Thu, 22 Jan 2015 13:21:57 +0100
Incorporate the changes requested by Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
1 // -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 // This Source Code Form is subject to the terms of the Mozilla Public
3 // License, v. 2.0. If a copy of the MPL was not distributed with this
4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
6 "use strict";
8 do_get_profile(); // must be called before getting nsIX509CertDB
9 const certdb = Cc["@mozilla.org/security/x509certdb;1"]
10 .getService(Ci.nsIX509CertDB);
12 function cert_from_file(filename) {
13 return constructCertFromFile("test_cert_version/" + filename);
14 }
16 function load_cert(cert_name, trust_string) {
17 var cert_filename = cert_name + ".der";
18 addCertFromFile(certdb, "test_cert_version/" + cert_filename, trust_string);
19 }
21 function check_cert_err_generic(cert, expected_error, usage) {
22 do_print("cert cn=" + cert.commonName);
23 do_print("cert issuer cn=" + cert.issuerCommonName);
24 let hasEVPolicy = {};
25 let verifiedChain = {};
26 let error = certdb.verifyCertNow(cert, usage,
27 NO_FLAGS, verifiedChain, hasEVPolicy);
28 do_check_eq(error, expected_error);
29 }
31 function check_cert_err(cert, expected_error) {
32 check_cert_err_generic(cert, expected_error, certificateUsageSSLServer)
33 }
35 function check_ca_err(cert, expected_error) {
36 check_cert_err_generic(cert, expected_error, certificateUsageSSLCA)
37 }
39 function check_ok(x) {
40 return check_cert_err(x, 0);
41 }
43 function check_ok_ca(x) {
44 return check_cert_err_generic(x, 0, certificateUsageSSLCA);
45 }
47 function run_tests_in_mode(useMozillaPKIX)
48 {
49 Services.prefs.setBoolPref("security.use_mozillapkix_verification",
50 useMozillaPKIX);
52 check_ok_ca(cert_from_file('v1_ca.der'));
53 check_ca_err(cert_from_file('v1_ca_bc.der'),
54 useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0);
55 check_ca_err(cert_from_file('v2_ca.der'),
56 useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0);
57 check_ca_err(cert_from_file('v2_ca_bc.der'),
58 useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0);
59 check_ok_ca(cert_from_file('v3_ca.der'));
60 check_ca_err(cert_from_file('v3_ca_missing_bc.der'),
61 useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0);
63 // Classic allows v1 and v2 certs to be CA certs in trust anchor positions and
64 // intermediates when they have a v3 basic constraints extenstion (which
65 // makes them invalid certs). Insanity only allows v1 certs to be CA in
66 // anchor position (even if they have invalid encodings), v2 certs are not
67 // considered CAs in any position.
68 // Note that currently there are no change of behavior based on the
69 // version of the end entity.
71 let ee_error = 0;
72 let ca_error = 0;
74 //////////////
75 // v1 CA supersection
76 //////////////////
78 // v1 intermediate with v1 trust anchor
79 if (useMozillaPKIX) {
80 ca_error = SEC_ERROR_CA_CERT_INVALID;
81 ee_error = SEC_ERROR_CA_CERT_INVALID;
82 } else {
83 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
84 ee_error = SEC_ERROR_UNKNOWN_ISSUER;
85 }
86 check_ca_err(cert_from_file('v1_int-v1_ca.der'), ca_error);
87 check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca.der'), ee_error);
88 check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca.der'), ee_error);
89 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca.der'), ee_error);
90 check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca.der'), ee_error);
91 if (useMozillaPKIX) {
92 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
93 }
94 check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca.der'), ee_error);
95 check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca.der'), ee_error);
96 check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca.der'), ee_error);
98 // v1 intermediate with v3 extensions. CA is invalid.
