summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/tests/unit/test_validity.js
blob: 1809faf24c94c6072428a39e2e4366795dddb64b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// Any copyright is dedicated to the Public Domain.
// http://creativecommons.org/publicdomain/zero/1.0/
"use strict";

// Tests that chains containing an end-entity cert with an overly long validity
// period are rejected.

do_get_profile(); // Must be called before getting nsIX509CertDB
const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
  Ci.nsIX509CertDB
);

const SERVER_PORT = 8888;

function getOCSPResponder(expectedCertNames) {
  let expectedPaths = expectedCertNames.slice();
  return startOCSPResponder(
    SERVER_PORT,
    "www.example.com",
    "test_validity",
    expectedCertNames,
    expectedPaths
  );
}

function certFromFile(filename) {
  return constructCertFromFile(`test_validity/${filename}`);
}

function loadCert(certFilename, trustString) {
  addCertFromFile(certDB, `test_validity/${certFilename}`, trustString);
}

/**
 * Asynchronously runs a single EV test.
 *
 * @param {Array} expectedNamesForOCSP
 *        An array of nicknames of the certs to be responded to.
 * @param {String} rootCertFileName
 *        The file name of the root cert. Can begin with ".." to reference
 *        certs in folders other than "test_validity/".
 * @param {Array} intCertFileNames
 *        An array of file names of any intermediate certificates.
 * @param {String} endEntityCertFileName
 *        The file name of the end entity cert.
 * @param {Boolean} expectedResult
 *        Whether the chain is expected to validate as EV.
 */
async function doEVTest(
  expectedNamesForOCSP,
  rootCertFileName,
  intCertFileNames,
  endEntityCertFileName,
  expectedResult
) {
  clearOCSPCache();
  let ocspResponder = getOCSPResponder(expectedNamesForOCSP);

  loadCert(`${rootCertFileName}.pem`, "CTu,CTu,CTu");
  for (let intCertFileName of intCertFileNames) {
    loadCert(`${intCertFileName}.pem`, ",,");
  }
  await checkEVStatus(
    certDB,
    certFromFile(`${endEntityCertFileName}.pem`),
    certificateUsageSSLServer,
    expectedResult
  );

  await stopOCSPResponder(ocspResponder);
}

async function checkEVChains() {
  // Chain with an end entity cert with a validity period that is acceptable
  // for EV.
  const intFullName = "ev_int_60_months-evroot";
  let eeFullName = `ev_ee_27_months-${intFullName}`;
  let expectedNamesForOCSP = gEVExpected
    ? [intFullName, eeFullName]
    : [eeFullName];
  await doEVTest(
    expectedNamesForOCSP,
    "../test_ev_certs/evroot",
    [intFullName],
    eeFullName,
    gEVExpected
  );

  // Chain with an end entity cert with a validity period that is too long
  // for EV.
  eeFullName = `ev_ee_28_months-${intFullName}`;
  expectedNamesForOCSP = gEVExpected ? [intFullName, eeFullName] : [eeFullName];
  await doEVTest(
    expectedNamesForOCSP,
    "../test_ev_certs/evroot",
    [intFullName],
    eeFullName,
    false
  );
}

add_task(async function() {
  Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
  Services.prefs.setIntPref("security.OCSP.enabled", 1);

  await checkEVChains();
});