summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/tests/unit/test_cert_trust
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust.js324
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust/ca.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec4
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust/ee.pem18
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust/int.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec4
7 files changed, 387 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/test_cert_trust.js b/security/manager/ssl/tests/unit/test_cert_trust.js
new file mode 100644
index 0000000000..45ff78a253
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@@ -0,0 +1,324 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function load_cert(cert_name, trust_string) {
+ let cert_filename = cert_name + ".pem";
+ return addCertFromFile(
+ certdb,
+ "test_cert_trust/" + cert_filename,
+ trust_string
+ );
+}
+
+function setup_basic_trusts(ca_cert, int_cert) {
+ certdb.setCertTrust(
+ ca_cert,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_SSL | Ci.nsIX509CertDB.TRUSTED_EMAIL
+ );
+
+ certdb.setCertTrust(int_cert, Ci.nsIX509Cert.CA_CERT, 0);
+}
+
+async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
+ // On reset most usages are successful
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+
+ // Test of active distrust. No usage should pass.
+ setCertTrust(cert_to_modify_trust, "p,p,p");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLServer
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailRecipient
+ );
+
+ // Trust set to T - trusted CA to issue client certs, where client cert is
+ // usageSSLClient.
+ setCertTrust(cert_to_modify_trust, "T,T,T");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+
+ // XXX(Bug 982340)
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+
+ // Now tests on the SSL trust bit
+ setCertTrust(cert_to_modify_trust, "p,C,C");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLServer
+ );
+
+ // XXX(Bug 982340)
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+
+ // Inherited trust SSL
+ setCertTrust(cert_to_modify_trust, ",C,C");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ // XXX(Bug 982340)
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+
+ // Now tests on the EMAIL trust bit
+ setCertTrust(cert_to_modify_trust, "C,p,C");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailRecipient
+ );
+
+ // inherited EMAIL Trust
+ setCertTrust(cert_to_modify_trust, "C,,C");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+}
+
+add_task(async function () {
+ let certList = ["ca", "int", "ee"];
+ let loadedCerts = [];
+ for (let certName of certList) {
+ loadedCerts.push(load_cert(certName, ",,"));
+ }
+
+ let ca_cert = loadedCerts[0];
+ notEqual(ca_cert, null, "CA cert should have successfully loaded");
+ let int_cert = loadedCerts[1];
+ notEqual(int_cert, null, "Intermediate cert should have successfully loaded");
+ let ee_cert = loadedCerts[2];
+ notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+ setup_basic_trusts(ca_cert, int_cert);
+ await test_ca_distrust(ee_cert, ca_cert, true);
+
+ setup_basic_trusts(ca_cert, int_cert);
+ await test_ca_distrust(ee_cert, int_cert, false);
+
+ // Reset trust to default ("inherit trust")
+ setCertTrust(ca_cert, ",,");
+ setCertTrust(int_cert, ",,");
+
+ // End-entities can be trust anchors for interoperability with users who
+ // prefer not to build a hierarchy and instead directly trust a particular
+ // server certificate.
+ setCertTrust(ee_cert, "CTu,CTu,CTu");
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLClient
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailSigner
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageEmailRecipient
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ca.pem b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem
new file mode 100644
index 0000000000..8131655251
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUZUAG1XrIsypGQCcYFFUTqaoZw5MwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD
+VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQA+F3G6RbYWkt2VtLqA43GkRvQg
+PZGNxGlXGWazQRKDLXMFtbT9FG2l7nRQPPKhoaeKd+36zBPxgwJaC1+N5e9nxAm/
+YUY4ipA7RAaUf0l6hCyCNnbtd6o6E6hnU4ucX7GvgGQQEdXHPIpzF3AfVZviHVpl
+5u02rYNB6wGC9/vSsNKhpGYaIOB2yFzbXhwH4YqC2VwfpukNuSQ7oywFbH2IIj/5
+ik3Mp8uwL1qQ7XcF9se5rtNYcWzNe0aMKS7s/vRn1QeYp5Jsq6kEn0/aNvEmDskR
+GAGbbQ/4CQqKH2vqKQRq8KbDlzsxmfEF8cDZzvXZHWtQmGGURy/4ZAytgXFT
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec
new file mode 100644
index 0000000000..d809dbd635
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ee.pem b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem
new file mode 100644
index 0000000000..26d9c4bb0c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4jCCAcqgAwIBAgIUBTLnMBdk7nC9ESAE2f+8kxwS7wwwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjIxMTI3MDAwMDAwWhgPMjAyNTAyMDQw
+MDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozUwMzAxBgNVHSUEKjAoBggrBgEF
+BQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMEBggrBgEFBQcDAzANBgkqhkiG9w0BAQsF
+AAOCAQEAHWVweJbi7RcBDHJ5c+M9O4LfBbY5F7yUfj426fFutBIYT7gkdZBOLLBA
+FXbXMq9OJr//iiU7KdPAk5jeDCKJacP1tDi8vEBG51lt6LDfTYRPn9ncPqlwspIM
+xa/Z8yBFfLgwy3NwkuyxLwWsYCNBkTPbumJXYvnyLju+cGLMmToV24qkMLYNg6m9
+316aao5kx9Oo29qmbnUDK1VUjc6ko64ilPH5RxW4HAjhTYN9unY13F+x1i8rrAA4
+29BXxG31UVZA4Jv9KE/Ck2CMAQteuSTq1tgJaklGCwhDg7ARa4lPIANN8v/yiKbJ
+ag0EYzra8S1FUoXKsaH/B1falyDt7g==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec
new file mode 100644
index 0000000000..9666c18062
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:ee
+extension:extKeyUsage:serverAuth,clientAuth,emailProtection,codeSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/int.pem b/security/manager/ssl/tests/unit/test_cert_trust/int.pem
new file mode 100644
index 0000000000..b31a9cda93
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/int.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyjCCAbKgAwIBAgIUe2LIDV1Nhfro/wXnL4PUQK5N24QwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMjExMjcwMDAwMDBaGA8yMDI1MDIwNDAw
+MDAwMFowDjEMMAoGA1UEAwwDaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsG
+A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAjQy0NtsF3aykS9j0nzTjuaXO
+H3lWVMJJBYNZw0YcFUIfTFpkAdwLyvWrw9vpNBURseXog/pFe+Wo1vh7LtESg8Kc
+WFnE7LWeZSzOLgUTRPuHU45ehkaJpAOXaBUo/RNNYykE44EVIXvNCUuPe06SfSnD
+fSHNDdrg0jv4V+Xjoq+8+yhBNmjNNylBMfZmj7NiN8ZKka+AovStBoxuvSD6Oef3
+ENuMtUH10KETCkUf/u04RMU8sTZP65zg2xQ3hcvDAoJvIwwaq/TtcghO0AcD6RbN
+yoHIgJe2TiWRltAPOTzm/2OmUGOHin1p4DCA7usZRpU/iRqr06ZZFzBtj+0v4A==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec b/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec
new file mode 100644
index 0000000000..a7f6d81419
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-04 05:32:08 +0000