michael@0: "use strict"; michael@0: michael@0: /* To regenerate the certificates and apps for this test: michael@0: michael@0: cd security/manager/ssl/tests/unit/test_certificate_usages michael@0: PATH=$NSS/bin:$NSS/lib:$PATH ./generate.pl michael@0: cd ../../../../../.. michael@0: make -C $OBJDIR/security/manager/ssl/tests michael@0: michael@0: $NSS is the path to NSS binaries and libraries built for the host platform. michael@0: If you get error messages about "CertUtil" on Windows, then it means that michael@0: the Windows CertUtil.exe is ahead of the NSS certutil.exe in $PATH. michael@0: michael@0: Check in the generated files. These steps are not done as part of the build michael@0: because we do not want to add a build-time dependency on the OpenSSL or NSS michael@0: tools or libraries built for the host platform. michael@0: */ michael@0: michael@0: do_get_profile(); // must be called before getting nsIX509CertDB michael@0: const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB); michael@0: michael@0: const gNumCAs = 4; michael@0: michael@0: function run_test() { michael@0: //ca's are one based! michael@0: for (var i = 0; i < gNumCAs; i++) { michael@0: var ca_name = "ca-" + (i + 1); michael@0: var ca_filename = ca_name + ".der"; michael@0: addCertFromFile(certdb, "test_certificate_usages/" + ca_filename, "CTu,CTu,CTu"); michael@0: do_print("ca_name=" + ca_name); michael@0: var cert = certdb.findCertByNickname(null, ca_name); michael@0: } michael@0: michael@0: run_test_in_mode(true); michael@0: run_test_in_mode(false); michael@0: } michael@0: michael@0: function run_test_in_mode(useMozillaPKIX) { michael@0: Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX); michael@0: clearOCSPCache(); michael@0: clearSessionCache(); michael@0: michael@0: // mozilla::pkix does not allow CA certs to be validated for non-CA usages. michael@0: var allCAUsages = useMozillaPKIX michael@0: ? 'SSL CA' michael@0: : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder'; michael@0: michael@0: // mozilla::pkix doesn't allow CA certificates to have the Status Responder michael@0: // EKU. michael@0: var ca_usages = [allCAUsages, michael@0: 'SSL CA', michael@0: allCAUsages, michael@0: useMozillaPKIX ? '' michael@0: : 'Client,Server,Sign,Encrypt,Status Responder']; michael@0: michael@0: // mozilla::pkix doesn't implement the Netscape Object Signer restriction. michael@0: var basicEndEntityUsages = useMozillaPKIX michael@0: ? 'Client,Server,Sign,Encrypt,Object Signer' michael@0: : 'Client,Server,Sign,Encrypt'; michael@0: var basicEndEntityUsagesWithObjectSigner = basicEndEntityUsages + ",Object Signer" michael@0: michael@0: // mozilla::pkix won't let a certificate with the "Status Responder" EKU get michael@0: // validated for any other usage. michael@0: var statusResponderUsages = (useMozillaPKIX ? "" : "Server,") + "Status Responder"; michael@0: var statusResponderUsagesFull michael@0: = useMozillaPKIX ? statusResponderUsages michael@0: : basicEndEntityUsages + ',Object Signer,Status Responder'; michael@0: michael@0: var ee_usages = [ michael@0: [ basicEndEntityUsages, michael@0: basicEndEntityUsages, michael@0: basicEndEntityUsages, michael@0: '', michael@0: statusResponderUsagesFull, michael@0: 'Client,Server', michael@0: 'Sign,Encrypt,Object Signer', michael@0: statusResponderUsages michael@0: ], michael@0: michael@0: [ basicEndEntityUsages, michael@0: basicEndEntityUsages, michael@0: basicEndEntityUsages, michael@0: '', michael@0: statusResponderUsagesFull, michael@0: 'Client,Server', michael@0: 'Sign,Encrypt,Object Signer', michael@0: statusResponderUsages michael@0: ], michael@0: michael@0: [ basicEndEntityUsages, michael@0: basicEndEntityUsages, michael@0: basicEndEntityUsages, michael@0: '', michael@0: statusResponderUsagesFull, michael@0: 'Client,Server', michael@0: 'Sign,Encrypt,Object Signer', michael@0: statusResponderUsages michael@0: ], michael@0: michael@0: // The CA has isCA=true without keyCertSign. michael@0: // michael@0: // The 'classic' NSS mode uses the 'union' of the michael@0: // capabilites so the cert is considered a CA. michael@0: // mozilla::pkix and libpkix use the intersection of michael@0: // capabilites, so the cert is NOT considered a CA. michael@0: [ useMozillaPKIX ? '' : basicEndEntityUsages, michael@0: useMozillaPKIX ? '' : basicEndEntityUsages, michael@0: useMozillaPKIX ? '' : basicEndEntityUsages, michael@0: '', michael@0: useMozillaPKIX ? '' : statusResponderUsagesFull, michael@0: useMozillaPKIX ? '' : 'Client,Server', michael@0: useMozillaPKIX ? '' : 'Sign,Encrypt,Object Signer', michael@0: useMozillaPKIX ? '' : 'Server,Status Responder' michael@0: ] michael@0: ]; michael@0: michael@0: do_check_eq(gNumCAs, ca_usages.length); michael@0: michael@0: for (var i = 0; i < gNumCAs; i++) { michael@0: var ca_name = "ca-" + (i + 1); michael@0: var verified = {}; michael@0: var usages = {}; michael@0: var cert = certdb.findCertByNickname(null, ca_name); michael@0: cert.getUsagesString(true, verified, usages); michael@0: do_print("usages.value=" + usages.value); michael@0: do_check_eq(ca_usages[i], usages.value); michael@0: if (ca_usages[i].indexOf('SSL CA') != -1) { michael@0: checkCertErrorGeneric(certdb, cert, 0, certificateUsageVerifyCA); michael@0: } michael@0: //now the ee, names also one based michael@0: for (var j = 0; j < ee_usages[i].length; j++) { michael@0: var ee_name = "ee-" + (j + 1) + "-" + ca_name; michael@0: var ee_filename = ee_name + ".der"; michael@0: //do_print("ee_filename" + ee_filename); michael@0: addCertFromFile(certdb, "test_certificate_usages/" + ee_filename, ",,"); michael@0: var ee_cert; michael@0: ee_cert = certdb.findCertByNickname(null, ee_name); michael@0: var verified = {}; michael@0: var usages = {}; michael@0: ee_cert.getUsagesString(true, verified, usages); michael@0: do_print("cert usages.value=" + usages.value); michael@0: do_check_eq(ee_usages[i][j], usages.value); michael@0: } michael@0: } michael@0: }