99 if (useMozillaPKIX) {
100 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
101 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
102 } else {
103 ca_error = 0;
104 ee_error = 0;
105 }
106 check_ca_err(cert_from_file('v1_int_bc-v1_ca.der'), ca_error);
107 check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca.der'), ee_error);
108 check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
109 check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca.der'), ee_error);
110 check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
111 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
112 check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
113 check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca.der'), ee_error);
115 // A v2 intermediate with a v1 CA
116 if (useMozillaPKIX) {
117 ca_error = SEC_ERROR_CA_CERT_INVALID;
118 ee_error = SEC_ERROR_CA_CERT_INVALID;
119 } else {
120 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
121 ee_error = SEC_ERROR_UNKNOWN_ISSUER;
122 }
123 check_ca_err(cert_from_file('v2_int-v1_ca.der'), ca_error);
124 check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca.der'), ee_error);
125 check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca.der'), ee_error);
126 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca.der'), ee_error);
127 check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca.der'), ee_error);
128 if (useMozillaPKIX) {
129 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
130 }
131 check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca.der'), ee_error);
132 check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca.der'), ee_error);
133 check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca.der'), ee_error);
135 // A v2 intermediate with basic constraints (not allowed in insanity)
136 if (useMozillaPKIX) {
137 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
138 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
139 } else {
140 ca_error = 0;
141 ee_error = 0;
142 }
143 check_ca_err(cert_from_file('v2_int_bc-v1_ca.der'), ca_error);
144 check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca.der'), ee_error);
145 check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
146 check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca.der'), ee_error);
147 check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
148 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
149 check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
150 check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca.der'), ee_error);
152 // Section is OK. A x509 v3 CA MUST have bc
153 // http://tools.ietf.org/html/rfc5280#section-4.2.1.9
154 if (useMozillaPKIX) {
155 ca_error = SEC_ERROR_CA_CERT_INVALID;
156 ee_error = SEC_ERROR_CA_CERT_INVALID;
157 } else {
158 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
159 ee_error = SEC_ERROR_UNKNOWN_ISSUER;
160 }
161 check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), ca_error);
162 check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
163 check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
164 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
165 check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
166 if (useMozillaPKIX) {
167 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
168 }
169 check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
170 check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
171 check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error);
173 // It is valid for a v1 ca to sign a v3 intemediate.
174 check_ok_ca(cert_from_file('v3_int-v1_ca.der'));
175 check_ok(cert_from_file('v1_ee-v3_int-v1_ca.der'));
176 check_ok(cert_from_file('v2_ee-v3_int-v1_ca.der'));
177 check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca.der'));
178 check_ok(cert_from_file('v3_bc_ee-v3_int-v1_ca.der'));
179 if (useMozillaPKIX) {
180 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
181 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
182 } else {
183 ca_error = 0;
184 ee_error = 0;
185 }
186 check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca.der'), ee_error);
187 check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca.der'), ee_error);
188 check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca.der'), ee_error);
190 // The next groups change the v1 ca for a v1 ca with base constraints
191 // (invalid trust anchor). The error pattern is the same as the groups
192 // above
194 // Using A v1 intermediate
195 if (useMozillaPKIX) {
196 ca_error = SEC_ERROR_CA_CERT_INVALID;
197 ee_error = SEC_ERROR_CA_CERT_INVALID;
198 } else {
199 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
200 ee_error = SEC_ERROR_UNKNOWN_ISSUER;
201 }
202 check_ca_err(cert_from_file('v1_int-v1_ca_bc.der'), ca_error);
203 check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca_bc.der'), ee_error);
204 check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca_bc.der'), ee_error);
205 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
206 check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
207 if (useMozillaPKIX) {
208 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
209 }
210 check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
211 check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
212 check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca_bc.der'), ee_error);
214 // Using a v1 intermediate with v3 extenstions (invalid).
