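// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

"use strict";

// Checks how per-certificate trust settings on a CA (root or intermediate)
// change the verification result of an end-entity certificate, for every
// certificate usage, under both verification back ends selected by the
// "security.use_mozillapkix_verification" pref.
//
// Trust strings passed to setCertTrust() have three comma-separated fields.
// Going by the section comments below, the first is the SSL trust and the
// second the e-mail trust; the third is presumably object signing (the order
// used in setup_basic_trusts) -- TODO confirm against the harness helper.
// Flag meanings as used in this file:
//   p       active distrust
//   T       trusted CA to issue client certs
//   C       trusted CA (NSS trust-flag convention; not spelled out here)
//   (empty) no explicit trust, i.e. inherited from the chain
//
// addCertFromFile, setCertTrust, NO_FLAGS, the SEC_ERROR_* codes and the
// certificateUsage* constants are not defined in this file; they are expected
// to come from the test harness head file.

do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                 .getService(Ci.nsIX509CertDB);

// Nicknames of the test certificates; each maps to test_cert_trust/<name>.der.
let certList = [
  'ee',
  'int',
  'ca',
];

// Imports test_cert_trust/<cert_name>.der into the certificate DB with the
// given trust string.
function load_cert(cert_name, trust_string) {
  let cert_filename = cert_name + ".der";
  addCertFromFile(certdb, "test_cert_trust/" + cert_filename, trust_string);
}

// Resets the chain to the baseline used before each scenario: the root is a
// trusted CA for SSL, e-mail and object signing, and the intermediate carries
// no trust bits of its own.
function setup_basic_trusts(ca_cert, int_cert) {
  certdb.setCertTrust(ca_cert, Ci.nsIX509Cert.CA_CERT,
                      Ci.nsIX509CertDB.TRUSTED_SSL |
                      Ci.nsIX509CertDB.TRUSTED_EMAIL |
                      Ci.nsIX509CertDB.TRUSTED_OBJSIGN);

  certdb.setCertTrust(int_cert, Ci.nsIX509Cert.CA_CERT, 0);
}

// Verifies `cert` for `usage` and asserts that verifyCertNow returns exactly
// `expected_error` (0 means the verification succeeded).
function check_cert_err_generic(cert, expected_error, usage) {
  do_print("cert cn=" + cert.commonName);
  do_print("cert issuer cn=" + cert.issuerCommonName);
  // The assertions in this file differ only in usage and expected code, so
  // log both to make a failing expectation identifiable from the test output.
  do_print("usage=" + usage + " expected error=" + expected_error);
  // Out-parameters of verifyCertNow; their contents are not inspected here.
  let hasEVPolicy = {};
  let verifiedChain = {};
  let error = certdb.verifyCertNow(cert, usage,
                                   NO_FLAGS, verifiedChain, hasEVPolicy);
  do_check_eq(error, expected_error);
}

// Walks `cert_to_modify_trust` through a series of trust settings and checks
// the verification result of `ee_cert` for each certificate usage.
//
//   ee_cert               end-entity certificate that is verified
//   cert_to_modify_trust  CA certificate whose trust string is changed
//   isRootCA              true when cert_to_modify_trust is the root, false
//                         when it is the intermediate (the root then keeps the
//                         trust given by setup_basic_trusts)
//   useMozillaPKIX        which back end the expectations are written for
//
// The order of the sections matters: each setCertTrust() call replaces the
// trust left by the previous section.
//
// Expectations tagged "XXX Bug 982340" pin what mozilla::pkix currently
// returns for the SSL client usage; the marker suggests these are known
// divergences rather than intended results, so revisit them with that bug.
function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA, useMozillaPKIX) {
  // On reset most usages are successful
  check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
  check_cert_err_generic(ee_cert, 0, certificateUsageSSLClient);
  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageSSLCA); // expected no bc
  check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
  check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageObjectSigner); // expected
  // mozilla::pkix enforces that certificates must have a basic constraints
  // extension with cA:true to be a CA certificate, whereas classic does not
  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
                                                 : 0,
                         certificateUsageVerifyCA);
  check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageStatusResponder); //expected


  // Test of active distrust. No usage should pass.
  // The SSL and e-mail expectations do not depend on isRootCA: distrusting
  // the intermediate must fail the chain even though the root stays trusted.
  setCertTrust(cert_to_modify_trust, 'p,p,p');
  check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                         certificateUsageSSLServer);
  check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                         certificateUsageSSLClient);
  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageSSLCA);
  check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                         certificateUsageEmailSigner);
  check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                         certificateUsageEmailRecipient);
  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageObjectSigner);
  // NOTE(review): classic verification returns 0 for this usage while the
  // issuer is actively distrusted, which contradicts "No usage should pass"
  // above -- the expectation records current behaviour; confirm it is intended.
  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
                                                 : 0,
                         certificateUsageVerifyCA);
  // In mozilla::pkix (but not classic verification), certificate chain
  // properties are checked before the end-entity. Thus, if we're using
  // mozilla::pkix and the root certificate has been distrusted, the error
  // will be "untrusted issuer" and not "inadequate cert type".
  // NOTE(review): the condition below selects "untrusted issuer" when the
  // *intermediate* is the modified certificate (!isRootCA), while the comment
  // above speaks of the root -- confirm which one is meant.
  check_cert_err_generic(ee_cert, (!isRootCA && useMozillaPKIX)
                                    ? SEC_ERROR_UNTRUSTED_ISSUER
                                    : SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageStatusResponder);


  // Trust set to T - trusted CA to issue client certs, where client cert is
  // usageSSLClient.
  setCertTrust(cert_to_modify_trust, 'T,T,T');
  check_cert_err_generic(ee_cert, isRootCA ? (useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
                                                             : SEC_ERROR_UNTRUSTED_ISSUER)
                                           : 0,
                         certificateUsageSSLServer);

  check_cert_err_generic(ee_cert, isRootCA ? (useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER //XXX Bug 982340
                                                             : 0)
                                           : 0,
                         certificateUsageSSLClient);
  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageSSLCA);

  check_cert_err_generic(ee_cert, isRootCA ? (useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
                                                             : SEC_ERROR_UNTRUSTED_ISSUER)
                                           : 0,
                         certificateUsageEmailSigner);
  check_cert_err_generic(ee_cert, isRootCA ? (useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
                                                             : SEC_ERROR_UNTRUSTED_ISSUER)
                                           : 0,
                         certificateUsageEmailRecipient);
  check_cert_err_generic(ee_cert, isRootCA ? (useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
                                                             : SEC_ERROR_INADEQUATE_CERT_TYPE)
                                           : (useMozillaPKIX ? 0
                                                             : SEC_ERROR_INADEQUATE_CERT_TYPE),
                         certificateUsageObjectSigner);
  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
                                                 : 0,
                         certificateUsageVerifyCA);
  check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageStatusResponder);


  // Now tests on the SSL trust bit
  setCertTrust(cert_to_modify_trust, 'p,C,C');
  check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                         certificateUsageSSLServer);
  // Note the expectation for mozilla::pkix: SSL client verification succeeds
  // although the SSL field is actively distrusted (tracked by the XXX marker).
  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0 //XXX Bug 982340
                                                 : SEC_ERROR_UNTRUSTED_ISSUER,
                         certificateUsageSSLClient);
  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageSSLCA);
  check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
  check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageObjectSigner);
  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
                                                 : 0,
                         certificateUsageVerifyCA);
  // In mozilla::pkix (but not classic verification), certificate chain
  // properties are checked before the end-entity. Thus, if we're using
  // mozilla::pkix and the root certificate has been distrusted, the error
  // will be "untrusted issuer" and not "inadequate cert type".
  // NOTE(review): as in the 'p,p,p' section, the condition fires for the
  // intermediate case (!isRootCA); confirm against the comment above.
  check_cert_err_generic(ee_cert, (!isRootCA && useMozillaPKIX)
                                    ? SEC_ERROR_UNTRUSTED_ISSUER
                                    : SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageStatusResponder);

  // Inherited trust SSL
  setCertTrust(cert_to_modify_trust, ',C,C');
  check_cert_err_generic(ee_cert, isRootCA ? (useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
                                                             : SEC_ERROR_UNTRUSTED_ISSUER)
                                           : 0,
                         certificateUsageSSLServer);
  check_cert_err_generic(ee_cert, isRootCA ? (useMozillaPKIX ? 0 // XXX Bug 982340
                                                             : SEC_ERROR_UNTRUSTED_ISSUER)
                                           : 0,
                         certificateUsageSSLClient);
  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageSSLCA);
  check_cert_err_generic(ee_cert, 0, certificateUsageEmailSigner);
  check_cert_err_generic(ee_cert, 0, certificateUsageEmailRecipient);
  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageObjectSigner);
  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
                                                 : 0,
                         certificateUsageVerifyCA);
  check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageStatusResponder);

  // Now tests on the EMAIL trust bit
  setCertTrust(cert_to_modify_trust, 'C,p,C');
  check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
  check_cert_err_generic(ee_cert, isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER
                                           : (useMozillaPKIX ? SEC_ERROR_UNTRUSTED_ISSUER
                                                             : 0), // mozilla::pkix is OK, NSS bug
                         certificateUsageSSLClient);
  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageSSLCA);
  check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                         certificateUsageEmailSigner);
  check_cert_err_generic(ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                         certificateUsageEmailRecipient);
  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageObjectSigner);
  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
                                                 : 0,
                         certificateUsageVerifyCA);
  check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageStatusResponder);


  //inherited EMAIL Trust
  setCertTrust(cert_to_modify_trust, 'C,,C');
  check_cert_err_generic(ee_cert, 0, certificateUsageSSLServer);
  check_cert_err_generic(ee_cert, isRootCA ? (useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
                                                             : SEC_ERROR_UNTRUSTED_ISSUER)
                                           : 0,
                         certificateUsageSSLClient);
  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageSSLCA);
  check_cert_err_generic(ee_cert, isRootCA ? (useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
                                                             : SEC_ERROR_UNTRUSTED_ISSUER)
                                           : 0,
                         certificateUsageEmailSigner);
  check_cert_err_generic(ee_cert, isRootCA ? (useMozillaPKIX ? SEC_ERROR_UNKNOWN_ISSUER
                                                             : SEC_ERROR_UNTRUSTED_ISSUER)
                                           : 0,
                         certificateUsageEmailRecipient);
  check_cert_err_generic(ee_cert, useMozillaPKIX ? 0
                                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageObjectSigner);
  check_cert_err_generic(ee_cert, useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID
                                                 : 0,
                         certificateUsageVerifyCA);
  check_cert_err_generic(ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
                         certificateUsageStatusResponder);
}


// Runs the whole trust matrix twice for one verification back end: first
// modifying the root's trust, then the intermediate's. The baseline trust is
// restored before each pass so the second pass does not start from the trust
// string left by the first.
function run_test_in_mode(useMozillaPKIX) {
  Services.prefs.setBoolPref("security.use_mozillapkix_verification", useMozillaPKIX);

  // A missing certificate would otherwise surface later as a confusing
  // failure, so assert each lookup succeeded.
  let ca_cert = certdb.findCertByNickname(null, 'ca');
  do_check_false(!ca_cert);
  let int_cert = certdb.findCertByNickname(null, 'int');
  do_check_false(!int_cert);
  let ee_cert = certdb.findCertByNickname(null, 'ee');
  do_check_false(!ee_cert);

  setup_basic_trusts(ca_cert, int_cert);
  test_ca_distrust(ee_cert, ca_cert, true, useMozillaPKIX);

  setup_basic_trusts(ca_cert, int_cert);
  test_ca_distrust(ee_cert, int_cert, false, useMozillaPKIX);
}

// xpcshell entry point: imports the three certificates with no trust bits and
// runs the matrix under mozilla::pkix, then under classic verification.
function run_test() {
  // The second run leaves the pref set to false. Clear it on cleanup so the
  // back-end selection does not outlive this test.
  // NOTE(review): only matters if the harness shares pref state between
  // tests -- confirm.
  do_register_cleanup(function() {
    Services.prefs.clearUserPref("security.use_mozillapkix_verification");
  });

  for (let i = 0 ; i < certList.length; i++) {
    load_cert(certList[i], ',,');
  }

  run_test_in_mode(true);
  run_test_in_mode(false);
}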