Thu, 22 Jan 2015 13:21:57 +0100
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
1 // -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 // This Source Code Form is subject to the terms of the Mozilla Public
3 // License, v. 2.0. If a copy of the MPL was not distributed with this
4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
6 "use strict";
8 do_get_profile(); // must be called before getting nsIX509CertDB
9 const certdb = Cc["@mozilla.org/security/x509certdb;1"]
10 .getService(Ci.nsIX509CertDB);
11 const certdb2 = Cc["@mozilla.org/security/x509certdb;1"]
12 .getService(Ci.nsIX509CertDB2);
14 // This is the list of certificates needed for the test
15 // The certificates prefixed by 'int-' are intermediates
16 let certList = [
17 'ee',
18 'ca-1',
19 'ca-2',
20 ]
22 function load_cert(cert_name, trust_string) {
23 var cert_filename = cert_name + ".der";
24 addCertFromFile(certdb, "test_getchain/" + cert_filename, trust_string);
25 }
27 // Since all the ca's are identical expect for the serial number
28 // I have to grab them by enumerating all the certs and then finding
29 // the ones that I am interested in.
30 function get_ca_array() {
31 let ret_array = new Array();
32 let allCerts = certdb2.getCerts();
33 let enumerator = allCerts.getEnumerator();
34 while (enumerator.hasMoreElements()) {
35 let cert = enumerator.getNext().QueryInterface(Ci.nsIX509Cert);
36 if (cert.commonName == 'ca') {
37 ret_array[parseInt(cert.serialNumber)] = cert;
38 }
39 }
40 return ret_array;
41 }
44 function check_matching_issuer_and_getchain(expected_issuer_serial, cert) {
45 const nsIX509Cert = Components.interfaces.nsIX509Cert;
47 do_check_eq(expected_issuer_serial, cert.issuer.serialNumber);
48 let chain = cert.getChain();
49 let issuer_via_getchain = chain.queryElementAt(1, nsIX509Cert);
50 // The issuer returned by cert.issuer or cert.getchain should be consistent.
51 do_check_eq(cert.issuer.serialNumber, issuer_via_getchain.serialNumber);
52 }
54 function check_getchain(ee_cert, ssl_ca, email_ca){
55 // A certificate should first build a chain/issuer to
56 // a SSL trust domain, then an EMAIL trust domain and then
57 // and object signer trust domain
59 const nsIX509Cert = Components.interfaces.nsIX509Cert;
60 certdb.setCertTrust(ssl_ca, nsIX509Cert.CA_CERT,
61 Ci.nsIX509CertDB.TRUSTED_SSL);
62 certdb.setCertTrust(email_ca, nsIX509Cert.CA_CERT,
63 Ci.nsIX509CertDB.TRUSTED_EMAIL);
64 check_matching_issuer_and_getchain(ssl_ca.serialNumber, ee_cert);
65 certdb.setCertTrust(ssl_ca, nsIX509Cert.CA_CERT, 0);
66 check_matching_issuer_and_getchain(email_ca.serialNumber, ee_cert);
67 certdb.setCertTrust(email_ca, nsIX509Cert.CA_CERT, 0);
68 // Do a final test on the case of no trust. The results must
69 // be cosistent (the actual value is non-deterministic).
70 check_matching_issuer_and_getchain(ee_cert.issuer.serialNumber, ee_cert);
71 }
73 function run_test_in_mode(useMozillaPKIX) {
74 Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);
75 clearOCSPCache();
76 clearSessionCache();
78 for (let i = 0 ; i < certList.length; i++) {
79 load_cert(certList[i], ',,');
80 }
82 let ee_cert = certdb.findCertByNickname(null, 'ee');
83 do_check_false(!ee_cert);
85 let ca = get_ca_array();
87 check_getchain(ee_cert, ca[1], ca[2]);
88 // Swap ca certs to deal alternate trust settings.
89 check_getchain(ee_cert, ca[2], ca[1]);
90 }
92 function run_test() {
93 run_test_in_mode(true);
94 run_test_in_mode(false);
95 }
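Review bot: In run_test_in_mode the lookups `ca[1]` and `ca[2]` returned by get_ca_array are passed to check_getchain unchecked, so if the enumeration in get_ca_array misses either CA (for example because the serial number does not parse as 1 or 2) the failure surfaces as a TypeError inside certdb.setCertTrust rather than as a clear assertion; after `let ca = get_ca_array();` add `do_check_neq(ca[1], undefined);` and `do_check_neq(ca[2], undefined);`. The index `parseInt(cert.serialNumber)` in get_ca_array also has no radix and stops at the first non-digit character, so it presumably only works while the serial numbers stay at 1 and 2 in whatever format the serialNumber attribute uses; a comment stating that assumption, e.g. `// relies on the test CAs having serial numbers 1 and 2`, would make the coupling explicit. The comment above certList says certificates prefixed by 'int-' are intermediates, but no entry in the list carries that prefix, so that sentence looks stale and should be dropped or the list updated. Finally, check_matching_issuer_and_getchain and check_getchain spell the interface as `Components.interfaces.nsIX509Cert` while the rest of the file uses `Ci.nsIX509Cert`; picking one form keeps the file consistent.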