215 if (useMozillaPKIX) {
216 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
217 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
218 } else {
219 ca_error = 0;
220 ee_error = 0;
221 }
222 check_ca_err(cert_from_file('v1_int_bc-v1_ca_bc.der'), ca_error);
223 check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
224 check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
225 check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
226 check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
227 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
228 check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
229 check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error);
231 // Using v2 intermediate
232 if (useMozillaPKIX) {
233 ca_error = SEC_ERROR_CA_CERT_INVALID;
234 ee_error = SEC_ERROR_CA_CERT_INVALID;
235 } else {
236 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
237 ee_error = SEC_ERROR_UNKNOWN_ISSUER;
238 }
239 check_ca_err(cert_from_file('v2_int-v1_ca_bc.der'), ca_error);
240 check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca_bc.der'), ee_error);
241 check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca_bc.der'), ee_error);
242 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
243 check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
244 if (useMozillaPKIX) {
245 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
246 }
247 check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
248 check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
249 check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca_bc.der'), ee_error);
251 // Using a v2 intermediate with basic constraints (invalid)
252 if (useMozillaPKIX) {
253 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
254 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
255 } else {
256 ca_error = 0;
257 ee_error = 0;
258 }
259 check_ca_err(cert_from_file('v2_int_bc-v1_ca_bc.der'), ca_error);
260 check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
261 check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
262 check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
263 check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
264 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
265 check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
266 check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error);
268 // Using a v3 intermediate that is missing basic constraints (invalid)
269 if (useMozillaPKIX) {
270 ca_error = SEC_ERROR_CA_CERT_INVALID;
271 ee_error = SEC_ERROR_CA_CERT_INVALID;
272 } else {
273 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
274 ee_error = SEC_ERROR_UNKNOWN_ISSUER;
275 }
276 check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca_bc.der'), ca_error);
277 check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
278 check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
279 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
280 check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
281 if (useMozillaPKIX) {
282 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
283 }
284 check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
285 check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
286 check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error);
288 // these should pass assuming we are OK with v1 ca signing v3 intermediates
289 if (useMozillaPKIX) {
290 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
291 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
292 } else {
293 ca_error = 0;
294 ee_error = 0;
295 }
296 check_ca_err(cert_from_file('v3_int-v1_ca_bc.der'), ca_error);
297 check_cert_err(cert_from_file('v1_ee-v3_int-v1_ca_bc.der'), ee_error);
298 check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
299 check_cert_err(cert_from_file('v2_ee-v3_int-v1_ca_bc.der'), ee_error);
300 check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
301 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
302 check_cert_err(cert_from_file('v3_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
303 check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca_bc.der'), ee_error);
306 //////////////
307 // v2 CA supersection
308 //////////////////
310 // v2 ca, v1 intermediate
311 if (useMozillaPKIX) {
312 ca_error = SEC_ERROR_CA_CERT_INVALID;
313 ee_error = SEC_ERROR_CA_CERT_INVALID;
314 } else {
315 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
316 ee_error = SEC_ERROR_UNKNOWN_ISSUER;
317 }
318 check_ca_err(cert_from_file('v1_int-v2_ca.der'), ca_error);
319 check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca.der'), ee_error);
320 check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca.der'), ee_error);
321 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca.der'), ee_error);
322 check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca.der'), ee_error);
323 if (useMozillaPKIX) {
324 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
325 }
326 check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca.der'), ee_error)
327 check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca.der'), ee_error);
328 check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca.der'), ee_error);
330 // v2 ca, v1 intermediate with basic constraints (invalid)
331 if (useMozillaPKIX) {
332 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
333 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
334 } else {
335 ca_error = 0;
336 ee_error = 0;
337 }
338 check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), ca_error);
339 check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), ee_error);
340 check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
341 check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca.der'), ee_error);
342 check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
343 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
344 check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
345 check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), ee_error);
347 // v2 ca, v2 intermediate
348 if (useMozillaPKIX) {
349 ca_error = SEC_ERROR_CA_CERT_INVALID;
350 ee_error = SEC_ERROR_CA_CERT_INVALID;
351 } else {
352 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
353 ee_error = SEC_ERROR_UNKNOWN_ISSUER;
354 }
355 check_ca_err(cert_from_file('v2_int-v2_ca.der'), ca_error);
356 check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca.der'), ee_error);
357 check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca.der'), ee_error);
