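// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

"use strict";

// Helpers for the certificate-version / basic-constraints checks below.
// Every test certificate lives under test_cert_version/ and is verified
// through the profile's nsIX509CertDB, so that the expected SEC_ERROR_*
// code (or 0 for success) can be pinned per verifier mode.

do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                 .getService(Ci.nsIX509CertDB);

/**
 * Builds a certificate object from a DER file under test_cert_version/.
 *
 * @param {string} filename  File name relative to test_cert_version/.
 * @returns whatever constructCertFromFile produces for that file.
 */
function cert_from_file(filename) {
  return constructCertFromFile("test_cert_version/" + filename);
}

/**
 * Imports test_cert_version/<cert_name>.der into the cert DB with the
 * given trust string.
 *
 * @param {string} cert_name     Base name of the .der file (no extension).
 * @param {string} trust_string  Trust flags handed to addCertFromFile.
 */
function load_cert(cert_name, trust_string) {
  let cert_filename = cert_name + ".der";
  addCertFromFile(certdb, "test_cert_version/" + cert_filename, trust_string);
}

/**
 * Verifies `cert` for `usage` with NO_FLAGS and asserts that the verifier
 * reports exactly `expected_error` (0 meaning the chain verified).
 * The verified-chain and EV-policy out-params are requested but not
 * inspected; only the returned error code is under test here.
 *
 * @param cert            Certificate to verify (as built by cert_from_file).
 * @param expected_error  Expected SEC_ERROR_* code, or 0 for success.
 * @param usage           certificateUsage* constant to verify against.
 */
function check_cert_err_generic(cert, expected_error, usage) {
  do_print("cert cn=" + cert.commonName);
  do_print("cert issuer cn=" + cert.issuerCommonName);
  let hasEVPolicy = {};
  let verifiedChain = {};
  let error = certdb.verifyCertNow(cert, usage, NO_FLAGS,
                                   verifiedChain, hasEVPolicy);
  do_check_eq(error, expected_error);
}

// Expect `expected_error` when `cert` is verified as a TLS server end-entity.
function check_cert_err(cert, expected_error) {
  check_cert_err_generic(cert, expected_error, certificateUsageSSLServer);
}

// Expect `expected_error` when `cert` is verified as a TLS CA.
function check_ca_err(cert, expected_error) {
  check_cert_err_generic(cert, expected_error, certificateUsageSSLCA);
}

// Expect `x` to verify without error as a TLS server end-entity.
function check_ok(x) {
  return check_cert_err(x, 0);
}

// Expect `x` to verify without error as a TLS CA.
// Routed through check_ca_err so the CA usage is chosen in one place.
function check_ok_ca(x) {
  return check_ca_err(x, 0);
}

function run_tests_in_mode(useMozillaPKIX)
{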
michael@0: Services.prefs.setBoolPref("security.use_mozillapkix_verification", michael@0: useMozillaPKIX); michael@0: michael@0: check_ok_ca(cert_from_file('v1_ca.der')); michael@0: check_ca_err(cert_from_file('v1_ca_bc.der'), michael@0: useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0); michael@0: check_ca_err(cert_from_file('v2_ca.der'), michael@0: useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0); michael@0: check_ca_err(cert_from_file('v2_ca_bc.der'), michael@0: useMozillaPKIX ? SEC_ERROR_EXTENSION_VALUE_INVALID : 0); michael@0: check_ok_ca(cert_from_file('v3_ca.der')); michael@0: check_ca_err(cert_from_file('v3_ca_missing_bc.der'), michael@0: useMozillaPKIX ? SEC_ERROR_CA_CERT_INVALID : 0); michael@0: michael@0: // Classic allows v1 and v2 certs to be CA certs in trust anchor positions and michael@0: // intermediates when they have a v3 basic constraints extenstion (which michael@0: // makes them invalid certs). Insanity only allows v1 certs to be CA in michael@0: // anchor position (even if they have invalid encodings), v2 certs are not michael@0: // considered CAs in any position. michael@0: // Note that currently there are no change of behavior based on the michael@0: // version of the end entity. 
michael@0: michael@0: let ee_error = 0; michael@0: let ca_error = 0; michael@0: michael@0: ////////////// michael@0: // v1 CA supersection michael@0: ////////////////// michael@0: michael@0: // v1 intermediate with v1 trust anchor michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_CA_CERT_INVALID; michael@0: ee_error = SEC_ERROR_CA_CERT_INVALID; michael@0: } else { michael@0: ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; michael@0: ee_error = SEC_ERROR_UNKNOWN_ISSUER; michael@0: } michael@0: check_ca_err(cert_from_file('v1_int-v1_ca.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca.der'), ee_error); michael@0: if (useMozillaPKIX) { michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca.der'), ee_error); michael@0: michael@0: // v1 intermediate with v3 extensions. CA is invalid. 
michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } else { michael@0: ca_error = 0; michael@0: ee_error = 0; michael@0: } michael@0: check_ca_err(cert_from_file('v1_int_bc-v1_ca.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca.der'), ee_error); michael@0: michael@0: // A v2 intermediate with a v1 CA michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_CA_CERT_INVALID; michael@0: ee_error = SEC_ERROR_CA_CERT_INVALID; michael@0: } else { michael@0: ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; michael@0: ee_error = SEC_ERROR_UNKNOWN_ISSUER; michael@0: } michael@0: check_ca_err(cert_from_file('v2_int-v1_ca.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca.der'), ee_error); michael@0: if (useMozillaPKIX) { michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca.der'), ee_error); michael@0: michael@0: // A 
v2 intermediate with basic constraints (not allowed in insanity) michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } else { michael@0: ca_error = 0; michael@0: ee_error = 0; michael@0: } michael@0: check_ca_err(cert_from_file('v2_int_bc-v1_ca.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca.der'), ee_error); michael@0: michael@0: // Section is OK. 
A x509 v3 CA MUST have bc michael@0: // http://tools.ietf.org/html/rfc5280#section-4.2.1.9 michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_CA_CERT_INVALID; michael@0: ee_error = SEC_ERROR_CA_CERT_INVALID; michael@0: } else { michael@0: ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; michael@0: ee_error = SEC_ERROR_UNKNOWN_ISSUER; michael@0: } michael@0: check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); michael@0: if (useMozillaPKIX) { michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca.der'), ee_error); michael@0: michael@0: // It is valid for a v1 ca to sign a v3 intemediate. 
michael@0: check_ok_ca(cert_from_file('v3_int-v1_ca.der')); michael@0: check_ok(cert_from_file('v1_ee-v3_int-v1_ca.der')); michael@0: check_ok(cert_from_file('v2_ee-v3_int-v1_ca.der')); michael@0: check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca.der')); michael@0: check_ok(cert_from_file('v3_bc_ee-v3_int-v1_ca.der')); michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } else { michael@0: ca_error = 0; michael@0: ee_error = 0; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca.der'), ee_error); michael@0: michael@0: // The next groups change the v1 ca for a v1 ca with base constraints michael@0: // (invalid trust anchor). The error pattern is the same as the groups michael@0: // above michael@0: michael@0: // Using A v1 intermediate michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_CA_CERT_INVALID; michael@0: ee_error = SEC_ERROR_CA_CERT_INVALID; michael@0: } else { michael@0: ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; michael@0: ee_error = SEC_ERROR_UNKNOWN_ISSUER; michael@0: } michael@0: check_ca_err(cert_from_file('v1_int-v1_ca_bc.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v1_int-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v1_int-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v1_int-v1_ca_bc.der'), ee_error); michael@0: if (useMozillaPKIX) { michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v1_int-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v1_int-v1_ca_bc.der'), ee_error); 
michael@0: check_cert_err(cert_from_file('v4_bc_ee-v1_int-v1_ca_bc.der'), ee_error); michael@0: michael@0: // Using a v1 intermediate with v3 extenstions (invalid). michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } else { michael@0: ca_error = 0; michael@0: ee_error = 0; michael@0: } michael@0: check_ca_err(cert_from_file('v1_int_bc-v1_ca_bc.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v1_int_bc-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v1_int_bc-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v1_ca_bc.der'), ee_error); michael@0: michael@0: // Using v2 intermediate michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_CA_CERT_INVALID; michael@0: ee_error = SEC_ERROR_CA_CERT_INVALID; michael@0: } else { michael@0: ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; michael@0: ee_error = SEC_ERROR_UNKNOWN_ISSUER; michael@0: } michael@0: check_ca_err(cert_from_file('v2_int-v1_ca_bc.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v2_int-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v2_int-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v2_int-v1_ca_bc.der'), ee_error); michael@0: if (useMozillaPKIX) { michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v2_int-v1_ca_bc.der'), 
ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v2_int-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v2_int-v1_ca_bc.der'), ee_error); michael@0: michael@0: // Using a v2 intermediate with basic constraints (invalid) michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } else { michael@0: ca_error = 0; michael@0: ee_error = 0; michael@0: } michael@0: check_ca_err(cert_from_file('v2_int_bc-v1_ca_bc.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v2_int_bc-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v2_int_bc-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v1_ca_bc.der'), ee_error); michael@0: michael@0: // Using a v3 intermediate that is missing basic constraints (invalid) michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_CA_CERT_INVALID; michael@0: ee_error = SEC_ERROR_CA_CERT_INVALID; michael@0: } else { michael@0: ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; michael@0: ee_error = SEC_ERROR_UNKNOWN_ISSUER; michael@0: } michael@0: check_ca_err(cert_from_file('v3_int_missing_bc-v1_ca_bc.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); michael@0: 
check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); michael@0: if (useMozillaPKIX) { michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v1_ca_bc.der'), ee_error); michael@0: michael@0: // these should pass assuming we are OK with v1 ca signing v3 intermediates michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } else { michael@0: ca_error = 0; michael@0: ee_error = 0; michael@0: } michael@0: check_ca_err(cert_from_file('v3_int-v1_ca_bc.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v3_int-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v1_bc_ee-v3_int-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v3_int-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v3_int-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v3_int-v1_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v3_int-v1_ca_bc.der'), ee_error); michael@0: michael@0: michael@0: ////////////// michael@0: // v2 CA supersection michael@0: ////////////////// michael@0: michael@0: // v2 ca, v1 intermediate michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_CA_CERT_INVALID; michael@0: ee_error = SEC_ERROR_CA_CERT_INVALID; michael@0: } else { michael@0: ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; michael@0: ee_error = SEC_ERROR_UNKNOWN_ISSUER; michael@0: } michael@0: check_ca_err(cert_from_file('v1_int-v2_ca.der'), ca_error); michael@0: 
check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca.der'), ee_error); michael@0: if (useMozillaPKIX) { michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca.der'), ee_error) michael@0: check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca.der'), ee_error); michael@0: michael@0: // v2 ca, v1 intermediate with basic constraints (invalid) michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } else { michael@0: ca_error = 0; michael@0: ee_error = 0; michael@0: } michael@0: check_ca_err(cert_from_file('v1_int_bc-v2_ca.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca.der'), ee_error); michael@0: michael@0: // v2 ca, v2 intermediate michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_CA_CERT_INVALID; michael@0: ee_error = SEC_ERROR_CA_CERT_INVALID; michael@0: } else { michael@0: ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; michael@0: ee_error = SEC_ERROR_UNKNOWN_ISSUER; michael@0: } michael@0: 
check_ca_err(cert_from_file('v2_int-v2_ca.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca.der'), ee_error); michael@0: if (useMozillaPKIX) { michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca.der'), ee_error) michael@0: michael@0: // v2 ca, v2 intermediate with basic constraints (invalid) michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } else { michael@0: ca_error = 0; michael@0: ee_error = 0; michael@0: } michael@0: check_ca_err(cert_from_file('v2_int_bc-v2_ca.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca.der'), ee_error); michael@0: michael@0: // v2 ca, v3 intermediate missing basic constraints michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_CA_CERT_INVALID; michael@0: ee_error = SEC_ERROR_CA_CERT_INVALID; michael@0: } else { michael@0: ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; 
michael@0: ee_error = SEC_ERROR_UNKNOWN_ISSUER; michael@0: } michael@0: check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); michael@0: if (useMozillaPKIX) { michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca.der'), ee_error); michael@0: michael@0: // v2 ca, v3 intermediate michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_CA_CERT_INVALID; michael@0: ee_error = SEC_ERROR_CA_CERT_INVALID; michael@0: } else { michael@0: ca_error = 0; michael@0: ee_error = 0; michael@0: } michael@0: check_ca_err(cert_from_file('v3_int-v2_ca.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca.der'), ee_error); michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } else { michael@0: ca_error = 0; michael@0: ee_error = 0; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca.der'), ee_error); michael@0: 
check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca.der'), ee_error); michael@0: michael@0: // v2 ca, v1 intermediate michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_CA_CERT_INVALID; michael@0: ee_error = SEC_ERROR_CA_CERT_INVALID; michael@0: } else { michael@0: ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; michael@0: ee_error = SEC_ERROR_UNKNOWN_ISSUER; michael@0: } michael@0: check_ca_err(cert_from_file('v1_int-v2_ca_bc.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v1_int-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v1_int-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v1_int-v2_ca_bc.der'), ee_error); michael@0: if (useMozillaPKIX) { michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v1_int-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v1_int-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v1_int-v2_ca_bc.der'), ee_error); michael@0: michael@0: // v2 ca, v1 intermediate with bc (invalid) michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } else { michael@0: ca_error = 0; michael@0: ee_error = 0; michael@0: } michael@0: check_ca_err(cert_from_file('v1_int_bc-v2_ca_bc.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v1_int_bc-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v1_int_bc-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); michael@0: 
check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v2_ca_bc.der'), ee_error); michael@0: michael@0: // v2 ca, v2 intermediate michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_CA_CERT_INVALID; michael@0: ee_error = SEC_ERROR_CA_CERT_INVALID; michael@0: } else { michael@0: ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; michael@0: ee_error = SEC_ERROR_UNKNOWN_ISSUER; michael@0: } michael@0: check_ca_err(cert_from_file('v2_int-v2_ca_bc.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v2_int-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v2_int-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v2_int-v2_ca_bc.der'), ee_error); michael@0: if (useMozillaPKIX) { michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v2_int-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v2_int-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v2_int-v2_ca_bc.der'), ee_error); michael@0: michael@0: // v2 ca, v2 intermediate with bc (invalid) michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } else { michael@0: ca_error = 0; michael@0: ee_error = 0; michael@0: } michael@0: check_ca_err(cert_from_file('v2_int_bc-v2_ca_bc.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v2_int_bc-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v2_int_bc-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); michael@0: 
check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v2_ca_bc.der'), ee_error); michael@0: michael@0: // v2 ca, invalid v3 intermediate michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_CA_CERT_INVALID; michael@0: ee_error = SEC_ERROR_CA_CERT_INVALID; michael@0: } else { michael@0: ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; michael@0: ee_error = SEC_ERROR_UNKNOWN_ISSUER; michael@0: } michael@0: check_ca_err(cert_from_file('v3_int_missing_bc-v2_ca_bc.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); michael@0: if (useMozillaPKIX) { michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error) michael@0: check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v2_ca_bc.der'), ee_error); michael@0: michael@0: // v2 ca, valid v3 intermediate (is OK if we use 'classic' semantics) michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } else { michael@0: ca_error = 0; michael@0: ee_error = 0; michael@0: } michael@0: check_ca_err(cert_from_file('v3_int-v2_ca_bc.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v3_int-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v1_bc_ee-v3_int-v2_ca_bc.der'), 
ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v3_int-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v3_int-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v3_int-v2_ca_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v3_int-v2_ca_bc.der'), ee_error); michael@0: michael@0: ////////////// michael@0: // v3 CA supersection michael@0: ////////////////// michael@0: michael@0: // v3 ca, v1 intermediate michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_CA_CERT_INVALID; michael@0: ee_error = SEC_ERROR_CA_CERT_INVALID; michael@0: } else { michael@0: ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; michael@0: ee_error = SEC_ERROR_UNKNOWN_ISSUER; michael@0: } michael@0: check_ca_err(cert_from_file('v1_int-v3_ca.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca.der'), ee_error); michael@0: if (useMozillaPKIX) { michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca.der'), ee_error); michael@0: michael@0: // A v1 intermediate with v3 extensions michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } else { michael@0: ca_error = 0; michael@0: ee_error = 0; michael@0: } michael@0: check_ca_err(cert_from_file('v1_int_bc-v3_ca.der'), ca_error); michael@0: 
check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca.der'), ee_error) michael@0: michael@0: // reject a v2 cert as intermediate michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_CA_CERT_INVALID; michael@0: ee_error = SEC_ERROR_CA_CERT_INVALID; michael@0: } else { michael@0: ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; michael@0: ee_error = SEC_ERROR_UNKNOWN_ISSUER; michael@0: } michael@0: check_ca_err(cert_from_file('v2_int-v3_ca.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca.der'), ee_error); michael@0: if (useMozillaPKIX) { michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca.der'), ee_error); michael@0: michael@0: // v2 intermediate with bc (invalid) michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } else { michael@0: ca_error = 0; michael@0: ee_error = 0; michael@0: } michael@0: 
check_ca_err(cert_from_file('v2_int_bc-v3_ca.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca.der'), ee_error); michael@0: michael@0: // invalid v3 intermediate michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_CA_CERT_INVALID; michael@0: ee_error = SEC_ERROR_CA_CERT_INVALID; michael@0: } else { michael@0: ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; michael@0: ee_error = SEC_ERROR_UNKNOWN_ISSUER; michael@0: } michael@0: check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); michael@0: if (useMozillaPKIX) { michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca.der'), ee_error); michael@0: michael@0: // I dont think that v3 intermediates should be allowed to sign v1 or v2 michael@0: // certs, but other thanthat this is what we usually get in the wild. 
michael@0: check_ok_ca(cert_from_file('v3_int-v3_ca.der')); michael@0: check_ok(cert_from_file('v1_ee-v3_int-v3_ca.der')); michael@0: check_ok(cert_from_file('v2_ee-v3_int-v3_ca.der')); michael@0: check_ok(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca.der')); michael@0: check_ok(cert_from_file('v3_bc_ee-v3_int-v3_ca.der')); michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } else { michael@0: ca_error = 0; michael@0: ee_error = 0; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca.der'), ee_error); michael@0: michael@0: // v3 CA, invalid v3 intermediate michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_CA_CERT_INVALID; michael@0: ee_error = SEC_ERROR_CA_CERT_INVALID; michael@0: } else { michael@0: ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; michael@0: ee_error = SEC_ERROR_UNKNOWN_ISSUER; michael@0: } michael@0: check_ca_err(cert_from_file('v1_int-v3_ca_missing_bc.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v1_int-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v1_int-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); michael@0: if (useMozillaPKIX) { michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v1_int-v3_ca_missing_bc.der'), ee_error); michael@0: michael@0: // Int v1 with 
BC that is just invalid (classic fail insanity OK) michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } else { michael@0: ca_error = 0; michael@0: ee_error = 0; michael@0: } michael@0: check_ca_err(cert_from_file('v1_int_bc-v3_ca_missing_bc.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v1_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v1_int_bc-v3_ca_missing_bc.der'), ee_error); michael@0: michael@0: // Good section (all fail) michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_CA_CERT_INVALID; michael@0: ee_error = SEC_ERROR_CA_CERT_INVALID; michael@0: } else { michael@0: ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; michael@0: ee_error = SEC_ERROR_UNKNOWN_ISSUER; michael@0: } michael@0: check_ca_err(cert_from_file('v2_int-v3_ca_missing_bc.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v2_int-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v2_int-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); michael@0: if (useMozillaPKIX) { michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } michael@0: check_cert_err(cert_from_file('v1_bc_ee-v2_int-v3_ca_missing_bc.der'), 
ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v2_int-v3_ca_missing_bc.der'), ee_error); michael@0: michael@0: // v2 intermediate (even with basic constraints) is invalid michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID; michael@0: } else { michael@0: ca_error = 0; michael@0: ee_error = 0; michael@0: } michael@0: check_ca_err(cert_from_file('v2_int_bc-v3_ca_missing_bc.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v1_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_missing_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v3_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v4_bc_ee-v2_int_bc-v3_ca_missing_bc.der'), ee_error); michael@0: michael@0: // v3 intermediate missing basic constraints is invalid michael@0: if (useMozillaPKIX) { michael@0: ca_error = SEC_ERROR_CA_CERT_INVALID; michael@0: ee_error = SEC_ERROR_CA_CERT_INVALID; michael@0: } else { michael@0: ca_error = SEC_ERROR_INADEQUATE_CERT_TYPE; michael@0: ee_error = SEC_ERROR_UNKNOWN_ISSUER; michael@0: } michael@0: check_ca_err(cert_from_file('v3_int_missing_bc-v3_ca_missing_bc.der'), ca_error); michael@0: check_cert_err(cert_from_file('v1_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); michael@0: check_cert_err(cert_from_file('v2_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error); michael@0: 
// Tail of run_tests_in_mode(useMozillaPKIX); the function's head (and the
// assignments of ca_error / ee_error that these first checks rely on) sits
// above this chunk.
  check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
  check_cert_err(cert_from_file('v3_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
  // For EEs whose file name says they carry basicConstraints in a v1/v2/v4
  // certificate, mozilla::pkix reports the bad extension encoding; classic
  // keeps whatever ee_error the preceding section chose.
  if (useMozillaPKIX) {
    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
  }
  check_cert_err(cert_from_file('v1_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
  check_cert_err(cert_from_file('v2_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);
  check_cert_err(cert_from_file('v4_bc_ee-v3_int_missing_bc-v3_ca_missing_bc.der'), ee_error);

  // With a v3 root missing bc and valid v3 intermediate
  // The two verifiers diverge on the anchor itself: classic accepts a v3
  // trust anchor that has no basicConstraints (expected error 0), while
  // mozilla::pkix rejects it as a CA, so every chain under it fails the same way.
  if (useMozillaPKIX) {
    ca_error = SEC_ERROR_CA_CERT_INVALID;
    ee_error = SEC_ERROR_CA_CERT_INVALID;
  } else {
    ca_error = 0;
    ee_error = 0;
  }
  check_ca_err(cert_from_file('v3_int-v3_ca_missing_bc.der'), ca_error);
  check_cert_err(cert_from_file('v1_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
  check_cert_err(cert_from_file('v2_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
  check_cert_err(cert_from_file('v3_missing_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
  check_cert_err(cert_from_file('v3_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
  // Non-v3 EEs that nevertheless carry basicConstraints (per the file names):
  // classic still accepts the chain, mozilla::pkix rejects the extension.
  if (useMozillaPKIX) {
    ca_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
    ee_error = SEC_ERROR_EXTENSION_VALUE_INVALID;
  } else {
    ca_error = 0;
    ee_error = 0;
  }
  check_cert_err(cert_from_file('v1_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
  check_cert_err(cert_from_file('v2_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
  check_cert_err(cert_from_file('v4_bc_ee-v3_int-v3_ca_missing_bc.der'), ee_error);
}

// xpcshell entry point: import the six trust anchors once, then run the whole
// matrix under both verifiers. The anchors are shared by both runs, so any
// difference in outcome comes from the verifier, not from the trust store.
function run_test() {
  // Anchors are added in the same order the chains below reference them.
  // The trust string is passed straight through to addCertFromFile;
  // "CTu,CTu,CTu" presumably marks each cert as a trusted CA for SSL, email
  // and object signing in NSS trust-flag syntax — confirm against the NSS
  // documentation before relying on that reading.
  const anchors = [
    "v1_ca",
    "v1_ca_bc",
    "v2_ca",
    "v2_ca_bc",
    "v3_ca",
    "v3_ca_missing_bc"
  ];
  for (let anchor of anchors) {
    load_cert(anchor, "CTu,CTu,CTu");
  }

  // Classic NSS verification first, then mozilla::pkix; run_tests_in_mode
  // flips the security.use_mozillapkix_verification pref itself.
  for (let useMozillaPKIX of [false, true]) {
    run_tests_in_mode(useMozillaPKIX);
  }
}