michael@0: // -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- michael@0: // This Source Code Form is subject to the terms of the Mozilla Public michael@0: // License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: // file, You can obtain one at http://mozilla.org/MPL/2.0/. michael@0: michael@0: "use strict"; michael@0: /* michael@0: * The purpose of this test is to verify that we correctly detect bad michael@0: * signatures on tampered certificates. Eventually, we should also be michael@0: * verifying that the error we return is the correct error. michael@0: * michael@0: * To regenerate the certificates for this test: michael@0: * michael@0: * cd security/manager/ssl/tests/unit/test_cert_signatures michael@0: * ./generate.py michael@0: * cd ../../../../../.. michael@0: * make -C $OBJDIR/security/manager/ssl/tests michael@0: * michael@0: * Check in the generated files. These steps are not done as part of the build michael@0: * because we do not want to add a build-time dependency on the OpenSSL or NSS michael@0: * tools or libraries built for the host platform. michael@0: */ michael@0: michael@0: do_get_profile(); // must be called before getting nsIX509CertDB michael@0: const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB); michael@0: michael@0: function load_ca(ca_name) { michael@0: let ca_filename = ca_name + ".der"; michael@0: addCertFromFile(certdb, "test_cert_signatures/" + ca_filename, 'CTu,CTu,CTu'); michael@0: } michael@0: michael@0: function check_ca(ca_name) { michael@0: do_print("ca_name=" + ca_name); michael@0: let cert = certdb.findCertByNickname(null, ca_name); michael@0: michael@0: let verified = {}; michael@0: let usages = {}; michael@0: cert.getUsagesString(true, verified, usages); michael@0: do_check_eq('SSL CA', usages.value); michael@0: } michael@0: michael@0: function run_test() { michael@0: // Load the ca into mem michael@0: load_ca("ca-rsa"); michael@0: load_ca("ca-p384"); michael@0: load_ca("ca-dsa"); michael@0: michael@0: run_test_in_mode(true); michael@0: run_test_in_mode(false); michael@0: } michael@0: michael@0: function run_test_in_mode(useMozillaPKIX) { michael@0: Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX); michael@0: clearOCSPCache(); michael@0: clearSessionCache(); michael@0: michael@0: check_ca("ca-rsa"); michael@0: check_ca("ca-p384"); michael@0: check_ca("ca-dsa"); michael@0: michael@0: // mozilla::pkix does not allow CA certs to be validated for end-entity michael@0: // usages. michael@0: let int_usage = useMozillaPKIX michael@0: ? 'SSL CA' michael@0: : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder'; michael@0: michael@0: // mozilla::pkix doesn't implement the Netscape Object Signer restriction. michael@0: const ee_usage = useMozillaPKIX michael@0: ? 'Client,Server,Sign,Encrypt,Object Signer' michael@0: : 'Client,Server,Sign,Encrypt'; michael@0: michael@0: let cert2usage = { michael@0: // certs without the "int" prefix are end entity certs. michael@0: 'int-rsa-valid': int_usage, michael@0: 'rsa-valid': ee_usage, michael@0: 'int-p384-valid': int_usage, michael@0: 'p384-valid': ee_usage, michael@0: 'int-dsa-valid': int_usage, michael@0: 'dsa-valid': ee_usage, michael@0: michael@0: 'rsa-valid-int-tampered-ee': "", michael@0: 'p384-valid-int-tampered-ee': "", michael@0: 'dsa-valid-int-tampered-ee': "", michael@0: michael@0: 'int-rsa-tampered': "", michael@0: 'rsa-tampered-int-valid-ee': "", michael@0: 'int-p384-tampered': "", michael@0: 'p384-tampered-int-valid-ee': "", michael@0: 'int-dsa-tampered': "", michael@0: 'dsa-tampered-int-valid-ee': "", michael@0: michael@0: }; michael@0: michael@0: // Load certs first michael@0: for (let cert_name in cert2usage) { michael@0: let cert_filename = cert_name + ".der"; michael@0: addCertFromFile(certdb, "test_cert_signatures/" + cert_filename, ',,'); michael@0: } michael@0: michael@0: for (let cert_name in cert2usage) { michael@0: do_print("cert_name=" + cert_name); michael@0: michael@0: let cert = certdb.findCertByNickname(null, cert_name); michael@0: michael@0: let verified = {}; michael@0: let usages = {}; michael@0: cert.getUsagesString(true, verified, usages); michael@0: do_check_eq(cert2usage[cert_name], usages.value); michael@0: } michael@0: }