358 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca.der'), ee_error);
359 check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca.der'), ee_error);
360 if (useMozillaPKIX) {
361 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
362 }
363 check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca.der'), ee_error);
364 check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca.der'), ee_error);
365 check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca.der'), ee_error)
367 // v2 ca, v2 intermediate with basic constraints (invalid)
368 if (useMozillaPKIX) {
369 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
370 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
371 } else {
372 ca_error = 0;
373 ee_error = 0;
374 }
375 check_ca_err(cert_from_file('v2_int_bc-v2_ca.der'), ca_error);
376 check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca.der'), ee_error);
377 check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
378 check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca.der'), ee_error);
379 check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
380 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
381 check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
382 check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca.der'), ee_error);
384 // v2 ca, v3 intermediate missing basic constraints
385 if (useMozillaPKIX) {
386 ca_error = SEC_ERROR_CA_CERT_INVALID;
387 ee_error = SEC_ERROR_CA_CERT_INVALID;
388 } else {
389 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
390 ee_error = SEC_ERROR_UNKNOWN_ISSUER;
391 }
392 check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca.der'), ca_error);
393 check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
394 check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
395 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
396 check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
397 if (useMozillaPKIX) {
398 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
399 }
400 check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
401 check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
402 check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error);
404 // v2 ca, v3 intermediate
405 if (useMozillaPKIX) {
406 ca_error = SEC_ERROR_CA_CERT_INVALID;
407 ee_error = SEC_ERROR_CA_CERT_INVALID;
408 } else {
409 ca_error = 0;
410 ee_error = 0;
411 }
412 check_ca_err(cert_from_file('v3_int-v2_ca.der'), ca_error);
413 check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca.der'), ee_error);
414 check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca.der'), ee_error);
415 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca.der'), ee_error);
416 check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca.der'), ee_error);
417 if (useMozillaPKIX) {
418 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
419 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
420 } else {
421 ca_error = 0;
422 ee_error = 0;
423 }
424 check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca.der'), ee_error);
425 check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca.der'), ee_error);
426 check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca.der'), ee_error);
428 // v2 ca, v1 intermediate
429 if (useMozillaPKIX) {
430 ca_error = SEC_ERROR_CA_CERT_INVALID;
431 ee_error = SEC_ERROR_CA_CERT_INVALID;
432 } else {
433 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
434 ee_error = SEC_ERROR_UNKNOWN_ISSUER;
435 }
436 check_ca_err(cert_from_file('v1_int-v2_ca_bc.der'), ca_error);
437 check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca_bc.der'), ee_error);
438 check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca_bc.der'), ee_error);
439 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
440 check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
441 if (useMozillaPKIX) {
442 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
443 }
444 check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
445 check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
446 check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca_bc.der'), ee_error);
448 // v2 ca, v1 intermediate with bc (invalid)
449 if (useMozillaPKIX) {
450 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
451 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
452 } else {
453 ca_error = 0;
454 ee_error = 0;
455 }
456 check_ca_err(cert_from_file('v1_int_bc-v2_ca_bc.der'), ca_error);
457 check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
458 check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
459 check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
460 check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
461 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
462 check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
463 check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error);
465 // v2 ca, v2 intermediate
466 if (useMozillaPKIX) {
467 ca_error = SEC_ERROR_CA_CERT_INVALID;
468 ee_error = SEC_ERROR_CA_CERT_INVALID;
469 } else {
470 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
471 ee_error = SEC_ERROR_UNKNOWN_ISSUER;
472 }
473 check_ca_err(cert_from_file('v2_int-v2_ca_bc.der'), ca_error);
474 check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca_bc.der'), ee_error);
475 check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca_bc.der'), ee_error);
476 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
477 check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
478 if (useMozillaPKIX) {
479 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
480 }
481 check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
482 check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
483 check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca_bc.der'), ee_error);
485 // v2 ca, v2 intermediate with bc (invalid)
486 if (useMozillaPKIX) {
487 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
488 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
489 } else {
490 ca_error = 0;
491 ee_error = 0;
492 }
493 check_ca_err(cert_from_file('v2_int_bc-v2_ca_bc.der'), ca_error);
494 check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
495 check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
496 check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
497 check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
498 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
499 check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
