// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

"use strict";

do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
  Ci.nsIX509CertDB
);

function load_cert(cert_name, trust_string) {
  let cert_filename = cert_name + ".pem";
  return addCertFromFile(
    certdb,
    "test_cert_trust/" + cert_filename,
    trust_string
  );
}

function setup_basic_trusts(ca_cert, int_cert) {
  certdb.setCertTrust(
    ca_cert,
    Ci.nsIX509Cert.CA_CERT,
    Ci.nsIX509CertDB.TRUSTED_SSL | Ci.nsIX509CertDB.TRUSTED_EMAIL
  );

  certdb.setCertTrust(int_cert, Ci.nsIX509Cert.CA_CERT, 0);
}

async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
  // On reset most usages are successful
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    PRErrorCodeSuccess,
    certificateUsageSSLServer
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    PRErrorCodeSuccess,
    certificateUsageSSLClient
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    SEC_ERROR_CA_CERT_INVALID,
    certificateUsageSSLCA
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    PRErrorCodeSuccess,
    certificateUsageEmailSigner
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    PRErrorCodeSuccess,
    certificateUsageEmailRecipient
  );

  // Test of active distrust. No usage should pass.
  setCertTrust(cert_to_modify_trust, "p,p,p");
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    SEC_ERROR_UNTRUSTED_ISSUER,
    certificateUsageSSLServer
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    SEC_ERROR_UNTRUSTED_ISSUER,
    certificateUsageSSLClient
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    SEC_ERROR_CA_CERT_INVALID,
    certificateUsageSSLCA
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    SEC_ERROR_UNTRUSTED_ISSUER,
    certificateUsageEmailSigner
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    SEC_ERROR_UNTRUSTED_ISSUER,
    certificateUsageEmailRecipient
  );

  // Trust set to T  -  trusted CA to issue client certs, where client cert is
  // usageSSLClient.
  setCertTrust(cert_to_modify_trust, "T,T,T");
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
    certificateUsageSSLServer
  );

  // XXX(Bug 982340)
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
    certificateUsageSSLClient
  );

  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    SEC_ERROR_CA_CERT_INVALID,
    certificateUsageSSLCA
  );

  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
    certificateUsageEmailSigner
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
    certificateUsageEmailRecipient
  );

  // Now tests on the SSL trust bit
  setCertTrust(cert_to_modify_trust, "p,C,C");
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    SEC_ERROR_UNTRUSTED_ISSUER,
    certificateUsageSSLServer
  );

  // XXX(Bug 982340)
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    PRErrorCodeSuccess,
    certificateUsageSSLClient
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    SEC_ERROR_CA_CERT_INVALID,
    certificateUsageSSLCA
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    PRErrorCodeSuccess,
    certificateUsageEmailSigner
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    PRErrorCodeSuccess,
    certificateUsageEmailRecipient
  );

  // Inherited trust SSL
  setCertTrust(cert_to_modify_trust, ",C,C");
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
    certificateUsageSSLServer
  );
  // XXX(Bug 982340)
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    PRErrorCodeSuccess,
    certificateUsageSSLClient
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    SEC_ERROR_CA_CERT_INVALID,
    certificateUsageSSLCA
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    PRErrorCodeSuccess,
    certificateUsageEmailSigner
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    PRErrorCodeSuccess,
    certificateUsageEmailRecipient
  );

  // Now tests on the EMAIL trust bit
  setCertTrust(cert_to_modify_trust, "C,p,C");
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    PRErrorCodeSuccess,
    certificateUsageSSLServer
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    SEC_ERROR_UNTRUSTED_ISSUER,
    certificateUsageSSLClient
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    SEC_ERROR_CA_CERT_INVALID,
    certificateUsageSSLCA
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    SEC_ERROR_UNTRUSTED_ISSUER,
    certificateUsageEmailSigner
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    SEC_ERROR_UNTRUSTED_ISSUER,
    certificateUsageEmailRecipient
  );

  // inherited EMAIL Trust
  setCertTrust(cert_to_modify_trust, "C,,C");
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    PRErrorCodeSuccess,
    certificateUsageSSLServer
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
    certificateUsageSSLClient
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    SEC_ERROR_CA_CERT_INVALID,
    certificateUsageSSLCA
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
    certificateUsageEmailSigner
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
    certificateUsageEmailRecipient
  );
}

add_task(async function () {
  let certList = ["ca", "int", "ee"];
  let loadedCerts = [];
  for (let certName of certList) {
    loadedCerts.push(load_cert(certName, ",,"));
  }

  let ca_cert = loadedCerts[0];
  notEqual(ca_cert, null, "CA cert should have successfully loaded");
  let int_cert = loadedCerts[1];
  notEqual(int_cert, null, "Intermediate cert should have successfully loaded");
  let ee_cert = loadedCerts[2];
  notEqual(ee_cert, null, "EE cert should have successfully loaded");

  setup_basic_trusts(ca_cert, int_cert);
  await test_ca_distrust(ee_cert, ca_cert, true);

  setup_basic_trusts(ca_cert, int_cert);
  await test_ca_distrust(ee_cert, int_cert, false);

  // Reset trust to default ("inherit trust")
  setCertTrust(ca_cert, ",,");
  setCertTrust(int_cert, ",,");

  // End-entities can be trust anchors for interoperability with users who
  // prefer not to build a hierarchy and instead directly trust a particular
  // server certificate.
  setCertTrust(ee_cert, "CTu,CTu,CTu");
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    PRErrorCodeSuccess,
    certificateUsageSSLServer
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    PRErrorCodeSuccess,
    certificateUsageSSLClient
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    PRErrorCodeSuccess,
    certificateUsageEmailSigner
  );
  await checkCertErrorGeneric(
    certdb,
    ee_cert,
    PRErrorCodeSuccess,
    certificateUsageEmailRecipient
  );
});