1024, null, "rsa-sign");
          ok(false, "execution should not reach this line");
        } catch (e) {
          is(e.toString(), "Error: error:could not generate the key for algorithm rsa-ex", "expected exception");
        }
      }

      // Smoke test. The algorithm names are deliberately padded with
      // whitespace; the 512-bit size is a test input, not a recommendation.
      try {
        crypto.generateCRMFRequest("CN=undefined", "regToken",
                                   "authenticator", null, "",
                                   512, null, "  rsa-ex   ",
                                   1024, null, "\r\n\t rsa-sign\t");
        ok(true, "no exception thrown in generateCRMFRequest");
      } catch (e) {
        ok(false, "unexpected exception: " + e);
      }

      // bug 849553: 8 is too small a key size and 65536 is too large.
      expectRsaExKeygenFailure(8);
      expectRsaExKeygenFailure(65536);

      // bug 882865: arguments of unexpected types must produce an error
      // rather than anything worse.
      var rootElement = document.documentElement;
      var cryptoRef = crypto;
      try {
        cryptoRef.generateCRMFRequest("undefined", rootElement, 'X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X', null, cryptoRef, 1404343237, Math.PI, []);
        ok(false, "execution should not reach this line");
      } catch (e) {
        // The 'key generation argument' here is an empty array, which is
        // interpreted as an empty string.
        is(e.toString(), "Error: error:invalid key generation argument:", "expected exception");
      }

      // An rsa certificate passed as popcert must not be used to generate an
      // ec key: the request may name secp256r1 but never rsaEncryption.
      try {
        var ecCrmf = crypto.generateCRMFRequest("CN=a", "a", "a", null, "",
                       1024, "popcert=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", "ec-dual-use");
        ok(ecCrmf, "generateCRMFRequest succeeded");
        var ecBytes = decodeRequest(ecCrmf);
        ok(!findIdentifierInString(rsaEncryptionOid, ecBytes),
           "didn't find bad identifier in request");
        ok(findIdentifierInString(secp256r1Oid, ecBytes),
           "found good identifier in request");
      } catch (e) {
        ok(false, "unexpected exception: " + e);
      }

      // Only the first of repeated keygen parameters may take effect.
      try {
        var curveCrmf = crypto.generateCRMFRequest("CN=a", "a", "a", null,
                          "", 1024, "curve=secp521r1;curve=nistp384",
                          "ec-dual-use");
        ok(curveCrmf, "generateCRMFRequest succeeded");
        var curveBytes = decodeRequest(curveCrmf);
        ok(!findIdentifierInString(nistp384Oid, curveBytes),
           "didn't find bad identifier in curve request");
        ok(findIdentifierInString(secp521r1Oid, curveBytes),
           "found good identifier in curve request");

        // The popcert=MII... values are base-64 encodings of self-signed
        // certificates. The key of the first one is a secp521r1 key, whereas
        // the second is nistp384.
        var popcertCrmf = crypto.generateCRMFRequest("CN=a", "a", "a",
                            null, "", 1024, "popcert=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;popcert=MIIBRDCBy6ADAgECAgUAnVEotzAJBgcqhkjOPQQBMAwxCjAIBgNVBAMTAWkwHhcNMTMxMTA2MjIwMDExWhcNMTQwMjA2MjIwMDExWjAMMQowCAYDVQQDEwFpMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEXjFpZ9bodzikeN4C8p2mVj1Ia1t+8zIndSavQHmxaD3+kvhkt18+P20ZagfBOaVEQZdArZ6KxBeW9oYZqaNpqHLveGlKYi6u9z5FyozAx4MXzyLdfu+bzOLIsryKRnLFMAkGByqGSM49BAEDaQAwZgIxAJDawIJLQ5iZsJVC3vV1YEKsI2aNEicdZ3YTMp/zUy+64Z2/cjyyfa7d5m1xKLDBogIxANHOQoy/7DioCyWNDDzx5QK0M24dOURVWRXsxjAjrg4vDmV/fkVzwpUzIr5fMgXEyQ==", "ec-dual-use");
        ok(popcertCrmf, "generateCRMFRequest succeeded");
        var popcertBytes = decodeRequest(popcertCrmf);
        ok(!findIdentifierInString(nistp384Oid, popcertBytes),
           "didn't find bad identifier in popcert request");
        ok(findIdentifierInString(secp521r1Oid, popcertBytes),
           "found good identifier in popcert request");
      } catch (e) {
        ok(false, "unexpected exception: " + e);
      }

      SimpleTest.finish();
    }
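   /**
    * Reports whether a byte sequence occurs anywhere in a binary string.
    *
    * The callers use the negative result as evidence that an unwanted
    * algorithm identifier is absent from a request, so the search must never
    * miss an occurrence. Two ways the search could miss one are avoided here:
    * every start offset up to and including the last possible one is tried
    * (an identifier at the very end of the string is found), and the start
    * offset always advances by one (skipping ahead by the length of a partial
    * match can jump over a real match when the identifier repeats its own
    * prefix).
    *
    * @param {number[]} identifier - byte values to look for, in order
    * @param {string} str - binary string, one byte per character as produced
    *   by atob()
    * @returns {boolean} true if the sequence is found, false otherwise
    */
   function findIdentifierInString(identifier, str) {
     // Negative when the identifier is longer than the string; the loop
     // below then never runs and the result is false.
     var lastStart = str.length - identifier.length;
     for (var start = 0; start <= lastStart; start++) {
       var matched = 0;
       while (matched < identifier.length &&
              identifier[matched] === str.charCodeAt(start + matched)) {
         matched++;
       }
       if (matched === identifier.length) {
         return true;
       }
     }
     return false;
   }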
   140 </script>
   141 </body>
   142 </html>