500 check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error);
502 // v2 ca, invalid v3 intermediate
503 if (useMozillaPKIX) {
504 ca_error = SEC_ERROR_CA_CERT_INVALID;
505 ee_error = SEC_ERROR_CA_CERT_INVALID;
506 } else {
507 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
508 ee_error = SEC_ERROR_UNKNOWN_ISSUER;
509 }
510 check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca_bc.der'), ca_error);
511 check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
512 check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
513 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
514 check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
515 if (useMozillaPKIX) {
516 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
517 }
518 check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
519 check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error)
520 check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error);
522 // v2 ca, valid v3 intermediate (is OK if we use 'classic' semantics)
523 if (useMozillaPKIX) {
524 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
525 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
526 } else {
527 ca_error = 0;
528 ee_error = 0;
529 }
530 check_ca_err(cert_from_file('v3_int-v2_ca_bc.der'), ca_error);
531 check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca_bc.der'), ee_error);
532 check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
533 check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca_bc.der'), ee_error);
534 check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
535 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
536 check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
537 check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca_bc.der'), ee_error);
539 //////////////
540 // v3 CA supersection
541 //////////////////
543 // v3 ca, v1 intermediate
544 if (useMozillaPKIX) {
545 ca_error = SEC_ERROR_CA_CERT_INVALID;
546 ee_error = SEC_ERROR_CA_CERT_INVALID;
547 } else {
548 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
549 ee_error = SEC_ERROR_UNKNOWN_ISSUER;
550 }
551 check_ca_err(cert_from_file('v1_int-v3_ca.der'), ca_error);
552 check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca.der'), ee_error);
553 check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca.der'), ee_error);
554 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca.der'), ee_error);
555 check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca.der'), ee_error);
556 if (useMozillaPKIX) {
557 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
558 }
559 check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca.der'), ee_error);
560 check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca.der'), ee_error);
561 check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca.der'), ee_error);
563 // A v1 intermediate with v3 extensions
564 if (useMozillaPKIX) {
565 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
566 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
567 } else {
568 ca_error = 0;
569 ee_error = 0;
570 }
571 check_ca_err(cert_from_file('v1_int_bc-v3_ca.der'), ca_error);
572 check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca.der'), ee_error);
573 check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
574 check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca.der'), ee_error);
575 check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
576 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
577 check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca.der'), ee_error);
578 check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca.der'), ee_error)
580 // reject a v2 cert as intermediate
581 if (useMozillaPKIX) {
582 ca_error = SEC_ERROR_CA_CERT_INVALID;
583 ee_error = SEC_ERROR_CA_CERT_INVALID;
584 } else {
585 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
586 ee_error = SEC_ERROR_UNKNOWN_ISSUER;
587 }
588 check_ca_err(cert_from_file('v2_int-v3_ca.der'), ca_error);
589 check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca.der'), ee_error);
590 check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca.der'), ee_error);
591 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca.der'), ee_error);
592 check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca.der'), ee_error);
593 if (useMozillaPKIX) {
594 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
595 }
596 check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca.der'), ee_error);
597 check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca.der'), ee_error);
598 check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca.der'), ee_error);
600 // v2 intermediate with bc (invalid)
601 if (useMozillaPKIX) {
602 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
603 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
604 } else {
605 ca_error = 0;
606 ee_error = 0;
607 }
608 check_ca_err(cert_from_file('v2_int_bc-v3_ca.der'), ca_error);
609 check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca.der'), ee_error);
610 check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
611 check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca.der'), ee_error);
612 check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
613 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
614 check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
615 check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca.der'), ee_error);
617 // invalid v3 intermediate
618 if (useMozillaPKIX) {
619 ca_error = SEC_ERROR_CA_CERT_INVALID;
620 ee_error = SEC_ERROR_CA_CERT_INVALID;
621 } else {
622 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
623 ee_error = SEC_ERROR_UNKNOWN_ISSUER;
624 }
625 check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca.der'), ca_error);
626 check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
627 check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
628 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
629 check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
630 if (useMozillaPKIX) {
631 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
632 }
633 check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
634 check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
635 check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error);
637 // I dont think that v3 intermediates should be allowed to sign v1 or v2
638 // certs, but other thanthat this is what we usually get in the wild.
