firefox/security/manager/ssl/tests/unit/test_cert_eku.js

// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

// Tests that the extended key usage extension is properly processed by the
// platform when verifying certificates. There are already comprehensive tests
// in mozilla::pkix itself, but these tests serve as integration tests to ensure
// that the cases we're particularly concerned about are correctly handled.

"use strict";

do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
  Ci.nsIX509CertDB
);

function certFromFile(certName) {
  return constructCertFromFile(`test_cert_eku/${certName}.pem`);
}

function loadCertWithTrust(certName, trustString) {
  addCertFromFile(certdb, `test_cert_eku/${certName}.pem`, trustString);
}

function checkEndEntity(cert, expectedResult) {
  return checkCertErrorGeneric(
    certdb,
    cert,
    expectedResult,
    Ci.nsIX509CertDB.verifyUsageTLSServer
  );
}

function checkCertOn25August2016(cert, expectedResult) {
  // (new Date("2016-08-25T00:00:00Z")).getTime() / 1000
  const VALIDATION_TIME = 1472083200;
  return checkCertErrorGenericAtTime(
    certdb,
    cert,
    expectedResult,
    Ci.nsIX509CertDB.verifyUsageTLSServer,
    VALIDATION_TIME
  );
}

add_task(async function () {
  registerCleanupFunction(() => {
    Services.prefs.clearUserPref("privacy.reduceTimerPrecision");
  });
  Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false);

  loadCertWithTrust("ca", "CTu,,");
  // end-entity has id-kp-serverAuth => success
  await checkEndEntity(certFromFile("ee-SA"), PRErrorCodeSuccess);
  // end-entity has id-kp-serverAuth => success
  await checkEndEntity(certFromFile("ee-SA-CA"), PRErrorCodeSuccess);
  // end-entity has extended key usage, but id-kp-serverAuth is not present =>
  // failure
  await checkEndEntity(certFromFile("ee-CA"), SEC_ERROR_INADEQUATE_CERT_TYPE);
  // end-entity has id-kp-serverAuth => success
  await checkEndEntity(certFromFile("ee-SA-nsSGC"), PRErrorCodeSuccess);

  // end-entity has extended key usage, but id-kp-serverAuth is not present =>
  // failure (in particular, Netscape Server Gated Crypto (also known as
  // Netscape Step Up) is not an acceptable substitute for end-entity
  // certificates).
  // Verify this for all Netscape Step Up policy configurations.
  // 0 = "always accept nsSGC in place of serverAuth for CA certificates"
  Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0);
  await checkEndEntity(
    certFromFile("ee-nsSGC"),
    SEC_ERROR_INADEQUATE_CERT_TYPE
  );
  // 1 = "accept nsSGC before 23 August 2016"
  Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1);
  await checkEndEntity(
    certFromFile("ee-nsSGC"),
    SEC_ERROR_INADEQUATE_CERT_TYPE
  );
  // 2 = "accept nsSGC before 23 August 2015"
  Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2);
  await checkEndEntity(
    certFromFile("ee-nsSGC"),
    SEC_ERROR_INADEQUATE_CERT_TYPE
  );
  // 3 = "never accept nsSGC"
  Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3);
  await checkEndEntity(
    certFromFile("ee-nsSGC"),
    SEC_ERROR_INADEQUATE_CERT_TYPE
  );

  // end-entity has id-kp-OCSPSigning, which is not acceptable for end-entity
  // certificates being verified as TLS server certificates => failure
  await checkEndEntity(
    certFromFile("ee-SA-OCSP"),
    SEC_ERROR_INADEQUATE_CERT_TYPE
  );

  // intermediate has id-kp-serverAuth => success
  loadCertWithTrust("int-SA", ",,");
  await checkEndEntity(certFromFile("ee-int-SA"), PRErrorCodeSuccess);
  // intermediate has id-kp-serverAuth => success
  loadCertWithTrust("int-SA-CA", ",,");
  await checkEndEntity(certFromFile("ee-int-SA-CA"), PRErrorCodeSuccess);
  // intermediate has extended key usage, but id-kp-serverAuth is not present
  // => failure
  loadCertWithTrust("int-CA", ",,");
  await checkEndEntity(
    certFromFile("ee-int-CA"),
    SEC_ERROR_INADEQUATE_CERT_TYPE
  );
  // intermediate has id-kp-serverAuth => success
  loadCertWithTrust("int-SA-nsSGC", ",,");
  await checkEndEntity(certFromFile("ee-int-SA-nsSGC"), PRErrorCodeSuccess);

  // Intermediate has Netscape Server Gated Crypto. Success will depend on the
  // Netscape Step Up policy configuration and the notBefore property of the
  // intermediate.
  loadCertWithTrust("int-nsSGC-recent", ",,");
  loadCertWithTrust("int-nsSGC-old", ",,");
  loadCertWithTrust("int-nsSGC-older", ",,");
  // 0 = "always accept nsSGC in place of serverAuth for CA certificates"
  Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0);
  info("Netscape Step Up policy: always accept");
  await checkCertOn25August2016(
    certFromFile("ee-int-nsSGC-recent"),
    PRErrorCodeSuccess
  );
  await checkCertOn25August2016(
    certFromFile("ee-int-nsSGC-old"),
    PRErrorCodeSuccess
  );
  await checkCertOn25August2016(
    certFromFile("ee-int-nsSGC-older"),
    PRErrorCodeSuccess
  );
  // 1 = "accept nsSGC before 23 August 2016"
  info("Netscape Step Up policy: accept before 23 August 2016");
  Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1);
  await checkCertOn25August2016(
    certFromFile("ee-int-nsSGC-recent"),
    SEC_ERROR_INADEQUATE_CERT_TYPE
  );
  await checkCertOn25August2016(
    certFromFile("ee-int-nsSGC-old"),
    PRErrorCodeSuccess
  );
  await checkCertOn25August2016(
    certFromFile("ee-int-nsSGC-older"),
    PRErrorCodeSuccess
  );
  // 2 = "accept nsSGC before 23 August 2015"
  info("Netscape Step Up policy: accept before 23 August 2015");
  Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2);
  await checkCertOn25August2016(
    certFromFile("ee-int-nsSGC-recent"),
    SEC_ERROR_INADEQUATE_CERT_TYPE
  );
  await checkCertOn25August2016(
    certFromFile("ee-int-nsSGC-old"),
    SEC_ERROR_INADEQUATE_CERT_TYPE
  );
  await checkCertOn25August2016(
    certFromFile("ee-int-nsSGC-older"),
    PRErrorCodeSuccess
  );
  // 3 = "never accept nsSGC"
  info("Netscape Step Up policy: never accept");
  Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3);
  await checkCertOn25August2016(
    certFromFile("ee-int-nsSGC-recent"),
    SEC_ERROR_INADEQUATE_CERT_TYPE
  );
  await checkCertOn25August2016(
    certFromFile("ee-int-nsSGC-old"),
    SEC_ERROR_INADEQUATE_CERT_TYPE
  );
  await checkCertOn25August2016(
    certFromFile("ee-int-nsSGC-older"),
    SEC_ERROR_INADEQUATE_CERT_TYPE
  );

  // intermediate has id-kp-OCSPSigning, which is acceptable for CA
  // certificates => success
  loadCertWithTrust("int-SA-OCSP", ",,");
  await checkEndEntity(certFromFile("ee-int-SA-OCSP"), PRErrorCodeSuccess);
});