Thu, 22 Jan 2015 13:21:57 +0100
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
1 // -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 // This Source Code Form is subject to the terms of the Mozilla Public
3 // License, v. 2.0. If a copy of the MPL was not distributed with this
4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
6 "use strict";
// A profile must exist before nsIX509CertDB is requested, so this call has to
// stay ahead of the getService() lookup below.
do_get_profile();

// Certificate database service shared by every helper in this file.
const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
  Ci.nsIX509CertDB
);

// Base names of the DER files under test_cert_trust/ that run_test() imports.
// The same names are later used as nicknames: 'ca' is exercised as the root,
// 'int' as a non-root CA and 'ee' as the certificate being verified.
let certList = ["ee", "int", "ca"];
/**
 * Import one DER-encoded certificate from test_cert_trust/ into certdb.
 *
 * @param {string} cert_name - file name without the ".der" extension
 * @param {string} trust_string - trust argument handed unchanged to
 *   addCertFromFile()
 */
function load_cert(cert_name, trust_string) {
  const relativePath = "test_cert_trust/" + cert_name + ".der";
  addCertFromFile(certdb, relativePath, trust_string);
}
/**
 * Reset the chain to its baseline trust state: the root gets the SSL, e-mail
 * and object-signing trust bits, the intermediate gets no trust bits at all.
 * Called before each test_ca_distrust() pass so that trust changes made by the
 * previous pass do not carry over.
 *
 * @param ca_cert - certificate to mark as fully trusted
 * @param int_cert - certificate whose trust bits are cleared to 0
 */
function setup_basic_trusts(ca_cert, int_cert) {
  const caType = Ci.nsIX509Cert.CA_CERT;
  const everyUsage =
    Ci.nsIX509CertDB.TRUSTED_SSL |
    Ci.nsIX509CertDB.TRUSTED_EMAIL |
    Ci.nsIX509CertDB.TRUSTED_OBJSIGN;

  certdb.setCertTrust(ca_cert, caType, everyUsage);
  certdb.setCertTrust(int_cert, caType, 0);
}
/**
 * Verify `cert` for a single certificate usage and assert that the verifier
 * returns exactly `expected_error` (0 is used by callers for success).
 *
 * The subject and issuer common names are logged before the check. The usage
 * itself is not logged, so a failure has to be located through the line
 * reported by do_check_eq().
 *
 * @param cert - certificate to verify
 * @param expected_error - error code verifyCertNow() must return
 * @param usage - certificateUsage* constant to verify for
 */
function check_cert_err_generic(cert, expected_error, usage) {
  do_print("cert cn=" + cert.commonName);
  do_print("cert issuer cn=" + cert.issuerCommonName);

  // Out-parameters that verifyCertNow() takes; this helper asserts only on
  // the returned error code and never reads them back.
  const chainOut = {};
  const evPolicyOut = {};
  const actualError = certdb.verifyCertNow(cert, usage, NO_FLAGS,
                                           chainOut, evPolicyOut);
  do_check_eq(actualError, expected_error);
}
/**
 * Apply a series of trust settings to one CA in the end-entity's chain and,
 * after each change, assert the verification result for every certificate
 * usage.
 *
 * The trust strings given to setCertTrust() have three comma-separated
 * fields. Per the section comments below, the first is the SSL trust and the
 * second the e-mail trust; the third is presumably object signing, matching
 * the TRUSTED_OBJSIGN bit in setup_basic_trusts() — confirm against
 * setCertTrust(). 'p' is active distrust, 'T' is "trusted CA to issue client
 * certs", 'C' is the NSS flag for a trusted CA, and an empty field sets no
 * flag for that usage.
 *
 * Expectations tagged "XXX Bug 982340" or "NSS bug" pin what the verifier
 * returns today. They record known-divergent behaviour and should not be read
 * as the intended trust policy.
 *
 * @param ee_cert - end-entity certificate that is verified
 * @param cert_to_modify_trust - CA whose trust string is changed
 * @param {boolean} isRootCA - true when cert_to_modify_trust is the root
 * @param {boolean} useMozillaPKIX - true for mozilla::pkix, false for classic
 *   verification; selects which error code is expected
 */
function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKIX) {
  const expect = (usage, error) => check_cert_err_generic(ee_cert, error, usage);