639 check_ok_ca(cert_from_file('v3_int-v3_ca.der'));
640 check_ok(cert_from_file('v1_ee-v3_int-v3_ca.der'));
641 check_ok(cert_from_file('v2_ee-v3_int-v3_ca.der'));
642 check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca.der'));
643 check_ok(cert_from_file('v3_bc_ee-v3_int-v3_ca.der'));
644 if (useMozillaPKIX) {
645 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
646 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
647 } else {
648 ca_error = 0;
649 ee_error = 0;
650 }
651 check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca.der'), ee_error);
652 check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca.der'), ee_error);
653 check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca.der'), ee_error);
655 // v3 CA, invalid v3 intermediate
656 if (useMozillaPKIX) {
657 ca_error = SEC_ERROR_CA_CERT_INVALID;
658 ee_error = SEC_ERROR_CA_CERT_INVALID;
659 } else {
660 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
661 ee_error = SEC_ERROR_UNKNOWN_ISSUER;
662 }
663 check_ca_err(cert_from_file('v1_int-v3_ca_missing_bc.der'), ca_error);
664 check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
665 check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
666 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
667 check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
668 if (useMozillaPKIX) {
669 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
670 }
671 check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
672 check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
673 check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error);
675 // Int v1 with BC that is just invalid (classic fail insanity OK)
676 if (useMozillaPKIX) {
677 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
678 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
679 } else {
680 ca_error = 0;
681 ee_error = 0;
682 }
683 check_ca_err(cert_from_file('v1_int_bc-v3_ca_missing_bc.der'), ca_error);
684 check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
685 check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
686 check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
687 check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
688 check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
689 check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
690 check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error);
692 // Good section (all fail)
693 if (useMozillaPKIX) {
694 ca_error = SEC_ERROR_CA_CERT_INVALID;
695 ee_error = SEC_ERROR_CA_CERT_INVALID;
696 } else {
697 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
698 ee_error = SEC_ERROR_UNKNOWN_ISSUER;
699 }
700 check_ca_err(cert_from_file('v2_int-v3_ca_missing_bc.der'), ca_error);
701 check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
702 check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
703 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
704 check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
705 if (useMozillaPKIX) {
706 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
707 }
708 check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
709 check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
710 check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error);
712 // v2 intermediate (even with basic constraints) is invalid
713 if (useMozillaPKIX) {
714 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
715 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
716 } else {
717 ca_error = 0;
718 ee_error = 0;
719 }
720 check_ca_err(cert_from_file('v2_int_bc-v3_ca_missing_bc.der'), ca_error);
721 check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
722 check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
723 check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
724 check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
725 check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
726 check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
727 check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error);
729 // v3 intermediate missing basic constraints is invalid
730 if (useMozillaPKIX) {
731 ca_error = SEC_ERROR_CA_CERT_INVALID;
732 ee_error = SEC_ERROR_CA_CERT_INVALID;
733 } else {
734 ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE;
735 ee_error = SEC_ERROR_UNKNOWN_ISSUER;
736 }
737 check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca_missing_bc.der'), ca_error);
738 check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
739 check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
740 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
741 check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
742 if (useMozillaPKIX) {
743 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
744 }
745 check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
746 check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
747 check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
749 // With a v3 root missing bc and valid v3 intermediate
750 if (useMozillaPKIX) {
751 ca_error = SEC_ERROR_CA_CERT_INVALID;
752 ee_error = SEC_ERROR_CA_CERT_INVALID;
753 } else {
754 ca_error = 0;
755 ee_error = 0;
756 }
757 check_ca_err(cert_from_file('v3_int-v3_ca_missing_bc.der'), ca_error);
758 check_cert_err(cert_from_file('v1_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
759 check_cert_err(cert_from_file('v2_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
760 check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
761 check_cert_err(cert_from_file('v3_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
762 if (useMozillaPKIX) {
763 ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
764 ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
765 } else {
766 ca_error = 0;
767 ee_error = 0;
768 }
769 check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
770 check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
771 check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
772 }
// xpcshell entry point.
//
// Installs each root that the certificate matrix in run_tests_in_mode chains
// to, giving all of them the same NSS trust string, and then runs that matrix
// once with the mozilla::pkix verification pref off and once with it on.
// The per-mode expected error codes live in run_tests_in_mode.
//
// Note that the deliberately malformed roots (e.g. v1_ca_bc, v3_ca_missing_bc)
// are trusted exactly like the well-formed ones: the point of the test is that
// the verifier rejects a bad CA certificate on its own merits, regardless of
// the trust bits set in the cert DB.
function run_test() {
  // Roots the test chains are anchored to; every one gets identical trust so
  // that differing outcomes are attributable only to the version / basic
  // constraints checks.
  const ROOT_NAMES = [
    "v1_ca",
    "v1_ca_bc",
    "v2_ca",
    "v2_ca_bc",
    "v3_ca",
    "v3_ca_missing_bc",
  ];
  const ROOT_TRUST = "CTu,CTu,CTu";

  for (let rootName of ROOT_NAMES) {
    load_cert(rootName, ROOT_TRUST);
  }

  // Legacy verifier first, then mozilla::pkix; order matches the original.
  const modes = [false, true];
  for (let i = 0; i < modes.length; i++) {
    run_tests_in_mode(modes[i]);
  }
}