security/manager/ssl/tests/unit/test_cert_signatures.js@b8a032363ba2
security/manager/ssl/tests/unit/test_cert_signatures.js
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
1 // -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 // This Source Code Form is subject to the terms of the Mozilla Public
3 // License, v. 2.0. If a copy of the MPL was not distributed with this
4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
6 "use strict";
7 /*
8 * The purpose of this test is to verify that we correctly detect bad
9 * signatures on tampered certificates. Eventually, we should also be
10 * verifying that the error we return is the correct error.
11 *
12 * To regenerate the certificates for this test:
13 *
14 * cd security/manager/ssl/tests/unit/test_cert_signatures
15 * ./generate.py
16 * cd ../../../../../..
17 * make -C $OBJDIR/security/manager/ssl/tests
18 *
19 * Check in the generated files. These steps are not done as part of the build
20 * because we do not want to add a build-time dependency on the OpenSSL or NSS
21 * tools or libraries built for the host platform.
22 */
24 do_get_profile(); // must be called before getting nsIX509CertDB
25 const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
27 function load_ca(ca_name) {
28 let ca_filename = ca_name + ".der";
29 addCertFromFile(certdb, "test_cert_signatures/" + ca_filename, 'CTu,CTu,CTu');
30 }
32 function check_ca(ca_name) {
33 do_print("ca_name=" + ca_name);
34 let cert = certdb.findCertByNickname(null, ca_name);
36 let verified = {};
37 let usages = {};
38 cert.getUsagesString(true, verified, usages);
39 do_check_eq('SSL CA', usages.value);
40 }
42 function run_test() {
43 // Load the ca into mem
44 load_ca("ca-rsa");
45 load_ca("ca-p384");
46 load_ca("ca-dsa");
48 run_test_in_mode(true);
49 run_test_in_mode(false);
50 }
52 function run_test_in_mode(useMozillaPKIX) {
53 Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
54 clearOCSPCache();
55 clearSessionCache();
57 check_ca("ca-rsa");
58 check_ca("ca-p384");
59 check_ca("ca-dsa");
61 // mozilla::pkix does not allow CA certs to be validated for end-entity
62 // usages.
63 let int_usage = useMozillaPKIX
64 ? 'SSL CA'
65 : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
67 // mozilla::pkix doesn't implement the Netscape Object Signer restriction.
68 const ee_usage = useMozillaPKIX
69 ? 'Client,Server,Sign,Encrypt,Object Signer'
70 : 'Client,Server,Sign,Encrypt';
72 let cert2usage = {
73 // certs without the "int" prefix are end entity certs.
74 'int-rsa-valid': int_usage,
75 'rsa-valid': ee_usage,
76 'int-p384-valid': int_usage,
77 'p384-valid': ee_usage,
78 'int-dsa-valid': int_usage,
79 'dsa-valid': ee_usage,
81 'rsa-valid-int-tampered-ee': "",
82 'p384-valid-int-tampered-ee': "",
83 'dsa-valid-int-tampered-ee': "",
85 'int-rsa-tampered': "",
86 'rsa-tampered-int-valid-ee': "",
87 'int-p384-tampered': "",
88 'p384-tampered-int-valid-ee': "",
89 'int-dsa-tampered': "",
90 'dsa-tampered-int-valid-ee': "",
92 };
94 // Load certs first
95 for (let cert_name in cert2usage) {
96 let cert_filename = cert_name + ".der";
97 addCertFromFile(certdb, "test_cert_signatures/" + cert_filename, ',,');
98 }
100 for (let cert_name in cert2usage) {
101 do_print("cert_name=" + cert_name);
103 let cert = certdb.findCertByNickname(null, cert_name);
105 let verified = {};
106 let usages = {};
107 cert.getUsagesString(true, verified, usages);
108 do_check_eq(cert2usage[cert_name], usages.value);
109 }
110 }