  // Expectations that are identical in every trust state.
  //
  // mozilla::pkix requires a basic constraints extension with cA:true before
  // it treats a certificate as a CA, whereas classic verification does not.
  // The end-entity has no basic constraints, so the CA usages differ by mode.
  const sslCAError = useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
                                    : SEC_ERROR_INADEQUATE_CERT_TYPE;
  const verifyCAError = useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0;

  // Object signing when the chain is otherwise acceptable for it.
  const objSignError = useMozillaPKIX ? 0 : SEC_ERROR_INADEQUATE_CERT_TYPE;

  // Result when the modified certificate is the root and the usage is not
  // covered by its new trust string; modifying the intermediate leaves the
  // check passing (presumably because the root still anchors the chain).
  const missingAnchorError = isRootCA
    ? (useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER : SEC_ERROR_UNTRUSTED_ISSUER)
    : 0;

  // In mozilla::pkix (but not classic verification), certificate chain
  // properties are checked before the end-entity, so a distrusted CA yields
  // "untrusted issuer" instead of "inadequate cert type".
  // NOTE(review): the original comment speaks of the *root* being distrusted,
  // but the condition selects the non-root case — confirm which is intended.
  const distrustedResponderError = (!isRootCA && useMozillaPKIX)
    ? SEC_ERROR_UNTRUSTED_ISSUER
    : SEC_ERROR_INADEQUATE_CERT_TYPE;

  // Baseline (right after setup_basic_trusts): most usages succeed.
  expect(certificateUsageSSLServer, 0);
  expect(certificateUsageSSLClient, 0);
  expect(certificateUsageSSLCA, sslCAError); // expected: no basic constraints
  expect(certificateUsageEmailSigner, 0);
  expect(certificateUsageEmailRecipient, 0);
  expect(certificateUsageObjectSigner, objSignError);
  expect(certificateUsageVerifyCA, verifyCAError);
  expect(certificateUsageStatusResponder, SEC_ERROR_INADEQUATE_CERT_TYPE);

  // Active distrust in every field. No usage should pass.
  setCertTrust(cert_to_modify_trust, 'p,p,p');
  expect(certificateUsageSSLServer, SEC_ERROR_UNTRUSTED_ISSUER);
  expect(certificateUsageSSLClient, SEC_ERROR_UNTRUSTED_ISSUER);
  expect(certificateUsageSSLCA, sslCAError);
  expect(certificateUsageEmailSigner, SEC_ERROR_UNTRUSTED_ISSUER);
  expect(certificateUsageEmailRecipient, SEC_ERROR_UNTRUSTED_ISSUER);
  expect(certificateUsageObjectSigner,
         useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
                        : SEC_ERROR_INADEQUATE_CERT_TYPE);
  // Classic verification still returns 0 here although the CA is distrusted.
  expect(certificateUsageVerifyCA, verifyCAError);
  expect(certificateUsageStatusResponder, distrustedResponderError);

  // Trust set to T - trusted CA to issue client certs, where client cert is
  // usageSSLClient.
  setCertTrust(cert_to_modify_trust, 'T,T,T');
  expect(certificateUsageSSLServer, missingAnchorError);
  // XXX Bug 982340: mozilla::pkix reports unknown issuer for the root case.
  expect(certificateUsageSSLClient,
         (isRootCA && useMozillaPKIX) ? SEC_ERROR_UNKNOWN_ISSUER : 0);
  expect(certificateUsageSSLCA, sslCAError);
  expect(certificateUsageEmailSigner, missingAnchorError);
  expect(certificateUsageEmailRecipient, missingAnchorError);
  expect(certificateUsageObjectSigner,
         useMozillaPKIX ? (isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : 0)
                        : SEC_ERROR_INADEQUATE_CERT_TYPE);
  expect(certificateUsageVerifyCA, verifyCAError);
  expect(certificateUsageStatusResponder, SEC_ERROR_INADEQUATE_CERT_TYPE);

  // SSL trust bit: actively distrusted for SSL, trusted CA elsewhere.
  setCertTrust(cert_to_modify_trust, 'p,C,C');
  expect(certificateUsageSSLServer, SEC_ERROR_UNTRUSTED_ISSUER);
  // XXX Bug 982340: mozilla::pkix accepts the client usage despite the
  // SSL distrust.
  expect(certificateUsageSSLClient,
         useMozillaPKIX ? 0 : SEC_ERROR_UNTRUSTED_ISSUER);
  expect(certificateUsageSSLCA, sslCAError);
  expect(certificateUsageEmailSigner, 0);
  expect(certificateUsageEmailRecipient, 0);
  expect(certificateUsageObjectSigner, objSignError);
  expect(certificateUsageVerifyCA, verifyCAError);
  expect(certificateUsageStatusResponder, distrustedResponderError);

  // SSL trust bit: no explicit SSL flag (inherited trust).
  setCertTrust(cert_to_modify_trust, ',C,C');
  expect(certificateUsageSSLServer, missingAnchorError);
  // XXX Bug 982340: mozilla::pkix returns success for the root case, classic
  // returns untrusted issuer.
  expect(certificateUsageSSLClient,
         (isRootCA && !useMozillaPKIX) ? SEC_ERROR_UNTRUSTED_ISSUER : 0);
  expect(certificateUsageSSLCA, sslCAError);
  expect(certificateUsageEmailSigner, 0);
  expect(certificateUsageEmailRecipient, 0);
  expect(certificateUsageObjectSigner, objSignError);
  expect(certificateUsageVerifyCA, verifyCAError);
  expect(certificateUsageStatusResponder, SEC_ERROR_INADEQUATE_CERT_TYPE);

  // EMAIL trust bit: actively distrusted for e-mail, trusted CA elsewhere.
  setCertTrust(cert_to_modify_trust, 'C,p,C');
  expect(certificateUsageSSLServer, 0);
  // The only passing combination (classic verification, intermediate
  // modified) is an NSS bug; the mozilla::pkix result is the correct one.
  expect(certificateUsageSSLClient,
         (isRootCA || useMozillaPKIX) ? SEC_ERROR_UNTRUSTED_ISSUER : 0);
  expect(certificateUsageSSLCA, sslCAError);
  expect(certificateUsageEmailSigner, SEC_ERROR_UNTRUSTED_ISSUER);
  expect(certificateUsageEmailRecipient, SEC_ERROR_UNTRUSTED_ISSUER);
  expect(certificateUsageObjectSigner, objSignError);
  expect(certificateUsageVerifyCA, verifyCAError);
  expect(certificateUsageStatusResponder, SEC_ERROR_INADEQUATE_CERT_TYPE);

  // EMAIL trust bit: no explicit e-mail flag (inherited trust).
  setCertTrust(cert_to_modify_trust, 'C,,C');
  expect(certificateUsageSSLServer, 0);
  expect(certificateUsageSSLClient, missingAnchorError);
  expect(certificateUsageSSLCA, sslCAError);
  expect(certificateUsageEmailSigner, missingAnchorError);
  expect(certificateUsageEmailRecipient, missingAnchorError);
  expect(certificateUsageObjectSigner, objSignError);
  expect(certificateUsageVerifyCA, verifyCAError);
  expect(certificateUsageStatusResponder, SEC_ERROR_INADEQUATE_CERT_TYPE);
}
/**
 * Run the whole distrust matrix under one verification back end: first with
 * the root as the certificate whose trust is modified, then with the
 * intermediate. Trust is reset to the baseline before each pass.
 *
 * NOTE(review): the preference is left at whatever value was set last;
 * nothing in this function restores it.
 *
 * @param {boolean} useMozillaPKIX - value written to
 *   security.use_mozillapkix_verification and forwarded to test_ca_distrust()
 */
function run_test_in_mode(useMozillaPKIX) {
  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);

  // Look a certificate up by nickname and assert that the lookup produced
  // something before it is used.
  const requireCert = (nickname) => {
    const found = certdb.findCertByNickname(null, nickname);
    do_check_false(!found);
    return found;
  };

  const ca_cert = requireCert('ca');
  const int_cert = requireCert('int');
  const ee_cert = requireCert('ee');

  // Pass 1: change trust on the root.
  setup_basic_trusts(ca_cert, int_cert);
  test_ca_distrust(ee_cert, ca_cert, true, useMozillaPKIX);

  // Pass 2: change trust on the intermediate.
  setup_basic_trusts(ca_cert, int_cert);
  test_ca_distrust(ee_cert, int_cert, false, useMozillaPKIX);
}
/**
 * Test entry point: import every certificate in certList with an empty trust
 * string (',,'), then run the distrust matrix once with mozilla::pkix and
 * once with classic verification.
 */
function run_test() {
  for (let cert_name of certList) {
    load_cert(cert_name, ',,');
  }

  run_test_in_mode(true);
  run_test_in_mode(false);
}