From 43a97878ce14b72f0981164f87f2e35e14151312 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 7 Apr 2024 11:22:09 +0200
Subject: Adding upstream version 110.0.1.
Signed-off-by: Daniel Baumann --- security/manager/android_stub.h | 31 + .../en-US/chrome/pipnss/nsserrors.properties | 331 + .../locales/en-US/chrome/pipnss/pipnss.properties | 123 + .../locales/en-US/chrome/pippki/pippki.properties | 75 + .../en-US/security/certificates/certManager.ftl | 228 + .../en-US/security/certificates/deviceManager.ftl | 132 + .../locales/en-US/security/pippki/pippki.ftl | 79 + security/manager/locales/jar.mn | 14 + security/manager/locales/moz.build | 7 + security/manager/moz.build | 13 + security/manager/pki/components.conf | 21 + security/manager/pki/moz.build | 36 + security/manager/pki/nsIASN1Tree.idl | 24 + security/manager/pki/nsNSSDialogHelper.cpp | 44 + security/manager/pki/nsNSSDialogHelper.h | 39 + security/manager/pki/nsNSSDialogs.cpp | 313 + security/manager/pki/nsNSSDialogs.h | 40 + .../manager/pki/resources/content/certManager.css | 31 + .../manager/pki/resources/content/certManager.js | 824 + .../pki/resources/content/certManager.xhtml | 225 + .../pki/resources/content/changepassword.js | 212 + .../pki/resources/content/changepassword.xhtml | 65 + .../manager/pki/resources/content/clientauthask.js | 200 + .../pki/resources/content/clientauthask.xhtml | 47 + .../manager/pki/resources/content/deletecert.js | 121 + .../manager/pki/resources/content/deletecert.xhtml | 31 + .../pki/resources/content/device_manager.js | 433 + .../pki/resources/content/device_manager.xhtml | 70 + .../manager/pki/resources/content/downloadcert.js | 83 + .../pki/resources/content/downloadcert.xhtml | 61 + .../manager/pki/resources/content/editcacert.js | 55 + .../manager/pki/resources/content/editcacert.xhtml | 36 + .../pki/resources/content/exceptionDialog.css | 38 + .../pki/resources/content/exceptionDialog.js | 334 + .../pki/resources/content/exceptionDialog.xhtml | 88 + .../manager/pki/resources/content/load_device.js | 75 + .../pki/resources/content/load_device.xhtml | 53 + security/manager/pki/resources/content/pippki.js | 301 + 
.../manager/pki/resources/content/resetpassword.js | 28 + .../pki/resources/content/resetpassword.xhtml | 41 + .../pki/resources/content/setp12password.js | 127 + .../pki/resources/content/setp12password.xhtml | 48 + security/manager/pki/resources/jar.mn | 31 + security/manager/pki/resources/moz.build | 7 + security/manager/ssl/AppSignatureVerification.cpp | 1410 + security/manager/ssl/AppTrustDomain.cpp | 313 + security/manager/ssl/AppTrustDomain.h | 94 + .../manager/ssl/CertStorageMemoryReporting.cpp | 17 + security/manager/ssl/CommonSocketControl.cpp | 520 + security/manager/ssl/CommonSocketControl.h | 191 + security/manager/ssl/ContentSignatureVerifier.cpp | 452 + security/manager/ssl/ContentSignatureVerifier.h | 32 + security/manager/ssl/CredentialManagerSecret.cpp | 114 + security/manager/ssl/CredentialManagerSecret.h | 28 + security/manager/ssl/CryptoTask.cpp | 43 + security/manager/ssl/CryptoTask.h | 52 + security/manager/ssl/DER.jsm | 336 + security/manager/ssl/DataStorage.cpp | 842 + security/manager/ssl/DataStorage.h | 223 + security/manager/ssl/DataStorageIPCUtils.h | 21 + security/manager/ssl/DataStorageList.h | 18 + security/manager/ssl/EnterpriseRoots.cpp | 373 + security/manager/ssl/EnterpriseRoots.h | 35 + security/manager/ssl/IPCClientCertsChild.cpp | 17 + security/manager/ssl/IPCClientCertsChild.h | 36 + security/manager/ssl/IPCClientCertsParent.cpp | 114 + security/manager/ssl/IPCClientCertsParent.h | 40 + security/manager/ssl/KeychainSecret.cpp | 186 + security/manager/ssl/KeychainSecret.h | 49 + security/manager/ssl/LibSecret.cpp | 383 + security/manager/ssl/LibSecret.h | 31 + security/manager/ssl/NSSErrorsService.cpp | 212 + security/manager/ssl/NSSErrorsService.h | 56 + security/manager/ssl/NSSKeyStore.cpp | 225 + security/manager/ssl/NSSKeyStore.h | 36 + security/manager/ssl/NSSSocketControl.cpp | 680 + security/manager/ssl/NSSSocketControl.h | 295 + security/manager/ssl/OSKeyStore.cpp | 726 + security/manager/ssl/OSKeyStore.h | 105 + 
security/manager/ssl/OSReauthenticator.cpp | 568 + security/manager/ssl/OSReauthenticator.h | 36 + security/manager/ssl/OSReauthenticatorDarwin.mm | 60 + security/manager/ssl/PIPCClientCerts.ipdl | 35 + security/manager/ssl/PKCS11ModuleDB.cpp | 184 + security/manager/ssl/PKCS11ModuleDB.h | 35 + security/manager/ssl/PSMIPCTypes.ipdlh | 51 + security/manager/ssl/PSMRunnable.cpp | 42 + security/manager/ssl/PSMRunnable.h | 48 + security/manager/ssl/PSelectTLSClientAuthCert.ipdl | 26 + security/manager/ssl/PVerifySSLServerCert.ipdl | 31 + security/manager/ssl/PublicKeyPinningService.cpp | 393 + security/manager/ssl/PublicKeyPinningService.h | 54 + security/manager/ssl/PublicSSL.h | 24 + security/manager/ssl/RemoteSecuritySettings.jsm | 719 + .../manager/ssl/RootCertificateTelemetryUtils.cpp | 139 + .../manager/ssl/RootCertificateTelemetryUtils.h | 37 + security/manager/ssl/RootHashes.inc | 1501 + security/manager/ssl/SSLServerCertVerification.cpp | 1130 + security/manager/ssl/SSLServerCertVerification.h | 161 + security/manager/ssl/ScopedNSSTypes.h | 464 + security/manager/ssl/SecretDecoderRing.cpp | 343 + security/manager/ssl/SecretDecoderRing.h | 37 + .../manager/ssl/SelectTLSClientAuthCertChild.h | 42 + .../manager/ssl/SelectTLSClientAuthCertParent.h | 52 + security/manager/ssl/SharedCertVerifier.h | 38 + security/manager/ssl/SharedSSLState.cpp | 190 + security/manager/ssl/SharedSSLState.h | 74 + security/manager/ssl/StaticHPKPins.errors | 33 + security/manager/ssl/StaticHPKPins.h | 1098 + .../manager/ssl/TLSClientAuthCertSelection.cpp | 945 + security/manager/ssl/TLSClientAuthCertSelection.h | 54 + security/manager/ssl/TransportSecurityInfo.cpp | 1128 + security/manager/ssl/TransportSecurityInfo.h | 107 + security/manager/ssl/VerifySSLServerCertChild.cpp | 121 + security/manager/ssl/VerifySSLServerCertChild.h | 62 + security/manager/ssl/VerifySSLServerCertParent.cpp | 183 + security/manager/ssl/VerifySSLServerCertParent.h | 60 + security/manager/ssl/X509.jsm | 644 + 
security/manager/ssl/X509CertValidity.cpp | 96 + security/manager/ssl/X509CertValidity.h | 31 + .../manager/ssl/addons-public-intermediate.crt | Bin 0 -> 1841 bytes security/manager/ssl/addons-public.crt | Bin 0 -> 1637 bytes security/manager/ssl/addons-stage.crt | Bin 0 -> 1895 bytes security/manager/ssl/builtins/Cargo.toml | 17 + security/manager/ssl/builtins/build.rs | 495 + .../ssl/builtins/dynamic-library/builtins.symbols | 1 + .../manager/ssl/builtins/dynamic-library/moz.build | 37 + .../manager/ssl/builtins/dynamic-library/stub.c | 27 + .../manager/ssl/builtins/dynamic-library/stub.cpp | 17 + security/manager/ssl/builtins/moz.build | 9 + security/manager/ssl/builtins/src/certdata.rs | 43 + security/manager/ssl/builtins/src/internal.rs | 344 + security/manager/ssl/builtins/src/lib.rs | 9 + security/manager/ssl/builtins/src/pkcs11.rs | 1227 + security/manager/ssl/builtins/src/version.rs | 6 + security/manager/ssl/cert_storage/Cargo.toml | 24 + .../manager/ssl/cert_storage/src/cert_storage.h | 24 + security/manager/ssl/cert_storage/src/lib.rs | 1806 + security/manager/ssl/components.conf | 143 + security/manager/ssl/content-signature-local.crt | Bin 0 -> 558 bytes security/manager/ssl/content-signature-prod.crt | Bin 0 -> 1637 bytes security/manager/ssl/content-signature-stage.crt | Bin 0 -> 1904 bytes security/manager/ssl/crashtests/398665-1.html | 1 + security/manager/ssl/crashtests/crashtests.list | 1 + security/manager/ssl/gen_cert_header.py | 46 + security/manager/ssl/ipcclientcerts/Cargo.toml | 15 + .../dynamic-library/ipcclientcerts.symbols | 1 + .../ssl/ipcclientcerts/dynamic-library/moz.build | 39 + .../ssl/ipcclientcerts/dynamic-library/stub.c | 43 + .../ssl/ipcclientcerts/dynamic-library/stub.cpp | 29 + security/manager/ssl/ipcclientcerts/moz.build | 9 + security/manager/ssl/ipcclientcerts/src/backend.rs | 373 + security/manager/ssl/ipcclientcerts/src/lib.rs | 1047 + security/manager/ssl/md4.c | 179 + security/manager/ssl/md4.h | 38 + 
security/manager/ssl/moz.build | 285 + security/manager/ssl/nsCertOverrideService.cpp | 796 + security/manager/ssl/nsCertOverrideService.h | 154 + security/manager/ssl/nsCertTree.cpp | 843 + security/manager/ssl/nsCertTree.h | 131 + security/manager/ssl/nsClientAuthRemember.cpp | 351 + security/manager/ssl/nsClientAuthRemember.h | 91 + security/manager/ssl/nsCryptoHash.cpp | 213 + security/manager/ssl/nsCryptoHash.h | 38 + security/manager/ssl/nsICertOverrideService.idl | 149 + security/manager/ssl/nsICertStorage.idl | 265 + security/manager/ssl/nsICertTree.idl | 39 + security/manager/ssl/nsICertificateDialogs.idl | 68 + security/manager/ssl/nsIClientAuthDialogs.idl | 41 + .../manager/ssl/nsIClientAuthRememberService.idl | 74 + .../manager/ssl/nsIContentSignatureVerifier.idl | 49 + security/manager/ssl/nsICryptoHash.idl | 113 + security/manager/ssl/nsINSSComponent.idl | 115 + security/manager/ssl/nsINSSErrorsService.idl | 72 + security/manager/ssl/nsINSSVersion.idl | 37 + security/manager/ssl/nsIOSKeyStore.idl | 144 + security/manager/ssl/nsIOSReauthenticator.idl | 45 + security/manager/ssl/nsIPK11Token.idl | 81 + security/manager/ssl/nsIPK11TokenDB.idl | 31 + security/manager/ssl/nsIPKCS11Module.idl | 21 + security/manager/ssl/nsIPKCS11ModuleDB.idl | 40 + security/manager/ssl/nsIPKCS11Slot.idl | 52 + .../manager/ssl/nsIPublicKeyPinningService.idl | 22 + security/manager/ssl/nsISecretDecoderRing.idl | 77 + security/manager/ssl/nsISecurityUITelemetry.idl | 34 + security/manager/ssl/nsISiteSecurityService.idl | 171 + security/manager/ssl/nsITLSSocketControl.idl | 182 + security/manager/ssl/nsITokenPasswordDialogs.idl | 30 + security/manager/ssl/nsITransportSecurityInfo.idl | 137 + security/manager/ssl/nsIX509Cert.idl | 206 + security/manager/ssl/nsIX509CertDB.idl | 351 + security/manager/ssl/nsIX509CertValidity.idl | 25 + security/manager/ssl/nsNSSCallbacks.cpp | 1206 + security/manager/ssl/nsNSSCallbacks.h | 42 + security/manager/ssl/nsNSSCertHelper.cpp | 109 + 
security/manager/ssl/nsNSSCertHelper.h | 33 + security/manager/ssl/nsNSSCertTrust.cpp | 121 + security/manager/ssl/nsNSSCertTrust.h | 55 + security/manager/ssl/nsNSSCertificate.cpp | 708 + security/manager/ssl/nsNSSCertificate.h | 50 + security/manager/ssl/nsNSSCertificateDB.cpp | 1358 + security/manager/ssl/nsNSSCertificateDB.h | 71 + security/manager/ssl/nsNSSComponent.cpp | 2809 + security/manager/ssl/nsNSSComponent.h | 168 + security/manager/ssl/nsNSSHelper.h | 32 + security/manager/ssl/nsNSSIOLayer.cpp | 1740 + security/manager/ssl/nsNSSIOLayer.h | 134 + security/manager/ssl/nsNSSModule.cpp | 109 + security/manager/ssl/nsNSSModule.h | 21 + security/manager/ssl/nsNSSVersion.cpp | 78 + security/manager/ssl/nsNSSVersion.h | 30 + security/manager/ssl/nsNTLMAuthModule.cpp | 1039 + security/manager/ssl/nsNTLMAuthModule.h | 33 + security/manager/ssl/nsPK11TokenDB.cpp | 286 + security/manager/ssl/nsPK11TokenDB.h | 67 + security/manager/ssl/nsPKCS11Slot.cpp | 276 + security/manager/ssl/nsPKCS11Slot.h | 58 + security/manager/ssl/nsPKCS12Blob.cpp | 356 + security/manager/ssl/nsPKCS12Blob.h | 54 + security/manager/ssl/nsRandomGenerator.cpp | 36 + security/manager/ssl/nsRandomGenerator.h | 29 + security/manager/ssl/nsSSLSocketProvider.cpp | 46 + security/manager/ssl/nsSSLSocketProvider.h | 32 + security/manager/ssl/nsSTSPreloadList.inc | 151910 ++++++++++++++++++ security/manager/ssl/nsSecureBrowserUI.cpp | 162 + security/manager/ssl/nsSecureBrowserUI.h | 53 + security/manager/ssl/nsSecurityHeaderParser.cpp | 206 + security/manager/ssl/nsSecurityHeaderParser.h | 78 + security/manager/ssl/nsSiteSecurityService.cpp | 845 + security/manager/ssl/nsSiteSecurityService.h | 150 + security/manager/ssl/nsTLSSocketProvider.cpp | 47 + security/manager/ssl/nsTLSSocketProvider.h | 31 + security/manager/ssl/nsVerificationJob.h | 48 + security/manager/ssl/osclientcerts/Cargo.toml | 31 + .../ssl/osclientcerts/dynamic-library/moz.build | 32 + .../dynamic-library/osclientcerts.symbols | 1 + 
.../ssl/osclientcerts/dynamic-library/stub.cpp | 8 + security/manager/ssl/osclientcerts/moz.build | 9 + .../manager/ssl/osclientcerts/src/backend_macos.rs | 849 + .../ssl/osclientcerts/src/backend_windows.rs | 914 + .../ssl/osclientcerts/src/bindings_macos.rs | 79 + security/manager/ssl/osclientcerts/src/lib.rs | 1218 + .../manager/ssl/osclientcerts/test/certificate.bin | Bin 0 -> 909 bytes .../manager/ssl/osclientcerts/test/modulus.bin | 2 + security/manager/ssl/osclientcerts/test/rsa.bin | Bin 0 -> 270 bytes security/manager/ssl/rsclientcerts/Cargo.toml | 10 + security/manager/ssl/rsclientcerts/src/error.rs | 103 + security/manager/ssl/rsclientcerts/src/lib.rs | 11 + security/manager/ssl/rsclientcerts/src/manager.rs | 671 + security/manager/ssl/rsclientcerts/src/util.rs | 540 + .../manager/ssl/rsclientcerts/test/certificate.bin | Bin 0 -> 909 bytes .../manager/ssl/rsclientcerts/test/modulus.bin | 2 + security/manager/ssl/rsclientcerts/test/rsa.bin | Bin 0 -> 270 bytes security/manager/ssl/tests/.eslintrc.js | 8 + security/manager/ssl/tests/gtest/CertDBTest.cpp | 52 + security/manager/ssl/tests/gtest/CoseTest.cpp | 756 + .../manager/ssl/tests/gtest/DataStorageTest.cpp | 201 + .../ssl/tests/gtest/DeserializeCertTest.cpp | 507 + security/manager/ssl/tests/gtest/HMACTest.cpp | 64 + security/manager/ssl/tests/gtest/MD4Test.cpp | 62 + security/manager/ssl/tests/gtest/OCSPCacheTest.cpp | 357 + security/manager/ssl/tests/gtest/README.txt | 2 + .../manager/ssl/tests/gtest/TLSIntoleranceTest.cpp | 383 + security/manager/ssl/tests/gtest/moz.build | 26 + .../ssl/tests/mochitest/browser/browser.ini | 37 + .../ssl/tests/mochitest/browser/browser_HSTS.js | 277 + .../browser/browser_add_exception_dialog.js | 69 + .../browser/browser_bug627234_perwindowpb.js | 91 + .../tests/mochitest/browser/browser_certViewer.js | 107 + .../browser/browser_certificateManager.js | 144 + .../browser/browser_clientAuthRememberService.js | 297 + .../browser/browser_clientAuth_connection.js | 340 + 
.../mochitest/browser/browser_clientAuth_ui.js | 199 + .../mochitest/browser/browser_deleteCert_ui.js | 259 + .../mochitest/browser/browser_downloadCert_ui.js | 134 + .../mochitest/browser/browser_editCACertTrust.js | 141 + .../browser/browser_exportP12_passwordUI.js | 164 + .../browser/browser_loadPKCS11Module_ui.js | 312 + .../manager/ssl/tests/mochitest/browser/ca.pem | 17 + .../ssl/tests/mochitest/browser/ca.pem.certspec | 4 + .../browser/client-cert-via-intermediate.pem | 19 + .../client-cert-via-intermediate.pem.certspec | 3 + .../browser/client-cert-with-ocsp-signing.pem | 20 + .../client-cert-with-ocsp-signing.pem.certspec | 3 + .../ssl/tests/mochitest/browser/code-ee.pem | 17 + .../tests/mochitest/browser/code-ee.pem.certspec | 3 + .../tests/mochitest/browser/ee-from-expired-ca.pem | 17 + .../browser/ee-from-expired-ca.pem.certspec | 2 + .../mochitest/browser/ee-from-untrusted-ca.pem | 17 + .../browser/ee-from-untrusted-ca.pem.certspec | 2 + .../ssl/tests/mochitest/browser/email-ee.pem | 17 + .../tests/mochitest/browser/email-ee.pem.certspec | 3 + .../ssl/tests/mochitest/browser/expired-ca.pem | 18 + .../mochitest/browser/expired-ca.pem.certspec | 5 + .../manager/ssl/tests/mochitest/browser/has-cn.pem | 18 + .../tests/mochitest/browser/has-cn.pem.certspec | 2 + .../tests/mochitest/browser/has-empty-subject.pem | 16 + .../browser/has-empty-subject.pem.certspec | 3 + .../mochitest/browser/has-non-empty-subject.pem | 17 + .../browser/has-non-empty-subject.pem.certspec | 2 + .../manager/ssl/tests/mochitest/browser/has-o.pem | 17 + .../ssl/tests/mochitest/browser/has-o.pem.certspec | 2 + .../manager/ssl/tests/mochitest/browser/has-ou.pem | 17 + .../tests/mochitest/browser/has-ou.pem.certspec | 2 + .../manager/ssl/tests/mochitest/browser/head.js | 82 + .../ssl/tests/mochitest/browser/hsts_headers.sjs | 16 + .../mochitest/browser/hsts_headers_framed.html | 22 + .../ssl/tests/mochitest/browser/intermediate.pem | 20 + .../mochitest/browser/intermediate.pem.certspec 
| 4 + .../ssl/tests/mochitest/browser/invalid.pem | 17 + .../tests/mochitest/browser/invalid.pem.certspec | 3 + .../ssl/tests/mochitest/browser/longOID.pem | 25 + .../tests/mochitest/browser/longOID.pem.certspec | 4 + .../manager/ssl/tests/mochitest/browser/md5-ee.pem | 17 + .../tests/mochitest/browser/md5-ee.pem.certspec | 3 + .../manager/ssl/tests/mochitest/browser/moz.build | 7 + .../tests/mochitest/browser/pgo-ca-all-usages.pem | 21 + .../browser/pgo-ca-all-usages.pem.certspec | 4 + .../mochitest/browser/pgo-ca-regular-usages.pem | 21 + .../browser/pgo-ca-regular-usages.pem.certspec | 4 + .../ssl/tests/mochitest/browser/revoked.pem | 17 + .../tests/mochitest/browser/revoked.pem.certspec | 2 + .../ssl/tests/mochitest/browser/some_content.html | 6 + .../mochitest/browser/some_content_framed.html | 14 + .../manager/ssl/tests/mochitest/browser/ssl-ee.pem | 18 + .../tests/mochitest/browser/ssl-ee.pem.certspec | 3 + .../ssl/tests/mochitest/browser/unknown-issuer.pem | 17 + .../mochitest/browser/unknown-issuer.pem.certspec | 2 + .../ssl/tests/mochitest/browser/untrusted-ca.pem | 18 + .../mochitest/browser/untrusted-ca.pem.certspec | 4 + .../tests/mochitest/mixedcontent/alloworigin.sjs | 7 + .../ssl/tests/mochitest/mixedcontent/backward.html | 18 + .../ssl/tests/mochitest/mixedcontent/bug329869.js | 11 + .../mochitest/mixedcontent/bug383369step2.html | 28 + .../mochitest/mixedcontent/bug383369step3.html | 29 + .../ssl/tests/mochitest/mixedcontent/download.auto | 1 + .../mochitest/mixedcontent/download.auto^headers^ | 2 + .../tests/mochitest/mixedcontent/emptyimage.sjs | 6 + .../ssl/tests/mochitest/mixedcontent/hugebmp.sjs | 17 + .../ssl/tests/mochitest/mixedcontent/iframe.html | 14 + .../ssl/tests/mochitest/mixedcontent/iframe2.html | 15 + .../mochitest/mixedcontent/iframeMetaRedirect.html | 8 + .../mochitest/mixedcontent/iframesecredirect.sjs | 9 + .../mochitest/mixedcontent/iframeunsecredirect.sjs | 9 + .../mochitest/mixedcontent/imgsecredirect.sjs | 9 + 
.../mochitest/mixedcontent/imgunsecredirect.sjs | 9 + .../mochitest/mixedcontent/mixedContentTest.js | 211 + .../ssl/tests/mochitest/mixedcontent/mochitest.ini | 65 + .../tests/mochitest/mixedcontent/moonsurface.jpg | Bin 0 -> 52159 bytes .../ssl/tests/mochitest/mixedcontent/moz.build | 7 + .../ssl/tests/mochitest/mixedcontent/nocontent.sjs | 5 + .../mixedcontent/redirecttoemptyimage.sjs | 9 + .../ssl/tests/mochitest/mixedcontent/somestyle.css | 4 + .../mochitest/mixedcontent/test_bug329869.html | 36 + .../mochitest/mixedcontent/test_bug383369.html | 89 + .../mochitest/mixedcontent/test_bug455367.html | 37 + .../mochitest/mixedcontent/test_bug472986.html | 46 + .../mochitest/mixedcontent/test_bug477118.html | 34 + .../mochitest/mixedcontent/test_bug521461.html | 39 + .../mochitest/mixedcontent/test_cssBefore1.html | 42 + .../mochitest/mixedcontent/test_cssContent1.html | 41 + .../mochitest/mixedcontent/test_cssContent2.html | 46 + .../mixedcontent/test_documentWrite1.html | 38 + .../mixedcontent/test_documentWrite2.html | 40 + .../test_dynDelayedUnsecurePicture.html | 47 + .../mixedcontent/test_dynDelayedUnsecureXHR.html | 48 + .../mixedcontent/test_dynUnsecureBackground.html | 44 + .../test_dynUnsecureIframeRedirect.html | 44 + .../mixedcontent/test_dynUnsecurePicture.html | 46 + .../test_dynUnsecurePicturePreload.html | 36 + .../mixedcontent/test_dynUnsecureRedirect.html | 39 + .../test_innerHtmlDelayedUnsecurePicture.html | 42 + .../test_innerHtmlUnsecurePicture.html | 40 + .../mixedcontent/test_javascriptPicture.html | 34 + .../mochitest/mixedcontent/test_secureAll.html | 42 + .../mochitest/mixedcontent/test_securePicture.html | 36 + .../mixedcontent/test_unsecureBackground.html | 35 + .../mochitest/mixedcontent/test_unsecureCSS.html | 38 + .../mixedcontent/test_unsecureIframe.html | 36 + .../mixedcontent/test_unsecureIframe2.html | 36 + .../test_unsecureIframeMetaRedirect.html | 36 + .../mixedcontent/test_unsecureIframeRedirect.html | 36 + 
.../mixedcontent/test_unsecurePicture.html | 34 + .../mixedcontent/test_unsecurePictureDup.html | 20 + .../mixedcontent/test_unsecurePictureInIframe.html | 36 + .../mixedcontent/test_unsecureRedirect.html | 36 + .../mochitest/mixedcontent/unsecureIframe.html | 9 + .../mochitest/mixedcontent/unsecurePictureDup.html | 34 + security/manager/ssl/tests/mochitest/moz.build | 10 + security/manager/ssl/tests/moz.build | 17 + .../tests/unit/bad_certs/badSubjectAltNames.pem | 18 + .../unit/bad_certs/badSubjectAltNames.pem.certspec | 3 + .../ssl/tests/unit/bad_certs/beforeEpoch.pem | 19 + .../tests/unit/bad_certs/beforeEpoch.pem.certspec | 5 + .../ssl/tests/unit/bad_certs/beforeEpochINT.pem | 18 + .../unit/bad_certs/beforeEpochINT.pem.certspec | 5 + .../ssl/tests/unit/bad_certs/beforeEpochIssuer.pem | 20 + .../unit/bad_certs/beforeEpochIssuer.pem.certspec | 4 + .../tests/unit/bad_certs/beforeEpochSelfSigned.pem | 20 + .../bad_certs/beforeEpochSelfSigned.pem.certspec | 4 + .../tests/unit/bad_certs/ca-used-as-end-entity.pem | 20 + .../bad_certs/ca-used-as-end-entity.pem.certspec | 5 + .../ssl/tests/unit/bad_certs/default-ee.key | 28 + .../tests/unit/bad_certs/default-ee.key.keyspec | 1 + .../ssl/tests/unit/bad_certs/default-ee.pem | 21 + .../tests/unit/bad_certs/default-ee.pem.certspec | 4 + .../bad_certs/ee-from-missing-intermediate.pem | 19 + .../ee-from-missing-intermediate.pem.certspec | 3 + .../unit/bad_certs/ee-imminently-distrusted.pem | 20 + .../ee-imminently-distrusted.pem.certspec | 4 + .../ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem | 19 + .../unit/bad_certs/eeIssuedByNonCA.pem.certspec | 4 + .../ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem | 18 + .../unit/bad_certs/eeIssuedByV1Cert.pem.certspec | 3 + .../ssl/tests/unit/bad_certs/emptyIssuerName.pem | 18 + .../unit/bad_certs/emptyIssuerName.pem.certspec | 3 + .../ssl/tests/unit/bad_certs/emptyNameCA.pem | 17 + .../tests/unit/bad_certs/emptyNameCA.pem.certspec | 4 + .../tests/unit/bad_certs/ev-test-intermediate.pem 
| 20 + .../bad_certs/ev-test-intermediate.pem.certspec | 7 + .../manager/ssl/tests/unit/bad_certs/ev-test.pem | 20 + .../ssl/tests/unit/bad_certs/ev-test.pem.certspec | 5 + .../manager/ssl/tests/unit/bad_certs/evroot.key | 28 + .../ssl/tests/unit/bad_certs/evroot.key.keyspec | 1 + .../manager/ssl/tests/unit/bad_certs/evroot.pem | 18 + .../ssl/tests/unit/bad_certs/evroot.pem.certspec | 7 + .../ssl/tests/unit/bad_certs/expired-ee.pem | 19 + .../tests/unit/bad_certs/expired-ee.pem.certspec | 5 + .../ssl/tests/unit/bad_certs/expiredINT.pem | 18 + .../tests/unit/bad_certs/expiredINT.pem.certspec | 5 + .../ssl/tests/unit/bad_certs/expiredissuer.pem | 20 + .../unit/bad_certs/expiredissuer.pem.certspec | 4 + .../ssl/tests/unit/bad_certs/idn-certificate.pem | 19 + .../unit/bad_certs/idn-certificate.pem.certspec | 3 + .../tests/unit/bad_certs/inadequateKeySizeEE.key | 16 + .../unit/bad_certs/inadequateKeySizeEE.key.keyspec | 1 + .../tests/unit/bad_certs/inadequateKeySizeEE.pem | 17 + .../bad_certs/inadequateKeySizeEE.pem.certspec | 5 + .../tests/unit/bad_certs/inadequatekeyusage-ee.pem | 20 + .../bad_certs/inadequatekeyusage-ee.pem.certspec | 5 + .../unit/bad_certs/ipAddressAsDNSNameInSAN.pem | 18 + .../bad_certs/ipAddressAsDNSNameInSAN.pem.certspec | 3 + .../tests/unit/bad_certs/md5signature-expired.pem | 20 + .../bad_certs/md5signature-expired.pem.certspec | 6 + .../ssl/tests/unit/bad_certs/md5signature.pem | 19 + .../tests/unit/bad_certs/md5signature.pem.certspec | 5 + .../ssl/tests/unit/bad_certs/mismatch-expired.pem | 19 + .../unit/bad_certs/mismatch-expired.pem.certspec | 5 + .../tests/unit/bad_certs/mismatch-notYetValid.pem | 20 + .../bad_certs/mismatch-notYetValid.pem.certspec | 5 + .../unit/bad_certs/mismatch-untrusted-expired.pem | 20 + .../mismatch-untrusted-expired.pem.certspec | 5 + .../tests/unit/bad_certs/mismatch-untrusted.pem | 20 + .../unit/bad_certs/mismatch-untrusted.pem.certspec | 4 + .../manager/ssl/tests/unit/bad_certs/mismatch.pem | 20 + 
.../ssl/tests/unit/bad_certs/mismatch.pem.certspec | 4 + .../ssl/tests/unit/bad_certs/mismatchCN.pem | 17 + .../tests/unit/bad_certs/mismatchCN.pem.certspec | 2 + security/manager/ssl/tests/unit/bad_certs/mitm.pem | 18 + .../ssl/tests/unit/bad_certs/mitm.pem.certspec | 3 + .../ssl/tests/unit/bad_certs/noValidNames.pem | 19 + .../tests/unit/bad_certs/noValidNames.pem.certspec | 3 + .../ssl/tests/unit/bad_certs/notYetValid.pem | 19 + .../tests/unit/bad_certs/notYetValid.pem.certspec | 5 + .../ssl/tests/unit/bad_certs/notYetValidINT.pem | 18 + .../unit/bad_certs/notYetValidINT.pem.certspec | 5 + .../ssl/tests/unit/bad_certs/notYetValidIssuer.pem | 20 + .../unit/bad_certs/notYetValidIssuer.pem.certspec | 4 + .../tests/unit/bad_certs/nsCertTypeCritical.pem | 19 + .../unit/bad_certs/nsCertTypeCritical.pem.certspec | 4 + .../nsCertTypeCriticalWithExtKeyUsage.pem | 20 + .../nsCertTypeCriticalWithExtKeyUsage.pem.certspec | 6 + .../tests/unit/bad_certs/nsCertTypeNotCritical.pem | 19 + .../bad_certs/nsCertTypeNotCritical.pem.certspec | 4 + .../ssl/tests/unit/bad_certs/other-issuer-ee.pem | 21 + .../unit/bad_certs/other-issuer-ee.pem.certspec | 6 + .../ssl/tests/unit/bad_certs/other-test-ca.key | 28 + .../tests/unit/bad_certs/other-test-ca.key.keyspec | 1 + .../ssl/tests/unit/bad_certs/other-test-ca.pem | 18 + .../unit/bad_certs/other-test-ca.pem.certspec | 7 + .../unit/bad_certs/self-signed-EE-with-cA-true.pem | 21 + .../self-signed-EE-with-cA-true.pem.certspec | 5 + .../unit/bad_certs/selfsigned-inadequateEKU.pem | 21 + .../selfsigned-inadequateEKU.pem.certspec | 6 + .../ssl/tests/unit/bad_certs/selfsigned.pem | 20 + .../tests/unit/bad_certs/selfsigned.pem.certspec | 4 + .../manager/ssl/tests/unit/bad_certs/test-ca.pem | 18 + .../ssl/tests/unit/bad_certs/test-ca.pem.certspec | 4 + .../manager/ssl/tests/unit/bad_certs/test-int.pem | 18 + .../ssl/tests/unit/bad_certs/test-int.pem.certspec | 5 + .../ssl/tests/unit/bad_certs/unknownissuer.pem | 22 + 
.../unit/bad_certs/unknownissuer.pem.certspec | 4 + .../ssl/tests/unit/bad_certs/untrusted-expired.pem | 20 + .../unit/bad_certs/untrusted-expired.pem.certspec | 5 + .../ssl/tests/unit/bad_certs/untrustedissuer.pem | 20 + .../unit/bad_certs/untrustedissuer.pem.certspec | 4 + .../manager/ssl/tests/unit/bad_certs/v1Cert.pem | 17 + .../ssl/tests/unit/bad_certs/v1Cert.pem.certspec | 3 + .../ssl/tests/unit/corrupted_crlite_helper.js | 103 + .../manager/ssl/tests/unit/crlite_enrollment_id.py | 33 + security/manager/ssl/tests/unit/crlite_key.py | 58 + security/manager/ssl/tests/unit/head_psm.js | 1187 + security/manager/ssl/tests/unit/moz.build | 10 + .../unit/ocsp_certs/ca-used-as-end-entity.pem | 20 + .../ocsp_certs/ca-used-as-end-entity.pem.certspec | 5 + .../ssl/tests/unit/ocsp_certs/default-ee.key | 28 + .../tests/unit/ocsp_certs/default-ee.key.keyspec | 1 + .../ssl/tests/unit/ocsp_certs/default-ee.pem | 21 + .../tests/unit/ocsp_certs/default-ee.pem.certspec | 4 + .../tests/unit/ocsp_certs/delegatedSHA1Signer.pem | 18 + .../ocsp_certs/delegatedSHA1Signer.pem.certspec | 5 + .../ssl/tests/unit/ocsp_certs/delegatedSigner.pem | 18 + .../unit/ocsp_certs/delegatedSigner.pem.certspec | 4 + .../invalidDelegatedSignerFromIntermediate.pem | 19 + ...lidDelegatedSignerFromIntermediate.pem.certspec | 4 + .../invalidDelegatedSignerKeyUsageCrlSigning.pem | 18 + ...dDelegatedSignerKeyUsageCrlSigning.pem.certspec | 4 + .../invalidDelegatedSignerNoExtKeyUsage.pem | 18 + ...nvalidDelegatedSignerNoExtKeyUsage.pem.certspec | 3 + .../invalidDelegatedSignerWrongExtKeyUsage.pem | 18 + ...lidDelegatedSignerWrongExtKeyUsage.pem.certspec | 4 + .../unit/ocsp_certs/multi-tls-feature-bad-ee.pem | 19 + .../multi-tls-feature-bad-ee.pem.certspec | 4 + .../unit/ocsp_certs/multi-tls-feature-good-ee.pem | 19 + .../multi-tls-feature-good-ee.pem.certspec | 4 + .../must-staple-ee-with-must-staple-int.pem | 19 + ...ust-staple-ee-with-must-staple-int.pem.certspec | 4 + 
.../ssl/tests/unit/ocsp_certs/must-staple-ee.pem | 19 + .../unit/ocsp_certs/must-staple-ee.pem.certspec | 5 + .../unit/ocsp_certs/must-staple-missing-ee.pem | 18 + .../ocsp_certs/must-staple-missing-ee.pem.certspec | 3 + .../unit/ocsp_certs/ocspEEWithIntermediate.pem | 20 + .../ocsp_certs/ocspEEWithIntermediate.pem.certspec | 4 + .../tests/unit/ocsp_certs/ocspOtherEndEntity.pem | 19 + .../ocsp_certs/ocspOtherEndEntity.pem.certspec | 4 + .../ssl/tests/unit/ocsp_certs/other-test-ca.key | 28 + .../unit/ocsp_certs/other-test-ca.key.keyspec | 1 + .../ssl/tests/unit/ocsp_certs/other-test-ca.pem | 18 + .../unit/ocsp_certs/other-test-ca.pem.certspec | 7 + .../ocsp_certs/rsa-1016-keysizeDelegatedSigner.key | 16 + .../rsa-1016-keysizeDelegatedSigner.key.keyspec | 1 + .../ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem | 15 + .../rsa-1016-keysizeDelegatedSigner.pem.certspec | 4 + .../manager/ssl/tests/unit/ocsp_certs/test-ca.pem | 18 + .../ssl/tests/unit/ocsp_certs/test-ca.pem.certspec | 4 + .../manager/ssl/tests/unit/ocsp_certs/test-int.pem | 18 + .../tests/unit/ocsp_certs/test-int.pem.certspec | 5 + .../unit/ocsp_certs/test-multi-tls-feature-int.pem | 19 + .../test-multi-tls-feature-int.pem.certspec | 5 + .../tests/unit/ocsp_certs/test-must-staple-int.pem | 19 + .../ocsp_certs/test-must-staple-int.pem.certspec | 5 + .../ssl/tests/unit/pkcs11testmodule/moz.build | 20 + .../unit/pkcs11testmodule/pkcs11testmodule.cpp | 597 + .../unit/pkcs11testmodule/pkcs11testmodule.symbols | 1 + security/manager/ssl/tests/unit/requirements.txt | 6 + security/manager/ssl/tests/unit/sign_app.py | 426 + .../ssl/tests/unit/test_add_preexisting_cert.js | 46 + .../ssl/tests/unit/test_allow_all_cert_errors.js | 25 + .../tests/unit/test_baseline_requirements/ca.pem | 17 + .../test_baseline_requirements/ca.pem.certspec | 5 + .../unit/test_baseline_requirements/no-san-old.pem | 17 + .../no-san-old.pem.certspec | 3 + .../test_baseline_requirements/no-san-older.pem | 17 + .../no-san-older.pem.certspec | 
3 + .../test_baseline_requirements/no-san-recent.pem | 17 + .../no-san-recent.pem.certspec | 3 + .../san-contains-no-hostnames-old.pem | 18 + .../san-contains-no-hostnames-old.pem.certspec | 4 + .../san-contains-no-hostnames-older.pem | 18 + .../san-contains-no-hostnames-older.pem.certspec | 4 + .../san-contains-no-hostnames-recent.pem | 18 + .../san-contains-no-hostnames-recent.pem.certspec | 4 + ...st_baseline_requirements_subject_common_name.js | 78 + .../ssl/tests/unit/test_blocklist_onecrl.js | 182 + .../manager/ssl/tests/unit/test_broken_fips.js | 61 + .../ssl/tests/unit/test_broken_fips/key4.db | Bin 0 -> 36864 bytes .../ssl/tests/unit/test_broken_fips/pkcs11.txt | 5 + .../ssl/tests/unit/test_certDB_export_pkcs12.js | 56 + ...t_certDB_export_pkcs12_with_primary_password.js | 117 + .../manager/ssl/tests/unit/test_certDB_import.js | 217 + .../unit/test_certDB_import/cert_from_windows.pfx | Bin 0 -> 2041 bytes .../cert_from_windows_emptypass.pfx | Bin 0 -> 2068 bytes .../cert_from_windows_nopass.pfx | Bin 0 -> 2068 bytes .../ssl/tests/unit/test_certDB_import/emailEE.pem | 17 + .../unit/test_certDB_import/emailEE.pem.certspec | 2 + .../unit/test_certDB_import/encrypted_with_aes.p12 | Bin 0 -> 3239 bytes .../tests/unit/test_certDB_import/importedCA.pem | 17 + .../test_certDB_import/importedCA.pem.certspec | 3 + .../ssl/tests/unit/test_certDB_import_pkcs12.js | 126 + .../test_certDB_import_with_primary_password.js | 148 + .../manager/ssl/tests/unit/test_cert_chains.js | 394 + security/manager/ssl/tests/unit/test_cert_dbKey.js | 263 + security/manager/ssl/tests/unit/test_cert_eku.js | 189 + .../manager/ssl/tests/unit/test_cert_eku/ca.pem | 17 + .../ssl/tests/unit/test_cert_eku/ca.pem.certspec | 4 + .../manager/ssl/tests/unit/test_cert_eku/ee-CA.pem | 17 + .../tests/unit/test_cert_eku/ee-CA.pem.certspec | 3 + .../ssl/tests/unit/test_cert_eku/ee-SA-CA.pem | 18 + .../tests/unit/test_cert_eku/ee-SA-CA.pem.certspec | 3 + .../ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem | 
18 + .../unit/test_cert_eku/ee-SA-OCSP.pem.certspec | 3 + .../ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem | 18 + .../unit/test_cert_eku/ee-SA-nsSGC.pem.certspec | 3 + .../manager/ssl/tests/unit/test_cert_eku/ee-SA.pem | 17 + .../tests/unit/test_cert_eku/ee-SA.pem.certspec | 3 + .../ssl/tests/unit/test_cert_eku/ee-int-CA.pem | 17 + .../unit/test_cert_eku/ee-int-CA.pem.certspec | 2 + .../ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem | 17 + .../unit/test_cert_eku/ee-int-SA-CA.pem.certspec | 2 + .../tests/unit/test_cert_eku/ee-int-SA-OCSP.pem | 17 + .../unit/test_cert_eku/ee-int-SA-OCSP.pem.certspec | 2 + .../tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem | 17 + .../test_cert_eku/ee-int-SA-nsSGC.pem.certspec | 2 + .../ssl/tests/unit/test_cert_eku/ee-int-SA.pem | 17 + .../unit/test_cert_eku/ee-int-SA.pem.certspec | 2 + .../tests/unit/test_cert_eku/ee-int-nsSGC-old.pem | 17 + .../test_cert_eku/ee-int-nsSGC-old.pem.certspec | 3 + .../unit/test_cert_eku/ee-int-nsSGC-older.pem | 17 + .../test_cert_eku/ee-int-nsSGC-older.pem.certspec | 3 + .../unit/test_cert_eku/ee-int-nsSGC-recent.pem | 17 + .../test_cert_eku/ee-int-nsSGC-recent.pem.certspec | 3 + .../ssl/tests/unit/test_cert_eku/ee-nsSGC.pem | 17 + .../tests/unit/test_cert_eku/ee-nsSGC.pem.certspec | 3 + .../ssl/tests/unit/test_cert_eku/int-CA.pem | 18 + .../tests/unit/test_cert_eku/int-CA.pem.certspec | 4 + .../ssl/tests/unit/test_cert_eku/int-SA-CA.pem | 18 + .../unit/test_cert_eku/int-SA-CA.pem.certspec | 4 + .../ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem | 18 + .../unit/test_cert_eku/int-SA-OCSP.pem.certspec | 4 + .../ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem | 18 + .../unit/test_cert_eku/int-SA-nsSGC.pem.certspec | 4 + .../ssl/tests/unit/test_cert_eku/int-SA.pem | 18 + .../tests/unit/test_cert_eku/int-SA.pem.certspec | 4 + .../ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem | 18 + .../unit/test_cert_eku/int-nsSGC-old.pem.certspec | 5 + .../tests/unit/test_cert_eku/int-nsSGC-older.pem | 18 + 
.../test_cert_eku/int-nsSGC-older.pem.certspec | 5 + .../tests/unit/test_cert_eku/int-nsSGC-recent.pem | 18 + .../test_cert_eku/int-nsSGC-recent.pem.certspec | 5 + .../ssl/tests/unit/test_cert_embedded_null.js | 54 + .../ssl/tests/unit/test_cert_embedded_null/ca.pem | 17 + .../unit/test_cert_embedded_null/ca.pem.certspec | 4 + .../unit/test_cert_embedded_null/embeddedNull.pem | 17 + .../embeddedNull.pem.certspec | 2 + .../embeddedNullCNAndSAN.pem | 18 + .../embeddedNullCNAndSAN.pem.certspec | 3 + .../test_cert_embedded_null/embeddedNullSAN.pem | 18 + .../embeddedNullSAN.pem.certspec | 3 + .../test_cert_embedded_null/embeddedNullSAN2.pem | 18 + .../embeddedNullSAN2.pem.certspec | 3 + .../ssl/tests/unit/test_cert_expiration_canary.js | 40 + .../ssl/tests/unit/test_cert_isBuiltInRoot.js | 89 + .../tests/unit/test_cert_isBuiltInRoot_reload.js | 143 + .../unit/test_cert_isBuiltInRoot_reload/cert9.db | Bin 0 -> 28672 bytes .../unit/test_cert_isBuiltInRoot_reload/key4.db | Bin 0 -> 36864 bytes .../manager/ssl/tests/unit/test_cert_keyUsage.js | 76 + .../unit/test_cert_keyUsage/ca-all-usages.pem | 18 + .../test_cert_keyUsage/ca-all-usages.pem.certspec | 4 + .../test_cert_keyUsage/ca-missing-keyCertSign.pem | 18 + .../ca-missing-keyCertSign.pem.certspec | 4 + .../ca-no-keyUsage-extension.pem | 18 + .../ca-no-keyUsage-extension.pem.certspec | 3 + ...yCertSign-and-keyEncipherment-ca-all-usages.pem | 18 + ...-and-keyEncipherment-ca-all-usages.pem.certspec | 3 + ...-and-keyEncipherment-ca-missing-keyCertSign.pem | 18 + ...ncipherment-ca-missing-keyCertSign.pem.certspec | 3 + ...nd-keyEncipherment-ca-no-keyUsage-extension.pem | 18 + ...ipherment-ca-no-keyUsage-extension.pem.certspec | 3 + .../ee-keyCertSign-only-ca-all-usages.pem | 18 + .../ee-keyCertSign-only-ca-all-usages.pem.certspec | 3 + .../ee-keyCertSign-only-ca-missing-keyCertSign.pem | 18 + ...rtSign-only-ca-missing-keyCertSign.pem.certspec | 3 + ...e-keyCertSign-only-ca-no-keyUsage-extension.pem | 18 + 
...Sign-only-ca-no-keyUsage-extension.pem.certspec | 3 + .../ee-keyEncipherment-only-ca-all-usages.pem | 18 + ...keyEncipherment-only-ca-all-usages.pem.certspec | 3 + ...keyEncipherment-only-ca-missing-keyCertSign.pem | 18 + ...erment-only-ca-missing-keyCertSign.pem.certspec | 3 + ...yEncipherment-only-ca-no-keyUsage-extension.pem | 18 + ...ment-only-ca-no-keyUsage-extension.pem.certspec | 3 + .../ee-no-keyUsage-extension-ca-all-usages.pem | 17 + ...o-keyUsage-extension-ca-all-usages.pem.certspec | 2 + ...o-keyUsage-extension-ca-missing-keyCertSign.pem | 18 + ...e-extension-ca-missing-keyCertSign.pem.certspec | 2 + ...keyUsage-extension-ca-no-keyUsage-extension.pem | 18 + ...extension-ca-no-keyUsage-extension.pem.certspec | 2 + .../ssl/tests/unit/test_cert_override_read.js | 207 + .../manager/ssl/tests/unit/test_cert_overrides.js | 734 + .../tests/unit/test_cert_overrides_read_only.js | 94 + .../unit/test_cert_overrides_read_only/cert9.db | Bin 0 -> 28672 bytes .../unit/test_cert_overrides_read_only/key4.db | Bin 0 -> 36864 bytes security/manager/ssl/tests/unit/test_cert_sha1.js | 53 + .../manager/ssl/tests/unit/test_cert_sha1/ca.pem | 17 + .../ssl/tests/unit/test_cert_sha1/ca.pem.certspec | 6 + .../tests/unit/test_cert_sha1/ee-post_int-post.pem | 17 + .../test_cert_sha1/ee-post_int-post.pem.certspec | 4 + .../tests/unit/test_cert_sha1/ee-post_int-pre.pem | 17 + .../test_cert_sha1/ee-post_int-pre.pem.certspec | 4 + .../tests/unit/test_cert_sha1/ee-pre_int-pre.pem | 17 + .../test_cert_sha1/ee-pre_int-pre.pem.certspec | 4 + .../ssl/tests/unit/test_cert_sha1/int-post.pem | 18 + .../unit/test_cert_sha1/int-post.pem.certspec | 6 + .../ssl/tests/unit/test_cert_sha1/int-pre.pem | 18 + .../tests/unit/test_cert_sha1/int-pre.pem.certspec | 6 + .../manager/ssl/tests/unit/test_cert_signatures.js | 140 + .../ssl/tests/unit/test_cert_signatures/ca-rsa.pem | 18 + .../unit/test_cert_signatures/ca-rsa.pem.certspec | 4 + .../unit/test_cert_signatures/ca-secp384r1.pem | 11 + 
.../test_cert_signatures/ca-secp384r1.pem.certspec | 7 + .../unit/test_cert_signatures/ee-rsa-direct.pem | 17 + .../ee-rsa-direct.pem.certspec | 2 + .../ssl/tests/unit/test_cert_signatures/ee-rsa.pem | 17 + .../unit/test_cert_signatures/ee-rsa.pem.certspec | 2 + .../test_cert_signatures/ee-secp384r1-direct.pem | 10 + .../ee-secp384r1-direct.pem.certspec | 5 + .../unit/test_cert_signatures/ee-secp384r1.pem | 10 + .../test_cert_signatures/ee-secp384r1.pem.certspec | 5 + .../tests/unit/test_cert_signatures/int-rsa.pem | 18 + .../unit/test_cert_signatures/int-rsa.pem.certspec | 4 + .../unit/test_cert_signatures/int-secp384r1.pem | 11 + .../int-secp384r1.pem.certspec | 7 + .../manager/ssl/tests/unit/test_cert_storage.js | 258 + .../ssl/tests/unit/test_cert_storage_broken_db.js | 72 + .../ssl/tests/unit/test_cert_storage_direct.js | 417 + .../revoked-cert-issuer.pem | 27 + .../unit/test_cert_storage_direct/revoked-cert.pem | 41 + .../test_cert_storage_direct/test-filter.crlite | Bin 0 -> 15244 bytes .../test_cert_storage_direct/valid-cert-issuer.pem | 27 + .../unit/test_cert_storage_direct/valid-cert.pem | 34 + .../tests/unit/test_cert_storage_preexisting.js | 48 + .../unit/test_cert_storage_preexisting/data.mdb | Bin 0 -> 45056 bytes .../test_cert_storage_preexisting/data.safe.bin | Bin 0 -> 122 bytes .../unit/test_cert_storage_preexisting/lock.mdb | Bin 0 -> 8192 bytes .../unit/test_cert_storage_preexisting_crlite.js | 83 + .../crlite.coverage | Bin 0 -> 97 bytes .../crlite.enrollment | 1 + .../crlite.filter | Bin 0 -> 15244 bytes .../data.safe.bin | Bin 0 -> 1607775 bytes security/manager/ssl/tests/unit/test_cert_trust.js | 324 + .../manager/ssl/tests/unit/test_cert_trust/ca.pem | 17 + .../ssl/tests/unit/test_cert_trust/ca.pem.certspec | 4 + .../manager/ssl/tests/unit/test_cert_trust/ee.pem | 18 + .../ssl/tests/unit/test_cert_trust/ee.pem.certspec | 3 + .../manager/ssl/tests/unit/test_cert_trust/int.pem | 17 + .../tests/unit/test_cert_trust/int.pem.certspec | 4 + 
security/manager/ssl/tests/unit/test_cert_utf8.js | 79 + .../unit/test_cert_utf8/certificateToAlter.pem | 24 + .../test_cert_utf8/certificateToAlter.pem.certspec | 3 + .../manager/ssl/tests/unit/test_cert_version.js | 304 + .../ssl/tests/unit/test_cert_version/ca.pem | 17 + .../tests/unit/test_cert_version/ca.pem.certspec | 4 + .../unit/test_cert_version/ee-v1-BC-cA_ca.pem | 17 + .../test_cert_version/ee-v1-BC-cA_ca.pem.certspec | 4 + .../unit/test_cert_version/ee-v1-BC-not-cA_ca.pem | 17 + .../ee-v1-BC-not-cA_ca.pem.certspec | 4 + .../tests/unit/test_cert_version/ee-v1-noBC_ca.pem | 17 + .../test_cert_version/ee-v1-noBC_ca.pem.certspec | 3 + .../unit/test_cert_version/ee-v2-BC-cA_ca.pem | 17 + .../test_cert_version/ee-v2-BC-cA_ca.pem.certspec | 4 + .../unit/test_cert_version/ee-v2-BC-not-cA_ca.pem | 17 + .../ee-v2-BC-not-cA_ca.pem.certspec | 4 + .../tests/unit/test_cert_version/ee-v2-noBC_ca.pem | 17 + .../test_cert_version/ee-v2-noBC_ca.pem.certspec | 3 + .../unit/test_cert_version/ee-v3-BC-cA_ca.pem | 17 + .../test_cert_version/ee-v3-BC-cA_ca.pem.certspec | 4 + .../unit/test_cert_version/ee-v3-BC-not-cA_ca.pem | 17 + .../ee-v3-BC-not-cA_ca.pem.certspec | 4 + .../tests/unit/test_cert_version/ee-v3-noBC_ca.pem | 17 + .../test_cert_version/ee-v3-noBC_ca.pem.certspec | 3 + .../unit/test_cert_version/ee-v4-BC-cA_ca.pem | 17 + .../test_cert_version/ee-v4-BC-cA_ca.pem.certspec | 4 + .../unit/test_cert_version/ee-v4-BC-not-cA_ca.pem | 17 + .../ee-v4-BC-not-cA_ca.pem.certspec | 4 + .../tests/unit/test_cert_version/ee-v4-noBC_ca.pem | 17 + .../test_cert_version/ee-v4-noBC_ca.pem.certspec | 3 + .../unit/test_cert_version/ee_int-v1-BC-cA.pem | 17 + .../test_cert_version/ee_int-v1-BC-cA.pem.certspec | 2 + .../unit/test_cert_version/ee_int-v1-BC-not-cA.pem | 17 + .../ee_int-v1-BC-not-cA.pem.certspec | 2 + .../unit/test_cert_version/ee_int-v1-noBC.pem | 17 + .../test_cert_version/ee_int-v1-noBC.pem.certspec | 2 + .../unit/test_cert_version/ee_int-v2-BC-cA.pem | 17 + 
.../test_cert_version/ee_int-v2-BC-cA.pem.certspec | 2 + .../unit/test_cert_version/ee_int-v2-BC-not-cA.pem | 17 + .../ee_int-v2-BC-not-cA.pem.certspec | 2 + .../unit/test_cert_version/ee_int-v2-noBC.pem | 17 + .../test_cert_version/ee_int-v2-noBC.pem.certspec | 2 + .../unit/test_cert_version/ee_int-v3-BC-cA.pem | 17 + .../test_cert_version/ee_int-v3-BC-cA.pem.certspec | 2 + .../unit/test_cert_version/ee_int-v3-BC-not-cA.pem | 17 + .../ee_int-v3-BC-not-cA.pem.certspec | 2 + .../unit/test_cert_version/ee_int-v3-noBC.pem | 17 + .../test_cert_version/ee_int-v3-noBC.pem.certspec | 2 + .../unit/test_cert_version/ee_int-v4-BC-cA.pem | 17 + .../test_cert_version/ee_int-v4-BC-cA.pem.certspec | 2 + .../unit/test_cert_version/ee_int-v4-BC-not-cA.pem | 17 + .../ee_int-v4-BC-not-cA.pem.certspec | 2 + .../unit/test_cert_version/ee_int-v4-noBC.pem | 17 + .../test_cert_version/ee_int-v4-noBC.pem.certspec | 2 + .../ssl/tests/unit/test_cert_version/generate.py | 93 + .../unit/test_cert_version/int-v1-BC-cA_ca.pem | 18 + .../test_cert_version/int-v1-BC-cA_ca.pem.certspec | 5 + .../unit/test_cert_version/int-v1-BC-not-cA_ca.pem | 18 + .../int-v1-BC-not-cA_ca.pem.certspec | 5 + .../unit/test_cert_version/int-v1-noBC_ca.pem | 17 + .../test_cert_version/int-v1-noBC_ca.pem.certspec | 4 + .../unit/test_cert_version/int-v2-BC-cA_ca.pem | 18 + .../test_cert_version/int-v2-BC-cA_ca.pem.certspec | 5 + .../unit/test_cert_version/int-v2-BC-not-cA_ca.pem | 18 + .../int-v2-BC-not-cA_ca.pem.certspec | 5 + .../unit/test_cert_version/int-v2-noBC_ca.pem | 17 + .../test_cert_version/int-v2-noBC_ca.pem.certspec | 4 + .../unit/test_cert_version/int-v3-BC-cA_ca.pem | 18 + .../test_cert_version/int-v3-BC-cA_ca.pem.certspec | 5 + .../unit/test_cert_version/int-v3-BC-not-cA_ca.pem | 18 + .../int-v3-BC-not-cA_ca.pem.certspec | 5 + .../unit/test_cert_version/int-v3-noBC_ca.pem | 17 + .../test_cert_version/int-v3-noBC_ca.pem.certspec | 4 + .../unit/test_cert_version/int-v4-BC-cA_ca.pem | 18 + 
.../test_cert_version/int-v4-BC-cA_ca.pem.certspec | 5 + .../unit/test_cert_version/int-v4-BC-not-cA_ca.pem | 18 + .../int-v4-BC-not-cA_ca.pem.certspec | 5 + .../unit/test_cert_version/int-v4-noBC_ca.pem | 17 + .../test_cert_version/int-v4-noBC_ca.pem.certspec | 4 + .../tests/unit/test_cert_version/ss-v1-BC-cA.pem | 17 + .../test_cert_version/ss-v1-BC-cA.pem.certspec | 4 + .../unit/test_cert_version/ss-v1-BC-not-cA.pem | 18 + .../test_cert_version/ss-v1-BC-not-cA.pem.certspec | 4 + .../tests/unit/test_cert_version/ss-v1-noBC.pem | 17 + .../unit/test_cert_version/ss-v1-noBC.pem.certspec | 3 + .../tests/unit/test_cert_version/ss-v2-BC-cA.pem | 18 + .../test_cert_version/ss-v2-BC-cA.pem.certspec | 4 + .../unit/test_cert_version/ss-v2-BC-not-cA.pem | 18 + .../test_cert_version/ss-v2-BC-not-cA.pem.certspec | 4 + .../tests/unit/test_cert_version/ss-v2-noBC.pem | 17 + .../unit/test_cert_version/ss-v2-noBC.pem.certspec | 3 + .../tests/unit/test_cert_version/ss-v3-BC-cA.pem | 18 + .../test_cert_version/ss-v3-BC-cA.pem.certspec | 4 + .../unit/test_cert_version/ss-v3-BC-not-cA.pem | 18 + .../test_cert_version/ss-v3-BC-not-cA.pem.certspec | 4 + .../tests/unit/test_cert_version/ss-v3-noBC.pem | 17 + .../unit/test_cert_version/ss-v3-noBC.pem.certspec | 3 + .../tests/unit/test_cert_version/ss-v4-BC-cA.pem | 18 + .../test_cert_version/ss-v4-BC-cA.pem.certspec | 4 + .../unit/test_cert_version/ss-v4-BC-not-cA.pem | 18 + .../test_cert_version/ss-v4-BC-not-cA.pem.certspec | 4 + .../tests/unit/test_cert_version/ss-v4-noBC.pem | 17 + .../unit/test_cert_version/ss-v4-noBC.pem.certspec | 3 + .../ssl/tests/unit/test_constructX509FromBase64.js | 90 + .../manager/ssl/tests/unit/test_content_signing.js | 431 + .../test_content_signing/content_signing_int.pem | 18 + .../content_signing_int.pem.certspec | 4 + .../content_signing_onecrl_RSA_ee.pem | 18 + .../content_signing_onecrl_RSA_ee.pem.certspec | 4 + .../content_signing_onecrl_ee.pem | 15 + .../content_signing_onecrl_ee.pem.certspec | 5 + 
.../content_signing_onecrl_ee_expired.pem | 15 + .../content_signing_onecrl_ee_expired.pem.certspec | 6 + .../content_signing_onecrl_ee_not_valid_yet.pem | 15 + ...nt_signing_onecrl_ee_not_valid_yet.pem.certspec | 6 + .../content_signing_onecrl_no_SAN_ee.pem | 14 + .../content_signing_onecrl_no_SAN_ee.pem.certspec | 4 + .../content_signing_onecrl_wrong_key_ee.pem | 14 + ...ontent_signing_onecrl_wrong_key_ee.pem.certspec | 5 + .../content_signing_remote_newtab_ee.pem | 15 + .../content_signing_remote_newtab_ee.pem.certspec | 5 + .../ssl/tests/unit/test_content_signing/pysign.py | 36 + .../ssl/tests/unit/test_content_signing/test.txt | 1 + .../unit/test_content_signing/test.txt.signature | 1 + .../ssl/tests/unit/test_crlite_corrupted/bad.stash | 1 + .../unit/test_crlite_corrupted/hash-alg-0.filter | Bin 0 -> 1 bytes .../trunc-issuer-id.enrollment | 2 + .../test_crlite_corrupted/trunc-log-id.coverage | 2 + .../trunc-max-timestamp.coverage | Bin 0 -> 48 bytes .../trunc-min-timestamp.coverage | Bin 0 -> 36 bytes .../unit/test_crlite_corrupted/version-0.coverage | Bin 0 -> 49 bytes .../test_crlite_corrupted/version-0.enrollment | Bin 0 -> 33 bytes .../ssl/tests/unit/test_crlite_coverage_missing.js | 17 + .../ssl/tests/unit/test_crlite_coverage_trunc1.js | 17 + .../ssl/tests/unit/test_crlite_coverage_trunc2.js | 19 + .../ssl/tests/unit/test_crlite_coverage_trunc3.js | 19 + .../ssl/tests/unit/test_crlite_coverage_version.js | 17 + .../tests/unit/test_crlite_enrollment_trunc1.js | 19 + .../tests/unit/test_crlite_enrollment_version.js | 17 + .../ssl/tests/unit/test_crlite_filter_corrupted.js | 21 + .../manager/ssl/tests/unit/test_crlite_filters.js | 880 + .../unit/test_crlite_filters/20201017-0-filter | Bin 0 -> 62 bytes .../test_crlite_filters/20201017-1-filter.stash | Bin 0 -> 36632 bytes .../test_crlite_filters/20201201-3-filter.stash | Bin 0 -> 57737 bytes .../ssl/tests/unit/test_crlite_filters/issuer.pem | 28 + .../unit/test_crlite_filters/no-sct-issuer.pem | 27 + 
.../ssl/tests/unit/test_crlite_filters/no-sct.pem | 33 + .../tests/unit/test_crlite_filters/notcovered.pem | 38 + .../test_crlite_filters/revoked-in-stash-2.pem | 36 + .../unit/test_crlite_filters/revoked-in-stash.pem | 36 + .../ssl/tests/unit/test_crlite_filters/revoked.pem | 42 + .../ssl/tests/unit/test_crlite_filters/valid.pem | 39 + .../ssl/tests/unit/test_crlite_preexisting.js | 208 + .../unit/test_crlite_preexisting/crlite.coverage | Bin 0 -> 97 bytes .../unit/test_crlite_preexisting/crlite.enrollment | 1 + .../unit/test_crlite_preexisting/crlite.stash | Bin 0 -> 209843 bytes .../ssl/tests/unit/test_crlite_stash_corrupted.js | 91 + security/manager/ssl/tests/unit/test_ct.js | 72 + .../test_ct/ct-insufficient-scts.example.com.pem | 28 + .../ct-insufficient-scts.example.com.pem.certspec | 4 + .../tests/unit/test_ct/ct-valid.example.com.pem | 34 + .../unit/test_ct/ct-valid.example.com.pem.certspec | 4 + .../manager/ssl/tests/unit/test_ct/default-ee.key | 28 + .../ssl/tests/unit/test_ct/default-ee.key.keyspec | 1 + .../manager/ssl/tests/unit/test_ct/default-ee.pem | 21 + .../ssl/tests/unit/test_ct/default-ee.pem.certspec | 4 + .../manager/ssl/tests/unit/test_ct/test-ca.pem | 18 + .../ssl/tests/unit/test_ct/test-ca.pem.certspec | 4 + .../ssl/tests/unit/test_db_format_pref_new.js | 30 + .../ssl/tests/unit/test_delegated_credentials.js | 91 + .../unit/test_delegated_credentials/default-ee.key | 5 + .../default-ee.key.keyspec | 1 + .../unit/test_delegated_credentials/default-ee.pem | 15 + .../default-ee.pem.certspec | 5 + .../test_delegated_credentials/delegated-ee.pem | 16 + .../delegated-ee.pem.certspec | 7 + .../unit/test_delegated_credentials/delegated.key | 6 + .../delegated.key.keyspec | 1 + .../unit/test_delegated_credentials/test-ca.pem | 18 + .../test-ca.pem.certspec | 4 + .../unit/test_delegated_credentials/test-int.pem | 19 + .../test-int.pem.certspec | 4 + security/manager/ssl/tests/unit/test_der.js | 355 + 
.../ssl/tests/unit/test_encrypted_client_hello.js | 101 + .../test_encrypted_client_hello/default-ee.key | 28 + .../default-ee.key.keyspec | 1 + .../test_encrypted_client_hello/default-ee.pem | 18 + .../default-ee.pem.certspec | 3 + .../test_encrypted_client_hello/private-ee.key | 28 + .../private-ee.key.keyspec | 1 + .../test_encrypted_client_hello/private-ee.pem | 18 + .../private-ee.pem.certspec | 3 + .../test_encrypted_client_hello/selfsigned.pem | 19 + .../selfsigned.pem.certspec | 3 + .../unit/test_encrypted_client_hello/test-ca.pem | 18 + .../test-ca.pem.certspec | 4 + .../test_encrypted_client_hello_client_only.js | 32 + .../ssl/tests/unit/test_enterprise_roots.js | 82 + security/manager/ssl/tests/unit/test_ev_certs.js | 310 + .../unit/test_ev_certs/anyPolicy-ee-path-ee.pem | 20 + .../anyPolicy-ee-path-ee.pem.certspec | 5 + .../unit/test_ev_certs/anyPolicy-ee-path-int.pem | 20 + .../anyPolicy-ee-path-int.pem.certspec | 7 + .../unit/test_ev_certs/anyPolicy-int-path-ee.pem | 21 + .../anyPolicy-int-path-ee.pem.certspec | 5 + .../unit/test_ev_certs/anyPolicy-int-path-int.pem | 20 + .../anyPolicy-int-path-int.pem.certspec | 7 + ...um-and-test-oid-ee-cabforum-oid-int-path-ee.pem | 23 + ...st-oid-ee-cabforum-oid-int-path-ee.pem.certspec | 5 + ...m-and-test-oid-ee-cabforum-oid-int-path-int.pem | 21 + ...t-oid-ee-cabforum-oid-int-path-int.pem.certspec | 7 + .../cabforum-and-test-oid-ee-path-ee.pem | 22 + .../cabforum-and-test-oid-ee-path-ee.pem.certspec | 5 + .../cabforum-and-test-oid-ee-path-int.pem | 21 + .../cabforum-and-test-oid-ee-path-int.pem.certspec | 7 + .../unit/test_ev_certs/cabforum-oid-path-ee.pem | 20 + .../cabforum-oid-path-ee.pem.certspec | 5 + .../unit/test_ev_certs/cabforum-oid-path-int.pem | 20 + .../cabforum-oid-path-int.pem.certspec | 7 + .../ssl/tests/unit/test_ev_certs/evroot.key | 28 + .../tests/unit/test_ev_certs/evroot.key.keyspec | 1 + .../ssl/tests/unit/test_ev_certs/evroot.pem | 18 + .../tests/unit/test_ev_certs/evroot.pem.certspec | 7 + 
.../unit/test_ev_certs/no-ocsp-ee-path-ee.pem | 19 + .../test_ev_certs/no-ocsp-ee-path-ee.pem.certspec | 4 + .../unit/test_ev_certs/no-ocsp-ee-path-int.pem | 20 + .../test_ev_certs/no-ocsp-ee-path-int.pem.certspec | 7 + .../unit/test_ev_certs/no-ocsp-int-path-ee.pem | 21 + .../test_ev_certs/no-ocsp-int-path-ee.pem.certspec | 5 + .../unit/test_ev_certs/no-ocsp-int-path-int.pem | 18 + .../no-ocsp-int-path-int.pem.certspec | 6 + .../unit/test_ev_certs/non-ev-root-path-ee.pem | 21 + .../test_ev_certs/non-ev-root-path-ee.pem.certspec | 5 + .../unit/test_ev_certs/non-ev-root-path-int.pem | 20 + .../non-ev-root-path-int.pem.certspec | 6 + .../ssl/tests/unit/test_ev_certs/non-evroot-ca.pem | 18 + .../unit/test_ev_certs/non-evroot-ca.pem.certspec | 4 + .../test_ev_certs/reverse-order-oids-path-ee.pem | 21 + .../reverse-order-oids-path-ee.pem.certspec | 5 + .../test_ev_certs/reverse-order-oids-path-int.pem | 21 + .../reverse-order-oids-path-int.pem.certspec | 7 + ...nd-cabforum-oid-ee-cabforum-oid-int-path-ee.pem | 23 + ...um-oid-ee-cabforum-oid-int-path-ee.pem.certspec | 5 + ...d-cabforum-oid-ee-cabforum-oid-int-path-int.pem | 21 + ...m-oid-ee-cabforum-oid-int-path-int.pem.certspec | 7 + .../test-and-cabforum-oid-ee-path-ee.pem | 22 + .../test-and-cabforum-oid-ee-path-ee.pem.certspec | 5 + .../test-and-cabforum-oid-ee-path-int.pem | 21 + .../test-and-cabforum-oid-ee-path-int.pem.certspec | 7 + .../test-oid-ee-cabforum-oid-int-path-ee.pem | 22 + ...st-oid-ee-cabforum-oid-int-path-ee.pem.certspec | 5 + .../test-oid-ee-cabforum-oid-int-path-int.pem | 21 + ...t-oid-ee-cabforum-oid-int-path-int.pem.certspec | 7 + .../tests/unit/test_ev_certs/test-oid-path-ee.pem | 20 + .../test_ev_certs/test-oid-path-ee.pem.certspec | 5 + .../tests/unit/test_ev_certs/test-oid-path-int.key | 28 + .../test_ev_certs/test-oid-path-int.key.keyspec | 1 + .../tests/unit/test_ev_certs/test-oid-path-int.pem | 20 + .../test_ev_certs/test-oid-path-int.pem.certspec | 7 + 
.../tests/unit/test_faulty_server/default-ee.key | 5 + .../unit/test_faulty_server/default-ee.key.keyspec | 1 + .../tests/unit/test_faulty_server/default-ee.pem | 14 + .../test_faulty_server/default-ee.pem.certspec | 5 + .../tests/unit/test_faulty_server/no-san-ee.pem | 14 + .../unit/test_faulty_server/no-san-ee.pem.certspec | 4 + .../unit/test_faulty_server/no-san-ee.pem.key | 5 + .../test_faulty_server/no-san-ee.pem.key.keyspec | 1 + .../ssl/tests/unit/test_faulty_server/test-ca.pem | 18 + .../unit/test_faulty_server/test-ca.pem.certspec | 4 + .../ssl/tests/unit/test_faulty_server/test-int.pem | 18 + .../unit/test_faulty_server/test-int.pem.certspec | 4 + .../test_forget_about_site_security_headers.js | 119 + .../manager/ssl/tests/unit/test_hash_algorithms.js | 158 + .../ssl/tests/unit/test_hash_algorithms_wrap.js | 5 + .../test_intermediate_basic_usage_constraints.js | 138 + .../ca.pem | 17 + .../ca.pem.certspec | 3 + .../ee-int-bad-ku-no-eku.pem | 18 + .../ee-int-bad-ku-no-eku.pem.certspec | 4 + .../ee-int-bad-ku-server-eku.pem | 18 + .../ee-int-bad-ku-server-eku.pem.certspec | 4 + .../ee-int-cA-FALSE-asserts-keyCertSign.pem | 19 + ...e-int-cA-FALSE-asserts-keyCertSign.pem.certspec | 4 + .../ee-int-limited-depth-invalid.pem | 18 + .../ee-int-limited-depth-invalid.pem.certspec | 4 + .../ee-int-limited-depth.pem | 18 + .../ee-int-limited-depth.pem.certspec | 4 + .../ee-int-no-extensions.pem | 18 + .../ee-int-no-extensions.pem.certspec | 4 + .../ee-int-no-ku-no-eku.pem | 18 + .../ee-int-no-ku-no-eku.pem.certspec | 4 + .../ee-int-no-ku-server-eku.pem | 18 + .../ee-int-no-ku-server-eku.pem.certspec | 4 + .../ee-int-not-a-ca.pem | 18 + .../ee-int-not-a-ca.pem.certspec | 4 + .../ee-int-valid-ku-no-eku.pem | 18 + .../ee-int-valid-ku-no-eku.pem.certspec | 4 + .../ee-int-valid-ku-server-eku.pem | 18 + .../ee-int-valid-ku-server-eku.pem.certspec | 4 + .../int-bad-ku-no-eku.pem | 18 + .../int-bad-ku-no-eku.pem.certspec | 4 + .../int-bad-ku-server-eku.pem | 18 + 
.../int-bad-ku-server-eku.pem.certspec | 5 + .../int-cA-FALSE-asserts-keyCertSign.pem | 18 + .../int-cA-FALSE-asserts-keyCertSign.pem.certspec | 4 + .../int-limited-depth-invalid.pem | 18 + .../int-limited-depth-invalid.pem.certspec | 3 + .../int-limited-depth.pem | 18 + .../int-limited-depth.pem.certspec | 3 + .../int-no-extensions.pem | 17 + .../int-no-extensions.pem.certspec | 2 + .../int-no-ku-no-eku.pem | 17 + .../int-no-ku-no-eku.pem.certspec | 3 + .../int-no-ku-server-eku.pem | 18 + .../int-no-ku-server-eku.pem.certspec | 4 + .../int-not-a-ca.pem | 17 + .../int-not-a-ca.pem.certspec | 3 + .../int-valid-ku-no-eku.pem | 18 + .../int-valid-ku-no-eku.pem.certspec | 4 + .../int-valid-ku-server-eku.pem | 19 + .../int-valid-ku-server-eku.pem.certspec | 5 + .../ssl/tests/unit/test_intermediate_preloads.js | 528 + .../tests/unit/test_intermediate_preloads/ca.pem | 18 + .../test_intermediate_preloads/ca.pem.certspec | 5 + .../unit/test_intermediate_preloads/default-ee.key | 28 + .../default-ee.key.keyspec | 1 + .../unit/test_intermediate_preloads/default-ee.pem | 19 + .../default-ee.pem.certspec | 4 + .../tests/unit/test_intermediate_preloads/ee2.pem | 18 + .../test_intermediate_preloads/ee2.pem.certspec | 3 + .../tests/unit/test_intermediate_preloads/int.pem | 19 + .../test_intermediate_preloads/int.pem.certspec | 4 + .../tests/unit/test_intermediate_preloads/int2.pem | 19 + .../test_intermediate_preloads/int2.pem.certspec | 4 + security/manager/ssl/tests/unit/test_keysize.js | 204 + .../ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem | 13 + ...sa_1016-int_rsa_1024-root_rsa_1024.pem.certspec | 4 + .../ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem | 13 + ...sa_1024-int_rsa_1016-root_rsa_1024.pem.certspec | 4 + .../ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem | 15 + ...sa_1024-int_rsa_1024-root_rsa_1016.pem.certspec | 4 + .../ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem | 13 + ...sa_1024-int_rsa_1024-root_rsa_1024.pem.certspec | 4 + 
...cp224r1_224-int_secp256r1_256-root_rsa_2048.pem | 10 + ...24-int_secp256r1_256-root_rsa_2048.pem.certspec | 5 + ...r1_224-int_secp256r1_256-root_secp256r1_256.pem | 10 + ...t_secp256r1_256-root_secp256r1_256.pem.certspec | 5 + ...k1_256-int_secp256r1_256-root_secp256r1_256.pem | 10 + ...t_secp256r1_256-root_secp256r1_256.pem.certspec | 5 + ...cp256r1_256-int_rsa_1016-root_secp256r1_256.pem | 11 + ...56-int_rsa_1016-root_secp256r1_256.pem.certspec | 4 + ...r1_256-int_secp224r1_224-root_secp256r1_256.pem | 10 + ...t_secp224r1_224-root_secp256r1_256.pem.certspec | 5 + ...r1_256-int_secp256r1_256-root_secp224r1_224.pem | 10 + ...t_secp256r1_256-root_secp224r1_224.pem.certspec | 5 + ...r1_256-int_secp256r1_256-root_secp256k1_256.pem | 10 + ...t_secp256r1_256-root_secp256k1_256.pem.certspec | 5 + ...cp384r1_384-int_secp256r1_256-root_rsa_2048.pem | 11 + ...84-int_secp256r1_256-root_rsa_2048.pem.certspec | 5 + ...r1_521-int_secp384r1_384-root_secp256r1_256.pem | 12 + ...t_secp384r1_384-root_secp256r1_256.pem.certspec | 5 + .../test_keysize/int_rsa_1016-root_rsa_1024.pem | 13 + .../int_rsa_1016-root_rsa_1024.pem.certspec | 6 + .../int_rsa_1016-root_secp256r1_256.pem | 12 + .../int_rsa_1016-root_secp256r1_256.pem.certspec | 7 + .../test_keysize/int_rsa_1024-root_rsa_1016.pem | 13 + .../int_rsa_1024-root_rsa_1016.pem.certspec | 6 + .../test_keysize/int_rsa_1024-root_rsa_1024.pem | 13 + .../int_rsa_1024-root_rsa_1024.pem.certspec | 6 + .../int_secp224r1_224-root_secp256r1_256.pem | 10 + ...t_secp224r1_224-root_secp256r1_256.pem.certspec | 7 + .../int_secp256r1_256-root_rsa_2048.pem | 14 + .../int_secp256r1_256-root_rsa_2048.pem.certspec | 5 + .../int_secp256r1_256-root_secp224r1_224.pem | 10 + ...t_secp256r1_256-root_secp224r1_224.pem.certspec | 7 + .../int_secp256r1_256-root_secp256k1_256.pem | 10 + ...t_secp256r1_256-root_secp256k1_256.pem.certspec | 7 + .../int_secp256r1_256-root_secp256r1_256.pem | 10 + ...t_secp256r1_256-root_secp256r1_256.pem.certspec | 7 + 
.../int_secp384r1_384-root_secp256r1_256.pem | 11 + ...t_secp384r1_384-root_secp256r1_256.pem.certspec | 7 + .../ssl/tests/unit/test_keysize/root_rsa_1016.pem | 12 + .../unit/test_keysize/root_rsa_1016.pem.certspec | 6 + .../ssl/tests/unit/test_keysize/root_rsa_1024.pem | 12 + .../unit/test_keysize/root_rsa_1024.pem.certspec | 6 + .../ssl/tests/unit/test_keysize/root_rsa_2048.pem | 18 + .../unit/test_keysize/root_rsa_2048.pem.certspec | 4 + .../tests/unit/test_keysize/root_secp224r1_224.pem | 9 + .../test_keysize/root_secp224r1_224.pem.certspec | 7 + .../tests/unit/test_keysize/root_secp256k1_256.pem | 10 + .../test_keysize/root_secp256k1_256.pem.certspec | 7 + .../tests/unit/test_keysize/root_secp256r1_256.pem | 10 + .../test_keysize/root_secp256r1_256.pem.certspec | 7 + security/manager/ssl/tests/unit/test_keysize_ev.js | 169 + .../ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem | 21 + ...ee_rsa_2040-ev_int_rsa_2048-evroot.pem.certspec | 5 + .../ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem | 21 + ...ee_rsa_2048-ev_int_rsa_2040-evroot.pem.certspec | 5 + ...e_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem | 21 + ...8-ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec | 4 + .../ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem | 21 + ...ee_rsa_2048-ev_int_rsa_2048-evroot.pem.certspec | 4 + .../test_keysize_ev/ev_int_rsa_2040-evroot.pem | 20 + .../ev_int_rsa_2040-evroot.pem.certspec | 8 + .../tests/unit/test_keysize_ev/ev_int_rsa_2040.key | 28 + .../test_keysize_ev/ev_int_rsa_2040.key.keyspec | 1 + .../ev_int_rsa_2048-ev_root_rsa_2040.pem | 21 + .../ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec | 7 + .../test_keysize_ev/ev_int_rsa_2048-evroot.pem | 20 + .../ev_int_rsa_2048-evroot.pem.certspec | 7 + .../tests/unit/test_keysize_ev/ev_int_rsa_2048.key | 28 + .../test_keysize_ev/ev_int_rsa_2048.key.keyspec | 1 + .../unit/test_keysize_ev/ev_root_rsa_2040.key | 28 + .../test_keysize_ev/ev_root_rsa_2040.key.keyspec | 1 + .../unit/test_keysize_ev/ev_root_rsa_2040.pem | 18 + 
.../test_keysize_ev/ev_root_rsa_2040.pem.certspec | 7 + .../ssl/tests/unit/test_keysize_ev/evroot.key | 28 + .../tests/unit/test_keysize_ev/evroot.key.keyspec | 1 + .../ssl/tests/unit/test_keysize_ev/evroot.pem | 18 + .../tests/unit/test_keysize_ev/evroot.pem.certspec | 7 + .../ssl/tests/unit/test_logoutAndTeardown.js | 195 + .../ssl/tests/unit/test_missing_intermediate.js | 92 + .../missing-intermediate.pem | 18 + .../missing-intermediate.pem.certspec | 4 + .../ssl/tests/unit/test_name_constraints.js | 71 + .../NameConstraints.dcissallowed.pem | 20 + .../NameConstraints.dcissallowed.pem.certspec | 2 + .../NameConstraints.dcissblocked.pem | 20 + .../NameConstraints.dcissblocked.pem.certspec | 2 + .../ca-example-com-permitted.pem | 19 + .../ca-example-com-permitted.pem.certspec | 5 + .../ssl/tests/unit/test_name_constraints/dciss.pem | 22 + .../unit/test_name_constraints/dciss.pem.certspec | 4 + .../ee-example-com-and-org.pem | 19 + .../ee-example-com-and-org.pem.certspec | 3 + .../unit/test_name_constraints/ee-example-com.pem | 18 + .../ee-example-com.pem.certspec | 3 + .../unit/test_name_constraints/ee-example-org.pem | 18 + .../ee-example-org.pem.certspec | 3 + .../unit/test_name_constraints/ee-example-test.pem | 18 + .../ee-example-test.pem.certspec | 3 + .../int-example-org-permitted.pem | 19 + .../int-example-org-permitted.pem.certspec | 5 + .../manager/ssl/tests/unit/test_nonascii_path.js | 52 + security/manager/ssl/tests/unit/test_nsCertType.js | 32 + .../ssl/tests/unit/test_nsIX509CertValidity.js | 25 + .../ssl/tests/unit/test_nsIX509Cert_utf8.js | 96 + .../manager/ssl/tests/unit/test_ocsp_caching.js | 479 + .../ssl/tests/unit/test_ocsp_enabled_pref.js | 146 + .../ssl/tests/unit/test_ocsp_must_staple.js | 160 + .../ssl/tests/unit/test_ocsp_no_hsts_upgrade.js | 58 + .../ssl/tests/unit/test_ocsp_private_caching.js | 115 + .../manager/ssl/tests/unit/test_ocsp_required.js | 95 + .../manager/ssl/tests/unit/test_ocsp_stapling.js | 393 + 
.../ssl/tests/unit/test_ocsp_stapling_expired.js | 317 + .../unit/test_ocsp_stapling_with_intermediate.js | 48 + .../manager/ssl/tests/unit/test_ocsp_timeout.js | 100 + security/manager/ssl/tests/unit/test_ocsp_url.js | 122 + .../ssl/tests/unit/test_ocsp_url/bad-scheme.pem | 18 + .../unit/test_ocsp_url/bad-scheme.pem.certspec | 3 + .../manager/ssl/tests/unit/test_ocsp_url/ca.pem | 17 + .../ssl/tests/unit/test_ocsp_url/ca.pem.certspec | 4 + .../tests/unit/test_ocsp_url/empty-scheme-url.pem | 18 + .../test_ocsp_url/empty-scheme-url.pem.certspec | 3 + .../ssl/tests/unit/test_ocsp_url/ftp-url.pem | 18 + .../tests/unit/test_ocsp_url/ftp-url.pem.certspec | 3 + .../ssl/tests/unit/test_ocsp_url/hTTp-url.pem | 18 + .../tests/unit/test_ocsp_url/hTTp-url.pem.certspec | 3 + .../ssl/tests/unit/test_ocsp_url/https-url.pem | 18 + .../unit/test_ocsp_url/https-url.pem.certspec | 3 + .../manager/ssl/tests/unit/test_ocsp_url/int.key | 28 + .../ssl/tests/unit/test_ocsp_url/int.key.keyspec | 1 + .../manager/ssl/tests/unit/test_ocsp_url/int.pem | 17 + .../ssl/tests/unit/test_ocsp_url/int.pem.certspec | 4 + .../ssl/tests/unit/test_ocsp_url/negative-port.pem | 18 + .../unit/test_ocsp_url/negative-port.pem.certspec | 3 + .../ssl/tests/unit/test_ocsp_url/no-host-url.pem | 18 + .../unit/test_ocsp_url/no-host-url.pem.certspec | 3 + .../ssl/tests/unit/test_ocsp_url/no-path-url.pem | 18 + .../unit/test_ocsp_url/no-path-url.pem.certspec | 3 + .../unit/test_ocsp_url/no-scheme-host-port.pem | 18 + .../test_ocsp_url/no-scheme-host-port.pem.certspec | 3 + .../ssl/tests/unit/test_ocsp_url/no-scheme-url.pem | 18 + .../unit/test_ocsp_url/no-scheme-url.pem.certspec | 3 + .../tests/unit/test_ocsp_url/unknown-scheme.pem | 18 + .../unit/test_ocsp_url/unknown-scheme.pem.certspec | 3 + .../ssl/tests/unit/test_ocsp_url/user-pass.pem | 18 + .../unit/test_ocsp_url/user-pass.pem.certspec | 3 + ...ther-ee-revoked-by-revocations-txt-serial-2.pem | 17 + ...evoked-by-revocations-txt-serial-2.pem.certspec | 3 + 
.../another-ee-revoked-by-revocations-txt.pem | 17 + ...ther-ee-revoked-by-revocations-txt.pem.certspec | 3 + .../test_onecrl/ee-revoked-by-revocations-txt.pem | 17 + .../ee-revoked-by-revocations-txt.pem.certspec | 3 + .../ee-revoked-by-subject-and-pubkey.pem | 18 + .../ee-revoked-by-subject-and-pubkey.pem.certspec | 2 + .../ssl/tests/unit/test_onecrl/same-issuer-ee.pem | 19 + .../unit/test_onecrl/same-issuer-ee.pem.certspec | 4 + .../tests/unit/test_onecrl/sample_revocations.txt | 41 + .../ssl/tests/unit/test_onecrl/test-int-ee.pem | 18 + .../unit/test_onecrl/test-int-ee.pem.certspec | 3 + .../ssl/tests/unit/test_osclientcerts_module.js | 63 + security/manager/ssl/tests/unit/test_oskeystore.js | 413 + .../ssl/tests/unit/test_osreauthenticator.js | 27 + .../manager/ssl/tests/unit/test_password_prompt.js | 87 + security/manager/ssl/tests/unit/test_pinning.js | 311 + .../manager/ssl/tests/unit/test_pkcs11_module.js | 58 + .../manager/ssl/tests/unit/test_pkcs11_moduleDB.js | 46 + .../ssl/tests/unit/test_pkcs11_safe_mode.js | 58 + .../manager/ssl/tests/unit/test_pkcs11_slot.js | 161 + .../manager/ssl/tests/unit/test_pkcs11_token.js | 149 + .../manager/ssl/tests/unit/test_pkcs11_tokenDB.js | 20 + .../apple-ist-ca-8-g1-intermediate.pem | 20 + .../tests/unit/test_sanctions/cds-apple-com.pem | 38 + .../ssl/tests/unit/test_sanctions/default-ee.key | 28 + .../unit/test_sanctions/default-ee.key.keyspec | 1 + .../ssl/tests/unit/test_sanctions/default-ee.pem | 21 + .../unit/test_sanctions/default-ee.pem.certspec | 4 + .../symantec-ee-from-allowlist-after-cutoff.pem | 20 + ...tec-ee-from-allowlist-after-cutoff.pem.certspec | 4 + .../symantec-ee-from-allowlist-before-cutoff.pem | 20 + ...ec-ee-from-allowlist-before-cutoff.pem.certspec | 4 + .../symantec-ee-not-allowlisted-after-cutoff.pem | 20 + ...ec-ee-not-allowlisted-after-cutoff.pem.certspec | 4 + .../symantec-ee-not-allowlisted-before-cutoff.pem | 20 + ...c-ee-not-allowlisted-before-cutoff.pem.certspec | 4 + 
.../symantec-intermediate-allowlisted.pem | 22 + .../symantec-intermediate-allowlisted.pem.certspec | 5 + .../symantec-intermediate-other-crossigned.pem | 19 + ...ntec-intermediate-other-crossigned.pem.certspec | 5 + .../test_sanctions/symantec-intermediate-other.pem | 22 + .../symantec-intermediate-other.pem.certspec | 5 + .../tests/unit/test_sanctions/symantec-test-ca.pem | 23 + .../test_sanctions/symantec-test-ca.pem.certspec | 5 + .../unit/test_sanctions_symantec_apple_google.js | 95 + security/manager/ssl/tests/unit/test_sdr.js | 272 + .../manager/ssl/tests/unit/test_sdr_preexisting.js | 79 + .../ssl/tests/unit/test_sdr_preexisting/key4.db | Bin 0 -> 36864 bytes .../unit/test_sdr_preexisting_with_password.js | 135 + .../test_sdr_preexisting_with_password/key4.db | Bin 0 -> 36864 bytes .../ssl/tests/unit/test_self_signed_certs.js | 69 + .../ssl/tests/unit/test_self_signed_certs/cert9.db | Bin 0 -> 45056 bytes .../ssl/tests/unit/test_session_resumption.js | 291 + .../manager/ssl/tests/unit/test_signed_apps.js | 1038 + .../ssl/tests/unit/test_signed_apps/app/README | 1 + .../tests/unit/test_signed_apps/app/data/image.png | Bin 0 -> 534 bytes .../tests/unit/test_signed_apps/app/manifest.json | 5 + .../app_cose_tampered/META-INF/cose.manifest | 10 + .../app_cose_tampered/META-INF/cose.sig | Bin 0 -> 655 bytes .../unit/test_signed_apps/app_cose_tampered/README | 2 + .../app_cose_tampered/data/image.png | Bin 0 -> 534 bytes .../app_cose_tampered/manifest.json | 5 + .../app_mf-1-256_sf-1-256_p7-1-256.zip | Bin 0 -> 2678 bytes .../app_mf-1-256_sf-1-256_p7-1.zip | Bin 0 -> 2341 bytes .../app_mf-1-256_sf-1-256_p7-256.zip | Bin 0 -> 2362 bytes .../app_mf-1-256_sf-1_p7-1-256.zip | Bin 0 -> 2624 bytes .../test_signed_apps/app_mf-1-256_sf-1_p7-1.zip | Bin 0 -> 2288 bytes .../test_signed_apps/app_mf-1-256_sf-1_p7-256.zip | Bin 0 -> 2309 bytes .../app_mf-1-256_sf-256_p7-1-256.zip | Bin 0 -> 2643 bytes .../test_signed_apps/app_mf-1-256_sf-256_p7-1.zip | Bin 0 -> 2307 bytes 
.../app_mf-1-256_sf-256_p7-256.zip | Bin 0 -> 2327 bytes .../app_mf-1_sf-1-256_p7-1-256.zip | Bin 0 -> 2562 bytes .../test_signed_apps/app_mf-1_sf-1-256_p7-1.zip | Bin 0 -> 2226 bytes .../test_signed_apps/app_mf-1_sf-1-256_p7-256.zip | Bin 0 -> 2247 bytes .../test_signed_apps/app_mf-1_sf-1_p7-1-256.zip | Bin 0 -> 2513 bytes .../unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip | Bin 0 -> 2174 bytes .../unit/test_signed_apps/app_mf-1_sf-1_p7-256.zip | Bin 0 -> 2196 bytes .../test_signed_apps/app_mf-1_sf-256_p7-1-256.zip | Bin 0 -> 2526 bytes .../unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip | Bin 0 -> 2192 bytes .../test_signed_apps/app_mf-1_sf-256_p7-256.zip | Bin 0 -> 2210 bytes .../app_mf-256_sf-1-256_p7-1-256.zip | Bin 0 -> 2601 bytes .../test_signed_apps/app_mf-256_sf-1-256_p7-1.zip | Bin 0 -> 2264 bytes .../app_mf-256_sf-1-256_p7-256.zip | Bin 0 -> 2287 bytes .../test_signed_apps/app_mf-256_sf-1_p7-1-256.zip | Bin 0 -> 2549 bytes .../unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip | Bin 0 -> 2213 bytes .../test_signed_apps/app_mf-256_sf-1_p7-256.zip | Bin 0 -> 2234 bytes .../app_mf-256_sf-256_p7-1-256.zip | Bin 0 -> 2567 bytes .../test_signed_apps/app_mf-256_sf-256_p7-1.zip | Bin 0 -> 2232 bytes .../test_signed_apps/app_mf-256_sf-256_p7-256.zip | Bin 0 -> 2251 bytes ...48-prod-tomato-clock-PKCS7-SHA1-ES256-ES384.zip | Bin 0 -> 459148 bytes ...48-prod-tomato-clock-PKCS7-SHA1-ES256-PS256.zip | Bin 0 -> 459984 bytes ...714ba248-prod-tomato-clock-PKCS7-SHA1-ES256.zip | Bin 0 -> 458382 bytes ...714ba248-prod-tomato-clock-PKCS7-SHA1-PS256.zip | Bin 0 -> 459272 bytes ...8-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip | Bin 0 -> 459192 bytes ...8-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip | Bin 0 -> 460028 bytes ...14ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip | Bin 0 -> 458426 bytes ...14ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip | Bin 0 -> 459315 bytes .../tests/unit/test_signed_apps/big_manifest.zip | Bin 0 -> 8107 bytes 
.../tests/unit/test_signed_apps/bug_1411458.zip | Bin 0 -> 2698 bytes .../cose_int_signed_with_pkcs7.zip | Bin 0 -> 4046 bytes .../cose_multiple_signed_with_pkcs7.zip | Bin 0 -> 3942 bytes .../test_signed_apps/cose_signed_with_pkcs7.zip | Bin 0 -> 3400 bytes .../test_signed_apps/cose_tampered_good_pkcs7.zip | Bin 0 -> 3379 bytes .../unit/test_signed_apps/empty_signerInfos.zip | Bin 0 -> 1890 bytes .../tests/unit/test_signed_apps/huge_manifest.zip | Bin 0 -> 31397 bytes .../ssl/tests/unit/test_signed_apps/moz.build | 78 + .../test_signed_apps/only_cose_multiple_signed.zip | Bin 0 -> 2107 bytes .../unit/test_signed_apps/only_cose_signed.zip | Bin 0 -> 1563 bytes .../unit/test_signed_apps/unknown_issuer_app.zip | Bin 0 -> 2256 bytes .../tests/unit/test_signed_apps/unsigned_app.zip | Bin 0 -> 510 bytes .../unit/test_signed_apps/validity_expired.zip | Bin 0 -> 3394 bytes .../test_signed_apps/validity_not_yet_valid.zip | Bin 0 -> 3393 bytes .../unit/test_signed_apps/xpcshellTestRoot.der | Bin 0 -> 794 bytes .../test_signed_apps/xpcshellTestRoot.pem.certspec | 6 + security/manager/ssl/tests/unit/test_ssl_status.js | 75 + .../manager/ssl/tests/unit/test_sss_enumerate.js | 79 + .../manager/ssl/tests/unit/test_sss_eviction.js | 88 + .../ssl/tests/unit/test_sss_originAttributes.js | 99 + .../manager/ssl/tests/unit/test_sss_readstate.js | 123 + .../ssl/tests/unit/test_sss_readstate_empty.js | 50 + .../ssl/tests/unit/test_sss_readstate_garbage.js | 95 + .../ssl/tests/unit/test_sss_readstate_huge.js | 80 + .../manager/ssl/tests/unit/test_sss_resetState.js | 62 + .../ssl/tests/unit/test_sss_sanitizeOnShutdown.js | 69 + .../manager/ssl/tests/unit/test_sss_savestate.js | 126 + security/manager/ssl/tests/unit/test_sts_fqdn.js | 40 + .../manager/ssl/tests/unit/test_sts_ipv4_ipv6.js | 55 + security/manager/ssl/tests/unit/test_sts_parser.js | 123 + .../tests/unit/test_sts_preloadlist_perwindowpb.js | 266 + .../unit/test_sts_preloadlist_selfdestruct.js | 22 + 
security/manager/ssl/tests/unit/test_validity.js | 106 + .../ev_ee_27_months-ev_int_60_months-evroot.pem | 21 + ..._27_months-ev_int_60_months-evroot.pem.certspec | 5 + .../ev_ee_28_months-ev_int_60_months-evroot.pem | 21 + ..._28_months-ev_int_60_months-evroot.pem.certspec | 5 + .../unit/test_validity/ev_int_60_months-evroot.key | 28 + .../ev_int_60_months-evroot.key.keyspec | 1 + .../unit/test_validity/ev_int_60_months-evroot.pem | 20 + .../ev_int_60_months-evroot.pem.certspec | 8 + .../ssl/tests/unit/test_validity/evroot.key | 28 + .../tests/unit/test_validity/evroot.key.keyspec | 1 + .../ssl/tests/unit/test_validity/evroot.pem | 18 + .../tests/unit/test_validity/evroot.pem.certspec | 7 + security/manager/ssl/tests/unit/test_x509.js | 142 + .../unit/tlsserver/cmd/BadCertAndPinningServer.cpp | 141 + .../tlsserver/cmd/DelegatedCredentialsServer.cpp | 142 + .../tlsserver/cmd/EncryptedClientHelloServer.cpp | 178 + .../ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp | 206 + .../unit/tlsserver/cmd/GenerateOCSPResponse.cpp | 168 + .../unit/tlsserver/cmd/OCSPStaplingServer.cpp | 153 + .../unit/tlsserver/cmd/SanctionsTestServer.cpp | 87 + .../manager/ssl/tests/unit/tlsserver/cmd/moz.build | 45 + .../ssl/tests/unit/tlsserver/default-ee.der | 3 + .../ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp | 204 + .../ssl/tests/unit/tlsserver/lib/OCSPCommon.h | 66 + .../ssl/tests/unit/tlsserver/lib/TLSServer.cpp | 694 + .../ssl/tests/unit/tlsserver/lib/TLSServer.h | 93 + .../manager/ssl/tests/unit/tlsserver/lib/moz.build | 50 + .../manager/ssl/tests/unit/tlsserver/moz.build | 8 + .../manager/ssl/tests/unit/xpcshell-smartcards.ini | 17 + security/manager/ssl/tests/unit/xpcshell.ini | 242 + security/manager/tools/.eslintrc.js | 13 + security/manager/tools/KnownRootHashes.json | 1263 + security/manager/tools/PreloadedHPKPins.json | 214 + .../crtshToIdentifyingStruct.py | 156 + .../crtshToIdentifyingStruct/requirements.txt | 4 + security/manager/tools/dumpGoogleRoots.js | 96 + 
security/manager/tools/genRootCAHashes.js | 274 + security/manager/tools/getCTKnownLogs.py | 333 + security/manager/tools/log_list.json | 128 + security/manager/tools/mach_commands.py | 104 + security/manager/tools/pycert.py | 814 + security/manager/tools/pycms.py | 219 + security/manager/tools/pyct.py | 103 + security/manager/tools/pykey.py | 959 + 1410 files changed, 248669 insertions(+) create mode 100644 security/manager/android_stub.h create mode 100644 security/manager/locales/en-US/chrome/pipnss/nsserrors.properties create mode 100644 security/manager/locales/en-US/chrome/pipnss/pipnss.properties create mode 100644 security/manager/locales/en-US/chrome/pippki/pippki.properties create mode 100644 security/manager/locales/en-US/security/certificates/certManager.ftl create mode 100644 security/manager/locales/en-US/security/certificates/deviceManager.ftl create mode 100644 security/manager/locales/en-US/security/pippki/pippki.ftl create mode 100644 security/manager/locales/jar.mn create mode 100644 security/manager/locales/moz.build create mode 100644 security/manager/moz.build create mode 100644 security/manager/pki/components.conf create mode 100644 security/manager/pki/moz.build create mode 100644 security/manager/pki/nsIASN1Tree.idl create mode 100644 security/manager/pki/nsNSSDialogHelper.cpp create mode 100644 security/manager/pki/nsNSSDialogHelper.h create mode 100644 security/manager/pki/nsNSSDialogs.cpp create mode 100644 security/manager/pki/nsNSSDialogs.h create mode 100644 security/manager/pki/resources/content/certManager.css create mode 100644 security/manager/pki/resources/content/certManager.js create mode 100644 security/manager/pki/resources/content/certManager.xhtml create mode 100644 security/manager/pki/resources/content/changepassword.js create mode 100644 security/manager/pki/resources/content/changepassword.xhtml create mode 100644 security/manager/pki/resources/content/clientauthask.js create mode 100644 
security/manager/pki/resources/content/clientauthask.xhtml create mode 100644 security/manager/pki/resources/content/deletecert.js create mode 100644 security/manager/pki/resources/content/deletecert.xhtml create mode 100644 security/manager/pki/resources/content/device_manager.js create mode 100644 security/manager/pki/resources/content/device_manager.xhtml create mode 100644 security/manager/pki/resources/content/downloadcert.js create mode 100644 security/manager/pki/resources/content/downloadcert.xhtml create mode 100644 security/manager/pki/resources/content/editcacert.js create mode 100644 security/manager/pki/resources/content/editcacert.xhtml create mode 100644 security/manager/pki/resources/content/exceptionDialog.css create mode 100644 security/manager/pki/resources/content/exceptionDialog.js create mode 100644 security/manager/pki/resources/content/exceptionDialog.xhtml create mode 100644 security/manager/pki/resources/content/load_device.js create mode 100644 security/manager/pki/resources/content/load_device.xhtml create mode 100644 security/manager/pki/resources/content/pippki.js create mode 100644 security/manager/pki/resources/content/resetpassword.js create mode 100644 security/manager/pki/resources/content/resetpassword.xhtml create mode 100644 security/manager/pki/resources/content/setp12password.js create mode 100644 security/manager/pki/resources/content/setp12password.xhtml create mode 100644 security/manager/pki/resources/jar.mn create mode 100644 security/manager/pki/resources/moz.build create mode 100644 security/manager/ssl/AppSignatureVerification.cpp create mode 100644 security/manager/ssl/AppTrustDomain.cpp create mode 100644 security/manager/ssl/AppTrustDomain.h create mode 100644 security/manager/ssl/CertStorageMemoryReporting.cpp create mode 100644 security/manager/ssl/CommonSocketControl.cpp create mode 100644 security/manager/ssl/CommonSocketControl.h create mode 100644 security/manager/ssl/ContentSignatureVerifier.cpp create mode 
100644 security/manager/ssl/ContentSignatureVerifier.h create mode 100644 security/manager/ssl/CredentialManagerSecret.cpp create mode 100644 security/manager/ssl/CredentialManagerSecret.h create mode 100644 security/manager/ssl/CryptoTask.cpp create mode 100644 security/manager/ssl/CryptoTask.h create mode 100644 security/manager/ssl/DER.jsm create mode 100644 security/manager/ssl/DataStorage.cpp create mode 100644 security/manager/ssl/DataStorage.h create mode 100644 security/manager/ssl/DataStorageIPCUtils.h create mode 100644 security/manager/ssl/DataStorageList.h create mode 100644 security/manager/ssl/EnterpriseRoots.cpp create mode 100644 security/manager/ssl/EnterpriseRoots.h create mode 100644 security/manager/ssl/IPCClientCertsChild.cpp create mode 100644 security/manager/ssl/IPCClientCertsChild.h create mode 100644 security/manager/ssl/IPCClientCertsParent.cpp create mode 100644 security/manager/ssl/IPCClientCertsParent.h create mode 100644 security/manager/ssl/KeychainSecret.cpp create mode 100644 security/manager/ssl/KeychainSecret.h create mode 100644 security/manager/ssl/LibSecret.cpp create mode 100644 security/manager/ssl/LibSecret.h create mode 100644 security/manager/ssl/NSSErrorsService.cpp create mode 100644 security/manager/ssl/NSSErrorsService.h create mode 100644 security/manager/ssl/NSSKeyStore.cpp create mode 100644 security/manager/ssl/NSSKeyStore.h create mode 100644 security/manager/ssl/NSSSocketControl.cpp create mode 100644 security/manager/ssl/NSSSocketControl.h create mode 100644 security/manager/ssl/OSKeyStore.cpp create mode 100644 security/manager/ssl/OSKeyStore.h create mode 100644 security/manager/ssl/OSReauthenticator.cpp create mode 100644 security/manager/ssl/OSReauthenticator.h create mode 100644 security/manager/ssl/OSReauthenticatorDarwin.mm create mode 100644 security/manager/ssl/PIPCClientCerts.ipdl create mode 100644 security/manager/ssl/PKCS11ModuleDB.cpp create mode 100644 security/manager/ssl/PKCS11ModuleDB.h create 
mode 100644 security/manager/ssl/PSMIPCTypes.ipdlh create mode 100644 security/manager/ssl/PSMRunnable.cpp create mode 100644 security/manager/ssl/PSMRunnable.h create mode 100644 security/manager/ssl/PSelectTLSClientAuthCert.ipdl create mode 100644 security/manager/ssl/PVerifySSLServerCert.ipdl create mode 100644 security/manager/ssl/PublicKeyPinningService.cpp create mode 100644 security/manager/ssl/PublicKeyPinningService.h create mode 100644 security/manager/ssl/PublicSSL.h create mode 100644 security/manager/ssl/RemoteSecuritySettings.jsm create mode 100644 security/manager/ssl/RootCertificateTelemetryUtils.cpp create mode 100644 security/manager/ssl/RootCertificateTelemetryUtils.h create mode 100644 security/manager/ssl/RootHashes.inc create mode 100644 security/manager/ssl/SSLServerCertVerification.cpp create mode 100644 security/manager/ssl/SSLServerCertVerification.h create mode 100644 security/manager/ssl/ScopedNSSTypes.h create mode 100644 security/manager/ssl/SecretDecoderRing.cpp create mode 100644 security/manager/ssl/SecretDecoderRing.h create mode 100644 security/manager/ssl/SelectTLSClientAuthCertChild.h create mode 100644 security/manager/ssl/SelectTLSClientAuthCertParent.h create mode 100644 security/manager/ssl/SharedCertVerifier.h create mode 100644 security/manager/ssl/SharedSSLState.cpp create mode 100644 security/manager/ssl/SharedSSLState.h create mode 100644 security/manager/ssl/StaticHPKPins.errors create mode 100644 security/manager/ssl/StaticHPKPins.h create mode 100644 security/manager/ssl/TLSClientAuthCertSelection.cpp create mode 100644 security/manager/ssl/TLSClientAuthCertSelection.h create mode 100644 security/manager/ssl/TransportSecurityInfo.cpp create mode 100644 security/manager/ssl/TransportSecurityInfo.h create mode 100644 security/manager/ssl/VerifySSLServerCertChild.cpp create mode 100644 security/manager/ssl/VerifySSLServerCertChild.h create mode 100644 security/manager/ssl/VerifySSLServerCertParent.cpp create mode 100644 
security/manager/ssl/VerifySSLServerCertParent.h create mode 100644 security/manager/ssl/X509.jsm create mode 100644 security/manager/ssl/X509CertValidity.cpp create mode 100644 security/manager/ssl/X509CertValidity.h create mode 100644 security/manager/ssl/addons-public-intermediate.crt create mode 100644 security/manager/ssl/addons-public.crt create mode 100644 security/manager/ssl/addons-stage.crt create mode 100644 security/manager/ssl/builtins/Cargo.toml create mode 100644 security/manager/ssl/builtins/build.rs create mode 100644 security/manager/ssl/builtins/dynamic-library/builtins.symbols create mode 100644 security/manager/ssl/builtins/dynamic-library/moz.build create mode 100644 security/manager/ssl/builtins/dynamic-library/stub.c create mode 100644 security/manager/ssl/builtins/dynamic-library/stub.cpp create mode 100644 security/manager/ssl/builtins/moz.build create mode 100644 security/manager/ssl/builtins/src/certdata.rs create mode 100644 security/manager/ssl/builtins/src/internal.rs create mode 100644 security/manager/ssl/builtins/src/lib.rs create mode 100644 security/manager/ssl/builtins/src/pkcs11.rs create mode 100644 security/manager/ssl/builtins/src/version.rs create mode 100644 security/manager/ssl/cert_storage/Cargo.toml create mode 100644 security/manager/ssl/cert_storage/src/cert_storage.h create mode 100644 security/manager/ssl/cert_storage/src/lib.rs create mode 100644 security/manager/ssl/components.conf create mode 100644 security/manager/ssl/content-signature-local.crt create mode 100644 security/manager/ssl/content-signature-prod.crt create mode 100644 security/manager/ssl/content-signature-stage.crt create mode 100644 security/manager/ssl/crashtests/398665-1.html create mode 100644 security/manager/ssl/crashtests/crashtests.list create mode 100644 security/manager/ssl/gen_cert_header.py create mode 100644 security/manager/ssl/ipcclientcerts/Cargo.toml create mode 100644 
security/manager/ssl/ipcclientcerts/dynamic-library/ipcclientcerts.symbols create mode 100644 security/manager/ssl/ipcclientcerts/dynamic-library/moz.build create mode 100644 security/manager/ssl/ipcclientcerts/dynamic-library/stub.c create mode 100644 security/manager/ssl/ipcclientcerts/dynamic-library/stub.cpp create mode 100644 security/manager/ssl/ipcclientcerts/moz.build create mode 100644 security/manager/ssl/ipcclientcerts/src/backend.rs create mode 100644 security/manager/ssl/ipcclientcerts/src/lib.rs create mode 100644 security/manager/ssl/md4.c create mode 100644 security/manager/ssl/md4.h create mode 100644 security/manager/ssl/moz.build create mode 100644 security/manager/ssl/nsCertOverrideService.cpp create mode 100644 security/manager/ssl/nsCertOverrideService.h create mode 100644 security/manager/ssl/nsCertTree.cpp create mode 100644 security/manager/ssl/nsCertTree.h create mode 100644 security/manager/ssl/nsClientAuthRemember.cpp create mode 100644 security/manager/ssl/nsClientAuthRemember.h create mode 100644 security/manager/ssl/nsCryptoHash.cpp create mode 100644 security/manager/ssl/nsCryptoHash.h create mode 100644 security/manager/ssl/nsICertOverrideService.idl create mode 100644 security/manager/ssl/nsICertStorage.idl create mode 100644 security/manager/ssl/nsICertTree.idl create mode 100644 security/manager/ssl/nsICertificateDialogs.idl create mode 100644 security/manager/ssl/nsIClientAuthDialogs.idl create mode 100644 security/manager/ssl/nsIClientAuthRememberService.idl create mode 100644 security/manager/ssl/nsIContentSignatureVerifier.idl create mode 100644 security/manager/ssl/nsICryptoHash.idl create mode 100644 security/manager/ssl/nsINSSComponent.idl create mode 100644 security/manager/ssl/nsINSSErrorsService.idl create mode 100644 security/manager/ssl/nsINSSVersion.idl create mode 100644 security/manager/ssl/nsIOSKeyStore.idl create mode 100644 security/manager/ssl/nsIOSReauthenticator.idl create mode 100644 
security/manager/ssl/nsIPK11Token.idl create mode 100644 security/manager/ssl/nsIPK11TokenDB.idl create mode 100644 security/manager/ssl/nsIPKCS11Module.idl create mode 100644 security/manager/ssl/nsIPKCS11ModuleDB.idl create mode 100644 security/manager/ssl/nsIPKCS11Slot.idl create mode 100644 security/manager/ssl/nsIPublicKeyPinningService.idl create mode 100644 security/manager/ssl/nsISecretDecoderRing.idl create mode 100644 security/manager/ssl/nsISecurityUITelemetry.idl create mode 100644 security/manager/ssl/nsISiteSecurityService.idl create mode 100644 security/manager/ssl/nsITLSSocketControl.idl create mode 100644 security/manager/ssl/nsITokenPasswordDialogs.idl create mode 100644 security/manager/ssl/nsITransportSecurityInfo.idl create mode 100644 security/manager/ssl/nsIX509Cert.idl create mode 100644 security/manager/ssl/nsIX509CertDB.idl create mode 100644 security/manager/ssl/nsIX509CertValidity.idl create mode 100644 security/manager/ssl/nsNSSCallbacks.cpp create mode 100644 security/manager/ssl/nsNSSCallbacks.h create mode 100644 security/manager/ssl/nsNSSCertHelper.cpp create mode 100644 security/manager/ssl/nsNSSCertHelper.h create mode 100644 security/manager/ssl/nsNSSCertTrust.cpp create mode 100644 security/manager/ssl/nsNSSCertTrust.h create mode 100644 security/manager/ssl/nsNSSCertificate.cpp create mode 100644 security/manager/ssl/nsNSSCertificate.h create mode 100644 security/manager/ssl/nsNSSCertificateDB.cpp create mode 100644 security/manager/ssl/nsNSSCertificateDB.h create mode 100644 security/manager/ssl/nsNSSComponent.cpp create mode 100644 security/manager/ssl/nsNSSComponent.h create mode 100644 security/manager/ssl/nsNSSHelper.h create mode 100644 security/manager/ssl/nsNSSIOLayer.cpp create mode 100644 security/manager/ssl/nsNSSIOLayer.h create mode 100644 security/manager/ssl/nsNSSModule.cpp create mode 100644 security/manager/ssl/nsNSSModule.h create mode 100644 security/manager/ssl/nsNSSVersion.cpp create mode 100644 
security/manager/ssl/nsNSSVersion.h create mode 100644 security/manager/ssl/nsNTLMAuthModule.cpp create mode 100644 security/manager/ssl/nsNTLMAuthModule.h create mode 100644 security/manager/ssl/nsPK11TokenDB.cpp create mode 100644 security/manager/ssl/nsPK11TokenDB.h create mode 100644 security/manager/ssl/nsPKCS11Slot.cpp create mode 100644 security/manager/ssl/nsPKCS11Slot.h create mode 100644 security/manager/ssl/nsPKCS12Blob.cpp create mode 100644 security/manager/ssl/nsPKCS12Blob.h create mode 100644 security/manager/ssl/nsRandomGenerator.cpp create mode 100644 security/manager/ssl/nsRandomGenerator.h create mode 100644 security/manager/ssl/nsSSLSocketProvider.cpp create mode 100644 security/manager/ssl/nsSSLSocketProvider.h create mode 100644 security/manager/ssl/nsSTSPreloadList.inc create mode 100644 security/manager/ssl/nsSecureBrowserUI.cpp create mode 100644 security/manager/ssl/nsSecureBrowserUI.h create mode 100644 security/manager/ssl/nsSecurityHeaderParser.cpp create mode 100644 security/manager/ssl/nsSecurityHeaderParser.h create mode 100644 security/manager/ssl/nsSiteSecurityService.cpp create mode 100644 security/manager/ssl/nsSiteSecurityService.h create mode 100644 security/manager/ssl/nsTLSSocketProvider.cpp create mode 100644 security/manager/ssl/nsTLSSocketProvider.h create mode 100644 security/manager/ssl/nsVerificationJob.h create mode 100644 security/manager/ssl/osclientcerts/Cargo.toml create mode 100644 security/manager/ssl/osclientcerts/dynamic-library/moz.build create mode 100644 security/manager/ssl/osclientcerts/dynamic-library/osclientcerts.symbols create mode 100644 security/manager/ssl/osclientcerts/dynamic-library/stub.cpp create mode 100644 security/manager/ssl/osclientcerts/moz.build create mode 100644 security/manager/ssl/osclientcerts/src/backend_macos.rs create mode 100644 security/manager/ssl/osclientcerts/src/backend_windows.rs create mode 100644 security/manager/ssl/osclientcerts/src/bindings_macos.rs create mode 100644 
security/manager/ssl/osclientcerts/src/lib.rs create mode 100644 security/manager/ssl/osclientcerts/test/certificate.bin create mode 100644 security/manager/ssl/osclientcerts/test/modulus.bin create mode 100644 security/manager/ssl/osclientcerts/test/rsa.bin create mode 100644 security/manager/ssl/rsclientcerts/Cargo.toml create mode 100644 security/manager/ssl/rsclientcerts/src/error.rs create mode 100644 security/manager/ssl/rsclientcerts/src/lib.rs create mode 100644 security/manager/ssl/rsclientcerts/src/manager.rs create mode 100644 security/manager/ssl/rsclientcerts/src/util.rs create mode 100644 security/manager/ssl/rsclientcerts/test/certificate.bin create mode 100644 security/manager/ssl/rsclientcerts/test/modulus.bin create mode 100644 security/manager/ssl/rsclientcerts/test/rsa.bin create mode 100644 security/manager/ssl/tests/.eslintrc.js create mode 100644 security/manager/ssl/tests/gtest/CertDBTest.cpp create mode 100644 security/manager/ssl/tests/gtest/CoseTest.cpp create mode 100644 security/manager/ssl/tests/gtest/DataStorageTest.cpp create mode 100644 security/manager/ssl/tests/gtest/DeserializeCertTest.cpp create mode 100644 security/manager/ssl/tests/gtest/HMACTest.cpp create mode 100644 security/manager/ssl/tests/gtest/MD4Test.cpp create mode 100644 security/manager/ssl/tests/gtest/OCSPCacheTest.cpp create mode 100644 security/manager/ssl/tests/gtest/README.txt create mode 100644 security/manager/ssl/tests/gtest/TLSIntoleranceTest.cpp create mode 100644 security/manager/ssl/tests/gtest/moz.build create mode 100644 security/manager/ssl/tests/mochitest/browser/browser.ini create mode 100644 security/manager/ssl/tests/mochitest/browser/browser_HSTS.js create mode 100644 security/manager/ssl/tests/mochitest/browser/browser_add_exception_dialog.js create mode 100644 security/manager/ssl/tests/mochitest/browser/browser_bug627234_perwindowpb.js create mode 100644 security/manager/ssl/tests/mochitest/browser/browser_certViewer.js create mode 100644 
security/manager/ssl/tests/mochitest/browser/browser_certificateManager.js create mode 100644 security/manager/ssl/tests/mochitest/browser/browser_clientAuthRememberService.js create mode 100644 security/manager/ssl/tests/mochitest/browser/browser_clientAuth_connection.js create mode 100644 security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js create mode 100644 security/manager/ssl/tests/mochitest/browser/browser_deleteCert_ui.js create mode 100644 security/manager/ssl/tests/mochitest/browser/browser_downloadCert_ui.js create mode 100644 security/manager/ssl/tests/mochitest/browser/browser_editCACertTrust.js create mode 100644 security/manager/ssl/tests/mochitest/browser/browser_exportP12_passwordUI.js create mode 100644 security/manager/ssl/tests/mochitest/browser/browser_loadPKCS11Module_ui.js create mode 100644 security/manager/ssl/tests/mochitest/browser/ca.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/ca.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/client-cert-via-intermediate.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/client-cert-with-ocsp-signing.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/code-ee.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/code-ee.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/ee-from-expired-ca.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/ee-from-untrusted-ca.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/email-ee.pem create 
mode 100644 security/manager/ssl/tests/mochitest/browser/email-ee.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/expired-ca.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/expired-ca.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/has-cn.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/has-cn.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/has-empty-subject.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/has-non-empty-subject.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/has-o.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/has-o.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/has-ou.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/has-ou.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/head.js create mode 100644 security/manager/ssl/tests/mochitest/browser/hsts_headers.sjs create mode 100644 security/manager/ssl/tests/mochitest/browser/hsts_headers_framed.html create mode 100644 security/manager/ssl/tests/mochitest/browser/intermediate.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/invalid.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/invalid.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/longOID.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/longOID.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/md5-ee.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/md5-ee.pem.certspec create mode 
100644 security/manager/ssl/tests/mochitest/browser/moz.build create mode 100644 security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/revoked.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/revoked.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/some_content.html create mode 100644 security/manager/ssl/tests/mochitest/browser/some_content_framed.html create mode 100644 security/manager/ssl/tests/mochitest/browser/ssl-ee.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/ssl-ee.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem create mode 100644 security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem.certspec create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/alloworigin.sjs create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/backward.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/bug329869.js create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/bug383369step2.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/bug383369step3.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/download.auto create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/download.auto^headers^ create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/emptyimage.sjs create mode 100644 
security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/iframe.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/iframe2.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/iframeMetaRedirect.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/iframesecredirect.sjs create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/imgsecredirect.sjs create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/mixedContentTest.js create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/mochitest.ini create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/moz.build create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/nocontent.sjs create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/redirecttoemptyimage.sjs create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_bug329869.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_bug383369.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_bug455367.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_bug472986.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_bug477118.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_bug521461.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_cssBefore1.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent1.html create 
mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent2.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite1.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite2.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecurePicture.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecureXHR.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureBackground.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureIframeRedirect.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicture.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicturePreload.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureRedirect.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlDelayedUnsecurePicture.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlUnsecurePicture.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_javascriptPicture.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_secureAll.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_securePicture.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureBackground.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureCSS.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe2.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeMetaRedirect.html create mode 100644 
security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeRedirect.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePicture.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureDup.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureInIframe.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureRedirect.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/unsecureIframe.html create mode 100644 security/manager/ssl/tests/mochitest/mixedcontent/unsecurePictureDup.html create mode 100644 security/manager/ssl/tests/mochitest/moz.build create mode 100644 security/manager/ssl/tests/moz.build create mode 100644 security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/default-ee.key create mode 100644 security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec create 
mode 100644 security/manager/ssl/tests/unit/bad_certs/default-ee.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/ev-test.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/evroot.key create mode 100644 security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/evroot.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/expired-ee.pem create mode 100644 
security/manager/ssl/tests/unit/bad_certs/expired-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/expiredINT.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/expiredINT.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key create mode 100644 security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key.keyspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/md5signature.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/md5signature.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem.certspec create 
mode 100644 security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/mismatch.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/mismatch.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/mitm.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/mitm.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/noValidNames.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/noValidNames.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/notYetValid.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/notYetValid.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem create mode 100644 
security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/other-test-ca.key create mode 100644 security/manager/ssl/tests/unit/bad_certs/other-test-ca.key.keyspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/selfsigned.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/selfsigned.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/test-ca.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/test-ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/test-int.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/test-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem.certspec create mode 100644 security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem.certspec create mode 100644 
security/manager/ssl/tests/unit/bad_certs/v1Cert.pem create mode 100644 security/manager/ssl/tests/unit/bad_certs/v1Cert.pem.certspec create mode 100644 security/manager/ssl/tests/unit/corrupted_crlite_helper.js create mode 100755 security/manager/ssl/tests/unit/crlite_enrollment_id.py create mode 100755 security/manager/ssl/tests/unit/crlite_key.py create mode 100644 security/manager/ssl/tests/unit/head_psm.js create mode 100644 security/manager/ssl/tests/unit/moz.build create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem.certspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/default-ee.key create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/default-ee.key.keyspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem.certspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem.certspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem.certspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem.certspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem.certspec 
create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem.certspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem.certspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem.certspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key.keyspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key create mode 100644 
security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key.keyspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem.certspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/test-int.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/test-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem create mode 100644 security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/pkcs11testmodule/moz.build create mode 100644 security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.cpp create mode 100644 security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.symbols create mode 100644 security/manager/ssl/tests/unit/requirements.txt create mode 100755 security/manager/ssl/tests/unit/sign_app.py create mode 100644 security/manager/ssl/tests/unit/test_add_preexisting_cert.js create mode 100644 security/manager/ssl/tests/unit/test_allow_all_cert_errors.js create mode 100644 security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem create mode 100644 security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem create mode 100644 security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem.certspec create mode 100644 
security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem create mode 100644 security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem create mode 100644 security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem create mode 100644 security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem create mode 100644 security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem create mode 100644 security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js create mode 100644 security/manager/ssl/tests/unit/test_blocklist_onecrl.js create mode 100644 security/manager/ssl/tests/unit/test_broken_fips.js create mode 100644 security/manager/ssl/tests/unit/test_broken_fips/key4.db create mode 100644 security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt create mode 100644 security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js create mode 100644 security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js create mode 100644 security/manager/ssl/tests/unit/test_certDB_import.js create mode 100644 security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfx create mode 100644 security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfx create mode 100644 
security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfx create mode 100644 security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem create mode 100644 security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12 create mode 100644 security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem create mode 100644 security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js create mode 100644 security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js create mode 100644 security/manager/ssl/tests/unit/test_cert_chains.js create mode 100644 security/manager/ssl/tests/unit/test_cert_dbKey.js create mode 100644 security/manager/ssl/tests/unit/test_cert_eku.js create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem create mode 100644 
security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem.certspec create mode 
100644 security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_embedded_null.js create mode 100644 security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_expiration_canary.js create 
mode 100644 security/manager/ssl/tests/unit/test_cert_isBuiltInRoot.js create mode 100644 security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload.js create mode 100644 security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/cert9.db create mode 100644 security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/key4.db create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage.js create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem create mode 100644 
security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem create mode 100644 
security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_override_read.js create mode 100644 security/manager/ssl/tests/unit/test_cert_overrides.js create mode 100644 security/manager/ssl/tests/unit/test_cert_overrides_read_only.js create mode 100644 security/manager/ssl/tests/unit/test_cert_overrides_read_only/cert9.db create mode 100644 security/manager/ssl/tests/unit/test_cert_overrides_read_only/key4.db create mode 100644 security/manager/ssl/tests/unit/test_cert_sha1.js create mode 100644 security/manager/ssl/tests/unit/test_cert_sha1/ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_sha1/ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_signatures.js create mode 100644 security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem create mode 100644 
security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_storage.js create mode 100644 security/manager/ssl/tests/unit/test_cert_storage_broken_db.js create mode 100644 security/manager/ssl/tests/unit/test_cert_storage_direct.js create mode 100644 security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert-issuer.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_storage_direct/test-filter.crlite create mode 100644 security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert-issuer.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_storage_preexisting.js create 
mode 100644 security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.mdb create mode 100644 security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.safe.bin create mode 100644 security/manager/ssl/tests/unit/test_cert_storage_preexisting/lock.mdb create mode 100644 security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite.js create mode 100644 security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.coverage create mode 100644 security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.enrollment create mode 100644 security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.filter create mode 100644 security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/data.safe.bin create mode 100644 security/manager/ssl/tests/unit/test_cert_trust.js create mode 100644 security/manager/ssl/tests/unit/test_cert_trust/ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_trust/ee.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_trust/int.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_utf8.js create mode 100644 security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version.js create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem.certspec create 
mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem create mode 100644 
security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem.certspec create mode 100644 
security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem.certspec create mode 100755 security/manager/ssl/tests/unit/test_cert_version/generate.py create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem.certspec create mode 100644 
security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem.certspec 
create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem create mode 100644 security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_constructX509FromBase64.js create mode 100644 security/manager/ssl/tests/unit/test_content_signing.js create mode 100644 security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem create mode 100644 security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem create mode 100644 security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem create mode 100644 security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem create mode 100644 security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem.certspec create mode 100644 
security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem create mode 100644 security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem create mode 100644 security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem create mode 100644 security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem create mode 100644 security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_content_signing/pysign.py create mode 100644 security/manager/ssl/tests/unit/test_content_signing/test.txt create mode 100644 security/manager/ssl/tests/unit/test_content_signing/test.txt.signature create mode 100644 security/manager/ssl/tests/unit/test_crlite_corrupted/bad.stash create mode 100644 security/manager/ssl/tests/unit/test_crlite_corrupted/hash-alg-0.filter create mode 100644 security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-issuer-id.enrollment create mode 100644 security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-log-id.coverage create mode 100644 security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-max-timestamp.coverage create mode 100644 security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-min-timestamp.coverage create mode 100644 security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.coverage create mode 100644 security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.enrollment create mode 100644 
security/manager/ssl/tests/unit/test_crlite_coverage_missing.js create mode 100644 security/manager/ssl/tests/unit/test_crlite_coverage_trunc1.js create mode 100644 security/manager/ssl/tests/unit/test_crlite_coverage_trunc2.js create mode 100644 security/manager/ssl/tests/unit/test_crlite_coverage_trunc3.js create mode 100644 security/manager/ssl/tests/unit/test_crlite_coverage_version.js create mode 100644 security/manager/ssl/tests/unit/test_crlite_enrollment_trunc1.js create mode 100644 security/manager/ssl/tests/unit/test_crlite_enrollment_version.js create mode 100644 security/manager/ssl/tests/unit/test_crlite_filter_corrupted.js create mode 100644 security/manager/ssl/tests/unit/test_crlite_filters.js create mode 100644 security/manager/ssl/tests/unit/test_crlite_filters/20201017-0-filter create mode 100644 security/manager/ssl/tests/unit/test_crlite_filters/20201017-1-filter.stash create mode 100644 security/manager/ssl/tests/unit/test_crlite_filters/20201201-3-filter.stash create mode 100644 security/manager/ssl/tests/unit/test_crlite_filters/issuer.pem create mode 100644 security/manager/ssl/tests/unit/test_crlite_filters/no-sct-issuer.pem create mode 100644 security/manager/ssl/tests/unit/test_crlite_filters/no-sct.pem create mode 100644 security/manager/ssl/tests/unit/test_crlite_filters/notcovered.pem create mode 100644 security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash-2.pem create mode 100644 security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash.pem create mode 100644 security/manager/ssl/tests/unit/test_crlite_filters/revoked.pem create mode 100644 security/manager/ssl/tests/unit/test_crlite_filters/valid.pem create mode 100644 security/manager/ssl/tests/unit/test_crlite_preexisting.js create mode 100644 security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.coverage create mode 100644 security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.enrollment create mode 100644 
security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.stash create mode 100644 security/manager/ssl/tests/unit/test_crlite_stash_corrupted.js create mode 100644 security/manager/ssl/tests/unit/test_ct.js create mode 100644 security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem create mode 100644 security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem create mode 100644 security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ct/default-ee.key create mode 100644 security/manager/ssl/tests/unit/test_ct/default-ee.key.keyspec create mode 100644 security/manager/ssl/tests/unit/test_ct/default-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_ct/default-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ct/test-ca.pem create mode 100644 security/manager/ssl/tests/unit/test_ct/test-ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_db_format_pref_new.js create mode 100644 security/manager/ssl/tests/unit/test_delegated_credentials.js create mode 100644 security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key create mode 100644 security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key.keyspec create mode 100644 security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key create mode 100644 security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec 
create mode 100644 security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem create mode 100644 security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem create mode 100644 security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_der.js create mode 100644 security/manager/ssl/tests/unit/test_encrypted_client_hello.js create mode 100644 security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key create mode 100644 security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key.keyspec create mode 100644 security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key create mode 100644 security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key.keyspec create mode 100644 security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem create mode 100644 security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem create mode 100644 security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_encrypted_client_hello_client_only.js create mode 100644 security/manager/ssl/tests/unit/test_enterprise_roots.js create mode 100644 security/manager/ssl/tests/unit/test_ev_certs.js create mode 100644 
security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem create mode 100644 
security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/evroot.key create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/evroot.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem 
create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec create mode 100644 security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem create mode 100644 
security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_faulty_server/default-ee.key create mode 100644 security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec create mode 100644 security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key create mode 100644 security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec create mode 100644 security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem create mode 100644 security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_faulty_server/test-int.pem create mode 100644 security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js create mode 100644 security/manager/ssl/tests/unit/test_hash_algorithms.js create mode 100644 security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem.certspec create mode 100644 
security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem.certspec create 
mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem.certspec create mode 
100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_preloads.js create mode 100644 security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key create mode 100644 security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key.keyspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem create mode 100644 
security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem create mode 100644 security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize.js create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem.certspec create mode 100644 
security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem.certspec create mode 100644 
security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem create mode 100644 
security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev.js create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem.certspec create mode 100644 
security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key.keyspec create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key.keyspec create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key.keyspec create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/evroot.key create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/evroot.key.keyspec create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem create mode 100644 security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_logoutAndTeardown.js create mode 100644 security/manager/ssl/tests/unit/test_missing_intermediate.js create mode 100644 security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem create mode 100644 
security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_name_constraints.js create mode 100644 security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem create mode 100644 security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem create mode 100644 security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem create mode 100644 security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_name_constraints/dciss.pem create mode 100644 security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem create mode 100644 security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem create mode 100644 security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem create mode 100644 security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem create mode 100644 security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem create mode 100644 
security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_nonascii_path.js create mode 100644 security/manager/ssl/tests/unit/test_nsCertType.js create mode 100644 security/manager/ssl/tests/unit/test_nsIX509CertValidity.js create mode 100644 security/manager/ssl/tests/unit/test_nsIX509Cert_utf8.js create mode 100644 security/manager/ssl/tests/unit/test_ocsp_caching.js create mode 100644 security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js create mode 100644 security/manager/ssl/tests/unit/test_ocsp_must_staple.js create mode 100644 security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js create mode 100644 security/manager/ssl/tests/unit/test_ocsp_private_caching.js create mode 100644 security/manager/ssl/tests/unit/test_ocsp_required.js create mode 100644 security/manager/ssl/tests/unit/test_ocsp_stapling.js create mode 100644 security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js create mode 100644 security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js create mode 100644 security/manager/ssl/tests/unit/test_ocsp_timeout.js create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url.js create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/ca.pem create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem create mode 100644 
security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/int.key create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/int.key.keyspec create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/int.pem create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/int.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem create mode 100644 security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem create mode 100644 
security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem create mode 100644 security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem create mode 100644 security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem create mode 100644 security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_onecrl/sample_revocations.txt create mode 100644 security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_osclientcerts_module.js create mode 100644 security/manager/ssl/tests/unit/test_oskeystore.js create mode 100644 security/manager/ssl/tests/unit/test_osreauthenticator.js create mode 100644 security/manager/ssl/tests/unit/test_password_prompt.js create mode 100644 security/manager/ssl/tests/unit/test_pinning.js create mode 100644 security/manager/ssl/tests/unit/test_pkcs11_module.js create mode 100644 security/manager/ssl/tests/unit/test_pkcs11_moduleDB.js create mode 100644 security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js create mode 100644 security/manager/ssl/tests/unit/test_pkcs11_slot.js create mode 100644 security/manager/ssl/tests/unit/test_pkcs11_token.js create mode 100644 security/manager/ssl/tests/unit/test_pkcs11_tokenDB.js create mode 100644 
security/manager/ssl/tests/unit/test_sanctions/apple-ist-ca-8-g1-intermediate.pem create mode 100644 security/manager/ssl/tests/unit/test_sanctions/cds-apple-com.pem create mode 100644 security/manager/ssl/tests/unit/test_sanctions/default-ee.key create mode 100644 security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec create mode 100644 security/manager/ssl/tests/unit/test_sanctions/default-ee.pem create mode 100644 security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem create mode 100644 security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem create mode 100644 security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem create mode 100644 security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem create mode 100644 security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem create mode 100644 security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem create mode 100644 security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem create mode 100644 
security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem create mode 100644 security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js create mode 100644 security/manager/ssl/tests/unit/test_sdr.js create mode 100644 security/manager/ssl/tests/unit/test_sdr_preexisting.js create mode 100644 security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db create mode 100644 security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js create mode 100644 security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.db create mode 100644 security/manager/ssl/tests/unit/test_self_signed_certs.js create mode 100644 security/manager/ssl/tests/unit/test_self_signed_certs/cert9.db create mode 100644 security/manager/ssl/tests/unit/test_session_resumption.js create mode 100644 security/manager/ssl/tests/unit/test_signed_apps.js create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app/README create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app/data/image.png create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app/manifest.json create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.manifest create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.sig create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/README create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/data/image.png create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/manifest.json create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zip create mode 100644 
security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1-256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1-256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1-256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1-256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1-256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1-256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-256.zip create mode 100644 
security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1-256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1-256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/big_manifest.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/bug_1411458.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip create mode 100644 
security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/cose_tampered_good_pkcs7.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/empty_signerInfos.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/huge_manifest.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/moz.build create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/only_cose_multiple_signed.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/validity_expired.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/validity_not_yet_valid.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_ssl_status.js create mode 100644 security/manager/ssl/tests/unit/test_sss_enumerate.js create mode 100644 security/manager/ssl/tests/unit/test_sss_eviction.js create mode 100644 security/manager/ssl/tests/unit/test_sss_originAttributes.js create mode 100644 security/manager/ssl/tests/unit/test_sss_readstate.js create mode 100644 security/manager/ssl/tests/unit/test_sss_readstate_empty.js create mode 100644 security/manager/ssl/tests/unit/test_sss_readstate_garbage.js create mode 100644 security/manager/ssl/tests/unit/test_sss_readstate_huge.js create mode 100644 security/manager/ssl/tests/unit/test_sss_resetState.js create mode 100644 security/manager/ssl/tests/unit/test_sss_sanitizeOnShutdown.js create mode 100644 security/manager/ssl/tests/unit/test_sss_savestate.js 
create mode 100644 security/manager/ssl/tests/unit/test_sts_fqdn.js create mode 100644 security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js create mode 100644 security/manager/ssl/tests/unit/test_sts_parser.js create mode 100644 security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js create mode 100644 security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js create mode 100644 security/manager/ssl/tests/unit/test_validity.js create mode 100644 security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem create mode 100644 security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem create mode 100644 security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key create mode 100644 security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key.keyspec create mode 100644 security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem create mode 100644 security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_validity/evroot.key create mode 100644 security/manager/ssl/tests/unit/test_validity/evroot.key.keyspec create mode 100644 security/manager/ssl/tests/unit/test_validity/evroot.pem create mode 100644 security/manager/ssl/tests/unit/test_validity/evroot.pem.certspec create mode 100644 security/manager/ssl/tests/unit/test_x509.js create mode 100644 security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp create mode 100644 security/manager/ssl/tests/unit/tlsserver/cmd/DelegatedCredentialsServer.cpp create mode 100644 security/manager/ssl/tests/unit/tlsserver/cmd/EncryptedClientHelloServer.cpp create mode 100644 
security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp create mode 100644 security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp create mode 100644 security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp create mode 100644 security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp create mode 100644 security/manager/ssl/tests/unit/tlsserver/cmd/moz.build create mode 100644 security/manager/ssl/tests/unit/tlsserver/default-ee.der create mode 100644 security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp create mode 100644 security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h create mode 100644 security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp create mode 100644 security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h create mode 100644 security/manager/ssl/tests/unit/tlsserver/lib/moz.build create mode 100644 security/manager/ssl/tests/unit/tlsserver/moz.build create mode 100644 security/manager/ssl/tests/unit/xpcshell-smartcards.ini create mode 100644 security/manager/ssl/tests/unit/xpcshell.ini create mode 100644 security/manager/tools/.eslintrc.js create mode 100644 security/manager/tools/KnownRootHashes.json create mode 100644 security/manager/tools/PreloadedHPKPins.json create mode 100644 security/manager/tools/crtshToIdentifyingStruct/crtshToIdentifyingStruct.py create mode 100644 security/manager/tools/crtshToIdentifyingStruct/requirements.txt create mode 100644 security/manager/tools/dumpGoogleRoots.js create mode 100644 security/manager/tools/genRootCAHashes.js create mode 100755 security/manager/tools/getCTKnownLogs.py create mode 100644 security/manager/tools/log_list.json create mode 100644 security/manager/tools/mach_commands.py create mode 100755 security/manager/tools/pycert.py create mode 100755 security/manager/tools/pycms.py create mode 100644 security/manager/tools/pyct.py create mode 100755 security/manager/tools/pykey.py (limited to 'security/manager') 
diff --git a/security/manager/android_stub.h b/security/manager/android_stub.h
new file mode 100644
index 0000000000..8e83f76568
--- /dev/null
+++ b/security/manager/android_stub.h
@@ -0,0 +1,31 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* This file allows NSS to build by stubbing out
+ * features that aren't provided by Android/Bionic */
+
+#ifndef ANDROID_STUB_H
+#define ANDROID_STUB_H
+
+/* sysinfo is defined but not implemented.
+ * we may be able to implement it ourselves. */
+#define _SYS_SYSINFO_H_
+
+#include
+#include
+#include
+#include
+
+#ifndef ANDROID_VERSION
+# include
+# define ANDROID_VERSION __ANDROID_API__
+#endif
+
+#if ANDROID_VERSION < 21
+# define RTLD_NOLOAD 0
+#endif
+
+#define sysinfo(foo) -1
+
+#endif /* ANDROID_STUB_H */
diff --git a/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties b/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties
new file mode 100644
index 0000000000..d698db12af
--- /dev/null
+++ b/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties
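Review bot: In android_stub.h, `# define RTLD_NOLOAD 0` for ANDROID_VERSION < 21 has no comment on what it does to callers: a `dlopen()` that passes the flag only to probe for an already-loaded library would presumably perform a real load instead, which matters wherever the probe result gates a trust decision. I would add `/* RTLD_NOLOAD is missing before API 21; with 0, a probe-only dlopen() turns into an actual load */` above the define. Likewise `#define sysinfo(foo) -1` discards its argument and always reports failure, so the existing comment could state that callers must check the return value before reading the struct they passed in.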
@@ -0,0 +1,331 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+SSL_ERROR_EXPORT_ONLY_SERVER=Unable to communicate securely. Peer does not support high-grade encryption.
+SSL_ERROR_US_ONLY_SERVER=Unable to communicate securely. Peer requires high-grade encryption which is not supported.
+SSL_ERROR_NO_CYPHER_OVERLAP=Cannot communicate securely with peer: no common encryption algorithm(s).
+SSL_ERROR_NO_CERTIFICATE=Unable to find the certificate or key necessary for authentication.
+SSL_ERROR_BAD_CERTIFICATE=Unable to communicate securely with peer: peers’s certificate was rejected.
+SSL_ERROR_BAD_CLIENT=The server has encountered bad data from the client.
+SSL_ERROR_BAD_SERVER=The client has encountered bad data from the server.
+SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE=Unsupported certificate type.
+SSL_ERROR_UNSUPPORTED_VERSION=Peer using unsupported version of security protocol.
+SSL_ERROR_WRONG_CERTIFICATE=Client authentication failed: private key in key database does not match public key in certificate database.
+SSL_ERROR_BAD_CERT_DOMAIN=Unable to communicate securely with peer: requested domain name does not match the server’s certificate.
+SSL_ERROR_POST_WARNING=Unrecognized SSL error code.
+SSL_ERROR_SSL2_DISABLED=Peer only supports SSL version 2, which is locally disabled.
+SSL_ERROR_BAD_MAC_READ=SSL received a record with an incorrect Message Authentication Code.
+SSL_ERROR_BAD_MAC_ALERT=SSL peer reports incorrect Message Authentication Code.
+SSL_ERROR_BAD_CERT_ALERT=SSL peer cannot verify your certificate.
+SSL_ERROR_REVOKED_CERT_ALERT=SSL peer rejected your certificate as revoked.
+SSL_ERROR_EXPIRED_CERT_ALERT=SSL peer rejected your certificate as expired.
+SSL_ERROR_SSL_DISABLED=Cannot connect: SSL is disabled.
+SSL_ERROR_FORTEZZA_PQG=Cannot connect: SSL peer is in another FORTEZZA domain.
+SSL_ERROR_UNKNOWN_CIPHER_SUITE=An unknown SSL cipher suite has been requested.
+SSL_ERROR_NO_CIPHERS_SUPPORTED=No cipher suites are present and enabled in this program.
+SSL_ERROR_BAD_BLOCK_PADDING=SSL received a record with bad block padding.
+SSL_ERROR_RX_RECORD_TOO_LONG=SSL received a record that exceeded the maximum permissible length.
+SSL_ERROR_TX_RECORD_TOO_LONG=SSL attempted to send a record that exceeded the maximum permissible length.
+SSL_ERROR_RX_MALFORMED_HELLO_REQUEST=SSL received a malformed Hello Request handshake message.
+SSL_ERROR_RX_MALFORMED_CLIENT_HELLO=SSL received a malformed Client Hello handshake message.
+SSL_ERROR_RX_MALFORMED_SERVER_HELLO=SSL received a malformed Server Hello handshake message.
+SSL_ERROR_RX_MALFORMED_CERTIFICATE=SSL received a malformed Certificate handshake message.
+SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH=SSL received a malformed Server Key Exchange handshake message.
+SSL_ERROR_RX_MALFORMED_CERT_REQUEST=SSL received a malformed Certificate Request handshake message.
+SSL_ERROR_RX_MALFORMED_HELLO_DONE=SSL received a malformed Server Hello Done handshake message.
+SSL_ERROR_RX_MALFORMED_CERT_VERIFY=SSL received a malformed Certificate Verify handshake message.
+SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH=SSL received a malformed Client Key Exchange handshake message.
+SSL_ERROR_RX_MALFORMED_FINISHED=SSL received a malformed Finished handshake message.
+SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER=SSL received a malformed Change Cipher Spec record.
+SSL_ERROR_RX_MALFORMED_ALERT=SSL received a malformed Alert record.
+SSL_ERROR_RX_MALFORMED_HANDSHAKE=SSL received a malformed Handshake record.
+SSL_ERROR_RX_MALFORMED_APPLICATION_DATA=SSL received a malformed Application Data record.
+SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST=SSL received an unexpected Hello Request handshake message.
+SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO=SSL received an unexpected Client Hello handshake message.
+SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO=SSL received an unexpected Server Hello handshake message.
+SSL_ERROR_RX_UNEXPECTED_CERTIFICATE=SSL received an unexpected Certificate handshake message.
+SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH=SSL received an unexpected Server Key Exchange handshake message.
+SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST=SSL received an unexpected Certificate Request handshake message.
+SSL_ERROR_RX_UNEXPECTED_HELLO_DONE=SSL received an unexpected Server Hello Done handshake message.
+SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY=SSL received an unexpected Certificate Verify handshake message.
+SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH=SSL received an unexpected Client Key Exchange handshake message.
+SSL_ERROR_RX_UNEXPECTED_FINISHED=SSL received an unexpected Finished handshake message.
+SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER=SSL received an unexpected Change Cipher Spec record.
+SSL_ERROR_RX_UNEXPECTED_ALERT=SSL received an unexpected Alert record.
+SSL_ERROR_RX_UNEXPECTED_HANDSHAKE=SSL received an unexpected Handshake record.
+SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA=SSL received an unexpected Application Data record.
+SSL_ERROR_RX_UNKNOWN_RECORD_TYPE=SSL received a record with an unknown content type.
+SSL_ERROR_RX_UNKNOWN_HANDSHAKE=SSL received a handshake message with an unknown message type.
+SSL_ERROR_RX_UNKNOWN_ALERT=SSL received an alert record with an unknown alert description.
+SSL_ERROR_CLOSE_NOTIFY_ALERT=SSL peer has closed this connection.
+SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT=SSL peer was not expecting a handshake message it received.
+SSL_ERROR_DECOMPRESSION_FAILURE_ALERT=SSL peer was unable to successfully decompress an SSL record it received.
+SSL_ERROR_HANDSHAKE_FAILURE_ALERT=SSL peer was unable to negotiate an acceptable set of security parameters.
+SSL_ERROR_ILLEGAL_PARAMETER_ALERT=SSL peer rejected a handshake message for unacceptable content.
+SSL_ERROR_UNSUPPORTED_CERT_ALERT=SSL peer does not support certificates of the type it received.
+SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT=SSL peer had some unspecified issue with the certificate it received.
+SSL_ERROR_GENERATE_RANDOM_FAILURE=SSL experienced a failure of its random number generator.
+SSL_ERROR_SIGN_HASHES_FAILURE=Unable to digitally sign data required to verify your certificate.
+SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE=SSL was unable to extract the public key from the peer’s certificate.
+SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE=Unspecified failure while processing SSL Server Key Exchange handshake.
+SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE=Unspecified failure while processing SSL Client Key Exchange handshake.
+SSL_ERROR_ENCRYPTION_FAILURE=Bulk data encryption algorithm failed in selected cipher suite.
+SSL_ERROR_DECRYPTION_FAILURE=Bulk data decryption algorithm failed in selected cipher suite.
+SSL_ERROR_SOCKET_WRITE_FAILURE=Attempt to write encrypted data to underlying socket failed.
+SSL_ERROR_MD5_DIGEST_FAILURE=MD5 digest function failed.
+SSL_ERROR_SHA_DIGEST_FAILURE=SHA-1 digest function failed.
+SSL_ERROR_MAC_COMPUTATION_FAILURE=MAC computation failed.
+SSL_ERROR_SYM_KEY_CONTEXT_FAILURE=Failure to create Symmetric Key context.
+SSL_ERROR_SYM_KEY_UNWRAP_FAILURE=Failure to unwrap the Symmetric key in Client Key Exchange message.
+SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED=SSL Server attempted to use domestic-grade public key with export cipher suite.
+SSL_ERROR_IV_PARAM_FAILURE=PKCS11 code failed to translate an IV into a param.
+SSL_ERROR_INIT_CIPHER_SUITE_FAILURE=Failed to initialize the selected cipher suite.
+SSL_ERROR_SESSION_KEY_GEN_FAILURE=Client failed to generate session keys for SSL session.
+SSL_ERROR_NO_SERVER_KEY_FOR_ALG=Server has no key for the attempted key exchange algorithm.
+SSL_ERROR_TOKEN_INSERTION_REMOVAL=PKCS#11 token was inserted or removed while operation was in progress.
+SSL_ERROR_TOKEN_SLOT_NOT_FOUND=No PKCS#11 token could be found to do a required operation.
+SSL_ERROR_NO_COMPRESSION_OVERLAP=Cannot communicate securely with peer: no common compression algorithm(s).
+SSL_ERROR_HANDSHAKE_NOT_COMPLETED=Cannot initiate another SSL handshake until current handshake is complete.
+SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE=Received incorrect handshakes hash values from peer.
+SSL_ERROR_CERT_KEA_MISMATCH=The certificate provided cannot be used with the selected key exchange algorithm.
+SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA=No certificate authority is trusted for SSL client authentication.
+SSL_ERROR_SESSION_NOT_FOUND=Client’s SSL session ID not found in server’s session cache.
+SSL_ERROR_DECRYPTION_FAILED_ALERT=Peer was unable to decrypt an SSL record it received.
+SSL_ERROR_RECORD_OVERFLOW_ALERT=Peer received an SSL record that was longer than is permitted.
+SSL_ERROR_UNKNOWN_CA_ALERT=Peer does not recognize and trust the CA that issued your certificate.
+SSL_ERROR_ACCESS_DENIED_ALERT=Peer received a valid certificate, but access was denied.
+SSL_ERROR_DECODE_ERROR_ALERT=Peer could not decode an SSL handshake message.
+SSL_ERROR_DECRYPT_ERROR_ALERT=Peer reports failure of signature verification or key exchange.
+SSL_ERROR_EXPORT_RESTRICTION_ALERT=Peer reports negotiation not in compliance with export regulations.
+SSL_ERROR_PROTOCOL_VERSION_ALERT=Peer reports incompatible or unsupported protocol version.
+SSL_ERROR_INSUFFICIENT_SECURITY_ALERT=Server requires ciphers more secure than those supported by client.
+SSL_ERROR_INTERNAL_ERROR_ALERT=Peer reports it experienced an internal error.
+SSL_ERROR_USER_CANCELED_ALERT=Peer user canceled handshake.
+SSL_ERROR_NO_RENEGOTIATION_ALERT=Peer does not permit renegotiation of SSL security parameters.
+SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED=SSL server cache not configured and not disabled for this socket.
+SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT=SSL peer does not support requested TLS hello extension.
+SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT=SSL peer could not obtain your certificate from the supplied URL.
+SSL_ERROR_UNRECOGNIZED_NAME_ALERT=SSL peer has no certificate for the requested DNS name.
+SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT=SSL peer was unable to get an OCSP response for its certificate.
+SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT=SSL peer reported bad certificate hash value.
+SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET=SSL received an unexpected New Session Ticket handshake message.
+SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET=SSL received a malformed New Session Ticket handshake message.
+SSL_ERROR_DECOMPRESSION_FAILURE=SSL received a compressed record that could not be decompressed.
+SSL_ERROR_RENEGOTIATION_NOT_ALLOWED=Renegotiation is not allowed on this SSL socket.
+SSL_ERROR_UNSAFE_NEGOTIATION=Peer attempted old style (potentially vulnerable) handshake.
+SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD=SSL received an unexpected uncompressed record.
+SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY=SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
+SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID=SSL received invalid NPN extension data.
+SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2=SSL feature not supported for SSL 2.0 connections.
+SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS=SSL feature not supported for servers.
+SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_CLIENTS=SSL feature not supported for clients.
+SSL_ERROR_INVALID_VERSION_RANGE=SSL version range is not valid.
+SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION=SSL peer selected a cipher suite disallowed for the selected protocol version.
+SSL_ERROR_RX_MALFORMED_HELLO_VERIFY_REQUEST=SSL received a malformed Hello Verify Request handshake message.
+SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST=SSL received an unexpected Hello Verify Request handshake message.
+SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION=SSL feature not supported for the protocol version.
+SSL_ERROR_RX_UNEXPECTED_CERT_STATUS=SSL received an unexpected Certificate Status handshake message.
+SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM=Unsupported hash algorithm used by TLS peer.
+SSL_ERROR_DIGEST_FAILURE=Digest function failed.
+SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM=Incorrect signature algorithm specified in a digitally-signed element.
+SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK=The next protocol negotiation extension was enabled, but the callback was cleared prior to being needed.
+SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL=The server supports no protocols that the client advertises in the ALPN extension.
+SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT=The server rejected the handshake because the client downgraded to a lower TLS version than the server supports.
+SSL_ERROR_WEAK_SERVER_CERT_KEY=The server certificate included a public key that was too weak.
+SSL_ERROR_RX_SHORT_DTLS_READ=Not enough room in buffer for DTLS record.
+SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM=No supported TLS signature algorithm was configured.
+SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM=The peer used an unsupported combination of signature and hash algorithm.
+SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET=The peer tried to resume without a correct extended_master_secret extension.
+SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET=The peer tried to resume with an unexpected extended_master_secret extension.
+SEC_ERROR_IO=An I/O error occurred during security authorization.
+SEC_ERROR_LIBRARY_FAILURE=security library failure.
+SEC_ERROR_BAD_DATA=security library: received bad data.
+SEC_ERROR_OUTPUT_LEN=security library: output length error.
+SEC_ERROR_INPUT_LEN=security library has experienced an input length error.
+SEC_ERROR_INVALID_ARGS=security library: invalid arguments.
+SEC_ERROR_INVALID_ALGORITHM=security library: invalid algorithm.
+SEC_ERROR_INVALID_AVA=security library: invalid AVA.
+SEC_ERROR_INVALID_TIME=Improperly formatted time string.
+SEC_ERROR_BAD_DER=security library: improperly formatted DER-encoded message.
+SEC_ERROR_BAD_SIGNATURE=Peer’s certificate has an invalid signature.
+SEC_ERROR_EXPIRED_CERTIFICATE=Peer’s Certificate has expired.
+SEC_ERROR_REVOKED_CERTIFICATE=Peer’s Certificate has been revoked.
+SEC_ERROR_UNKNOWN_ISSUER=Peer’s Certificate issuer is not recognized.
+SEC_ERROR_BAD_KEY=Peer’s public key is invalid.
+SEC_ERROR_BAD_PASSWORD=The security password entered is incorrect.
+SEC_ERROR_RETRY_PASSWORD=New password entered incorrectly. Please try again.
+SEC_ERROR_NO_NODELOCK=security library: no nodelock.
+SEC_ERROR_BAD_DATABASE=security library: bad database.
+SEC_ERROR_NO_MEMORY=security library: memory allocation failure.
+SEC_ERROR_UNTRUSTED_ISSUER=Peer’s certificate issuer has been marked as not trusted by the user.
+SEC_ERROR_UNTRUSTED_CERT=Peer’s certificate has been marked as not trusted by the user.
+SEC_ERROR_DUPLICATE_CERT=Certificate already exists in your database.
+SEC_ERROR_DUPLICATE_CERT_NAME=Downloaded certificate’s name duplicates one already in your database.
+SEC_ERROR_ADDING_CERT=Error adding certificate to database.
+SEC_ERROR_FILING_KEY=Error refiling the key for this certificate.
+SEC_ERROR_NO_KEY=The private key for this certificate cannot be found in key database
+SEC_ERROR_CERT_VALID=This certificate is valid.
+SEC_ERROR_CERT_NOT_VALID=This certificate is not valid.
+SEC_ERROR_CERT_NO_RESPONSE=Cert Library: No Response
+SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE=The certificate issuer’s certificate has expired. Check your system date and time.
+SEC_ERROR_CRL_EXPIRED=The CRL for the certificate’s issuer has expired. Update it or check your system date and time.
+SEC_ERROR_CRL_BAD_SIGNATURE=The CRL for the certificate’s issuer has an invalid signature.
+SEC_ERROR_CRL_INVALID=New CRL has an invalid format.
+SEC_ERROR_EXTENSION_VALUE_INVALID=Certificate extension value is invalid.
+SEC_ERROR_EXTENSION_NOT_FOUND=Certificate extension not found.
+SEC_ERROR_CA_CERT_INVALID=Issuer certificate is invalid.
+SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID=Certificate path length constraint is invalid.
+SEC_ERROR_CERT_USAGES_INVALID=Certificate usages field is invalid.
+SEC_INTERNAL_ONLY=**Internal ONLY module**
+SEC_ERROR_INVALID_KEY=The key does not support the requested operation.
+SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION=Certificate contains unknown critical extension.
+SEC_ERROR_OLD_CRL=New CRL is not later than the current one.
+SEC_ERROR_NO_EMAIL_CERT=Not encrypted or signed: you do not yet have an email certificate.
+SEC_ERROR_NO_RECIPIENT_CERTS_QUERY=Not encrypted: you do not have certificates for each of the recipients.
+SEC_ERROR_NOT_A_RECIPIENT=Cannot decrypt: you are not a recipient, or matching certificate and private key not found.
+SEC_ERROR_PKCS7_KEYALG_MISMATCH=Cannot decrypt: key encryption algorithm does not match your certificate.
+SEC_ERROR_PKCS7_BAD_SIGNATURE=Signature verification failed: no signer found, too many signers found, or improper or corrupted data.
+SEC_ERROR_UNSUPPORTED_KEYALG=Unsupported or unknown key algorithm.
+SEC_ERROR_DECRYPTION_DISALLOWED=Cannot decrypt: encrypted using a disallowed algorithm or key size.
+XP_SEC_FORTEZZA_BAD_CARD=Fortezza card has not been properly initialized. Please remove it and return it to your issuer.
+XP_SEC_FORTEZZA_NO_CARD=No Fortezza cards Found
+XP_SEC_FORTEZZA_NONE_SELECTED=No Fortezza card selected
+XP_SEC_FORTEZZA_MORE_INFO=Please select a personality to get more info on
+XP_SEC_FORTEZZA_PERSON_NOT_FOUND=Personality not found
+XP_SEC_FORTEZZA_NO_MORE_INFO=No more information on that Personality
+XP_SEC_FORTEZZA_BAD_PIN=Invalid Pin
+XP_SEC_FORTEZZA_PERSON_ERROR=Couldn’t initialize Fortezza personalities.
+SEC_ERROR_NO_KRL=No KRL for this site’s certificate has been found.
+SEC_ERROR_KRL_EXPIRED=The KRL for this site’s certificate has expired.
+SEC_ERROR_KRL_BAD_SIGNATURE=The KRL for this site’s certificate has an invalid signature.
+SEC_ERROR_REVOKED_KEY=The key for this site’s certificate has been revoked.
+SEC_ERROR_KRL_INVALID=New KRL has an invalid format.
+SEC_ERROR_NEED_RANDOM=security library: need random data.
+SEC_ERROR_NO_MODULE=security library: no security module can perform the requested operation.
+SEC_ERROR_NO_TOKEN=The security card or token does not exist, needs to be initialized, or has been removed.
+SEC_ERROR_READ_ONLY=security library: read-only database.
+SEC_ERROR_NO_SLOT_SELECTED=No slot or token was selected.
+SEC_ERROR_CERT_NICKNAME_COLLISION=A certificate with the same nickname already exists.
+SEC_ERROR_KEY_NICKNAME_COLLISION=A key with the same nickname already exists.
+SEC_ERROR_SAFE_NOT_CREATED=error while creating safe object
+SEC_ERROR_BAGGAGE_NOT_CREATED=error while creating baggage object
+XP_JAVA_REMOVE_PRINCIPAL_ERROR=Couldn’t remove the principal
+XP_JAVA_DELETE_PRIVILEGE_ERROR=Couldn’t delete the privilege
+XP_JAVA_CERT_NOT_EXISTS_ERROR=This principal doesn’t have a certificate
+SEC_ERROR_BAD_EXPORT_ALGORITHM=Required algorithm is not allowed.
+SEC_ERROR_EXPORTING_CERTIFICATES=Error attempting to export certificates.
+SEC_ERROR_IMPORTING_CERTIFICATES=Error attempting to import certificates.
+SEC_ERROR_PKCS12_DECODING_PFX=Unable to import. Decoding error. File not valid.
+SEC_ERROR_PKCS12_INVALID_MAC=Unable to import. Invalid MAC. Incorrect password or corrupt file.
+SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM=Unable to import. MAC algorithm not supported.
+SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE=Unable to import. Only password integrity and privacy modes supported.
+SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE=Unable to import. File structure is corrupt.
+SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM=Unable to import. Encryption algorithm not supported.
+SEC_ERROR_PKCS12_UNSUPPORTED_VERSION=Unable to import. File version not supported.
+SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT=Unable to import. Incorrect privacy password.
+SEC_ERROR_PKCS12_CERT_COLLISION=Unable to import. Same nickname already exists in database.
+SEC_ERROR_USER_CANCELLED=The user pressed cancel.
+SEC_ERROR_PKCS12_DUPLICATE_DATA=Not imported, already in database.
+SEC_ERROR_MESSAGE_SEND_ABORTED=Message not sent.
+SEC_ERROR_INADEQUATE_KEY_USAGE=Certificate key usage inadequate for attempted operation.
+SEC_ERROR_INADEQUATE_CERT_TYPE=Certificate type not approved for application.
+SEC_ERROR_CERT_ADDR_MISMATCH=Address in signing certificate does not match address in message headers.
+SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY=Unable to import. Error attempting to import private key.
+SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN=Unable to import. Error attempting to import certificate chain.
+SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME=Unable to export. Unable to locate certificate or key by nickname.
+SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY=Unable to export. Private Key could not be located and exported.
+SEC_ERROR_PKCS12_UNABLE_TO_WRITE=Unable to export. Unable to write the export file.
+SEC_ERROR_PKCS12_UNABLE_TO_READ=Unable to import. Unable to read the import file.
+SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED=Unable to export. Key database corrupt or deleted.
+SEC_ERROR_KEYGEN_FAIL=Unable to generate public/private key pair.
+SEC_ERROR_INVALID_PASSWORD=Password entered is invalid. Please pick a different one.
+SEC_ERROR_RETRY_OLD_PASSWORD=Old password entered incorrectly. Please try again.
+SEC_ERROR_BAD_NICKNAME=Certificate nickname already in use.
+SEC_ERROR_NOT_FORTEZZA_ISSUER=Peer FORTEZZA chain has a non-FORTEZZA Certificate.
+SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY=A sensitive key cannot be moved to the slot where it is needed.
+SEC_ERROR_JS_INVALID_MODULE_NAME=Invalid module name.
+SEC_ERROR_JS_INVALID_DLL=Invalid module path/filename
+SEC_ERROR_JS_ADD_MOD_FAILURE=Unable to add module
+SEC_ERROR_JS_DEL_MOD_FAILURE=Unable to delete module
+SEC_ERROR_OLD_KRL=New KRL is not later than the current one.
+SEC_ERROR_CKL_CONFLICT=New CKL has different issuer than current CKL. Delete current CKL.
+SEC_ERROR_CERT_NOT_IN_NAME_SPACE=The Certifying Authority for this certificate is not permitted to issue a certificate with this name.
+SEC_ERROR_KRL_NOT_YET_VALID=The key revocation list for this certificate is not yet valid.
+SEC_ERROR_CRL_NOT_YET_VALID=The certificate revocation list for this certificate is not yet valid.
+SEC_ERROR_UNKNOWN_CERT=The requested certificate could not be found.
+SEC_ERROR_UNKNOWN_SIGNER=The signer’s certificate could not be found.
+SEC_ERROR_CERT_BAD_ACCESS_LOCATION=The location for the certificate status server has invalid format.
+SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE=The OCSP response cannot be fully decoded; it is of an unknown type.
+SEC_ERROR_OCSP_BAD_HTTP_RESPONSE=The OCSP server returned unexpected/invalid HTTP data.
+SEC_ERROR_OCSP_MALFORMED_REQUEST=The OCSP server found the request to be corrupted or improperly formed.
+SEC_ERROR_OCSP_SERVER_ERROR=The OCSP server experienced an internal error.
+SEC_ERROR_OCSP_TRY_SERVER_LATER=The OCSP server suggests trying again later.
+SEC_ERROR_OCSP_REQUEST_NEEDS_SIG=The OCSP server requires a signature on this request.
+SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST=The OCSP server has refused this request as unauthorized.
+SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS=The OCSP server returned an unrecognizable status.
+SEC_ERROR_OCSP_UNKNOWN_CERT=The OCSP server has no status for the certificate.
+SEC_ERROR_OCSP_NOT_ENABLED=You must enable OCSP before performing this operation.
+SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER=You must set the OCSP default responder before performing this operation.
+SEC_ERROR_OCSP_MALFORMED_RESPONSE=The response from the OCSP server was corrupted or improperly formed.
+SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE=The signer of the OCSP response is not authorized to give status for this certificate.
+SEC_ERROR_OCSP_FUTURE_RESPONSE=The OCSP response is not yet valid (contains a date in the future).
+SEC_ERROR_OCSP_OLD_RESPONSE=The OCSP response contains out-of-date information.
+SEC_ERROR_DIGEST_NOT_FOUND=The CMS or PKCS #7 Digest was not found in signed message.
+SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE=The CMS or PKCS #7 Message type is unsupported.
+SEC_ERROR_MODULE_STUCK=PKCS #11 module could not be removed because it is still in use.
+SEC_ERROR_BAD_TEMPLATE=Could not decode ASN.1 data. Specified template was invalid.
+SEC_ERROR_CRL_NOT_FOUND=No matching CRL was found.
+SEC_ERROR_REUSED_ISSUER_AND_SERIAL=You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
+SEC_ERROR_BUSY=NSS could not shutdown. Objects are still in use.
+SEC_ERROR_EXTRA_INPUT=DER-encoded message contained extra unused data.
+SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE=Unsupported elliptic curve.
+SEC_ERROR_UNSUPPORTED_EC_POINT_FORM=Unsupported elliptic curve point form.
+SEC_ERROR_UNRECOGNIZED_OID=Unrecognized Object Identifier.
+SEC_ERROR_OCSP_INVALID_SIGNING_CERT=Invalid OCSP signing certificate in OCSP response.
+SEC_ERROR_REVOKED_CERTIFICATE_CRL=Certificate is revoked in issuer’s certificate revocation list.
+SEC_ERROR_REVOKED_CERTIFICATE_OCSP=Issuer’s OCSP responder reports certificate is revoked.
+SEC_ERROR_CRL_INVALID_VERSION=Issuer’s Certificate Revocation List has an unknown version number.
+SEC_ERROR_CRL_V1_CRITICAL_EXTENSION=Issuer’s V1 Certificate Revocation List has a critical extension.
+SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION=Issuer’s V2 Certificate Revocation List has an unknown critical extension.
+SEC_ERROR_UNKNOWN_OBJECT_TYPE=Unknown object type specified.
+SEC_ERROR_INCOMPATIBLE_PKCS11=PKCS #11 driver violates the spec in an incompatible way.
+SEC_ERROR_NO_EVENT=No new slot event is available at this time.
+SEC_ERROR_CRL_ALREADY_EXISTS=CRL already exists.
+SEC_ERROR_NOT_INITIALIZED=NSS is not initialized.
+SEC_ERROR_TOKEN_NOT_LOGGED_IN=The operation failed because the PKCS#11 token is not logged in.
+SEC_ERROR_OCSP_RESPONDER_CERT_INVALID=Configured OCSP responder’s certificate is invalid.
+SEC_ERROR_OCSP_BAD_SIGNATURE=OCSP response has an invalid signature.
+SEC_ERROR_OUT_OF_SEARCH_LIMITS=Cert validation search is out of search limits
+SEC_ERROR_INVALID_POLICY_MAPPING=Policy mapping contains anypolicy
+SEC_ERROR_POLICY_VALIDATION_FAILED=Cert chain fails policy validation
+SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE=Unknown location type in cert AIA extension
+SEC_ERROR_BAD_HTTP_RESPONSE=Server returned bad HTTP response
+SEC_ERROR_BAD_LDAP_RESPONSE=Server returned bad LDAP response
+SEC_ERROR_FAILED_TO_ENCODE_DATA=Failed to encode data with ASN1 encoder
+SEC_ERROR_BAD_INFO_ACCESS_LOCATION=Bad information access location in cert extension
+SEC_ERROR_LIBPKIX_INTERNAL=Libpkix internal error occurred during cert validation.
+SEC_ERROR_PKCS11_GENERAL_ERROR=A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.
+SEC_ERROR_PKCS11_FUNCTION_FAILED=A PKCS #11 module returned CKR_FUNCTION_FAILED, indicating that the requested function could not be performed. Trying the same operation again might succeed.
+SEC_ERROR_PKCS11_DEVICE_ERROR=A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.
+SEC_ERROR_BAD_INFO_ACCESS_METHOD=Unknown information access method in certificate extension.
+SEC_ERROR_CRL_IMPORT_FAILED=Error attempting to import a CRL.
+SEC_ERROR_EXPIRED_PASSWORD=The password expired.
+SEC_ERROR_LOCKED_PASSWORD=The password is locked.
+SEC_ERROR_UNKNOWN_PKCS11_ERROR=Unknown PKCS #11 error.
+SEC_ERROR_BAD_CRL_DP_URL=Invalid or unsupported URL in CRL distribution point name.
+SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED=The certificate was signed using a signature algorithm that is disabled because it is not secure.
+MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE=The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset.
Key pinning violations cannot be overridden.
+MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY=The server uses a certificate with a basic constraints extension identifying it as a certificate authority. For a properly-issued certificate, this should not be the case.
+MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE=The server presented a certificate with a key size that is too small to establish a secure connection.
+MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA=An X.509 version 1 certificate that is not a trust anchor was used to issue the server’s certificate. X.509 version 1 certificates are deprecated and should not be used to sign other certificates.
+MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE=The server presented a certificate that is not yet valid.
+MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE=A certificate that is not yet valid was used to issue the server’s certificate.
+MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH=The signature algorithm in the signature field of the certificate does not match the algorithm in its signatureAlgorithm field.
+MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING=The OCSP response does not include a status for the certificate being verified.
+MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG=The server presented a certificate that is valid for too long.
+MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING=A required TLS feature is missing.
+MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING=The server presented a certificate that contains an invalid encoding of an integer. Common causes include negative serial numbers, negative RSA moduli, and encodings that are longer than necessary.
+MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME=The server presented a certificate with an empty issuer distinguished name.
+MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED=An additional policy constraint failed when validating this certificate.
+MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT=The certificate is not trusted because it is self-signed.
diff --git a/security/manager/locales/en-US/chrome/pipnss/pipnss.properties b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
new file mode 100644
index 0000000000..5e15e898c6
--- /dev/null
+++ b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
@@ -0,0 +1,123 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +CertPasswordPrompt=Please enter the password for the PKCS#11 token %S. + +CertPasswordPromptDefault=Please enter your Primary Password. + +# The following strings have special requirements: they must fit in a 32 or 64 +# bytes buffer after being encoded to UTF-8. +# +# It's possible to verify the length of a translation using the Browser Console +# in Firefox and evaluating the following code: +# +# (new TextEncoder('utf-8').encode('YOURSTRING')).length +# +# Simply replace YOURSTRING with your translation. +# +# If it's not possible to produce an understandable translation within these +# limits, keeping the English text is an acceptable workaround. + +# LOCALIZATION NOTE (RootCertModuleName): string limit is 64 bytes after +# conversion to UTF-8. +# length_limit = 64 bytes +RootCertModuleName=Builtin Roots Module +# LOCALIZATION NOTE (ManufacturerID): string limit is 32 bytes after conversion +# to UTF-8. +# length_limit = 32 bytes +ManufacturerID=Mozilla.org +# LOCALIZATION NOTE (LibraryDescription): string limit is 32 bytes after +# conversion to UTF-8. +# length_limit = 32 bytes +LibraryDescription=PSM Internal Crypto Services +# LOCALIZATION NOTE (TokenDescription): string limit is 32 bytes after +# conversion to UTF-8. +# length_limit = 32 bytes +TokenDescription=Generic Crypto Services +# LOCALIZATION NOTE (PrivateTokenDescription): string limit is 32 bytes after +# conversion to UTF-8. +# length_limit = 32 bytes +PrivateTokenDescription=Software Security Device +# LOCALIZATION NOTE (SlotDescription): string limit is 64 bytes after conversion +# to UTF-8. +# length_limit = 64 bytes +SlotDescription=PSM Internal Cryptographic Services +# LOCALIZATION NOTE (PrivateSlotDescription): string limit is 64 bytes after +# conversion to UTF-8. 
+# length_limit = 64 bytes +PrivateSlotDescription=PSM Private Keys +# LOCALIZATION NOTE (Fips140TokenDescription): string limit is 32 bytes after +# conversion to UTF-8. +# length_limit = 32 bytes +Fips140TokenDescription=Software Security Device (FIPS) +# LOCALIZATION NOTE (Fips140SlotDescription): string limit is 64 bytes after +# conversion to UTF-8. +# length_limit = 64 bytes +Fips140SlotDescription=FIPS 140 Cryptographic, Key and Certificate Services + +# LOCALIZATION NOTE (nick_template): $1s is the common name from a cert (e.g. "Mozilla"), $2s is the CA name (e.g. VeriSign) +nick_template=%1$s’s %2$s ID + +CertDumpKUSign=Signing +CertDumpKUNonRep=Non-repudiation +CertDumpKUEnc=Key Encipherment +CertDumpKUDEnc=Data Encipherment +CertDumpKUKA=Key Agreement +CertDumpKUCertSign=Certificate Signer +CertDumpKUCRLSigner=CRL Signer + +PSMERR_SSL_Disabled=Can’t connect securely because the SSL protocol has been disabled. +PSMERR_SSL2_Disabled=Can’t connect securely because the site uses an older, insecure version of the SSL protocol. +PSMERR_HostReusedIssuerSerial=You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information:\n\nYour certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. + +# LOCALIZATION NOTE (SSLConnectionErrorPrefix2): %1$S is the host string, %2$S is more detailed information (localized as well). +SSLConnectionErrorPrefix2=An error occurred during a connection to %1$S. %2$S\n + +certErrorIntro=%S uses an invalid security certificate. + +certErrorTrust_SelfSigned=The certificate is not trusted because it is self-signed. +certErrorTrust_UnknownIssuer=The certificate is not trusted because the issuer certificate is unknown. +certErrorTrust_UnknownIssuer2=The server might not be sending the appropriate intermediate certificates. 
+certErrorTrust_UnknownIssuer3=An additional root certificate may need to be imported. +certErrorTrust_CaInvalid=The certificate is not trusted because it was issued by an invalid CA certificate. +certErrorTrust_Issuer=The certificate is not trusted because the issuer certificate is not trusted. +certErrorTrust_SignatureAlgorithmDisabled=The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure. +certErrorTrust_ExpiredIssuer=The certificate is not trusted because the issuer certificate has expired. +certErrorTrust_Untrusted=The certificate does not come from a trusted source. +certErrorTrust_MitM=Your connection is being intercepted by a TLS proxy. Uninstall it if possible or configure your device to trust its root certificate. + +certErrorMismatch=The certificate is not valid for the name %S. +# LOCALIZATION NOTE (certErrorMismatchSinglePrefix): %S is replaced by the domain for which the certificate is valid +certErrorMismatchSinglePrefix=The certificate is only valid for %S. +certErrorMismatchMultiple=The certificate is only valid for the following names: + +# LOCALIZATION NOTE (certErrorExpiredNow): Do not translate %1$S (date+time of expired certificate) or %2$S (current date+time) +certErrorExpiredNow=The certificate expired on %1$S. The current time is %2$S. + +# LOCALIZATION NOTE (certErrorNotYetValidNow): Do not translate %1$S (date+time certificate will become valid) or %2$S (current date+time) +certErrorNotYetValidNow=The certificate will not be valid until %1$S. The current time is %2$S. + +certErrorMitM=Websites prove their identity via certificates, which are issued by certificate authorities. +# LOCALIZATION NOTE (certErrorMitM2): %S is brandShortName +certErrorMitM2=%S is backed by the non-profit Mozilla, which administers a completely open certificate authority (CA) store. 
The CA store helps ensure that certificate authorities are following best practices for user security. +# LOCALIZATION NOTE (certErrorMitM3): %S is brandShortName +certErrorMitM3=%S uses the Mozilla CA store to verify that a connection is secure, rather than certificates supplied by the user’s operating system. So, if an antivirus program or a network is intercepting a connection with a security certificate issued by a CA that is not in the Mozilla CA store, the connection is considered unsafe. + +certErrorSymantecDistrustAdministrator=You may notify the website’s administrator about this problem. + +# LOCALIZATION NOTE (certErrorCodePrefix3): %S is replaced by the error code. +certErrorCodePrefix3=Error code: %S + +P12DefaultNickname=Imported Certificate +CertUnknown=Unknown +CertNoEmailAddress=(no email address) +CaCertExists=This certificate is already installed as a certificate authority. +NotACACert=This is not a certificate authority certificate, so it can’t be imported into the certificate authority list. +UserCertIgnoredNoPrivateKey=This personal certificate can’t be installed because you do not own the corresponding private key which was created when the certificate was requested. +UserCertImported=Your personal certificate has been installed. You should keep a backup copy of this certificate. +CertOrgUnknown=(Unknown) +CertNotStored=(Not Stored) +CertExceptionPermanent=Permanent +CertExceptionTemporary=Temporary diff --git a/security/manager/locales/en-US/chrome/pippki/pippki.properties b/security/manager/locales/en-US/chrome/pippki/pippki.properties new file mode 100644 index 0000000000..165fb3f650 --- /dev/null +++ b/security/manager/locales/en-US/chrome/pippki/pippki.properties 
@@ -0,0 +1,75 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +# Download Cert dialog +# LOCALIZATION NOTE(newCAMessage1): +# %S is a string representative of the certificate being downloaded/imported. +newCAMessage1=Do you want to trust “%S†for the following purposes? +unnamedCA=Certificate Authority (unnamed) + +# PKCS#12 file dialogs +getPKCS12FilePasswordMessage=Please enter the password that was used to encrypt this certificate backup: + +# Client auth +clientAuthRemember=Remember this decision +# LOCALIZATION NOTE(clientAuthNickAndSerial): Represents a single cert when the +# user is choosing from a list of certificates. +# %1$S is the nickname of the cert. +# %2$S is the serial number of the cert in AA:BB:CC hex format. +clientAuthNickAndSerial=%1$S [%2$S] +# LOCALIZATION NOTE(clientAuthHostnameAndPort): +# %1$S is the hostname of the server. +# %2$S is the port of the server. +clientAuthHostnameAndPort=%1$S:%2$S +# LOCALIZATION NOTE(clientAuthMessage1): %S is the Organization of the server +# cert. +clientAuthMessage1=Organization: “%S†+# LOCALIZATION NOTE(clientAuthMessage2): %S is the Organization of the issuer +# cert of the server cert. +clientAuthMessage2=Issued Under: “%S†+# LOCALIZATION NOTE(clientAuthIssuedTo): %1$S is the Distinguished Name of the +# currently selected client cert, such as "CN=John Doe,OU=Example" (without +# quotes). +clientAuthIssuedTo=Issued to: %1$S +# LOCALIZATION NOTE(clientAuthSerial): %1$S is the serial number of the selected +# cert in AA:BB:CC hex format. +clientAuthSerial=Serial number: %1$S +# LOCALIZATION NOTE(clientAuthValidityPeriod): +# %1$S is the already localized notBefore date of the selected cert. +# %2$S is the already localized notAfter date of the selected cert. 
+clientAuthValidityPeriod=Valid from %1$S to %2$S +# LOCALIZATION NOTE(clientAuthKeyUsages): %1$S is a comma separated list of +# already localized key usages the selected cert is valid for. +clientAuthKeyUsages=Key Usages: %1$S +# LOCALIZATION NOTE(clientAuthEmailAddresses): %1$S is a comma separated list of +# e-mail addresses the selected cert is valid for. +clientAuthEmailAddresses=Email addresses: %1$S +# LOCALIZATION NOTE(clientAuthIssuedBy): %1$S is the Distinguished Name of the +# cert which issued the selected cert. +clientAuthIssuedBy=Issued by: %1$S +# LOCALIZATION NOTE(clientAuthStoredOn): %1$S is the name of the PKCS #11 token +# the selected cert is stored on. +clientAuthStoredOn=Stored on: %1$S + +# Page Info +pageInfo_NoEncryption=Connection Not Encrypted +pageInfo_Privacy_None1=The website %S does not support encryption for the page you are viewing. +pageInfo_Privacy_None2=Information sent over the Internet without encryption can be seen by other people while it is in transit. +pageInfo_Privacy_None4=The page you are viewing was not encrypted before being transmitted over the Internet. +# LOCALIZATION NOTE (pageInfo_EncryptionWithBitsAndProtocol and pageInfo_BrokenEncryption): +# %1$S is the name of the encryption standard, +# %2$S is the key size of the cipher. +# %3$S is protocol version like "SSL 3" or "TLS 1.2" +pageInfo_EncryptionWithBitsAndProtocol=Connection Encrypted (%1$S, %2$S bit keys, %3$S) +pageInfo_BrokenEncryption=Broken Encryption (%1$S, %2$S bit keys, %3$S) +pageInfo_Privacy_Encrypted1=The page you are viewing was encrypted before being transmitted over the Internet. +pageInfo_Privacy_Encrypted2=Encryption makes it difficult for unauthorized people to view information traveling between computers. It is therefore unlikely that anyone read this page as it traveled across the network. 
+pageInfo_MixedContent=Connection Partially Encrypted +pageInfo_MixedContent2=Parts of the page you are viewing were not encrypted before being transmitted over the Internet. +pageInfo_WeakCipher=Your connection to this website uses weak encryption and is not private. Other people can view your information or modify the website’s behavior. +pageInfo_CertificateTransparency_Compliant=This website complies with the Certificate Transparency policy. + +# Token Manager +password_not_set=(not set) +enable_fips=Enable FIPS diff --git a/security/manager/locales/en-US/security/certificates/certManager.ftl b/security/manager/locales/en-US/security/certificates/certManager.ftl new file mode 100644 index 0000000000..360bf9887b --- /dev/null +++ b/security/manager/locales/en-US/security/certificates/certManager.ftl 
@@ -0,0 +1,228 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +certmgr-title = + .title = Certificate Manager + +certmgr-tab-mine = + .label = Your Certificates + +certmgr-tab-remembered = + .label = Authentication Decisions + +certmgr-tab-people = + .label = People + +certmgr-tab-servers = + .label = Servers + +certmgr-tab-ca = + .label = Authorities + +certmgr-mine = You have certificates from these organizations that identify you +certmgr-remembered = These certificates are used to identify you to websites +certmgr-people = You have certificates on file that identify these people +certmgr-server = These entries identify server certificate error exceptions +certmgr-ca = You have certificates on file that identify these certificate authorities + +certmgr-edit-ca-cert2 = + .title = Edit CA certificate trust settings + .style = min-width: 48em; + +certmgr-edit-cert-edit-trust = Edit trust settings: + +certmgr-edit-cert-trust-ssl = + .label = This certificate can identify websites. + +certmgr-edit-cert-trust-email = + .label = This certificate can identify mail users. 
+ +certmgr-delete-cert2 = + .title = Delete Certificate + .style = min-width: 48em; min-height: 24em; + +certmgr-cert-host = + .label = Host + +certmgr-cert-name = + .label = Certificate Name + +certmgr-cert-server = + .label = Server + +certmgr-override-lifetime = + .label = Lifetime + +certmgr-token-name = + .label = Security Device + +certmgr-begins-label = + .label = Begins On + +certmgr-expires-label = + .label = Expires On + +certmgr-email = + .label = E-Mail Address + +certmgr-serial = + .label = Serial Number + +certmgr-view = + .label = View… + .accesskey = V + +certmgr-edit = + .label = Edit Trust… + .accesskey = E + +certmgr-export = + .label = Export… + .accesskey = x + +certmgr-delete = + .label = Delete… + .accesskey = D + +certmgr-delete-builtin = + .label = Delete or Distrust… + .accesskey = D + +certmgr-backup = + .label = Backup… + .accesskey = B + +certmgr-backup-all = + .label = Backup All… + .accesskey = k + +certmgr-restore = + .label = Import… + .accesskey = m + +certmgr-add-exception = + .label = Add Exception… + .accesskey = x + +exception-mgr = + .title = Add Security Exception + +exception-mgr-extra-button = + .label = Confirm Security Exception + .accesskey = C + +exception-mgr-supplemental-warning = Legitimate banks, stores, and other public sites will not ask you to do this. + +exception-mgr-cert-location-url = + .value = Location: + +exception-mgr-cert-location-download = + .label = Get Certificate + .accesskey = G + +exception-mgr-cert-status-view-cert = + .label = View… + .accesskey = V + +exception-mgr-permanent = + .label = Permanently store this exception + .accesskey = P + +pk11-bad-password = The password entered was incorrect. +pkcs12-decode-err = Failed to decode the file. Either it is not in PKCS #12 format, has been corrupted, or the password you entered was incorrect. +pkcs12-unknown-err-restore = Failed to restore the PKCS #12 file for unknown reasons. 
+pkcs12-unknown-err-backup = Failed to create the PKCS #12 backup file for unknown reasons. +pkcs12-unknown-err = The PKCS #12 operation failed for unknown reasons. +pkcs12-info-no-smartcard-backup = It is not possible to back up certificates from a hardware security device such as a smart card. +pkcs12-dup-data = The certificate and private key already exist on the security device. + +## PKCS#12 file dialogs + +choose-p12-backup-file-dialog = File Name to Backup +file-browse-pkcs12-spec = PKCS12 Files +choose-p12-restore-file-dialog = Certificate File to Import + +## Import certificate(s) file dialog + +file-browse-certificate-spec = Certificate Files +import-ca-certs-prompt = Select File containing CA certificate(s) to import +import-email-cert-prompt = Select File containing somebody’s Email certificate to import + +## For editing certificates trust + +# Variables: +# $certName: the name of certificate +edit-trust-ca = The certificate “{ $certName }†represents a Certificate Authority. + +## For Deleting Certificates + +delete-user-cert-title = + .title = Delete your Certificates +delete-user-cert-confirm = Are you sure you want to delete these certificates? +delete-user-cert-impact = If you delete one of your own certificates, you can no longer use it to identify yourself. + + +delete-ssl-override-title = + .title = Delete Server Certificate Exception +delete-ssl-override-confirm = Are you sure you want to delete this server exception? +delete-ssl-override-impact = If you delete a server exception, you restore the usual security checks for that server and require it uses a valid certificate. + +delete-ca-cert-title = + .title = Delete or Distrust CA Certificates +delete-ca-cert-confirm = You have requested to delete these CA certificates. For built-in certificates all trust will be removed, which has the same effect. Are you sure you want to delete or distrust? 
+delete-ca-cert-impact = If you delete or distrust a certificate authority (CA) certificate, this application will no longer trust any certificates issued by that CA. + + +delete-email-cert-title = + .title = Delete E-Mail Certificates +delete-email-cert-confirm = Are you sure you want to delete these people’s e-mail certificates? +delete-email-cert-impact = If you delete a person’s e-mail certificate, you will no longer be able to send encrypted e-mail to that person. + +# Used for semi-uniquely representing a cert. +# +# Variables: +# $serialNumber : the serial number of the cert in AA:BB:CC hex format. +cert-with-serial = + .value = Certificate with serial number: { $serialNumber } + +# Used to indicate that the user chose not to send a client authentication certificate to a server that requested one in a TLS handshake. +send-no-client-certificate = Send no client certificate + +# Used when no cert is stored for an override +no-cert-stored-for-override = (Not Stored) + +# When a certificate is unavailable (for example, it has been deleted or the token it exists on has been removed). +certificate-not-available = (Unavailable) + +## Used to show whether an override is temporary or permanent + +permanent-override = Permanent +temporary-override = Temporary + +## Add Security Exception dialog + +add-exception-branded-warning = You are about to override how { -brand-short-name } identifies this site. +add-exception-invalid-header = This site attempts to identify itself with invalid information. +add-exception-domain-mismatch-short = Wrong Site +add-exception-domain-mismatch-long = The certificate belongs to a different site, which could mean that someone is trying to impersonate this site. +add-exception-expired-short = Outdated Information +add-exception-expired-long = The certificate is not currently valid. It may have been stolen or lost, and could be used by someone to impersonate this site. 
+add-exception-unverified-or-bad-signature-short = Unknown Identity +add-exception-unverified-or-bad-signature-long = The certificate is not trusted because it hasn’t been verified as issued by a trusted authority using a secure signature. +add-exception-valid-short = Valid Certificate +add-exception-valid-long = This site provides valid, verified identification. There is no need to add an exception. +add-exception-checking-short = Checking Information +add-exception-checking-long = Attempting to identify this site… +add-exception-no-cert-short = No Information Available +add-exception-no-cert-long = Unable to obtain identification status for this site. + +## Certificate export "Save as" and error dialogs + +save-cert-as = Save Certificate To File +cert-format-base64 = X.509 Certificate (PEM) +cert-format-base64-chain = X.509 Certificate with chain (PEM) +cert-format-der = X.509 Certificate (DER) +cert-format-pkcs7 = X.509 Certificate (PKCS#7) +cert-format-pkcs7-chain = X.509 Certificate with chain (PKCS#7) +write-file-failure = File Error diff --git a/security/manager/locales/en-US/security/certificates/deviceManager.ftl b/security/manager/locales/en-US/security/certificates/deviceManager.ftl new file mode 100644 index 0000000000..0e73acb813 --- /dev/null +++ b/security/manager/locales/en-US/security/certificates/deviceManager.ftl 
@@ -0,0 +1,132 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +## Strings used for device manager + +devmgr-window = + .title = Device Manager + .style = min-width: 67em; min-height: 32em; + +devmgr-devlist = + .label = Security Modules and Devices + +devmgr-header-details = + .label = Details + +devmgr-header-value = + .label = Value + +devmgr-button-login = + .label = Log In + .accesskey = n + +devmgr-button-logout = + .label = Log Out + .accesskey = O + +devmgr-button-changepw = + .label = Change Password + .accesskey = P + +devmgr-button-load = + .label = Load + .accesskey = L + +devmgr-button-unload = + .label = Unload + .accesskey = U + +devmgr-button-enable-fips = + .label = Enable FIPS + .accesskey = F + +devmgr-button-disable-fips = + .label = Disable FIPS + .accesskey = F + +## Strings used for load device + +load-device = + .title = Load PKCS#11 Device Driver + +load-device-info = Enter the information for the module you want to add. 
+ +load-device-modname = + .value = Module Name + .accesskey = M + +load-device-modname-default = + .value = New PKCS#11 Module + +load-device-filename = + .value = Module filename + .accesskey = f + +load-device-browse = + .label = Browse… + .accesskey = B + +## Token Manager + +devinfo-status = + .label = Status + +devinfo-status-disabled = + .label = Disabled + +devinfo-status-not-present = + .label = Not Present + +devinfo-status-uninitialized = + .label = Uninitialized + +devinfo-status-not-logged-in = + .label = Not Logged In + +devinfo-status-logged-in = + .label = Logged In + +devinfo-status-ready = + .label = Ready + +devinfo-desc = + .label = Description + +devinfo-man-id = + .label = Manufacturer + +devinfo-hwversion = + .label = HW Version +devinfo-fwversion = + .label = FW Version + +devinfo-modname = + .label = Module + +devinfo-modpath = + .label = Path + +login-failed = Failed to Login + +devinfo-label = + .label = Label + +devinfo-serialnum = + .label = Serial Number + +fips-nonempty-primary-password-required = FIPS mode requires that you have a Primary Password set for each security device. Please set the password before trying to enable FIPS mode. +unable-to-toggle-fips = Unable to change the FIPS mode for the security device. It is recommended that you exit and restart this application. +load-pk11-module-file-picker-title = Choose a PKCS#11 device driver to load + +# Load Module Dialog +load-module-help-empty-module-name = + .value = The module name cannot be empty. + +# Do not translate 'Root Certs' +load-module-help-root-certs-module-name = + .value = ‘Root Certs‘ is reserved and cannot be used as the module name. + +add-module-failure = Unable to add module +del-module-warning = Are you sure you want to delete this security module? +del-module-error = Unable to delete module 
diff --git a/security/manager/locales/en-US/security/pippki/pippki.ftl b/security/manager/locales/en-US/security/pippki/pippki.ftl new file mode 100644 index 0000000000..b54e45409d --- /dev/null +++ b/security/manager/locales/en-US/security/pippki/pippki.ftl 
@@ -0,0 +1,79 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +password-quality-meter = Password quality meter + +## Change Password dialog + +change-device-password-window = + .title = Change Password + +# Variables: +# $tokenName (String) - Security device of the change password dialog +change-password-token = Security Device: { $tokenName } +change-password-old = Current password: +change-password-new = New password: +change-password-reenter = New password (again): + +pippki-failed-pw-change = Unable to change password. +pippki-incorrect-pw = You did not enter the correct current password. Please try again. +pippki-pw-change-ok = Password successfully changed. + +pippki-pw-empty-warning = Your stored passwords and private keys will not be protected. +pippki-pw-erased-ok = You have deleted your password. { pippki-pw-empty-warning } +pippki-pw-not-wanted = Warning! You have decided not to use a password. { pippki-pw-empty-warning } + +pippki-pw-change2empty-in-fips-mode = You are currently in FIPS mode. FIPS requires a non-empty password. + +## Reset Primary Password dialog + +reset-primary-password-window2 = + .title = Reset Primary Password + .style = min-width: 40em +reset-password-button-label = + .label = Reset +reset-primary-password-text = If you reset your Primary Password, all your stored web and e-mail passwords, personal certificates, and private keys will be forgotten. Are you sure you want to reset your Primary Password? + +pippki-reset-password-confirmation-title = Reset Primary Password +pippki-reset-password-confirmation-message = Your Primary Password has been reset. + +## Downloading cert dialog + +download-cert-window2 = + .title = Downloading Certificate + .style = min-width: 46em +download-cert-message = You have been asked to trust a new Certificate Authority (CA). 
+download-cert-trust-ssl = + .label = Trust this CA to identify websites. +download-cert-trust-email = + .label = Trust this CA to identify email users. +download-cert-message-desc = Before trusting this CA for any purpose, you should examine its certificate and its policy and procedures (if available). +download-cert-view-cert = + .label = View +download-cert-view-text = Examine CA certificate + +## Client Authorization Ask dialog + +client-auth-window = + .title = User Identification Request +client-auth-site-description = This site has requested that you identify yourself with a certificate: +client-auth-choose-cert = Choose a certificate to present as identification: +client-auth-cert-details = Details of selected certificate: + +## Set password (p12) dialog + +set-password-window = + .title = Choose a Certificate Backup Password +set-password-message = The certificate backup password you set here protects the backup file that you are about to create. You must set this password to proceed with the backup. +set-password-backup-pw = + .value = Certificate backup password: +set-password-repeat-backup-pw = + .value = Certificate backup password (again): +set-password-reminder = Important: If you forget your certificate backup password, you will not be able to restore this backup later. Please record it in a safe location. + +## Protected authentication alert + +# Variables: +# $tokenName (String) - The name of the token to authenticate to (for example, "OS Client Cert Token (Modern)") +protected-auth-alert = Please authenticate to the token “{ $tokenName }â€. How to do so depends on the token (for example, using a fingerprint reader or entering a code with a keypad). diff --git a/security/manager/locales/jar.mn b/security/manager/locales/jar.mn new file mode 100644 index 0000000000..a61529289a --- /dev/null +++ b/security/manager/locales/jar.mn 
@@ -0,0 +1,14 @@
+#filter substitution
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+[localization] @AB_CD@.jar:
+ security (%security/**/*.ftl)
+
+@AB_CD@.jar:
+% locale pipnss @AB_CD@ %locale/@AB_CD@/pipnss/
+% locale pippki @AB_CD@ %locale/@AB_CD@/pippki/
+ locale/@AB_CD@/pipnss/pipnss.properties (%chrome/pipnss/pipnss.properties)
+ locale/@AB_CD@/pipnss/nsserrors.properties (%chrome/pipnss/nsserrors.properties)
+ locale/@AB_CD@/pippki/pippki.properties (%chrome/pippki/pippki.properties)
diff --git a/security/manager/locales/moz.build b/security/manager/locales/moz.build
new file mode 100644
index 0000000000..d988c0ff9b
--- /dev/null
+++ b/security/manager/locales/moz.build
@@ -0,0 +1,7 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+JAR_MANIFESTS += ["jar.mn"]
diff --git a/security/manager/moz.build b/security/manager/moz.build
new file mode 100644
index 0000000000..3890007503
--- /dev/null
+++ b/security/manager/moz.build
@@ -0,0 +1,13 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+with Files("**"):
+ BUG_COMPONENT = ("Core", "Security: PSM")
+
+DIRS += ["ssl", "locales"]
+
+if CONFIG["MOZ_BUILD_APP"] != "mobile/android":
+ DIRS += ["pki"]
diff --git a/security/manager/pki/components.conf b/security/manager/pki/components.conf
new file mode 100644
index 0000000000..e381806925
--- /dev/null
+++ b/security/manager/pki/components.conf
@@ -0,0 +1,21 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+Classes = [
+ {
+ 'cid': '{518e071f-1dd2-11b2-937e-c45f14def778}',
+ 'contract_ids': [
+ '@mozilla.org/nsCertificateDialogs;1',
+ '@mozilla.org/nsClientAuthDialogs;1',
+ '@mozilla.org/nsGeneratingKeypairInfoDialogs;1',
+ '@mozilla.org/nsTokenDialogs;1',
+ '@mozilla.org/nsTokenPasswordDialogs;1',
+ ],
+ 'type': 'nsNSSDialogs',
+ 'headers': ['/security/manager/pki/nsNSSDialogs.h'],
+ 'init_method': 'Init',
+ },
+]
diff --git a/security/manager/pki/moz.build b/security/manager/pki/moz.build
new file mode 100644
index 0000000000..73d3d09eba
--- /dev/null
+++ b/security/manager/pki/moz.build
@@ -0,0 +1,36 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+DIRS += ["resources"]
+
+UNIFIED_SOURCES += [
+ "nsNSSDialogHelper.cpp",
+ "nsNSSDialogs.cpp",
+]
+
+XPCOM_MANIFESTS += [
+ "components.conf",
+]
+
+LOCAL_INCLUDES += [
+ "!/dist/public/nss",
+]
+
+FINAL_LIBRARY = "xul"
+
+if CONFIG["CC_TYPE"] in ("clang", "gcc"):
+ CXXFLAGS += [
+ "-Wextra",
+ # -Wextra enables this warning, but it's too noisy to be useful.
+ "-Wno-missing-field-initializers",
+ ]
+
+ # Gecko headers aren't warning-free enough for us to enable these warnings.
+ CXXFLAGS += [
+ "-Wno-unused-parameter",
+ ]
+
+REQUIRES_UNIFIED_BUILD = True
diff --git a/security/manager/pki/nsIASN1Tree.idl b/security/manager/pki/nsIASN1Tree.idl
new file mode 100644
index 0000000000..b44362e5b2
--- /dev/null
+++ b/security/manager/pki/nsIASN1Tree.idl
@@ -0,0 +1,24 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+#include "nsITreeView.idl"
+#include "nsIX509Cert.idl"
+
+[scriptable, uuid(de142307-7b88-4e0a-b232-250f310e25d8)]
+interface nsIASN1Tree : nsITreeView {
+ [must_use]
+ void loadASN1Structure(in nsIASN1Object asn1Object);
+
+ [must_use]
+ AString getDisplayData(in unsigned long index);
+};
+
+%{C++
+
+#define NS_ASN1TREE_CONTRACTID "@mozilla.org/security/nsASN1Tree;1"
+
+%}
diff --git a/security/manager/pki/nsNSSDialogHelper.cpp b/security/manager/pki/nsNSSDialogHelper.cpp
new file mode 100644
index 0000000000..4b204af85d
--- /dev/null
+++ b/security/manager/pki/nsNSSDialogHelper.cpp
@@ -0,0 +1,44 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsNSSDialogHelper.h"
+
+#include "mozilla/dom/ScriptSettings.h"
+#include "nsCOMPtr.h"
+#include "nsIWindowWatcher.h"
+#include "nsServiceManagerUtils.h"
+
+static const char kOpenDialogParam[] = "centerscreen,chrome,modal,titlebar";
+static const char kOpenWindowParam[] = "centerscreen,chrome,titlebar";
+
+nsresult nsNSSDialogHelper::openDialog(mozIDOMWindowProxy* window,
+ const char* url, nsISupports* params,
+ bool modal) {
+ nsresult rv;
+ nsCOMPtr windowWatcher =
+ do_GetService(NS_WINDOWWATCHER_CONTRACTID, &rv);
+ if (NS_FAILED(rv)) return rv;
+
+ nsCOMPtr parent = window;
+
+ if (!parent) {
+ windowWatcher->GetActiveWindow(getter_AddRefs(parent));
+ }
+
+ // We're loading XUL into this window, and it's happening on behalf of the
+ // system, not on behalf of content. Make sure the initial about:blank window
+ // gets a system principal, otherwise we'll bork when trying to wrap the
+ // nsIKeyGenThread |arguments| property into the unprivileged scoope.
+ MOZ_ASSERT(!strncmp("chrome://", url, strlen("chrome://")));
+ mozilla::dom::AutoNoJSAPI nojsapi;
+
+ nsCOMPtr newWindow;
+ rv = windowWatcher->OpenWindow(
+ parent, nsDependentCString(url), "_blank"_ns,
+ nsDependentCString(modal ? kOpenDialogParam : kOpenWindowParam), params,
+ getter_AddRefs(newWindow));
+ return rv;
+}
diff --git a/security/manager/pki/nsNSSDialogHelper.h b/security/manager/pki/nsNSSDialogHelper.h
new file mode 100644
index 0000000000..a7f3d5e474
--- /dev/null
+++ b/security/manager/pki/nsNSSDialogHelper.h
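Review bot: The `chrome://` restriction on `url` in openDialog is enforced only by `MOZ_ASSERT`, which is compiled out of release builds, while the comment directly above it says the new window is given a system principal. Every caller visible in this commit passes a literal chrome URL, so this is hardening rather than a live bug, but a runtime guard would stop a future caller from opening non-chrome content through this path: `if (!url || strncmp("chrome://", url, strlen("chrome://")) != 0) return NS_ERROR_INVALID_ARG;`. The result of `GetActiveWindow` is also ignored; that looks deliberate, since a null parent is accepted, and a one-line comment saying so would help. The comment typo `scoope` should read `scope`.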
@@ -0,0 +1,39 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsNSSDialogHelper_h
+#define nsNSSDialogHelper_h
+
+#include "nsError.h"
+
+class mozIDOMWindowProxy;
+class nsISupports;
+
+/**
+ * Helper class that uses the window watcher service to open a standard dialog,
+ * with or without a parent context.
+ */
+class nsNSSDialogHelper {
+ public:
+ /**
+ * Opens a XUL dialog.
+ *
+ * @param window
+ * Parent window of the dialog, or nullptr to signal no parent.
+ * @param url
+ * URL to the XUL dialog.
+ * @param params
+ * Parameters to pass to the dialog. Same semantics as the
+ * nsIWindowWatcher.openWindow() |aArguments| parameter.
+ * @param modal
+ * true if the dialog should be modal, false otherwise.
+ * @return The result of opening the dialog.
+ */
+ static nsresult openDialog(mozIDOMWindowProxy* window, const char* url,
+ nsISupports* params, bool modal = true);
+};
+
+#endif // nsNSSDialogHelper_h
diff --git a/security/manager/pki/nsNSSDialogs.cpp b/security/manager/pki/nsNSSDialogs.cpp
new file mode 100644
index 0000000000..54705052da
--- /dev/null
+++ b/security/manager/pki/nsNSSDialogs.cpp
@@ -0,0 +1,313 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * Dialog services for PIP.
+ */
+
+#include "nsNSSDialogs.h"
+
+#include "mozIDOMWindow.h"
+#include "nsArray.h"
+#include "nsComponentManagerUtils.h"
+#include "nsEmbedCID.h"
+#include "nsHashPropertyBag.h"
+#include "nsIDialogParamBlock.h"
+#include "nsIInterfaceRequestor.h"
+#include "nsIInterfaceRequestorUtils.h"
+#include "nsIPK11Token.h"
+#include "nsIPromptService.h"
+#include "nsIWindowWatcher.h"
+#include "nsIX509CertDB.h"
+#include "nsIX509Cert.h"
+#include "nsNSSDialogHelper.h"
+#include "nsPromiseFlatString.h"
+#include "nsString.h"
+#include "nsVariant.h"
+
+#define PIPSTRING_BUNDLE_URL "chrome://pippki/locale/pippki.properties"
+
+nsNSSDialogs::nsNSSDialogs() = default;
+
+nsNSSDialogs::~nsNSSDialogs() = default;
+
+NS_IMPL_ISUPPORTS(nsNSSDialogs, nsITokenPasswordDialogs, nsICertificateDialogs,
+ nsIClientAuthDialogs)
+
+nsresult nsNSSDialogs::Init() {
+ nsresult rv;
+
+ nsCOMPtr service =
+ do_GetService(NS_STRINGBUNDLE_CONTRACTID, &rv);
+ if (NS_FAILED(rv)) return rv;
+
+ rv = service->CreateBundle(PIPSTRING_BUNDLE_URL,
+ getter_AddRefs(mPIPStringBundle));
+ return rv;
+}
+
+NS_IMETHODIMP
+nsNSSDialogs::SetPassword(nsIInterfaceRequestor* ctx, nsIPK11Token* token,
+ /*out*/ bool* canceled) {
+ // |ctx| is allowed to be null.
+ NS_ENSURE_ARG(canceled); + + *canceled = false; + + // Get the parent window for the dialog + nsCOMPtr parent = do_GetInterface(ctx); + + nsCOMPtr block = + do_CreateInstance(NS_DIALOGPARAMBLOCK_CONTRACTID); + if (!block) return NS_ERROR_FAILURE; + + nsCOMPtr objects = nsArrayBase::Create(); + if (!objects) { + return NS_ERROR_FAILURE; + } + nsresult rv = objects->AppendElement(token); + if (NS_FAILED(rv)) { + return rv; + } + rv = block->SetObjects(objects); + if (NS_FAILED(rv)) { + return rv; + } + + rv = nsNSSDialogHelper::openDialog( + parent, "chrome://pippki/content/changepassword.xhtml", block); + + if (NS_FAILED(rv)) return rv; + + int32_t status; + + rv = block->GetInt(1, &status); + if (NS_FAILED(rv)) return rv; + + *canceled = (status == 0); + + return rv; +} + +NS_IMETHODIMP +nsNSSDialogs::ConfirmDownloadCACert(nsIInterfaceRequestor* ctx, + nsIX509Cert* cert, + /*out*/ uint32_t* trust, + /*out*/ bool* importConfirmed) { + // |ctx| is allowed to be null. + NS_ENSURE_ARG(cert); + NS_ENSURE_ARG(trust); + NS_ENSURE_ARG(importConfirmed); + + nsCOMPtr argArray = nsArrayBase::Create(); + if (!argArray) { + return NS_ERROR_FAILURE; + } + + nsresult rv = argArray->AppendElement(cert); + if (NS_FAILED(rv)) { + return rv; + } + + nsCOMPtr retVals = new nsHashPropertyBag(); + rv = argArray->AppendElement(retVals); + if (NS_FAILED(rv)) { + return rv; + } + + // Get the parent window for the dialog + nsCOMPtr parent = do_GetInterface(ctx); + rv = nsNSSDialogHelper::openDialog( + parent, "chrome://pippki/content/downloadcert.xhtml", argArray); + if (NS_FAILED(rv)) { + return rv; + } + + rv = retVals->GetPropertyAsBool(u"importConfirmed"_ns, importConfirmed); + if (NS_FAILED(rv)) { + return rv; + } + + *trust = nsIX509CertDB::UNTRUSTED; + if (!*importConfirmed) { + return NS_OK; + } + + bool trustForSSL = false; + rv = retVals->GetPropertyAsBool(u"trustForSSL"_ns, &trustForSSL); + if (NS_FAILED(rv)) { + return rv; + } + bool trustForEmail = false; + rv = 
retVals->GetPropertyAsBool(u"trustForEmail"_ns, &trustForEmail); + if (NS_FAILED(rv)) { + return rv; + } + + *trust |= trustForSSL ? nsIX509CertDB::TRUSTED_SSL : 0; + *trust |= trustForEmail ? nsIX509CertDB::TRUSTED_EMAIL : 0; + + return NS_OK; +} + +NS_IMETHODIMP +nsNSSDialogs::ChooseCertificate(const nsACString& hostname, int32_t port, + const nsACString& organization, + const nsACString& issuerOrg, nsIArray* certList, + /*out*/ uint32_t* selectedIndex, + /*out*/ bool* rememberClientAuthCertificate, + /*out*/ bool* certificateChosen) { + NS_ENSURE_ARG_POINTER(certList); + NS_ENSURE_ARG_POINTER(selectedIndex); + NS_ENSURE_ARG_POINTER(rememberClientAuthCertificate); + NS_ENSURE_ARG_POINTER(certificateChosen); + + *certificateChosen = false; + *rememberClientAuthCertificate = false; + + nsCOMPtr argArray = nsArrayBase::Create(); + if (!argArray) { + return NS_ERROR_FAILURE; + } + + nsCOMPtr hostnameVariant = new nsVariant(); + nsresult rv = hostnameVariant->SetAsAUTF8String(hostname); + if (NS_FAILED(rv)) { + return rv; + } + rv = argArray->AppendElement(hostnameVariant); + if (NS_FAILED(rv)) { + return rv; + } + + nsCOMPtr organizationVariant = new nsVariant(); + rv = organizationVariant->SetAsAUTF8String(organization); + if (NS_FAILED(rv)) { + return rv; + } + rv = argArray->AppendElement(organizationVariant); + if (NS_FAILED(rv)) { + return rv; + } + + nsCOMPtr issuerOrgVariant = new nsVariant(); + rv = issuerOrgVariant->SetAsAUTF8String(issuerOrg); + if (NS_FAILED(rv)) { + return rv; + } + rv = argArray->AppendElement(issuerOrgVariant); + if (NS_FAILED(rv)) { + return rv; + } + + nsCOMPtr portVariant = new nsVariant(); + rv = portVariant->SetAsInt32(port); + if (NS_FAILED(rv)) { + return rv; + } + rv = argArray->AppendElement(portVariant); + if (NS_FAILED(rv)) { + return rv; + } + + rv = argArray->AppendElement(certList); + if (NS_FAILED(rv)) { + return rv; + } + + nsCOMPtr retVals = new nsHashPropertyBag(); + rv = argArray->AppendElement(retVals); + if 
(NS_FAILED(rv)) { + return rv; + } + + rv = nsNSSDialogHelper::openDialog( + nullptr, "chrome://pippki/content/clientauthask.xhtml", argArray); + if (NS_FAILED(rv)) { + return rv; + } + + rv = retVals->GetPropertyAsBool(u"rememberSelection"_ns, + rememberClientAuthCertificate); + if (NS_FAILED(rv)) { + return rv; + } + + rv = retVals->GetPropertyAsBool(u"certChosen"_ns, certificateChosen); + if (NS_FAILED(rv)) { + return rv; + } + if (*certificateChosen) { + rv = retVals->GetPropertyAsUint32(u"selectedIndex"_ns, selectedIndex); + if (NS_FAILED(rv)) { + return rv; + } + } + + return NS_OK; +} + +NS_IMETHODIMP +nsNSSDialogs::SetPKCS12FilePassword(nsIInterfaceRequestor* ctx, + /*out*/ nsAString& password, + /*out*/ bool* confirmedPassword) { + // |ctx| is allowed to be null. + NS_ENSURE_ARG(confirmedPassword); + + // Get the parent window for the dialog + nsCOMPtr parent = do_GetInterface(ctx); + nsCOMPtr retVals = new nsHashPropertyBag(); + nsresult rv = nsNSSDialogHelper::openDialog( + parent, "chrome://pippki/content/setp12password.xhtml", retVals); + if (NS_FAILED(rv)) { + return rv; + } + + rv = retVals->GetPropertyAsBool(u"confirmedPassword"_ns, confirmedPassword); + if (NS_FAILED(rv)) { + return rv; + } + + if (!*confirmedPassword) { + return NS_OK; + } + + return retVals->GetPropertyAsAString(u"password"_ns, password); +} + +NS_IMETHODIMP +nsNSSDialogs::GetPKCS12FilePassword(nsIInterfaceRequestor* ctx, + nsAString& _password, bool* _retval) { + *_retval = false; + + nsCOMPtr promptSvc( + do_GetService(NS_PROMPTSERVICE_CONTRACTID)); + if (!promptSvc) { + return NS_ERROR_FAILURE; + } + + nsAutoString msg; + nsresult rv = + mPIPStringBundle->GetStringFromName("getPKCS12FilePasswordMessage", msg); + if (NS_FAILED(rv)) { + return rv; + } + + // Get the parent window for the dialog + nsCOMPtr parent = do_GetInterface(ctx); + char16_t* pwTemp = nullptr; + rv = promptSvc->PromptPassword(parent, nullptr, msg.get(), &pwTemp, _retval); + if (NS_FAILED(rv)) { + return rv; 
+ }
+
+ if (*_retval) {
+ _password.Assign(pwTemp);
+ free(pwTemp);
+ }
+
+ return NS_OK;
+}
diff --git a/security/manager/pki/nsNSSDialogs.h b/security/manager/pki/nsNSSDialogs.h
new file mode 100644
index 0000000000..3c687ac667
--- /dev/null
+++ b/security/manager/pki/nsNSSDialogs.h
@@ -0,0 +1,40 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsNSSDialogs_h
+#define nsNSSDialogs_h
+
+#include "nsCOMPtr.h"
+#include "nsICertificateDialogs.h"
+#include "nsIClientAuthDialogs.h"
+#include "nsIStringBundle.h"
+#include "nsITokenPasswordDialogs.h"
+
+#define NS_NSSDIALOGS_CID \
+ { \
+ 0x518e071f, 0x1dd2, 0x11b2, { \
+ 0x93, 0x7e, 0xc4, 0x5f, 0x14, 0xde, 0xf7, 0x78 \
+ } \
+ }
+
+class nsNSSDialogs : public nsICertificateDialogs,
+ public nsIClientAuthDialogs,
+ public nsITokenPasswordDialogs {
+ public:
+ NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSITOKENPASSWORDDIALOGS
+ NS_DECL_NSICERTIFICATEDIALOGS
+ NS_DECL_NSICLIENTAUTHDIALOGS
+ nsNSSDialogs();
+
+ nsresult Init();
+
+ protected:
+ virtual ~nsNSSDialogs();
+ nsCOMPtr mPIPStringBundle;
+};
+
+#endif // nsNSSDialogs_h
diff --git a/security/manager/pki/resources/content/certManager.css b/security/manager/pki/resources/content/certManager.css
new file mode 100644
index 0000000000..e943c721da
--- /dev/null
+++ b/security/manager/pki/resources/content/certManager.css
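Review bot: In GetPKCS12FilePassword the buffer returned by PromptPassword is released only inside `if (*_retval)` and is never cleared, so the PKCS#12 password stays readable in freed heap memory, and the buffer leaks if the prompt service ever hands one back on cancel (not visible from here). Clear and free it whenever `pwTemp` is non-null, using a wipe the compiler cannot optimise away. The method also writes `*_retval = false;` without the out-pointer check the other methods in this file make; add `NS_ENSURE_ARG(_retval);` as its first line. Separately, ChooseCertificate copies `selectedIndex` out of the dialog's property bag without comparing it to the length of `certList`, so the range check has to happen in the caller, which is outside this hunk.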
@@ -0,0 +1,31 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* Good enough support for equalsize=always for the cert manager use cases.
+ * You probably shouldn't use this as-is elsewhere, this selector is somewhat
+ * slow, it relies on stuff having display: -moz-box, and you probably can use
+ * something simpler if you need this */
+[equalsize="always"] > * {
+ -moz-box-flex: 1;
+ contain: inline-size;
+ /* contain: inline-size should be enough, unless you have a legacy XUL layout
+ * box, which don't support it. */
+ width: 0;
+}
+
+#certmanager {
+ /* This prevents horizontal scrollbars due to and non-XUL layout
+ * interactions */
+ padding: 0;
+}
+
+/* This matches the height from dialog.css */
+richlistbox {
+ height: 15em;
+}
+
+richlistbox,
+richlistitem {
+ min-height: 30px;
+}
diff --git a/security/manager/pki/resources/content/certManager.js b/security/manager/pki/resources/content/certManager.js
new file mode 100644
index 0000000000..57d0075add
--- /dev/null
+++ b/security/manager/pki/resources/content/certManager.js
@@ -0,0 +1,824 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* import-globals-from pippki.js */ +"use strict"; + +const gCertFileTypes = "*.p7b; *.crt; *.cert; *.cer; *.pem; *.der"; + +var { NetUtil } = ChromeUtils.import("resource://gre/modules/NetUtil.jsm"); + +var key; + +var certdialogs = Cc["@mozilla.org/nsCertificateDialogs;1"].getService( + Ci.nsICertificateDialogs +); + +/** + * List of certs currently selected in the active tab. + * + * @type {nsIX509Cert[]} + */ +var selected_certs = []; +var selected_tree_items = []; +var selected_index = []; +var certdb; + +/** + * Cert tree for the "Authorities" tab. + * + * @type {nsICertTree} + */ +var caTreeView; +/** + * Cert tree for the "Servers" tab. + * + * @type {nsICertTree} + */ +var serverTreeView; + +var overrideService; + +function createRichlistItem(item) { + let innerHbox = document.createXULElement("hbox"); + innerHbox.setAttribute("align", "center"); + innerHbox.setAttribute("flex", "1"); + + let row = document.createXULElement("label"); + row.setAttribute("flex", "1"); + row.setAttribute("crop", "right"); + row.setAttribute("style", "margin-inline-start: 15px;"); + if ("raw" in item) { + row.setAttribute("value", item.raw); + } else { + document.l10n.setAttributes(row, item.l10nid); + } + row.setAttribute("ordinal", "1"); + innerHbox.appendChild(row); + + return innerHbox; +} + +var serverRichList = { + richlist: undefined, + + buildRichList() { + let overrides = overrideService.getOverrides().map(item => { + let cert = null; + if (item.dbKey !== "") { + cert = certdb.findCertByDBKey(item.dbKey); + } + return { + hostPort: item.hostPort, + dbKey: item.dbKey, + asciiHost: item.asciiHost, + port: item.port, + originAttributes: item.originAttributes, + isTemporary: item.isTemporary, + displayName: cert !== null ? 
cert.displayName : "", + }; + }); + overrides.sort((a, b) => { + let criteria = ["hostPort", "displayName"]; + for (let c of criteria) { + let res = a[c].localeCompare(b[c]); + if (res !== 0) { + return res; + } + } + return 0; + }); + + this.richlist.textContent = ""; + this.richlist.clearSelection(); + + let frag = document.createDocumentFragment(); + for (let override of overrides) { + let richlistitem = this._richBoxAddItem(override); + frag.appendChild(richlistitem); + } + this.richlist.appendChild(frag); + + this._setButtonState(); + this.richlist.addEventListener("select", () => this._setButtonState()); + }, + + _richBoxAddItem(item) { + let richlistitem = document.createXULElement("richlistitem"); + + richlistitem.setAttribute("dbKey", item.dbKey); + richlistitem.setAttribute("host", item.asciiHost); + richlistitem.setAttribute("port", item.port); + richlistitem.setAttribute("hostPort", item.hostPort); + richlistitem.setAttribute( + "originAttributes", + JSON.stringify(item.originAttributes) + ); + + let hbox = document.createXULElement("hbox"); + hbox.setAttribute("flex", "1"); + hbox.setAttribute("equalsize", "always"); + + hbox.appendChild(createRichlistItem({ raw: item.hostPort })); + hbox.appendChild( + createRichlistItem( + item.displayName !== "" + ? { raw: item.displayName } + : { l10nid: "no-cert-stored-for-override" } + ) + ); + hbox.appendChild( + createRichlistItem({ + l10nid: item.isTemporary ? 
"temporary-override" : "permanent-override", + }) + ); + + richlistitem.appendChild(hbox); + + return richlistitem; + }, + + deleteSelectedRichListItem() { + let selectedItem = this.richlist.selectedItem; + if (!selectedItem) { + return; + } + + let retVals = { + deleteConfirmed: false, + }; + window.browsingContext.topChromeWindow.openDialog( + "chrome://pippki/content/deletecert.xhtml", + "", + "chrome,centerscreen,modal", + "websites_tab", + [ + { + hostPort: selectedItem.attributes.hostPort.value, + }, + ], + retVals + ); + + if (retVals.deleteConfirmed) { + overrideService.clearValidityOverride( + selectedItem.attributes.host.value, + selectedItem.attributes.port.value, + JSON.parse(selectedItem.attributes.originAttributes.value) + ); + this.buildRichList(); + } + }, + + viewSelectedRichListItem() { + let selectedItem = this.richlist.selectedItem; + if (!selectedItem) { + return; + } + + let dbKey = selectedItem.getAttribute("dbKey"); + if (dbKey) { + let cert = certdb.findCertByDBKey(dbKey); + viewCertHelper(window, cert); + } + }, + + exportSelectedRichListItem() { + let selectedItem = this.richlist.selectedItem; + if (!selectedItem) { + return; + } + + let dbKey = selectedItem.getAttribute("dbKey"); + if (dbKey) { + let cert = certdb.findCertByDBKey(dbKey); + exportToFile(window, cert); + } + }, + + addException() { + let retval = { + exceptionAdded: false, + }; + window.browsingContext.topChromeWindow.openDialog( + "chrome://pippki/content/exceptionDialog.xhtml", + "", + "chrome,centerscreen,modal", + retval + ); + if (retval.exceptionAdded) { + this.buildRichList(); + } + }, + + _setButtonState() { + let websiteViewButton = document.getElementById("websites_viewButton"); + let websiteExportButton = document.getElementById("websites_exportButton"); + let websiteDeleteButton = document.getElementById("websites_deleteButton"); + + let certKey = this.richlist.selectedItem?.getAttribute("dbKey"); + let cert = certKey && certdb.findCertByDBKey(certKey); + + 
websiteDeleteButton.disabled = this.richlist.selectedIndex < 0; + websiteExportButton.disabled = !cert; + websiteViewButton.disabled = websiteExportButton.disabled; + }, +}; +/** + * Cert tree for the "People" tab. + * + * @type {nsICertTree} + */ +var emailTreeView; +/** + * Cert tree for the "Your Certificates" tab. + * + * @type {nsICertTree} + */ +var userTreeView; + +var clientAuthRememberService; + +var rememberedDecisionsRichList = { + richlist: undefined, + + buildRichList() { + let rememberedDecisions = clientAuthRememberService.getDecisions(); + + let oldItems = this.richlist.querySelectorAll("richlistitem"); + for (let item of oldItems) { + item.remove(); + } + + let frag = document.createDocumentFragment(); + for (let decision of rememberedDecisions) { + let richlistitem = this._richBoxAddItem(decision); + frag.appendChild(richlistitem); + } + this.richlist.appendChild(frag); + + this.richlist.addEventListener("select", () => this.setButtonState()); + }, + + _richBoxAddItem(item) { + let richlistitem = document.createXULElement("richlistitem"); + + richlistitem.setAttribute("entryKey", item.entryKey); + richlistitem.setAttribute("dbKey", item.dbKey); + + let hbox = document.createXULElement("hbox"); + hbox.setAttribute("flex", "1"); + hbox.setAttribute("equalsize", "always"); + + hbox.appendChild(createRichlistItem({ raw: item.asciiHost })); + if (item.dbKey == "") { + hbox.appendChild( + createRichlistItem({ l10nid: "send-no-client-certificate" }) + ); + + hbox.appendChild(createRichlistItem({ raw: "" })); + } else { + let tmpCert = certdb.findCertByDBKey(item.dbKey); + // The certificate corresponding to this item's dbKey may not be + // available (for example, if it was stored on a token that's been + // removed, or if it was deleted). 
+ if (tmpCert) { + hbox.appendChild(createRichlistItem({ raw: tmpCert.commonName })); + hbox.appendChild(createRichlistItem({ raw: tmpCert.serialNumber })); + } else { + hbox.appendChild( + createRichlistItem({ l10nid: "certificate-not-available" }) + ); + hbox.appendChild( + createRichlistItem({ l10nid: "certificate-not-available" }) + ); + } + } + + richlistitem.appendChild(hbox); + + return richlistitem; + }, + + deleteSelectedRichListItem() { + let selectedItem = this.richlist.selectedItem; + let index = this.richlist.selectedIndex; + if (index < 0) { + return; + } + + clientAuthRememberService.forgetRememberedDecision( + selectedItem.attributes.entryKey.value + ); + + this.buildRichList(); + this.setButtonState(); + }, + + viewSelectedRichListItem() { + let selectedItem = this.richlist.selectedItem; + let index = this.richlist.selectedIndex; + if (index < 0) { + return; + } + + if (selectedItem.attributes.dbKey.value != "") { + let cert = certdb.findCertByDBKey(selectedItem.attributes.dbKey.value); + viewCertHelper(window, cert); + } + }, + + setButtonState() { + let rememberedDeleteButton = document.getElementById( + "remembered_deleteButton" + ); + let rememberedViewButton = document.getElementById("remembered_viewButton"); + + rememberedDeleteButton.disabled = this.richlist.selectedIndex < 0; + rememberedViewButton.disabled = + this.richlist.selectedItem == null + ? 
true + : this.richlist.selectedItem.attributes.dbKey.value == ""; + }, +}; + +function LoadCerts() { + certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + var certcache = certdb.getCerts(); + + caTreeView = Cc["@mozilla.org/security/nsCertTree;1"].createInstance( + Ci.nsICertTree + ); + caTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.CA_CERT); + document.getElementById("ca-tree").view = caTreeView; + + emailTreeView = Cc["@mozilla.org/security/nsCertTree;1"].createInstance( + Ci.nsICertTree + ); + emailTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.EMAIL_CERT); + document.getElementById("email-tree").view = emailTreeView; + + userTreeView = Cc["@mozilla.org/security/nsCertTree;1"].createInstance( + Ci.nsICertTree + ); + userTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.USER_CERT); + document.getElementById("user-tree").view = userTreeView; + + clientAuthRememberService = Cc[ + "@mozilla.org/security/clientAuthRememberService;1" + ].getService(Ci.nsIClientAuthRememberService); + + overrideService = Cc["@mozilla.org/security/certoverride;1"].getService( + Ci.nsICertOverrideService + ); + + rememberedDecisionsRichList.richlist = document.getElementById( + "rememberedList" + ); + serverRichList.richlist = document.getElementById("serverList"); + + rememberedDecisionsRichList.buildRichList(); + serverRichList.buildRichList(); + + rememberedDecisionsRichList.setButtonState(); + + enableBackupAllButton(); +} + +function enableBackupAllButton() { + let backupAllButton = document.getElementById("mine_backupAllButton"); + backupAllButton.disabled = userTreeView.rowCount < 1; +} + +function getSelectedCerts() { + var ca_tab = document.getElementById("ca_tab"); + var mine_tab = document.getElementById("mine_tab"); + var others_tab = document.getElementById("others_tab"); + var items = null; + if (ca_tab.selected) { + items = caTreeView.selection; + } else if (mine_tab.selected) { + items = userTreeView.selection; + } 
else if (others_tab.selected) { + items = emailTreeView.selection; + } + selected_certs = []; + var cert = null; + var nr = 0; + if (items != null) { + nr = items.getRangeCount(); + } + if (nr > 0) { + for (let i = 0; i < nr; i++) { + var o1 = {}; + var o2 = {}; + items.getRangeAt(i, o1, o2); + var min = o1.value; + var max = o2.value; + for (let j = min; j <= max; j++) { + if (ca_tab.selected) { + cert = caTreeView.getCert(j); + } else if (mine_tab.selected) { + cert = userTreeView.getCert(j); + } else if (others_tab.selected) { + cert = emailTreeView.getCert(j); + } + if (cert) { + var sc = selected_certs.length; + selected_certs[sc] = cert; + selected_index[sc] = j; + } + } + } + } +} + +function getSelectedTreeItems() { + var ca_tab = document.getElementById("ca_tab"); + var mine_tab = document.getElementById("mine_tab"); + var others_tab = document.getElementById("others_tab"); + var items = null; + if (ca_tab.selected) { + items = caTreeView.selection; + } else if (mine_tab.selected) { + items = userTreeView.selection; + } else if (others_tab.selected) { + items = emailTreeView.selection; + } + selected_certs = []; + selected_tree_items = []; + selected_index = []; + var tree_item = null; + var nr = 0; + if (items != null) { + nr = items.getRangeCount(); + } + if (nr > 0) { + for (let i = 0; i < nr; i++) { + var o1 = {}; + var o2 = {}; + items.getRangeAt(i, o1, o2); + var min = o1.value; + var max = o2.value; + for (let j = min; j <= max; j++) { + if (ca_tab.selected) { + tree_item = caTreeView.getTreeItem(j); + } else if (mine_tab.selected) { + tree_item = userTreeView.getTreeItem(j); + } else if (others_tab.selected) { + tree_item = emailTreeView.getTreeItem(j); + } + if (tree_item) { + var sc = selected_tree_items.length; + selected_tree_items[sc] = tree_item; + selected_index[sc] = j; + } + } + } + } +} + +/** + * Returns true if nothing in the given cert tree is selected or if the + * selection includes a container. Returns false otherwise. 
+ * + * @param {nsICertTree} certTree + * @returns {boolean} + */ +function nothingOrContainerSelected(certTree) { + var certTreeSelection = certTree.selection; + var numSelectionRanges = certTreeSelection.getRangeCount(); + + if (numSelectionRanges == 0) { + return true; + } + + for (var i = 0; i < numSelectionRanges; i++) { + var o1 = {}; + var o2 = {}; + certTreeSelection.getRangeAt(i, o1, o2); + var minIndex = o1.value; + var maxIndex = o2.value; + for (var j = minIndex; j <= maxIndex; j++) { + if (certTree.isContainer(j)) { + return true; + } + } + } + + return false; +} + +async function promptError(aErrorCode) { + if (aErrorCode != Ci.nsIX509CertDB.Success) { + let msgName = "pkcs12-unknown-err"; + switch (aErrorCode) { + case Ci.nsIX509CertDB.ERROR_PKCS12_NOSMARTCARD_EXPORT: + msgName = "pkcs12-info-no-smartcard-backup"; + break; + case Ci.nsIX509CertDB.ERROR_PKCS12_RESTORE_FAILED: + msgName = "pkcs12-unknown-err-restore"; + break; + case Ci.nsIX509CertDB.ERROR_PKCS12_BACKUP_FAILED: + msgName = "pkcs12-unknown-err-backup"; + break; + case Ci.nsIX509CertDB.ERROR_PKCS12_CERT_COLLISION: + case Ci.nsIX509CertDB.ERROR_PKCS12_DUPLICATE_DATA: + msgName = "pkcs12-dup-data"; + break; + case Ci.nsIX509CertDB.ERROR_BAD_PASSWORD: + msgName = "pk11-bad-password"; + break; + case Ci.nsIX509CertDB.ERROR_DECODE_ERROR: + msgName = "pkcs12-decode-err"; + break; + default: + break; + } + let [message] = await document.l10n.formatValues([{ id: msgName }]); + let prompter = Services.ww.getNewPrompter(window); + prompter.alert(null, message); + } +} + +/** + * Enables or disables buttons corresponding to a cert tree depending on what + * is selected in the cert tree. + * + * @param {nsICertTree} certTree + * @param {Array} idList A list of string identifiers for button elements to + * enable or disable. 
+ */ +function enableButtonsForCertTree(certTree, idList) { + let disableButtons = nothingOrContainerSelected(certTree); + + for (let id of idList) { + document.getElementById(id).setAttribute("disabled", disableButtons); + } +} + +function ca_enableButtons() { + let idList = [ + "ca_viewButton", + "ca_editButton", + "ca_exportButton", + "ca_deleteButton", + ]; + enableButtonsForCertTree(caTreeView, idList); +} + +function mine_enableButtons() { + let idList = ["mine_viewButton", "mine_backupButton", "mine_deleteButton"]; + enableButtonsForCertTree(userTreeView, idList); +} + +function email_enableButtons() { + let idList = ["email_viewButton", "email_exportButton", "email_deleteButton"]; + enableButtonsForCertTree(emailTreeView, idList); +} + +async function backupCerts() { + getSelectedCerts(); + var numcerts = selected_certs.length; + if (numcerts == 0) { + return; + } + + var fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker); + let [backupFileDialog, filePkcs12Spec] = await document.l10n.formatValues([ + { id: "choose-p12-backup-file-dialog" }, + { id: "file-browse-pkcs12-spec" }, + ]); + fp.init(window, backupFileDialog, Ci.nsIFilePicker.modeSave); + fp.appendFilter(filePkcs12Spec, "*.p12"); + fp.appendFilters(Ci.nsIFilePicker.filterAll); + fp.defaultExtension = "p12"; + fp.open(rv => { + if ( + rv == Ci.nsIFilePicker.returnOK || + rv == Ci.nsIFilePicker.returnReplace + ) { + let password = {}; + if (certdialogs.setPKCS12FilePassword(window, password)) { + let errorCode = certdb.exportPKCS12File( + fp.file, + selected_certs, + password.value + ); + promptError(errorCode); + } + } + }); +} + +function backupAllCerts() { + // Select all rows, then call doBackup() + userTreeView.selection.selectAll(); + backupCerts(); +} + +function editCerts() { + getSelectedCerts(); + + for (let cert of selected_certs) { + window.browsingContext.topChromeWindow.openDialog( + "chrome://pippki/content/editcacert.xhtml", + "", + "chrome,centerscreen,modal", + 
cert + ); + } +} + +async function restoreCerts() { + var fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker); + let [ + restoreFileDialog, + filePkcs12Spec, + fileCertSpec, + ] = await document.l10n.formatValues([ + { id: "choose-p12-restore-file-dialog" }, + { id: "file-browse-pkcs12-spec" }, + { id: "file-browse-certificate-spec" }, + ]); + fp.init(window, restoreFileDialog, Ci.nsIFilePicker.modeOpen); + fp.appendFilter(filePkcs12Spec, "*.p12; *.pfx"); + fp.appendFilter(fileCertSpec, gCertFileTypes); + fp.appendFilters(Ci.nsIFilePicker.filterAll); + fp.open(rv => { + if (rv != Ci.nsIFilePicker.returnOK) { + return; + } + + // If this is an X509 user certificate, import it as one. + + var isX509FileType = false; + var fileTypesList = gCertFileTypes.slice(1).split("; *"); + for (var type of fileTypesList) { + if (fp.file.path.endsWith(type)) { + isX509FileType = true; + break; + } + } + + if (isX509FileType) { + let fstream = Cc[ + "@mozilla.org/network/file-input-stream;1" + ].createInstance(Ci.nsIFileInputStream); + fstream.init(fp.file, -1, 0, 0); + let dataString = NetUtil.readInputStreamToString( + fstream, + fstream.available() + ); + let dataArray = []; + for (let i = 0; i < dataString.length; i++) { + dataArray.push(dataString.charCodeAt(i)); + } + fstream.close(); + let prompter = Services.ww.getNewPrompter(window); + let interfaceRequestor = { + getInterface() { + return prompter; + }, + }; + certdb.importUserCertificate( + dataArray, + dataArray.length, + interfaceRequestor + ); + } else { + // Otherwise, assume it's a PKCS12 file and import it that way. 
+ let password = {}; + let errorCode = Ci.nsIX509CertDB.ERROR_BAD_PASSWORD; + while ( + errorCode == Ci.nsIX509CertDB.ERROR_BAD_PASSWORD && + certdialogs.getPKCS12FilePassword(window, password) + ) { + errorCode = certdb.importPKCS12File(fp.file, password.value); + if ( + errorCode == Ci.nsIX509CertDB.ERROR_BAD_PASSWORD && + !password.value.length + ) { + // It didn't like empty string password, try no password. + errorCode = certdb.importPKCS12File(fp.file, null); + } + promptError(errorCode); + } + } + + var certcache = certdb.getCerts(); + userTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.USER_CERT); + userTreeView.selection.clearSelection(); + caTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.CA_CERT); + caTreeView.selection.clearSelection(); + enableBackupAllButton(); + }); +} + +async function exportCerts() { + getSelectedCerts(); + + for (let cert of selected_certs) { + await exportToFile(window, cert); + } +} + +/** + * Deletes the selected certs in the active tab. 
+ */ +function deleteCerts() { + getSelectedTreeItems(); + let numcerts = selected_tree_items.length; + if (numcerts == 0) { + return; + } + + const treeViewMap = { + mine_tab: userTreeView, + ca_tab: caTreeView, + others_tab: emailTreeView, + }; + let selTab = document.getElementById("certMgrTabbox").selectedItem; + let selTabID = selTab.getAttribute("id"); + + if (!(selTabID in treeViewMap)) { + return; + } + + let retVals = { + deleteConfirmed: false, + }; + window.browsingContext.topChromeWindow.openDialog( + "chrome://pippki/content/deletecert.xhtml", + "", + "chrome,centerscreen,modal", + selTabID, + selected_tree_items, + retVals + ); + + if (retVals.deleteConfirmed) { + let treeView = treeViewMap[selTabID]; + + for (let t = numcerts - 1; t >= 0; t--) { + treeView.deleteEntryObject(selected_index[t]); + } + + selected_tree_items = []; + selected_index = []; + treeView.selection.clearSelection(); + if (selTabID == "mine_tab") { + enableBackupAllButton(); + } + } +} + +function viewCerts() { + getSelectedCerts(); + + for (let cert of selected_certs) { + viewCertHelper(window, cert); + } +} + +async function addCACerts() { + var fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker); + let [importCa, fileCertSpec] = await document.l10n.formatValues([ + { id: "import-ca-certs-prompt" }, + { id: "file-browse-certificate-spec" }, + ]); + fp.init(window, importCa, Ci.nsIFilePicker.modeOpen); + fp.appendFilter(fileCertSpec, gCertFileTypes); + fp.appendFilters(Ci.nsIFilePicker.filterAll); + fp.open(rv => { + if (rv == Ci.nsIFilePicker.returnOK) { + certdb.importCertsFromFile(fp.file, Ci.nsIX509Cert.CA_CERT); + let certcache = certdb.getCerts(); + caTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.CA_CERT); + caTreeView.selection.clearSelection(); + } + }); +} + +async function addEmailCert() { + var fp = Cc["@mozilla.org/filepicker;1"].createInstance(Ci.nsIFilePicker); + let [importEmail, fileCertSpec] = await document.l10n.formatValues([ + { id: 
"import-email-cert-prompt" }, + { id: "file-browse-certificate-spec" }, + ]); + fp.init(window, importEmail, Ci.nsIFilePicker.modeOpen); + fp.appendFilter(fileCertSpec, gCertFileTypes); + fp.appendFilters(Ci.nsIFilePicker.filterAll); + fp.open(rv => { + if (rv == Ci.nsIFilePicker.returnOK) { + certdb.importCertsFromFile(fp.file, Ci.nsIX509Cert.EMAIL_CERT); + var certcache = certdb.getCerts(); + emailTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.EMAIL_CERT); + emailTreeView.selection.clearSelection(); + caTreeView.loadCertsFromCache(certcache, Ci.nsIX509Cert.CA_CERT); + caTreeView.selection.clearSelection(); + } + }); +} diff --git a/security/manager/pki/resources/content/certManager.xhtml b/security/manager/pki/resources/content/certManager.xhtml new file mode 100644 index 0000000000..6e90b57b1d --- /dev/null +++ b/security/manager/pki/resources/content/certManager.xhtml @@ -0,0 +1,225 @@ + + + + + + + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/browser/intermediate.pem b/security/manager/ssl/tests/mochitest/browser/intermediate.pem new file mode 100644 index 0000000000..08d8d31c9f --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/intermediate.pem 
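Review bot: Both `serverRichList.buildRichList()` and `rememberedDecisionsRichList.buildRichList()` call `this.richlist.addEventListener("select", …)` with a fresh arrow function on every run, and they run again after each delete and after `addException()`, so select handlers pile up on the same element. Register the listener once in `LoadCerts()` right after `richlist` is assigned, e.g. `serverRichList.richlist.addEventListener("select", () => serverRichList._setButtonState());`, and drop the call from `buildRichList`. In `restoreCerts()` the extension test `fp.file.path.endsWith(type)` is case-sensitive, so a certificate file with an upper-case extension such as `.PEM` is handed to `importPKCS12File` and the user is asked for a password; comparing against `fp.file.path.toLowerCase()` avoids that. `promptError(errorCode)` in the password retry loop is async and not awaited, so the next password prompt can open before the error message is shown.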
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDWjCCAkKgAwIBAgIUFfVirSKu6HtZb2LYCmJb2aHMq0wwDQYJKoZIhvcNAQEL +BQAwajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY +MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl +ZCBPcHRpbWl6YXRpb24wIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAw +MFowQTEoMCYGA1UEAwwfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEV +MBMGA1UECwwMSW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc +BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC +a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg +uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK +9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP +mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsG +A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAdKOLt5qF0rjrdg+yVRYeeFQM +wF2w3aYSqjFLC0pxjYxta3TZVYA8JsErqIefsaU+lvURUFpAZxBhocySXOOkjhdo +BtJDa5XpPmcRbLpj3YmL1TxBsgkyVJyWHg8RczxE2RckROAIrk/EoQU7yi4kjXxr +g/uaxekzGYq2dysPR4+Pm1HfnpBRXVQ20P77AJmYrB6HFGHTXR7FsU2CdXQU5D4K +UfmyBbJA2jfZZLl05rPkJNHCoI3WWdMDyGEMo+cuYJ3/lfPE7k7LGANrn1fUkC8u +RgXoGKW/UBpLGsluYwMDiSGrsUe2G3Iv63K0Z+HYEMs/Ez03ueph5R2aanVeHQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec b/security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec new file mode 100644 index 0000000000..a562814041 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec @@ -0,0 +1,4 @@ +issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization +subject:/CN=Temporary Certificate Authority/OU=Intermediate +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/mochitest/browser/invalid.pem b/security/manager/ssl/tests/mochitest/browser/invalid.pem new file mode 100644 index 0000000000..0fabf3e81c 
--- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/invalid.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICwDCCAaigAwIBAgIUTcJUGOsO/pcSk2CcjS3L0FXun4swDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowEjEQMA4GA1UEAwwHaW52YWxpZDCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY +H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk +27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9 +0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM +kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL +L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMPMA0wCwYDVR0PBAQDAgEG +MA0GCSqGSIb3DQEBCwUAA4IBAQAHRQ4x0bpexE1zpa7fbvNqxmhR8ybYTMVEHveL +NxAhaxpvN2wjIRbB5VsAk38UunB3J3RvqkmOHYvGwCJZNQhe0RUsg+yCh+yK3bSe +30Q0uKXdqqtAsCyBhTBxp3hqFzaJgz9hzUUAqSHHCO8jZUugu+RNq2uv6bMYBY1S +YW2QiJG1yur2PLtQsG+NCd+S/4KDi+7N1w+5rD/CtDD0H0vAVvXXNuIjUjFuADlV +hghm2rF5N7i5T1mroDeQT2l89XEQghB+cGtdgbzOBucAI8v3rOV/Qg8xk1l61nYz +8xh7zBXdrByqd1mtTnyOBtzNIjLLveqgQxo1QIKh19vYrW3k +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/invalid.pem.certspec b/security/manager/ssl/tests/mochitest/browser/invalid.pem.certspec new file mode 100644 index 0000000000..71a1707c35 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/invalid.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:invalid +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/mochitest/browser/longOID.pem b/security/manager/ssl/tests/mochitest/browser/longOID.pem new file mode 100644 index 0000000000..d199f88a01 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/longOID.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIESjCCAzKgAwIBAgIUbSwzdRwYtipF7m7s7eZIseaX64wwDQYJKoZIhvcNAQEL +BQAwEzERMA8GA1UEAwwITG9uZyBPSUQwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0 +MDIwNTAwMDAwMFowEzERMA8GA1UEAwwITG9uZyBPSUQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk +e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg +KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI +YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi +lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL +HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjggGQMIIBjDAM +BgNVHRMEBTADAQH/MIIBegYDVR0gBIIBcTCCAW0wggFpBoIBZSqD3OuTf4Pc65N/ +g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zr +k3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D +3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuT +f4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc +65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/ +g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zr +k3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D3OuTf4Pc65N/g9zrk3+D +3OuTf4Pc65N/ATANBgkqhkiG9w0BAQsFAAOCAQEAbq2wf1RHXZAU9iD60DX8B52M +zz0n2Bv3R4rmqJeoFlvgRhnInb0c5N5ceqbjzGE2QTEmjgDhyy5wiU70yLblkyNz +IWxYxg3Qzjfcibt9AQYYoHXS8rEAKJ5oTWrVExPLCsSnmzL8TDwEb9v/noOwdilU +98BD3H+5hQMiYZIVo66Jq5uexLV69DH0+pI1n68pKtFtABpX1grjhEVC670mb5uO +YoMl4GGqFhkmFwpiOcFKcvESfHZdUhzTiPa86rU8LGfA5YyaQMStUWb6jFaCt+LK +bKyf4De9/3XZpsRoPX7VscBtBLhhnvZERkITAt1ovbZmX4IY9Yh6Jo7Z9urzqg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/longOID.pem.certspec b/security/manager/ssl/tests/mochitest/browser/longOID.pem.certspec new file mode 100644 index 0000000000..c3c08ac84b --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/longOID.pem.certspec 
@@ -0,0 +1,4 @@ +issuer:Long OID +subject:Long OID +extension:basicConstraints:cA, +extension:certificatePolicies:1.2.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.999999999.1 diff --git a/security/manager/ssl/tests/mochitest/browser/md5-ee.pem b/security/manager/ssl/tests/mochitest/browser/md5-ee.pem new file mode 100644 index 0000000000..b65bd1a9e9 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/md5-ee.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICrjCCAZagAwIBAgIUU6LuY45SDmIYSOVybKlfPm4PkDMwDQYJKoZIhvcNAQEE +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowETEPMA0GA1UEAwwGbWQ1LWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEBBAUAA4IB +AQCmzCGveXJAR75YgRtydRG1y2yxonzm5bKb1sdk4y0Oma7cMeibR7QAz8kCxu3J +jqc7B1f7G2RD0uWe7Am8diTfPiuDhTJY9kSFqiigrdFB7tpvWUYbfo+jSnfXK8+o +jhaNGAqz42yrcwxyUHTzUG1jSe6bQYoQu3evJTb31g6VYCHG+QcF5BUMKu3MkCQ6 +L5dK4+4m6ocLycTBGXkcjf0PEhYkyUN2rSYPykNMkEdYx3VVNLbnMqVkC1ozqA4U +AZuTAZmDeGPzOPtEm85x730nO1DH2MJClZcNHc5iEUiTD3B78EJAtPdgBRfvf6K/ +BCCj6SSNUceqcvU1DkB9tj4U +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/md5-ee.pem.certspec b/security/manager/ssl/tests/mochitest/browser/md5-ee.pem.certspec new file mode 100644 index 0000000000..279c158026 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/md5-ee.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:md5-ee +signature:md5WithRSAEncryption diff --git a/security/manager/ssl/tests/mochitest/browser/moz.build b/security/manager/ssl/tests/mochitest/browser/moz.build new file mode 100644 index 0000000000..67b1ac4bbb --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/moz.build @@ -0,0 +1,7 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +BROWSER_CHROME_MANIFESTS += ["browser.ini"] 
diff --git a/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem b/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem new file mode 100644 index 0000000000..8017659689 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgzCCAmugAwIBAgIUIVidj/ZVgLtZWGWK7cZ8hRvkLCIwDQYJKoZIhvcNAQEL +BQAwajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY +MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl +ZCBPcHRpbWl6YXRpb24wIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAw +MFowajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY +MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl +ZCBPcHRpbWl6YXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6 +iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr +4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP +8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI +Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ +77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J +I/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQD +AgH+MA0GCSqGSIb3DQEBCwUAA4IBAQBbElkqm+Dtof/toa8F2jT0n4u+MSeVCV8v +uGzZb34g8j/VPNKqaX3KYFqKhRjQvG/ScFn2xQRVEaX402qCPZkrSFNI0+sGERBo +MydN0awvZEWn3AEMccbXH7ZzBXNAqu7iNtkUns0Gde9S362ejlEXhlEewFQhhlEs +LBzUrjiW8AiKG8keFiajEgO8yDbtEjy8z9MPkK23oLBgtVQtg1GO3X2rUxHGZwkE +Ck8ikXVoaw7olYchAhwFTYtbK7+Pwq1U6Rs/1CWSla++6SAh/uasDnnDziLJj3z+ +MBv2WVFfBpRTCr0IdF/fOqsC5utncdXZe8qwViS5/JzZbySctrbO +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem.certspec b/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem.certspec new file mode 100644 index 0000000000..4def496f67 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/pgo-ca-all-usages.pem.certspec 
@@ -0,0 +1,4 @@ +issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization +subject:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization +extension:basicConstraints:cA, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem b/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem new file mode 100644 index 0000000000..502632f5a3 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgzCCAmugAwIBAgIUU34Ahx5Y3OrxTZ8Zij+34BQHt4AwDQYJKoZIhvcNAQEL +BQAwajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY +MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl +ZCBPcHRpbWl6YXRpb24wIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAw +MFowajEoMCYGA1UEAxMfVGVtcG9yYXJ5IENlcnRpZmljYXRlIEF1dGhvcml0eTEY +MBYGA1UEChMPTW96aWxsYSBUZXN0aW5nMSQwIgYDVQQLExtQcm9maWxlIEd1aWRl +ZCBPcHRpbWl6YXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6 +iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr +4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP +8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI +Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ +77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J +I/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQD +AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCqS4h6tvzNQUKlLt3gdUuOjviVTfOhc2qA +w0TmWZUY2DDfIo1jggqH2yIikPGByOfkEJ3VICRk0N6Ivk6Nh3EZyp/mmebpGOIV +Qz9itOzknvny33LwVFovwer4hnHXGKIrcGDIORNWt6BGJ0oREji6bZ8Py12ZuMJ3 +stXdKN3bOrVqrDbCBAmaXuqtngpob5TRCP5/6WJDaFE3JjKOpY+JIwXFSotA+/PO +aNRF5kGRyBsuESb3l5UNMckwMZedxYCndT4ntGxoA/YJ/lo0boqaP4lVqpbabIqp +G42FXocz+dpeWPZYFZEx/hNBQRqXNegIuzv7U4rdeHfbuyxDJhXo +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec b/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec new file mode 100644 index 0000000000..448e167bd0 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec @@ -0,0 +1,4 @@ +issuer:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization +subject:printableString/CN=Temporary Certificate Authority/O=Mozilla Testing/OU=Profile Guided Optimization +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/mochitest/browser/revoked.pem b/security/manager/ssl/tests/mochitest/browser/revoked.pem new file mode 100644 index 0000000000..db8fca458a --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/revoked.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICrzCCAZegAwIBAgIUOZGi7rHuV7JtJp8SD/Di7lbe3vkwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowEjEQMA4GA1UEAwwHcmV2b2tlZDCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY +H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk +27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9 +0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM +kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL +L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsFAAOC +AQEAYK8T1YdY7LQ42fkIm48FNnEduEul9ISTjgqpcGscFAEaUtlfb+LoYFXJJh1M +rcw1WtNaMoA7UMjnj6+18RXi6wTuJiCK9RiLdBFDbZUf8mbavbf69WAwgW1ekT5P +KNZ+OCQAbw2F41u3MTA4tEybPd9I/fkUiuHwVAFQh4seSOq5WGuu1INgEhHd27R9 +zLRVw37WZIo6DusMt+hmE0KyMNtpoBsGvtMBhnVTA/Hox7DyYoYTh2b8N7zDSda8 +nfon3Zw1ZvoHXw/0p0kfftdrychilcNjequSF1e0PvWC5TnGF7rRck0BHI0Mg00I +Nej1od23fhK305jDXk6oJ3VqJg== +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/mochitest/browser/revoked.pem.certspec b/security/manager/ssl/tests/mochitest/browser/revoked.pem.certspec new file mode 100644 index 0000000000..daf75c670f --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/revoked.pem.certspec @@ -0,0 +1,2 @@ +issuer:ca +subject:revoked diff --git a/security/manager/ssl/tests/mochitest/browser/some_content.html b/security/manager/ssl/tests/mochitest/browser/some_content.html new file mode 100644 index 0000000000..f591f32d3d --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/some_content.html @@ -0,0 +1,6 @@ + + + +

Some Content!

+ + diff --git a/security/manager/ssl/tests/mochitest/browser/some_content_framed.html b/security/manager/ssl/tests/mochitest/browser/some_content_framed.html new file mode 100644 index 0000000000..8f8194f9e7 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/some_content_framed.html @@ -0,0 +1,14 @@ + + + + + + diff --git a/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem b/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem new file mode 100644 index 0000000000..0ea778c9c3 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0TCCAbmgAwIBAgIUFRaHxC8q2vvr6gyB8AMvtVwPTeYwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowETEPMA0GA1UEAwwGc3NsLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyEwHzAdBgNVHSUEFjAUBggr +BgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAB0FoJO4EuzTF5o0 +mfFcJV3ORxRDTKUqrcE1cl0S0wcFJ7T8A+XEFnAP/YqxFgFCjbpAtJwxv4P3IOPv +b6dGhSG9rEHJUnVFoKcHnoajzFnn741J0/i6Lkux2tM/eF0sTnADVxmlklt7848h +0DWNrRY/NbouJjQy8yxVMIrJLSWR9G0fzXLemieXnVKA7MGXH7cbECC8gWYgsuEP +pTdJ0r9OsTfgLAoW34RxGFSl/l0gmFuinbbqLVGCUQ6TIeLfn9bmKgMxat+TdT6L +w5k/S3w1bm69naK1YdTGQVFIO4wrNPHOAUXxrcziMd56oMnXmcuG/Ef9N3zqB5/X +8Q5H9gE= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem.certspec b/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem.certspec new file mode 100644 index 0000000000..c4037675f1 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/ssl-ee.pem.certspec 
@@ -0,0 +1,3 @@ +issuer:ca +subject:ssl-ee +extension:extKeyUsage:serverAuth,clientAuth diff --git a/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem b/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem new file mode 100644 index 0000000000..5154c97ccd --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuzCCAaOgAwIBAgIUBdsczlklj8pHAhNbKaxiu+leXzMwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHdW5rbm93bjAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAZMRcwFQYDVQQDDA51bmtub3duLWlzc3VlcjCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs +9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8 +HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak +kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet +lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r +kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkq +hkiG9w0BAQsFAAOCAQEAFUiE73r6gX+NDLhNvEOHBxSFYVCdvMSJ3WSojaF6JKht +bXdx1/M/TqC0cKi/m4pNEW/2VVjOyibc3qRb/X+TRcHZz3PaSA5cYRfoJVPyH+k6 +LAkGmeGLlCNYFrtcfu9qQ+/ap2z5XzmrJa76KxEXW/RjR16sfCIfRP7HGJZ3fYsB +JC91LSzGtIMrqA5K97tolp09cC2cIojNXSlaXwQqVn+2uMQdLMcecFcth1P5Sp02 +rBbzlzCZUl0XVhmAOeEefhak2dnwTG6vRZlbim927/8DzPIEgwmZbvjIrpmYQMZx +GoVdCCgwSbC/uM8tI+LebrJCXqP0VRiZrc3PMbcUUw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem.certspec b/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem.certspec new file mode 100644 index 0000000000..c76a4e2c7b --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/unknown-issuer.pem.certspec @@ -0,0 +1,2 @@ +issuer:unknown +subject:unknown-issuer diff --git a/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem b/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem new file mode 100644 index 0000000000..4f09a837ae --- /dev/null 
+++ b/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAgIUJ52B/yodNzE1jqzgJSkNIQMaj1swDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFzEVMBMGA1UEAwwMdW50cnVzdGVkLWNhMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME +BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAoZWuIsn8xdiC +OyqqSA4hpY0wVq6xutUD2WlV8zDLf4by2C8Tno7NMMC1a/+UuQlmfLs1ztb3RPgj +hJ/24fGuGnP/E71VwrZ/IR2mQBhRdo1ILZeHSDuTKqXGBds5SBHd77NIIMSmbU7w +dhy6bh6Qbh9WYIoHA5h/QGn5x7+b90I0yzTLPkpEV7/v++VWt6hIU/Xc+TvJ1g8M +uR9QKz9EQzbuVytTXGUzFaUattCtaPKxikf8xhHqcZypjU7r1FEa/JAqUlYWiEew +V+7I4IsgpPbOUZoUKU1R/KzHObVKHcmsxBhQ5FYIW8tiXqkFAxp9I4hgAuu9yOB0 +3EV9PsnIrQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem.certspec b/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem.certspec new file mode 100644 index 0000000000..04f4430574 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/browser/untrusted-ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:untrusted-ca +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/alloworigin.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/alloworigin.sjs new file mode 100644 index 0000000000..96c14f4e65 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/alloworigin.sjs 
@@ -0,0 +1,7 @@ +"use strict"; + +function handleRequest(request, response) { + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Access-Control-Allow-Origin", "*"); + response.write("hello!"); +} diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/backward.html b/security/manager/ssl/tests/mochitest/mixedcontent/backward.html new file mode 100644 index 0000000000..8699a07dda --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/backward.html @@ -0,0 +1,18 @@ + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/bug329869.js b/security/manager/ssl/tests/mochitest/mixedcontent/bug329869.js new file mode 100644 index 0000000000..9d67ba1f92 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/bug329869.js @@ -0,0 +1,11 @@ +/* import-globals-from mixedContentTest.js */ +"use strict"; + +document.open(); +// eslint-disable-next-line no-unsanitized/method +document.write("This is insecure XSS script " + document.cookie); +isSecurityState( + "broken", + "security broken after document write from unsecure script" +); +finish(); diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step2.html b/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step2.html new file mode 100644 index 0000000000..4bbf9bfe8c --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step2.html @@ -0,0 +1,28 @@ + + + + Bug 383369 test, step 2 + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step3.html b/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step3.html new file mode 100644 index 0000000000..276c2343fd --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/bug383369step3.html @@ -0,0 +1,29 @@ + + + + Bug 383369 test, final step + + + + + + + + + + 
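Review bot: The wildcard `Access-Control-Allow-Origin: *` in alloworigin.sjs's handleRequest is set with no comment saying it is deliberate, and nothing in the file says which mixed-content test fetches it. A one-line header, for example `// Test-only handler: answers any origin so a cross-origin test page can read the body.` (if that is the intent), would keep the permissive header from being copied into a non-test handler. The handler also sends no Content-Type; that may be intentional, but it is worth stating.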
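Review bot: The `eslint-disable-next-line no-unsanitized/method` above the `document.write(... + document.cookie)` call in bug329869.js suppresses the lint without saying why the unsanitized write is wanted. From the assertion text, the script appears to be the insecure subresource under test, loaded on purpose so that the page's security state becomes "broken". A comment stating that, e.g. `// Deliberate: this script is the insecure subresource under test; only the write itself matters.`, would make the suppression reviewable. The file relies on isSecurityState() and finish() from mixedContentTest.js, as its import-globals-from line records.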
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/download.auto b/security/manager/ssl/tests/mochitest/mixedcontent/download.auto
new file mode 100644
index 0000000000..4d2fb7d5ae
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/download.auto
@@ -0,0 +1 @@
+Temporary file for security/mixedconent tests
\ No newline at end of file
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/download.auto^headers^ b/security/manager/ssl/tests/mochitest/mixedcontent/download.auto^headers^
new file mode 100644
index 0000000000..9c3159e153
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/download.auto^headers^
@@ -0,0 +1,2 @@
+Content-disposition: "attachment"
+Content-type: application/x-auto-download
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/emptyimage.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/emptyimage.sjs
new file mode 100644
index 0000000000..9e34227f00
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/emptyimage.sjs
@@ -0,0 +1,6 @@
+"use strict";
+
+function handleRequest(request, response) {
+ response.setStatusLine(request.httpVersion, 200, "OK");
+ //response.setHeader("Content-type", "image/gif");
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs
new file mode 100644
index 0000000000..5f78a806b4
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/hugebmp.sjs
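Review bot: The commented-out `//response.setHeader("Content-type", "image/gif");` in emptyimage.sjs leaves it unclear whether the missing Content-Type is the behaviour under test or an unfinished edit. As written, handleRequest returns 200 with no body and no media type. If that is intended, replace the dead line with a why-comment such as `// Intentionally no Content-Type and no body: the test needs an image load that yields nothing.`; otherwise restore the header.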
@@ -0,0 +1,17 @@ +"use strict"; + +function handleRequest(request, response) { + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Content-type", "image/bitmap"); + + let bmpheader = + "\x42\x4D\x36\x10\x0E\x00\x00\x00\x00\x00\x36\x00\x00\x00\x28\x00\x00\x00\x80\x02\x00\x00\xE0\x01\x00\x00\x01\x00\x18\x00\x00\x00\x00\x00\x00\x10\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; + let bmpdatapiece = + "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"; + + response.bodyOutputStream.write(bmpheader, 54); + // Fill 640*480*3 nulls + for (let i = 0; i < (640 * 480 * 3) / 64; ++i) { + response.bodyOutputStream.write(bmpdatapiece, 64); + } +} diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html b/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html new file mode 100644 index 0000000000..064783e0cb --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html @@ -0,0 +1,14 @@ + + + + + + + This is frame 1: + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframe2.html b/security/manager/ssl/tests/mochitest/mixedcontent/iframe2.html new file mode 100644 index 0000000000..37fc604ea6 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframe2.html @@ -0,0 +1,15 @@ + + + + + + + This is frame 2: + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframeMetaRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/iframeMetaRedirect.html new file mode 100644 index 0000000000..6c7a5473cb --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframeMetaRedirect.html @@ -0,0 +1,8 @@ + + + + + Redirecting by meta tag... + + 
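Review bot: `response.setHeader("Content-type", "image/bitmap")` in hugebmp.sjs uses a media type that is not registered; the registered type for BMP is `image/bmp`, so the image presumably decodes only because the loader sniffs the `BM` signature. If the test does not depend on the odd type, `response.setHeader("Content-type", "image/bmp");` is the safer value. The header bytes and the literal `54` are also unexplained: a comment noting that the header declares a 640x480, 24-bit image of 0x0E1036 bytes (54 + 640*480*3) would let a reader check the fill loop against it.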
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframesecredirect.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/iframesecredirect.sjs
new file mode 100644
index 0000000000..914391e8f5
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframesecredirect.sjs
@@ -0,0 +1,9 @@
+"use strict";
+
+function handleRequest(request, response) {
+ response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+ response.setHeader(
+ "Location",
+ "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html"
+ );
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs
new file mode 100644
index 0000000000..32afc824ea
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/iframeunsecredirect.sjs
@@ -0,0 +1,9 @@
+"use strict";
+
+function handleRequest(request, response) {
+ response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+ response.setHeader(
+ "Location",
+ "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/iframe.html"
+ );
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/imgsecredirect.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/imgsecredirect.sjs
new file mode 100644
index 0000000000..cb966a56d2
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/imgsecredirect.sjs
@@ -0,0 +1,9 @@
+"use strict";
+
+function handleRequest(request, response) {
+ response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+ response.setHeader(
+ "Location",
+ "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg"
+ );
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs
new file mode 100644
index 0000000000..d128ce2238
--- /dev/null
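Review bot: The reason phrase passed to `setStatusLine` in iframesecredirect.sjs is misspelled ("Moved temporarly") and does not match status 307, whose standard phrase is "Temporary Redirect"; the same line appears in iframeunsecredirect.sjs, imgsecredirect.sjs and imgunsecredirect.sjs. Clients ignore the phrase, so the tests are unaffected, but `response.setStatusLine(request.httpVersion, 307, "Temporary Redirect");` keeps captured traffic readable. The four handlers differ only in the scheme and target of the Location header, which a one-line header comment in each (for this file, `// 307 to the https:// copy of iframe.html`) would make visible at a glance.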
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/imgunsecredirect.sjs
@@ -0,0 +1,9 @@
+"use strict";
+
+function handleRequest(request, response) {
+ response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+ response.setHeader(
+ "Location",
+ "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg"
+ );
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/mixedContentTest.js b/security/manager/ssl/tests/mochitest/mixedcontent/mixedContentTest.js
new file mode 100644
index 0000000000..6c300b7fc3
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/mixedContentTest.js
@@ -0,0 +1,211 @@
+"use strict";
+
+/**
+ * Helper script for mixed content testing. It opens a new top-level window
+ * from a secure origin and '?runtest' query. That tells us to run the test
+ * body, function runTest(). Then we wait for call of finish(). On its first
+ * call it loads helper page 'backward.html' that immediately navigates
+ * back to the test secure test. This checks the bfcache. We got second call
+ * to onload and this time we call afterNavigationTest() function to let the
+ * test check security state after re-navigation back. Then we again wait for
+ * finish() call, that this time finishes completelly the test.
+ */
+
+// Tells the framework if to load the test in an insecure page (http://)
+var loadAsInsecure = false;
+// Set true to bypass the navigation forward/back test
+var bypassNavigationTest = false;
+// Set true to do forward/back navigation over an http:// page, test state leaks
+var navigateToInsecure = false;
+// Open the test in two separate windows, test requests sharing among windows
+var openTwoWindows = false;
+// Override the name of the test page to load, useful e.g. to prevent load
+// of images or other content before the test starts; this is actually
+// a 'redirect' to a different test page.
+var testPage = "";
+// Assign a function to this variable to have a clean up at the end
+var testCleanUp = null;
+// Contains mixed active content that needs to load to run the test
+var hasMixedActiveContent = false;
+
+// Internal variables
+var _windowCount = 0;
+
+window.onload = async function onLoad() {
+ if (location.search == "?runtest") {
+ try {
+ if (history.length == 1) {
+ // Each test that includes this helper file is supposed to define
+ // runTest(). See the top level comment.
+ await runTest(); // eslint-disable-line no-undef
+ } else {
+ // Each test that includes this helper file is supposed to define
+ // afterNavigationTest(). See the top level comment.
+ await afterNavigationTest(); // eslint-disable-line no-undef
+ }
+ } catch (ex) {
+ ok(false, "Exception thrown during test: " + ex);
+ finish();
+ }
+ } else {
+ window.addEventListener("message", onMessageReceived);
+
+ let secureTestLocation = loadAsInsecure
+ ? "http://example.com"
+ : "https://example.com";
+ secureTestLocation += location.pathname;
+ if (testPage != "") {
+ let array = secureTestLocation.split("/");
+ array.pop();
+ array.push(testPage);
+ secureTestLocation = array.join("/");
+ }
+ secureTestLocation += "?runtest";
+
+ if (hasMixedActiveContent) {
+ SpecialPowers.pushPrefEnv(
+ { set: [["security.mixed_content.block_active_content", false]] },
+ null
+ );
+ }
+ if (openTwoWindows) {
+ _windowCount = 2;
+ window.open(secureTestLocation, "_new1", "");
+ window.open(secureTestLocation, "_new2", "");
+ } else {
+ _windowCount = 1;
+ window.open(secureTestLocation);
+ }
+ }
+};
+
+function onMessageReceived(event) {
+ switch (event.data) {
+ // Indication of all test parts finish (from any of the frames)
+ case "done":
+ if (--_windowCount == 0) {
+ if (testCleanUp) {
+ testCleanUp();
+ }
+ if (hasMixedActiveContent) {
+ SpecialPowers.popPrefEnv(null);
+ }
+
+ SimpleTest.finish();
+ }
+ break;
+
+ // Any other message is an error or success message of a test.
+ default:
+ SimpleTest.ok(!event.data.match(/^FAILURE/), event.data);
+ break;
+ }
+}
+
+function postMsg(message) {
+ opener.postMessage(message, "http://mochi.test:8888");
+}
+
+function finish() {
+ if (history.length == 1 && !bypassNavigationTest) {
+ window.setTimeout(() => {
+ window.location.assign(
+ navigateToInsecure
+ ? "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/backward.html"
+ : "https://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/backward.html"
+ );
+ }, 0);
+ } else {
+ postMsg("done");
+ window.close();
+ }
+}
+
+function ok(a, message) {
+ if (!a) {
+ postMsg("FAILURE: " + message);
+ } else {
+ postMsg(message);
+ }
+}
+
+function is(a, b, message) {
+ if (a != b) {
+ postMsg(`FAILURE: ${message}, expected ${b} got ${a}`);
+ } else {
+ postMsg(`${message}, expected ${b} got ${a}`);
+ }
+}
+
+async function isSecurityState(expectedState, message, test) {
+ if (!test) {
+ test = ok;
+ }
+
+ let state = await SpecialPowers.getSecurityState(window);
+
+ let isInsecure =
+ state & SpecialPowers.Ci.nsIWebProgressListener.STATE_IS_INSECURE;
+ let isBroken =
+ state & SpecialPowers.Ci.nsIWebProgressListener.STATE_IS_BROKEN;
+ let isEV =
+ state & SpecialPowers.Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL;
+
+ let gotState = "secure";
+ if (isInsecure) {
+ gotState = "insecure";
+ } else if (isBroken) {
+ gotState = "broken";
+ } else if (isEV) {
+ gotState = "EV";
+ }
+
+ test(
+ gotState == expectedState,
+ (message || "") + ", expected " + expectedState + " got " + gotState
+ );
+
+ switch (expectedState) {
+ case "insecure":
+ test(
+ isInsecure && !isBroken && !isEV,
+ "for 'insecure' excpected flags [1,0,0], " + (message || "")
+ );
+ break;
+ case "broken":
+ test(
+ !isInsecure && isBroken && !isEV,
+ "for 'broken' expected flags [0,1,0], " + (message || "")
+ );
+ break;
+ case "secure":
+ test(
+ !isInsecure && !isBroken && !isEV,
+ "for 'secure' expected flags [0,0,0], " + (message || "")
+ );
+ break;
+ case "EV":
+ test(
+ !isInsecure && !isBroken && isEV,
+ "for 'EV' expected flags [0,0,1], " + (message || "")
+ );
+ break;
+ default:
+ throw new Error("Invalid isSecurityState state");
+ }
+}
+
+function waitForSecurityState(expectedState, callback) {
+ let roundsLeft = 200; // Wait for 20 seconds (=200*100ms)
+ let interval = window.setInterval(async () => {
+ await isSecurityState(expectedState, "", isok => {
+ if (isok) {
+ roundsLeft = 0;
+ }
+ });
+ if (!roundsLeft--) {
+ window.clearInterval(interval);
+ callback();
+ }
+ }, 100);
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/mochitest.ini b/security/manager/ssl/tests/mochitest/mixedcontent/mochitest.ini
new file mode 100644
index 0000000000..b0392c298a
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/mochitest.ini
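Review bot: `onMessageReceived` acts on any `message` event without looking at `event.origin`, although the child windows are only ever opened on `http://example.com` or `https://example.com` and `postMsg` already pins its own target origin. A guard at the top of the handler, `if (!["http://example.com", "https://example.com"].includes(event.origin)) { return; }`, keeps a stray frame from decrementing `_windowCount` or injecting a result string. The `default` branch also calls `event.data.match(...)`, which throws when the payload is not a string, so a `typeof event.data == "string"` check belongs in the same guard. Separately, `waitForSecurityState` invokes `callback()` after 200 rounds without reporting that the expected state was never reached; a short comment there should say the timeout is silent and the caller must assert the state itself.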
@@ -0,0 +1,65 @@
+[DEFAULT]
+prefs =
+ security.mixed_content.upgrade_display_content=false
+ dom.security.https_first=false
+support-files =
+ alloworigin.sjs
+ backward.html
+ bug329869.js
+ bug383369step2.html
+ bug383369step3.html
+ download.auto
+ download.auto^headers^
+ emptyimage.sjs
+ hugebmp.sjs
+ iframe.html
+ iframe2.html
+ iframeMetaRedirect.html
+ iframesecredirect.sjs
+ iframeunsecredirect.sjs
+ imgsecredirect.sjs
+ imgunsecredirect.sjs
+ mixedContentTest.js
+ moonsurface.jpg
+ nocontent.sjs
+ redirecttoemptyimage.sjs
+ somestyle.css
+ unsecureIframe.html
+ unsecurePictureDup.html
+
+[test_bug329869.html]
+[test_bug383369.html]
+skip-if = toolkit == 'android'
+[test_bug455367.html]
+[test_bug472986.html]
+[test_bug477118.html]
+[test_bug521461.html]
+[test_cssBefore1.html]
+[test_cssContent1.html]
+[test_cssContent2.html]
+[test_documentWrite1.html]
+[test_documentWrite2.html]
+[test_dynDelayedUnsecurePicture.html]
+[test_dynDelayedUnsecureXHR.html]
+[test_dynUnsecureBackground.html]
+[test_dynUnsecureIframeRedirect.html]
+[test_dynUnsecurePicture.html]
+[test_dynUnsecurePicturePreload.html]
+[test_dynUnsecureRedirect.html]
+disabled=intermitently fails, quite often, bug 487402
+[test_innerHtmlDelayedUnsecurePicture.html]
+[test_innerHtmlUnsecurePicture.html]
+[test_javascriptPicture.html]
+[test_secureAll.html]
+[test_securePicture.html]
+[test_unsecureBackground.html]
+[test_unsecureCSS.html]
+[test_unsecureIframe.html]
+[test_unsecureIframe2.html]
+[test_unsecureIframeMetaRedirect.html]
+disabled=intermittently fails, less often, bug 487632
+[test_unsecureIframeRedirect.html]
+[test_unsecurePicture.html]
+[test_unsecurePictureDup.html]
+[test_unsecurePictureInIframe.html]
+[test_unsecureRedirect.html]
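Review bot: The `prefs =` block in `[DEFAULT]` switches off `security.mixed_content.upgrade_display_content` and `dom.security.https_first` for every test in the directory, with no comment saying why. Presumably both must be off so that the `http://` images and pages these tests load are not upgraded to `https://` before the mixed-content state can be observed; that reasoning should be recorded next to the prefs, e.g. `# Keep http:// loads un-upgraded so the mixed-content security states under test are reachable.`. Without it the manifest reads as if two protections were disabled arbitrarily. The two `disabled=` entries further down also leave the img-redirect and meta-redirect-iframe cases unexercised, which deserves a tracking comment beside each.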
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg b/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg
new file mode 100644
index 0000000000..c0ffca256a
Binary files /dev/null and b/security/manager/ssl/tests/mochitest/mixedcontent/moonsurface.jpg differ
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/moz.build b/security/manager/ssl/tests/mochitest/mixedcontent/moz.build
new file mode 100644
index 0000000000..7c990fbc62
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/moz.build
@@ -0,0 +1,7 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+MOCHITEST_MANIFESTS += ["mochitest.ini"]
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/nocontent.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/nocontent.sjs
new file mode 100644
index 0000000000..d5d65cf8a4
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/nocontent.sjs
@@ -0,0 +1,5 @@
+"use strict";
+
+function handleRequest(request, response) {
+ response.setStatusLine(request.httpVersion, 204, "No Content");
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/redirecttoemptyimage.sjs b/security/manager/ssl/tests/mochitest/mixedcontent/redirecttoemptyimage.sjs
new file mode 100644
index 0000000000..98ed0a2f52
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/redirecttoemptyimage.sjs
@@ -0,0 +1,9 @@
+"use strict";
+
+function handleRequest(request, response) {
+ response.setStatusLine(request.httpVersion, 307, "Moved temporarly");
+ response.setHeader(
+ "Location",
+ "http://example.com/tests/security/manager/ssl/tests/mochitest/mixedcontent/emptyimage.sjs"
+ );
+}
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css b/security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css new file mode 100644 index 0000000000..9867e3c41e --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/somestyle.css @@ -0,0 +1,4 @@ +body +{ + background-color: lightBlue; +} diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug329869.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug329869.html new file mode 100644 index 0000000000..ccb9a8d9cf --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug329869.html @@ -0,0 +1,36 @@ + + + + dymanic script load + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug383369.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug383369.html new file mode 100644 index 0000000000..8341f83744 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug383369.html @@ -0,0 +1,89 @@ + + + + Bug 383369 test + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug455367.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug455367.html new file mode 100644 index 0000000000..d2ad64c454 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug455367.html @@ -0,0 +1,37 @@ + + + + No content image doesn't break security + + + + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug472986.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug472986.html new file mode 100644 index 0000000000..bd55a600ca --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug472986.html @@ -0,0 +1,46 @@ + + + + img.src replace + + + + + + + + + + + + + + + 
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug477118.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug477118.html new file mode 100644 index 0000000000..90932790f0 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug477118.html @@ -0,0 +1,34 @@ + + + + Bug 477118 + + + + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_bug521461.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug521461.html new file mode 100644 index 0000000000..59085a5ec4 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_bug521461.html @@ -0,0 +1,39 @@ + + + + Bug 521461 + + + + + + + + + + + +This is an unsecure page! diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_cssBefore1.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssBefore1.html new file mode 100644 index 0000000000..98cee1bb53 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssBefore1.html @@ -0,0 +1,42 @@ + + + + CSS :before styling 1 + + + + + + + + + + + + + +

+ There is a moon surface left to this text +

+ + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent1.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent1.html new file mode 100644 index 0000000000..5c5019ca78 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent1.html @@ -0,0 +1,41 @@ + + + + CSS conent styling 1 + + + + + + + + + + + + + + +

+ + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent2.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent2.html new file mode 100644 index 0000000000..19e5784334 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_cssContent2.html @@ -0,0 +1,46 @@ + + + + CSS conent styling 2 + + + + + + + + + + + + +

+ + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite1.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite1.html new file mode 100644 index 0000000000..90eca5bcdb --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite1.html @@ -0,0 +1,38 @@ + + + + document.write('<img src="http://">') + + + + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite2.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite2.html new file mode 100644 index 0000000000..e009fd4f54 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_documentWrite2.html @@ -0,0 +1,40 @@ + + + + document.write('<iframe src="http://">') + + + + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecurePicture.html new file mode 100644 index 0000000000..514902d047 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecurePicture.html @@ -0,0 +1,47 @@ + + + + img.src changes to unsecure test + + + + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecureXHR.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecureXHR.html new file mode 100644 index 0000000000..d9a8cc8af7 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynDelayedUnsecureXHR.html @@ -0,0 +1,48 @@ + + + + unsecure XHR test + + + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureBackground.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureBackground.html new file mode 100644 index 0000000000..fd66b21a64 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureBackground.html 
@@ -0,0 +1,44 @@ + + + + body.background changes to unsecure test + + + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureIframeRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureIframeRedirect.html new file mode 100644 index 0000000000..8934de4b79 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureIframeRedirect.html @@ -0,0 +1,44 @@ + + + + iframe.src changes to unsecure redirect test + + + + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicture.html new file mode 100644 index 0000000000..5ef5a28b2c --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicture.html @@ -0,0 +1,46 @@ + + + + img.src changes to unsecure test + + + + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicturePreload.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicturePreload.html new file mode 100644 index 0000000000..d8506e8cc5 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecurePicturePreload.html @@ -0,0 +1,36 @@ + + + + img.src changes to unsecure test + + + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureRedirect.html new file mode 100644 index 0000000000..a73c7f8619 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_dynUnsecureRedirect.html @@ -0,0 +1,39 @@ + + + + img.src changes to unsecure redirect test + + + + + + + + + + + 
diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlDelayedUnsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlDelayedUnsecurePicture.html new file mode 100644 index 0000000000..45bf140384 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlDelayedUnsecurePicture.html @@ -0,0 +1,42 @@ + + + + innerHTML changes to unsecure test + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlUnsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlUnsecurePicture.html new file mode 100644 index 0000000000..d8b3e5f6e0 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_innerHtmlUnsecurePicture.html @@ -0,0 +1,40 @@ + + + + innerHTML changes to unsecure test + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_javascriptPicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_javascriptPicture.html new file mode 100644 index 0000000000..66a28ce74e --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_javascriptPicture.html @@ -0,0 +1,34 @@ + + + + Secure img load + + + + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_secureAll.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_secureAll.html new file mode 100644 index 0000000000..efd754dd58 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_secureAll.html @@ -0,0 +1,42 @@ + + + + All secure anti-regression check + + + + + + + + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe2.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe2.html new file mode 100644 index 0000000000..8f49ecda51 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframe2.html 
@@ -0,0 +1,36 @@ + + + + Unsecure iframe load + + + + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeMetaRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeMetaRedirect.html new file mode 100644 index 0000000000..4eebbf5b22 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeMetaRedirect.html @@ -0,0 +1,36 @@ + + + + Unsecure redirect iframe load + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeRedirect.html new file mode 100644 index 0000000000..12a4233494 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureIframeRedirect.html @@ -0,0 +1,36 @@ + + + + Unsecure redirect iframe load + + + + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePicture.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePicture.html new file mode 100644 index 0000000000..3c19811db9 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePicture.html @@ -0,0 +1,34 @@ + + + + Unsecure img load + + + + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureDup.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureDup.html new file mode 100644 index 0000000000..81ed58ffde --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureDup.html @@ -0,0 +1,20 @@ + + + + Unsecure img load in two windows + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureInIframe.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureInIframe.html new file mode 100644 index 0000000000..21bcf5f810 --- /dev/null 
+++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecurePictureInIframe.html @@ -0,0 +1,36 @@ + + + + Unsecure img in iframe load + + + + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureRedirect.html b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureRedirect.html new file mode 100644 index 0000000000..82611ff3fe --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/test_unsecureRedirect.html @@ -0,0 +1,36 @@ + + + + Redirect from secure to unsecure img + + + + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/unsecureIframe.html b/security/manager/ssl/tests/mochitest/mixedcontent/unsecureIframe.html new file mode 100644 index 0000000000..2282677418 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/unsecureIframe.html @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/mixedcontent/unsecurePictureDup.html b/security/manager/ssl/tests/mochitest/mixedcontent/unsecurePictureDup.html new file mode 100644 index 0000000000..7ce3701620 --- /dev/null +++ b/security/manager/ssl/tests/mochitest/mixedcontent/unsecurePictureDup.html @@ -0,0 +1,34 @@ + + + + Unsecure img load in two windows + + + + + + + + + + + + + + + diff --git a/security/manager/ssl/tests/mochitest/moz.build b/security/manager/ssl/tests/mochitest/moz.build new file mode 100644 index 0000000000..ddb344c83c --- /dev/null +++ b/security/manager/ssl/tests/mochitest/moz.build @@ -0,0 +1,10 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +TEST_DIRS += [ + "browser", + "mixedcontent", +] 
diff --git a/security/manager/ssl/tests/moz.build b/security/manager/ssl/tests/moz.build
new file mode 100644
index 0000000000..d39ca0ff17
--- /dev/null
+++ b/security/manager/ssl/tests/moz.build
@@ -0,0 +1,17 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+DIRS += ["unit"]
+
+TEST_DIRS += [
+ "gtest",
+ "mochitest",
+]
+
+XPCSHELL_TESTS_MANIFESTS += ["unit/xpcshell.ini"]
+
+if not CONFIG["MOZ_NO_SMART_CARDS"]:
+ XPCSHELL_TESTS_MANIFESTS += ["unit/xpcshell-smartcards.ini"]
diff --git a/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem
new file mode 100644
index 0000000000..0887f60558
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6DCCAdCgAwIBAgIUAyI54Ss40HvhJFymYwne7lBQZJ8wDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAmMSQwIgYDVQQDDBtFRSB3aXRoIGJhZCBzdWJqZWN0QWx0TmFt +ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI +BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa +p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB +7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C +kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv +aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK +Ne2NAgMBAAGjHjAcMBoGA1UdEQQTMBGCDyouKi5leGFtcGxlLmNvbTANBgkqhkiG +9w0BAQsFAAOCAQEAMOjSTR1Tmp4baReRr6pvdH+HucpdIf5ZtH7Vn3h5e+Iuq9OO +Ugq9qquo3sR1IAIAsCxWA/HHZMQOU5X1BxmC5+CXMfHmC/+1vLsxjZozhizKzpMh +vtuJ33lgrwL30aTkF2IAPmqwu4akPFRdFGUtCL2LHeNGrO5UWQLDv7eDI8btkkm7 +AjV4u9y2/1W5um4KTQHWFzyl0iz1P5x/2MymBeiM4khRbQbfl8DmW6COLbhvPDEg +YPL4ibjmMwOuOUgZ6bCw5Ck/cR7Yz7vVIOMC21d7elqJKfQ5tg62ZGs3r7L+Ir5o +461gJUgzKhxT4MUQsLSCtKzSab9Rjg3pwfmHvQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem.certspec new file mode 100644 index 0000000000..1b368c26f1 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/badSubjectAltNames.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test CA +subject:EE with bad subjectAltNames +extension:subjectAlternativeName:*.*.example.com diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem new file mode 100644 index 0000000000..9faffde6d6 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDKzCCAhOgAwIBAgIUPU/rVUoMybyCeEAWx++fMAuZ6k0wDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8xOTQ2MDIxNDAwMDAwMFoYDzIwMzEw +MTAxMDAwMDAwWjAsMSowKAYDVQQDDCFCZWZvcmUgVU5JWCBFcG9jaCBUZXN0IEVu +ZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W +1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtq +ZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx +0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthV +t2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo +4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx +1QOs2hgKNe2NAgMBAAGjWzBZMCMGA1UdEQQcMBqCGGJlZm9yZS1lcG9jaC5leGFt +cGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2Nh +bGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBALocgfctX/9NDtkQ7zAkGl14 +UXkXBCq7vn5fKss2bCG7D6M/+Q4ZJ64/QXGK96tKqdJctiyIN3KArnk4/pWfYCQG +DgIHXFAgbKUQU0uiGmPwbPQnYq8la6VEarMrzWnGhqVPG1wsqiO1cnecycvm2W7W +9n7qvw3s2Gf0WZIQKqpNmuhouboeiK1xFxryLWiNaG087WPHb71e1C+1enVb/hJN +E1KD7dBtBh0sOC6bOFdc4BzhDHnDzPSznSqouotHf5U8YniKoPcDCml544msKwP8 +LCj3tG1VdMxL+p83ETDHG6GLUY20R0E6WJJfvfZ3hdxRUKgaAs+diT3xYXXYqTA= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem.certspec new file mode 100644 index 0000000000..ac97b2231a --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpoch.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Before UNIX Epoch Test End-entity +validity:19460214-20310101 +extension:subjectAlternativeName:before-epoch.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem new file mode 100644 index 0000000000..6cdfa86a25 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7zCCAdegAwIBAgIUL5tQyA2FR4V3eMcfGyWTxS4vmp0wDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8xOTQ2MDIxNDAwMDAwMFoYDzIwMzEw +MTAxMDAwMDAwWjAuMSwwKgYDVQQDDCNCZWZvcmUgVU5JWCBFcG9jaCBUZXN0IElu +dGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE +jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1 +a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p +GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW +2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO +p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR +xDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYw +DQYJKoZIhvcNAQELBQADggEBAGDlMbdxc1BHrn6l1svyskkHx68lSeTGVucIpClu +mJIT3rsTR5swYuyvrWe/gqkVqGRv2gIpMUYAJoHWjF4fRyWkIjJz5JnSP5qxFKKk +NFrjXFpGSqxJGtuMUNNGk7P30RLje5aE00bqrZHokfrokzChC3G3QJPOwvJtP1Gk +wldQ8AeoHu/u3oEB3caoC1QpFfgF5kunNETSIxX5bTmsjTSSJnJjnf46FQdbOWUh +P5Qkr6ZNK4ZAOIm+PRRyJ44JiHab+up/cEs17/T5dNcnHCy4TYXquNKwOe35qakm +iexwhKycaAEM0TcTI1OA5K4tCwFvaiOr4eTzxN28Cemd89E= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem.certspec new file mode 100644 index 0000000000..835e63f2b6 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochINT.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Before UNIX Epoch Test Intermediate +validity:19460214-20310101 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem new file mode 100644 index 0000000000..3c00353a49 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDWjCCAkKgAwIBAgIUGeo1nKP85zWT0JhJqZ5K3WQBKx0wDQYJKoZIhvcNAQEL +BQAwLjEsMCoGA1UEAwwjQmVmb3JlIFVOSVggRXBvY2ggVGVzdCBJbnRlcm1lZGlh +dGUwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowODE2MDQGA1UE +AwwtVGVzdCBFbmQtZW50aXR5IHdpdGggQmVmb3JlIFVOSVggRXBvY2ggaXNzdWVy +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2 +ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF +h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n +cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv +OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj +tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt +jQIDAQABo2IwYDAqBgNVHREEIzAhgh9iZWZvcmUtZXBvY2gtaXNzdWVyLmV4YW1w +bGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2Fs +aG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAb3Nv1Hxi4XlvI6yMMgFGEKiU +gWk9TLQgIkjXbVlyfxhNrJs8WcY1V56sIC8EoBaCsMEgh3htvAhkVJ9v6HEZqgP8 +lwtUpta8sniuMRogVPehIIU53HB0Fp2LzoEQB0UzS7mD0LNCubK0BPMsNdT+LwSQ +1sA7df8nQVdmLbcoFchQ1CaaSzyf8aFEWNuBiUF46j9BvcQykG8BhpDJ3+lV/Wl7 +wEXaFsW+/cEb0XBLQS/N+2B43+7EZQ9ZVOr1834V+d5jAFOHpyYfjVCySBd+VrRi +NXq0j86M0RrhKYUzYNQ+bj5NIqHVG+TNYFc7TX6sqGW8S5HJ0v4/bYe33SuTdw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem.certspec new file mode 100644 index 0000000000..9aabe21628 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochIssuer.pem.certspec @@ -0,0 +1,4 @@ +issuer:Before UNIX Epoch Test Intermediate +subject:Test End-entity with Before UNIX Epoch issuer +extension:subjectAlternativeName:before-epoch-issuer.example.com +extension:authorityInformationAccess:http://localhost:8888/ 
diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem new file mode 100644 index 0000000000..69972591d4 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNTCCAh2gAwIBAgIUCfV2HIsCkOeqHcXdhZf6ejBahIswDQYJKoZIhvcNAQEL +BQAwODE2MDQGA1UEAwwtU2VsZi1TaWduZWQgQmVmb3JlIFVOSVggRXBvY2ggVGVz +dCBFbmQtRW50aXR5MCIYDzE5NDYwMjE0MDAwMDAwWhgPMjAzMTAxMDEwMDAwMDBa +MDgxNjA0BgNVBAMMLVNlbGYtU2lnbmVkIEJlZm9yZSBVTklYIEVwb2NoIFRlc3Qg +RW5kLUVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE +jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1 +a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p +GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW +2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO +p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR +xDHVA6zaGAo17Y0CAwEAAaMzMDEwLwYDVR0RBCgwJoIkYmVmb3JlLWVwb2NoLXNl +bGYtc2lnbmVkLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBCrP9yopCm +BJSG6MIq3olV8meoQ2wIrCm2i1Ob2BI3JXW9CSjtnklmQaXzyEY6EnH7K/qzHMbz +prbtiM+e0GjwwYNDAe3Ad1kUjDUSVnMAYmtTJOYxhmGYztkmM2xkz9Tvn+M4U35A +GXimG82MDslBvDINDCPvwWsjst8oMwDAezpxZP2zZ/BrXbyUvOfCqyWQrRTNfSmF +Aub2UQBdjSCgwY5RpzJ2ib5IWmVm3vPQmhM69FwI3WzWsbOb6MYdyPpnVnlN626l +AwLjoaSP3F/lSgPzDqVKgx6rjqkYANPGaLLXdRH3ynJlxuW9JlamyuEypPIA0+Ml +rvaprkFh5rXU +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec new file mode 100644 index 0000000000..579e85e496 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/beforeEpochSelfSigned.pem.certspec 
@@ -0,0 +1,4 @@ +issuer:Self-Signed Before UNIX Epoch Test End-Entity +subject:Self-Signed Before UNIX Epoch Test End-Entity +validity:19460214-20310101 +extension:subjectAlternativeName:before-epoch-self-signed.example.com diff --git a/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem new file mode 100644 index 0000000000..354741fc50 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRTCCAi2gAwIBAgIUAywOkzxiH/uWcwxb85Yy3OI46WgwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAvMS0wKwYDVQQDDCRUZXN0IEludGVybWVkaWF0ZSB1c2VkIGFz +IEVuZC1FbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo +RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a +dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t +aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n +FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX +Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py +UcQx1QOs2hgKNe2NAgMBAAGjcjBwMAwGA1UdEwQFMAMBAf8wMgYIKwYBBQUHAQEE +JjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMCwGA1UdEQQl +MCOCIWNhLXVzZWQtYXMtZW5kLWVudGl0eS5leGFtcGxlLmNvbTANBgkqhkiG9w0B +AQsFAAOCAQEAN+g9N3uhls8y70fGORVEyYVjBmMCFeQz3DQw3u1J7+aHe6efygSP +OKPXW3SbHSxlPFIsicVSHO3sso3zUGoedMw0KSyni4tR4yQ9jllrqijVCWorqRbU +tlseF5hfw7DsKcl6jGA5UN0Aiq9SwKArdkRL+0Ykk0a/rxMEiOjf/Ao3ImfJnsCa +frDKqziMWOmQtxrVTabpgRqCd1gtTg4cCsy7Yto8v4Gn1N/EL8FAXGWOieWDQ2Iv +UFd9p0eTReBbRNC/QuZa7nEEAh4JO+JCAW4rHI6+beSPCT+lFQbF8sAJYSMGf0lb +LAwyUGAPPLRx+SweIClb4EO+iVAFuR0Tug== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem.certspec new file mode 100644 index 0000000000..8e16705b50 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/bad_certs/ca-used-as-end-entity.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate used as End-Entity
+extension:basicConstraints:cA,
+extension:authorityInformationAccess:http://localhost:8888/
+extension:subjectAlternativeName:ca-used-as-end-entity.example.com
diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.key b/security/manager/ssl/tests/unit/bad_certs/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.key
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null 
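Review bot: default-ee.key is an unencrypted RSA private key, and its modulus is the subject public key in default-ee.pem and ca-used-as-end-entity.pem on this page, so the key has to be treated as public and the certificates built on it give no assurance outside the tests. Nothing in the hunk marks the key as a throwaway; the only hint is the `default` keyspec added next to it. Trust in certificates built on this key (and on evroot.key further down) has to stay confined to the test profile. Secret scanning should allowlist the bad_certs path with that justification rather than have the rule switched off.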
+++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.pem b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem new file mode 100644 index 0000000000..5dc7cf4ef8 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDiTCCAnGgAwIBAgIUOYwND1zpte36abEsvdvudfnxjHgwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow +gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp +bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu +ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs +ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo +b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBr5H7lb24bMQYGDFY5qeMDNcti +AI4rI7Nu0aMvZtDcxqHkIg/a7nr7WeQc3gCg8mUJ6xvreXxRswrudZzjjsGiTbym +qjEz7HYrbvdWh5bLtdL7aoP1KmFD722guwdXVYQ7tx65oHroH+UCU28VT/+WzsHc +5OjBqZvR928aWEXwIen9lhdk/5Rq2IrFqCTuUrNR5aiP6gJZoy4nIh3IFIxqWzsm +lOjqvzSQIuo+gLN7oduafrwetpp8ywSrDVTtp9yckIHuW8css+OZLfqbFPMSFRJo +Qee+FhxaGgDoRGk8oVGYyTJYUPIReZa5dtNPKs1JQvdqhIeUwA3GnJBTFCan +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec new file mode 100644 index 0000000000..554339ff52 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec 
@@ -0,0 +1,4 @@ +issuer:Test CA +subject:Test End-entity +extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem new file mode 100644 index 0000000000..729808a76c --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/zCCAeegAwIBAgIUI58z0zygvl7soKf2Z7nS20tb80cwDQYJKoZIhvcNAQEL +BQAwHzEdMBsGA1UEAwwUTWlzc2luZyBJbnRlcm1lZGlhdGUwIhgPMjAyMTExMjcw +MDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowJzElMCMGA1UEAwwcZWUtZnJvbS1taXNz +aW5nLWludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG +8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V +gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3 +04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l +0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz +/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMnMCUwIwYDVR0RBBwwGoIJbG9jYWxob3N0 +gg0qLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAIik8evPkL8v8lNHey +GnsO5D21ZoBASKz5RQSiVrIUznEBnRpWSBUDbgIZWQCiP1TZBBpa9F2B6rA9VLM7 +HyetiyL2vEra2t9jH0zrHp0L+azwy1Keog2vFcuBmLEI9zOKvSyCLCAeQ0OlI6iS +wlNbbauU+UaPVffNk7g8yjM0SScktdA1Ve4/Dwu8OqJZ2XX+gb9pRlowFz4btCBL +Fo//5sz9CcagJN7c+Rpk2kOvomHe1pgnioNHYQmj6viGXN8AS7dPDXi8z08uxgJ/ +kCSUZeoZLVwRReEGCjhDOiLgCRx+/2mzs/xjuM+43g1hWfj7cce6iR4nfMRWAhsZ +3WRx +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem.certspec new file mode 100644 index 0000000000..48bb1c6e4a --- /dev/null 
+++ b/security/manager/ssl/tests/unit/bad_certs/ee-from-missing-intermediate.pem.certspec @@ -0,0 +1,3 @@ +issuer:Missing Intermediate +subject:ee-from-missing-intermediate +extension:subjectAlternativeName:localhost,*.example.com diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem new file mode 100644 index 0000000000..141c88fe42 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPjCCAiagAwIBAgIUDUVlzgTWxF+qWP8tpQ3tfmThWikwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjArMSkwJwYDVQQDEyBJbW1pbmVudGx5IERpc3RydXN0ZWQgRW5k +IEVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAAaNvMG0wNwYDVR0RBDAwLoIJbG9jYWxob3N0giFpbW1pbmVu +dGx5LWRpc3RydXN0ZWQuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsG +AQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IB +AQAA9rWfwMwc5IIktzvNVAv67CAKcvNoxxuik5vnQk51qglv/k+buamFEpW5nPxS +Rp8g6TL6Bqppgk4txyLa6+ffbNYoTrMNs29Tj8TjTohvrahYGN4rusXEAmAz7dNj +hY3nPDVOXG3u90iYHIJOwr/5xlSfjUFFVRBEO0ypt2qaTtbXBbP8JbNiYDFkRVbc +QGlnq5QiZCzaAQPDG7bOZp4U2ZObu0Vc2jrKfHL1K4Z1tlZdeYJ5M810dEO9GAyj +TwSRtbiSosWfRjxTH7AyfMn7OGTjoTPukYilLusCmpXy7NI+DOFLDicrNZP4uZ+B +pG67V1YevJXG5D0nKoAFKNOX +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem.certspec new file mode 100644 index 0000000000..dd8c6707ce --- /dev/null 
+++ b/security/manager/ssl/tests/unit/bad_certs/ee-imminently-distrusted.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:printableString/CN=Imminently Distrusted End Entity +extension:subjectAlternativeName:localhost,imminently-distrusted.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem new file mode 100644 index 0000000000..04c4f9f167 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDJTCCAg2gAwIBAgIUY+eX/gQmQBSMBZI1NjyBEpmUFYEwDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPVGVzdCBFbmQtZW50aXR5MCIYDzIwMjExMTI3MDAwMDAw +WhgPMjAyNDAyMDUwMDAwMDBaMB4xHDAaBgNVBAMME0VFIElzc3VlZCBieSBub24t +Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI +BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa +p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB +7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C +kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv +aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK +Ne2NAgMBAAGjWzBZMCMGA1UdEQQcMBqCCWxvY2FsaG9zdIINKi5leGFtcGxlLmNv +bTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6 +ODg4OC8wDQYJKoZIhvcNAQELBQADggEBAGG1ldwhUiaY+jVOyDZyQxN2tFCN3TOh +14tkKxzbx7o2awiLgNtOHAXMyb/6qwT+ktHwxtdA97wJGTYXMcAqAsD7ZtigINe3 +f63d/7uC7Ns7gnw++IFxGbjX7/cJSZMaqg35xMxcWtgt7pb7epXttz7hi2AD2LWu +jXwCQEVdoPmdOqMVvE4yg6VweKqepOKUoK4hrv8JUWRVT3mhGU53MZhCKNkQ+MiR +p/ECWX2XGtDKxp5KPYpmInYS2GN5XOpC/KhRAbssT4az0dgRNk1kFHsHUDd1xzq6 +BYhw+Bz+5poWVcf0IUsqjtYt/lOc+1LxXWF6vg443ARf1FXP6TEvLHs= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem.certspec new file mode 100644 index 0000000000..63c36d34b3 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByNonCA.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test End-entity +subject:EE Issued by non-CA +extension:subjectAlternativeName:localhost,*.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem new file mode 100644 index 0000000000..b1eedea530 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6jCCAdKgAwIBAgIUM7VyNhRBbWRLG2FoCiuqSMtzfOowDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVjEgQ2VydDAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAfMR0wGwYDVQQDDBRFRSBJc3N1ZWQgYnkgVjEgQ2VydDCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ +6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk +nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N +/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG +JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd +7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA +AaMnMCUwIwYDVR0RBBwwGoIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tMA0GCSqG +SIb3DQEBCwUAA4IBAQAXC7B3o4sVsRB3uopTCMVOxj/Doueqkh0u0QGSzB5JaA1L +ncJd8RNqfKpkwsSGF10ljmqYVU8yS2qWmswAIVU6tpGLMwqBgjqdpHtVUn/SLA3u +p67uFwvkj+k0nM9g/y1Uy5P2wnsq0FzAklApWVM2ePsCtDPEQ2M5tVggGYeHicEy +olOOWo28j1otCzACCJc11kBw80WmfGYl+/WUKWqHF3Mv4cBVJ53BRNm+ZTvzwBmK +wMulP4DX0NMNeS8vQkL3GBlBpGXDsz5yOkYizib/M+U1zalW7WYoSdmUT477iSFu +0NmUMXeRal7v+izGEVftwHFIRw2U80y9sCz7855c +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem.certspec new file mode 100644 index 0000000000..9ed9b33db7 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/eeIssuedByV1Cert.pem.certspec 
@@ -0,0 +1,3 @@ +issuer:V1 Cert +subject:EE Issued by V1 Cert +extension:subjectAlternativeName:localhost,*.example.com diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem new file mode 100644 index 0000000000..da9948c82e --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6TCCAdGgAwIBAgIUB4Wp0b3lv9F9ib3AeTvgSe1ehCIwDQYJKoZIhvcNAQEL +BQAwADAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAtMSswKQYD +VQQDDCJFbmQgZW50aXR5IHNpZ25lZCBieSBlbXB0eSBuYW1lIENBMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK +tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N +Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr +sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs +l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl +nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyow +KDAmBgNVHREEHzAdghtlbXB0eWlzc3Vlcm5hbWUuZXhhbXBsZS5jb20wDQYJKoZI +hvcNAQELBQADggEBAG7JkRGPBAyJMbMMYaHXWDUUxiJOc4yIPC7ykNhhHGpjD+Y5 +zTwxsasl1bmwfu7CY0Lv0dAwGLUkZvoEvKV/PH4NtFN8XVauT/Yq0Zc3ZaADUUFV +w2+HfFDIotGhLY1AFKqf4OCLzam5raYseTk5ogUu68ImPtxCC5HgE+EUpbfQurB7 +GQnxvXgfDPoBVYM8DKGAhkNJrhtO3naOH3181Au8fnYmaqvQeC7uXMPqph4pUZgl +i2wUpg1z5XeAEAZhs5qBfR7YvKrDh13cud94rSeoEEr7hSIOUfkXuxX4dLMDmjci +FqXlePARPBXNCbmdivysrKCZXocOS1aQiCOQHBo= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem.certspec new file mode 100644 index 0000000000..a99d84b79e --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/emptyIssuerName.pem.certspec @@ -0,0 +1,3 @@ +issuer: +subject:End entity signed by empty name CA +extension:subjectAlternativeName:emptyissuername.example.com 
diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem new file mode 100644 index 0000000000..7d4afb1d35 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICwTCCAamgAwIBAgIUfQaeKSLdERUr8AYc1REkbyViS6QwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohR +qESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+Kv +WnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+ +rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPv +JxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5 +Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6 +clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB +BjANBgkqhkiG9w0BAQsFAAOCAQEAnOQhNmRo+447vTeC4BzE03fSjmfV7RegozrU +ZHYOJzetUmNeOYZ2hJfgRA6ZBWbI67iCKfazjVP7aWg0yAOD/0Zua6jkkXB4plAi +O23XuUj3ZHMIRw//cuol7Aaiv4zkBQYCt6xJqnT/aXby6EANPqbMeO8GpemeZvfv +Q5VIeDN+1gTiinDQO84HELHqmefZkrSuafNzdWn9AlgciWPviAqhSdTpdjlKAHHJ +DP7dZ+vr94Z6stGkd74H6OqeGAAu4CXmlC4d2J+mBmbL6uVB4N7IXy4V0FSB9E+g +DlL4oJVqRs8f797Ks7o+nJHrl3/kkyYKbwL+A/tjke/OV5ST7A== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem.certspec new file mode 100644 index 0000000000..0a7cfdfd84 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/emptyNameCA.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject: +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem new file mode 100644 index 0000000000..b72b8bf238 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDOzCCAiOgAwIBAgIUUTQl0w6xynABX6J3RLxwd5dmb6cwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMB8xHTAbBgNVBAMMFGV2LXRlc3QtaW50ZXJtZWRpYXRlMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq +5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc +An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39 +ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk +zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u +JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB +o3kwdzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBHBggrBgEFBQcBAQQ7MDkw +NwYIKwYBBQUHMAGGK2h0dHA6Ly9sb2NhbGhvc3Q6ODg4OC9ldi10ZXN0LWludGVy +bWVkaWF0ZS8wEQYDVR0gBAowCDAGBgRVHSAAMA0GCSqGSIb3DQEBCwUAA4IBAQAd +YtclCaPr3EvDHKCLyZq0UiH8AIOdFC4Ii8t6+N1kn49R/yDVH2vQVzGAUGeZ8wNF +x6WqNWOhzNuaWx3D+iOcg6wTM8l3HPphsxfltjaTccWCS+VU3DfLWK+BStdf2SwT +zZYzaOtqphaCjD+zCmpEq/CipM5htDsj+ijfpGMbgm7pQroOj4RfS03Y27uy6bLW +lNQ/LvmMnN9vOH4ahTdSf4TP6a7Q2rQqgwX4hSjLWqd2OJerVjrGc5xlwmh6FhQn +ykhoFJsfuz4d/3N5aSugct03S1iLNVeA9RbeVokNfKB5AMJgZwhmCC2GSxhDIHPb +V6NmrlAx9nedbGwRopc9 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec new file mode 100644 index 0000000000..d5b5859672 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:ev-test-intermediate +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://localhost:8888/ev-test-intermediate/ +extension:certificatePolicies:any diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test.pem b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem new file mode 100644 index 0000000000..4bf9681537 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQjCCAiqgAwIBAgIUL2uvkW2WStYLtuliwgT2ffxO85UwDQYJKoZIhvcNAQEL +BQAwHzEdMBsGA1UEAwwUZXYtdGVzdC1pbnRlcm1lZGlhdGUwIhgPMjAyMTExMjcw +MDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowEjEQMA4GA1UEAwwHZXYtdGVzdDCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ +6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk +nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N +/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG +JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd +7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA +AaN/MH0wOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vbG9jYWxo +b3N0Ojg4ODgvZXYtdGVzdC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0 +CQEwHgYDVR0RBBcwFYITZXYtdGVzdC5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsF +AAOCAQEArR4O8KOT7AloCUSNOW7fCdaXfTOPjnCfXb+lA3UdnMOJYodXRGevmn9D ++A0/M84FzUyc+CqOww7Qv4VG203P1Km6JAajtN5E8WUf67uh0onYdtNquaQsTJ9+ +adib+uYK3b/8XSHk3m6CUz8dbuVAdM/VPv7wnbPk2iQe23CE6BO/vHwV2nBqbIa/ +veucNZF4W5Loelb8wwvx15ozXIWScZHuF9IYjQdXsweZ96h++d3QY+iLp8JGMhKN +Qtpfwo/XkvVbUeUhCpnUlx/oWzT/RjIRg8NoHUvX5rjQv8utRRTxju/yjnHh1HHM +NavCexSqWF0hX69JoniwAVZb6sGIHA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec new file mode 100644 index 0000000000..10f8022585 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec @@ -0,0 +1,5 @@ +issuer:ev-test-intermediate +subject:ev-test +extension:authorityInformationAccess:http://localhost:8888/ev-test/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.key b/security/manager/ssl/tests/unit/bad_certs/evroot.key new file mode 100644 index 0000000000..1d88a930d5 
--- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/evroot.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh ++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU +dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H +cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y +1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t +oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ +5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB +0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+ ++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE +vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9 +HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE +MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V +vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV +7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH +lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V +jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv +nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui +p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ +zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v +4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA +hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C +pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV +bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3 +mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j +LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf +UVFRDKpassHG6z7+kpXRbowlyRY= +-----END PRIVATE KEY----- 
diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec new file mode 100644 index 0000000000..1a3d76a550 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec @@ -0,0 +1 @@ +ev diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.pem b/security/manager/ssl/tests/unit/bad_certs/evroot.pem new file mode 100644 index 0000000000..13c3031905 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/evroot.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx +MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/ +EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN +RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s +33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd +Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX ++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw +AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+ +5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo +UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf +cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY +Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH +z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH +HmbOwao= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec new file mode 100644 index 0000000000..3121f3486e --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec 
@@ -0,0 +1,7 @@ +issuer:evroot +subject:evroot +subjectKey:ev +issuerKey:ev +validity:20150101-20350101 +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem new file mode 100644 index 0000000000..a7d657a970 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHDCCAgSgAwIBAgIUY9ERAIKj0js/YbhJoMrcLnj++uowDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAwMDAwMFoYDzIwMTQw +MTAxMDAwMDAwWjAiMSAwHgYDVQQDDBdFeHBpcmVkIFRlc3QgRW5kLWVudGl0eTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9 +PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3 +HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg +Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7 +EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK +lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C +AwEAAaNWMFQwHgYDVR0RBBcwFYITZXhwaXJlZC5leGFtcGxlLmNvbTAyBggrBgEF +BQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJ +KoZIhvcNAQELBQADggEBAImiFuy275T6b+Ud6gl/El6qpgWHUXeYiv2sp7d+HVzf +T+ow5WVsxI/GMKhdA43JaKT9gfMsbnP1qiI2zel3U+F7IAMO1CEr5FVdCOVTma5h +mu/81rkJLmZ8RQDWWOhZKyn/7aD7TH1C1e768yCt5E2DDl8mHil9zR8BPsoXwuS3 +L9zJ2JqNc60+hB8l297ZaSl0nbKffb47ukvn5kSJ7tI9n/fSXdj1JrukwjZP+74V +kQyNobaFzDZ+Zr3QmfbejEsY2EYnq8XuENgIO4DuYrm80/p6bMO6laB0Uv5W6uXZ +gBZdRTe1WMdYWGhmvnFFQmf+naeOOl6ryFwWwtnoK7I= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem.certspec new file mode 100644 index 0000000000..0a03bc36f4 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/expired-ee.pem.certspec 
@@ -0,0 +1,5 @@ +issuer:Test CA +subject:Expired Test End-entity +validity:20130101-20140101 +extension:subjectAlternativeName:expired.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem new file mode 100644 index 0000000000..e03d862761 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5TCCAc2gAwIBAgIUY9VlD+O8GH3DRfxtYTip4pS6eBYwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoYDzIwMTMw +MTAxMDAwMDAwWjAkMSIwIAYDVQQDDBlFeHBpcmVkIFRlc3QgSW50ZXJtZWRpYXRl +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2 +ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF +h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n +cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv +OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj +tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt +jQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B +AQsFAAOCAQEANf+C+WsnAgYfISDS37prll2DOGYWKajcVZNzkScDzNGkK2s0c/td +Mb+HXehqvYz20hT4wEwQZnPt9qMWH7bBEWiJfw85OINbKmG/i0gjZZDgbFMMdHvc +j6BXJoxL0gAy8fOQyTDuMNX0NBJzSmWhzBsL99BHAWdG6XXQTzSyumiekc8ip4GG +EhJvArbZwgIBigzdpbc/lQI0dR2qER0BUXamWU8fi2RuvQqtEi2ANjJHrWOillXU +PR3j0F2LyvoiYlhiNhE1g3JH4VYZ+3eboRCrjel4J3rZHksN17r6+Fla1/YZdz2l +nAGA5McLBKXYBVcARV4adXlBe1z79TiDeQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem.certspec new file mode 100644 index 0000000000..38a0abd8a4 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/expiredINT.pem.certspec 
@@ -0,0 +1,5 @@ +issuer:Test CA +subject:Expired Test Intermediate +validity:20110101-20130101 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem new file mode 100644 index 0000000000..b9d08b9795 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQDCCAiigAwIBAgIUI8ozCyw0+PlX8kSh6xCqm1S+kZwwDQYJKoZIhvcNAQEL +BQAwJDEiMCAGA1UEAwwZRXhwaXJlZCBUZXN0IEludGVybWVkaWF0ZTAiGA8yMDIx +MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAuMSwwKgYDVQQDDCNUZXN0IEVu +ZC1lbnRpdHkgd2l0aCBleHBpcmVkIGlzc3VlcjCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNcMFowJAYDVR0RBB0w +G4IZZXhwaXJlZGlzc3Vlci5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYI +KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQAD +ggEBADc3mhtwi4RO49fA5MWYiSDzLur0n6uvJFvLwrCFan5zb0GWCyJcvawUzxH3 +BpgNK7FmKeGPOE+mcjd35O3AgVeReWxy9RFXRAZsBThHZUGjEKi/D4kenNplg9I/ +x2DIjHlmjG9sDR2ibNo6pEOqWi2z+l3NcPpCvljJwz8FWms13AR4ns8c5mdjvBv2 +I3nvO/pezyaYVaAAV0h5EN/hQcTn1AuG/EAesigPAAg/ngm0QEJMfzvSX5z5M8Hg +s1wUbkPXIcNCkuQ/tibM4xBeOmd6+pcXyhWywl8Z0SbVHfLlRHb72t8YWgvwZjLY +YwAw1B7ii5wR+4I3ppmcdiKABok= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem.certspec new file mode 100644 index 0000000000..855f454221 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/expiredissuer.pem.certspec 
@@ -0,0 +1,4 @@ +issuer:Expired Test Intermediate +subject:Test End-entity with expired issuer +extension:subjectAlternativeName:expiredissuer.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem new file mode 100644 index 0000000000..d9af1411c0 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/TCCAeWgAwIBAgIUB1U85Lv+0j+a0CDGRThLAhFWSv0wDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAwwOVW5rbm93biBJc3N1ZXIwIhgPMjAyMTExMjcwMDAwMDBa +GA8yMDI0MDIwNTAwMDAwMFowGjEYMBYGA1UEAwwPSUROIENlcnRpZmljYXRlMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08 +E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc +1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP +DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ +gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV +YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID +AQABozgwNjA0BgNVHREELTArgilidWc0MTM5MDkueG4tLWh4YWpiaGVnMmF6M2Fs +LnhuLS1qeGFscGRscDANBgkqhkiG9w0BAQsFAAOCAQEAM0ukmmrbeVbEPB3KwnP2 +R1jHeTyVbRoQjQubHClDsoTQSD1evz3PWksfUE1D5e+jXC4DkQ8r9bgkYG1Hoy3A +g7i5hvROwGmp99vYP/xXX8n0EXn2aQXXyGWImAIiGiu9Obn+K86Cc53jGOOQMjIo +4cwvRdmVfxsPWupsbcW2RrZdyN1m+19SBAcGOH5jCwGfrEklUmmjxoMBYfFgBEiA +39RJKN/H8mHaaG/pVBObJtgimGMigYJU8E44fY8YloFc6NSfzgwwlVuwfnj9PSFU +/w2nZHpEwOZBdU4iUPydtAqUSEWZ8/GDzC2xg6SIzmQveFBp6BAQHg6udCTtZdSW +tQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec new file mode 100644 index 0000000000..b3d840fbd3 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec 
@@ -0,0 +1,3 @@ +issuer:Unknown Issuer +subject:IDN Certificate +extension:subjectAlternativeName:bug413909.xn--hxajbheg2az3al.xn--jxalpdlp diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key new file mode 100644 index 0000000000..d43495f851 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICcAIBADANBgkqhkiG9w0BAQEFAASCAlowggJWAgEAAoGAANKbsS+4T93NKbOl +GctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJaj7SBxZVNKqZ +BX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyvbXvmnZoIMTbh +WvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAQJ/PEllBwvzkMJR1aLFJ3xbX9C97oXK +1/4rJ5grsoURSlBwBANq4c+K5Usl5Ns5IVq9fpA/YYwtiy8IzGzRLbzNciBeSUW2 +s984nl5D3goUi7LITiQx/b5ZILBEuycvRez/ByG337YDl/xhOp6jXCIwBTDK6PkV +nFNN878JEJUZAQJAD58XWXyFuAUbnGmvtV71dsmW29CQR9DM3ludYOpcZ/5PrGe+ +gD9LasWj8FD3a5ZvsU9c8QV2HlrebdlgsYO6VQJADXtjcRLOYaVRaMD5yThvsnmr +QMug1Ukza7plJ3JjqseCYRosgdm2Nc94xAAYhZ4BjF6QBtEuPS7m80bnn6QzaQJA +Cf1smj6m6RrjIHD5/BwhD/k1L5e+XR7rlRuzloHp3FtnKlMiIbPYkAyanZm50KTh +AtxFDKG4ewsTid5lFsCuDQJAAUG4MkkbfdSoMwiSACTHnK5kvUR9+IO7TFZyqWur +SLcSOzTyYyRFLNzrF/IeVw40fL4v1MLY+ZEOrCy22JW4yQJABFjdau4YyIsvm4Hx +vDB1riDcH5lz0gck8gsGBD1hR8h4nUoHroi8gshDjIk+AXsTlH9i4LGJWKMetmSx +nmTT4A== +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key.keyspec new file mode 100644 index 0000000000..21ed73d60b --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.key.keyspec @@ -0,0 +1 @@ +rsa1016 diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem new file mode 100644 index 0000000000..6725f9e566 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtzCCAZ+gAwIBAgIUIREXOabfdCGvGyDuQgOBkzu20zEwDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMTExMjcwMDAw +MDBaGA8yMDI0MDIwNTAwMDAwMFowKTEnMCUGA1UEAwweSW5hZGVxdWF0ZSBLZXkg +U2l6ZSBFbmQtRW50aXR5MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgADSm7Ev +uE/dzSmzpRnLZsQ7jY+L5UW6eThM5mPtA991mRYA65IHkNJTDOzlRNuZpx8FiWo+ +0gcWVTSqmQV+R8R+O8ga2m+h4S43JotQRqVSaPna18y0hdgaLhnVDU8LaFSsr217 +5p2aCDE24Vr6j1PByMhPxgdyed0OVdc2mlvdAgMBAAGjZTBjMC0GA1UdEQQmMCSC +ImluYWRlcXVhdGUta2V5LXNpemUtZWUuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEE +JjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3 +DQEBCwUAA4IBAQA0rIC1XkHz6blfEbgKH79ausj4LhJtZHWVSoV1bAHfeSHoc97S +Q1UMai44eoJVBNdSpzZKr5yIu4xXFGkHUxG8JQ+TWpfaABs9V3ZpfCNjHkgn9fM1 +aBX0+cnyKE/e9k3FkQaIXBEBzXC/FM+F8eOXCucPWAWJIml31/TIteh3FE0P4zUP +kK8oqiRdG0flBxXoc4ZL4lekpq6SmZTKSrCxNZbFGUkANgxmtfRMhHZKpA35BqCv +JhSqU4VuYlBNq6c37yNK/5XD1QV0UpmhofKVRscqBl7bPJP/vqskogU0U1/6EQcf +MadiPI0GKVvPEwaBKl10jxhFaCtvRSyLTQBB +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem.certspec new file mode 100644 index 0000000000..02b595dc9a --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/inadequateKeySizeEE.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test Intermediate +subject:Inadequate Key Size End-Entity +subjectKey:rsa1016 +extension:subjectAlternativeName:inadequate-key-size-ee.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem new file mode 100644 index 0000000000..8374c1399b --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQTCCAimgAwIBAgIUN1pxcl/u0+W9JsxKsrvr8nDaWdEwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAvMS0wKwYDVQQDDCRJbmFkZXF1YXRlIEtleSBVc2FnZSBUZXN0 +IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo +RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a +dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t +aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n +FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX +Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py +UcQx1QOs2hgKNe2NAgMBAAGjbjBsMAsGA1UdDwQEAwIBAjApBgNVHREEIjAggh5p +bmFkZXF1YXRla2V5dXNhZ2UuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIG +CCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUA +A4IBAQBWJJ77vwC6xBIh2ANYJ+kthp/f4Hz9YxZko5W0TSoeTwNNnQ5SorZ5h8nQ +9fr471N4RvK1knH2dCR8fqlyJmf3sW8QQuHpKHHq6AaDbxXABRIGKC/k+Ykc5xdG +G6bI/+AlUmjN6fiRCL5ffL5WNXVq4b3edkOvfeKUxiCwoamOy7F4/fMBf+SB/D0+ +05n9tPJcnhll0ah2J0Cw8jiMOpks7nvzU31biKx06gLFwFwAIKTt/xih/nQZAhbq +m8UP9q1l3UwGxnHZ2r1K+zpO7sYwXk6TAK+9lKcJTheuy4aK1GE/czU/9BrP9WR+ +N/9WVK3KTS8r4EtrybjHMKUaS00V +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem.certspec new file mode 100644 index 0000000000..4d553890b9 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/inadequatekeyusage-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Inadequate Key Usage Test End-entity +extension:keyUsage:cRLSign +extension:subjectAlternativeName:inadequatekeyusage.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem new file mode 100644 index 0000000000..2269f4676e --- /dev/null 
+++ b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0DCCAbigAwIBAgIUPT3TDbFEvyL6hxMsXXAnhbUEvXAwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAUMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk +e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg +KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI +YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi +lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL +HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGDAWMBQGA1Ud +EQQNMAuCCTEyNy4wLjAuMTANBgkqhkiG9w0BAQsFAAOCAQEArvYJZIHcejci3ZW9 +BhYUPn3jv/byMmAvSzPHxy9AJk9ZEITGceiEAB/G5MUaG86/tuSmK2x50kTjezll ++KF4PWKjdzgUHUbQD3tgG4gc74the675k6xWAH9cCn9e1ZYX9vi7zEUPxFlKQnAa +SsnQQRobrLNoZsqJQ6tqui6lPvZ66jpKFDSFLE7FMfTYKLJJhhTsROCX4OY4YkUb +zXmozzMk1yK0Gy91x1IoqWl8Eua42TeM5klGrt4r+U6pwA8JsMXMusdmvZXwZYJS +1LFqRQsSLFxDqFicpJDvXp6TT9Z7TG/z2gdFPH+e+G+pdNQmVnm66SHmfRpf5JiO +F9rdOA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem.certspec new file mode 100644 index 0000000000..7662338470 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/ipAddressAsDNSNameInSAN.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test CA +subject:127.0.0.1 +extension:subjectAlternativeName:127.0.0.1 diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem new file mode 100644 index 0000000000..3f373d09f7 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNjCCAh6gAwIBAgIUGUp8qIucVUZ0D+cPoEILDVfteu8wDQYJKoZIhvcNAQEE +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoYDzIwMTMw +MTAxMDAwMDAwWjAvMS0wKwYDVQQDDCRUZXN0IE1ENVNpZ25hdHVyZS1FeHBpcmVk +IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo +RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a +dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t +aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n +FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX +Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py +UcQx1QOs2hgKNe2NAgMBAAGjYzBhMCsGA1UdEQQkMCKCIG1kNXNpZ25hdHVyZS1l +eHBpcmVkLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQQFAAOCAQEAYMtZZk0A +c3xvnK0PSwNxsWidAdOEY5uOKJTPT1LZFUQsNHw/2f7csfDneTeLNoCNKH7LPF3t +J+zwUMzq1Ut0vIRSs5r84P7LK7KaBRrSwWPSnTP90X4VX3IVIQ7dbwTkrlUaRzfs +B4Pqa/p2GVuvrLmbtmd2SDw+52GubJYVOF6u2s4KKgUGhHWtegzQOsVKTFEOoqBr +X3yDEJhK7M82NMiGtq3Fr5F0sLD6DuGL0Mm7ei9junSLS4sH0M+Hac2BVmXwYNTS +ekKzyjmZ1TYRlo2sCgYyYfCLcTOswG7uVHLU+ie0+Dbaik2NcolUgFNnC7Uk3E+t +DhSRNeOtKglSxw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem.certspec new file mode 100644 index 0000000000..e4c2b7008d --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/md5signature-expired.pem.certspec @@ -0,0 +1,6 @@ +issuer:Test CA +subject:Test MD5Signature-Expired End-entity +validity:20110101-20130101 +signature:md5WithRSAEncryption +extension:subjectAlternativeName:md5signature-expired.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature.pem b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem new file mode 100644 index 0000000000..c71d1b4c02 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDLDCCAhSgAwIBAgIUF9VdXuc6cyMkwLE5QkiaA5XGPGgwDQYJKoZIhvcNAQEE +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAtMSswKQYDVQQDDCJUZXN0IEVuZC1lbnRpdHkgd2l0aCBNRDUg +c2lnbmF0dXJlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO +FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr +amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka +sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY +VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n +aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE +MdUDrNoYCjXtjQIDAQABo1swWTAjBgNVHREEHDAaghhtZDVzaWduYXR1cmUuZXhh +bXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9j +YWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBBAUAA4IBAQAKDmz3Jd/rFPskUruCHHHb +GnWoyquul7YYH69Mxro9u8kfB0apfPzTUjdaXNVPmJn201NsMZQsooR3w7WvKw+O +WwZULevf5OBDuUUltHES6YDHZbUSPyzG9TDEruQUtFdhmAe+r0xrdacdkI391Pzv +ORdY3x2v3esRJY3DwbTdufKcqmQ0cmiMPRLGJsMBFjmvQdBFBB+iRtp9Jf+3shM2 +M2ZgKMw+gepEX23KXpJcdXI/s8SZhpO1xIzxwcH8sXM+JV7OpfecPfmrylTkA7BX +PgeD0Aj/BEtEQk4K+HgHZvriHNiukhCwGf/Hh7r5b+zothSAqAGD0iIwnXpja25B +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/md5signature.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem.certspec new file mode 100644 index 0000000000..02742d910e --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/md5signature.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Test End-entity with MD5 signature +signature:md5WithRSAEncryption +extension:subjectAlternativeName:md5signature.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem new file mode 100644 index 0000000000..d5782da2cd --- /dev/null 
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDKTCCAhGgAwIBAgIUXWNmi3NOMsq8iBKvohtG0kX2YFIwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDEzMDEwMTAwMDAwMFoYDzIwMTQw +MTAxMDAwMDAwWjArMSkwJwYDVQQDDCBNaXNtYXRjaC1FeHBpcmVkIFRlc3QgRW5k +LWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAAaNaMFgwIgYDVR0RBBswGYIXZG9lc250bWF0Y2guZXhhbXBs +ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo +b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCt7JzZlMgD/ZHZobiGxcfE/EPQ +/V405Xu7DGdTJh5cTiFF1h3sQl06BfrCEAo0yhOrpPyMtmhTI+rMyF7PvFWZMQ89 +bk9y4cZ7jG1NEd6B+jlYfD4mFbLR3AbMEbf6QVjYDK29+XnjnhvczT5NPPl8g7rF +6y1FhFcFMTGiGZCOyhCz0nXbG/LpP/alH+WucXRdpMLUQbEXEDzWOq5WJ1ZPS556 +2Ouurfr1mkydAlXCGc5RYPVLRY48CwX2z+kfHRnF4TCb3ck5oOlqabP+bc+HD7EE +UgEEdnE6zpUs1D7s8C8Mp89LUcXx+s51/ZUQvGE4btBMML0lNImwwbqxbv02 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem.certspec new file mode 100644 index 0000000000..262f08d6be --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-expired.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Mismatch-Expired Test End-entity +validity:20130101-20140101 +extension:subjectAlternativeName:doesntmatch.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem new file mode 100644 index 0000000000..b70a632693 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDLzCCAhegAwIBAgIUcYUtGOYg2nrx/OAYr+cxTZVbv34wDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDMzMDEwMTAwMDAwMFoYDzIwMzQw +MTAxMDAwMDAwWjAxMS8wLQYDVQQDDCZNaXNtYXRjaC1Ob3QgWWV0IFZhbGlkIFRl +c3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI +UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi +r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x +fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD +7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv +uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj ++nJRxDHVA6zaGAo17Y0CAwEAAaNaMFgwIgYDVR0RBBswGYIXZG9lc250bWF0Y2gu +ZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8v +bG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCu5v5Saw0htF59xmKf +CQJ7YI4M/TvuNJjhVdwq5phvEw3k+qweEdpLHERGu4nrzyDTMKqN8kXO6tXUspnh +LpXCvmaDLNxx/UyYofWslqYqFwM4vQ4l5QEUriR1ndMN256ELRSx2cEpWCi9xHMb +1cqB12ulLMCpitmK+NXpflViZy7HliTQOCdwhLPDNWRKsRF85EHOuFzcx4uqfWdw +5zwA0zVOYG21fyY51bhy4oy7HjTWUOrGi/klwzz2TEDTUX6nRHYagrFxO7C1GMlg +pe32InUfLU0rR8G9lP/tSug8HawSH/TCE+63jo2BGWaIYGSd+k11QzU+CsT15+A2 +tbAC +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem.certspec new file mode 100644 index 0000000000..947eb7d678 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-notYetValid.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Mismatch-Not Yet Valid Test End-entity +validity:20330101-20340101 +extension:subjectAlternativeName:doesntmatch.example.com +extension:authorityInformationAccess:http://localhost:8888/ 
diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem new file mode 100644 index 0000000000..4902855da5 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDOTCCAiGgAwIBAgIUO1bWrdrsbGfiDSe6i14vOA3vWsIwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoY +DzIwMTMwMTAxMDAwMDAwWjA1MTMwMQYDVQQDDCpNaXNtYXRjaC1VbnRydXN0ZWQt +RXhwaXJlZCBUZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9 +sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5 +TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7 +xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd +tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l +8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjWjBYMCIGA1UdEQQbMBmCF2Rv +ZXNudG1hdGNoLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw +AYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAlTFY +rHGARngEHz3XEngdY1E3hf2GdITTHssgVRvpW3IvNmUJDhk3zVqvjb2hIVDmxFRv +ad7yCKK7FQum2A1MKZh/Pl7ylWv6vkdtB8HSg9F5qYifyUD/XEjYp3uSrfAXW7Pp +XHZHgBR6nlOB1EpAqrLtpEjxMX6F0fcXClOlWf0UsPLv1M6JvPNns/4tbHBnrhfm +e0DqBMfZIJV7x633eZhpLQmOIA27rZtpElWZsA6Gtenl3szr8mpOgy3hxuEs9oFn +cigHg2ECzaOKM5ayTP0dc2OVbVgUX/2doF8pGHiIKdsThYNLNEOioBZjJhQlreZE +K67bzkMDhLQmMBUMtw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem.certspec new file mode 100644 index 0000000000..adc8ebaf8b --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted-expired.pem.certspec 
@@ -0,0 +1,5 @@ +issuer:Other test CA +subject:Mismatch-Untrusted-Expired Test End-entity +validity:20110101-20130101 +extension:subjectAlternativeName:doesntmatch.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem new file mode 100644 index 0000000000..bdbd0003c0 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMTCCAhmgAwIBAgIUI0pSyZahDeLfI4OrlVIzuliNY6owDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoY +DzIwMjQwMjA1MDAwMDAwWjAtMSswKQYDVQQDDCJNaXNtYXRjaC1VbnRydXN0ZWQg +VGVzdCBFbmQtZW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby +a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC +D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT +iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT +Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+ +SSP6clHEMdUDrNoYCjXtjQIDAQABo1owWDAiBgNVHREEGzAZghdkb2VzbnRtYXRj +aC5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6 +Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBABwg1CM4xUgHVS5v +VuYG6xH6YskAdK2L2G2E+M+4pp1+1vGt377o2B8PIhIpJ2lyf37PMn2DjpsgvB2T +lsl2IJpCa0WD0c6Wh+PzVF3B0rP7QtSdHGLIVbHYjRS6RtrC0tvleQaJF9KBTV2O +3mUSs5o4LW9brR2aFnoWBY6iENwdme/bttHZxivMnOXHK8nCC0LUVEO4lEqYPojo +oqFzGPHIdWNHF82u67zys6uZ4aVDZgPFeiOG/B62rhHivAv5am7FXWWpIJv1SKTR +SW6LElRNpgMxvjvjOfDfbGIpUw2H1QRIpWvygr7fdEYWr27x21UdaEwlZHE2yBeN +4OsHD8E= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem.certspec new file mode 100644 index 0000000000..91c5f548b6 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch-untrusted.pem.certspec @@ -0,0 +1,4 @@ +issuer:Other test CA +subject:Mismatch-Untrusted Test End-entity +extension:subjectAlternativeName:doesntmatch.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch.pem b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem new file mode 100644 index 0000000000..fe0a029e2b --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQDCCAiigAwIBAgIUQ8LmhXEMu/AAMhyTo605M/H4j2YwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAjMSEwHwYDVQQDDBhNaXNtYXRjaCBUZXN0IEVuZC1lbnRpdHkw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ +PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH +9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw +4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86 +exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0 +ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N +AgMBAAGjeTB3MEEGA1UdEQQ6MDiCF2RvZXNudG1hdGNoLmV4YW1wbGUuY29tgh0q +LmFsc29kb2VzbnRtYXRjaC5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYI +KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQAD +ggEBAEsOUlth9scSnOZ6d4h1kkf4G2bYfkStM+DHB45DYrAYr3a8l1oHfnPcXhvN +XMnT53sQ+BkTbx18OSlqo4ZSCbPPaJmHGNsqwqMMeCHDtE2do5uwimkT75Pwy9W+ +1LlTYOoRb5Ys4kY8ObpkhG8YM2W/mnQD6A70iusXaMyCiiP1fXdAPW8m2ltEeVne +mz8PxwI+opq8/9m+IBcX/cXyoec062cUU+FibhpoKXxPtSGSVEbxw2k8gbndHIj5 +DIbcyZwJvzb08dkYWKjwQ0tgGOUzzgvXTa8gEp179LaWQPsyxGRQdSmv/6WVijpR +7okOenn54XranHx+ObMSdNwKC24= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatch.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem.certspec new file mode 100644 index 0000000000..b93599fc88 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/bad_certs/mismatch.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Mismatch Test End-entity +extension:subjectAlternativeName:doesntmatch.example.com,*.alsodoesntmatch.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem new file mode 100644 index 0000000000..2be28b8a9f --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxDCCAaygAwIBAgIUaRjrHyGMBM67Q2Yf0pUNtNJYgHAwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAiMSAwHgYDVQQDDBdkb2VzbnRtYXRjaC5leGFtcGxlLmNvbTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9 +PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3 +HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg +Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7 +EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK +lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C +AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAd0ZB7G4WhIDaiyYcP2quL3AoqbudHoo8 +0gHA9vAnoGDaOdjlcornKAXyyA0qrUNxmxKS3WavOZnyeCeu+2//nHJOOORRqUC9 +5b+8neKnuRFcTYGW4iS7+cTbHWWYdLH5Mmef/xfcEiGWsV/+pxNdCGVBf4eOK+mk +0UqqcaOaO4HlC0mUyP39GR/WBYNMbtswAwqryAyXcBuAI5sq9vh4u9n+s+RMWUmD +3/bBtz9Bff/9ClWTJJMZt8CQoZ4CoA7zowTbqLvf5NpQ96bzbX2Z5qTEh7sCb5zA +mebrXm/pOBI9zTFYxqUMIwtGAbRZRfwHQBkQhMO3m3gKXu6tbWX2sA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem.certspec new file mode 100644 index 0000000000..86ef45b7ce --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mismatchCN.pem.certspec @@ -0,0 +1,2 @@ +issuer:Test CA +subject:doesntmatch.example.com 
diff --git a/security/manager/ssl/tests/unit/bad_certs/mitm.pem b/security/manager/ssl/tests/unit/bad_certs/mitm.pem new file mode 100644 index 0000000000..29181ab095 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mitm.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+jCCAeKgAwIBAgIUU4/FdNL/Ag71+mAHWRYV1h6cRF8wDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAwwOVGVzdCBNSVRNIFJvb3QwIhgPMjAyMTExMjcwMDAwMDBa +GA8yMDI0MDIwNTAwMDAwMFowMDEuMCwGA1UEAwwlVGVzdCBlbmQtZW50aXR5IGlz +c3VlZCBmcm9tIE1JVE0gUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab +bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts +Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI +H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8 +rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX +Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMfMB0wGwYDVR0RBBQwEoIQbWl0bS5l +eGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEABA5ake5/3963f88QiBP87rs/ +2jnsI8uly83Jk7tw9xvAR7H6OAdcj/FCiTvYwlPPUcUKdEZVwrRk4YJnklAqtCiR +9Li+i1g9ZbP2m+bIjJhg6vxQkKM3UeM17xERM7RdZ9o7axGozAmMl09gBGvSUVbD +H2DsimUcD3iRjGyA9PH/IAOvCPK2Y5e6KyrrtqDgpgY4uMPMZq7P5spqf7DkLrW3 +TckaoxbyEiTy/EhwVmWS3AWHA7PJmD7BTUs6+m9AXnnHy4NjPQfAMALBhn6lCHe0 +QbxomBFUE/VvCk1mz9aPJvYRIl4zscMgCXTEbVqhnXck8b/GAs1xsrmvSUiVtw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/mitm.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/mitm.pem.certspec new file mode 100644 index 0000000000..1439391f1b --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/mitm.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test MITM Root +subject:Test end-entity issued from MITM Root +extension:subjectAlternativeName:mitm.example.com diff --git a/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem new file mode 100644 index 0000000000..daba5ce3c2 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDAzCCAeugAwIBAgIUe4uQBKpHl7C9PFr1wsXlC3MT1N4wDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjApMScwJQYDVQQDDB5FbmQtZW50aXR5IHdpdGggbm8gdmFsaWQg +bmFtZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAGjNjA0MDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0 +cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAe1q3Kik/TDQW +xhdRwHXBY+H5vwT6oWRNHj3KPH/fOwjNpSy5yEO0UIKDPzGzwb8yso7HDk+W+SrO +n4Y+O6nRJbA+qU2ntCyzD5FfAuRqSuT0v6dVnzzgCOFtqwctr3W6CYAxMBm05shl +kJcvW0mU7sDvVTQLWU41AAHN7UBHHK57rJIqJEvBIJN2hGm3yhEfj/XceAuFx33a +fiZ4hUtYBlkrrbl/lVw3AwB0DDGIkngOShK+eSRmXtXd8anKtzKkMHAVDhn9/dFh +FNI0R/FLdKo8Jb7DSXdBCufRwnHeZjeyzm4hWIofI2x+ibByQDYTOphv0YcDDoR5 +zlyArDIhog== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem.certspec new file mode 100644 index 0000000000..87088e87e5 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/noValidNames.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test CA +subject:End-entity with no valid names +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem new file mode 100644 index 0000000000..79cc10aa68 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDJjCCAg6gAwIBAgIUH+AmYB0Pf6g+gBjtVqu94DStb3UwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDMxMDEwMTAwMDAwMFoYDzIwMzIw +MTAxMDAwMDAwWjAoMSYwJAYDVQQDDB1Ob3QgWWV0IFZhbGlkIFRlc3QgRW5kLWVu +dGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u +togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6 +pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL +KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq +fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv +Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za +GAo17Y0CAwEAAaNaMFgwIgYDVR0RBBswGYIXbm90eWV0dmFsaWQuZXhhbXBsZS5j +b20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0 +Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQB1xgChilLhS38NJG3FU3vyD8LN3uGV +wgzFB33egzO4s4GkPK5zjGpkyQG0ofYFmlbP8NpVrjKykbhbgusdvsZOknuPBBAJ +jgHDrt5fdT4ah7xlRr+o4KC8RpYOZ8pGy6eoheCZZdNvhV3cDVxYWrkFZbdbtvw9 +YqqgpgiFx/j85ZqFudq/ApdMwcueZWPjmc47Y2fsTtrqO7rVVtX9FrG4O3BWcrVH +5RJpwN5mBsC//zNhhuvaGNWZB3XGNH0wgxEweI+cpfufWHnshJFKoEESJBrdHywz ++kuH3ha9W3JwyorON9M7uduDBdUBsjwjwLpYLd+Saie6X+XjROrGYe8f +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem.certspec new file mode 100644 index 0000000000..5b60c29ebe --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/notYetValid.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Not Yet Valid Test End-entity +validity:20310101-20320101 +extension:subjectAlternativeName:notyetvalid.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem new file mode 100644 index 0000000000..0a111582bf --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6zCCAdOgAwIBAgIUW7kXNYkW5OLObAOtdMQ9uL8FHUkwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDMxMDEwMTAwMDAwMFoYDzIwMzMw +MTAxMDAwMDAwWjAqMSgwJgYDVQQDDB9Ob3QgWWV0IFZhbGlkIFRlc3QgSW50ZXJt +ZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB +/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRx +CHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMC +OosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdm +Wqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGz +ey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUD +rNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq +hkiG9w0BAQsFAAOCAQEAJgm8BvVnIEy9uGjgTxLcNnIoOZeLgQ9CPrNir6RHzGIK +1hIHcNCDdC2mDc9DvyQ8MQPzJvAiMAOvo1v8yHDijC/mmYi6hTGuC6hDxF2YHKXu +8VZZOSMdaE9pkKUQ8sckzKMS+Oxw8EJOV7VeW/WZsSLKSpba0qAioae7wEBMg0QS +0Mp72+l4nMMUG5T/gzea6gy/nGTb0ghV97K1r5jekFNuy1pZZbKun9lLd9KJNmEs +XiJCn2M7Ce3nEhJfaJcDmz9sde4HOlJ/BVLV9ljkOL2cQ3TxdEkLT9/Unp9dmcLo +1sdvWkwimWiKT3XAs6Df64uM4GYl3PqPH5tQmUyPFg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem.certspec new file mode 100644 index 0000000000..8a00f2ee23 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidINT.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Not Yet Valid Test Intermediate +validity:20310101-20330101 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem new file mode 100644 index 0000000000..1fb6797b43 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDUDCCAjigAwIBAgIUfcJn/g+oQNFi8fCskf4b5iUfOVQwDQYJKoZIhvcNAQEL +BQAwKjEoMCYGA1UEAwwfTm90IFlldCBWYWxpZCBUZXN0IEludGVybWVkaWF0ZTAi +GA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjA0MTIwMAYDVQQDDClU +ZXN0IEVuZC1lbnRpdHkgd2l0aCBub3QgeWV0IHZhbGlkIGlzc3VlcjCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1 +SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+ +zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL +K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc +bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW +JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNg +MF4wKAYDVR0RBCEwH4Idbm90eWV0dmFsaWRpc3N1ZXIuZXhhbXBsZS5jb20wMgYI +KwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgv +MA0GCSqGSIb3DQEBCwUAA4IBAQCBdqR1GuJPvGxqGIJ1LxBnXfO7hd7uwJhPavoD +8I9x+c7xy3avQat3GgC+IeWUTp7yr5VVNf/XXfi0nDo1RCiD10QsPVJ4FIXJi9VS +pIorZQBorqAYmpEzV57wTvoIAJGFZLqBrgLZjQQU9x3TmnH0rm30ZMKWNxQTflSt +PdqIw9twMtJ1SvYEFpaGHakCWng6bdwC31E4b8+6MD90vsA/8/p7T3HQ3CmDRa0c +3jTKZZ2QF+bqYzSxw3M190UE2hJVj61WHnFodkWUF0Zye/e3EsVlIt9nPmjPQVSS +BSMXf8JdX88ozxwbgDyzdBpKY+c7IEpow1EOwbTyG907vkFs +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem.certspec new file mode 100644 index 0000000000..d8420898e7 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/notYetValidIssuer.pem.certspec @@ -0,0 +1,4 @@ +issuer:Not Yet Valid Test Intermediate +subject:Test End-entity with not yet valid issuer +extension:subjectAlternativeName:notyetvalidissuer.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem new file mode 100644 index 0000000000..4f3dba1d61 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/zCCAeegAwIBAgIUX1ns5qA13/2mu4/kkB99AW7E32MwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAeMRwwGgYDVQQDDBNuc0NlcnRUeXBlIENyaXRpY2FsMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq +5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc +An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39 +ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk +zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u +JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB +oz0wOzAjBgNVHREEHDAagglsb2NhbGhvc3SCDSouZXhhbXBsZS5jb20wFAYJYIZI +AYb4QgEBAQH/BAQDAgZAMA0GCSqGSIb3DQEBCwUAA4IBAQAzZtCyx0wSezpVnRYF +stt0iAJyTPXPQNppz30cACWIEGPf88CvlYN/4LLFVRZ1Q1IuRghChDIYSv66qGt5 +D9RZRPzMhJ9FyQbh7UQ8pgSa6MoyaALLydACO7yZQgl3VCFEOzTsYwgasrJ0xK5I +670hkVIPEDlfUxs+afvq0uzdJnuFpI3BdlSmAs9+EK4t5Dh+1msuYmdjl2D+7BRS +SW7UTLB7EskZtWTNBGmhsIC7sUOamDlUYVbjV3Dt3Q/845sl/a9lsNZawzxzEn6X +oPorbWHwvplhtx8Z4xa/d7PgyN/11x0HB/wT/oNLfWkDuas73ObfiPS3ud0NuyTz +1VYg +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem.certspec new file mode 100644 index 0000000000..b236bdea47 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCritical.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:nsCertType Critical +extension:subjectAlternativeName:localhost,*.example.com +extension:nsCertType[critical]:sslServer diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem new file mode 100644 index 0000000000..58271b08ee --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMDCCAhigAwIBAgIUd+v+QT/3riqABXPmtHDCRIIxatYwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAvMS0wKwYDVQQDDCRuc0NlcnRUeXBlIENyaXRpY2FsIFdpdGgg +ZXh0S2V5VXNhZ2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo +RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a +dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t +aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n +FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX +Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py +UcQx1QOs2hgKNe2NAgMBAAGjXTBbMCMGA1UdEQQcMBqCCWxvY2FsaG9zdIINKi5l +eGFtcGxlLmNvbTAUBglghkgBhvhCAQEBAf8EBAMCBkAwCQYDVR0TBAIwADATBgNV +HSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEAKVajR2vlz1QcIzlK +B23stAjqBtcf+DJI0bwSNWjfJ02fugSDo2H1tTQlNjzA2ayqkMLKdB7Ku7GFrz3U +VX2Xx0iMeaCumQdETIdEz2MhtlStPQcTZ22t4Pb9sMFZQmyeTMH6cU831myosyGa +LvGDYQMHIpml9XIi4gqLzyLQI9rshlsgvKN8vp0nyAERQYjw26x3U9Od6jYZzeOm +73E8KJ2zLOMRbxzz0HjeEkxCMcSjW+AdXL15w/d0B7+Uw2ZdFRMOGtxnwf6F9bgM +l5uCj5D3hsdfhoAF6sPHZDKGK+TbO0ZGjpOXRAZsTEN/jsR5evRN0lIE0vJ6dSHA +N1uLVw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem.certspec new file mode 100644 index 0000000000..0ae63e20f2 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeCriticalWithExtKeyUsage.pem.certspec @@ -0,0 +1,6 @@ +issuer:Test CA +subject:nsCertType Critical With extKeyUsage +extension:subjectAlternativeName:localhost,*.example.com +extension:nsCertType[critical]:sslServer +extension:basicConstraints:, +extension:extKeyUsage:serverAuth diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem new file mode 100644 index 0000000000..3aa7d7c6c1 
--- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDADCCAeigAwIBAgIUCQTyCes+6a+Y+69OlFxl12IzBpswDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAiMSAwHgYDVQQDDBduc0NlcnRUeXBlIE5vdCBDcml0aWNhbDCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9 +PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3 +HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg +Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7 +EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK +lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C +AwEAAaM6MDgwIwYDVR0RBBwwGoIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tMBEG +CWCGSAGG+EIBAQQEAwIGQDANBgkqhkiG9w0BAQsFAAOCAQEAqYcAU8y2+5/Wfl3F +ERZGxefQeivQXfa4pZg67fiN2Y0rNWodmTmOVlqFyBVwTO3q2Y63SBI/FyIB7dzV +wUPW0GHk3WaGO7mOXB5H2URqlrdXJh/Tn7hXUHq+85tr3TgysWsJJZ/2CCve2OtX +Jr1F3XiPvtHnHyKz8vONQrkIx93l+uSh/Jjr1M4Y+96XOgRLe3UBQ0KzWZVjeyP5 +i3yS4bZbNUyjk2uYvniY0nlJo0pSpD9tXLMiTrc0rSAj/0uvxI216YI0CptvypHY +/G/U2ZTvk96bmL/9zily1tmmjZT+tznnzTnsTSszPBzkU4gpJ3avWnbBxoC76JAN +bf9Uig== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem.certspec new file mode 100644 index 0000000000..a44a1feeef --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/nsCertTypeNotCritical.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:nsCertType Not Critical +extension:subjectAlternativeName:localhost,*.example.com +extension:nsCertType:sslServer diff --git a/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem new file mode 100644 index 0000000000..f4ee143e74 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDfzCCAmegAwIBAgIUUTjaq6eT9McB+Ix6ki/STTQfzwgwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoY +DzIwMjQwMjA1MDAwMDAwWjAnMSUwIwYDVQQDDBxXcm9uZyBDQSBQaW4gVGVzdCBF +bmQtRW50aXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwXXGUmYJ +n3cIKmeR8bh2w39c5TiwbErNIrHL1G+mWtoq3UHIwkmKxKOzwfYUh/QbaYlBvYCl +HDwSAkTFhKTESDMF5ROMAQbPCL6ahidguuai6PNvI8XZgxO53683g0XazlHU1tzS +pss8xwbrzTBw7JjM5AqlkdcpWn9xxb5maR0rLf7ISURZC8Wj6kn9k7HXU0BfF3N2 +mZWGZiVHl+1CaQiICBFCIGmYikP+5Izmh4HdIramnNKDdRMfkysSjOKG+n0lHAYq +0n7wFvGHzdVOgys1uJMPdLqQqovHYWckKrH9bWIUDRjEwLjGj8N0hFcyStfehuZV +Lx0eGR1xIWjTuwIDAQABo4GtMIGqMHQGA1UdEQRtMGuCKCouaW5jbHVkZS1zdWJk +b21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5z +LnBpbm5pbmcuZXhhbXBsZS5jb22CFSoucGlubmluZy5leGFtcGxlLmNvbTAyBggr +BgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8w +DQYJKoZIhvcNAQELBQADggEBACq2BJPXiEEa2S95CPlJuTxEZMyzrrWWhdEHsLHP +raOfY3Ct/XziwlYO3CJ7NrVGfrHmrBbROLqenbXLD0HwQp/WxY61fOIQeALVZmCU +sxsDYiLhdFTyT7K/vd33SW+Mq2+L6yWr8B6ElSidNCnQdExcnROkwy8mjPEitq3o +2iEDBeCfVG3aOo5AxW/JJFeusyRU6+Jo6voM2mpzpTVjEx22SoJBORon4knQsw42 +OjyD8SeU2n7Rwq5biDHQP+y8Gx7bZt5UFIaE/nLP7Hn+8NQau8bJihrK2yCdKJCK +VKx9rPxi9I6txANEx33WCzlxq5Bi8PZHH6aduLGofTFFNR8= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem.certspec new file mode 100644 index 0000000000..a905a66ac2 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/other-issuer-ee.pem.certspec @@ -0,0 +1,6 @@ +issuer:Other test CA +subject:Wrong CA Pin Test End-Entity +issuerKey:alternate +subjectKey:alternate +extension:subjectAlternativeName:*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com,*.pinning.example.com +extension:authorityInformationAccess:http://localhost:8888/ 
diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key
new file mode 100644
index 0000000000..abde350c28
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBdcZSZgmfdwgq +Z5HxuHbDf1zlOLBsSs0iscvUb6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBIC +RMWEpMRIMwXlE4wBBs8IvpqGJ2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzH +BuvNMHDsmMzkCqWR1ylaf3HFvmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZm +JUeX7UJpCIgIEUIgaZiKQ/7kjOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW +8YfN1U6DKzW4kw90upCqi8dhZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4Z +HXEhaNO7AgMBAAECggEAfj9tfLg572auXX3ZL/VBC7NB3BRyjTkDRXDho3B5DzDw +aBNV//QeKtTpqdn86/vRJ736uMAK/7Hzzqcyfq1HqhYh8qwe4UygLwSzsnhgF5gL +GBpEnQOwPmnRErg1ceVUNPASBWV10oMu1nMdznmeN8g/bVHFWrcetYAVrwXhrxXH +R2A+9/J9A6b/BJ2Wu/hUweTlDvWwWND7CBgOCsf3vo8v8Wc9l/yeVduoOAd7v4p8 +/ylihXeFJpzZ1brStXRp5K/NM8TKLS9pnxHnyPvc1ITwjY77ijy4qXLrJL7Zcu+q +5LtxIJPkj+lKRutimodQeMQCGposk8mnA5Dp0KVEAQKBgQDmP8clprp2klp/+MtZ +xPVt1+yD/oW/H1PhHKyagSWLz8CugZB3sPLRR3qvho3mqOy+r3uyKxlvKprYLTKG +8NDMKd5xnl8r6OUJtyhNWWPt02L5J4h6TEqJeZ00DVGzAax2AasnF5Ak/KrdOL9l +Iq9j6xZGHsAqfyewb+Cd3afAoQKBgQDXGLH+n4+Z8A6DKuH73G/iqyfzTgScSYAQ ++g63CEhSGCNGCDtclsPu5VksAUpBDGuTCxZcE7XCaqMurG58klqFUcJRNPL0pyxk +IfGacxSKDt+rpdOmiIs1y6GMAP047lqvC1RXMdcgdhu8ze50SlLKQV6Y5N4Bzf52 +TBlns+jK2wKBgAHlrKJmyUqI0i4TwrkuokcRbGV6B2gXvf0w20s6nTCVuaS2dJZH +4vhOenhPx4OLCMhZcc96A2+jDjuRw8TQ3yePgMG26FnYRWrbE33vqp8fCsW6yakY +T9TqJ51yLqYm8WDXiq17yDhFzLKd8RXIP2G3YiuZvUOcYJtXkKY8WVGBAoGBAIDM +RdENJITuDRKX/Ae/gLO+/0Yeon4fOPNxeJw69mtKDt0hksIneR208cd64ka/NC8x +hWsPVlgbWKlbETHAxTltsqjDxvOeouM2vCBa5qKgs2hp/KmMu6czzwExmm+bsmt8 +oj0wF/xVHNjaiv3Rf2+i4w00hoeYHNYjTVcekLffAoGAb3fAwfKuesFpVhzKSZxS +vfvgTN3M29wSrsWoVpHoWUt+4pkI8w57lqpiVLgO1K7sm5k3gr38ebadjVjGiHD6 +S+G8DDUnKIxcgrtK668V7f8RBAP8eOas5qgoJ79C8M+nUeUHZRxWONuTk90j3R9r +KVFR3kS3f+Vaew3yceGaZcA= +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key.keyspec b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key.keyspec new file mode 100644 index 0000000000..cbd5f309c0 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.key.keyspec @@ -0,0 +1 @@ +alternate diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem new file mode 100644 index 0000000000..a2e264030a --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3zCCAcegAwIBAgIURym6o+VN9xgZXT/QLrvN/nv1ZN4wDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoY +DzIwMjUwMTAxMDAwMDAwWjAYMRYwFAYDVQQDDA1PdGhlciB0ZXN0IENBMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2w39c5Tiw +bErNIrHL1G+mWtoq3UHIwkmKxKOzwfYUh/QbaYlBvYClHDwSAkTFhKTESDMF5ROM +AQbPCL6ahidguuai6PNvI8XZgxO53683g0XazlHU1tzSpss8xwbrzTBw7JjM5Aql +kdcpWn9xxb5maR0rLf7ISURZC8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1CaQiICBFC +IGmYikP+5Izmh4HdIramnNKDdRMfkysSjOKG+n0lHAYq0n7wFvGHzdVOgys1uJMP +dLqQqovHYWckKrH9bWIUDRjEwLjGj8N0hFcyStfehuZVLx0eGR1xIWjTuwIDAQAB +ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC +AQEAtXplrvls6HSbbibpzfGxOPmSuh2TH05bE4vQk+d7Kz6EOAFvgTiZbLwTxbrQ +gfrM05t+67C2nAeiwAtW34nUnu6S8MYA6mJjURWICbl7cAvCHuNjg1atVr6f1Y+9 +VFFG6aUibw3bzKneREmDEVcxlEWUaMvv/JjfyMA5veSyX6iTJYkIBrEiVV5Alzg5 +yVHBi6+tpuJDO/YLlG8kmfzkYeJkTyAGx1EJ2yQHim7R232638yb0KrhS4zKsfFU +egHhM4c+MpiCLc9q2EgblbYGx5GM+2leuzXunj1KPClHFrnmkRRm3rcESG2pK9RN +/48Nd38VNofRojEbzDSCdOFmow== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem.certspec new file mode 100644 index 0000000000..3bc975aa22 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/other-test-ca.pem.certspec @@ -0,0 +1,7 @@ +issuer:Other test CA +subject:Other test CA +issuerKey:alternate +subjectKey:alternate +validity:20150101-20250101 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign 
diff --git a/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem new file mode 100644 index 0000000000..312d57f83f --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDeTCCAmGgAwIBAgIUO0qfW1Ku2EK6yQlpOYG16M3C88MwDQYJKoZIhvcNAQEL +BQAwMzExMC8GA1UEAwwoVGVzdCBTZWxmLXNpZ25lZCBFbmQtZW50aXR5IHdpdGgg +Q0EgdHJ1ZTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAzMTEw +LwYDVQQDDChUZXN0IFNlbGYtc2lnbmVkIEVuZC1lbnRpdHkgd2l0aCBDQSB0cnVl +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2 +ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF +h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n +cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv +OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj +tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt +jQIDAQABo4GAMH4wDAYDVR0TBAUwAwEB/zAyBggrBgEFBQcBAQQmMCQwIgYIKwYB +BQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wOgYDVR0RBDMwMYIvc2VsZi1z +aWduZWQtZW5kLWVudGl0eS13aXRoLWNBLXRydWUuZXhhbXBsZS5jb20wDQYJKoZI +hvcNAQELBQADggEBAKHo7nO705MnFJrD51zJX5feNUmVlItGBRK67CO777vGRqYA +YxBpKuugPxWvBVI7+P3SRvAQAL6vg9fUlf3OHkT4WISyQ06ru9V3kQXbJhS62fe8 +qKfom/iyDErkLEGojXqCoE13gsuQEXCbEKj1sLdKU1gpKA2iSooMkKvlJbhmlNjF +Hy77/zZ7AeOmUblRMfhm8wF/AeoXSB+/JonOZ5MBCsKrjjK8vzDWBXICR2t/Uwce +McvUFs5EiPJlveJ7POdUSQmQxnj0F9jdWF67tMLmktmMynEdSUv+9D++uUSSCbuS +KU3Y4z6ntndjkhiyTQim9vETxcB92sfkIp4fZC4= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem.certspec new file mode 100644 index 0000000000..0ca92d7fd1 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/self-signed-EE-with-cA-true.pem.certspec 
@@ -0,0 +1,5 @@ +issuer:Test Self-signed End-entity with CA true +subject:Test Self-signed End-entity with CA true +extension:basicConstraints:cA, +extension:authorityInformationAccess:http://localhost:8888/ +extension:subjectAlternativeName:self-signed-end-entity-with-cA-true.example.com diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem new file mode 100644 index 0000000000..2ab5904543 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDhzCCAm+gAwIBAgIUdTEF+B9EJBrvwu6jqdZB5MXb5ogwDQYJKoZIhvcNAQEL +BQAwNTEzMDEGA1UEAwwqU2VsZi1zaWduZWQgSW5hZGVxdWF0ZSBFS1UgVGVzdCBF +bmQtZW50aXR5MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMDUx +MzAxBgNVBAMMKlNlbGYtc2lnbmVkIEluYWRlcXVhdGUgRUtVIFRlc3QgRW5kLWVu +dGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u +togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6 +pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL +KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq +fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv +Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za +GAo17Y0CAwEAAaOBijCBhzALBgNVHQ8EBAMCBDAwEwYDVR0lBAwwCgYIKwYBBQUH +AwEwLwYDVR0RBCgwJoIkc2VsZnNpZ25lZC1pbmFkZXF1YXRlRUtVLmV4YW1wbGUu +Y29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9z +dDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAats49K5yDWP8zxxbODXI9VItMfOG +j2E8QdcFPYRVgkIcmM6chajB3IX0K9cua1fIyXaiFK4ZukXY5IClrNa3K4mchyrW +t/sL0hd1JNcSiFpYRXuKlmmTh/29PUP3sFo29p4fmXTlEGNmZG10r+RMlnh1/iWz +H0MmLqE7iabjD91IxR79bRNnaewvmB7p4ccVc/Oh2iJSdd1JhrHljYBL4vTBz8Jb +1+1zHqgCIf0+Bd9sTHnuu6+iB8hAqcoQVs9RqCjdisgx0+hzjGTmPummdF7xxDdt +meUKn8pbzUadJuna5SyRN0bXIRVicqi4/dw+gYgb80uA7BUYgqiXhzJnmQ== +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem.certspec new file mode 100644 index 0000000000..477b90ce14 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned-inadequateEKU.pem.certspec @@ -0,0 +1,6 @@ +issuer:Self-signed Inadequate EKU Test End-entity +subject:Self-signed Inadequate EKU Test End-entity +extension:keyUsage:keyEncipherment,dataEncipherment +extension:extKeyUsage:serverAuth +extension:subjectAlternativeName:selfsigned-inadequateEKU.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem new file mode 100644 index 0000000000..a949efa150 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNzCCAh+gAwIBAgIUQx4TWJqQt0JuIih8qLKCOJxOUMkwDQYJKoZIhvcNAQEL +BQAwJjEkMCIGA1UEAwwbU2VsZi1zaWduZWQgVGVzdCBFbmQtZW50aXR5MCIYDzIw +MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCYxJDAiBgNVBAMMG1NlbGYt +c2lnbmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x +nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM +wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF +4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20 +yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx +j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNZMFcwIQYDVR0RBBowGIIWc2Vs +ZnNpZ25lZC5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGG +Fmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBAA8/4PSt +7wsHx00uSCMH+mDAwnI6YqmwoWQWg2qq6Ul4mXvupDqaGjXCi3LA+7wP+YXlzXz3 +GJzQopXQ0XObiXNK34GNlTL+8Sk3rvOO88y5hmRpqNxXNCqj0UNaTfqDApYhydET +/EoowMbObWWKUknQxxH4XxOgXfr11XBLOgmCWUF1ZUZRRxzhDNfeR7GIInw7Z+bP +a/ghCqgSqaqupQUky21bx6tT6Vte/NEGZSE0NptiatOwkdB3pTaN9ix3firArKhx +phEkGr2JxWcCAQY14+4Qg/gII2YRY0AMV3ruHjayItpe0SOTxPvJLa//InmUcsof +eNBIC56EPJcm2U8= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem.certspec new file mode 100644 index 0000000000..99a814be17 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/selfsigned.pem.certspec @@ -0,0 +1,4 @@ +issuer:Self-signed Test End-entity +subject:Self-signed Test End-entity +extension:subjectAlternativeName:selfsigned.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/test-ca.pem b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem new file mode 100644 index 0000000000..67e7ca56e8 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAgIUP5NBbozOXrtwcuQwu3pzUXbOl7owDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME +BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEABBSMkSBFq/bK +LpntIx6QJdqPtmnjdjwTpCbQyKKfQjjrazCfru5SheZq7ACtQ0uWFokUOQhB+Xvv +sqy9HqJhK4UN0zfNPjtkHOSbNefWXOseEzA6XxuaCzQXWOp1WNNPnfdtYZizy6hT +fKuKjhniKLmIQD61KNl7Ev1hWUhWC7R8U+IFztXusYYFUUmqqaZ/v7lNfY1sHu4k +zHQFp+xqeaXvkoRpTXhoSdwDQ7ldquwqMM0NIQXlhtcmg7IYwZBGlJgzoejN4k2H +2WycvxPW70I10NeAAhtie1+K4JHwr6/SLLwCCnJDoRMMpMhM9/853Ye/4PTDGhuK +fqhEoHH9Ig== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/test-ca.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem.certspec new file mode 100644 index 0000000000..5d2435d7bb --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/test-ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Test CA +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/bad_certs/test-int.pem b/security/manager/ssl/tests/unit/bad_certs/test-int.pem new file mode 100644 index 0000000000..08249b863e --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/test-int.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25iBPOkIMwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMjUw +MTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1 +SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+ +zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL +K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc +bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW +JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMd +MBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEB +AILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC2BQF0kMEEB547p+Ms8zdJY00 +Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77TkfmnSnxvPi+0nlA+eM +8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22+AIU7w6wyA +IbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubjiMr3 +B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpyk +rGFLvocT/kym6r8galxCJUo= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/test-int.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/test-int.pem.certspec new file mode 100644 index 0000000000..33b42c2f41 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/test-int.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Test Intermediate +validity:20150101-20250101 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem new file mode 100644 index 0000000000..30143bb1ba --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDqTCCApGgAwIBAgIUP5JozopIN1u1syfEtUDb+7eHSs0wDQYJKoZIhvcNAQEL +BQAwJjEkMCIGA1UEAwwbVGVzdCBJbnRlcm1lZGlhdGUgdG8gZGVsZXRlMCIYDzIw +MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMC4xLDAqBgNVBAMMI1Rlc3Qg +RW5kLWVudGl0eSBmcm9tIHVua25vd24gaXNzdWVyMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4HCMIG/MIGIBgNV +HREEgYAwfoIZdW5rbm93bmlzc3Vlci5leGFtcGxlLmNvbYI0dW5rbm93bmlzc3Vl +ci5pbmNsdWRlLXN1YmRvbWFpbnMucGlubmluZy5leGFtcGxlLmNvbYIrdW5rbm93 +bmlzc3Vlci50ZXN0LW1vZGUucGlubmluZy5leGFtcGxlLmNvbTAyBggrBgEFBQcB +AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZI +hvcNAQELBQADggEBAI2lkdtGlY+mEsp+k/1OMPP14sB/Rn3OY6Y0FNKKIrugQXa4 +V53aA0Uiopb5O+dCp9t6O6qX8hmiZkqO/24FnpJyT9HKGZWCA95gBAduVK27+LKz +9a4HEnj5QuhtZw8oProRIukhgOr6AjJvzg1KNh0oJ67IIoqqwzZFFfOGNjoT3Rgu +Z8WyMFPMI+ZTP7cHriMSPhAOz7v0d4zfRHmSBS+j3nyOkzFBSrjk8i2ODDXjsxjP +RyCOAFXJRcoHUhY1E7WJ0qGGT3ckOD4gQ0NSJ8yGDtGqSCmoiQiGts9V7NVmnTfN +RD9Q8KYGkyiZ6LpnQIN08aNZkkuflirZnl5zP4k= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem.certspec new file mode 100644 index 0000000000..a735c730ca --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/unknownissuer.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test Intermediate to delete +subject:Test End-entity from unknown issuer +extension:subjectAlternativeName:unknownissuer.example.com,unknownissuer.include-subdomains.pinning.example.com,unknownissuer.test-mode.pinning.example.com +extension:authorityInformationAccess:http://localhost:8888/ 
diff --git a/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem new file mode 100644 index 0000000000..921d14583f --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNjCCAh6gAwIBAgIUGTh5myT/JfbNsso9a1ZhGr8B11gwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDExMDEwMTAwMDAwMFoY +DzIwMTMwMTAxMDAwMDAwWjAsMSowKAYDVQQDDCFVbnRydXN0ZWQtRXhwaXJlZCBU +ZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6 +iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr +4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP +8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI +Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ +77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J +I/pyUcQx1QOs2hgKNe2NAgMBAAGjYDBeMCgGA1UdEQQhMB+CHXVudHJ1c3RlZC1l +eHBpcmVkLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAMktkDNyd +MHFk4K4dcOfi0McOkxvdZW6/Nqts51scx8A3q8sT5pdW3ftBjvN7O+3c1cNGoThG +9SA6uLDV2NT2EQp65yxMZe8j1OHX3qybqZ/RVY5r7VHF4JDsPHHXsgew5+CRGraj +MTIFUqmgAYLMcv74vB0OLIt3JL4XnHVP7atULMLJrOP8QUmkUhZ49MDqyslN0i6w +X7KwhdM00+JKadqUFqOAfhacMHsH5ErsQ3LXrQRMJiFoaVbElMy9e/jJmY7rg4pw +0EMnkt+Vj650FkWsCnLndBia+6z+81L4EZ7uwBeeks2fYhXt85qqkuzmZq2T2diu +ArcEblKIbUYlVg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem.certspec new file mode 100644 index 0000000000..3efd1ce677 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/untrusted-expired.pem.certspec 
@@ -0,0 +1,5 @@ +issuer:Other test CA +subject:Untrusted-Expired Test End-entity +validity:20110101-20130101 +extension:subjectAlternativeName:untrusted-expired.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem new file mode 100644 index 0000000000..44466870b7 --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDODCCAiCgAwIBAgIUFTheHxum5x5zarr+9tuaXVyal6kwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoY +DzIwMjQwMjA1MDAwMDAwWjAwMS4wLAYDVQQDDCVUZXN0IEVuZC1lbnRpdHkgd2l0 +aCB1bnRydXN0ZWQgaXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu +Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO +7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf +qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt +HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx +uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo14wXDAmBgNVHREEHzAdght1bnRydXN0 +ZWRpc3N1ZXIuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAB +hhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQA4nTja +7NV7jYhyX3eDGfoWyCHVM2PRIglZrHN1JsmzUOfyrw9T4jF2Jnuvl9lF0SyuBm+N +X1lXJK4z8VYfM3t1SlGe2qwl+nXiYwoCFl0mfbBuihQNxa3eLWAmjz5ZghStjFwz +QGwkgrsCaP8gKcU2j94KVhWaAXJJzBe1OPVJUhrjQjG4Q7mhon7qRrRYJaDR4GOe +bLhJvrZO14Embo81DejBzoIHYeONhz9RqrTjcH15qpxwU8mX/DAZfkPlR85LY3F9 +FTBy7wEGuvoPZbWjtQEZMTeMdyJ1DZyi7TNFkJksf8b5oXtCGzftOv3cJeZIUYQs +ZmUfzPtaDC9YkAeP +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem.certspec new file mode 100644 index 0000000000..5ba0bc2535 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/bad_certs/untrustedissuer.pem.certspec @@ -0,0 +1,4 @@ +issuer:Other test CA +subject:Test End-entity with untrusted issuer +extension:subjectAlternativeName:untrustedissuer.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem new file mode 100644 index 0000000000..8c24bc3d0b --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICrzCCAZcCFE8qjyl3WPAoW1Gpnx3TBAEyJJU6MA0GCSqGSIb3DQEBCwUAMBIx +EDAOBgNVBAMMB1Rlc3QgQ0EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowEjEQMA4GA1UEAwwHVjEgQ2VydDCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY +H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk +27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9 +0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM +kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL +L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsFAAOC +AQEAqUwUJ06FNvZWgq5++nr3wKmfEW/hOI2Mr3+xjDbuvYm8/Z+H+TtIDgqJ+Ryf +pxTL5/tGFmriX20DC9b+ZtZyEYVZFHbM/WmhKZlp6zfzxODErmX1JuPg+Ue0zCoz +zQXTda4jB1j39LT88Ci5CLSnNrWFcbHxEp5nmikC6N76Whcw/4OflP0ui/MPeAu7 +wH5Ql7PzL3+m4HtCgri9Jgd/6LWkSeK2mN8AmnLUbV2szXi63eTrYxQ0KcxjTcuN +4M2PuIXiI3c7V0jjfhIHc09lGUnLeh5pIQSQ17EMVMuh6sUjY26Gczj9CuWGZ+gS +6B5LY90vNcK+MYRMF2jyXEt1Lg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem.certspec b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem.certspec new file mode 100644 index 0000000000..7824630bbc --- /dev/null +++ b/security/manager/ssl/tests/unit/bad_certs/v1Cert.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test CA +subject:V1 Cert +version:1 
diff --git a/security/manager/ssl/tests/unit/corrupted_crlite_helper.js b/security/manager/ssl/tests/unit/corrupted_crlite_helper.js new file mode 100644 index 0000000000..2587c5dad9 --- /dev/null +++ b/security/manager/ssl/tests/unit/corrupted_crlite_helper.js 
@@ -0,0 +1,103 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Helper file for tests that initialize CRLite with corrupted `security_state`
+// files.
+//
+// Usage:
+// Define nsILocalFile variables for the `crlite.filter`, `crlite.coverage`,
+// and `crlite.enrollment` files that should be copied to the new profile, and
+// then load this file. The variables should be called `filter`, `coverage`,
+// and `enrollment`, respectively. To omit a file, leave the corresponding
+// variable `undefined`.
+//
+// Example:
+// let filter = do_get_file("some_test_dir/crlite.filter");
+// let coverage = undefined;
+// let enrollment = do_get_file("some_test_dir/crlite.enrollment");
+// load("./corrupted_crlite_helper.js");
+//
+// Note:
+// The cert_storage library only attempts to read security_state once. So
+// this task can only be included once per test file.
+
+"use strict";
+
+/* eslint-disable no-undef */
+
+add_task(async function test_crlite_corrupted() {
+ let securityStateDirectory = do_get_profile();
+ securityStateDirectory.append("security_state");
+
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeEnforcePrefValue
+ );
+
+ if (coverage != undefined) {
+ coverage.copyTo(securityStateDirectory, "crlite.coverage");
+ }
+ if (enrollment != undefined) {
+ enrollment.copyTo(securityStateDirectory, "crlite.enrollment");
+ }
+ if (filter != undefined) {
+ filter.copyTo(securityStateDirectory, "crlite.filter");
+ }
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+
+ // This certificate is revoked according to `test_crlite_filters/20201017-0-filter`.
+ // Its issuer is enrolled according to `test_crlite_preexisting/crlite.enrollment`,
+ // and it is covered according to `test_crlite_preexisting/crlite.coverage`.
+ let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+
+ // The issuer's certificate needs to be available for path building.
+ let issuerCert = constructCertFromFile("test_crlite_filters/issuer.pem");
+ ok(issuerCert, "issuer certificate should decode successfully");
+
+ // If we copied a corrupted file to security_state, then CRLite should not be
+ // initialized, and we should fall back to OCSP. By setting
+ // Ci.nsIX509CertDB.FLAG_LOCAL_ONLY here we skip the OCSP test, so there's no
+ // revocation checking, and the revoked certificate should pass inspection.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ undefined,
+ "us-datarecovery.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+
+ // We should not have a filter or a stash.
+ let hasFilter = await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_FULL,
+ (rv, result) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve(result);
+ }
+ );
+ });
+ Assert.equal(hasFilter, false, "CRLite should not have a filter");
+
+ let hasStash = await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL,
+ (rv, result) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve(result);
+ }
+ );
+ });
+ Assert.equal(hasStash, false, "CRLite should not have a stash");
+});
diff --git a/security/manager/ssl/tests/unit/crlite_enrollment_id.py b/security/manager/ssl/tests/unit/crlite_enrollment_id.py
new file mode 100755
index 0000000000..2deb5ad379
--- /dev/null
+++ b/security/manager/ssl/tests/unit/crlite_enrollment_id.py
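Review bot: The task in corrupted_crlite_helper.js would presumably pass vacuously when `coverage`, `enrollment` and `filter` are all `undefined`: nothing is copied into `security_state`, so the "no filter" and "no stash" assertions hold without any corrupted input being exercised. A guard ahead of the three `copyTo` blocks would catch a mis-wired caller, for example `Assert.ok(coverage != undefined || enrollment != undefined || filter != undefined, "at least one security_state file should be supplied");`. The comment above the `checkCertErrorGenericAtTime` call could also state outright that accepting the revoked certificate is expected only because `FLAG_LOCAL_ONLY` suppresses the OCSP fallback, so the `PRErrorCodeSuccess` expectation is not read as what enforce mode does on a real connection.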
@@ -0,0 +1,33 @@
+#!/usr/bin/python
+
+# Given a PEM encoded X.509 certificate, outputs
+# base64(SHA256(subject || spki))
+# where `subject` is the RFC 5280 RDNSequence encoding
+# the certificate's subject, and `spki` is the RFC 5280
+# SubjectPublicKeyInfo field encoding the certificate's
+# public key.
+
+import sys
+import base64
+
+from cryptography import x509
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives import hashes
+
+if len(sys.argv) != 2:
+ print(f"Usage: {sys.argv[0]} ")
+ sys.exit(1)
+
+with open(sys.argv[1], "r") as f:
+ cert = x509.load_pem_x509_certificate(f.read().encode("utf-8"), backend=None)
+
+subj = cert.subject.public_bytes()
+spki = cert.public_key().public_bytes(
+ format=serialization.PublicFormat.SubjectPublicKeyInfo,
+ encoding=serialization.Encoding.DER,
+)
+
+digest = hashes.Hash(hashes.SHA256(), backend=None)
+digest.update(subj)
+digest.update(spki)
+print(base64.b64encode(digest.finalize()).decode("utf-8"))
diff --git a/security/manager/ssl/tests/unit/crlite_key.py b/security/manager/ssl/tests/unit/crlite_key.py
new file mode 100755
index 0000000000..53d2b2aeaf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/crlite_key.py
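Review bot: The `#!/usr/bin/python` shebang in crlite_enrollment_id.py does not pin Python 3, although the script uses an f-string and is committed executable (mode 100755); where that path resolves to Python 2 or is absent, the script fails before doing any work. `#!/usr/bin/env python3` states the requirement. The certificate is also opened in text mode and then re-encoded; reading bytes avoids a locale-dependent decode: `with open(sys.argv[1], "rb") as f:` followed by `cert = x509.load_pem_x509_certificate(f.read(), backend=None)`. Both points apply equally to crlite_key.py in the next hunk.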
@@ -0,0 +1,58 @@
+#!/usr/bin/python
+
+# Given PEM encoded X.509 certificates Issuer and Subscriber,
+# outputs the urlsafe base64 encoding of the SHA256 hash of
+# the Issuer's SubjectPublicKeyInfo, and the ascii hex encoding
+# of the Subscriber's serial number.
+
+import sys
+import base64
+
+from cryptography import x509
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives import hashes
+
+
+def uint_to_serial_bytes(a):
+ # Encode the non-negative integer |a| as a DER integer without the leading
+ # tag and length prefix. The DER encoding of |a| is the shortest octet
+ # string that encodes |a| in big endian two's complement form.
+ assert a >= 0
+
+ # Since |a| is non-negative, the shortest bit string that encodes it in
+ # big-endian two's complement form has a leading 0 bit. Positive python
+ # integers have a `bit_length` method that gives the index of the leading 1
+ # bit. The minimal two's complement bit length is one more than this.
+ #
+ # NB: Python defines |int(0).bit_length() == 0|. The other cases are more
+ # intuitive; for integers x and k with x >= 0 and k > 0 with 2**k > x we
+ # have |int(2**k + x).bit_length() == k+1|.
+ bit_len = 1 + a.bit_length()
+ byte_len = (bit_len + 7) // 8
+ return a.to_bytes(byte_len, byteorder="big", signed=False)
+
+
+if len(sys.argv) != 3:
+ print(f"Usage: {sys.argv[0]} ")
+ sys.exit(1)
+
+with open(sys.argv[1], "r") as f:
+ issuer = x509.load_pem_x509_certificate(f.read().encode("utf-8"), backend=None)
+
+with open(sys.argv[2], "r") as f:
+ subscriber = x509.load_pem_x509_certificate(f.read().encode("utf-8"), backend=None)
+
+assert issuer.subject.public_bytes() == subscriber.issuer.public_bytes()
+
+issuer_spki = issuer.public_key().public_bytes(
+ format=serialization.PublicFormat.SubjectPublicKeyInfo,
+ encoding=serialization.Encoding.DER,
+)
+hasher = hashes.Hash(hashes.SHA256(), backend=None)
+hasher.update(issuer_spki)
+issuer_spki_hash = hasher.finalize()
+
+subscriber_serial = uint_to_serial_bytes(int(subscriber.serial_number))
+
+print(base64.urlsafe_b64encode(issuer_spki_hash).decode("utf-8"))
+print(subscriber_serial.hex())
diff --git a/security/manager/ssl/tests/unit/head_psm.js b/security/manager/ssl/tests/unit/head_psm.js
new file mode 100644
index 0000000000..17f58ce62c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/head_psm.js
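Review bot: The issuer/subscriber pairing in crlite_key.py is enforced with a bare `assert`, which is stripped under `python -O` and otherwise fails without a message; it also compares names only, so an issuer certificate with the same subject name but a different key would be accepted and the wrong SPKI hash printed. Because the output appears to serve as a CRLite lookup key, an explicit check is safer: `if issuer.subject.public_bytes() != subscriber.issuer.public_bytes(): sys.exit("issuer subject does not match subscriber issuer")`. Where the installed `cryptography` release provides it, `subscriber.verify_directly_issued_by(issuer)` would additionally confirm the signature. The `assert a >= 0` in `uint_to_serial_bytes` carries the same `-O` caveat and could raise `ValueError` instead.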
@@ -0,0 +1,1187 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + */ +"use strict"; + +const { AppConstants } = ChromeUtils.importESModule( + "resource://gre/modules/AppConstants.sys.mjs" +); +const { ctypes } = ChromeUtils.import("resource://gre/modules/ctypes.jsm"); +const { FileUtils } = ChromeUtils.importESModule( + "resource://gre/modules/FileUtils.sys.mjs" +); +const { HttpServer } = ChromeUtils.import("resource://testing-common/httpd.js"); +const { MockRegistrar } = ChromeUtils.importESModule( + "resource://testing-common/MockRegistrar.sys.mjs" +); +const { NetUtil } = ChromeUtils.import("resource://gre/modules/NetUtil.jsm"); +const { PromiseUtils } = ChromeUtils.importESModule( + "resource://gre/modules/PromiseUtils.sys.mjs" +); +const { XPCOMUtils } = ChromeUtils.importESModule( + "resource://gre/modules/XPCOMUtils.sys.mjs" +); + +const { X509 } = ChromeUtils.import("resource://gre/modules/psm/X509.jsm"); + +const isDebugBuild = Cc["@mozilla.org/xpcom/debug;1"].getService(Ci.nsIDebug2) + .isDebugBuild; + +// The test EV roots are only enabled in debug builds as a security measure. +const gEVExpected = isDebugBuild; + +const CLIENT_AUTH_FILE_NAME = "ClientAuthRememberList.txt"; +const SSS_STATE_FILE_NAME = "SiteSecurityServiceState.txt"; +const CERT_OVERRIDE_FILE_NAME = "cert_override.txt"; + +const SEC_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SEC_ERROR_BASE; +const SSL_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SSL_ERROR_BASE; +const MOZILLA_PKIX_ERROR_BASE = Ci.nsINSSErrorsService.MOZILLA_PKIX_ERROR_BASE; + +// This isn't really a valid PRErrorCode, but is useful for signalling that +// a test is expected to succeed. 
+const PRErrorCodeSuccess = 0; + +// Sort in numerical order +const SEC_ERROR_INVALID_TIME = SEC_ERROR_BASE + 8; +const SEC_ERROR_BAD_DER = SEC_ERROR_BASE + 9; +const SEC_ERROR_BAD_SIGNATURE = SEC_ERROR_BASE + 10; +const SEC_ERROR_EXPIRED_CERTIFICATE = SEC_ERROR_BASE + 11; +const SEC_ERROR_REVOKED_CERTIFICATE = SEC_ERROR_BASE + 12; +const SEC_ERROR_UNKNOWN_ISSUER = SEC_ERROR_BASE + 13; +const SEC_ERROR_UNTRUSTED_ISSUER = SEC_ERROR_BASE + 20; +const SEC_ERROR_UNTRUSTED_CERT = SEC_ERROR_BASE + 21; +const SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE = SEC_ERROR_BASE + 30; +const SEC_ERROR_CA_CERT_INVALID = SEC_ERROR_BASE + 36; +const SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION = SEC_ERROR_BASE + 41; +const SEC_ERROR_PKCS7_BAD_SIGNATURE = SEC_ERROR_BASE + 47; +const SEC_ERROR_INADEQUATE_KEY_USAGE = SEC_ERROR_BASE + 90; +const SEC_ERROR_INADEQUATE_CERT_TYPE = SEC_ERROR_BASE + 91; +const SEC_ERROR_CERT_NOT_IN_NAME_SPACE = SEC_ERROR_BASE + 112; +const SEC_ERROR_CERT_BAD_ACCESS_LOCATION = SEC_ERROR_BASE + 117; +const SEC_ERROR_OCSP_MALFORMED_REQUEST = SEC_ERROR_BASE + 120; +const SEC_ERROR_OCSP_SERVER_ERROR = SEC_ERROR_BASE + 121; +const SEC_ERROR_OCSP_TRY_SERVER_LATER = SEC_ERROR_BASE + 122; +const SEC_ERROR_OCSP_REQUEST_NEEDS_SIG = SEC_ERROR_BASE + 123; +const SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST = SEC_ERROR_BASE + 124; +const SEC_ERROR_OCSP_UNKNOWN_CERT = SEC_ERROR_BASE + 126; +const SEC_ERROR_OCSP_MALFORMED_RESPONSE = SEC_ERROR_BASE + 129; +const SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE = SEC_ERROR_BASE + 130; +const SEC_ERROR_OCSP_OLD_RESPONSE = SEC_ERROR_BASE + 132; +const SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE = SEC_ERROR_BASE + 141; +const SEC_ERROR_OCSP_INVALID_SIGNING_CERT = SEC_ERROR_BASE + 144; +const SEC_ERROR_POLICY_VALIDATION_FAILED = SEC_ERROR_BASE + 160; +const SEC_ERROR_OCSP_BAD_SIGNATURE = SEC_ERROR_BASE + 157; +const SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED = SEC_ERROR_BASE + 176; + +const SSL_ERROR_NO_CYPHER_OVERLAP = SSL_ERROR_BASE + 2; +const SSL_ERROR_BAD_CERT_DOMAIN 
= SSL_ERROR_BASE + 12; +const SSL_ERROR_BAD_CERT_ALERT = SSL_ERROR_BASE + 17; +const SSL_ERROR_WEAK_SERVER_CERT_KEY = SSL_ERROR_BASE + 132; +const SSL_ERROR_DC_INVALID_KEY_USAGE = SSL_ERROR_BASE + 184; + +const SSL_ERROR_ECH_RETRY_WITH_ECH = SSL_ERROR_BASE + 188; +const SSL_ERROR_ECH_RETRY_WITHOUT_ECH = SSL_ERROR_BASE + 189; +const SSL_ERROR_ECH_FAILED = SSL_ERROR_BASE + 190; +const SSL_ERROR_ECH_REQUIRED_ALERT = SSL_ERROR_BASE + 191; + +const MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = MOZILLA_PKIX_ERROR_BASE + 0; +const MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = + MOZILLA_PKIX_ERROR_BASE + 1; +const MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = MOZILLA_PKIX_ERROR_BASE + 2; +const MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA = MOZILLA_PKIX_ERROR_BASE + 3; +const MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE = + MOZILLA_PKIX_ERROR_BASE + 5; +const MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE = + MOZILLA_PKIX_ERROR_BASE + 6; +const MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING = + MOZILLA_PKIX_ERROR_BASE + 8; +const MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING = + MOZILLA_PKIX_ERROR_BASE + 10; +const MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME = MOZILLA_PKIX_ERROR_BASE + 12; +const MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED = + MOZILLA_PKIX_ERROR_BASE + 13; +const MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT = MOZILLA_PKIX_ERROR_BASE + 14; +const MOZILLA_PKIX_ERROR_MITM_DETECTED = MOZILLA_PKIX_ERROR_BASE + 15; + +// Supported Certificate Usages +const certificateUsageSSLClient = 0x0001; +const certificateUsageSSLServer = 0x0002; +const certificateUsageSSLCA = 0x0008; +const certificateUsageEmailSigner = 0x0010; +const certificateUsageEmailRecipient = 0x0020; + +// A map from the name of a certificate usage to the value of the usage. +// Useful for printing debugging information and for enumerating all supported +// usages. 
+const allCertificateUsages = { + certificateUsageSSLClient, + certificateUsageSSLServer, + certificateUsageSSLCA, + certificateUsageEmailSigner, + certificateUsageEmailRecipient, +}; + +const NO_FLAGS = 0; + +const CRLiteModeDisabledPrefValue = 0; +const CRLiteModeTelemetryOnlyPrefValue = 1; +const CRLiteModeEnforcePrefValue = 2; +const CRLiteModeConfirmRevocationsValue = 3; + +// Convert a string to an array of bytes consisting of the char code at each +// index. +function stringToArray(s) { + let a = []; + for (let i = 0; i < s.length; i++) { + a.push(s.charCodeAt(i)); + } + return a; +} + +// Converts an array of bytes to a JS string using fromCharCode on each byte. +function arrayToString(a) { + let s = ""; + for (let b of a) { + s += String.fromCharCode(b); + } + return s; +} + +// Commonly certificates are represented as PEM. The format is roughly as +// follows: +// +// -----BEGIN CERTIFICATE----- +// [some lines of base64, each typically 64 characters long] +// -----END CERTIFICATE----- +// +// However, nsIX509CertDB.constructX509FromBase64 and related functions do not +// handle input of this form. Instead, they require a single string of base64 +// with no newlines or BEGIN/END headers. This is a helper function to convert +// PEM to the format that nsIX509CertDB requires. 
+function pemToBase64(pem) { + return pem + .replace(/-----BEGIN CERTIFICATE-----/, "") + .replace(/-----END CERTIFICATE-----/, "") + .replace(/[\r\n]/g, ""); +} + +function build_cert_chain(certNames, testDirectory = "bad_certs") { + let certList = []; + certNames.forEach(function(certName) { + let cert = constructCertFromFile(`${testDirectory}/${certName}.pem`); + certList.push(cert); + }); + return certList; +} + +function areCertsEqual(certA, certB) { + let derA = certA.getRawDER(); + let derB = certB.getRawDER(); + if (derA.length != derB.length) { + return false; + } + for (let i = 0; i < derA.length; i++) { + if (derA[i] != derB[i]) { + return false; + } + } + return true; +} + +function areCertArraysEqual(certArrayA, certArrayB) { + if (certArrayA.length != certArrayB.length) { + return false; + } + + for (let i = 0; i < certArrayA.length; i++) { + const certA = certArrayA[i]; + const certB = certArrayB[i]; + if (!areCertsEqual(certA, certB)) { + return false; + } + } + return true; +} + +function readFile(file) { + let fstream = Cc["@mozilla.org/network/file-input-stream;1"].createInstance( + Ci.nsIFileInputStream + ); + fstream.init(file, -1, 0, 0); + let available = fstream.available(); + let data = + available > 0 ? NetUtil.readInputStreamToString(fstream, available) : ""; + fstream.close(); + return data; +} + +function addCertFromFile(certdb, filename, trustString) { + let certFile = do_get_file(filename, false); + let certBytes = readFile(certFile); + try { + return certdb.addCert(certBytes, trustString); + } catch (e) {} + // It might be PEM instead of DER. 
+ return certdb.addCertFromBase64(pemToBase64(certBytes), trustString); +} + +function constructCertFromFile(filename) { + let certFile = do_get_file(filename, false); + let certBytes = readFile(certFile); + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + try { + return certdb.constructX509(stringToArray(certBytes)); + } catch (e) {} + // It might be PEM instead of DER. + return certdb.constructX509FromBase64(pemToBase64(certBytes)); +} + +function setCertTrust(cert, trustString) { + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + certdb.setCertTrustFromString(cert, trustString); +} + +function getXPCOMStatusFromNSS(statusNSS) { + let nssErrorsService = Cc["@mozilla.org/nss_errors_service;1"].getService( + Ci.nsINSSErrorsService + ); + return nssErrorsService.getXPCOMFromNSSError(statusNSS); +} + +// Helper for checkCertErrorGenericAtTime +class CertVerificationExpectedErrorResult { + constructor(certName, expectedError, expectedEVStatus, resolve) { + this.certName = certName; + this.expectedError = expectedError; + this.expectedEVStatus = expectedEVStatus; + this.resolve = resolve; + } + + verifyCertFinished(aPRErrorCode, aVerifiedChain, aHasEVPolicy) { + equal( + aPRErrorCode, + this.expectedError, + `verifying ${this.certName}: should get error ${this.expectedError}` + ); + if (this.expectedEVStatus != undefined) { + equal( + aHasEVPolicy, + this.expectedEVStatus, + `verifying ${this.certName}: ` + + `should ${this.expectedEVStatus ? "be" : "not be"} EV` + ); + } + this.resolve(); + } +} + +// certdb implements nsIX509CertDB. See nsIX509CertDB.idl for documentation. +// In particular, hostname is optional. 
+function checkCertErrorGenericAtTime( + certdb, + cert, + expectedError, + usage, + time, + /* optional */ isEVExpected, + /* optional */ hostname, + /* optional */ flags = NO_FLAGS +) { + return new Promise((resolve, reject) => { + let result = new CertVerificationExpectedErrorResult( + cert.commonName, + expectedError, + isEVExpected, + resolve + ); + certdb.asyncVerifyCertAtTime(cert, usage, flags, hostname, time, result); + }); +} + +// certdb implements nsIX509CertDB. See nsIX509CertDB.idl for documentation. +// In particular, hostname is optional. +function checkCertErrorGeneric( + certdb, + cert, + expectedError, + usage, + /* optional */ isEVExpected, + /* optional */ hostname +) { + let now = new Date().getTime() / 1000; + return checkCertErrorGenericAtTime( + certdb, + cert, + expectedError, + usage, + now, + isEVExpected, + hostname + ); +} + +function checkEVStatus(certDB, cert, usage, isEVExpected) { + return checkCertErrorGeneric( + certDB, + cert, + PRErrorCodeSuccess, + usage, + isEVExpected + ); +} + +function _getLibraryFunctionWithNoArguments( + functionName, + libraryName, + returnType +) { + // Open the NSS library. copied from services/crypto/modules/WeaveCrypto.js + let path = ctypes.libraryName(libraryName); + + // XXX really want to be able to pass specific dlopen flags here. + let nsslib; + try { + nsslib = ctypes.open(path); + } catch (e) { + // In case opening the library without a full path fails, + // try again with a full path. 
+ let file = Services.dirsvc.get("GreBinD", Ci.nsIFile); + file.append(path); + nsslib = ctypes.open(file.path); + } + + let SECStatus = ctypes.int; + let func = nsslib.declare( + functionName, + ctypes.default_abi, + returnType || SECStatus + ); + return func; +} + +function clearOCSPCache() { + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + certdb.clearOCSPCache(); +} + +function clearSessionCache() { + let nssComponent = Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent); + nssComponent.clearSSLExternalAndInternalSessionCache(); +} + +function getSSLStatistics() { + let SSL3Statistics = new ctypes.StructType("SSL3Statistics", [ + { sch_sid_cache_hits: ctypes.long }, + { sch_sid_cache_misses: ctypes.long }, + { sch_sid_cache_not_ok: ctypes.long }, + { hsh_sid_cache_hits: ctypes.long }, + { hsh_sid_cache_misses: ctypes.long }, + { hsh_sid_cache_not_ok: ctypes.long }, + { hch_sid_cache_hits: ctypes.long }, + { hch_sid_cache_misses: ctypes.long }, + { hch_sid_cache_not_ok: ctypes.long }, + { sch_sid_stateless_resumes: ctypes.long }, + { hsh_sid_stateless_resumes: ctypes.long }, + { hch_sid_stateless_resumes: ctypes.long }, + { hch_sid_ticket_parse_failures: ctypes.long }, + ]); + let SSL3StatisticsPtr = new ctypes.PointerType(SSL3Statistics); + let SSL_GetStatistics = null; + try { + SSL_GetStatistics = _getLibraryFunctionWithNoArguments( + "SSL_GetStatistics", + "ssl3", + SSL3StatisticsPtr + ); + } catch (e) { + // On Windows, this is actually in the nss3 library. + SSL_GetStatistics = _getLibraryFunctionWithNoArguments( + "SSL_GetStatistics", + "nss3", + SSL3StatisticsPtr + ); + } + if (!SSL_GetStatistics) { + throw new Error("Failed to get SSL statistics"); + } + return SSL_GetStatistics(); +} + +// Set up a TLS testing environment that has a TLS server running and +// ready to accept connections. This async function starts the server and +// waits for the server to indicate that it is ready. 
+// +// Each test should have its own subdomain of example.com, for example +// my-first-connection-test.example.com. The server can use the server +// name (passed through the SNI TLS extension) to determine what behavior +// the server side of the text should exhibit. See TLSServer.h for more +// information on how to write the server side of tests. +// +// Create a new source file for your new server executable in +// security/manager/ssl/tests/unit/tlsserver/cmd similar to the other ones in +// that directory, and add a reference to it to the sources variable in that +// directory's moz.build. +// +// Modify TEST_HARNESS_BINS in +// testing/mochitest/Makefile.in and NO_PKG_FILES in +// toolkit/mozapps/installer/packager.mk to make sure the new executable +// gets included in the packages used for shipping the tests to the test +// runners in our build/test farm. (Things will work fine locally without +// these changes but will break on TBPL.) +// +// Your test script should look something like this: +/* + +// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// + +function run_test() { + do_get_profile(); + add_tls_server_setup("", ""); + + add_connection_test(".example.com", + SEC_ERROR_xxx, + function() { ... }, + function(aTransportSecurityInfo) { ... }, + function(aTransport) { ... }); + [...] + add_connection_test(".example.com", PRErrorCodeSuccess); + + run_next_test(); +} +*/ + +function add_tls_server_setup(serverBinName, certsPath, addDefaultRoot = true) { + add_test(function() { + _setupTLSServerTest(serverBinName, certsPath, addDefaultRoot); + }); +} + +/** + * Add a TLS connection test case. 
+ * + * @param {string} aHost + * The hostname to pass in the SNI TLS extension; this should unambiguously + * identify which test is being run. + * @param {PRErrorCode} aExpectedResult + * The expected result of the connection. If an error is not expected, pass + * in PRErrorCodeSuccess. + * @param {Function} aBeforeConnect + * A callback function that takes no arguments that will be called before the + * connection is attempted. + * @param {Function} aWithSecurityInfo + * A callback function that takes an nsITransportSecurityInfo, which is called + * after the TLS handshake succeeds. + * @param {Function} aAfterStreamOpen + * A callback function that is called with the nsISocketTransport once the + * output stream is ready. + * @param {OriginAttributes} aOriginAttributes (optional) + * The origin attributes that the socket transport will have. This parameter + * affects OCSP because OCSP cache is double-keyed by origin attributes' first + * party domain. + * + * @param {OriginAttributes} aEchConfig (optional) + * A Base64-encoded ECHConfig. If non-empty, it will be configured to the client + * socket resulting in an Encrypted Client Hello extension being sent. The client + * keypair is ephermeral and generated within NSS. 
+ */ +function add_connection_test( + aHost, + aExpectedResult, + aBeforeConnect, + aWithSecurityInfo, + aAfterStreamOpen, + /* optional */ aOriginAttributes, + /* optional */ aEchConfig +) { + add_test(function() { + if (aBeforeConnect) { + aBeforeConnect(); + } + asyncConnectTo( + aHost, + aExpectedResult, + aWithSecurityInfo, + aAfterStreamOpen, + aOriginAttributes, + aEchConfig + ).then(run_next_test); + }); +} + +async function asyncConnectTo( + aHost, + aExpectedResult, + /* optional */ aWithSecurityInfo = undefined, + /* optional */ aAfterStreamOpen = undefined, + /* optional */ aOriginAttributes = undefined, + /* optional */ aEchConfig = undefined +) { + const REMOTE_PORT = 8443; + + function Connection(host) { + this.host = host; + this.thread = Services.tm.currentThread; + this.defer = PromiseUtils.defer(); + let sts = Cc["@mozilla.org/network/socket-transport-service;1"].getService( + Ci.nsISocketTransportService + ); + this.transport = sts.createTransport( + ["ssl"], + host, + REMOTE_PORT, + null, + null + ); + if (aEchConfig) { + this.transport.setEchConfig(atob(aEchConfig)); + } + // See bug 1129771 - attempting to connect to [::1] when the server is + // listening on 127.0.0.1 causes frequent failures on OS X 10.10. 
+ this.transport.connectionFlags |= Ci.nsISocketTransport.DISABLE_IPV6; + this.transport.setEventSink(this, this.thread); + if (aOriginAttributes) { + this.transport.originAttributes = aOriginAttributes; + } + this.inputStream = null; + this.outputStream = null; + this.connected = false; + } + + Connection.prototype = { + // nsITransportEventSink + onTransportStatus(aTransport, aStatus, aProgress, aProgressMax) { + if ( + !this.connected && + aStatus == Ci.nsISocketTransport.STATUS_CONNECTED_TO + ) { + this.connected = true; + this.outputStream.asyncWait(this, 0, 0, this.thread); + } + }, + + // nsIInputStreamCallback + onInputStreamReady(aStream) { + try { + // this will throw if the stream has been closed by an error + let str = NetUtil.readInputStreamToString(aStream, aStream.available()); + Assert.equal(str, "0", "Should have received ASCII '0' from server"); + this.inputStream.close(); + this.outputStream.close(); + this.result = Cr.NS_OK; + } catch (e) { + this.result = e.result; + } + this.defer.resolve(this); + }, + + // nsIOutputStreamCallback + onOutputStreamReady(aStream) { + if (aAfterStreamOpen) { + aAfterStreamOpen(this.transport); + } + this.outputStream.write("0", 1); + let inStream = this.transport + .openInputStream(0, 0, 0) + .QueryInterface(Ci.nsIAsyncInputStream); + this.inputStream = inStream; + this.inputStream.asyncWait(this, 0, 0, this.thread); + }, + + go() { + this.outputStream = this.transport + .openOutputStream(0, 0, 0) + .QueryInterface(Ci.nsIAsyncOutputStream); + return this.defer.promise; + }, + }; + + /* Returns a promise to connect to host that resolves to the result of that + * connection */ + function connectTo(host) { + Services.prefs.setCharPref("network.dns.localDomains", host); + let connection = new Connection(host); + return connection.go(); + } + + return connectTo(aHost).then(async function(conn) { + info("handling " + aHost); + let expectedNSResult = + aExpectedResult == PRErrorCodeSuccess + ? 
Cr.NS_OK + : getXPCOMStatusFromNSS(aExpectedResult); + Assert.equal( + conn.result, + expectedNSResult, + "Actual and expected connection result should match" + ); + if (aWithSecurityInfo) { + aWithSecurityInfo( + await conn.transport.tlsSocketControl.asyncGetSecurityInfo() + ); + } + }); +} + +function _getBinaryUtil(binaryUtilName) { + let utilBin = Services.dirsvc.get("GreD", Ci.nsIFile); + // On macOS, GreD is .../Contents/Resources, and most binary utilities + // are located there, but certutil is in GreBinD (or .../Contents/MacOS), + // so we have to change the path accordingly. + if (binaryUtilName === "certutil") { + utilBin = Services.dirsvc.get("GreBinD", Ci.nsIFile); + } + utilBin.append(binaryUtilName + mozinfo.bin_suffix); + // If we're testing locally, the above works. If not, the server executable + // is in another location. + if (!utilBin.exists()) { + utilBin = Services.dirsvc.get("CurWorkD", Ci.nsIFile); + while (utilBin.path.includes("xpcshell")) { + utilBin = utilBin.parent; + } + utilBin.append("bin"); + utilBin.append(binaryUtilName + mozinfo.bin_suffix); + } + // But maybe we're on Android, where binaries are in /data/local/xpcb. + if (!utilBin.exists()) { + utilBin.initWithPath("/data/local/xpcb/"); + utilBin.append(binaryUtilName); + } + Assert.ok(utilBin.exists(), `Binary util ${binaryUtilName} should exist`); + return utilBin; +} + +// Do not call this directly; use add_tls_server_setup +function _setupTLSServerTest(serverBinName, certsPath, addDefaultRoot) { + asyncStartTLSTestServer(serverBinName, certsPath, addDefaultRoot).then( + run_next_test + ); +} + +async function asyncStartTLSTestServer( + serverBinName, + certsPath, + addDefaultRoot +) { + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + // The trusted CA that is typically used for "good" certificates. 
+ if (addDefaultRoot) { + addCertFromFile(certdb, `${certsPath}/test-ca.pem`, "CTu,u,u"); + } + + const CALLBACK_PORT = 8444; + + let greBinDir = Services.dirsvc.get("GreBinD", Ci.nsIFile); + Services.env.set("DYLD_LIBRARY_PATH", greBinDir.path); + // TODO(bug 1107794): Android libraries are in /data/local/xpcb, but "GreBinD" + // does not return this path on Android, so hard code it here. + Services.env.set("LD_LIBRARY_PATH", greBinDir.path + ":/data/local/xpcb"); + Services.env.set("MOZ_TLS_SERVER_DEBUG_LEVEL", "3"); + Services.env.set("MOZ_TLS_SERVER_CALLBACK_PORT", CALLBACK_PORT); + + let httpServer = new HttpServer(); + let serverReady = new Promise(resolve => { + httpServer.registerPathHandler("/", function handleServerCallback( + aRequest, + aResponse + ) { + aResponse.setStatusLine(aRequest.httpVersion, 200, "OK"); + aResponse.setHeader("Content-Type", "text/plain"); + let responseBody = "OK!"; + aResponse.bodyOutputStream.write(responseBody, responseBody.length); + executeSoon(function() { + httpServer.stop(resolve); + }); + }); + httpServer.start(CALLBACK_PORT); + }); + + let serverBin = _getBinaryUtil(serverBinName); + let process = Cc["@mozilla.org/process/util;1"].createInstance(Ci.nsIProcess); + process.init(serverBin); + let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile); + certDir.append(`${certsPath}`); + Assert.ok(certDir.exists(), `certificate folder (${certsPath}) should exist`); + // Using "sql:" causes the SQL DB to be used so we can run tests on Android. + process.run(false, ["sql:" + certDir.path, Services.appinfo.processID], 2); + + registerCleanupFunction(function() { + process.kill(); + }); + + await serverReady; +} + +// Returns an Array of OCSP responses for a given ocspRespArray and a location +// for a nssDB where the certs and public keys are prepopulated. +// ocspRespArray is an array of arrays like: +// [ [typeOfResponse, certnick, extracertnick, thisUpdateSkew]...] 
+function generateOCSPResponses(ocspRespArray, nssDBlocation) { + let utilBinName = "GenerateOCSPResponse"; + let ocspGenBin = _getBinaryUtil(utilBinName); + let retArray = []; + + for (let i = 0; i < ocspRespArray.length; i++) { + let argArray = []; + let ocspFilepre = do_get_file(i.toString() + ".ocsp", true); + let filename = ocspFilepre.path; + // Using "sql:" causes the SQL DB to be used so we can run tests on Android. + argArray.push("sql:" + nssDBlocation); + argArray.push(ocspRespArray[i][0]); // ocsRespType; + argArray.push(ocspRespArray[i][1]); // nick; + argArray.push(ocspRespArray[i][2]); // extranickname + argArray.push(ocspRespArray[i][3]); // thisUpdate skew + argArray.push(filename); + info("argArray = " + argArray); + + let process = Cc["@mozilla.org/process/util;1"].createInstance( + Ci.nsIProcess + ); + process.init(ocspGenBin); + process.run(true, argArray, argArray.length); + Assert.equal(0, process.exitValue, "Process exit value should be 0"); + let ocspFile = do_get_file(i.toString() + ".ocsp", false); + retArray.push(readFile(ocspFile)); + ocspFile.remove(false); + } + return retArray; +} + +// Starts and returns an http responder that will cause a test failure if it is +// queried. The server identities are given by a non-empty array +// serverIdentities. +function getFailingHttpServer(serverPort, serverIdentities) { + let httpServer = new HttpServer(); + httpServer.registerPrefixHandler("/", function(request, response) { + Assert.ok(false, "HTTP responder should not have been queried"); + }); + httpServer.identity.setPrimary("http", serverIdentities.shift(), serverPort); + serverIdentities.forEach(function(identity) { + httpServer.identity.add("http", identity, serverPort); + }); + httpServer.start(serverPort); + return httpServer; +} + +// Starts an http OCSP responder that serves good OCSP responses and +// returns an object with a method stop that should be called to stop +// the http server. 
+// NB: Because generating OCSP responses inside the HTTP request +// handler can cause timeouts, the expected responses are pre-generated +// all at once before starting the server. This means that their producedAt +// times will all be the same. If a test depends on this not being the case, +// perhaps calling startOCSPResponder twice (at different times) will be +// necessary. +// +// serverPort is the port of the http OCSP responder +// identity is the http hostname that will answer the OCSP requests +// nssDBLocation is the location of the NSS database from where the OCSP +// responses will be generated (assumes appropiate keys are present) +// expectedCertNames is an array of nicks of the certs to be responsed +// expectedBasePaths is an optional array that is used to indicate +// what is the expected base path of the OCSP request. +// expectedMethods is an optional array of methods ("GET" or "POST") indicating +// by which HTTP method the server is expected to be queried. +// expectedResponseTypes is an optional array of OCSP response types to use (see +// GenerateOCSPResponse.cpp). +// responseHeaderPairs is an optional array of HTTP header (name, value) pairs +// to set in each response. 
+function startOCSPResponder( + serverPort, + identity, + nssDBLocation, + expectedCertNames, + expectedBasePaths, + expectedMethods, + expectedResponseTypes, + responseHeaderPairs = [] +) { + let ocspResponseGenerationArgs = expectedCertNames.map(function( + expectedNick + ) { + let responseType = "good"; + if (expectedResponseTypes && expectedResponseTypes.length >= 1) { + responseType = expectedResponseTypes.shift(); + } + return [responseType, expectedNick, "unused", 0]; + }); + let ocspResponses = generateOCSPResponses( + ocspResponseGenerationArgs, + nssDBLocation + ); + let httpServer = new HttpServer(); + httpServer.registerPrefixHandler("/", function handleServerCallback( + aRequest, + aResponse + ) { + info("got request for: " + aRequest.path); + let basePath = aRequest.path.slice(1).split("/")[0]; + if (expectedBasePaths.length >= 1) { + Assert.equal( + basePath, + expectedBasePaths.shift(), + "Actual and expected base path should match" + ); + } + Assert.ok( + expectedCertNames.length >= 1, + "expectedCertNames should contain >= 1 entries" + ); + if (expectedMethods && expectedMethods.length >= 1) { + Assert.equal( + aRequest.method, + expectedMethods.shift(), + "Actual and expected fetch method should match" + ); + } + aResponse.setStatusLine(aRequest.httpVersion, 200, "OK"); + aResponse.setHeader("Content-Type", "application/ocsp-response"); + for (let headerPair of responseHeaderPairs) { + aResponse.setHeader(headerPair[0], headerPair[1]); + } + aResponse.write(ocspResponses.shift()); + }); + httpServer.identity.setPrimary("http", identity, serverPort); + httpServer.start(serverPort); + return { + stop(callback) { + // make sure we consumed each expected response + Assert.equal( + ocspResponses.length, + 0, + "Should have 0 remaining expected OCSP responses" + ); + if (expectedMethods) { + Assert.equal( + expectedMethods.length, + 0, + "Should have 0 remaining expected fetch methods" + ); + } + if (expectedBasePaths) { + Assert.equal( + 
expectedBasePaths.length, + 0, + "Should have 0 remaining expected base paths" + ); + } + if (expectedResponseTypes) { + Assert.equal( + expectedResponseTypes.length, + 0, + "Should have 0 remaining expected response types" + ); + } + httpServer.stop(callback); + }, + }; +} + +// Given an OCSP responder (see startOCSPResponder), returns a promise that +// resolves when the responder has successfully stopped. +function stopOCSPResponder(responder) { + return new Promise((resolve, reject) => { + responder.stop(resolve); + }); +} + +// Utility functions for adding tests relating to certificate error overrides + +// Helper function for add_cert_override_test. Probably doesn't need to be +// called directly. +function add_cert_override(aHost, aSecurityInfo) { + let cert = aSecurityInfo.serverCert; + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.rememberValidityOverride(aHost, 8443, {}, cert, true); +} + +// Given a host and an expected error code, tests that an initial connection to +// the host fails with the expected error and that adding an override results +// in a subsequent connection succeeding. +function add_cert_override_test(aHost, aExpectedError) { + add_connection_test( + aHost, + aExpectedError, + null, + add_cert_override.bind(this, aHost) + ); + add_connection_test(aHost, PRErrorCodeSuccess, null, aSecurityInfo => { + Assert.ok( + aSecurityInfo.securityState & + Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN, + "Cert override flag should be set on the security state" + ); + }); +} + +// Helper function for add_prevented_cert_override_test. This is much like +// add_cert_override except it may not be the case that the connection has an +// SecInfo set on it. In this case, the error was not overridable anyway, so +// we consider it a success. 
+function attempt_adding_cert_override(aHost, aSecurityInfo) { + if (aSecurityInfo.serverCert) { + let cert = aSecurityInfo.serverCert; + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.rememberValidityOverride(aHost, 8443, {}, cert, true); + } +} + +// Given a host and an expected error code, tests that an initial connection to +// the host fails with the expected error and that adding an override does not +// result in a subsequent connection succeeding (i.e. the same error code is +// encountered). +// The idea here is that for HSTS hosts or hosts with key pins, no error is +// overridable, even if an entry is added to the override service. +function add_prevented_cert_override_test(aHost, aExpectedError) { + add_connection_test( + aHost, + aExpectedError, + null, + attempt_adding_cert_override.bind(this, aHost) + ); + add_connection_test(aHost, aExpectedError); +} + +// Helper for asyncTestCertificateUsages. +class CertVerificationResult { + constructor(certName, usageString, successExpected, resolve) { + this.certName = certName; + this.usageString = usageString; + this.successExpected = successExpected; + this.resolve = resolve; + } + + verifyCertFinished(aPRErrorCode, aVerifiedChain, aHasEVPolicy) { + if (this.successExpected) { + equal( + aPRErrorCode, + PRErrorCodeSuccess, + `verifying ${this.certName} for ${this.usageString} should succeed` + ); + } else { + notEqual( + aPRErrorCode, + PRErrorCodeSuccess, + `verifying ${this.certName} for ${this.usageString} should fail` + ); + } + this.resolve(); + } +} + +/** + * Asynchronously attempts to verify the given certificate for all supported + * usages (see allCertificateUsages). Verifies that the results match the + * expected successful usages. Returns a promise that will resolve when all + * verifications have been performed. + * Verification happens "now" with no specified flags or hostname. 
+ * + * @param {nsIX509CertDB} certdb + * The certificate database to use to verify the certificate. + * @param {nsIX509Cert} cert + * The certificate to be verified. + * @param {number[]} expectedUsages + * A list of usages (as their integer values) that are expected to verify + * successfully. + * @returns {Promise} + * A promise that will resolve with no value when all asynchronous operations + * have completed. + */ +function asyncTestCertificateUsages(certdb, cert, expectedUsages) { + let now = new Date().getTime() / 1000; + let promises = []; + Object.keys(allCertificateUsages).forEach(usageString => { + let promise = new Promise((resolve, reject) => { + let usage = allCertificateUsages[usageString]; + let successExpected = expectedUsages.includes(usage); + let result = new CertVerificationResult( + cert.commonName, + usageString, + successExpected, + resolve + ); + let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY; + certdb.asyncVerifyCertAtTime(cert, usage, flags, null, now, result); + }); + promises.push(promise); + }); + return Promise.all(promises); +} + +/** + * Loads the pkcs11testmodule.cpp test PKCS #11 module, and registers a cleanup + * function that unloads it once the calling test completes. + * + * @param {nsIFile} libraryFile + * The dynamic library file that implements the module to + * load. + * @param {string} moduleName + * What to call the module. + * @param {boolean} expectModuleUnloadToFail + * Should be set to true for tests that manually unload the + * test module, so the attempt to auto unload the test module + * doesn't cause a test failure. Should be set to false + * otherwise, so failure to automatically unload the test + * module gets reported. 
+ */ +function loadPKCS11Module(libraryFile, moduleName, expectModuleUnloadToFail) { + ok(libraryFile.exists(), "The PKCS11 module file should exist"); + + let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService( + Ci.nsIPKCS11ModuleDB + ); + registerCleanupFunction(() => { + try { + pkcs11ModuleDB.deleteModule(moduleName); + } catch (e) { + Assert.ok( + expectModuleUnloadToFail, + `Module unload should suceed only when expected: ${e}` + ); + } + }); + pkcs11ModuleDB.addModule(moduleName, libraryFile.path, 0, 0); +} + +/** + * @param {string} data + * @returns {string} + */ +function hexify(data) { + // |slice(-2)| chomps off the last two characters of a string. + // Therefore, if the Unicode value is < 0x10, we have a single-character hex + // string when we want one that's two characters, and unconditionally + // prepending a "0" solves the problem. + return Array.from(data, (c, i) => + ("0" + data.charCodeAt(i).toString(16)).slice(-2) + ).join(""); +} + +/** + * @param {string[]} lines + * Lines to write. Each line automatically has "\n" appended to it when + * being written. + * @param {nsIFileOutputStream} outputStream + */ +function writeLinesAndClose(lines, outputStream) { + for (let line of lines) { + line += "\n"; + outputStream.write(line, line.length); + } + outputStream.close(); +} + +/** + * @param {string} moduleName + * The name of the module that should not be loaded. + * @param {string} libraryName + * A unique substring of name of the dynamic library file of the module + * that should not be loaded. 
+ */ +function checkPKCS11ModuleNotPresent(moduleName, libraryName) { + let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService( + Ci.nsIPKCS11ModuleDB + ); + let modules = moduleDB.listModules(); + ok( + modules.hasMoreElements(), + "One or more modules should be present with test module not present" + ); + for (let module of modules) { + notEqual( + module.name, + moduleName, + `Non-test module name shouldn't equal '${moduleName}'` + ); + ok( + !(module.libName && module.libName.includes(libraryName)), + `Non-test module lib name should not include '${libraryName}'` + ); + } +} + +/** + * Checks that the test module exists in the module list. + * Also checks various attributes of the test module for correctness. + * + * @param {string} moduleName + * The name of the module that should be present. + * @param {string} libraryName + * A unique substring of the name of the dynamic library file + * of the module that should be loaded. + * @returns {nsIPKCS11Module} + * The test module. + */ +function checkPKCS11ModuleExists(moduleName, libraryName) { + let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService( + Ci.nsIPKCS11ModuleDB + ); + let modules = moduleDB.listModules(); + ok( + modules.hasMoreElements(), + "One or more modules should be present with test module present" + ); + let testModule = null; + for (let module of modules) { + if (module.name == moduleName) { + testModule = module; + break; + } + } + notEqual(testModule, null, "Test module should have been found"); + notEqual(testModule.libName, null, "Test module lib name should not be null"); + ok( + testModule.libName.includes(ctypes.libraryName(libraryName)), + `Test module lib name should include lib name of '${libraryName}'` + ); + + return testModule; +} + +// Given an nsIX509Cert, return the bytes of its subject DN (as a JS string) and +// the sha-256 hash of its subject public key info, base64-encoded. 
+function getSubjectAndSPKIHash(nsCert) { + let certBytes = nsCert.getRawDER(); + let cert = new X509.Certificate(); + cert.parse(certBytes); + let subject = cert.tbsCertificate.subject._der._bytes; + let subjectString = arrayToString(subject); + let spkiHashString = nsCert.sha256SubjectPublicKeyInfoDigest; + return { subjectString, spkiHashString }; +} + +function run_certutil_on_directory(directory, args, expectSuccess = true) { + let greBinDir = Services.dirsvc.get("GreBinD", Ci.nsIFile); + Services.env.set("DYLD_LIBRARY_PATH", greBinDir.path); + // TODO(bug 1107794): Android libraries are in /data/local/xpcb, but "GreBinD" + // does not return this path on Android, so hard code it here. + Services.env.set("LD_LIBRARY_PATH", greBinDir.path + ":/data/local/xpcb"); + let certutilBin = _getBinaryUtil("certutil"); + let process = Cc["@mozilla.org/process/util;1"].createInstance(Ci.nsIProcess); + process.init(certutilBin); + args.push("-d"); + args.push(`sql:${directory}`); + process.run(true, args, args.length); + if (expectSuccess) { + Assert.equal(process.exitValue, 0, "certutil should succeed"); + } +}
diff --git a/security/manager/ssl/tests/unit/moz.build b/security/manager/ssl/tests/unit/moz.build
new file mode 100644
index 0000000000..561502dd51
--- /dev/null
+++ b/security/manager/ssl/tests/unit/moz.build
@@ -0,0 +1,10 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+DIRS += ["tlsserver", "test_signed_apps"]
+
+if not CONFIG["MOZ_NO_SMART_CARDS"]:
+ DIRS += ["pkcs11testmodule"]
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem
new file mode 100644
index 0000000000..354741fc50
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRTCCAi2gAwIBAgIUAywOkzxiH/uWcwxb85Yy3OI46WgwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAvMS0wKwYDVQQDDCRUZXN0IEludGVybWVkaWF0ZSB1c2VkIGFz +IEVuZC1FbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo +RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a +dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t +aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n +FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX +Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py +UcQx1QOs2hgKNe2NAgMBAAGjcjBwMAwGA1UdEwQFMAMBAf8wMgYIKwYBBQUHAQEE +JjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMCwGA1UdEQQl +MCOCIWNhLXVzZWQtYXMtZW5kLWVudGl0eS5leGFtcGxlLmNvbTANBgkqhkiG9w0B +AQsFAAOCAQEAN+g9N3uhls8y70fGORVEyYVjBmMCFeQz3DQw3u1J7+aHe6efygSP +OKPXW3SbHSxlPFIsicVSHO3sso3zUGoedMw0KSyni4tR4yQ9jllrqijVCWorqRbU +tlseF5hfw7DsKcl6jGA5UN0Aiq9SwKArdkRL+0Ykk0a/rxMEiOjf/Ao3ImfJnsCa +frDKqziMWOmQtxrVTabpgRqCd1gtTg4cCsy7Yto8v4Gn1N/EL8FAXGWOieWDQ2Iv +UFd9p0eTReBbRNC/QuZa7nEEAh4JO+JCAW4rHI6+beSPCT+lFQbF8sAJYSMGf0lb +LAwyUGAPPLRx+SweIClb4EO+iVAFuR0Tug== +-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem.certspec
new file mode 100644
index 0000000000..8e16705b50
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ca-used-as-end-entity.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test Intermediate used as End-Entity
+extension:basicConstraints:cA,
+extension:authorityInformationAccess:http://localhost:8888/
+extension:subjectAlternativeName:ca-used-as-end-entity.example.com
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key.keyspec b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key.keyspec
new file mode 100644
index 0000000000..4ad96d5159
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem
new file mode 100644
index 0000000000..5dc7cf4ef8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDiTCCAnGgAwIBAgIUOYwND1zpte36abEsvdvudfnxjHgwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow +gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp +bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu +ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs +ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo +b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBr5H7lb24bMQYGDFY5qeMDNcti +AI4rI7Nu0aMvZtDcxqHkIg/a7nr7WeQc3gCg8mUJ6xvreXxRswrudZzjjsGiTbym +qjEz7HYrbvdWh5bLtdL7aoP1KmFD722guwdXVYQ7tx65oHroH+UCU28VT/+WzsHc +5OjBqZvR928aWEXwIen9lhdk/5Rq2IrFqCTuUrNR5aiP6gJZoy4nIh3IFIxqWzsm +lOjqvzSQIuo+gLN7oduafrwetpp8ywSrDVTtp9yckIHuW8css+OZLfqbFPMSFRJo +Qee+FhxaGgDoRGk8oVGYyTJYUPIReZa5dtNPKs1JQvdqhIeUwA3GnJBTFCan +-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem.certspec
new file mode 100644
index 0000000000..554339ff52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/default-ee.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test End-entity
+extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com
+extension:authorityInformationAccess:http://localhost:8888/
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem
new file mode 100644
index 0000000000..f4fdae14e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4zCCAcugAwIBAgIUKXbCwsfJrBWAUYFNDXaeg/nfIPswDQYJKoZIhvcNAQEF +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAoMSYwJAYDVQQDDB1UZXN0IFNIQTEgRGVsZWdhdGVkIFJlc3Bv +bmRlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpn +kfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJE +xYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG +680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYl +R5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbx +h83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkd +cSFo07sCAwEAAaMXMBUwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcNAQEF +BQADggEBAJuSur2pt9LuJ+4USQAyLvqDma1oSdkBaXbB/fjkCF/grTsJRZ4ibOaW +QN06nCHoqhML1Ygdief7unpXtIj9XQS2r7PT08tT3Dxr+2vJdJ4WQV6bb/hAorSp +K3ow3irQVUmcRFq6ef0SJuluddll4jlxfc0gfd7SLQSFF5QwXEwAeXs3iy0W51Kr +F47M/VMoTCFSa18x5omLBFx8SyGi4Ufmd+Pk2UW5vTP1S9RydAmZlzNT+v0IaRWD +SQikynGTO1HA0ev8+RRmjtpZH7S8yJgbbF2BQ0FvDRMvhetn+Au+wn/WAsAf5vBF +5/QwEp6OjNkmPPqOOyuQwMPrBhetPFM= +-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem.certspec
new file mode 100644
index 0000000000..bdf3e2ee4d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSHA1Signer.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Test CA
+subject:Test SHA1 Delegated Responder
+subjectKey:alternate
+signature:sha1WithRSAEncryption
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem
new file mode 100644
index 0000000000..5be9b76540
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3jCCAcagAwIBAgIUAewwnrqZ1D+uII39v6YmAKyJvBkwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAjMSEwHwYDVQQDDBhUZXN0IERlbGVnYXRlZCBSZXNwb25kZXIw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBdcZSZgmfdwgqZ5HxuHbD +f1zlOLBsSs0iscvUb6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBICRMWEpMRI +MwXlE4wBBs8IvpqGJ2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzHBuvNMHDs +mMzkCqWR1ylaf3HFvmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZmJUeX7UJp +CIgIEUIgaZiKQ/7kjOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW8YfN1U6D +KzW4kw90upCqi8dhZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4ZHXEhaNO7 +AgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IB +AQBXSzxBevwLvKO1eCAbuJrNNXXY4Z816s/+Hlf8Ike2M5Zx9XuGmMRjimDksuip +Jq/iWpwPOAWtQSzdyHYtQT8eY9KAGxzdZL78P+VTLhQVOVdTxoPd/W3yBoHofnNF +xmJy2MS/3aRO8s8fIh3B/RwXrh18nFVc9zSwwHOjGeu3r3cbdgr2TuabDaxB7EFu +e2P6NEiAhbK3GzXrxx2P3SoAf08AznoU1ByQ2FxM9xLdSvvM0zLilDuMu1E/VPcB +7Qf7yLjlYJ/zj1rXGlJeNpDxUJS1hHUmv3csLPiYVPBIgDlnMPbZbEgZMByCLKvr +EYnk3LpYcUin64yag3fy8ND5 +-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem.certspec
new file mode 100644
index 0000000000..19971eeb4d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/delegatedSigner.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test Delegated Responder
+subjectKey:alternate
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem
new file mode 100644
index 0000000000..82e866fb1d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDAjCCAeqgAwIBAgIUTdVj/pzuxlxEfL7vEQpILaExEJowDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMTExMjcwMDAw +MDBaGA8yMDI0MDIwNTAwMDAwMFowPTE7MDkGA1UEAwwyVGVzdCBJbnZhbGlkIERl +bGVnYXRlZCBSZXNwb25kZXIgRnJvbSBJbnRlcm1lZGlhdGUwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDBdcZSZgmfdwgqZ5HxuHbDf1zlOLBsSs0iscvU +b6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBICRMWEpMRIMwXlE4wBBs8IvpqG +J2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzHBuvNMHDsmMzkCqWR1ylaf3HF +vmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZmJUeX7UJpCIgIEUIgaZiKQ/7k +jOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW8YfN1U6DKzW4kw90upCqi8dh +ZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4ZHXEhaNO7AgMBAAGjFzAVMBMG +A1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IBAQBsAeKHkIwoG0QZ +yLFd+txRTVP7Qetuipuvlk+n1/L1Nf1oGKrW66aJXgtdIerHnvLsODNqHHyhCY8e +2wI9sMcWQXMi+ceFZc8iqp+qE0GmDs9XLh26tW1GMLWb/BjEzHD+sOGaKNT61fhY +Y9FD19LU4P3ORbafT97TfkjGH+YublvdGVOtvRETnSrPfJgGeMYACVMFLaFFxzsg +JX2AH4zUIa4usme2gCOTgs7SjHXCOV/tAmoG672kvsaFswpd+CJUYf84CAqm3gvh +YWFoBO19lK40Je/eUYU3WvAUTKsnRh2xY29r7Pp91aspZFgTdGRttUl0s7WfutTc +HQlKG3tJ +-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem.certspec
new file mode 100644
index 0000000000..be0d3e9e5f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerFromIntermediate.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test Intermediate
+subject:Test Invalid Delegated Responder From Intermediate
+subjectKey:alternate
+extension:extKeyUsage:OCSPSigning
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem
new file mode 100644
index 0000000000..c0356e01ec
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8jCCAdqgAwIBAgIUMy0wGcubgpwZ35tXDgLmzbETHSEwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjA/MT0wOwYDVQQDDDRUZXN0IEludmFsaWQgRGVsZWdhdGVkIFJl +c3BvbmRlciBrZXlVc2FnZSBjcmxTaWduaW5nMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2w39c5TiwbErNIrHL1G+mWtoq3UHI +wkmKxKOzwfYUh/QbaYlBvYClHDwSAkTFhKTESDMF5ROMAQbPCL6ahidguuai6PNv +I8XZgxO53683g0XazlHU1tzSpss8xwbrzTBw7JjM5AqlkdcpWn9xxb5maR0rLf7I +SURZC8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1CaQiICBFCIGmYikP+5Izmh4HdIram +nNKDdRMfkysSjOKG+n0lHAYq0n7wFvGHzdVOgys1uJMPdLqQqovHYWckKrH9bWIU +DRjEwLjGj8N0hFcyStfehuZVLx0eGR1xIWjTuwIDAQABow8wDTALBgNVHQ8EBAMC +AQIwDQYJKoZIhvcNAQELBQADggEBAA3bDvQitwX8KjvlT11SuggsrbQvwWN4QMFr +Rqre+0XQexGsVPxBbo44T71AYSYOQHIaOje5yETj23Uw6aiH8eNYdt61mspkRQ68 +v6laay/+txJZFqByGpbK24saFVThj21WIVc9s7HCvVpeSoYWidfWtLIKlmsQ8qLi +XzBRqsbaRtfxDRrAW2WmmUfX34gL19ztHKOa84hnFyTahMIPFt9XVixWa1Tdg8Ny +bGGb8SpPNPXuDoBbnHRvlEWjANs5qKPzH2X3HzEkfQIG0o3+WwgXqZ+wzdruO+SP +LYcNF2gBvXBTfxN25r3G8DfHuaaPxfDLpc0E6+yWQzvIIsFSVqY= +-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem.certspec
new file mode 100644
index 0000000000..2833ed9b52
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerKeyUsageCrlSigning.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test Invalid Delegated Responder keyUsage crlSigning
+subjectKey:alternate
+extension:keyUsage:cRLSign
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem
new file mode 100644
index 0000000000..197aac8ba1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3DCCAcSgAwIBAgIUR5DeATqHByZLzUBs0J6D5tz7veEwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjA6MTgwNgYDVQQDDC9UZXN0IEludmFsaWQgRGVsZWdhdGVkIFJl +c3BvbmRlciBObyBleHRLZXlVc2FnZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJisSj +s8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF2YMT +ud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElEWQvF +o+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzSg3UT +H5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0YxMC4 +xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA +XrKScU1DSiU4Wyk+16PPc8LW3nboaHG+GYOY615veGXsKwVx7OV3aaOvscU57Qng +2HFPJl8J7wX18aYqAwkIcE5yVtlzygGhVQoEZLo5VsTuJI5BNJ2hY0OgOI2J2yHR +IGgUp3ypjYxl3QvGKJ41l8lCtZbsvm5tc5uyek0hLqi1SNbMBqPMLlUj5jDYVfmw +CnqI4fGJ/Abhmv5RF9AfQTGSUNcHuHVmOkbJjRLXymdf2ugmxaDc/ub5TzecW0Bk +QM5tkGp8gylULaBG1arfGYiiBsHyB5g8aXkbPCF3JpdLw77KEaaecAodLADpolFl +ivwFQr1BpNeNOTML58CAbg== +-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem.certspec
new file mode 100644
index 0000000000..92444c94ad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerNoExtKeyUsage.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Test CA
+subject:Test Invalid Delegated Responder No extKeyUsage
+subjectKey:alternate
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem
new file mode 100644
index 0000000000..0aeb81e4f7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+DCCAeCgAwIBAgIUTYsUyQ3d/zW8mtQDOm0FSHaNj9owDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjA9MTswOQYDVQQDDDJUZXN0IEludmFsaWQgRGVsZWdhdGVkIFJl +c3BvbmRlciBXcm9uZyBleHRLZXlVc2FnZTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9RvplraKt1ByMJJ +isSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYnYLrmoujzbyPF +2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ZmkdKy3+yElE +WQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM5oeB3SK2ppzS +g3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2FnJCqx/W1iFA0Y +xMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMXMBUwEwYDVR0lBAwwCgYI +KwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEBAHpiUjR7ajUbQR7xFFMgOQ07scjM +nPo7lDUwtnbM7jFVtEAuSCeSkifDj4/ProqoQSU5fcLfKDScTbD1boxspjnoJXtQ +tHMwzQB+bldObBAgmolWGqPbTBAhCMajlOZrXBVMVZPRefP8+1OqnNLp9ZZMUyNk +thRWcRXaGbhJliVaynxxtNE4PBW7PxKgQ/apmXFyuqRPSJZ1E0VOX6z0VgXPdMX9 +BguPjLQP6k3LGZBWKdyHM6PgGcMmplvaE/96KeFat4fZ+75VstEuym1JffQe3iQ6 +uYyilCfdEAKyF87AlmB0EejnxyDNYXLR8QtAoCtdPJptUfbbESKPPnl8H/0= +-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem.certspec
new file mode 100644
index 0000000000..bc704fbd41
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/invalidDelegatedSignerWrongExtKeyUsage.pem.certspec
@@ -0,0 +1,4 @@
+issuer:Test CA
+subject:Test Invalid Delegated Responder Wrong extKeyUsage
+subjectKey:alternate
+extension:extKeyUsage:codeSigning
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem
new file mode 100644
index 0000000000..4ff3d7f896
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDJDCCAgygAwIBAgIUP/7EjIlvsUJM2IjufQuGIZ0rkqUwDQYJKoZIhvcNAQEL +BQAwNzE1MDMGA1UEAwwsVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdWx0aXBsZSBU +TFMgRmVhdHVyZXMwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFow +LDEqMCgGA1UEAwwhTXVsdGkgVExTIEZlYXR1cmUgVGVzdCBFbmQtRW50aXR5MIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08 +E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc +1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP +DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ +gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV +YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID +AQABoy8wLTAYBgNVHREEETAPgg0qLmV4YW1wbGUuY29tMBEGCCsGAQUFBwEYBAUw +AwIBBTANBgkqhkiG9w0BAQsFAAOCAQEAt0ShK8cvzeMbCn9QkZMRzjYIWGXDSOr8 +05nKaKmumAGSp3ZYmVa3ux1TkVSJZ2TQuxiomUdv7tQabswMI8tW33QwjUsNv8zD +/6+3PyLyFJKsStn3wYxoL/3DAimkxGwBoruS1UD89oZrkkFJCk0RQ5cJPh32mgvh +p9vAB85TC1xRdr/VPkDoTFj1wIZrzwkcx9ReG1engf7fluaKy/duXP4WDDmiGP93 +ulBYr8HbvhAXbnaVSo4FcIe22lIqUoizzL3yoFLLqmu2IaQm9Oxt/+6rcLsOBTwD +lQtXGg3nayKap5GPXEkhN7PRAqQ5HwKMsdlQ9MEjDvjzvci0pJ2JAg== +-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem.certspec
new file mode 100644
index 0000000000..3fa2793b30
--- /dev/null
+++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-bad-ee.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test Intermediate With Multiple TLS Features +subject:Multi TLS Feature Test End-Entity +extension:subjectAlternativeName:*.example.com +extension:TLSFeature:OCSPMustStaple diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem new file mode 100644 index 0000000000..470d99a725 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDJzCCAg+gAwIBAgIUXSCXXXLmmsba5ku37x7zJJ4isEEwDQYJKoZIhvcNAQEL +BQAwNzE1MDMGA1UEAwwsVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdWx0aXBsZSBU +TFMgRmVhdHVyZXMwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFow +LDEqMCgGA1UEAwwhTXVsdGkgVExTIEZlYXR1cmUgVGVzdCBFbmQtRW50aXR5MIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08 +E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc +1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP +DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ +gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV +YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID +AQABozIwMDAYBgNVHREEETAPgg0qLmV4YW1wbGUuY29tMBQGCCsGAQUFBwEYBAgw +BgIBBQIBBjANBgkqhkiG9w0BAQsFAAOCAQEAo5Z4o5AYQSGGGaTVTlbbthu9zFwg +Zvf9kqcEnq1HjAfs0zaOwX1M4VMbrzzfyiqqKVxTOmtwcW2yKVPE1ik3CKH8BVCj +o3VwRTrPMkBqBGjrOg15NTSwbNxknYB7HyokfNdH4ANQnCs0DYDZVBAt157rIG3K +oMYyK3aSlEDG2+GIX/fhDBXmkII2b8t7QS9ZT2lwzLxNXz+bKJ+HpAKYcgs7vMGt +ykZSsRuPEfq/5WnbKpjIc6E2/l1kkpFsR54582kjYPjSA1Y579IoYgbPsk5VHhSV +7Qg8SJopYa2yo69dFevXsDU2Tv2n4HcX0Cl3c6yermBS6wQUoN4Ek88IuQ== +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem.certspec new file mode 100644 index 0000000000..7a8dd223d0 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/multi-tls-feature-good-ee.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test Intermediate With Multiple TLS Features +subject:Multi TLS Feature Test End-Entity +extension:subjectAlternativeName:*.example.com +extension:TLSFeature:OCSPMustStaple,6 diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem new file mode 100644 index 0000000000..353301df55 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCDCCAfCgAwIBAgIUExI7fUz3GmcjMScLiiOCQIkXurQwDQYJKoZIhvcNAQEL +BQAwLTErMCkGA1UEAwwiVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdXN0LVN0YXBs +ZTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAaMRgwFgYDVQQD +DA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a +hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t +FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o +N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d +JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4 +s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjLzAtMBgGA1UdEQQRMA+CDSouZXhhbXBs +ZS5jb20wEQYIKwYBBQUHARgEBTADAgEFMA0GCSqGSIb3DQEBCwUAA4IBAQAZLyDW +Mx2MhSfaOkL1LUymUrWbyB97LRlg/6gj/V9KX0+lu1uKGCpAVkie70JY1kCmDZGY +PraE+08mqS2dakJAG8fF3G39nHBKOIHV6pgC1oFwdIQNji6Gfng+bW7wY2V/CvpF +kxvDti4zNqxWFeulyqVY+9HElVqUHaU6cwU3Jyp6F1JY9IXKmp/Qn9/qpc/jVYtg +hIzXC0ek4Idoun/g0xyPdvGSqV1xOqNQLln6VrDGVgTHY8MvhERdpobaGeCjcIr4 +dHy2QRXOZ9teBu99hjrUs5orw0cU3VrYqquZmkT5hlHzB88uCzCL9yanRiRu7sT6 +AT1rIoY65dulzXxu +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem.certspec new file mode 100644 index 0000000000..352a60675d --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee-with-must-staple-int.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test Intermediate With Must-Staple +subject:Test End-entity +extension:subjectAlternativeName:*.example.com +extension:TLSFeature:OCSPMustStaple diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem new file mode 100644 index 0000000000..9ef0a6cd32 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDITCCAgmgAwIBAgIUQTtN9ShJt1pBjl2mkQLi2h6ZarAwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjYzBh +MBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wEQYIKwYBBQUHARgEBTADAgEFMDIG +CCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4 +LzANBgkqhkiG9w0BAQsFAAOCAQEAOGWQ8cQnxcL3TyI+iGwT1QaoQKWZ73wNAfKM +5jOslqRAWYXa5wvSWs4U5EnNhL5BxTGQJodJX9nSTwLnG3UnFAORu/zong8A31tj +mEuKfsOr2AyLcldaIPGhSSbHkIh3lTOmsGavpBKCiOgTdZDJ0m9XmIWZQquPAUU5 +YrYpdYmE3uyduhz3yRJPpbMGjqUVBJ2JxNlJZKBe6rOksfbDqZOnAeFCDwMPmu5u +qKGU1ZdPftOd9kUjgDUL8VdfyJYQTalsCEOnwbfeeXVj3uQM+K7GKkIXpM65odyN +A2ixTwF+4F+O0Ud5gbsv6SRL2NuQ9QS8AWck5sFgNeXCp7lpxQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem.certspec new file mode 100644 index 0000000000..43edfff0d9 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Test End-entity +extension:subjectAlternativeName:*.example.com +extension:TLSFeature:OCSPMustStaple +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem new file mode 100644 index 0000000000..5224806264 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC9TCCAd2gAwIBAgIUBTqttZK9tUuSoydawQZiIsRJzMgwDQYJKoZIhvcNAQEL +BQAwLTErMCkGA1UEAwwiVGVzdCBJbnRlcm1lZGlhdGUgV2l0aCBNdXN0LVN0YXBs +ZTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAaMRgwFgYDVQQD +DA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a +hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t +FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o +N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d +JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4 +s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHDAaMBgGA1UdEQQRMA+CDSouZXhhbXBs +ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAGSfCLtcdh40aAmR7FuDlsEFNB6WCFiA +KZqgmPKAgwUxz06fzjRD6WKaUIu9EWc2EWOm33mT0ZxDCKveNH7PWaWncqiD+39e +ufBp/9wchIYRL20RnCjSyWgoY0q2GQcpce4VkKEMsvqVX9PawPHDtDtN83j26Bpt +ss+WaxmMPMr10M2mXiA4p7YxtyvMUC7mM0uz4oLMVy0zr6u+aYES24wFbMHtDSuv +luxEdukhgft60ZWRQ87WlLBXthPbF51DOQuMdJkaT9xgWXOQYAHSe9B9mJuHHgne +ldtJmEHhMY56HZnq5lCfH88HLQ3hjdkvW2C/s/cUTzmOg9K2v9dxehs= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem.certspec new file mode 100644 index 0000000000..8e4a6ac0c5 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/must-staple-missing-ee.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test Intermediate With Must-Staple +subject:Test End-entity +extension:subjectAlternativeName:*.example.com diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem new file mode 100644 index 0000000000..eeba74d122 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNTCCAh2gAwIBAgIUa3IIjkCGtQbW1mfI5/tlV15JkwYwDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMTExMjcwMDAw +MDBaGA8yMDI0MDIwNTAwMDAwMFowLDEqMCgGA1UEAwwhVGVzdCBFbmQtZW50aXR5 +IHdpdGggSW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu +Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO +7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf +qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt +HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx +uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1swWTAjBgNVHREEHDAagglsb2NhbGhv +c3SCDSouZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZo +dHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBQdbi6gS1G +Dcd5PlWuNRCK9xO4hKNZWsLVtjomtwkGJ2rLlQzdjyOAOMMLBPAHwXr4/sL4XMfz +g4yw99gpcHViVXr1LZ/ARsatRU2EiGm9At3c2BeES9dxuY7E8TNOyh/JzD4aeBHB +IHji5+BfqWBNtX9KiuzKI1/rk9jNkqX43vlH+g0NDgRR+qzFZ7d+4cI9RCAjIn+l +tDq+SXHeE6qNVhgPVrusCJ2BCUYdTurQJlN6SexScXADVduOH/A6Wgn6wqBk590B +Pyo2uwGOQqPUdmZjuOZT3uEP3S/HZvU1CWhTolTngRU6hYYRUs/bOfa07YvnWfN+ +/pXB66XSWvAu +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem.certspec new file mode 100644 index 0000000000..ae3a51565a --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspEEWithIntermediate.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test Intermediate +subject:Test End-entity with Intermediate +extension:subjectAlternativeName:localhost,*.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem new file mode 100644 index 0000000000..ecba24b47e --- /dev/null 
+++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDFDCCAfygAwIBAgIUZfBhvLmi3hqAmDxDC+6crWnZTTYwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAVMRMwEQYDVQQDDApPdGhlciBDZXJ0MIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1swWTAjBgNV +HREEHDAagglsb2NhbGhvc3SCDSouZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAk +MCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEB +CwUAA4IBAQCLXvngvubhkgVriBewAl1S6mx6VygmmNBglPAXKZMn9z46bmdFmoAZ +oz6yV3/w0xO07EauQwZCdZesVpkLZYDmIgJdJT0qhXoke6hhBb05Lv9ybqPsNyWA +1ezX8ZevXX19GOBZCuasCQhLrzn838OIfD9VPPHYhPEjjbuHDzK9vCkJXdRtb8QL +jJxRQ2zrhyQAW83JdGhKKcERU+lcrwohKxEGnIMbjeaHkBhHAQqeQ/ZXS1ZXQREf +sU9w5OMAkmcHPbjQqsrBfW4JBZE17oan+dkDlLDD7tpKwDVtnTgcU4bn9l2Tkn8M +FE8s5Z7aVz2HVz5OeEkSs2tMubzFn8LO +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem.certspec new file mode 100644 index 0000000000..5756f6ab5f --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/ocspOtherEndEntity.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Other Cert +extension:subjectAlternativeName:localhost,*.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key new file mode 100644 index 0000000000..abde350c28 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBdcZSZgmfdwgq +Z5HxuHbDf1zlOLBsSs0iscvUb6Za2irdQcjCSYrEo7PB9hSH9BtpiUG9gKUcPBIC +RMWEpMRIMwXlE4wBBs8IvpqGJ2C65qLo828jxdmDE7nfrzeDRdrOUdTW3NKmyzzH +BuvNMHDsmMzkCqWR1ylaf3HFvmZpHSst/shJRFkLxaPqSf2TsddTQF8Xc3aZlYZm +JUeX7UJpCIgIEUIgaZiKQ/7kjOaHgd0itqac0oN1Ex+TKxKM4ob6fSUcBirSfvAW +8YfN1U6DKzW4kw90upCqi8dhZyQqsf1tYhQNGMTAuMaPw3SEVzJK196G5lUvHR4Z +HXEhaNO7AgMBAAECggEAfj9tfLg572auXX3ZL/VBC7NB3BRyjTkDRXDho3B5DzDw +aBNV//QeKtTpqdn86/vRJ736uMAK/7Hzzqcyfq1HqhYh8qwe4UygLwSzsnhgF5gL +GBpEnQOwPmnRErg1ceVUNPASBWV10oMu1nMdznmeN8g/bVHFWrcetYAVrwXhrxXH +R2A+9/J9A6b/BJ2Wu/hUweTlDvWwWND7CBgOCsf3vo8v8Wc9l/yeVduoOAd7v4p8 +/ylihXeFJpzZ1brStXRp5K/NM8TKLS9pnxHnyPvc1ITwjY77ijy4qXLrJL7Zcu+q +5LtxIJPkj+lKRutimodQeMQCGposk8mnA5Dp0KVEAQKBgQDmP8clprp2klp/+MtZ +xPVt1+yD/oW/H1PhHKyagSWLz8CugZB3sPLRR3qvho3mqOy+r3uyKxlvKprYLTKG +8NDMKd5xnl8r6OUJtyhNWWPt02L5J4h6TEqJeZ00DVGzAax2AasnF5Ak/KrdOL9l +Iq9j6xZGHsAqfyewb+Cd3afAoQKBgQDXGLH+n4+Z8A6DKuH73G/iqyfzTgScSYAQ ++g63CEhSGCNGCDtclsPu5VksAUpBDGuTCxZcE7XCaqMurG58klqFUcJRNPL0pyxk +IfGacxSKDt+rpdOmiIs1y6GMAP047lqvC1RXMdcgdhu8ze50SlLKQV6Y5N4Bzf52 +TBlns+jK2wKBgAHlrKJmyUqI0i4TwrkuokcRbGV6B2gXvf0w20s6nTCVuaS2dJZH +4vhOenhPx4OLCMhZcc96A2+jDjuRw8TQ3yePgMG26FnYRWrbE33vqp8fCsW6yakY +T9TqJ51yLqYm8WDXiq17yDhFzLKd8RXIP2G3YiuZvUOcYJtXkKY8WVGBAoGBAIDM +RdENJITuDRKX/Ae/gLO+/0Yeon4fOPNxeJw69mtKDt0hksIneR208cd64ka/NC8x +hWsPVlgbWKlbETHAxTltsqjDxvOeouM2vCBa5qKgs2hp/KmMu6czzwExmm+bsmt8 +oj0wF/xVHNjaiv3Rf2+i4w00hoeYHNYjTVcekLffAoGAb3fAwfKuesFpVhzKSZxS +vfvgTN3M29wSrsWoVpHoWUt+4pkI8w57lqpiVLgO1K7sm5k3gr38ebadjVjGiHD6 +S+G8DDUnKIxcgrtK668V7f8RBAP8eOas5qgoJ79C8M+nUeUHZRxWONuTk90j3R9r +KVFR3kS3f+Vaew3yceGaZcA= +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key.keyspec b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key.keyspec new file mode 100644 index 0000000000..cbd5f309c0 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.key.keyspec @@ -0,0 +1 @@ +alternate diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem new file mode 100644 index 0000000000..a2e264030a --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3zCCAcegAwIBAgIURym6o+VN9xgZXT/QLrvN/nv1ZN4wDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNT3RoZXIgdGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoY +DzIwMjUwMTAxMDAwMDAwWjAYMRYwFAYDVQQDDA1PdGhlciB0ZXN0IENBMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2w39c5Tiw +bErNIrHL1G+mWtoq3UHIwkmKxKOzwfYUh/QbaYlBvYClHDwSAkTFhKTESDMF5ROM +AQbPCL6ahidguuai6PNvI8XZgxO53683g0XazlHU1tzSpss8xwbrzTBw7JjM5Aql +kdcpWn9xxb5maR0rLf7ISURZC8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1CaQiICBFC +IGmYikP+5Izmh4HdIramnNKDdRMfkysSjOKG+n0lHAYq0n7wFvGHzdVOgys1uJMP +dLqQqovHYWckKrH9bWIUDRjEwLjGj8N0hFcyStfehuZVLx0eGR1xIWjTuwIDAQAB +ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC +AQEAtXplrvls6HSbbibpzfGxOPmSuh2TH05bE4vQk+d7Kz6EOAFvgTiZbLwTxbrQ +gfrM05t+67C2nAeiwAtW34nUnu6S8MYA6mJjURWICbl7cAvCHuNjg1atVr6f1Y+9 +VFFG6aUibw3bzKneREmDEVcxlEWUaMvv/JjfyMA5veSyX6iTJYkIBrEiVV5Alzg5 +yVHBi6+tpuJDO/YLlG8kmfzkYeJkTyAGx1EJ2yQHim7R232638yb0KrhS4zKsfFU +egHhM4c+MpiCLc9q2EgblbYGx5GM+2leuzXunj1KPClHFrnmkRRm3rcESG2pK9RN +/48Nd38VNofRojEbzDSCdOFmow== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem.certspec new file mode 100644 index 0000000000..3bc975aa22 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/other-test-ca.pem.certspec @@ -0,0 +1,7 @@ +issuer:Other test CA +subject:Other test CA +issuerKey:alternate +subjectKey:alternate +validity:20150101-20250101 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign 
diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key new file mode 100644 index 0000000000..d43495f851 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICcAIBADANBgkqhkiG9w0BAQEFAASCAlowggJWAgEAAoGAANKbsS+4T93NKbOl +GctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJaj7SBxZVNKqZ +BX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyvbXvmnZoIMTbh +WvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAQJ/PEllBwvzkMJR1aLFJ3xbX9C97oXK +1/4rJ5grsoURSlBwBANq4c+K5Usl5Ns5IVq9fpA/YYwtiy8IzGzRLbzNciBeSUW2 +s984nl5D3goUi7LITiQx/b5ZILBEuycvRez/ByG337YDl/xhOp6jXCIwBTDK6PkV +nFNN878JEJUZAQJAD58XWXyFuAUbnGmvtV71dsmW29CQR9DM3ludYOpcZ/5PrGe+ +gD9LasWj8FD3a5ZvsU9c8QV2HlrebdlgsYO6VQJADXtjcRLOYaVRaMD5yThvsnmr +QMug1Ukza7plJ3JjqseCYRosgdm2Nc94xAAYhZ4BjF6QBtEuPS7m80bnn6QzaQJA +Cf1smj6m6RrjIHD5/BwhD/k1L5e+XR7rlRuzloHp3FtnKlMiIbPYkAyanZm50KTh +AtxFDKG4ewsTid5lFsCuDQJAAUG4MkkbfdSoMwiSACTHnK5kvUR9+IO7TFZyqWur +SLcSOzTyYyRFLNzrF/IeVw40fL4v1MLY+ZEOrCy22JW4yQJABFjdau4YyIsvm4Hx +vDB1riDcH5lz0gck8gsGBD1hR8h4nUoHroi8gshDjIk+AXsTlH9i4LGJWKMetmSx +nmTT4A== +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key.keyspec b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key.keyspec new file mode 100644 index 0000000000..21ed73d60b --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.key.keyspec @@ -0,0 +1 @@ +rsa1016 diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem new file mode 100644 index 0000000000..b454679f59 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICazCCAVOgAwIBAgIUeyDBOS9mtFv5N72V2YIHiWmPZdIwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjA1MTMwMQYDVQQDDCpSU0EgMTAxNiBLZXkgU2l6ZSBUZXN0IERl +bGVnYXRlZCBSZXNwb25kZXIwgZ4wDQYJKoZIhvcNAQEBBQADgYwAMIGIAoGAANKb +sS+4T93NKbOlGctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJ +aj7SBxZVNKqZBX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyv +bXvmnZoIMTbhWvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAaMXMBUwEwYDVR0lBAww +CgYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggEBAINTMoS5aPwzfldv/8/emhhg +PWe+KWFgeyO1el82X0EsrazazEKLk1dtARBDYWCL5BnksnLGpWYZgW4/yqf0CUq+ +MQSxid5YA1/wNhleZV4j2zz+ztdjDMzp2bltPBJjczdck5k9BHBcJcYJ/lnysW+b +6w1ezHDbv2UfdCIch+W+W1NotJDR7DpZ6oXt9+q/sM7pmRPBaAsKWogXYbSPvPca +fqSgYlgkk3QCm1I4wjlGX4O9mIGwKPkdqpCKyQFkiK2nS1RX2TBzx+iRJhVFUXRF +OmVG+yNaEYHgD/SJWWmM6aN7sKSn4Ijr5IniPlhJkE2B+wSyikeEMBrRso8eoF0= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem.certspec new file mode 100644 index 0000000000..05f73368a8 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/rsa-1016-keysizeDelegatedSigner.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:RSA 1016 Key Size Test Delegated Responder +subjectKey:rsa1016 +extension:extKeyUsage:OCSPSigning diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem new file mode 100644 index 0000000000..67e7ca56e8 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAgIUP5NBbozOXrtwcuQwu3pzUXbOl7owDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME +BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEABBSMkSBFq/bK +LpntIx6QJdqPtmnjdjwTpCbQyKKfQjjrazCfru5SheZq7ACtQ0uWFokUOQhB+Xvv +sqy9HqJhK4UN0zfNPjtkHOSbNefWXOseEzA6XxuaCzQXWOp1WNNPnfdtYZizy6hT +fKuKjhniKLmIQD61KNl7Ev1hWUhWC7R8U+IFztXusYYFUUmqqaZ/v7lNfY1sHu4k +zHQFp+xqeaXvkoRpTXhoSdwDQ7ldquwqMM0NIQXlhtcmg7IYwZBGlJgzoejN4k2H +2WycvxPW70I10NeAAhtie1+K4JHwr6/SLLwCCnJDoRMMpMhM9/853Ye/4PTDGhuK +fqhEoHH9Ig== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem.certspec new file mode 100644 index 0000000000..5d2435d7bb --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/test-ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Test CA +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem new file mode 100644 index 0000000000..08249b863e --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25iBPOkIMwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMjUw +MTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1 +SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+ +zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL +K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc +bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW +JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMd +MBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEB +AILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC2BQF0kMEEB547p+Ms8zdJY00 +Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77TkfmnSnxvPi+0nlA+eM +8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22+AIU7w6wyA +IbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubjiMr3 +B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpyk +rGFLvocT/kym6r8galxCJUo= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem.certspec new file mode 100644 index 0000000000..33b42c2f41 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/test-int.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Test Intermediate +validity:20150101-20250101 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem new file mode 100644 index 0000000000..1dc63c35df --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDDjCCAfagAwIBAgIURRwvssJseXcmi8J+DidsPsKTfhEwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjA3MTUwMwYDVQQDDCxUZXN0IEludGVybWVkaWF0ZSBXaXRoIE11 +bHRpcGxlIFRMUyBGZWF0dXJlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab +bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts +Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI +H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8 +rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX +Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMzMDEwDAYDVR0TBAUwAwEB/zALBgNV +HQ8EBAMCAQYwFAYIKwYBBQUHARgECDAGAgEFAgEGMA0GCSqGSIb3DQEBCwUAA4IB +AQARO+X9UxpurzrcJYzIVlqj5EB2i8Z3NFXat159KiOjX6AK58VtIAAWl8d+q1FU +s40sJ7wFks7h2f/WW9/Yu51nrrtUPIwy/G/gFU09Y9k4eRKLaE+Mi7pIkmp1txvd +DoZZ1tnxF48zer8jOWCQkuj3P0G0IGs2brHAapWoGlGvIec0jw864f6rj/5YCioi +BAAy8uRJUmrIq5F2vxl5DjbOzTvNVuG59vTGzFYVMYOWG4QppJVL2rh7zv4jf0z1 +PQj1yFceL34Xghpq9ZlKI6QuQepJDYZlQTiHHAvBl+cIqr59qXiIL0BV/0f4I3+E +Y7drz37LNNez8NejKWP0gArr +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem.certspec new file mode 100644 index 0000000000..3f0e925aae --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/test-multi-tls-feature-int.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Test Intermediate With Multiple TLS Features +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:TLSFeature:OCSPMustStaple,6 diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem new file mode 100644 index 0000000000..38f4fffd53 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDATCCAemgAwIBAgIUG5VJbCoDE3nEodUerxQAr2DeaFswDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAtMSswKQYDVQQDDCJUZXN0IEludGVybWVkaWF0ZSBXaXRoIE11 +c3QtU3RhcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO +FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr +amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka +sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY +VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n +aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE +MdUDrNoYCjXtjQIDAQABozAwLjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAR +BggrBgEFBQcBGAQFMAMCAQUwDQYJKoZIhvcNAQELBQADggEBAAxbb8Gv/Uq2Hz87 +midUQPnDCNSoBdHrZQfKDe9thI3K+U6sRleKFXHr/c3ZMNYIDKAx0viokFzBnGzS +sAdW+So5bFaL2TZWoW9dfxpKVk0bzesKYlovD+BCbSkIM+YLBSL47yGox2n1dgca +b293XtdBglEZcMaDhSGLt846OdFG6UdIWvO/VYd8cW+Ozqey/Boq6ZFihQkGKhqv +ifDOsvsCU1W75lhqz5kcdfB+iS7pwo9S5tXkguYlIKEQe71Wi6YXrux8D75o3Nbi +xwdp0yyuaKl58iKb3WntO0IquEhQzwpSURXEP+NNE1TacfKwvTSyD95tfFosfp1F +d6sL4wc= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem.certspec b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem.certspec new file mode 100644 index 0000000000..7c29aa0ad1 --- /dev/null +++ b/security/manager/ssl/tests/unit/ocsp_certs/test-must-staple-int.pem.certspec @@ -0,0 +1,5 @@ +issuer:Test CA +subject:Test Intermediate With Must-Staple +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:TLSFeature:OCSPMustStaple diff --git a/security/manager/ssl/tests/unit/pkcs11testmodule/moz.build b/security/manager/ssl/tests/unit/pkcs11testmodule/moz.build new file mode 100644 index 0000000000..0eef91b076 --- /dev/null +++ b/security/manager/ssl/tests/unit/pkcs11testmodule/moz.build 
@@ -0,0 +1,20 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+FINAL_TARGET = "_tests/xpcshell/security/manager/ssl/tests/unit/pkcs11testmodule"
+
+UNIFIED_SOURCES += [
+ "pkcs11testmodule.cpp",
+]
+
+SharedLibrary("pkcs11testmodule")
+
+# C_GetFunctionList needs to be exported. As it turns out, it's much easier to
+# just export all the symbols.
+NoVisibilityFlags()
+SYMBOLS_FILE = "pkcs11testmodule.symbols"
+
+NO_PGO = True
diff --git a/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.cpp b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.cpp
new file mode 100644
index 0000000000..74c5620eb2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.cpp
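Review bot: The comment above `NoVisibilityFlags()` in pkcs11testmodule/moz.build says the module just exports all symbols, but the next line sets `SYMBOLS_FILE = "pkcs11testmodule.symbols"`, so a reader cannot tell which of the two decides the export set. The symbols file is not part of this hunk, so this is inferred, but if it lists only the entry point the comment is stale. I would reword it along the lines of `# C_GetFunctionList must be exported: visibility flags are dropped and the export list comes from pkcs11testmodule.symbols.` For a loadable PKCS #11 module, stating the exported surface explicitly is worth one line even in a test-only library.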
@@ -0,0 +1,597 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// This is a testing PKCS #11 module that simulates a token being inserted and +// removed from a slot every 50ms. This is achieved mainly in +// Test_C_WaitForSlotEvent. If the application that loaded this module calls +// C_WaitForSlotEvent, this module waits for 50ms and returns, having changed +// its internal state to report that the token has either been inserted or +// removed, as appropriate. +// This module also provides an alternate token that is always present for tests +// that don't want the cyclic behavior described above. + +#include +#include +#include + +#if defined(WIN32) +# include // for Sleep +#else +# include // for usleep +#endif + +#include "pkcs11.h" + +CK_RV Test_C_Initialize(CK_VOID_PTR) { return CKR_OK; } + +CK_RV Test_C_Finalize(CK_VOID_PTR) { return CKR_OK; } + +static const CK_VERSION CryptokiVersion = {2, 2}; +static const CK_VERSION TestLibraryVersion = {0, 0}; +static const char TestLibraryDescription[] = "Test PKCS11 Library"; +static const char TestManufacturerID[] = "Test PKCS11 Manufacturer ID"; + +/* The dest buffer is one in the CK_INFO or CK_TOKEN_INFO structs. + * Those buffers are padded with spaces. DestSize corresponds to the declared + * size for those buffers (e.g. 32 for `char foo[32]`). + * The src buffer is a string literal. SrcSize includes the string + * termination character (e.g. 
4 for `const char foo[] = "foo"` */ +template +void CopyString(unsigned char (&dest)[DestSize], const char (&src)[SrcSize]) { + static_assert(DestSize >= SrcSize - 1, "DestSize >= SrcSize - 1"); + memcpy(dest, src, SrcSize - 1); + memset(dest + SrcSize - 1, ' ', DestSize - SrcSize + 1); +} + +CK_RV Test_C_GetInfo(CK_INFO_PTR pInfo) { + if (!pInfo) { + return CKR_ARGUMENTS_BAD; + } + + pInfo->cryptokiVersion = CryptokiVersion; + CopyString(pInfo->manufacturerID, TestManufacturerID); + pInfo->flags = 0; // must be 0 + CopyString(pInfo->libraryDescription, TestLibraryDescription); + pInfo->libraryVersion = TestLibraryVersion; + return CKR_OK; +} + +CK_RV Test_C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR) { return CKR_OK; } + +static int tokenPresent = 0; + +CK_RV Test_C_GetSlotList(CK_BBOOL limitToTokensPresent, + CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) { + if (!pulCount) { + return CKR_ARGUMENTS_BAD; + } + + // We always return slot 2 + CK_ULONG slotCount = 1; + if (!limitToTokensPresent) { + // If we want empty slots, we also return slots 1 and 3 + slotCount += 2; + } else if (tokenPresent) { + // If we don't want empty slots, but token 1 is present, return that (but + // not slot 3) + slotCount++; + } + + if (pSlotList) { + if (*pulCount < slotCount) { + return CKR_BUFFER_TOO_SMALL; + } + // apparently CK_SLOT_IDs are integers [1,N] because + // who likes counting from 0 all the time? 
+ switch (slotCount) { + case 1: + pSlotList[0] = 2; + break; + case 2: + if (tokenPresent) { + pSlotList[0] = 1; + pSlotList[1] = 2; + } else { + pSlotList[0] = 2; + pSlotList[1] = 3; + } + break; + case 3: + pSlotList[0] = 1; + pSlotList[1] = 2; + pSlotList[2] = 3; + break; + default: + assert("Unexpected slot count in Test_C_GetSlotList" == NULL); + return CKR_GENERAL_ERROR; + } + } + + *pulCount = slotCount; + return CKR_OK; +} + +static const char TestSlotDescription[] = "Test PKCS11 Slot"; +static const char TestSlot2Description[] = "Test PKCS11 Slot 二"; +static const char TestSlot3Description[] = "Empty PKCS11 Slot"; + +CK_RV Test_C_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { + if (!pInfo) { + return CKR_ARGUMENTS_BAD; + } + + switch (slotID) { + case 1: + CopyString(pInfo->slotDescription, TestSlotDescription); + pInfo->flags = + (tokenPresent ? CKF_TOKEN_PRESENT : 0) | CKF_REMOVABLE_DEVICE; + break; + case 2: + CopyString(pInfo->slotDescription, TestSlot2Description); + pInfo->flags = CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE; + break; + case 3: + CopyString(pInfo->slotDescription, TestSlot3Description); + pInfo->flags = CKF_REMOVABLE_DEVICE; + break; + default: + return CKR_ARGUMENTS_BAD; + } + + CopyString(pInfo->manufacturerID, TestManufacturerID); + pInfo->hardwareVersion = TestLibraryVersion; + pInfo->firmwareVersion = TestLibraryVersion; + return CKR_OK; +} + +// Deliberately include énye to ensure we're handling encoding correctly. +// The PKCS #11 base specification v2.20 specifies that strings be encoded +// as UTF-8. 
+static const char TestTokenLabel[] = "Test PKCS11 Tokeñ Label"; +static const char TestToken2Label[] = "Test PKCS11 Tokeñ 2 Label"; +static const char TestTokenModel[] = "Test Model"; + +std::atomic sLoggedIn = false; + +CK_RV Test_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) { + if (!pInfo) { + return CKR_ARGUMENTS_BAD; + } + + switch (slotID) { + case 1: + CopyString(pInfo->label, TestTokenLabel); + break; + case 2: + CopyString(pInfo->label, TestToken2Label); + break; + default: + return CKR_ARGUMENTS_BAD; + } + + CopyString(pInfo->manufacturerID, TestManufacturerID); + CopyString(pInfo->model, TestTokenModel); + memset(pInfo->serialNumber, 0, sizeof(pInfo->serialNumber)); + pInfo->flags = CKF_TOKEN_INITIALIZED; + if (slotID == 2) { + pInfo->flags |= CKF_PROTECTED_AUTHENTICATION_PATH | + CKF_USER_PIN_INITIALIZED | CKF_LOGIN_REQUIRED; + } + pInfo->ulMaxSessionCount = 1; + pInfo->ulSessionCount = 0; + pInfo->ulMaxRwSessionCount = 1; + pInfo->ulRwSessionCount = 0; + pInfo->ulMaxPinLen = 4; + pInfo->ulMinPinLen = 4; + pInfo->ulTotalPublicMemory = 1024; + pInfo->ulFreePublicMemory = 1024; + pInfo->ulTotalPrivateMemory = 1024; + pInfo->ulFreePrivateMemory = 1024; + pInfo->hardwareVersion = TestLibraryVersion; + pInfo->firmwareVersion = TestLibraryVersion; + memset(pInfo->utcTime, 0, sizeof(pInfo->utcTime)); + + return CKR_OK; +} + +CK_RV Test_C_GetMechanismList(CK_SLOT_ID, CK_MECHANISM_TYPE_PTR, + CK_ULONG_PTR pulCount) { + if (!pulCount) { + return CKR_ARGUMENTS_BAD; + } + + *pulCount = 0; + return CKR_OK; +} + +CK_RV Test_C_GetMechanismInfo(CK_SLOT_ID, CK_MECHANISM_TYPE, + CK_MECHANISM_INFO_PTR) { + return CKR_OK; +} + +CK_RV Test_C_InitToken(CK_SLOT_ID, CK_UTF8CHAR_PTR, CK_ULONG, CK_UTF8CHAR_PTR) { + return CKR_OK; +} + +CK_RV Test_C_InitPIN(CK_SESSION_HANDLE, CK_UTF8CHAR_PTR, CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SetPIN(CK_SESSION_HANDLE, CK_UTF8CHAR_PTR, CK_ULONG, + CK_UTF8CHAR_PTR, CK_ULONG) { + return 
CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS, CK_VOID_PTR, CK_NOTIFY, + CK_SESSION_HANDLE_PTR phSession) { + switch (slotID) { + case 1: + *phSession = 1; + break; + case 2: + *phSession = 2; + break; + default: + return CKR_ARGUMENTS_BAD; + } + + return CKR_OK; +} + +CK_RV Test_C_CloseSession(CK_SESSION_HANDLE) { return CKR_OK; } + +CK_RV Test_C_CloseAllSessions(CK_SLOT_ID) { return CKR_OK; } + +CK_RV Test_C_GetSessionInfo(CK_SESSION_HANDLE hSession, + CK_SESSION_INFO_PTR pInfo) { + if (!pInfo) { + return CKR_ARGUMENTS_BAD; + } + + switch (hSession) { + case 1: + pInfo->slotID = 1; + pInfo->state = CKS_RO_PUBLIC_SESSION; + break; + case 2: + pInfo->slotID = 2; + pInfo->state = sLoggedIn ? CKS_RO_USER_FUNCTIONS : CKS_RO_PUBLIC_SESSION; + break; + default: + return CKR_ARGUMENTS_BAD; + } + + pInfo->flags = CKF_SERIAL_SESSION; + + return CKR_OK; +} + +CK_RV Test_C_GetOperationState(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SetOperationState(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_OBJECT_HANDLE, CK_OBJECT_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_Login(CK_SESSION_HANDLE, CK_USER_TYPE, CK_UTF8CHAR_PTR, CK_ULONG) { + // Sleep for 3 seconds to simulate the user using a protected auth path. 
+#ifdef WIN32 + Sleep(3000); // Sleep takes the duration argument as milliseconds +#else + usleep(3000000); // usleep takes the duration argument as microseconds +#endif + sLoggedIn = true; + return CKR_OK; +} + +CK_RV Test_C_Logout(CK_SESSION_HANDLE) { + sLoggedIn = false; + return CKR_OK; +} + +CK_RV Test_C_CreateObject(CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG, + CK_OBJECT_HANDLE_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_CopyObject(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ATTRIBUTE_PTR, + CK_ULONG, CK_OBJECT_HANDLE_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DestroyObject(CK_SESSION_HANDLE, CK_OBJECT_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_GetObjectSize(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_GetAttributeValue(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, + CK_ATTRIBUTE_PTR, CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SetAttributeValue(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, + CK_ATTRIBUTE_PTR, CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_FindObjectsInit(CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG) { + return CKR_OK; +} + +CK_RV Test_C_FindObjects(CK_SESSION_HANDLE, CK_OBJECT_HANDLE_PTR, CK_ULONG, + CK_ULONG_PTR pulObjectCount) { + *pulObjectCount = 0; + return CKR_OK; +} + +CK_RV Test_C_FindObjectsFinal(CK_SESSION_HANDLE) { return CKR_OK; } + +CK_RV Test_C_EncryptInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, + CK_OBJECT_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_Encrypt(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_EncryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_EncryptFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV 
Test_C_DecryptInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, + CK_OBJECT_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_Decrypt(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DecryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DecryptFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DigestInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_Digest(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DigestUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DigestKey(CK_SESSION_HANDLE, CK_OBJECT_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DigestFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SignInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_Sign(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SignUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SignFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SignRecoverInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, + CK_OBJECT_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SignRecover(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_VerifyInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV 
Test_C_Verify(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_VerifyUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_VerifyFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_VerifyRecoverInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, + CK_OBJECT_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_VerifyRecover(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DigestEncryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DecryptDigestUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SignEncryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_DecryptVerifyUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_GenerateKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_ATTRIBUTE_PTR, + CK_ULONG, CK_OBJECT_HANDLE_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_GenerateKeyPair(CK_SESSION_HANDLE, CK_MECHANISM_PTR, + CK_ATTRIBUTE_PTR, CK_ULONG, CK_ATTRIBUTE_PTR, + CK_ULONG, CK_OBJECT_HANDLE_PTR, + CK_OBJECT_HANDLE_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_WrapKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, + CK_OBJECT_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_UnwrapKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, + CK_BYTE_PTR, CK_ULONG, CK_ATTRIBUTE_PTR, CK_ULONG, + CK_OBJECT_HANDLE_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV 
Test_C_DeriveKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, + CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_SeedRandom(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_GenerateRandom(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_GetFunctionStatus(CK_SESSION_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_CancelFunction(CK_SESSION_HANDLE) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV Test_C_WaitForSlotEvent(CK_FLAGS, CK_SLOT_ID_PTR pSlot, CK_VOID_PTR) { +#ifdef WIN32 + Sleep(50); // Sleep takes the duration argument as milliseconds +#else + usleep(50000); // usleep takes the duration argument as microseconds +#endif + *pSlot = 1; + tokenPresent = !tokenPresent; + return CKR_OK; +} + +static CK_FUNCTION_LIST FunctionList = {{2, 2}, + Test_C_Initialize, + Test_C_Finalize, + Test_C_GetInfo, + Test_C_GetFunctionList, + Test_C_GetSlotList, + Test_C_GetSlotInfo, + Test_C_GetTokenInfo, + Test_C_GetMechanismList, + Test_C_GetMechanismInfo, + Test_C_InitToken, + Test_C_InitPIN, + Test_C_SetPIN, + Test_C_OpenSession, + Test_C_CloseSession, + Test_C_CloseAllSessions, + Test_C_GetSessionInfo, + Test_C_GetOperationState, + Test_C_SetOperationState, + Test_C_Login, + Test_C_Logout, + Test_C_CreateObject, + Test_C_CopyObject, + Test_C_DestroyObject, + Test_C_GetObjectSize, + Test_C_GetAttributeValue, + Test_C_SetAttributeValue, + Test_C_FindObjectsInit, + Test_C_FindObjects, + Test_C_FindObjectsFinal, + Test_C_EncryptInit, + Test_C_Encrypt, + Test_C_EncryptUpdate, + Test_C_EncryptFinal, + Test_C_DecryptInit, + Test_C_Decrypt, + Test_C_DecryptUpdate, + Test_C_DecryptFinal, + Test_C_DigestInit, + Test_C_Digest, + Test_C_DigestUpdate, + Test_C_DigestKey, + Test_C_DigestFinal, + Test_C_SignInit, + Test_C_Sign, + Test_C_SignUpdate, + Test_C_SignFinal, + Test_C_SignRecoverInit, + 
Test_C_SignRecover, + Test_C_VerifyInit, + Test_C_Verify, + Test_C_VerifyUpdate, + Test_C_VerifyFinal, + Test_C_VerifyRecoverInit, + Test_C_VerifyRecover, + Test_C_DigestEncryptUpdate, + Test_C_DecryptDigestUpdate, + Test_C_SignEncryptUpdate, + Test_C_DecryptVerifyUpdate, + Test_C_GenerateKey, + Test_C_GenerateKeyPair, + Test_C_WrapKey, + Test_C_UnwrapKey, + Test_C_DeriveKey, + Test_C_SeedRandom, + Test_C_GenerateRandom, + Test_C_GetFunctionStatus, + Test_C_CancelFunction, + Test_C_WaitForSlotEvent}; + +CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) { + *ppFunctionList = &FunctionList; + return CKR_OK; +} diff --git a/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.symbols b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.symbols new file mode 100644 index 0000000000..562ecea21d --- /dev/null +++ b/security/manager/ssl/tests/unit/pkcs11testmodule/pkcs11testmodule.symbols @@ -0,0 +1 @@ +C_GetFunctionList diff --git a/security/manager/ssl/tests/unit/requirements.txt b/security/manager/ssl/tests/unit/requirements.txt new file mode 100644 index 0000000000..095fcb04fc --- /dev/null +++ b/security/manager/ssl/tests/unit/requirements.txt @@ -0,0 +1,6 @@ +lxml +pyasn1 == 0.3.7 +pyasn1_modules == 0.1.5 +ecc +mock +rsa diff --git a/security/manager/ssl/tests/unit/sign_app.py b/security/manager/ssl/tests/unit/sign_app.py new file mode 100755 index 0000000000..a2767c54eb --- /dev/null +++ b/security/manager/ssl/tests/unit/sign_app.py 
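Review bot: `tokenPresent` is a plain `static int` that Test_C_WaitForSlotEvent flips while Test_C_GetSlotList and Test_C_GetSlotInfo read it, and Test_C_GetSlotList reads it twice (once to compute `slotCount`, again in `case 2`), so a toggle between the two reads can report slots 2 and 3 to a caller that asked only for slots with a token present. If the loading application waits for slot events on its own thread, which the header comment suggests but this file does not show, that is also an unsynchronised access, unlike `sLoggedIn`, which is already atomic. I would declare it `static std::atomic<bool> tokenPresent{false};` and take one snapshot at the top of Test_C_GetSlotList, `const bool present = tokenPresent;`, using `present` for both the count and the switch. Separately, the `CKR_BUFFER_TOO_SMALL` path returns before `*pulCount = slotCount;`, whereas PKCS #11 expects the required count to be written in that case too.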
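Review bot: Only `pyasn1` and `pyasn1_modules` are pinned in requirements.txt; `lxml`, `ecc`, `mock` and `rsa` resolve to whatever the index serves at install time, and none of the entries carries a hash. For tooling that generates signing test inputs I would pin every entry to an exact version and install with pip's `--require-hashes`, so a substituted or newly published package cannot enter the test environment unnoticed. The sign_app.py added in the same directory imports `cbor2` and `six`, which are not listed; if this file is meant to cover that script (not visible from here), they should be added as well.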
@@ -0,0 +1,426 @@ +#!/usr/bin/env python3 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +""" +Given a directory of files, packages them up and signs the +resulting zip file. Mainly for creating test inputs to the +nsIX509CertDB.openSignedAppFileAsync API. +""" +from base64 import b64encode +from cbor2 import dumps +from cbor2.types import CBORTag +from hashlib import sha1, sha256 +import argparse +from io import StringIO +import os +import re +import six +import sys +import zipfile + +# These libraries moved to security/manager/tools/ in bug 1699294. +sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "tools")) +import pycert +import pycms +import pykey + +ES256 = -7 +ES384 = -35 +ES512 = -36 +KID = 4 +ALG = 1 +COSE_Sign = 98 + + +def coseAlgorithmToPykeyHash(algorithm): + """Helper function that takes one of (ES256, ES384, ES512) + and returns the corresponding pykey.HASH_* identifier.""" + if algorithm == ES256: + return pykey.HASH_SHA256 + if algorithm == ES384: + return pykey.HASH_SHA384 + if algorithm == ES512: + return pykey.HASH_SHA512 + raise UnknownCOSEAlgorithmError(algorithm) + + +# COSE_Signature = [ +# protected : serialized_map, +# unprotected : {}, +# signature : bstr +# ] + + +def coseSignature(payload, algorithm, signingKey, signingCertificate, bodyProtected): + """Returns a COSE_Signature structure. 
+ payload is a string representing the data to be signed + algorithm is one of (ES256, ES384, ES512) + signingKey is a pykey.ECKey to sign the data with + signingCertificate is a byte string + bodyProtected is the serialized byte string of the protected body header + """ + protected = {ALG: algorithm, KID: signingCertificate} + protectedEncoded = dumps(protected) + # Sig_structure = [ + # context : "Signature" + # body_protected : bodyProtected + # sign_protected : protectedEncoded + # external_aad : nil + # payload : bstr + # ] + sigStructure = [u"Signature", bodyProtected, protectedEncoded, None, payload] + sigStructureEncoded = dumps(sigStructure) + pykeyHash = coseAlgorithmToPykeyHash(algorithm) + signature = signingKey.signRaw(sigStructureEncoded, pykeyHash) + return [protectedEncoded, {}, signature] + + +# COSE_Sign = [ +# protected : serialized_map, +# unprotected : {}, +# payload : nil, +# signatures : [+ COSE_Signature] +# ] + + +def coseSig(payload, intermediates, signatures): + """Returns the entire (tagged) COSE_Sign structure. + payload is a string representing the data to be signed + intermediates is an array of byte strings + signatures is an array of (algorithm, signingKey, + signingCertificate) triplets to be passed to + coseSignature + """ + protected = {KID: intermediates} + protectedEncoded = dumps(protected) + coseSignatures = [] + for (algorithm, signingKey, signingCertificate) in signatures: + coseSignatures.append( + coseSignature( + payload, algorithm, signingKey, signingCertificate, protectedEncoded + ) + ) + tagged = CBORTag(COSE_Sign, [protectedEncoded, {}, None, coseSignatures]) + return dumps(tagged) + + +def walkDirectory(directory): + """Given a relative path to a directory, enumerates the + files in the tree rooted at that location. Returns a list + of pairs of paths to those files. The first in each pair + is the full path to the file. 
The second in each pair is + the path to the file relative to the directory itself.""" + paths = [] + for path, _dirs, files in os.walk(directory): + for f in files: + fullPath = os.path.join(path, f) + internalPath = re.sub(r"^/", "", fullPath.replace(directory, "")) + paths.append((fullPath, internalPath)) + return paths + + +def addManifestEntry(filename, hashes, contents, entries): + """Helper function to fill out a manifest entry. + Takes the filename, a list of (hash function, hash function name) + pairs to use, the contents of the file, and the current list + of manifest entries.""" + entry = "Name: %s\n" % filename + for (hashFunc, name) in hashes: + base64hash = b64encode(hashFunc(contents).digest()).decode("ascii") + entry += "%s-Digest: %s\n" % (name, base64hash) + entries.append(entry) + + +def getCert(subject, keyName, issuerName, ee, issuerKey="", validity=""): + """Helper function to create an X509 cert from a specification. + Takes the subject, the subject key name to use, the issuer name, + a bool whether this is an EE cert or not, and optionally an issuer key + name.""" + certSpecification = ( + "issuer:%s\n" % issuerName + + "subject:" + + subject + + "\n" + + "subjectKey:%s\n" % keyName + ) + if ee: + certSpecification += "extension:keyUsage:digitalSignature" + else: + certSpecification += ( + "extension:basicConstraints:cA,\n" + + "extension:keyUsage:cRLSign,keyCertSign" + ) + if issuerKey: + certSpecification += "\nissuerKey:%s" % issuerKey + if validity: + certSpecification += "\nvalidity:%s" % validity + certSpecificationStream = StringIO() + print(certSpecification, file=certSpecificationStream) + certSpecificationStream.seek(0) + return pycert.Certificate(certSpecificationStream) + + +def coseAlgorithmToSignatureParams(coseAlgorithm, issuerName, certValidity): + """Given a COSE algorithm ('ES256', 'ES384', 'ES512') and an issuer + name, returns a (algorithm id, pykey.ECCKey, encoded certificate) + triplet for use with coseSig. 
+ """ + if coseAlgorithm == "ES256": + keyName = "secp256r1" + algId = ES256 + elif coseAlgorithm == "ES384": + keyName = "secp384r1" + algId = ES384 + elif coseAlgorithm == "ES512": + keyName = "secp521r1" # COSE uses the hash algorithm; this is the curve + algId = ES512 + else: + raise UnknownCOSEAlgorithmError(coseAlgorithm) + key = pykey.ECCKey(keyName) + # The subject must differ to avoid errors when importing into NSS later. + ee = getCert( + "xpcshell signed app test signer " + keyName, + keyName, + issuerName, + True, + "default", + certValidity, + ) + return (algId, key, ee.toDER()) + + +def signZip( + appDirectory, + outputFile, + issuerName, + rootName, + certValidity, + manifestHashes, + signatureHashes, + pkcs7Hashes, + coseAlgorithms, + emptySignerInfos, + headerPaddingFactor, +): + """Given a directory containing the files to package up, + an output filename to write to, the name of the issuer of + the signing certificate, the name of trust anchor, a list of hash algorithms + to use in the manifest file, a similar list for the signature file, + a similar list for the pkcs#7 signature, a list of COSE signature algorithms + to include, whether the pkcs#7 signer info should be kept empty, and how + many MB to pad the manifests by (to test handling large manifest files), + packages up the files in the directory and creates the output as + appropriate.""" + # The header of each manifest starts with the magic string + # 'Manifest-Version: 1.0' and ends with a blank line. There can be + # essentially anything after the first line before the blank line. + mfEntries = ["Manifest-Version: 1.0"] + if headerPaddingFactor > 0: + # In this format, each line can only be 72 bytes long. We make + # our padding 50 bytes per line (49 of content and one newline) + # so the math is easy. + singleLinePadding = "a" * 49 + # 1000000 / 50 = 20000 + allPadding = [singleLinePadding] * (headerPaddingFactor * 20000) + mfEntries.extend(allPadding) + # Append the blank line. 
+ mfEntries.append("") + + with zipfile.ZipFile(outputFile, "w", zipfile.ZIP_DEFLATED) as outZip: + for (fullPath, internalPath) in walkDirectory(appDirectory): + with open(fullPath, "rb") as inputFile: + contents = inputFile.read() + outZip.writestr(internalPath, contents) + + # Add the entry to the manifest we're building + addManifestEntry(internalPath, manifestHashes, contents, mfEntries) + + if len(coseAlgorithms) > 0: + coseManifest = "\n".join(mfEntries) + outZip.writestr("META-INF/cose.manifest", coseManifest) + coseManifest = six.ensure_binary(coseManifest) + addManifestEntry( + "META-INF/cose.manifest", manifestHashes, coseManifest, mfEntries + ) + intermediates = [] + coseIssuerName = issuerName + if rootName: + coseIssuerName = "xpcshell signed app test issuer" + intermediate = getCert( + coseIssuerName, + "default", + rootName, + False, + "", + certValidity, + ) + intermediate = intermediate.toDER() + intermediates.append(intermediate) + signatures = [ + coseAlgorithmToSignatureParams( + coseAlgorithm, + coseIssuerName, + certValidity, + ) + for coseAlgorithm in coseAlgorithms + ] + coseSignatureBytes = coseSig(coseManifest, intermediates, signatures) + outZip.writestr("META-INF/cose.sig", coseSignatureBytes) + addManifestEntry( + "META-INF/cose.sig", manifestHashes, coseSignatureBytes, mfEntries + ) + + if len(pkcs7Hashes) != 0 or emptySignerInfos: + mfContents = "\n".join(mfEntries) + sfContents = "Signature-Version: 1.0\n" + for (hashFunc, name) in signatureHashes: + hashed = hashFunc(six.ensure_binary(mfContents)).digest() + base64hash = b64encode(hashed).decode("ascii") + sfContents += "%s-Digest-Manifest: %s\n" % (name, base64hash) + + cmsSpecification = "" + for name in pkcs7Hashes: + hashFunc, _ = hashNameToFunctionAndIdentifier(name) + cmsSpecification += "%s:%s\n" % ( + name, + hashFunc(six.ensure_binary(sfContents)).hexdigest(), + ) + cmsSpecification += ( + "signer:\n" + + "issuer:%s\n" % issuerName + + "subject:xpcshell signed app test 
signer\n" + + "extension:keyUsage:digitalSignature" + ) + if certValidity: + cmsSpecification += "\nvalidity:%s" % certValidity + cmsSpecificationStream = StringIO() + print(cmsSpecification, file=cmsSpecificationStream) + cmsSpecificationStream.seek(0) + cms = pycms.CMS(cmsSpecificationStream) + p7 = cms.toDER() + outZip.writestr("META-INF/A.RSA", p7) + outZip.writestr("META-INF/A.SF", sfContents) + outZip.writestr("META-INF/MANIFEST.MF", mfContents) + + +class Error(Exception): + """Base class for exceptions in this module.""" + + pass + + +class UnknownHashAlgorithmError(Error): + """Helper exception type to handle unknown hash algorithms.""" + + def __init__(self, name): + super(UnknownHashAlgorithmError, self).__init__() + self.name = name + + def __str__(self): + return "Unknown hash algorithm %s" % repr(self.name) + + +class UnknownCOSEAlgorithmError(Error): + """Helper exception type to handle unknown COSE algorithms.""" + + def __init__(self, name): + super(UnknownCOSEAlgorithmError, self).__init__() + self.name = name + + def __str__(self): + return "Unknown COSE algorithm %s" % repr(self.name) + + +def hashNameToFunctionAndIdentifier(name): + if name == "sha1": + return (sha1, "SHA1") + if name == "sha256": + return (sha256, "SHA256") + raise UnknownHashAlgorithmError(name) + + +def main(outputFile, appPath, *args): + """Main entrypoint. 
Given an already-opened file-like + object, a path to the app directory to sign, and some + optional arguments, signs the contents of the directory and + writes the resulting package to the 'file'.""" + parser = argparse.ArgumentParser(description="Sign an app.") + parser.add_argument( + "-i", + "--issuer", + action="store", + help="Issuer name", + default="xpcshell signed apps test root", + ) + parser.add_argument("-r", "--root", action="store", help="Root name", default="") + parser.add_argument( + "--cert-validity", + action="store", + help="Certificate validity; YYYYMMDD-YYYYMMDD or duration in days", + default="", + ) + parser.add_argument( + "-m", + "--manifest-hash", + action="append", + help="Hash algorithms to use in manifest", + default=[], + ) + parser.add_argument( + "-s", + "--signature-hash", + action="append", + help="Hash algorithms to use in signature file", + default=[], + ) + parser.add_argument( + "-c", + "--cose-sign", + action="append", + help="Append a COSE signature with the given " + + "algorithms (out of ES256, ES384, and ES512)", + default=[], + ) + parser.add_argument( + "-z", + "--pad-headers", + action="store", + default=0, + help="Pad the header sections of the manifests " + + "with X MB of repetitive data", + ) + group = parser.add_mutually_exclusive_group() + group.add_argument( + "-p", + "--pkcs7-hash", + action="append", + help="Hash algorithms to use in PKCS#7 signature", + default=[], + ) + group.add_argument( + "-e", + "--empty-signerInfos", + action="store_true", + help="Emit pkcs#7 SignedData with empty signerInfos", + ) + parsed = parser.parse_args(args) + if len(parsed.manifest_hash) == 0: + parsed.manifest_hash.append("sha256") + if len(parsed.signature_hash) == 0: + parsed.signature_hash.append("sha256") + signZip( + appPath, + outputFile, + parsed.issuer, + parsed.root, + parsed.cert_validity, + [hashNameToFunctionAndIdentifier(h) for h in parsed.manifest_hash], + [hashNameToFunctionAndIdentifier(h) for h in 
parsed.signature_hash], + parsed.pkcs7_hash, + parsed.cose_sign, + parsed.empty_signerInfos, + int(parsed.pad_headers), + ) diff --git a/security/manager/ssl/tests/unit/test_add_preexisting_cert.js b/security/manager/ssl/tests/unit/test_add_preexisting_cert.js new file mode 100644 index 0000000000..1f1a7825f2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_add_preexisting_cert.js 
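Review bot: In `walkDirectory`, `fullPath.replace(directory, "")` removes every occurrence of the directory string, not just the leading prefix, so a tree whose sub-paths or file names repeat that string gets wrong archive entry names, and the same wrong names go into the manifest through `addManifestEntry`. The `re.sub(r"^/", "", ...)` that follows also strips only a single forward slash, so a remainder starting with another separator stays as is. Deriving the name from the path structure is safer: `internalPath = os.path.relpath(fullPath, directory).replace(os.sep, "/")`. `hashNameToFunctionAndIdentifier` is the one function in the file without a docstring; a line such as `"""Map 'sha1' or 'sha256' to a (hashlib constructor, manifest digest name) pair."""` would match the others.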
@@ -0,0 +1,46 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// Tests that adding a certificate already present in the certificate database +// with different trust bits than those stored in the database does not result +// in the new trust bits being ignored. + +do_get_profile(); +var certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function load_cert(cert, trust) { + let file = "test_intermediate_basic_usage_constraints/" + cert + ".pem"; + return addCertFromFile(certDB, file, trust); +} + +add_task(async function() { + load_cert("ca", "CTu,CTu,CTu"); + let int_cert = load_cert("int-limited-depth", "CTu,CTu,CTu"); + let file = + "test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem"; + let cert_pem = readFile(do_get_file(file)); + let ee = certDB.constructX509FromBase64(pemToBase64(cert_pem)); + await checkCertErrorGeneric( + certDB, + ee, + PRErrorCodeSuccess, + certificateUsageSSLServer + ); + // Change the already existing intermediate certificate's trust using + // addCertFromBase64(). + notEqual(int_cert, null, "Intermediate cert should be in the cert DB"); + let base64_cert = int_cert.getBase64DERString(); + let returnedEE = certDB.addCertFromBase64(base64_cert, "p,p,p"); + notEqual(returnedEE, null, "addCertFromBase64 should return a certificate"); + await checkCertErrorGeneric( + certDB, + ee, + SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageSSLServer + ); +}); diff --git a/security/manager/ssl/tests/unit/test_allow_all_cert_errors.js b/security/manager/ssl/tests/unit/test_allow_all_cert_errors.js new file mode 100644 index 0000000000..e9f1b6c9db --- /dev/null +++ b/security/manager/ssl/tests/unit/test_allow_all_cert_errors.js 
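Review bot: `returnedEE` holds the result of re-adding the intermediate (`base64_cert` comes from `int_cert`), not an end-entity certificate, so the name misleads a reader following the trust change. I would rename it, `let returnedInt = certDB.addCertFromBase64(base64_cert, "p,p,p");`, and update the `notEqual` on the next line to match. The return value of `load_cert("ca", ...)` is also discarded without a check, while `int_cert` is verified only after the first `checkCertErrorGeneric`; moving `notEqual(int_cert, null, ...)` directly after the load would make a failed import show up at its cause.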
@@ -0,0 +1,25 @@ +/* -*- tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ */ +"use strict"; + +function run_test() { + do_get_profile(); + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData( + true + ); + + add_tls_server_setup("BadCertAndPinningServer", "bad_certs"); + add_connection_test("expired.example.com", PRErrorCodeSuccess); + add_test(function() { + certOverrideService.setDisableAllSecurityChecksAndLetAttackersInterceptMyData( + false + ); + run_next_test(); + }); + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem new file mode 100644 index 0000000000..161ce88377 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem 
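Review bot: test_allow_all_cert_errors.js never checks that certificate verification is enforced again after `setDisableAllSecurityChecksAndLetAttackersInterceptMyData(false)`, because the only connection test runs while the override is on. A regression that left the override stuck on would still pass. Consider queuing a second connection after the reset step, for example `add_connection_test("expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE);`, though the TLS session cache may need clearing first so that the handshake re-verifies. Doing the reset in `registerCleanupFunction` as well would guarantee the flag is cleared even if an earlier step aborts.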
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIUXwklABFZn09Yj1azSdQ4kpuizxYwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDUwMDEwMTAw +MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD +VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCdpP06UqpAnAAak/i4+LShrIG/ +DdjHLQ8qLChBdPkT6Gxx1XVoNfG3GJsIGCoOf6isORMfBlBXiR5kmLFTE3kJhA/I +pDxDGYDqt9DNb0fxeMpOJxwQ+mBMZIKLPu+nk4jTqUrOX8bLwDMiXTbFeY91SUr8 +4b43YzXVorVQSlYOfcsmrnEfmfJNauHBrzak5BQhsEXHqAI7qV9TCQA1+cGwH8jb +Aw2SyVu1usAyHkM2wCisHXeidf3qR6PxmfLMAgHKXBLz3DsXY30xDI4jJS9MySu9 +lhrs1IJf5PdJk5z5viYqZQemuv0R+R7ItbpCHpreUXh2GutiAY4Xsgrhfcer +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem.certspec new file mode 100644 index 0000000000..9c21e7adcf --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:ca +validity:20100101-20500101 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem new file mode 100644 index 0000000000..a13b0cbcd1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIUS00fexo4Y4FagP1oiKQiGCJKd/swDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw +MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL +BQADggEBAGjMx1NAs2guKp3wRRAWdiAw9NCeX+qCsxxkr4jUdgQ14wZwU2fZ/2rK +7Z/StpwlWN+G4dWwCRCjibKvjauQs+XLT9wMO3U/1VBcQda36duX70ss2SAF9crs +dmZdISevFItTn+W6JNyr1Wt2sSiD4buXpW1UzNwuxnWGpo/a++bMEYaM8KDdz73t +KA9VShYNbcrUZgf70bvCbc8BR3vYUwyIp3fP7TngD/dRLYJyv5ayo9VXVJxOzYU7 +/aRrBvAdAL2w8eQzzYm6uyHlOE+imWYix2QOGNFJIiRXFRTii9Rr0o4geW7x2wZJ ++TzO4XPVlax1h6KDPRLsmwhbJDAMuUU= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem.certspec new file mode 100644 index 0000000000..7a34d0758f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-old.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:example.com +validity:20160724-20160924 diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem new file mode 100644 index 0000000000..f2bb8c97d9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIUZ3gdKZRvWFYArMRStT2zAGE6JDQwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw +MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL +BQADggEBABERZmWOEZAI2dQHbpXo7BJFw8eigDs8xWGtnu5UbNFs7zGnXzta0L8T +RBoaWeEbsaVpuGQ648eorgQRGwNdL3JkJb0qHtaSl5/raAOvv+YqmGzZhFWcj3ib +WUOWODdFlY3oUzpPjA+IeRzULya6//s8DhEKfVi2mJXc/sS6fE9J234IhKBysyr1 +cRIApw6OCr0V78TbHzEPh1z0QuMKY8hH0lz3JvQqGD59oTEdSJ5VVbmDLxqqmVtA +/i4j2lYkDos2HvHGP7a/LC20FI0lOcSqazSeKc+y2Mand9tDXCU/dEEYMj1IW5rM +z2+96XzCbJBesYFEEfWXG6XysP3UtE0= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem.certspec new file mode 100644 index 0000000000..aa682a7afd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-older.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:example.com +validity:20150724-20160924 diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem new file mode 100644 index 0000000000..7ac56a0689 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIUWxGwhSb8roUQoLNpJajl0X8jk10wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA4MjQwMDAwMDBaGA8yMDE2MDkyNDAw +MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL +BQADggEBAKxEoWUrHht8zENUlC/3tj/KbDSeaIy5nVE49aJRqHwuSczG5PTDn7sD +rjl6Qq2rx3Z3ftZxJNIdpS3BUeUJ+FsQ2fK3ckDyeWkzxADlWp2l2bgKDtnW5Xjw +lfzFt1Z/4PUmz0JyNGqijvpT/YYM9uM5OOKmKvy6C/6HiIMI2f5pVHM2bFWLuHLI +p9yqp056EKPWCEQbkqseXLS0O8ZyxAyW4kHezUQzn1KFq9IGZu5sBZ8Imop0xnal +2wXCuEisuAIOQNb1l9t+hf/P53+oRLjPbJzuzLZGSNA5PzoTbmZOqOdJS+kCNGCX +IahLlU3dPILDlvl8DLFhk+lz9mA8x90= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem.certspec new file mode 100644 index 0000000000..e38478165c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/no-san-recent.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:example.com +validity:20160824-20160924 diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem new file mode 100644 index 0000000000..ba11dcc152 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5TCCAc2gAwIBAgIUOWkKeR6blD0zzhElEnCm4eSqLTAwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw +MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMDAuMCwGA1UdEQQl +MCOkITAfMR0wGwYDVQQKDBRFeGFtcGxlIE9yZ2FuaXphdGlvbjANBgkqhkiG9w0B +AQsFAAOCAQEACPZ4Ed3iONrIIKtg3865taT5TUj4Ts3tnYn4riFqojr6h/CHEDPR +LStAJ4yYGQoTTzQzaxYjEZXHIEI/bCZ1VpGNpZt8DXWsJWwJgt8QUNeYT0eFFE2M +CjrLJC1OIQRvlR89WEbk/q45KBQC0faeizqkAn+YUSG8mjHHbmSO8PWbh4z0YYlg +BjwhTRFWUmWfQKC+mHyWblbYyFKlsFWf6cGOd4qE8N/hIz7oPzI4IPN1EQ/IfaQy +WOOyxPZeu+J5VPlPE10nV5afoRcPLh/6vTwH85tPGzxWU4Jo4NDtFOtZAZR/S7sO +OB/ST8Dbvs7qQFfRtgCtpEMicG7kxO1F+Q== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem.certspec new file mode 100644 index 0000000000..41817bde75 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-old.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:example.com +validity:20160724-20160924 +extension:subjectAlternativeName:/O=Example Organization diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem new file mode 100644 index 0000000000..6882ba0554 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5TCCAc2gAwIBAgIUG1q3+RCKIizPHadkamCYLL7cp2swDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw +MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMDAuMCwGA1UdEQQl +MCOkITAfMR0wGwYDVQQKDBRFeGFtcGxlIE9yZ2FuaXphdGlvbjANBgkqhkiG9w0B +AQsFAAOCAQEAqa/ayP8zXODUJJmuZLTJsdT2VaqbOh2WWk2bC2A82feGvCevLuL0 +0gPk+001Zx49Y1erMmt2M1cKtf2Lob8SGLNGUlJf2K7SNJTk7nyog+4UIlK4Hsxo +CQ9sqKGJjkwHTDK1rB9gSW4e27Taj6tudnsUfgKWVzERxipebtLsCvz8Jfa0YLRI +bGr6L4LoWiN2RNiK7/IOycfJ8VLDlBRouHD2Xfu0pFcvymMvfOC7GG4oBAacCKGn +muUfoODgKw2yCIOSe7jsJOQ9yOp03sRipISfO0TALFzJX0V5+7CYDLZYR8vs/F/4 +0cIqkhwyCfUWYsGI4gPPR/nVxNvTRZhiFw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem.certspec new file mode 100644 index 0000000000..65acf0b024 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-older.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:example.com +validity:20150724-20160924 +extension:subjectAlternativeName:/O=Example Organization diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem new file mode 100644 index 0000000000..cd87acfe48 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5TCCAc2gAwIBAgIUD1kNqQ0aKQ2TJjGUYztUh8I7j4AwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA4MjQwMDAwMDBaGA8yMDE2MDkyNDAw +MDAwMFowFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMDAuMCwGA1UdEQQl +MCOkITAfMR0wGwYDVQQKDBRFeGFtcGxlIE9yZ2FuaXphdGlvbjANBgkqhkiG9w0B +AQsFAAOCAQEAU9n5I/Hdfod2fPBYWHZA/5/SabHkOBUHfrg6UUQYeHagVbqmoTQD +M5F/DcDna+w6nHagIC/GRHBHkgY3Syh8QK5LnL3zi5tC0u4dzysDUjWtEAEgIcWA +/pYtp6qZwJzxvn68PTnYnFDL61+LDLxlUBa2iRieRkCUOokCLL4ce3jsSTuJ+mGk +XoaRrRREgtG5loYK8hFXM1RDkzyCa82DF/qD+iYgUJS9LMXrsksIRHP7Lqzhnwba +Q4N8rgsBDFkNTEAmGcnTLMTlfO+SyKdHZI4n9VHdUQ1n38qFn70jj1YjcqEOFKXb +wldSrYMedEOFVWyXaVWmxMwMTiDIKWMoxg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem.certspec b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem.certspec new file mode 100644 index 0000000000..140c201434 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_baseline_requirements/san-contains-no-hostnames-recent.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:example.com +validity:20160824-20160924 +extension:subjectAlternativeName:/O=Example Organization diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js b/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js new file mode 100644 index 0000000000..d33ad8b275 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js 
@@ -0,0 +1,78 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +do_get_profile(); // must be called before getting nsIX509CertDB +const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function certFromFile(certName) { + return constructCertFromFile(`test_baseline_requirements/${certName}.pem`); +} + +function loadCertWithTrust(certName, trustString) { + addCertFromFile( + gCertDB, + `test_baseline_requirements/${certName}.pem`, + trustString + ); +} + +function checkCertOn25August2016(cert, expectedResult) { + // (new Date("2016-08-25T00:00:00Z")).getTime() / 1000 + const VALIDATION_TIME = 1472083200; + return checkCertErrorGenericAtTime( + gCertDB, + cert, + expectedResult, + certificateUsageSSLServer, + VALIDATION_TIME, + false, + "example.com" + ); +} + +add_task(async function() { + registerCleanupFunction(() => { + Services.prefs.clearUserPref("privacy.reduceTimerPrecision"); + }); + + Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false); + + loadCertWithTrust("ca", "CTu,,"); + + // At one time there was a preference security.pki.name_matching_mode that + // controlled whether or not mozilla::pkix would fall back to using a + // certificate's subject common name during name matching. This no longer + // exists, and certificates that previously required the fallback should fail + // to verify. 
+ + await checkCertOn25August2016( + certFromFile("no-san-recent"), + SSL_ERROR_BAD_CERT_DOMAIN + ); + await checkCertOn25August2016( + certFromFile("no-san-old"), + SSL_ERROR_BAD_CERT_DOMAIN + ); + await checkCertOn25August2016( + certFromFile("no-san-older"), + SSL_ERROR_BAD_CERT_DOMAIN + ); + await checkCertOn25August2016( + certFromFile("san-contains-no-hostnames-recent"), + SSL_ERROR_BAD_CERT_DOMAIN + ); + await checkCertOn25August2016( + certFromFile("san-contains-no-hostnames-old"), + SSL_ERROR_BAD_CERT_DOMAIN + ); + await checkCertOn25August2016( + certFromFile("san-contains-no-hostnames-older"), + SSL_ERROR_BAD_CERT_DOMAIN + ); +}); diff --git a/security/manager/ssl/tests/unit/test_blocklist_onecrl.js b/security/manager/ssl/tests/unit/test_blocklist_onecrl.js new file mode 100644 index 0000000000..618964c46b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_blocklist_onecrl.js 
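Review bot: All six assertions in the `add_task` of test_baseline_requirements_subject_common_name.js expect `SSL_ERROR_BAD_CERT_DOMAIN`, and nothing verifies successfully for `"example.com"` at `VALIDATION_TIME`. If name matching rejected every certificate under this CA, the test would still pass. A positive control would pin the behaviour from both sides: a certificate whose subjectAlternativeName carries a dNSName for example.com, checked with `PRErrorCodeSuccess`. Separately, `Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false);` has no explanation; a short comment on why the test needs it off would help the next maintainer.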
@@ -0,0 +1,182 @@ +"use strict"; + +do_get_profile(); + +const { Utils } = ChromeUtils.import("resource://services-settings/Utils.jsm"); +const { RemoteSettings } = ChromeUtils.import( + "resource://services-settings/remote-settings.js" +); +const { RemoteSecuritySettings } = ChromeUtils.import( + "resource://gre/modules/psm/RemoteSecuritySettings.jsm" +); +const { OneCRLBlocklistClient } = RemoteSecuritySettings.init(); + +add_task(async function test_uses_a_custom_signer() { + Assert.notEqual( + OneCRLBlocklistClient.signerName, + RemoteSettings("not-specified").signerName + ); +}); + +add_task(async function test_has_initial_dump() { + Assert.ok( + await Utils.hasLocalDump( + OneCRLBlocklistClient.bucketName, + OneCRLBlocklistClient.collectionName + ) + ); +}); + +add_task(async function test_default_jexl_filter_is_used() { + Assert.deepEqual( + OneCRLBlocklistClient.filterFunc, + RemoteSettings("not-specified").filterFunc + ); +}); + +add_task( + async function test_revocations_are_updated_on_sync_with_cert_storage() { + const certStorage = Cc["@mozilla.org/security/certstorage;1"].getService( + Ci.nsICertStorage + ); + const has_revocations = () => + new Promise(resolve => { + certStorage.hasPriorData( + Ci.nsICertStorage.DATA_TYPE_REVOCATION, + (rv, hasPriorData) => { + if (rv == Cr.NS_OK) { + return resolve(hasPriorData); + } + return resolve(false); + } + ); + }); + + Assert.ok(!(await has_revocations())); + + await OneCRLBlocklistClient.emit("sync", { + data: { + current: [], + created: [ + { + issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=", + serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=", + }, + ], + updated: [], + deleted: [], + }, + }); + + Assert.ok(await has_revocations()); + } +); + +add_task(async function test_updated_entry() { + // Revoke a particular issuer/serial number. 
+ await OneCRLBlocklistClient.emit("sync", { + data: { + current: [], + created: [ + { + issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=", + serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=", + }, + ], + updated: [], + deleted: [], + }, + }); + const certStorage = Cc["@mozilla.org/security/certstorage;1"].getService( + Ci.nsICertStorage + ); + let issuerArray = [ + 0x30, + 0x12, + 0x31, + 0x10, + 0x30, + 0xe, + 0x6, + 0x3, + 0x55, + 0x4, + 0x3, + 0xc, + 0x7, + 0x54, + 0x65, + 0x73, + 0x74, + 0x20, + 0x43, + 0x41, + ]; + let serialArray = [ + 0x6b, + 0x45, + 0xfb, + 0xff, + 0xb0, + 0xe5, + 0x4d, + 0xa7, + 0x9d, + 0xa6, + 0xa, + 0xc8, + 0x26, + 0xd, + 0xb9, + 0x88, + 0x13, + 0xce, + 0x90, + 0x83, + ]; + let revocationState = certStorage.getRevocationState( + issuerArray, + serialArray, + [], + [] + ); + Assert.equal(revocationState, Ci.nsICertStorage.STATE_ENFORCE); + + // Update the revocation to be a different serial number; the original + // (issuer, serial) pair should now not be revoked. + await OneCRLBlocklistClient.emit("sync", { + data: { + current: [], + created: [], + updated: [ + { + old: { + issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=", + serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=", + }, + new: { + issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=", + serialNumber: "ALtF+/+w5U0=", + }, + }, + ], + deleted: [], + }, + }); + let oldRevocationState = certStorage.getRevocationState( + issuerArray, + serialArray, + [], + [] + ); + Assert.equal(oldRevocationState, Ci.nsICertStorage.STATE_UNSET); + + let newSerialArray = [0x00, 0xbb, 0x45, 0xfb, 0xff, 0xb0, 0xe5, 0x4d]; + let newRevocationState = certStorage.getRevocationState( + issuerArray, + newSerialArray, + [], + [] + ); + Assert.equal(newRevocationState, Ci.nsICertStorage.STATE_ENFORCE); +}); diff --git a/security/manager/ssl/tests/unit/test_broken_fips.js b/security/manager/ssl/tests/unit/test_broken_fips.js new file mode 100644 index 0000000000..2aac2496f7 --- /dev/null 
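Review bot: In test_blocklist_onecrl.js the `has_revocations` helper inside `test_revocations_are_updated_on_sync_with_cert_storage` resolves `false` whenever `rv` is not `Cr.NS_OK`. The first check, `Assert.ok(!(await has_revocations()))`, therefore also passes when `hasPriorData` itself fails. Take `reject` in the Promise executor and surface the failure, for example `if (rv != Cr.NS_OK) { return reject(new Error("hasPriorData failed: " + rv)); }`. Also, `test_updated_entry` starts by re-creating the same (issuer, serial) pair the previous task already inserted, so its first `STATE_ENFORCE` assertion does not show that its own sync had any effect; a distinct serial there would make the tasks independent.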
+++ b/security/manager/ssl/tests/unit/test_broken_fips.js 
@@ -0,0 +1,61 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// Tests that if Firefox attempts and fails to load a PKCS#11 module DB that was +// in FIPS mode, Firefox can still make use of keys in the key database. +// secomd.db can be created via `certutil -N -d `. Putting it in FIPS mode +// involves running `modutil -fips true -dbdir `. key4.db is from +// test_sdr_preexisting/key4.db. + +function run_test() { + // Append a single quote and non-ASCII characters to the profile path. + let profd = Services.env.get("XPCSHELL_TEST_PROFILE_DIR"); + let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile); + file.initWithPath(profd); + file.append("'÷1"); + Services.env.set("XPCSHELL_TEST_PROFILE_DIR", file.path); + + let profile = do_get_profile(); // must be called before getting nsIX509CertDB + Assert.ok( + /[^\x20-\x7f]/.test(profile.path), + "the profile path should contain a non-ASCII character" + ); + + let keyDBName = "key4.db"; + let keyDBFile = do_get_file(`test_broken_fips/${keyDBName}`); + keyDBFile.copyTo(profile, keyDBName); + + let pkcs11modDBName = "pkcs11.txt"; + let pkcs11modDBFile = do_get_file(`test_broken_fips/${pkcs11modDBName}`); + pkcs11modDBFile.copyTo(profile, pkcs11modDBName); + + let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService( + Ci.nsIPKCS11ModuleDB + ); + ok(!moduleDB.isFIPSEnabled, "FIPS should not be enabled"); + + let sdr = Cc["@mozilla.org/security/sdr;1"].getService( + Ci.nsISecretDecoderRing + ); + + const encrypted = + "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGeDHwVfyFqzBBAYvqMq/kDMsrARVNdC1C8d"; + const expectedResult = "password"; + let decrypted = sdr.decryptString(encrypted); + equal( + decrypted, + expectedResult, + "decrypted ciphertext should match 
expected plaintext" + ); + + let pkcs11modDBFileFIPS = do_get_profile(); + pkcs11modDBFileFIPS.append(`${pkcs11modDBName}.fips`); + ok( + pkcs11modDBFileFIPS.exists(), + "backed-up PKCS#11 module db should now exist" + ); +} diff --git a/security/manager/ssl/tests/unit/test_broken_fips/key4.db b/security/manager/ssl/tests/unit/test_broken_fips/key4.db new file mode 100644 index 0000000000..8f320dfdbd Binary files /dev/null and b/security/manager/ssl/tests/unit/test_broken_fips/key4.db differ diff --git a/security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt b/security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt new file mode 100644 index 0000000000..78a11f5fa7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_broken_fips/pkcs11.txt @@ -0,0 +1,5 @@ +library= +name=NSS Internal FIPS PKCS #11 Module +parameters=configdir='.' certPrefix='' keyPrefix='' secmod='' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=slotParams={0x00000003=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,RANDOM ] } Flags=internal,FIPS,critical + diff --git a/security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js new file mode 100644 index 0000000000..04fa1c655c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12.js 
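Review bot: The header comment of test_broken_fips.js describes the fixtures inaccurately: it refers to "secomd.db" (presumably a typo for secmod.db), while the file the test copies into the profile is `pkcs11.txt`. The `certutil -N -d` and `modutil -fips true -dbdir` commands are also shown without their directory argument, though that may be an artefact of how this page was rendered. Update the comment to name `pkcs11.txt` and give the commands with an explicit placeholder directory so the fixture can be regenerated. In addition, `run_test` overwrites `XPCSHELL_TEST_PROFILE_DIR` via `Services.env.set` and never restores it; a `registerCleanupFunction` that puts back the saved `profd` value would keep the change scoped to this test.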
@@ -0,0 +1,56 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests exporting a certificate and key as a PKCS#12 blob and importing it +// again with a new password set. + +do_get_profile(); + +const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +const PKCS12_FILE = "test_certDB_import/cert_from_windows.pfx"; +const CERT_COMMON_NAME = "test_cert_from_windows"; +const TEST_CERT_PASSWORD = "é»’ã„"; + +function findCertByCommonName(commonName) { + for (let cert of gCertDB.getCerts()) { + if (cert.commonName == commonName) { + return cert; + } + } + return null; +} + +function run_test() { + // Import the certificate and key so we have something to export. + let cert = findCertByCommonName(CERT_COMMON_NAME); + equal(cert, null, "cert should not be found before import"); + let certFile = do_get_file(PKCS12_FILE); + ok(certFile, `${PKCS12_FILE} should exist`); + let errorCode = gCertDB.importPKCS12File(certFile, TEST_CERT_PASSWORD); + equal(errorCode, Ci.nsIX509CertDB.Success, "cert should be imported"); + cert = findCertByCommonName(CERT_COMMON_NAME); + notEqual(cert, null, "cert should be found now"); + + // Export the certificate and key. + let output = do_get_tempdir(); + output.append("output.p12"); + ok(!output.exists(), "output shouldn't exist before exporting PKCS12 file"); + errorCode = gCertDB.exportPKCS12File(output, [cert], TEST_CERT_PASSWORD); + equal(errorCode, Ci.nsIX509CertDB.Success, "cert should be exported"); + ok(output.exists(), "output should exist after exporting PKCS12 file"); + + // We should be able to import the exported blob again using the new password. 
+ errorCode = gCertDB.importPKCS12File(output, TEST_CERT_PASSWORD); + equal(errorCode, Ci.nsIX509CertDB.Success, "cert should be imported"); + output.remove(false /* not a directory; recursive doesn't apply */); + + // Ideally there would be some way to confirm that this actually did anything. + // Unfortunately, since deleting a certificate currently doesn't actually do + // anything until the platform is restarted, we can't confirm that we + // successfully re-imported the certificate. +} diff --git a/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js new file mode 100644 index 0000000000..25f4ab58bf --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js 
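Review bot: test_certDB_export_pkcs12.js says it re-imports the exported blob "with a new password set", but `exportPKCS12File` and both `importPKCS12File` calls use the same `TEST_CERT_PASSWORD`. If the export ignored the supplied password, or carried over the protection of the original .pfx, the test would still pass. Export with a distinct constant, for example `const EXPORT_PASSWORD = "constructed-export-password";`, and re-import with that value. It would also be worth asserting that re-importing `output` with the original `TEST_CERT_PASSWORD` returns something other than `Ci.nsIX509CertDB.Success`, so the test shows the exported key material is protected by the new password.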
@@ -0,0 +1,117 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests exporting a certificate and key as a PKCS#12 blob if the user has a +// primary password set. + +do_get_profile(); + +const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +const PKCS12_FILE = "test_certDB_import/cert_from_windows.pfx"; +const CERT_COMMON_NAME = "test_cert_from_windows"; +const TEST_CERT_PASSWORD = "é»’ã„"; + +var gPrompt = { + password: "password", + clickOk: true, + + QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]), + + // This intentionally does not use arrow function syntax to avoid an issue + // where in the context of the arrow function, |this != gPrompt| due to + // how objects get wrapped when going across xpcom boundaries. + alert(title, text) { + info(`alert('${text}')`); + ok(false, "not expecting alert() to be called"); + }, + + promptPassword(dialogTitle, text, password, checkMsg, checkValue) { + equal( + text, + "Please enter your Primary Password.", + "password prompt text should be as expected" + ); + equal(checkMsg, null, "checkMsg should be null"); + password.value = this.password; + return this.clickOk; + }, +}; + +const gPromptFactory = { + QueryInterface: ChromeUtils.generateQI(["nsIPromptFactory"]), + getPrompt: (aWindow, aIID) => gPrompt, +}; + +function findCertByCommonName(commonName) { + for (let cert of gCertDB.getCerts()) { + if (cert.commonName == commonName) { + return cert; + } + } + return null; +} + +function run_test() { + let promptFactoryCID = MockRegistrar.register( + "@mozilla.org/prompter;1", + gPromptFactory + ); + + registerCleanupFunction(() => { + MockRegistrar.unregister(promptFactoryCID); + }); + + // Set a primary password. 
+ let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService( + Ci.nsIPK11TokenDB + ); + let token = tokenDB.getInternalKeyToken(); + token.initPassword("password"); + token.logoutSimple(); + + // Import the certificate and key so we have something to export. + let cert = findCertByCommonName(CERT_COMMON_NAME); + equal(cert, null, "cert should not be found before import"); + let certFile = do_get_file(PKCS12_FILE); + ok(certFile, `${PKCS12_FILE} should exist`); + let errorCode = gCertDB.importPKCS12File(certFile, TEST_CERT_PASSWORD); + equal(errorCode, Ci.nsIX509CertDB.Success, "cert should import"); + cert = findCertByCommonName(CERT_COMMON_NAME); + notEqual(cert, null, "cert should be found now"); + + // Log out so we're prompted for the password. + token.logoutSimple(); + + // Export the certificate and key (and don't cancel the password request + // dialog). + let output = do_get_tempdir(); + output.append("output.p12"); + ok(!output.exists(), "output shouldn't exist before exporting PKCS12 file"); + errorCode = gCertDB.exportPKCS12File(output, [cert], TEST_CERT_PASSWORD); + equal(errorCode, Ci.nsIX509CertDB.Success, "cert should export"); + ok(output.exists(), "output should exist after exporting PKCS12 file"); + output.remove(false /* not a directory; recursive doesn't apply */); + + // Log out again so we're prompted for the password. + token.logoutSimple(); + + // Attempt to export the certificate and key, but this time cancel the + // password request dialog. The export operation should also be canceled. + gPrompt.clickOk = false; + let output2 = do_get_tempdir(); + output2.append("output2.p12"); + ok(!output2.exists(), "output2 shouldn't exist before exporting PKCS12 file"); + errorCode = gCertDB.exportPKCS12File(output, [cert], TEST_CERT_PASSWORD); + equal( + errorCode, + Ci.nsIX509CertDB.ERROR_PKCS12_BACKUP_FAILED, + "cert should not export" + ); + + ok(!output2.exists(), "output2 shouldn't exist after failing to export"); +} 
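Review bot: In test_certDB_export_pkcs12_with_primary_password.js the cancelled-prompt export still passes `output` as its target: `errorCode = gCertDB.exportPKCS12File(output, [cert], TEST_CERT_PASSWORD);`. The final `ok(!output2.exists(), ...)` is therefore vacuous, because `output2` is never handed to the export. If a cancelled primary-password prompt still wrote the PKCS#12 file, it would land at `output`, which was removed earlier, and nothing would notice. The call should read `errorCode = gCertDB.exportPKCS12File(output2, [cert], TEST_CERT_PASSWORD);` so the existence check covers the file that could actually be created.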
diff --git a/security/manager/ssl/tests/unit/test_certDB_import.js b/security/manager/ssl/tests/unit/test_certDB_import.js new file mode 100644 index 0000000000..76bf968970 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_import.js 
@@ -0,0 +1,217 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the various nsIX509CertDB import methods.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const CA_CERT_COMMON_NAME = "importedCA";
+const TEST_EMAIL_ADDRESS = "test@example.com";
+
+let gCACertImportDialogCount = 0;
+
+// Mock implementation of nsICertificateDialogs.
+const gCertificateDialogs = {
+ confirmDownloadCACert: (ctx, cert, trust) => {
+ gCACertImportDialogCount++;
+ equal(
+ cert.commonName,
+ CA_CERT_COMMON_NAME,
+ "CA cert to import should have the correct CN"
+ );
+ trust.value = Ci.nsIX509CertDB.TRUSTED_EMAIL;
+ return true;
+ },
+ setPKCS12FilePassword: (ctx, password) => {
+ // This is only relevant to exporting.
+ ok(false, "setPKCS12FilePassword() should not have been called");
+ },
+ getPKCS12FilePassword: (ctx, password) => {
+ // We don't test anything that calls this method yet.
+ ok(false, "getPKCS12FilePassword() should not have been called");
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsICertificateDialogs"]),
+};
+
+// Implements nsIInterfaceRequestor. Mostly serves to mock nsIPrompt.
+const gInterfaceRequestor = {
+ alert: (title, text) => {
+ // We don't test anything that calls this method yet.
+ ok(false, `alert() should not have been called: ${text}`);
+ },
+
+ getInterface: iid => {
+ if (iid.equals(Ci.nsIPrompt)) {
+ return this;
+ }
+
+ throw Components.Exception("", Cr.NS_ERROR_NO_INTERFACE);
+ },
+};
+
+function getCertAsByteArray(certPath) {
+ let certFile = do_get_file(certPath, false);
+ let certBytes = readFile(certFile);
+
+ let byteArray = [];
+ for (let i = 0; i < certBytes.length; i++) {
+ byteArray.push(certBytes.charCodeAt(i));
+ }
+
+ return byteArray;
+}
+
+function commonFindCertBy(propertyName, value) {
+ for (let cert of gCertDB.getCerts()) {
+ if (cert[propertyName] == value) {
+ return cert;
+ }
+ }
+ return null;
+}
+
+function findCertByCommonName(commonName) {
+ return commonFindCertBy("commonName", commonName);
+}
+
+function findCertByEmailAddress(emailAddress) {
+ return commonFindCertBy("emailAddress", emailAddress);
+}
+
+function testImportCACert() {
+ // Sanity check the CA cert is missing.
+ equal(
+ findCertByCommonName(CA_CERT_COMMON_NAME),
+ null,
+ "CA cert should not be in the database before import"
+ );
+
+ // Import and check for success.
+ let caArray = getCertAsByteArray("test_certDB_import/importedCA.pem");
+ gCertDB.importCertificates(
+ caArray,
+ caArray.length,
+ Ci.nsIX509Cert.CA_CERT,
+ gInterfaceRequestor
+ );
+ equal(
+ gCACertImportDialogCount,
+ 1,
+ "Confirmation dialog for the CA cert should only be shown once"
+ );
+
+ let caCert = findCertByCommonName(CA_CERT_COMMON_NAME);
+ notEqual(caCert, null, "CA cert should now be found in the database");
+ ok(
+ gCertDB.isCertTrusted(
+ caCert,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_EMAIL
+ ),
+ "CA cert should be trusted for e-mail"
+ );
+}
+
+function testImportEmptyCertPackage() {
+ // Because this is an empty cert package, nothing will be imported. We know it succeeded if no errors are thrown.
+ let byteArray = [
+ 0x30,
+ 0x0f,
+ 0x06,
+ 0x09,
+ 0x60,
+ 0x86,
+ 0x48,
+ 0x01,
+ 0x86,
+ 0xf8,
+ 0x42,
+ 0x02,
+ 0x05,
+ 0xa0,
+ 0x02,
+ 0x30,
+ 0x00,
+ ];
+ gCertDB.importCertificates(
+ byteArray,
+ byteArray.length,
+ Ci.nsIX509Cert.CA_CERT,
+ gInterfaceRequestor
+ );
+}
+
+function testImportEmptyUserCert() {
+ // Because this is an empty cert package, nothing will be imported. We know it succeeded if no errors are thrown.
+ let byteArray = [
+ 0x30,
+ 0x0f,
+ 0x06,
+ 0x09,
+ 0x60,
+ 0x86,
+ 0x48,
+ 0x01,
+ 0x86,
+ 0xf8,
+ 0x42,
+ 0x02,
+ 0x05,
+ 0xa0,
+ 0x02,
+ 0x30,
+ 0x00,
+ ];
+ gCertDB.importUserCertificate(
+ byteArray,
+ byteArray.length,
+ gInterfaceRequestor
+ );
+}
+
+function run_test() {
+ let certificateDialogsCID = MockRegistrar.register(
+ "@mozilla.org/nsCertificateDialogs;1",
+ gCertificateDialogs
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(certificateDialogsCID);
+ });
+
+ // Sanity check the e-mail cert is missing.
+ equal(
+ findCertByEmailAddress(TEST_EMAIL_ADDRESS),
+ null,
+ "E-mail cert should not be in the database before import"
+ );
+
+ // Import the CA cert so that the e-mail import succeeds.
+ testImportCACert();
+ testImportEmptyCertPackage();
+ testImportEmptyUserCert();
+
+ // Import the e-mail cert and check for success.
+ let emailArray = getCertAsByteArray("test_certDB_import/emailEE.pem");
+ gCertDB.importEmailCertificate(
+ emailArray,
+ emailArray.length,
+ gInterfaceRequestor
+ );
+ let emailCert = findCertByEmailAddress(TEST_EMAIL_ADDRESS);
+ notEqual(emailCert, null, "E-mail cert should now be found in the database");
+ let bundle = Services.strings.createBundle(
+ "chrome://pipnss/locale/pipnss.properties"
+ );
+ equal(
+ emailCert.tokenName,
+ bundle.GetStringFromName("PrivateTokenDescription"),
+ "cert's tokenName should be the expected localized value"
+ );
+}
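Review bot: `getInterface` on `gInterfaceRequestor` is written as an arrow function, so its `return this;` hands back the enclosing scope's `this` rather than the mock object that defines `alert`. If the import code ever obtains nsIPrompt through this requestor and calls `alert()`, the `ok(false, …)` guard would presumably not run, and an unexpected prompt during certificate import would go unnoticed. test_certDB_import_with_primary_password.js in this same patch documents the arrow-function pitfall and uses method shorthand. The same fix applies here: `getInterface(iid) {`, or simply `return gInterfaceRequestor;`.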
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfx b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfx new file mode 100644 index 0000000000..e969d672d7 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfx differ diff --git a/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfx b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfx new file mode 100644 index 0000000000..879d424b85 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfx differ diff --git a/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfx b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfx new file mode 100644 index 0000000000..7dcd668121 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfx differ diff --git a/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem new file mode 100644 index 0000000000..a3e58933f0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxjCCAa6gAwIBAgIUO3XveEEK2bu0gx8Lu8vi1NxEGdIwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKaW1wb3J0ZWRDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIw +MjQwMjA1MDAwMDAwWjAhMR8wHQYJKoZIhvcNAQkBFhB0ZXN0QGV4YW1wbGUuY29t +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2 +ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF +h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n +cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv +OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj +tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt +jQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAnhH0WY14SMcVDXj6OvvxHuaRRO8lA +A6vDrn/AmWg0gN7e0aQgvonedXY4OgefAj17X345yZj8VpPFgOjUIb7PYErMxdeB +biKGv/psCB1uDk68Gn1KrFMZ2BtlLeYRWRejgSo53GYH1PBpZZ6owjicqIKKo9cW +Y/EFyauQCQGhWub+tshNFbucSrNDk1Q0uu1Ogs8QFve3x+YbdceAwK835XzLROvS +pWBeWDK1Eqvqun1yWUHVn6aAbZZgKn9yUG7kZqWoBc1InRwaZcImttQF//OJw08y +b0KVWoM5qo2c20qaxNW66GW/tpWnDfUvSTIHZuaDiar4mlSK/0O2aGa8 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec new file mode 100644 index 0000000000..0528bc624a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec @@ -0,0 +1,2 @@ +issuer:importedCA +subject:/emailAddress=test@example.com diff --git a/security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12 b/security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12 new file mode 100644 index 0000000000..105f918782 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12 differ diff --git a/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem new file mode 100644 index 0000000000..e45812f786 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICzDCCAbSgAwIBAgIUd0wCxJoXOgEeMrd0+AIGybyqYgEwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKaW1wb3J0ZWRDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIw +MjQwMjA1MDAwMDAwWjAVMRMwEQYDVQQDDAppbXBvcnRlZENBMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1 +aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we +adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS +pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W +YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR +CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxAwDjAM +BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQB5N5HCphrUqEmwLj+1graV +zneZbDyL2nb1ooITiJj+i+NaOg383Sr/lvWyhw+51o5qx1hnBu8JZ/HlBhFsz/OH +mujJmot+jVg/MRpaTdxZNfpxVZqfroyx1qzr7TC8wgHggxI/DWeCifQmEgNdKIgI +JL0BvVLasGOMhmprRRK3DabjzOjW5xMbY1B3+msbtQtxB6eCXa4byNIZ7vAUdg8L +x2+TovO4c1cs8AzLdpgECImdcHaBFyOYd5sK7f6gcJHtiEx+7JkIF+53wHbFIFlp +s7zkbDA4v97bm5oYMmaW4JEZ8rW07a62ILrNOezvEZCccOnfo+miHcr1AwuJSx9z +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec new file mode 100644 index 0000000000..b168253544 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec @@ -0,0 +1,3 @@ +issuer:importedCA +subject:importedCA +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js b/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js new file mode 100644 index 0000000000..9ddba36c4e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js 
@@ -0,0 +1,126 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests import PKCS12 file by nsIX509CertDB. + +do_get_profile(); + +const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +const PKCS12_FILE = "test_certDB_import/cert_from_windows.pfx"; +const PKCS12_FILE_EMPTY_PASS = + "test_certDB_import/cert_from_windows_emptypass.pfx"; +const PKCS12_FILE_NO_PASS = "test_certDB_import/cert_from_windows_nopass.pfx"; +const CERT_COMMON_NAME = "test_cert_from_windows"; +const TEST_CERT_PASSWORD = "é»’ã„"; + +let gTestcases = [ + // Test that importing a PKCS12 file with the wrong password fails. + { + name: "import using incorrect password", + filename: PKCS12_FILE, + passwordToUse: "this is the wrong password", + successExpected: false, + errorCode: Ci.nsIX509CertDB.ERROR_BAD_PASSWORD, + checkCertExist: true, + certCommonName: CERT_COMMON_NAME, + }, + // Test that importing something that isn't a PKCS12 file fails. + { + name: "import non-PKCS12 file", + filename: "test_certDB_import_pkcs12.js", + passwordToUse: TEST_CERT_PASSWORD, + successExpected: false, + errorCode: Ci.nsIX509CertDB.ERROR_DECODE_ERROR, + checkCertExist: true, + certCommonName: CERT_COMMON_NAME, + }, + // Test that importing a PKCS12 file with the correct password succeeds. + // This needs to be last because currently there isn't a way to delete the + // imported certificate (and thus reset the test state) that doesn't depend on + // the garbage collector running. 
+ {
+ name: "import PKCS12 file",
+ filename: PKCS12_FILE,
+ passwordToUse: TEST_CERT_PASSWORD,
+ successExpected: true,
+ errorCode: Ci.nsIX509CertDB.Success,
+ checkCertExist: true,
+ certCommonName: CERT_COMMON_NAME,
+ },
+ // Same cert file protected with empty string password
+ {
+ name: "import PKCS12 file empty password",
+ filename: PKCS12_FILE_EMPTY_PASS,
+ passwordToUse: "",
+ successExpected: true,
+ errorCode: Ci.nsIX509CertDB.Success,
+ checkCertExist: false,
+ certCommonName: CERT_COMMON_NAME,
+ },
+ // Same cert file protected with no password
+ {
+ name: "import PKCS12 file no password",
+ filename: PKCS12_FILE_NO_PASS,
+ passwordToUse: null,
+ successExpected: true,
+ errorCode: Ci.nsIX509CertDB.Success,
+ checkCertExist: false,
+ certCommonName: CERT_COMMON_NAME,
+ },
+ // Test a PKCS12 file encrypted using AES
+ {
+ name: "import PKCS12 file using AES",
+ filename: "test_certDB_import/encrypted_with_aes.p12",
+ passwordToUse: "password",
+ successExpected: true,
+ errorCode: Ci.nsIX509CertDB.Success,
+ checkCertExist: true,
+ certCommonName: "John Doe",
+ },
+];
+
+function doesCertExist(commonName) {
+ let allCerts = gCertDB.getCerts();
+ for (let cert of allCerts) {
+ if (cert.isBuiltInRoot) {
+ continue;
+ }
+ if (cert.commonName == commonName) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+function runOneTestcase(testcase) {
+ info(`running ${testcase.name}`);
+ if (testcase.checkCertExist) {
+ ok(
+ !doesCertExist(testcase.certCommonName),
+ "cert should not be in the database before import"
+ );
+ }
+
+ // Import and check for failure.
+ let certFile = do_get_file(testcase.filename);
+ ok(certFile, `${testcase.filename} should exist`);
+ let errorCode = gCertDB.importPKCS12File(certFile, testcase.passwordToUse);
+ equal(errorCode, testcase.errorCode, `verifying error code`);
+ equal(
+ doesCertExist(testcase.certCommonName),
+ testcase.successExpected,
+ `cert should${testcase.successExpected ?
"" : " not"} be found now`
+ );
+}
+
+function run_test() {
+ for (let testcase of gTestcases) {
+ runOneTestcase(testcase);
+ }
+}
diff --git a/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js b/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js
new file mode 100644
index 0000000000..ab1ad36fd2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js
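Review bot: The comment above the "import PKCS12 file" entry says that case "needs to be last", yet three more entries follow it in `gTestcases`. The two that reuse `CERT_COMMON_NAME` set `checkCertExist: false`, and since the certificate is already in the database by then, the `doesCertExist(...)` assertion in `runOneTestcase` holds for them whether or not the empty-password and no-password imports did anything; only the `errorCode` comparison covers those paths. I would reword the comment to `// The failing cases must run before this one, because the imported certificate cannot be removed afterwards.` and mark the two follow-up entries with `// Only the error code is meaningful here; the cert already exists.`. In `runOneTestcase`, `// Import and check for failure.` should read `// Import and check the expected outcome.`, since the function also runs the success cases.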
@@ -0,0 +1,148 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that a CA certificate can still be imported if the user has a primary
+// password set.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const CA_CERT_COMMON_NAME = "importedCA";
+
+let gCACertImportDialogCount = 0;
+
+// Mock implementation of nsICertificateDialogs.
+const gCertificateDialogs = {
+ confirmDownloadCACert: (ctx, cert, trust) => {
+ gCACertImportDialogCount++;
+ equal(
+ cert.commonName,
+ CA_CERT_COMMON_NAME,
+ "CA cert to import should have the correct CN"
+ );
+ trust.value = Ci.nsIX509CertDB.TRUSTED_EMAIL;
+ return true;
+ },
+ setPKCS12FilePassword: (ctx, password) => {
+ // This is only relevant to exporting.
+ ok(false, "setPKCS12FilePassword() should not have been called");
+ },
+ getPKCS12FilePassword: (ctx, password) => {
+ // We don't test anything that calls this method yet.
+ ok(false, "getPKCS12FilePassword() should not have been called");
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsICertificateDialogs"]),
+};
+
+var gMockPrompter = {
+ passwordToTry: "password",
+ numPrompts: 0,
+
+ // This intentionally does not use arrow function syntax to avoid an issue
+ // where in the context of the arrow function, |this != gMockPrompter| due to
+ // how objects get wrapped when going across xpcom boundaries.
+ promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+ this.numPrompts++;
+ if (this.numPrompts > 1) {
+ // don't keep retrying a bad password
+ return false;
+ }
+ equal(
+ text,
+ "Please enter your Primary Password.",
+ "password prompt text should be as expected"
+ );
+ equal(checkMsg, null, "checkMsg should be null");
+ ok(this.passwordToTry, "passwordToTry should be non-null");
+ password.value = this.passwordToTry;
+ return true;
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+
+ // Again with the arrow function issue.
+ getInterface(iid) {
+ if (iid.equals(Ci.nsIPrompt)) {
+ return this;
+ }
+
+ throw Components.Exception("", Cr.NS_ERROR_NO_INTERFACE);
+ },
+};
+
+function getCertAsByteArray(certPath) {
+ let certFile = do_get_file(certPath, false);
+ let certBytes = readFile(certFile);
+
+ let byteArray = [];
+ for (let i = 0; i < certBytes.length; i++) {
+ byteArray.push(certBytes.charCodeAt(i));
+ }
+
+ return byteArray;
+}
+
+function findCertByCommonName(commonName) {
+ for (let cert of gCertDB.getCerts()) {
+ if (cert.commonName == commonName) {
+ return cert;
+ }
+ }
+ return null;
+}
+
+function run_test() {
+ let certificateDialogsCID = MockRegistrar.register(
+ "@mozilla.org/nsCertificateDialogs;1",
+ gCertificateDialogs
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(certificateDialogsCID);
+ });
+
+ // Set a primary password.
+ let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+ Ci.nsIPK11TokenDB
+ );
+ let token = tokenDB.getInternalKeyToken();
+ token.initPassword("password");
+ token.logoutSimple();
+
+ // Sanity check the CA cert is missing.
+ equal(
+ findCertByCommonName(CA_CERT_COMMON_NAME),
+ null,
+ "CA cert should not be in the database before import"
+ );
+
+ // Import and check for success.
+ let caArray = getCertAsByteArray("test_certDB_import/importedCA.pem");
+ gCertDB.importCertificates(
+ caArray,
+ caArray.length,
+ Ci.nsIX509Cert.CA_CERT,
+ gMockPrompter
+ );
+ equal(
+ gCACertImportDialogCount,
+ 1,
+ "Confirmation dialog for the CA cert should only be shown once"
+ );
+
+ let caCert = findCertByCommonName(CA_CERT_COMMON_NAME);
+ notEqual(caCert, null, "CA cert should now be found in the database");
+ ok(
+ gCertDB.isCertTrusted(
+ caCert,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_EMAIL
+ ),
+ "CA cert should be trusted for e-mail"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_chains.js b/security/manager/ssl/tests/unit/test_cert_chains.js
new file mode 100644
index 0000000000..fbbe85245d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_chains.js
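Review bot: `gMockPrompter.numPrompts` is incremented in `promptPassword`, but `run_test` never asserts on it, so the test passes the same way whether or not the import asked for the primary password after `token.logoutSimple()`. The checks on the prompt text and `checkMsg` only run if the prompt fires, so a regression that skips authentication to the token would not be caught. If a single prompt is the intended behaviour (the file header suggests this, but the hunk does not establish it), add `equal(gMockPrompter.numPrompts, 1, "primary password should be requested exactly once");` after the `importCertificates` call. Otherwise, state the expected count in a comment next to `numPrompts: 0`.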
@@ -0,0 +1,394 @@ +// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// We hard-code the following certificates for the pkcs7 export tests so that we +// don't have to change the test data when the certificates change each year. +// Luckily these tests don't depend on the certificates being valid, so it's ok +// to let them expire. +const gDefaultEEPEM = `-----BEGIN CERTIFICATE----- +MIIDiTCCAnGgAwIBAgIUDUo/9G0rz7fJiWTw0hY6TIyPRSIwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAwMDAwMFoYDzIwMjAw +MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow +gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp +bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu +ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs +ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo +b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCkguNhMyVCYhyYXfE22wNvlaob +K2YRb4OGMxySIKuQ80N0XlO+xpLJTs9YzFVY1+JTHNez1QfwP9KJeZznTzVzLh4s +v0swx/+oUxCfLb0VIl/kdUqLkbGYrAmtjeOKZLaqVtRH0BnmbPowLak1pi6nQYOU ++aL9QOuvT/j3rXoimcdo6X3TK1SN2/64fGMyG/pwas+JXehbReUf4n1ewk84ADtb ++ew8tRAKf/uxzKUj5t/UgqDsnTWq5wUc5IJKwoHT41sQnNqPg12x4+WGWiAsWCpR +/hKYHFGr7rb4JTGEPAJpWcv9WtZYAvwT78a2xpHp5XNglj16IjWEukvJuU1W +-----END CERTIFICATE-----`; + +const gTestCAPEM = `-----BEGIN CERTIFICATE----- 
+MIIC0zCCAbugAwIBAgIUKaFwIwCwHXUgKRuOhAX4pjYsmbgwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAwMDAwMFoYDzIwMjAw +MjA1MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME +BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAIMgnywHFbPzJ +BEcbpx/aWQOI2tUFlo7MUoPSoACHzoI/HOUTx25eKHlpNK2jSljLufhUd//eCCXg ++OQt4f2N/tRw8gumbs3YDF7+t3ZNGt+iQxZTwN7MKsGIZy+6R523XHw8lpzFX5iz +XgIS+0APlX+XyZk7MRCcBWh6PSaSqEOOvUXVp6Omh3it034kBWnm809TEWmwiVw3 +ssPDmpUCArdDNMMdvQehzaH96cdjcSsguqpX9NcMDUmmiG7HLQ2iy+WSzek9S46S +bKKDLw8Ebevfkl6PEpg+GDulq+EPXayN3AsFXkF8MaFLgfeprkENjN1g4jM+WSyN +6DC7vCkj7A== +-----END CERTIFICATE-----`; + +const gUnknownIssuerPEM = ` +-----BEGIN CERTIFICATE----- +MIIDqTCCApGgAwIBAgIUMRiJ9TrwqTOoVFU+j5FDWDWS1X8wDQYJKoZIhvcNAQEL +BQAwJjEkMCIGA1UEAwwbVGVzdCBJbnRlcm1lZGlhdGUgdG8gZGVsZXRlMCIYDzIw +MTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMC4xLDAqBgNVBAMMI1Rlc3Qg +RW5kLWVudGl0eSBmcm9tIHVua25vd24gaXNzdWVyMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4HCMIG/MIGIBgNV +HREEgYAwfoIZdW5rbm93bmlzc3Vlci5leGFtcGxlLmNvbYI0dW5rbm93bmlzc3Vl +ci5pbmNsdWRlLXN1YmRvbWFpbnMucGlubmluZy5leGFtcGxlLmNvbYIrdW5rbm93 +bmlzc3Vlci50ZXN0LW1vZGUucGlubmluZy5leGFtcGxlLmNvbTAyBggrBgEFBQcB 
+AQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZI +hvcNAQELBQADggEBALAnJjBJ+MOc7kMRzmESYZRSxKak7A1K67xBXWzWmK3t3WXv +e/RLjV/RhbyTN20h2ZjSVcuDzgNYC/RJ/z3Xd5Q9QEGoi1ly84HeaeHw/3kUSHxv +J3JnbPu2lk96U5y7tXEVfbEVZYpx4Us72fuURPWriVldILH2lgrEg+iKZWbY/wcT +vfu1j/flMkGEOpc1HytlmR9fkCDnqzFfcmv7Eh3X1BiSBOIemGnUHxONwlthSE68 +IItE5l3c82G8oQGmve6r0N9h7t6opIjH1koFWMck/pzDA01FmWey4ASdlmjE8NSJ +Al1zsF8EiLOZeI1rvurcXwVOd0Olk9/QT5hwTkk= +-----END CERTIFICATE-----`; + +const gOCSPEEWithIntermediatePEM = ` +-----BEGIN CERTIFICATE----- +MIIDNTCCAh2gAwIBAgIUZ67hS7lHVnCQtXx7oXFlzihqh0cwDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAxNzExMjcwMDAw +MDBaGA8yMDIwMDIwNTAwMDAwMFowLDEqMCgGA1UEAwwhVGVzdCBFbmQtZW50aXR5 +IHdpdGggSW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu +Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO +7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf +qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt +HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx +uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo1swWTAjBgNVHREEHDAagglsb2NhbGhv +c3SCDSouZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZo +dHRwOi8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQAo043hM4Gi +UtoXKOQB2v0C8nF4Yyzpf+i0LlxQCFZkiLYu9pIuQu16I3TbLQRBwhCC0ml7TqJB +AbryzILTorCQP8A1WQa1kt6cb30jCyXLcWnDA/ULPexn9cYm6I0YyLFlnkcVzMGL +Fc+LyWTAPEW5rMauu5iOOp/6L5rBF0M9bg5yXSGNDv8gk3Jc+opJbBDTrAuKDNLp +JSEp4rqovNFnirzlJWDS+ScAsWHtoLcrH6gnQRPsEV1WFQnYr3HkAakYQok9xs5A +ikBS6mgz4/cFBts8bSGSuXxctkN2Ss7Y5l3YmTYKCxPz6retVfrhi/islH4W3z9H +pu3ZqyACO6Lb +-----END CERTIFICATE-----`; + +const gTestIntPEM = ` +-----BEGIN CERTIFICATE----- +MIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25iBPOkIMwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMjUw +MTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTCCASIwDQYJ 
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1 +SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+ +zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL +K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc +bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW +JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMd +MBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEB +AILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC2BQF0kMEEB547p+Ms8zdJY00 +Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77TkfmnSnxvPi+0nlA+eM +8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22+AIU7w6wyA +IbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubjiMr3 +B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpyk +rGFLvocT/kym6r8galxCJUo= +-----END CERTIFICATE-----`; + +function build_cert_list_from_pem_list(pemList) { + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + let certList = []; + for (let pem of pemList) { + let cert = certdb.constructX509FromBase64(pemToBase64(pem)); + certList.push(cert); + } + return certList; +} + +function test_cert_pkcs7_export() { + // This was generated by running BadCertAndPinningServer locally on the bad_certs + // directory and visiting: + // https://good.include-subdomains.pinning.example.com:8443/ + // and then viewing the certificate chain presented (in the page info dialog) + // and exporting it. 
+ // (NB: test-ca must be imported and trusted for the connection to succeed) + const expectedPKCS7ForDefaultEE = + "MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCCBmQwggLTMIIBu6ADAgE" + + "CAhQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZX" + + "N0IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB" + + "1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI" + + "BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xz" + + "VJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCy" + + "uwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW" + + "7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE" + + "LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8" + + "wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAgyCfLAcVs/MkERxunH9pZA4ja1Q" + + "WWjsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR3/94IJeD45C3h/Y3+1HDyC6ZuzdgMX" + + "v63dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmLNeAhL7QA+Vf5fJmTsxEJwFaHo9JpKo" + + "Q469RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8OalQICt0M0wx29B6HNof3px2NxKyC6qlf" + + "01wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+SXo8SmD4YO6Wr4Q9drI3cCwVeQXwxoU" + + "uB96muQQ2M3WDiMz5ZLI3oMLu8KSPsMIIDiTCCAnGgAwIBAgIUDUo/9G0rz7fJiWTw0hY6T" + + "IyPRSIwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE3MTEyNzAw" + + "MDAwMFoYDzIwMjAwMjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggE" + + "iMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNU" + + "q07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0" + + "DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ" + + "sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJH" + + "dtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFz" + + "G4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcowgccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob" + + "3N0gg0qLmV4YW1wbGUuY29tghUqLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1z" + + 
"dWJkb21haW5zLnBpbm5pbmcuZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnB" + + "pbm5pbmcuZXhhbXBsZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi" + + "8vbG9jYWxob3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQCkguNhMyVCYhyYXfE22wNvl" + + "aobK2YRb4OGMxySIKuQ80N0XlO+xpLJTs9YzFVY1+JTHNez1QfwP9KJeZznTzVzLh4sv0sw" + + "x/+oUxCfLb0VIl/kdUqLkbGYrAmtjeOKZLaqVtRH0BnmbPowLak1pi6nQYOU+aL9QOuvT/j" + + "3rXoimcdo6X3TK1SN2/64fGMyG/pwas+JXehbReUf4n1ewk84ADtb+ew8tRAKf/uxzKUj5t" + + "/UgqDsnTWq5wUc5IJKwoHT41sQnNqPg12x4+WGWiAsWCpR/hKYHFGr7rb4JTGEPAJpWcv9W" + + "tZYAvwT78a2xpHp5XNglj16IjWEukvJuU1WMQAAAAAAAAA="; + let certListDefaultEE = build_cert_list_from_pem_list([ + gDefaultEEPEM, + gTestCAPEM, + ]); + + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + let pkcs7DefaultEE = certdb.asPKCS7Blob(certListDefaultEE); + + equal( + btoa(pkcs7DefaultEE), + expectedPKCS7ForDefaultEE, + "PKCS7 export should work as expected for default-ee chain" + ); + + // This was generated by running BadCertAndPinningServer locally on the bad_certs + // directory and visiting: + // https://unknownissuer.example.com:8443/ + // and then viewing the certificate presented (in the add certificate + // exception dialog) and exporting it. 
+ const expectedPKCS7ForUnknownIssuer = + "MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCCA60wggOpMIICkaADAgE" + + "CAhQxGIn1OvCpM6hUVT6PkUNYNZLVfzANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtUZX" + + "N0IEludGVybWVkaWF0ZSB0byBkZWxldGUwIhgPMjAxNzExMjcwMDAwMDBaGA8yMDIwMDIwN" + + "TAwMDAwMFowLjEsMCoGA1UEAwwjVGVzdCBFbmQtZW50aXR5IGZyb20gdW5rbm93biBpc3N1" + + "ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTw" + + "T2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs" + + "1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkf" + + "bmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA" + + "dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/" + + "l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcIwgb8wgYgGA1UdEQSBgDB+ghl1bm" + + "tub3duaXNzdWVyLmV4YW1wbGUuY29tgjR1bmtub3duaXNzdWVyLmluY2x1ZGUtc3ViZG9tY" + + "Wlucy5waW5uaW5nLmV4YW1wbGUuY29tgit1bmtub3duaXNzdWVyLnRlc3QtbW9kZS5waW5u" + + "aW5nLmV4YW1wbGUuY29tMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2x" + + "vY2FsaG9zdDo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAsCcmMEn4w5zuQxHOYRJhlFLEpq" + + "TsDUrrvEFdbNaYre3dZe979EuNX9GFvJM3bSHZmNJVy4POA1gL9En/Pdd3lD1AQaiLWXLzg" + + "d5p4fD/eRRIfG8ncmds+7aWT3pTnLu1cRV9sRVlinHhSzvZ+5RE9auJWV0gsfaWCsSD6Ipl" + + "Ztj/BxO9+7WP9+UyQYQ6lzUfK2WZH1+QIOerMV9ya/sSHdfUGJIE4h6YadQfE43CW2FITrw" + + "gi0TmXdzzYbyhAaa97qvQ32Hu3qikiMfWSgVYxyT+nMMDTUWZZ7LgBJ2WaMTw1IkCXXOwXw" + + "SIs5l4jWu+6txfBU53Q6WT39BPmHBOSTEAAAAAAAAA"; + let certListUnknownIssuer = build_cert_list_from_pem_list([ + gUnknownIssuerPEM, + ]); + let pkcs7UnknownIssuer = certdb.asPKCS7Blob(certListUnknownIssuer); + equal( + btoa(pkcs7UnknownIssuer), + expectedPKCS7ForUnknownIssuer, + "PKCS7 export should work as expected for unknown issuer" + ); + + // This was generated by running OCSPStaplingServer locally on the ocsp_certs + // directory and visiting: + // https://ocsp-stapling-with-intermediate.example.com:8443/ + // and then viewing the certificate 
chain presented (in the page info dialog) + // and exporting it. + // (NB: test-ca must be imported and trusted for the connection to succeed) + const expectedPKCS7WithIntermediate = + "MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCCCPEwggLTMIIBu6ADAgE" + + "CAhQpoXAjALAddSApG46EBfimNiyZuDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZX" + + "N0IENBMCIYDzIwMTcxMTI3MDAwMDAwWhgPMjAyMDAyMDUwMDAwMDBaMBIxEDAOBgNVBAMMB" + + "1Rlc3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI" + + "BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xz" + + "VJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCy" + + "uwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW" + + "7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE" + + "LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8" + + "wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAgyCfLAcVs/MkERxunH9pZA4ja1Q" + + "WWjsxSg9KgAIfOgj8c5RPHbl4oeWk0raNKWMu5+FR3/94IJeD45C3h/Y3+1HDyC6ZuzdgMX" + + "v63dk0a36JDFlPA3swqwYhnL7pHnbdcfDyWnMVfmLNeAhL7QA+Vf5fJmTsxEJwFaHo9JpKo" + + "Q469RdWno6aHeK3TfiQFaebzT1MRabCJXDeyw8OalQICt0M0wx29B6HNof3px2NxKyC6qlf" + + "01wwNSaaIbsctDaLL5ZLN6T1LjpJsooMvDwRt69+SXo8SmD4YO6Wr4Q9drI3cCwVeQXwxoU" + + "uB96muQQ2M3WDiMz5ZLI3oMLu8KSPsMIIC3TCCAcWgAwIBAgIUa0X7/7DlTaedpgrIJg25i" + + "BPOkIMwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDE1MDEwMTAw" + + "MDAwMFoYDzIwMjUwMTAxMDAwMDAwWjAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTC" + + "CASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6u" + + "Q1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8H" + + "mnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh" + + "eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaM" + + "Mkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5" + + "kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EB" + + 
"AMCAQYwDQYJKoZIhvcNAQELBQADggEBAILNZM9yT9ylMpjyi0tXaDORzpHiJ8vEoVKk98bC" + + "2BQF0kMEEB547p+Ms8zdJY00Bxe9qigT8rQwKprXq5RvgIZ32QLn/yMPiCp/e6zBdsx77Tk" + + "fmnSnxvPi+0nlA+eM8JYN0UST4vWD4vPPX9GgZDVoGQTiF3hUivJ5R8sHb/ozcSukMKQQ22" + + "+AIU7w6wyAIbCAG7Pab4k2XFAeEnUZsl9fCym5jsPN9Pnv9rlBi6h8shHw1R2ROXjgxubji" + + "Mr3B456vFTJImLJjyA1iTSlr/+VXGUYg6Z0/HYnsO00+8xUKM71dPxGAfIFNaSscpykrGFL" + + "vocT/kym6r8galxCJUowggM1MIICHaADAgECAhRnruFLuUdWcJC1fHuhcWXOKGqHRzANBgk" + + "qhkiG9w0BAQsFADAcMRowGAYDVQQDDBFUZXN0IEludGVybWVkaWF0ZTAiGA8yMDE3MTEyNz" + + "AwMDAwMFoYDzIwMjAwMjA1MDAwMDAwWjAsMSowKAYDVQQDDCFUZXN0IEVuZC1lbnRpdHkgd" + + "2l0aCBJbnRlcm1lZGlhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo" + + "RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHE" + + "IeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7q" + + "dw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCAB" + + "iTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd" + + "q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjWzBZMCMGA1U" + + "dEQQcMBqCCWxvY2FsaG9zdIINKi5leGFtcGxlLmNvbTAyBggrBgEFBQcBAQQmMCQwIgYIKw" + + "YBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6ODg4OC8wDQYJKoZIhvcNAQELBQADggEBACjTj" + + "eEzgaJS2hco5AHa/QLycXhjLOl/6LQuXFAIVmSIti72ki5C7XojdNstBEHCEILSaXtOokEB" + + "uvLMgtOisJA/wDVZBrWS3pxvfSMLJctxacMD9Qs97Gf1xibojRjIsWWeRxXMwYsVz4vJZMA" + + "8Rbmsxq67mI46n/ovmsEXQz1uDnJdIY0O/yCTclz6iklsENOsC4oM0uklISniuqi80WeKvO" + + "UlYNL5JwCxYe2gtysfqCdBE+wRXVYVCdivceQBqRhCiT3GzkCKQFLqaDPj9wUG2zxtIZK5f" + + "Fy2Q3ZKztjmXdiZNgoLE/Pqt61V+uGL+KyUfhbfP0em7dmrIAI7otsxAAAAAAAAAA=="; + let certListWithIntermediate = build_cert_list_from_pem_list([ + gOCSPEEWithIntermediatePEM, + gTestIntPEM, + gTestCAPEM, + ]); + let pkcs7WithIntermediate = certdb.asPKCS7Blob(certListWithIntermediate); + equal( + btoa(pkcs7WithIntermediate), + expectedPKCS7WithIntermediate, + "PKCS7 export should work as expected for chain with intermediate" + ); +} + +function 
test_cert_pkcs7_empty_array() { + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + + throws( + () => certdb.asPKCS7Blob([]), + /NS_ERROR_ILLEGAL_VALUE/, + "trying to convert an empty array to pkcs7 should throw" + ); +} + +function run_test() { + do_get_profile(); + add_tls_server_setup("BadCertAndPinningServer", "bad_certs"); + + add_test(function() { + test_cert_pkcs7_export(); + run_next_test(); + }); + + add_test(function() { + test_cert_pkcs7_empty_array(); + run_next_test(); + }); + + // Test successful connection (failedCertChain should be null) + add_connection_test( + // re-use pinning certs (keeler) + "good.include-subdomains.pinning.example.com", + PRErrorCodeSuccess, + null, + function withSecurityInfo(aTransportSecurityInfo) { + equal( + aTransportSecurityInfo.failedCertChain.length, + 0, + "failedCertChain for a successful connection should be null" + ); + } + ); + + // Test overrideable connection failure (failedCertChain should be non-null) + add_connection_test( + "expired.example.com", + SEC_ERROR_EXPIRED_CERTIFICATE, + null, + function withSecurityInfo(securityInfo) { + notEqual( + securityInfo.failedCertChain, + null, + "failedCertChain should not be null for an overrideable" + + " connection failure" + ); + let originalCertChain = build_cert_chain(["expired-ee", "test-ca"]); + ok( + areCertArraysEqual(originalCertChain, securityInfo.failedCertChain), + "failedCertChain should equal the original cert chain for an" + + " overrideable connection failure" + ); + } + ); + + // Test overrideable connection failure (failedCertChain should be non-null) + add_connection_test( + "unknownissuer.example.com", + SEC_ERROR_UNKNOWN_ISSUER, + null, + function withSecurityInfo(securityInfo) { + notEqual( + securityInfo.failedCertChain, + null, + "failedCertChain should not be null for an overrideable" + + " connection failure" + ); + let originalCertChain = build_cert_chain(["unknownissuer"]); + ok( + 
areCertArraysEqual(originalCertChain, securityInfo.failedCertChain), + "failedCertChain should equal the original cert chain for an" + + " overrideable connection failure" + ); + } + ); + + // Test non-overrideable error (failedCertChain should be non-null) + add_connection_test( + "inadequatekeyusage.example.com", + SEC_ERROR_INADEQUATE_KEY_USAGE, + null, + function withSecurityInfo(securityInfo) { + notEqual( + securityInfo.failedCertChain, + null, + "failedCertChain should not be null for a non-overrideable" + + " connection failure" + ); + let originalCertChain = build_cert_chain([ + "inadequatekeyusage-ee", + "test-ca", + ]); + ok( + areCertArraysEqual(originalCertChain, securityInfo.failedCertChain), + "failedCertChain should equal the original cert chain for a" + + " non-overrideable connection failure" + ); + } + ); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_cert_dbKey.js b/security/manager/ssl/tests/unit/test_cert_dbKey.js new file mode 100644 index 0000000000..78a14b6679 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_dbKey.js 
@@ -0,0 +1,263 @@ +// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// This test tests that the nsIX509Cert.dbKey and nsIX509CertDB.findCertByDBKey +// APIs work as expected. That is, getting a certificate's dbKey and using it +// in findCertByDBKey should return the same certificate. Also, for backwards +// compatibility, findCertByDBKey should ignore any whitespace in its input +// (even though now nsIX509Cert.dbKey will never have whitespace in it). + +function hexStringToBytes(hex) { + let bytes = []; + for (let hexByteStr of hex.split(":")) { + bytes.push(parseInt(hexByteStr, 16)); + } + return bytes; +} + +function encodeCommonNameAsBytes(commonName) { + // The encoding will look something like this (in hex): + // 30 (SEQUENCE) + // 31 (SET) + // 30 (SEQUENCE) + // 06 (OID) 03 (length) + // 55 04 03 (id-at-commonName) + // 0C (UTF8String) + // + // To make things simple, it would be nice to have the length of each + // component be less than 128 bytes (so we can have single-byte lengths). + // For this to hold, the maximum length of the contents of the outermost + // SEQUENCE must be 127. Everything not in the contents of the common name + // will take up 11 bytes, so the value of the common name itself can be at + // most 116 bytes. 
+ ok( + commonName.length <= 116, + "test assumption: common name can't be longer than 116 bytes (makes " + + "DER encoding easier)" + ); + let commonNameOIDBytes = [0x06, 0x03, 0x55, 0x04, 0x03]; + let commonNameBytes = [0x0c, commonName.length]; + for (let i = 0; i < commonName.length; i++) { + commonNameBytes.push(commonName.charCodeAt(i)); + } + let bytes = commonNameOIDBytes.concat(commonNameBytes); + bytes.unshift(bytes.length); + bytes.unshift(0x30); // SEQUENCE + bytes.unshift(bytes.length); + bytes.unshift(0x31); // SET + bytes.unshift(bytes.length); + bytes.unshift(0x30); // SEQUENCE + return bytes; +} + +function testInvalidDBKey(certDB, dbKey) { + throws( + () => certDB.findCertByDBKey(dbKey), + /NS_ERROR_ILLEGAL_INPUT/, + `findCertByDBKey(${dbKey}) should raise NS_ERROR_ILLEGAL_INPUT` + ); +} + +function testDBKeyForNonexistentCert(certDB, dbKey) { + let cert = certDB.findCertByDBKey(dbKey); + ok(!cert, "shouldn't find cert for given dbKey"); +} + +function byteArrayToByteString(bytes) { + let byteString = ""; + for (let b of bytes) { + byteString += String.fromCharCode(b); + } + return byteString; +} + +function run_test() { + do_get_profile(); + let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + let cert = constructCertFromFile("bad_certs/test-ca.pem"); + equal( + cert.issuerName, + "CN=" + cert.issuerCommonName, + "test assumption: this certificate's issuer distinguished name " + + "consists only of a common name" + ); + let issuerBytes = encodeCommonNameAsBytes(cert.issuerCommonName); + ok( + issuerBytes.length < 256, + "test assumption: length of encoded issuer is less than 256 bytes" + ); + let serialNumberBytes = hexStringToBytes(cert.serialNumber); + ok( + serialNumberBytes.length < 256, + "test assumption: length of encoded serial number is less than 256 bytes" + ); + let dbKeyHeader = [ + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + serialNumberBytes.length, + 0, + 0, + 0, + 
issuerBytes.length, + ]; + let expectedDbKeyBytes = dbKeyHeader.concat(serialNumberBytes, issuerBytes); + let expectedDbKey = btoa(byteArrayToByteString(expectedDbKeyBytes)); + equal( + cert.dbKey, + expectedDbKey, + "actual and expected dbKey values should match" + ); + + let certFromDbKey = certDB.findCertByDBKey(expectedDbKey); + ok( + areCertsEqual(certFromDbKey, cert), + "nsIX509CertDB.findCertByDBKey should find the right certificate" + ); + + ok( + expectedDbKey.length > 64, + "test assumption: dbKey should be longer than 64 characters" + ); + let expectedDbKeyWithCRLF = expectedDbKey.replace(/(.{64})/, "$1\r\n"); + ok( + expectedDbKeyWithCRLF.indexOf("\r\n") == 64, + "test self-check: adding CRLF to dbKey should succeed" + ); + certFromDbKey = certDB.findCertByDBKey(expectedDbKeyWithCRLF); + ok( + areCertsEqual(certFromDbKey, cert), + "nsIX509CertDB.findCertByDBKey should work with dbKey with CRLF" + ); + + let expectedDbKeyWithSpaces = expectedDbKey.replace(/(.{64})/, "$1 "); + ok( + expectedDbKeyWithSpaces.indexOf(" ") == 64, + "test self-check: adding spaces to dbKey should succeed" + ); + certFromDbKey = certDB.findCertByDBKey(expectedDbKeyWithSpaces); + ok( + areCertsEqual(certFromDbKey, cert), + "nsIX509CertDB.findCertByDBKey should work with dbKey with spaces" + ); + + // Test some invalid dbKey values. + testInvalidDBKey(certDB, "AAAA"); // Not long enough. + // No header. + testInvalidDBKey( + certDB, + btoa( + byteArrayToByteString( + [0, 0, 0, serialNumberBytes.length, 0, 0, 0, issuerBytes.length].concat( + serialNumberBytes, + issuerBytes + ) + ) + ) + ); + testInvalidDBKey( + certDB, + btoa( + byteArrayToByteString([ + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 255, + 255, + 255, + 255, // serial number length is way too long + 255, + 255, + 255, + 255, // issuer length is way too long + 0, + 0, + 0, + 0, + ]) + ) + ); + // Truncated issuer. 
+ testInvalidDBKey( + certDB, + btoa( + byteArrayToByteString([ + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 1, + 0, + 0, + 0, + 10, + 1, + 1, + 2, + 3, + ]) + ) + ); + // Issuer doesn't decode to valid common name. + testDBKeyForNonexistentCert( + certDB, + btoa( + byteArrayToByteString([ + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 1, + 0, + 0, + 0, + 3, + 1, + 1, + 2, + 3, + ]) + ) + ); + + // zero-length serial number and issuer -> no such certificate + testDBKeyForNonexistentCert( + certDB, + btoa( + byteArrayToByteString([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]) + ) + ); +} diff --git a/security/manager/ssl/tests/unit/test_cert_eku.js b/security/manager/ssl/tests/unit/test_cert_eku.js new file mode 100644 index 0000000000..d185407243 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku.js 
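Review bot: `encodeCommonNameAsBytes` checks `commonName.length <= 116` and then pushes `commonName.charCodeAt(i)` under a UTF8String tag (`0x0c`), so the length check and the emitted bytes are only correct for a pure-ASCII common name. `length` counts UTF-16 code units rather than encoded bytes, and a code unit above 0x7f is not the UTF-8 encoding of that character. The test CA's name is presumably ASCII, so the test passes today, but a different fixture would produce a malformed expected dbKey rather than a clear failure. State the assumption next to the existing length check: `ok(/^[\x00-\x7f]*$/.test(commonName), "test assumption: common name is ASCII");`.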
@@ -0,0 +1,189 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests that the extended key usage extension is properly processed by the +// platform when verifying certificates. There are already comprehensive tests +// in mozilla::pkix itself, but these tests serve as integration tests to ensure +// that the cases we're particularly concerned about are correctly handled. + +"use strict"; + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function certFromFile(certName) { + return constructCertFromFile(`test_cert_eku/${certName}.pem`); +} + +function loadCertWithTrust(certName, trustString) { + addCertFromFile(certdb, `test_cert_eku/${certName}.pem`, trustString); +} + +function checkEndEntity(cert, expectedResult) { + return checkCertErrorGeneric( + certdb, + cert, + expectedResult, + certificateUsageSSLServer + ); +} + +function checkCertOn25August2016(cert, expectedResult) { + // (new Date("2016-08-25T00:00:00Z")).getTime() / 1000 + const VALIDATION_TIME = 1472083200; + return checkCertErrorGenericAtTime( + certdb, + cert, + expectedResult, + certificateUsageSSLServer, + VALIDATION_TIME + ); +} + +add_task(async function() { + registerCleanupFunction(() => { + Services.prefs.clearUserPref("privacy.reduceTimerPrecision"); + }); + Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false); + + loadCertWithTrust("ca", "CTu,,"); + // end-entity has id-kp-serverAuth => success + await checkEndEntity(certFromFile("ee-SA"), PRErrorCodeSuccess); + // end-entity has id-kp-serverAuth => success + await checkEndEntity(certFromFile("ee-SA-CA"), PRErrorCodeSuccess); + // end-entity has extended key usage, but id-kp-serverAuth is not present 
=> + // failure + await checkEndEntity(certFromFile("ee-CA"), SEC_ERROR_INADEQUATE_CERT_TYPE); + // end-entity has id-kp-serverAuth => success + await checkEndEntity(certFromFile("ee-SA-nsSGC"), PRErrorCodeSuccess); + + // end-entity has extended key usage, but id-kp-serverAuth is not present => + // failure (in particular, Netscape Server Gated Crypto (also known as + // Netscape Step Up) is not an acceptable substitute for end-entity + // certificates). + // Verify this for all Netscape Step Up policy configurations. + // 0 = "always accept nsSGC in place of serverAuth for CA certificates" + Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0); + await checkEndEntity( + certFromFile("ee-nsSGC"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + // 1 = "accept nsSGC before 23 August 2016" + Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1); + await checkEndEntity( + certFromFile("ee-nsSGC"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + // 2 = "accept nsSGC before 23 August 2015" + Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2); + await checkEndEntity( + certFromFile("ee-nsSGC"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + // 3 = "never accept nsSGC" + Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3); + await checkEndEntity( + certFromFile("ee-nsSGC"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + + // end-entity has id-kp-OCSPSigning, which is not acceptable for end-entity + // certificates being verified as TLS server certificates => failure + await checkEndEntity( + certFromFile("ee-SA-OCSP"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + + // intermediate has id-kp-serverAuth => success + loadCertWithTrust("int-SA", ",,"); + await checkEndEntity(certFromFile("ee-int-SA"), PRErrorCodeSuccess); + // intermediate has id-kp-serverAuth => success + loadCertWithTrust("int-SA-CA", ",,"); + await checkEndEntity(certFromFile("ee-int-SA-CA"), PRErrorCodeSuccess); + // intermediate has extended key usage, but id-kp-serverAuth 
is not present + // => failure + loadCertWithTrust("int-CA", ",,"); + await checkEndEntity( + certFromFile("ee-int-CA"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + // intermediate has id-kp-serverAuth => success + loadCertWithTrust("int-SA-nsSGC", ",,"); + await checkEndEntity(certFromFile("ee-int-SA-nsSGC"), PRErrorCodeSuccess); + + // Intermediate has Netscape Server Gated Crypto. Success will depend on the + // Netscape Step Up policy configuration and the notBefore property of the + // intermediate. + loadCertWithTrust("int-nsSGC-recent", ",,"); + loadCertWithTrust("int-nsSGC-old", ",,"); + loadCertWithTrust("int-nsSGC-older", ",,"); + // 0 = "always accept nsSGC in place of serverAuth for CA certificates" + Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0); + info("Netscape Step Up policy: always accept"); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-recent"), + PRErrorCodeSuccess + ); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-old"), + PRErrorCodeSuccess + ); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-older"), + PRErrorCodeSuccess + ); + // 1 = "accept nsSGC before 23 August 2016" + info("Netscape Step Up policy: accept before 23 August 2016"); + Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-recent"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-old"), + PRErrorCodeSuccess + ); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-older"), + PRErrorCodeSuccess + ); + // 2 = "accept nsSGC before 23 August 2015" + info("Netscape Step Up policy: accept before 23 August 2015"); + Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-recent"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-old"), + 
SEC_ERROR_INADEQUATE_CERT_TYPE + ); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-older"), + PRErrorCodeSuccess + ); + // 3 = "never accept nsSGC" + info("Netscape Step Up policy: never accept"); + Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-recent"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-old"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + await checkCertOn25August2016( + certFromFile("ee-int-nsSGC-older"), + SEC_ERROR_INADEQUATE_CERT_TYPE + ); + + // intermediate has id-kp-OCSPSigning, which is acceptable for CA + // certificates => success + loadCertWithTrust("int-SA-OCSP", ",,"); + await checkEndEntity(certFromFile("ee-int-SA-OCSP"), PRErrorCodeSuccess); +}); diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ca.pem b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem new file mode 100644 index 0000000000..790e942fbd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem 
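Review bot: The cleanup registered at the top of the `add_task` body clears only `privacy.reduceTimerPrecision`, while `security.pki.netscape_step_up_policy` is set eight times in the task and never reset. The closing `int-SA-OCSP` check therefore runs with the value the last nsSGC block left behind (3), so its result silently depends on statement order. Add `Services.prefs.clearUserPref("security.pki.netscape_step_up_policy");` to the `registerCleanupFunction` callback so the validation policy is restored along with the timer pref.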
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICvDCCAaSgAwIBAgIUbYeck7JVOWdVm1AGwsw/DzdRnaYwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTAxMDEwMDAwMDBaGA8yMDM1MDEwMTAw +MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBAI0AO+ZBY1oImSrpifcmQZTE/C4xIu7Uu5GX/A7ApQU7 +8UAXivMgRDbtrjOie1HNH9DIxHBCFY/Y7f0VRXxWmPEmT+5LpHrLoi+YF0h2wh/1 +RuiJV1AfaEdVJyNCVDSQrS8BQG5O3LebBq00gjSJSQ4+DHu7YHWkyMIZk+lbBiO1 +GsD0FWBDlOtiMpL/CQWjyiskiqQjrDCs5m0NayqgzYAMtdlEd+pAKEMNO8Fr8xSI +tAlcG4frvH0kLJ2scX9ayvKTZrAiAxJz9CjmmnXOyL78yyr/hkJbzYTvk0+1cClg +J2aGnsFIHgUxEx7sApOqlmG8g1lqL7UPqpi8ItVNl48= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec new file mode 100644 index 0000000000..c6e443f5d8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ca +extension:basicConstraints:cA, +validity:20150101-20350101 diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem new file mode 100644 index 0000000000..3cb03da8f7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxjCCAa6gAwIBAgIUC03diwvrB4IClE/zsjnrM/hOwWQwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowEDEOMAwGA1UEAwwFZWUtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9 +sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5 +TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7 +xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd +tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l +8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsG +AQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQAnfkwf3dUtHoAqV8RNSvFz7KJ0RQui +nIvnUmKUtzbVoIyC4rJQjVbjOPlh+//Qq7UjLdOicvePiu5kK5lzckaKieFcp8Mh +IYvhiK0awUMH6Xs5sZbjwcUwWkWr1/7LuuZZa1k54vj5M4XwSQ4snrRQkzibUL7X +kRKaDfIG2GTKQiK3Snl8o0X9nlTdGUVstAT6QtzkvwDRbs/vcjJUPkW0E8RZitkP +E8n/QuW6+7Lf/zSO9wKUQdCa/m4dFlIzEDwUPGdk+BHbHOkEfd3+al+zmXwayBn0 +apP+bXWRBMPEZ6eXvdSrYx7bYFvJBiZX3WyGXzOQg+aOXnHebQjfDpvo +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem.certspec new file mode 100644 index 0000000000..d49cabaa2f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-CA.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-CA +extension:extKeyUsage:clientAuth diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem new file mode 100644 index 0000000000..ede5b867bd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAgIUSfuClZeHYlvEYfPk7WTIXpRXbM0wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowEzERMA8GA1UEAwwIZWUtU0EtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg +2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ +5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ +PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj +DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W +iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjITAfMB0GA1UdJQQWMBQG +CCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAc1UdQZONXBiW +PHmGb+irQkZK7cET3oPn2iuHlHGgs4rgeXzbZkxFF6/wp84iSf7Svb7pWVmW/FaI +iigoRROXBwssvrfz2yqYF+5uPrZst7OzyQ5iDEzOc+tXC2051sdPNOXNJDQeE4ac +sr+e39xBMUwcOVIJE5bMtlcYhQGppTZA9PMfz137aQHdzV4g+1Io0pT851rhPP3p +EhehyM2GyqwIP7KcHG1p4ncPD6Ninge6ar7nv1WV81vc8SkOUIBfD5JcjRobe80F +AeSTTqRmlkFVbvOtnLctYdXWCIKg1GRUwk/89Xnhg3DdIANEhCW1jRxKsFwVTM7e +D2TMbbw0aw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem.certspec new file mode 100644 index 0000000000..5250cc4a84 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-CA.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-SA-CA +extension:extKeyUsage:serverAuth,clientAuth diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem new file mode 100644 index 0000000000..9c195b89bb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1TCCAb2gAwIBAgIUE6Hbt6pxuVOgduBB/3H+COBki0owDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFTETMBEGA1UEAwwKZWUtU0EtT0NTUDCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMhMB8wHQYDVR0lBBYw +FAYIKwYBBQUHAwEGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IBAQBR2xe6V/V9 +jEBWS4Vyx9xsi3B9I44I85iQZKVMQARWJg24MBcPw6P0gNnv2n2VUHsA6XED9R0a +naYxCzXRm/UPHUbJp+GQpX4khsTA4Vf5NfyaUMyvnrmVQnfXEISmVS3aoPZUyDrJ +F6+v3hqNllT9Ub1VaszCybRjxGvjyMqlGQ9Cc8okeDdw2k0B6w2/61DEkQ8ZEQHQ +Z+jzGCAeEyVC3UsASL4qSeXQYCkjKHPzwK3co8tyX/YuEZFrRz0wUNvSwx0Byp6t +2egt51hgnO8mCEzfrEA37vEkzsmv/gFzoSSJvh0WttKLMgHVAIhP4e1K6tkGNTqN +QXkdhBwi53N4 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem.certspec new file mode 100644 index 0000000000..3b3eff9ae4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-OCSP.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-SA-OCSP +extension:extKeyUsage:serverAuth,OCSPSigning diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem new file mode 100644 index 0000000000..2b3c805a5b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1zCCAb+gAwIBAgIUSWceP1hy2YehKHlNAGJTud5AQBEwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFjEUMBIGA1UEAwwLZWUtU0EtbnNTR0MwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjIjAgMB4GA1UdJQQX +MBUGCCsGAQUFBwMBBglghkgBhvhCBAEwDQYJKoZIhvcNAQELBQADggEBADR8iLp+ +wdwL+F6xHrZoRZ0twse/VXPZdCtYiII93zZnkT5/Kw9L0jPqSrXkAPECCyRAArFE +M1sggTtgmDZqSegcihlFIQwwcKmEtvGy47IxgQ8M0r2N+2Tt1LLnQ5lyaxvaRLRk +P7wRsVJMdzX9lhF9gIo5j+YJPjK68EXxLceDyfz1M9PNQIqjGz3efoAmsVry2HoS +j10B53rKh/UcwpYv+++qVZwzZrfFK6bRGoRzO4zapDRmsXKWmEJZWL7EFYh85SXO +J35mFJJDnswKajLpPdNrzc5Dvki/XM/50Yshli96S5uQeEKSfYBIWXS9yKq8VOXJ +FXCbtkWVe+B8fOQ= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem.certspec new file mode 100644 index 0000000000..4c51425ce7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA-nsSGC.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-SA-nsSGC +extension:extKeyUsage:serverAuth,nsSGC diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem new file mode 100644 index 0000000000..6975921b9d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxjCCAa6gAwIBAgIULzA2uHt40mZircmlebIa0o2nR0MwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowEDEOMAwGA1UEAwwFZWUtU0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9 +sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5 +TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7 +xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd +tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l +8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsG +AQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQCb+rwpPNCs9bg0lFWJLo9YzubV9eM3 +ktSIWubXVwjRnXrd9rwKU7OSpcD8LkJTMLqLHlBhsu32hWd3EEgBwpEpPDTcoHNH +4zDWAc8I+5gpFdB6IEeM2CIOcpA+52PAo02mafj/WDfIcyKTbtK/DJfKSg+I6TpC +mwYwwKQYw8CW+BuAIFP39f+000oEuf7rPfAeZIvF4YV3pWnZ9wuXhW+4+SYO0+KD +B0EI41phP/wOmG7+haKZ1AG/H0j+/SMBS1ErByw9VvW2Y3Wd440wrhBHeXI7Wx2W +qIrd2k4ksd4pM4m+yojtc4vSS2P+At6rvdWL7NvIKgfhAFzqfqZoAGLQ +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem.certspec new file mode 100644 index 0000000000..690f579afa --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-SA.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-SA +extension:extKeyUsage:serverAuth diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem new file mode 100644 index 0000000000..039b1f6f6f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtTCCAZ2gAwIBAgIUdUT/GdLxD1B7t8/7+yrahnifL1MwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMBQxEjAQBgNVBAMMCWVlLWludC1DQTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7 +wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp +k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh +eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW +EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc +JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B +AQsFAAOCAQEAhJfneO1hs5/bpWCTWgYIEzWsjD/hAFaEaokmyM7mvgt2ZGSqWnyE +qJ4fQ08cdfuHHv1mjTcLs8V77ahdar+9alW8Z5t+rZYhgOiu9LJo8O9BThd64JxO +1MJ6HSdtdyJcfwSW+OsVWotFZtSRI2fIX7ent0rujJX5GMZpiP32KhCjqxQtcf1x +HFiTgzro+n7umZDLd3jH1e+Y5dn0EY4Y9vwAQ4YYXsJIFl0lhLACjG+mZj29hMct +hxO3DYLrKFlfZTUrz+KZtx6etN0I7M0ChBpMWHmPECfXhg/ffkJqFZtl94oCr5hB +gi6ZhjoAaGyxVKxuujtVpRaYIRT5B9OZXw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem.certspec new file mode 100644 index 0000000000..670973930d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-CA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-CA +subject:ee-int-CA diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem new file mode 100644 index 0000000000..50c26d7ba3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuzCCAaOgAwIBAgIUB8K+R7AzVbDqn7RA4hMZWP9Kbf8wDQYJKoZIhvcNAQEL +BQAwFDESMBAGA1UEAwwJaW50LVNBLUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAy +NDAyMDUwMDAwMDBaMBcxFTATBgNVBAMMDGVlLWludC1TQS1DQTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs +9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8 +HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak +kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet +lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r +kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkq +hkiG9w0BAQsFAAOCAQEAmiDm0St0AQ9a+RPBC95ycM8cHDsSiY8aRdfIEojLUCwJ +3BSMAWh65tSSy59YFM/+hZquxW6mFKenKsvcVghBTUVxKONJKr8pnrpJiK1rkZxe +euN3VOuv+nio4byTol9AQGKOg5GUtDtFsYIXrDH2wd6aUxGbi2cuD8q+YyjLpOr2 +1galNh18R9vXXlec/59Jp3hkSzgMs07RlbS8+G6qGRiSE5T6Yjf3vnv2rqQKE7xn +Wiw+enu/RjPoZeXq6pzBupSo8FiunxT3dXESvjGxamG38T2w1n0NEz6jNs0E90/V +R34SITuc+/Hk6AQUy04U9AiOx0Kb7DRNlXXb6/rZdQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem.certspec new file mode 100644 index 0000000000..bd012ab712 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-CA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-SA-CA +subject:ee-int-SA-CA diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem new file mode 100644 index 0000000000..68d799dfd4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICvzCCAaegAwIBAgIUZQ9IB4KTIRfOUcb3bOGwbFEnUI4wDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLaW50LVNBLU9DU1AwIhgPMjAyMTExMjcwMDAwMDBaGA8y +MDI0MDIwNTAwMDAwMFowGTEXMBUGA1UEAwwOZWUtaW50LVNBLU9DU1AwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk +NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC +fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m +CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM +HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m +1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEw +DQYJKoZIhvcNAQELBQADggEBAHLWWm2bWrApkz4OyZNVTyNNFHgcAGQPsAOAv4BO +tm6DppAewakqHOEOJ+DBvTmyVvx66tpl48IHW5am2e0zoV3N6VTZhfZ1zzavS2h5 +SF4xMUWeJSjtmkjAxHFnz9JcR53CselhMj2ZRXQVMyr1W6QxBi1AfMtR96hWcY3f +v4nBtIz/FkIFjTN/GU+vt5Rtc0Gns/kbl21ifuRM0QaXOj8u81gAQ3wEh0NLmy8Z +ACTcy787xTRspMB3WOCJFHY2GqxrG5t7bS2EeUYu6xq1fnnRCfvemKUEALpCzzZn +t8zmO7PVgNbBfXta0cXGFn5WNRSpOZGxXiQoBqnYWLStXFI= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem.certspec new file mode 100644 index 0000000000..2374d248f6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-OCSP.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-SA-OCSP +subject:ee-int-SA-OCSP diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem new file mode 100644 index 0000000000..8722e2f71c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICwTCCAamgAwIBAgIUG/gIwkS6ibsfvsd3knsfZ5AkaEswDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMaW50LVNBLW5zU0dDMCIYDzIwMjExMTI3MDAwMDAwWhgP +MjAyNDAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD2VlLWludC1TQS1uc1NHQzCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ +6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk +nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N +/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG +JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd +7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA +ATANBgkqhkiG9w0BAQsFAAOCAQEADKzVNVhzBer5Tt4j61bsP8UL5/bJ6KPL9oHR +WSgBGoaamfyn1gG9vOFKTI1/GjEzCrbIQPfsJypWj2MAER/msMiuucnzdjD9iUpK +tkzTPFeO4hwAR9rImy0C4MiEXlY51Z2Ir+GH7DDVqVu5OPSDeuYUEF2mrL8T0Y/Q +f7UTfbCinecnznWTgvC8EhXCUwMMnPjHqpJGVKwXuPjqVYA83htZ6m5kvg9/MWpZ +YeRa4HO9A1Ui5OXsWnk4Uzp4cX5cMlc5VhnaMQV0gCPrcYw4x34t75Pu2VZPKlO4 +XmDiy90kfGat0wuOzqOGb9FEPkmvrbRhc6+LLCBHbHSIXlKWLA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem.certspec new file mode 100644 index 0000000000..6c3cb64730 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA-nsSGC.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-SA-nsSGC +subject:ee-int-SA-nsSGC diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem new file mode 100644 index 0000000000..2af207eed6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtTCCAZ2gAwIBAgIUc1s5H7wRuokI6INDaqXAJUUghNIwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGaW50LVNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMBQxEjAQBgNVBAMMCWVlLWludC1TQTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7 +wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp +k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh +eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW +EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc +JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B +AQsFAAOCAQEANXVEEPwO3d4e8tBtwYHr78z3X1Fmtrjwb594Zp4xxx79mAUmAXnr ++SHJKfInLgdr0f85Pml5EAR7dlvqC0RMmkoljmlsPOLkEgiRxc/++ohEf2rn1QLL +6+4tXjuHZ5u1qFa/tgdNqWzNqeGHA1y/+5KAB80mTiytFMBieKgVdv7ijvbClJRg +V4vybtDD8RZMveGrOd1i+nPR5TLI5OnEmwP8duVLdq5eB/M2CYa+uPg8WgM8BlFP +B4e9w99MW39z86MAwzw+tpgBT03uSQeV9UxcQVwLm+gjcxaHFPaKhRnqUaVH7A4F +ZFMb168XWz34MCjJ3AWt4FfP6UwGn8L+nA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem.certspec new file mode 100644 index 0000000000..72ddb78dfd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-SA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-SA +subject:ee-int-SA diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem new file mode 100644 index 0000000000..8e8d4c2c04 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICwzCCAaugAwIBAgIUB/nCi+kTmIkobMVqQFtJnevhGwEwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNaW50LW5zU0dDLW9sZDAiGA8yMDE2MDcyNDAwMDAwMFoY +DzIwMTYwOTI0MDAwMDAwWjAbMRkwFwYDVQQDDBBlZS1pbnQtbnNTR0Mtb2xkMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08 +E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc +1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP +DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ +gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV +YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID +AQABMA0GCSqGSIb3DQEBCwUAA4IBAQBcxzg5hx9tQ57Jv3wibAhPktjmqapB2suH +eGE253Xn5haGq+0E3Qkmn7oF1ou6QyLvP+qbElhkx7+eEvhMhzRZFU8XmxzHRqbb +dZ0/MQw+aLEOc4Utl+1n3pDbVhBjoG3yVxyErndHfyXg+hNPMBEPvtfMYnSkKHX1 +3w3pJSs8HtUNMG3jecwXOJic0kUu6V5npNC0KTeZq4OOzp48WCpEfsQ6W5MzR4PN +mrCVU2t1GzCKRNA8E8a9unOcxnukz8FaY9RCkeW3cTwRNt0VaFprX32d1C4mz5rV +vNz/TGA0jy2b4Mg/dpGXrxqyRy1mG3zfs7sDhEoCxLsd/7ytu/bs +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem.certspec new file mode 100644 index 0000000000..a21b49b783 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-old.pem.certspec @@ -0,0 +1,3 @@ +issuer:int-nsSGC-old +subject:ee-int-nsSGC-old +validity:20160724-20160924 diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem new file mode 100644 index 0000000000..4acdf7b59d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxzCCAa+gAwIBAgIUYfx/2lyIWKMRlK/zS6/kmkp+t/MwDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPaW50LW5zU0dDLW9sZGVyMCIYDzIwMTUwNzI0MDAwMDAw +WhgPMjAxNjA5MjQwMDAwMDBaMB0xGzAZBgNVBAMMEmVlLWludC1uc1NHQy1vbGRl +cjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG +NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn +RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu +p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ +Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p +47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1 +7Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAbCqK5OcHMj28V1PKiL4CHeN2oTCj +pObUJrAUqsHJbqS2Q+huzzoSsL+yT4uKeiuDMZnKOm8OIZMtM7M4zQb6b5H1Wqm+ +fM5384kUubmSG+CzUd4adK8NjSwgYhgdvAecbzhPS1GUlai9qDJU+elQVIrNZCL4 +6B634koCQkarYybibdXgoum9zzcla0TRXe9rHjb8VYe+BH7tLAnWGpUqw4x36Buz +gv605ApVb+QDAB9NH4/EZ1TXuKby6I9I19EkfADHL5XUKHGFH2EE+6Fsqihgu3QG +NRYMU2GL79bZcwOm2t2v+ZB2fp+UlEs8nykWY7PgwbJ+ObgSauNHhKi5DA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem.certspec new file mode 100644 index 0000000000..93e1831a32 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-older.pem.certspec @@ -0,0 +1,3 @@ +issuer:int-nsSGC-older +subject:ee-int-nsSGC-older +validity:20150724-20160924 diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem new file mode 100644 index 0000000000..557c8276e8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIUE/PT07mikR8SeEYcqdLT8IL5vMIwDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQaW50LW5zU0dDLXJlY2VudDAiGA8yMDE2MDgyNDAwMDAw +MFoYDzIwMTcwODI0MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1pbnQtbnNTR0MtcmVj +ZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62 +iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql +WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq +Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ +ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i +b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY +CjXtjQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAKnYtenyuUSykB8EP4IkEeeVPo +PeZpLKEHHr9CnjIC8b0lHhTsFQhIiNsCWt8xh+JS273QJi/A2rdo1M4KiMZyURne +RZvTBpFu5F8E+VixDP9xmpAffrgqPqgNRyN+co7tUQZgsJHhb8LSKKMHQTMTBOgW +nrVlMR+MwXBBQx7Yc7KkVob8DMWmIAAXlv0JY6ID2lRb4haBVS1gsPIj24mVF8XG +dRJIgtVUvey49/PvErG6FNA32QPDCyv9UOkX9mtpnu9dT+v6mAkbRcSDYAsTTWh2 +seog8fOBA8WoqO+EtTIY2VLiO2G8pTp8MftYVc1Mhd5Kh/ZT+PtdngloPnDM +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec new file mode 100644 index 0000000000..4a3ad8ec05 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-int-nsSGC-recent.pem.certspec @@ -0,0 +1,3 @@ +issuer:int-nsSGC-recent +subject:ee-int-nsSGC-recent +validity:20160824-20170824 diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem new file mode 100644 index 0000000000..10bae6542e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyjCCAbKgAwIBAgIUTe5MT0p0so5MFykddr1kBAMk1J4wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowEzERMA8GA1UEAwwIZWUtbnNTR0MwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg +2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ +5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ +PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj +DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W +iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGDAWMBQGA1UdJQQNMAsG +CWCGSAGG+EIEATANBgkqhkiG9w0BAQsFAAOCAQEAcGPEiH/hfb1EbEuv66X9c3fD +g71Pe3qqOJ6QEW5S6Y1qwmVNOA0e7awGKj0i9MCMMb6sw0bWxmPJyR4QTsEG4lbi +SazRgS2n6FAnaQMyU/qE8jG2epIJRWECEbhuviv88Rci2/w7/N3ED1mu2/f/19Zo +UPNydVnAU5M1xRiV/lqlo2ZzNJHOw8raezoedrh15jUwcFs1WAqcxAUTearZYjr4 +GMYqOiDY0AzndK9XHHTyuj4rrHd+XgLRbHP/JPfAGzWyTa3Yqwe0fD2mORBtEDT8 +Y+nZIhKzM5Hra+TeeDs5jNFC9JH5ZMQgos4l6N5UeyqB1H+J0owl7VuvqLxrHQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem.certspec new file mode 100644 index 0000000000..43d58ab6d4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/ee-nsSGC.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-nsSGC +extension:extKeyUsage:nsSGC diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem new file mode 100644 index 0000000000..2195a06582 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1TCCAb2gAwIBAgIUYf8P4Z0RmA/uflirA4xHoKNqtHUwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowETEPMA0GA1UEAwwGaW50LUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyUwIzAMBgNVHRMEBTADAQH/ +MBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQA/izUgZ12n +DeYVPwvRzgoQ6oZNoZNGwSip5AKfpdC/RtFsDMH5AjaUMrSGvJjSCgcEXSey1fTV +wdkQs1gYOdDTu935Gg0K13kHZSN0bGEwBA7Gh8gBaOrA/PElx6q8FEG1+qg20GQB +vN174zjsSy9M6lXu90jApAh4whwgSTOO8JJ4VR9k9jnTzb+5lL5DTvWjFaR0M0zE ++XCDMUr90pGtg/qLzfSiaLaHEBMZu1cpVwtg3lLmMZhQXm067jP/nNZpe0yvPwz5 +HLFA7vrHAZkmtuKg22Le3FLyhtgQRLd6KT92pg33yhD5jqJskI0jq8EGvNvUKLbV +cZbtU1Px/vOt +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem.certspec new file mode 100644 index 0000000000..e5bc18198c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-CA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-CA +extension:basicConstraints:cA, +extension:extKeyUsage:clientAuth diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem new file mode 100644 index 0000000000..3dbec3ad5a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4jCCAcqgAwIBAgIUK2ufphp0ShP+8H3RzpTFrZY/NrQwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFDESMBAGA1UEAwwJaW50LVNBLUNBMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo +4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD +SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX +kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx +owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/ +Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoy8wLTAMBgNVHRMEBTAD +AQH/MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsF +AAOCAQEAOclvzLUjmZihoAVTCzyH04vhIEfzSl3gbZsooUdY1CZ05+i95YhA8IOM +Q9YDkIYGsLyMaX/X5OV96KKMRsfSldEWNiNMqXJamqHh1ZalfVFtmmI+k5P/pWX9 +hOzCm12CcxGpaklkyrJ1zQ9CE3Upil34X/Wfmzwiz88zUjc+jpfWU7/VQASoGNku +AiOswyAuuTSWQ89GBzwH06Q6Ty4sICDdD+69RFnY9sBKPCiTDO1W85d/A/QqnCkj ++Be27/lFmpHV64u6vIa6WUdJ5FA8b/ernVvdZJc42jyTPy8Cwh/l7Onphy0cmHe8 +fm5lAou5Gh6pc3UB4haso1ib5hdkVw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem.certspec new file mode 100644 index 0000000000..94e9a42d48 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-CA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-SA-CA +extension:basicConstraints:cA, +extension:extKeyUsage:serverAuth,clientAuth diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem new file mode 100644 index 0000000000..b4642e5e09 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5DCCAcygAwIBAgIUHyOa9EUn1y5E6yT4ne+opcI/RbwwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFjEUMBIGA1UEAwwLaW50LVNBLU9DU1AwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjLzAtMAwGA1UdEwQF +MAMBAf8wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMJMA0GCSqGSIb3DQEB +CwUAA4IBAQC2VSyElSFe/z7BdCgAot834Eer4HgxBtimrb1YNZgsaZjjU8v9Cv9h +yBvs4M3J5ZuikyU5AyYiOF+YH9FouWbrsFnJezSpNI1MBqR8QDxdAwBCMqpHPsjT +7Bw7N0ajkvWHA1PzzphFXthjNTYiIWQHLly6D/MQYHetyv3WvOevNQjl56B9uMdc +pf5N/JDbxh23euSHuBTGICxMAOg4JkgqXlxVbTAXfQhLVmnvGY6/cjtyhz7tbfEC +2fL9hnDPOciusR8WIYYi3TF8TWrZL5vhImQZimETuSQBMm5cygsaPFy3J28P2bPe +lk6ehrv5e8pAHUak+OrbaWtyP4bh3tiK +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem.certspec new file mode 100644 index 0000000000..c38a640b9b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-OCSP.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-SA-OCSP +extension:basicConstraints:cA, +extension:extKeyUsage:serverAuth,OCSPSigning diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem new file mode 100644 index 0000000000..d0c8b0f89a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5jCCAc6gAwIBAgIUYeEyTSJzsgBm34At1b54YQbcruYwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFzEVMBMGA1UEAwwMaW50LVNBLW5zU0dDMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozAwLjAMBgNVHRME +BTADAQH/MB4GA1UdJQQXMBUGCCsGAQUFBwMBBglghkgBhvhCBAEwDQYJKoZIhvcN +AQELBQADggEBACQdyOExX0WnOgZHDOcJFSxGXQ5B4d7DxdH5EKRYtCgq7zbqolvE +qzi4fsDxbeRCrzVsCKDYqU69fO4sTAJRhBsEsz5Ybzi1Djfm3awjoCGl/kMJDZ8h +trRh3pUlmwh6NXbF6IBlNrw2EqRR8TS+w71VDqFbvF0J2AKYSD9Fu44ArwLlPN2q ++nAKZnh1PDEW+jsKrZ6lKoft1A6894bp5g34wx2W5LR6RDk3xRGGoMFQXi//OQG1 +YWthV2tBPOWd8pJ7KJJBkliidsg3/vJzsGZXvd6bzd34LjJxNZfG3UNKP0RfHX4q +El1zBn59yclrtG7vYKGITSJLbwv7E8vdBLQ= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem.certspec new file mode 100644 index 0000000000..c84201d874 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA-nsSGC.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-SA-nsSGC +extension:basicConstraints:cA, +extension:extKeyUsage:serverAuth,nsSGC diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem new file mode 100644 index 0000000000..43e5d861b9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1TCCAb2gAwIBAgIUE7YXyGbnrzogbe8A8yh1856yWAAwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowETEPMA0GA1UEAwwGaW50LVNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyUwIzAMBgNVHRMEBTADAQH/ +MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQAhGBv+d4uZ +qUeJf7MoPJhW+aN9BzuOpzvo12DbAdQNOTEgzpx/OmpwOQq7+8QTKgusYvn6+O/l +U4MxwKhXWPD5kZXXIPdYKiGmClxhAszP6jfhpaIyjfw04Bhj50uSv41fAastSygm +rxUv95dc4K4PbyWxu+Yhz67bZ69wcU/wV6GPrkm4dlRPtTCZy6Y59mdlskfky7g9 +/jpfS0E7zZgjLRRCgk3QGeCvNV9aPHxbGZwVCZ4M7wNkFx+P/rhVDj2x6aAFTSaB +acAkLEek+eY9tgmfTMEY9iZ80dUZV5XHTaQGRuoQNtSjJEkk0mjGTvG56xV1bP8f +yv/QLk/RFMfi +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem.certspec new file mode 100644 index 0000000000..74bec2b21c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-SA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-SA +extension:basicConstraints:cA, +extension:extKeyUsage:serverAuth diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem new file mode 100644 index 0000000000..e0deef7c3f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3TCCAcWgAwIBAgIUbXK8dZ2kTHVUtKZ1Uamdr5h27tQwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw +MDAwMFowGDEWMBQGA1UEAwwNaW50LW5zU0dDLW9sZDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7 +wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp +k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh +eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW +EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc +JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMmMCQwDAYDVR0T +BAUwAwEB/zAUBgNVHSUEDTALBglghkgBhvhCBAEwDQYJKoZIhvcNAQELBQADggEB +AK/99QYaWy5/SG7iKiGwSgJ49hobsVUf4DTN9+4FIesvXNUtXc+vmPVNwgy8S4Kn +23zOUmp2LaRBQ3VxaiQ0o/RN3ZjULhPhGi3cHsjDTKXH3U0snAloUYONx1JCFOif +RWwLeiyps1oW9ARfUQrbQRtw87ospU5aJ7JSPoVgbCMXubmEpRSeTMv0SHdOs6g7 +ahSaoT7BBRuHDnCb8+ZR509H9Dc4M2Dv4lQ9vlWGZjXnfM1ImIeUBTWQ0fngyoZW +neTStGeL5MmCjjMMupJYbjNsenQXd9doD08+voOfmKgaMQDH0fgEACJHjmmt+eQ4 +j8WZP3lRZHZm/s23xNl+6S4= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem.certspec new file mode 100644 index 0000000000..35f61671ed --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-old.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-nsSGC-old +extension:basicConstraints:cA, +extension:extKeyUsage:nsSGC +validity:20160724-20160924 diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem new file mode 100644 index 0000000000..dd709c343d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3zCCAcegAwIBAgIUITNR+z5zrXNAq+3y9u3et1fNp6YwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNTA3MjQwMDAwMDBaGA8yMDE2MDkyNDAw +MDAwMFowGjEYMBYGA1UEAwwPaW50LW5zU0dDLW9sZGVyMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyYwJDAMBgNV +HRMEBTADAQH/MBQGA1UdJQQNMAsGCWCGSAGG+EIEATANBgkqhkiG9w0BAQsFAAOC +AQEAtkFQHiG8UeleNMgvJVneYQzIQt8wiZwudAH2FdiyeCtYUp95z19IzPlZeYq0 +FXlMJJ+SOn2wSZ9jHshV5VF8S4Rb3ou0EVJcu+X7cs3jOuLtV/KwFDKXrncWpF7L +sH1yGVkAUNMQlE52MgPxg7P6yd+lbU9MlqD5rpifsAecrXzctzi8l3qb2UJvkHku +BLE+ViTnn9RFDQFQ/1AAF9cbSJaUF0rwWznXpB0PAu+v9lBpn9a83/GXZc1SO2mE +MIdgRpuB1Lr+wZq5ulXHAeBJ+kH8lrG2CIXSQPFQjPfiS2D5hM1cdd7GSEh4BoZv +AbTKG12NXN9AG7RpG7upSBG4mQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem.certspec new file mode 100644 index 0000000000..f7a870c0f1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-older.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-nsSGC-older +extension:basicConstraints:cA, +extension:extKeyUsage:nsSGC +validity:20150724-20160924 diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem new file mode 100644 index 0000000000..c5c8e724c2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4DCCAcigAwIBAgIUec5AldPAXDY+y1Q7RfO4SfvteiEwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjA4MjQwMDAwMDBaGA8yMDE3MDgyNDAw +MDAwMFowGzEZMBcGA1UEAwwQaW50LW5zU0dDLXJlY2VudDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX +bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ +OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 +uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb +t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMmMCQwDAYD +VR0TBAUwAwEB/zAUBgNVHSUEDTALBglghkgBhvhCBAEwDQYJKoZIhvcNAQELBQAD +ggEBAJO1C5eYEk2/+xvgWsCsUZi7PMoZLhb5Jb2V61JMWREfCozmYepqlamR6IZV +fn5Q9OClLtAzSybeia40nsW/xb/o+5zJn0rPzk6JIsMToJk07fqp+uG9LbAM82IV +RnHzmCS4/3n4fl1k1GGL0A/NYBUsilY9oKhVl1zukB/z3ALp9LyProNLsEZmWkl7 +F07+lR9PPMOqA1SuDJmZMyZ4cKDyYYF7NYKGi57xpgpUXGq8IPOKKGq4XlYqQhOQ +sVSuc+16A+NlPwMogczcgTgy7QD6DF4WNOCDGwuF0YB7uROEbYvh4lkKJfhnAtb7 +1/xnmTVssnCTsbppIiXtKs8zzu0= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec new file mode 100644 index 0000000000..f421ddc1a8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_eku/int-nsSGC-recent.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-nsSGC-recent +extension:basicConstraints:cA, +extension:extKeyUsage:nsSGC +validity:20160824-20170824 diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null.js b/security/manager/ssl/tests/unit/test_cert_embedded_null.js new file mode 100644 index 0000000000..c1b20c1664 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null.js 
@@ -0,0 +1,54 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that a certificate with a clever subject common name like
+// 'www.bank1.com[NUL]www.bad-guy.com' (where [NUL] is a single byte with
+// value 0) will not be treated as valid for www.bank1.com.
+// Includes a similar test case but for the subject alternative name extension.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+async function do_testcase(certname, checkCommonName) {
+ let cert = constructCertFromFile(`test_cert_embedded_null/${certname}.pem`);
+ // Where applicable, check that the testcase is meaningful (i.e. that the
+ // certificate's subject common name has an embedded NUL in it).
+ if (checkCommonName) {
+ equal(
+ cert.commonName,
+ "www.bank1.com\\00www.bad-guy.com",
+ "certificate subject common name should have an embedded NUL byte"
+ );
+ }
+ await checkCertErrorGeneric(
+ certdb,
+ cert,
+ SSL_ERROR_BAD_CERT_DOMAIN,
+ certificateUsageSSLServer,
+ undefined,
+ "www.bank1.com"
+ );
+ await checkCertErrorGeneric(
+ certdb,
+ cert,
+ SSL_ERROR_BAD_CERT_DOMAIN,
+ certificateUsageSSLServer,
+ undefined,
+ "www.bad-guy.com"
+ );
+}
+
+add_task(async function() {
+ addCertFromFile(certdb, "test_cert_embedded_null/ca.pem", "CTu,,");
+
+ await do_testcase("embeddedNull", true);
+ await do_testcase("embeddedNullSAN", false);
+ await do_testcase("embeddedNullCNAndSAN", true);
+ await do_testcase("embeddedNullSAN2", false);
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem
new file mode 100644
index 0000000000..91233a79dd
--- /dev/null
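Review bot: In `do_testcase` the check that a fixture really carries the embedded NUL runs only when `checkCommonName` is true, so the two SAN-only cases (`embeddedNullSAN`, `embeddedNullSAN2`) are never confirmed to contain the NUL-bearing name. Per their certspec files, the subject common names of those two fixtures match neither `www.bank1.com` nor `www.bad-guy.com`, so both `SSL_ERROR_BAD_CERT_DOMAIN` expectations would presumably still hold if the subjectAlternativeName extension were lost when the fixtures are regenerated, and the test would pass without exercising the NUL handling. At minimum I would record the gap next to the existing comment, e.g. `// SAN-only fixtures are not sanity-checked here; their embedded NUL is defined only in the .certspec files.` A stronger option, if the certificate object exposes the SAN entries (not visible from this hunk), is a matching `equal(...)` on the SAN contents. A positive control that `embeddedNullSAN2` is accepted for its well-formed `bad-guy.com` entry would also pin down whether a malformed entry is skipped or poisons the whole extension.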
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIUW0tAkXslaf5AkE2ROwvnEvMo79MwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD +VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQA/1uiRtJJ6gASZfaGdmjTgHNnG +OX3VBb8CGbu7yrmlUU0/oiH9BHb9/gq+Gwwcjg++2AEmUWd4damMXKUtRzouP6dV +Z02jnExdXqq3xLDP71/bY3eneqg/KVIv3wDaHhatmVqWB4oy4itNmvVbbtCjUOyX +DF3RM5HPQEDjMJO0TjKZMXp5HbyggAvGTbyw6kz+6EVuxxhFqVq1bti1CU4tGBdk +b6ZOVQhxgJljogn70syXX+CUuUtu9+ufklWQjMtITjBKTSP5cg/NMnKrAL7dF30n +aUcXz8fpmzjseQjk6uzkDYSFW2HiQtMHKhpCOXAoZ0hGtQ4BXhyhScK2sSB8 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem.certspec new file mode 100644 index 0000000000..6660f5d478 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ca +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem new file mode 100644 index 0000000000..d1e1dc03b4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxTCCAa2gAwIBAgIUdfhUzL690DlZ9ozJDIeI+5x3M4cwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowKDEmMCQGA1UEAwwdd3d3LmJhbmsxLmNvbQB3d3cuYmFkLWd1eS5jb20w +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ +PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH +9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw +4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86 +exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0 +ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N +AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGL6BtraqvvOT9jKF7MGo6Q36s9ZX1E0 +N8D0PJnsexXKWOrnqGOT1rrp+YN0zgLc783pqH+pOkYHMKk88L9FKDeZeK8zo6j5 +E/X609Bdo+S89EW0qBqEvpWCAsF9I/F/sbuTf49hS8kE9mwMW0dbqcBuQYviCN4Y +AEQCACkjdrI8KBG54Q4iVzvUP4+Ub+/QGuDEZC6n9yeiYQjw4LnY/uNO22dGKgU1 +wJbTRSsTsT7iXQkhag/3/pCMHURzJ3jWlNZMa+lhvm30Af/AqAqIrcidP1QwdifS +QcNZlY0cSlqwqYe8By10B3oLKLu9ChutTerw7p0j3H3WDSAbmOiSfQI= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem.certspec new file mode 100644 index 0000000000..d1a32349a2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNull.pem.certspec @@ -0,0 +1,2 @@ +issuer:ca +subject:www.bank1.com\0www.bad-guy.com diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem new file mode 100644 index 0000000000..60672695da --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8zCCAdugAwIBAgIUFUHbA2Pa/0TJflA2QO7eNc/EC1gwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowKDEmMCQGA1UEAwwdd3d3LmJhbmsxLmNvbQB3d3cuYmFkLWd1eS5jb20w +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ +PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH +9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw +4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86 +exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0 +ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N +AgMBAAGjLDAqMCgGA1UdEQQhMB+CHXd3dy5iYW5rMS5jb20Ad3d3LmJhZC1ndXku +Y29tMA0GCSqGSIb3DQEBCwUAA4IBAQATiTRzyQxrGnwWmRATYy3TWChqhzFECBSU +iVrdAZ2bFJxb4FJWRbwPI6d67GK0C6DLtdtNt9q2jWxdfDZCkpR7rFH2hj0sW1hm +knYaQKmNmd64FS4nH26FMD5YxgykxQAEJzXSCYHUwM0UX72ebLaFn55wdA+onc/g +JijC3UI62fYYUzEu8TwbAnqfzclevWBHpZJgZxdUK/tk2RRPz4MAWrKOL1R1jX2i +57CDGXOC3fQtu7pKjMLcZv3T/vkttJNqmSD4YeA6+xd117ig5d0OqLzFxrwA83Ls +ltkxkS4rsphX9zkgcAb1x0/VgoZbmeLTZM6INyWOkE4W+IXYh7kN +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem.certspec new file mode 100644 index 0000000000..1029d6cdd0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullCNAndSAN.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:www.bank1.com\0www.bad-guy.com +extension:subjectAlternativeName:www.bank1.com\0www.bad-guy.com diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem new file mode 100644 index 0000000000..fc3b0ad73a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6TCCAdGgAwIBAgIUDzUDem23kK14+ubqJMXuQR5ZhjUwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowHjEcMBoGA1UEAwwTZW1iZWRkZWQgTlVMIGluIFNBTjCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs +9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8 +HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak +kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet +lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r +kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMsMCow +KAYDVR0RBCEwH4Idd3d3LmJhbmsxLmNvbQB3d3cuYmFkLWd1eS5jb20wDQYJKoZI +hvcNAQELBQADggEBAHkWUv8gAyNjRQyOlWm9JetvuBKy6d446LbaSQdEoDZAK6Oa +WAAQ2ao1d5/dIWJLZPHCJYLUjBWj1EOS/no96FjTK+xg99zdweMPUAyK2uzKmsNS +lfrwTktv21xT6QamLhFXMspTwPV6VYcIgQpUI8wuhAEN858xPcbO+bLQtQ+XvklP +ZReejgox6quiKEw5qFbX9jDeZDq713dnnUqwL1FczdFjTm1uP1o3SoUGHsGH3FPJ +p6LsyKiUfaTBglFNN+iasl50e/MDJZmCIjqVvv/tCVCN2VPpWNYeyP1e2DxPL+yb +nVqbdSGVqOMWz4sRSjEnb9Xf9Uy1EigO8rb48VA= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem.certspec new file mode 100644 index 0000000000..f224888eee --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:embedded NUL in SAN +extension:subjectAlternativeName:www.bank1.com\0www.bad-guy.com diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem new file mode 100644 index 0000000000..3aea7c6b5c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7jCCAdagAwIBAgIURTMxPbOwfgpUVoSWuyXAKlS8e00wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFjEUMBIGA1UEAwwLYmFkLWd1eS5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOTA3MDUGA1UdEQQu +MCyCC2JhZC1ndXkuY29tgh13d3cuYmFuazEuY29tAHd3dy5iYWQtZ3V5LmNvbTAN +BgkqhkiG9w0BAQsFAAOCAQEAoMSmJIxxm9N/qNkADdIYDwEByibG4CLYD7EqtclQ +gTKUW5RWLcF1xkAfqSKsRkfE0965SofgH31J7sGnL02ROEdPK3Tc1/R7INS05yCp +QHAYLwz9rWhJaF42tfn06cOpaoAVvU/0reOLUwwCg4j+0bDTErkZZyY0QX4i+ou0 +f2I/oGK0HfdkxiKjCExz5qsgdAVfPk8Kp5sJ7S/kJzkKQbQ58qAD9ObiF4zl5wtR +5KveoFUckVXrznd9haqMlyj/kd3s4hKNl7n/kbXdiaxxvSh57c7K1O+mugREiwCA +Oa57wZV4F6N2FpJrwlsvYH+J5ejNTCU1VJqWffqJbdPpdg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem.certspec b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem.certspec new file mode 100644 index 0000000000..d352d034b6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null/embeddedNullSAN2.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:bad-guy.com +extension:subjectAlternativeName:bad-guy.com,www.bank1.com\0www.bad-guy.com diff --git a/security/manager/ssl/tests/unit/test_cert_expiration_canary.js b/security/manager/ssl/tests/unit/test_cert_expiration_canary.js new file mode 100644 index 0000000000..4519dd3935 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_expiration_canary.js 
@@ -0,0 +1,40 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Attempts to verify a certificate for a time a few weeks into the future in
+// the hopes of avoiding mass test failures when the certificates all expire.
+// If this test fails, the certificates probably need to be regenerated.
+// See bug 1525191.
+
+// If this test and only this test fails, do the following:
+// 1. Create a bug for the issue in "Core :: Security: PSM".
+// 2. Write a patch to temporarily disable the test.
+// 3. Land the patch.
+// 4. Write a patch to reenable the test but don't land it.
+// 5. Needinfo the triage owner of Bugzilla's "Core :: Security: PSM" component
+// in the bug.
+// 6. Patches to update certificates get created.
+// 7. Test the patches with a Try push.
+// 8. Land the patches on all trees whose code will still be used when the
+// certificates expire in 3 weeks.
+add_task(async function() {
+ do_get_profile();
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ addCertFromFile(certDB, "bad_certs/test-ca.pem", "CTu,,");
+ let threeWeeksFromNowInSeconds = Date.now() / 1000 + 3 * 7 * 24 * 60 * 60;
+ let ee = constructCertFromFile("bad_certs/default-ee.pem");
+ await checkCertErrorGenericAtTime(
+ certDB,
+ ee,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ threeWeeksFromNowInSeconds,
+ false,
+ "test.example.com"
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot.js b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot.js
new file mode 100644
index 0000000000..13ae5e31e2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot.js
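Review bot: The canary in test_cert_expiration_canary.js verifies only `bad_certs/default-ee.pem` chained to `bad_certs/test-ca.pem`, so it gives early warning for the other test certificates only if they expire together with that pair, and the header comment never states that assumption. I would add a line above `add_task` such as `// Assumes the other generated test certificates expire together with default-ee.pem.` so that a fixture regenerated on a different schedule is not silently uncovered. As a smaller point, `Date.now() / 1000` is fractional; if `checkCertErrorGenericAtTime` (defined outside this hunk) expects whole seconds, `Math.floor(Date.now() / 1000)` would make the unit explicit.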
@@ -0,0 +1,89 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests that nsIX509Cert.isBuiltInRoot works as expected. + +"use strict"; + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +// This is a certificate that (currently) ships with the platform. +// It should be considered a built-in root. +const sNaverBase64 = + "" + + "MIIFojCCA4qgAwIBAgIUAZQwHqIL3fXFMyqxQ0Rx+NZQTQ0wDQYJKoZIhvcNAQEM" + + "BQAwaTELMAkGA1UEBhMCS1IxJjAkBgNVBAoMHU5BVkVSIEJVU0lORVNTIFBMQVRG" + + "T1JNIENvcnAuMTIwMAYDVQQDDClOQVZFUiBHbG9iYWwgUm9vdCBDZXJ0aWZpY2F0" + + "aW9uIEF1dGhvcml0eTAeFw0xNzA4MTgwODU4NDJaFw0zNzA4MTgyMzU5NTlaMGkx" + + "CzAJBgNVBAYTAktSMSYwJAYDVQQKDB1OQVZFUiBCVVNJTkVTUyBQTEFURk9STSBD" + + "b3JwLjEyMDAGA1UEAwwpTkFWRVIgR2xvYmFsIFJvb3QgQ2VydGlmaWNhdGlvbiBB" + + "dXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC21PGTXLVA" + + "iQqrDZBbUGOukJR0F0Vy1ntlWilLp1agS7gvQnXp2XskWjFlqxcX0TM62RHcQDaH" + + "38dq6SZeWYp34+hInDEW+j6RscrJo+KfziFTowI2MMtSAuXaMl3Dxeb57hHHi8lE" + + "HoSTGEq0n+USZGnQJoViAbbJAh2+g1G7XNr4rRVqmfeSVPc0W+m/6imBEtRTkZaz" + + "kVrd/pBzKPswRrXKCAfHcXLJZtM0l/aM9BhK4dA9WkW2aacp+yPOiNgSnABIqKYP" + + "szuSjXEOdMWLyEz59JuOuDxp7W87UC9Y7cSw0BwbagzivESq2M0UXZR4Yb8Obtoq" + + "vC8MC3GmsxY/nOb5zJ9TNeIDoKAYv7vxvvTWjIcNQvcGufFt7QSUqP620wbGQGHf" + + "nZ3zVHbOUzoBppJB7ASjjw2i1QnK1sua8e9DXcCrpUHPXFNwcMmIpi3Ua2FzUCaG" + + "YQ5fG8Ir4ozVu53BA0K6lNpfqbDKzE0K70dpAy8i+/Eozr9dUGWokG2zdLAIx6yo" + + "0es+nPxdGoMuK8u180SdOqcXYZaicdNwlhVNt0xz7hlcxVs+Qf6sdWA7G2POAN3a" + + "CJBitOUt7kinaxeZVL6HSuOpXgRM6xBtVNbv8ejyYhbLgGvtPe31HzClrkvJE+2K" + + "AQHJuFFYwGY6sWZLxNUxAmLpdIQM201GLQIDAQABo0IwQDAdBgNVHQ4EFgQU0p+I" + + 
"36HNLL3s9TsBAZMzJ7LrYEswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB" + + "Af8wDQYJKoZIhvcNAQEMBQADggIBADLKgLOdPVQG3dLSLvCkASELZ0jKbY7gyKoN" + + "qo0hV4/GPnrK21HUUrPUloSlWGB/5QuOH/XcChWB5Tu2tyIvCZwTFrFsDDUIbatj" + + "cu3cvuzHV+YwIHHW1xDBE1UBjCpD5EHxzzp6U5LOogMFDTjfArsQLtk70pt6wKGm" + + "+LUx5vR1yblTmXVHIloUFcd4G7ad6Qz4G3bxhYTeodoS76TiEJd6eN4MUZeoIUCL" + + "hr0N8F5OSza7OyAfikJW4Qsav3vQIkMsRIz75Sq0bBwcupTgE34h5prCy8VCZLQe" + + "lHsIJchxzIdFV4XTnyliIoNRlwAYl3dqmJLJfGBs32x9SuRwTMKeuB330DTHD8z7" + + "p/8Dvq1wkNoL3chtl1+afwkyQf3NosxabUzyqkn+Zvjp2DXrDige7kgvOtB5CTh8" + + "piKCk5XQA76+AqAF3SAi428diDRgxuYKuQl1C/AH6GmWNcf7I4GOODm4RStDeKLR" + + "LBT/DShycpWbXgnbiUSYqqFJu3FS8r/2/yehNq+4tneI3TqkbZs0kNwUXTC/t+sX" + + "5Ie3cdCh13cV1ELX8vMxmV2b3RZtP+oGI/hGoiLtk/bdmuYqh7GYVPEi92tF4+KO" + + "dh2ajcQGjTa3FPOdVGm3jjzVpG2Tgbet9r1ke8LJaDmgkpzNNIaRkPpkUZ3+/uul" + + "9XXeifdy"; + +// This is a certificate that does not ship with the platform. +// It should not be considered a built-in root. +const sLetsEncryptBase64 = + "" + + "MIIEqDCCA5CgAwIBAgIRAJgT9HUT5XULQ+dDHpceRL0wDQYJKoZIhvcNAQELBQAw" + + "PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD" + + "Ew5EU1QgUm9vdCBDQSBYMzAeFw0xNTEwMTkyMjMzMzZaFw0yMDEwMTkyMjMzMzZa" + + "MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD" + + "ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTCCASIwDQYJKoZIhvcNAQEBBQAD" + + "ggEPADCCAQoCggEBAJzTDPBa5S5Ht3JdN4OzaGMw6tc1Jhkl4b2+NfFwki+3uEtB" + + "BaupnjUIWOyxKsRohwuj43Xk5vOnYnG6eYFgH9eRmp/z0HhncchpDpWRz/7mmelg" + + "PEjMfspNdxIknUcbWuu57B43ABycrHunBerOSuu9QeU2mLnL/W08lmjfIypCkAyG" + + "dGfIf6WauFJhFBM/ZemCh8vb+g5W9oaJ84U/l4avsNwa72sNlRZ9xCugZbKZBDZ1" + + "gGusSvMbkEl4L6KWTyogJSkExnTA0DHNjzE4lRa6qDO4Q/GxH8Mwf6J5MRM9LTb4" + + "4/zyM2q5OTHFr8SNDR1kFjOq+oQpttQLwNh9w5MCAwEAAaOCAZIwggGOMBIGA1Ud" + + "EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMH8GCCsGAQUFBwEBBHMwcTAy" + + "BggrBgEFBQcwAYYmaHR0cDovL2lzcmcudHJ1c3RpZC5vY3NwLmlkZW50cnVzdC5j" + + 
"b20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9hcHBzLmlkZW50cnVzdC5jb20vcm9vdHMv" + + "ZHN0cm9vdGNheDMucDdjMB8GA1UdIwQYMBaAFMSnsaR7LHH62+FLkHX/xBVghYkQ" + + "MFQGA1UdIARNMEswCAYGZ4EMAQIBMD8GCysGAQQBgt8TAQEBMDAwLgYIKwYBBQUH" + + "AgEWImh0dHA6Ly9jcHMucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcwPAYDVR0fBDUw" + + "MzAxoC+gLYYraHR0cDovL2NybC5pZGVudHJ1c3QuY29tL0RTVFJPT1RDQVgzQ1JM" + + "LmNybDATBgNVHR4EDDAKoQgwBoIELm1pbDAdBgNVHQ4EFgQUqEpqYwR93brm0Tm3" + + "pkVl7/Oo7KEwDQYJKoZIhvcNAQELBQADggEBANHIIkus7+MJiZZQsY14cCoBG1hd" + + "v0J20/FyWo5ppnfjL78S2k4s2GLRJ7iD9ZDKErndvbNFGcsW+9kKK/TnY21hp4Dd" + + "ITv8S9ZYQ7oaoqs7HwhEMY9sibED4aXw09xrJZTC9zK1uIfW6t5dHQjuOWv+HHoW" + + "ZnupyxpsEUlEaFb+/SCI4KCSBdAsYxAcsHYI5xxEI4LutHp6s3OT2FuO90WfdsIk" + + "6q78OMSdn875bNjdBYAqxUp2/LEIHfDBkLoQz0hFJmwAbYahqKaLn73PAAm1X2kj" + + "f1w8DdnkabOLGeOVcj9LQ+s67vBykx4anTjURkbqZslUEUsn2k5xeua2zUk="; + +function run_test() { + let builtInCert = certdb.constructX509FromBase64(sNaverBase64); + ok(builtInCert, "should be able to decode base-64 of built-in cert"); + ok(builtInCert.isBuiltInRoot, "cert should be considered built-in"); + + let notBuiltInCert = certdb.constructX509FromBase64(sLetsEncryptBase64); + ok(notBuiltInCert, "should be able to decode base-64 of built-in cert"); + ok(!notBuiltInCert.isBuiltInRoot, "cert should not be considered built-in"); +} diff --git a/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload.js b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload.js new file mode 100644 index 0000000000..deb6ba914a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload.js 
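Review bot: The second decode assertion in `run_test` reuses the first one's message, so a failure to parse `sLetsEncryptBase64` would be reported as a problem with the built-in certificate. It should read `ok(notBuiltInCert, "should be able to decode base-64 of non-built-in cert");`. The positive case also depends on the NAVER root remaining in the platform's built-in list, which the comment's "(currently)" concedes; a pointer from that comment to test_cert_isBuiltInRoot_reload.js, which embeds the same certificate and must be updated in step, would help whoever has to swap it out.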
@@ -0,0 +1,143 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests that nsIX509Cert.isBuiltInRoot works as expected. Differs from +// test_cert_isBuiltInRoot.js in that this test uses a preexisting NSS +// certificate DB that already contains some of the certificates in question. +// +// To create the necessary preexisting files, obtain the "NAVER Global Root +// Certification Authority" certificate and the "Let's Encrypt Authority +// X1" certificate (copied below for reference) and perform the following steps: +// +// `certutil -d . -N` (use an empty password) +// `certutil -d . -A -n "NAVER Global Root Certification Authority" -t ,, \ +// -a -i naverrc1.pem` +// `certutil -d . -A -n "Let's Encrypt Authority X1" -t ,, -a \ +// -i LetsEncrypt.pem` +// +// This should create the cert9.db and key4.db files. +// +// To determine the new DBKey associated to the replacement root, +// one can print builtInRoot.dbKey in test_cert_isBuiltInRoot.js. +// +// (The crucial property of the first certificate is that it is a built-in trust +// anchor, so any replacement must also have this property. The second +// certificate is not a built-in trust anchor, so any replacement must not be a +// built-in trust anchor.) 
+// +// +// NAVER Global Root Certification Authority: +// -----BEGIN CERTIFICATE----- +// MIIFojCCA4qgAwIBAgIUAZQwHqIL3fXFMyqxQ0Rx+NZQTQ0wDQYJKoZIhvcNAQEM +// BQAwaTELMAkGA1UEBhMCS1IxJjAkBgNVBAoMHU5BVkVSIEJVU0lORVNTIFBMQVRG +// T1JNIENvcnAuMTIwMAYDVQQDDClOQVZFUiBHbG9iYWwgUm9vdCBDZXJ0aWZpY2F0 +// aW9uIEF1dGhvcml0eTAeFw0xNzA4MTgwODU4NDJaFw0zNzA4MTgyMzU5NTlaMGkx +// CzAJBgNVBAYTAktSMSYwJAYDVQQKDB1OQVZFUiBCVVNJTkVTUyBQTEFURk9STSBD +// b3JwLjEyMDAGA1UEAwwpTkFWRVIgR2xvYmFsIFJvb3QgQ2VydGlmaWNhdGlvbiBB +// dXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC21PGTXLVA +// iQqrDZBbUGOukJR0F0Vy1ntlWilLp1agS7gvQnXp2XskWjFlqxcX0TM62RHcQDaH +// 38dq6SZeWYp34+hInDEW+j6RscrJo+KfziFTowI2MMtSAuXaMl3Dxeb57hHHi8lE +// HoSTGEq0n+USZGnQJoViAbbJAh2+g1G7XNr4rRVqmfeSVPc0W+m/6imBEtRTkZaz +// kVrd/pBzKPswRrXKCAfHcXLJZtM0l/aM9BhK4dA9WkW2aacp+yPOiNgSnABIqKYP +// szuSjXEOdMWLyEz59JuOuDxp7W87UC9Y7cSw0BwbagzivESq2M0UXZR4Yb8Obtoq +// vC8MC3GmsxY/nOb5zJ9TNeIDoKAYv7vxvvTWjIcNQvcGufFt7QSUqP620wbGQGHf +// nZ3zVHbOUzoBppJB7ASjjw2i1QnK1sua8e9DXcCrpUHPXFNwcMmIpi3Ua2FzUCaG +// YQ5fG8Ir4ozVu53BA0K6lNpfqbDKzE0K70dpAy8i+/Eozr9dUGWokG2zdLAIx6yo +// 0es+nPxdGoMuK8u180SdOqcXYZaicdNwlhVNt0xz7hlcxVs+Qf6sdWA7G2POAN3a +// CJBitOUt7kinaxeZVL6HSuOpXgRM6xBtVNbv8ejyYhbLgGvtPe31HzClrkvJE+2K +// AQHJuFFYwGY6sWZLxNUxAmLpdIQM201GLQIDAQABo0IwQDAdBgNVHQ4EFgQU0p+I +// 36HNLL3s9TsBAZMzJ7LrYEswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB +// Af8wDQYJKoZIhvcNAQEMBQADggIBADLKgLOdPVQG3dLSLvCkASELZ0jKbY7gyKoN +// qo0hV4/GPnrK21HUUrPUloSlWGB/5QuOH/XcChWB5Tu2tyIvCZwTFrFsDDUIbatj +// cu3cvuzHV+YwIHHW1xDBE1UBjCpD5EHxzzp6U5LOogMFDTjfArsQLtk70pt6wKGm +// +LUx5vR1yblTmXVHIloUFcd4G7ad6Qz4G3bxhYTeodoS76TiEJd6eN4MUZeoIUCL +// hr0N8F5OSza7OyAfikJW4Qsav3vQIkMsRIz75Sq0bBwcupTgE34h5prCy8VCZLQe +// lHsIJchxzIdFV4XTnyliIoNRlwAYl3dqmJLJfGBs32x9SuRwTMKeuB330DTHD8z7 +// p/8Dvq1wkNoL3chtl1+afwkyQf3NosxabUzyqkn+Zvjp2DXrDige7kgvOtB5CTh8 +// piKCk5XQA76+AqAF3SAi428diDRgxuYKuQl1C/AH6GmWNcf7I4GOODm4RStDeKLR +// 
LBT/DShycpWbXgnbiUSYqqFJu3FS8r/2/yehNq+4tneI3TqkbZs0kNwUXTC/t+sX +// 5Ie3cdCh13cV1ELX8vMxmV2b3RZtP+oGI/hGoiLtk/bdmuYqh7GYVPEi92tF4+KO +// dh2ajcQGjTa3FPOdVGm3jjzVpG2Tgbet9r1ke8LJaDmgkpzNNIaRkPpkUZ3+/uul +// 9XXeifdy +// -----END CERTIFICATE----- +// +// Let's Encrypt Authority X1: +// -----BEGIN CERTIFICATE----- +// MIIEqDCCA5CgAwIBAgIRAJgT9HUT5XULQ+dDHpceRL0wDQYJKoZIhvcNAQELBQAw +// PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD +// Ew5EU1QgUm9vdCBDQSBYMzAeFw0xNTEwMTkyMjMzMzZaFw0yMDEwMTkyMjMzMzZa +// MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD +// ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTCCASIwDQYJKoZIhvcNAQEBBQAD +// ggEPADCCAQoCggEBAJzTDPBa5S5Ht3JdN4OzaGMw6tc1Jhkl4b2+NfFwki+3uEtB +// BaupnjUIWOyxKsRohwuj43Xk5vOnYnG6eYFgH9eRmp/z0HhncchpDpWRz/7mmelg +// PEjMfspNdxIknUcbWuu57B43ABycrHunBerOSuu9QeU2mLnL/W08lmjfIypCkAyG +// dGfIf6WauFJhFBM/ZemCh8vb+g5W9oaJ84U/l4avsNwa72sNlRZ9xCugZbKZBDZ1 +// gGusSvMbkEl4L6KWTyogJSkExnTA0DHNjzE4lRa6qDO4Q/GxH8Mwf6J5MRM9LTb4 +// 4/zyM2q5OTHFr8SNDR1kFjOq+oQpttQLwNh9w5MCAwEAAaOCAZIwggGOMBIGA1Ud +// EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMH8GCCsGAQUFBwEBBHMwcTAy +// BggrBgEFBQcwAYYmaHR0cDovL2lzcmcudHJ1c3RpZC5vY3NwLmlkZW50cnVzdC5j +// b20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9hcHBzLmlkZW50cnVzdC5jb20vcm9vdHMv +// ZHN0cm9vdGNheDMucDdjMB8GA1UdIwQYMBaAFMSnsaR7LHH62+FLkHX/xBVghYkQ +// MFQGA1UdIARNMEswCAYGZ4EMAQIBMD8GCysGAQQBgt8TAQEBMDAwLgYIKwYBBQUH +// AgEWImh0dHA6Ly9jcHMucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcwPAYDVR0fBDUw +// MzAxoC+gLYYraHR0cDovL2NybC5pZGVudHJ1c3QuY29tL0RTVFJPT1RDQVgzQ1JM +// LmNybDATBgNVHR4EDDAKoQgwBoIELm1pbDAdBgNVHQ4EFgQUqEpqYwR93brm0Tm3 +// pkVl7/Oo7KEwDQYJKoZIhvcNAQELBQADggEBANHIIkus7+MJiZZQsY14cCoBG1hd +// v0J20/FyWo5ppnfjL78S2k4s2GLRJ7iD9ZDKErndvbNFGcsW+9kKK/TnY21hp4Dd +// ITv8S9ZYQ7oaoqs7HwhEMY9sibED4aXw09xrJZTC9zK1uIfW6t5dHQjuOWv+HHoW +// ZnupyxpsEUlEaFb+/SCI4KCSBdAsYxAcsHYI5xxEI4LutHp6s3OT2FuO90WfdsIk +// 6q78OMSdn875bNjdBYAqxUp2/LEIHfDBkLoQz0hFJmwAbYahqKaLn73PAAm1X2kj +// 
f1w8DdnkabOLGeOVcj9LQ+s67vBykx4anTjURkbqZslUEUsn2k5xeua2zUk= +// -----END CERTIFICATE----- + +"use strict"; + +function run_test() { + const certDBName = "cert9.db"; + const keyDBName = "key4.db"; + let profile = do_get_profile(); + let certDBFile = do_get_file(`test_cert_isBuiltInRoot_reload/${certDBName}`); + certDBFile.copyTo(profile, certDBName); + let keyDBFile = do_get_file(`test_cert_isBuiltInRoot_reload/${keyDBName}`); + keyDBFile.copyTo(profile, keyDBName); + + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + + // This is a built-in root, but not one that was added to the preexisting + // certificate DB. + // Verisign Class 1 Public Primary Certification Authority - G3 + // Certificate fingerprint (SHA1): 204285DCF7EB764195578E136BD4B7D1E98E46A5 + // https://crt.sh/?id=8984570 + const veriSignCertDBKey = `AAAAAAAAAAAAAAARAAAAzQCLW3VWhFSFCwDPrzhI + zrGkMIHKMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdB + gNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IF + ZlcmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAM + TPFZlcmlTaWduIENsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBB + dXRob3JpdHkgLSBHMw==`; + let veriSignCert = certdb.findCertByDBKey(veriSignCertDBKey); + ok(veriSignCert, "Should be able to find VeriSign root"); + ok(veriSignCert.isBuiltInRoot, "VeriSign root is a built-in"); + + // This is a built-in root. It was added to the preexisting certificate DB. It + // should still be considered a built-in. + const naverCertDBKey = `AAAAAAAAAAAAAAAUAAAAawGUMB6iC93 + 1xTMqsUNEcfjWUE0NMGkxCzAJBgNVBAYTAktSMSYwJAYDVQQKDB1OQVZFUiBCVVN + JTkVTUyBQTEFURk9STSBDb3JwLjEyMDAGA1UEAwwpTkFWRVIgR2xvYmFsIFJvb3Q + gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHk=`; + let naverCert = certdb.findCertByDBKey(naverCertDBKey); + ok(naverCert, "Should be able to find NAVER root"); + ok(naverCert.isBuiltInRoot, "NAVER root is a built-in"); + + // This is not a built-in root. 
It was added to the preexisting certificate + // DB. It should not be considered a built-in root. + const letsEncryptCertDBKey = `AAAAAAAAAAAAAAARAAAAQQCYE + /R1E+V1C0PnQx6XHkS9MD8xJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRyd + XN0IENvLjEXMBUGA1UEAxMORFNUIFJvb3QgQ0EgWDM=`; + let letsEncryptCert = certdb.findCertByDBKey(letsEncryptCertDBKey); + ok(letsEncryptCert, "Should be able to find LetsEncrypt root"); + ok(!letsEncryptCert.isBuiltInRoot, "LetsEncrypt root is not a built-in"); +} diff --git a/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/cert9.db b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/cert9.db new file mode 100644 index 0000000000..7d48c6b133 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/cert9.db differ diff --git a/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/key4.db b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/key4.db new file mode 100644 index 0000000000..e41477dfd9 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload/key4.db differ diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage.js b/security/manager/ssl/tests/unit/test_cert_keyUsage.js new file mode 100644 index 0000000000..a32be6152d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage.js 
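Review bot: The header comment of test_cert_isBuiltInRoot_reload.js tells the maintainer to print `builtInRoot.dbKey` in test_cert_isBuiltInRoot.js, but the variable in that file, added in this same commit, is `builtInCert`, so the instruction should read `builtInCert.dbKey`. The assertion messages also call the Let's Encrypt Authority X1 certificate a "root", whereas the header only says it is not a built-in trust anchor and its DB key appears to carry a DST Root CA X3 issuer name; `"Let's Encrypt certificate is not a built-in"` would describe the negative case more accurately. Both are wording fixes only; the lookups and `isBuiltInRoot` checks themselves read correctly.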
@@ -0,0 +1,76 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+var certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const caList = [
+ "ca-no-keyUsage-extension",
+ "ca-missing-keyCertSign",
+ "ca-all-usages",
+];
+const eeList = [
+ "ee-no-keyUsage-extension",
+ "ee-keyCertSign-only",
+ "ee-keyEncipherment-only",
+ "ee-keyCertSign-and-keyEncipherment",
+];
+
+const caUsage = [certificateUsageSSLCA];
+const allEEUsages = [
+ certificateUsageSSLClient,
+ certificateUsageSSLServer,
+ certificateUsageEmailSigner,
+ certificateUsageEmailRecipient,
+];
+const serverEEUsages = [
+ certificateUsageSSLServer,
+ certificateUsageEmailRecipient,
+];
+
+const expectedUsagesMap = {
+ "ca-no-keyUsage-extension": caUsage,
+ "ca-missing-keyCertSign": [],
+ "ca-all-usages": caUsage,
+
+ "ee-no-keyUsage-extension-ca-no-keyUsage-extension": allEEUsages,
+ "ee-no-keyUsage-extension-ca-missing-keyCertSign": [],
+ "ee-no-keyUsage-extension-ca-all-usages": allEEUsages,
+
+ "ee-keyCertSign-only-ca-no-keyUsage-extension": [],
+ "ee-keyCertSign-only-ca-missing-keyCertSign": [],
+ "ee-keyCertSign-only-ca-all-usages": [],
+
+ "ee-keyEncipherment-only-ca-no-keyUsage-extension": serverEEUsages,
+ "ee-keyEncipherment-only-ca-missing-keyCertSign": [],
+ "ee-keyEncipherment-only-ca-all-usages": serverEEUsages,
+
+ "ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension": serverEEUsages,
+ "ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign": [],
+ "ee-keyCertSign-and-keyEncipherment-ca-all-usages": serverEEUsages,
+};
+
+add_task(async function() {
+ for (let ca of caList) {
+ addCertFromFile(certdb, "test_cert_keyUsage/" + ca + ".pem", "CTu,CTu,CTu");
+ let caCert = constructCertFromFile("test_cert_keyUsage/" + ca + ".pem");
+ await asyncTestCertificateUsages(certdb, caCert, expectedUsagesMap[ca]);
+ for (let ee of eeList) {
+ let eeFullName = ee + "-" + ca;
+ let eeCert = constructCertFromFile(
+ "test_cert_keyUsage/" + eeFullName + ".pem"
+ );
+ await asyncTestCertificateUsages(
+ certdb,
+ eeCert,
+ expectedUsagesMap[eeFullName]
+ );
+ }
+ }
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem
new file mode 100644
index 0000000000..7ef812e4c9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC3zCCAcegAwIBAgIUE5r8LYaA73SA25Y8MhWmudWklrowDQYJKoZIhvcNAQEL
+BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIxMTEyNzAwMDAwMFoY
+DzIwMjQwMjA1MDAwMDAwWjAYMRYwFAYDVQQDDA1jYS1hbGwtdXNhZ2VzMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
+5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
+An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
+ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
+zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
+JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
+ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB/jANBgkqhkiG9w0BAQsFAAOC
+AQEAbfCeYrdUfCn8yN8rtt69olTC8huRW7dWFr8LcRgoU+jQO5myXPvZc6r4Kig7
+SuXueQCvX7IRipDf6lB8t911vHwvvZATTvXB4MJ0QZTSjn2P61bekoAVfexFfM1n
+QE4ONlo/3f/p/RtP6VKJnErdwSFyNzIuEBdSNPUwyJIOgBge3qi5BMM7Lm0oiTIw
+L1E++BcBffAEociBiCaB1nd6jbIUtnTY8jyWIr/trzG5BmIKjZGzzrS8zCI8brq6
+M7lT7oOXwD5Q0aP+OUPrtLPC3norMKVuyo4HJdT1XZVjc/15GbwbSeTI3jiYGxWv
+RY288eAkTXZvXxwQvT7W7q1Owg==
+-----END CERTIFICATE-----
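Review bot: In test_cert_keyUsage.js, `expectedUsagesMap[ca]` and `expectedUsagesMap[eeFullName]` are looked up without a guard, so a name added to `caList` or `eeList` without a matching map entry passes `undefined` to `asyncTestCertificateUsages`, whose handling of that value is outside this hunk. Adding `ok(eeFullName in expectedUsagesMap, "expected usages defined for " + eeFullName);` before the inner call, and the equivalent for `ca`, turns a forgotten row into an explicit failure. The table would also benefit from a short comment on why keyEncipherment-only leaves map to `serverEEUsages` and why every leaf under `ca-missing-keyCertSign` maps to `[]`, since those rows are the security-relevant expectations a future editor must not loosen.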
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem.certspec new file mode 100644 index 0000000000..2ca523c74e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-all-usages.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca-all-usages +subject:ca-all-usages +extension:basicConstraints:cA, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem new file mode 100644 index 0000000000..cb8d04ae3f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIUCaFrRP9EdV/s2molg6t0aH4/M9QwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIxMTEy +NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAhMR8wHQYDVQQDDBZjYS1taXNzaW5n +LWtleUNlcnRTaWduMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohR +qESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+Kv +WnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+ +rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPv +JxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5 +Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6 +clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB ++jANBgkqhkiG9w0BAQsFAAOCAQEAMT30/3FlLT0SRLla9/6nUnhM18/h5te+HEew +3PwtcRv0JwUBdYXxNK/MVIMDaL9GC/6S9zqlGw4N86tP2E3s8giwbLcNWelou8Zu +nmnz8BU4MtfW+lkF/0ZNhDRBFXFWTNM7pdKDfVHJhMvzZdk0tEgU2hCZwMu4PGRs +6oJTrBacjc27s3mVRaxi6NdGZIJQBlfakn7FXI2RcP/+WYgTNNBzvFyRO1pvJdTq +cGR1fykBoiFZrKOO+MSAWEXke3w/U/lQCM5odDAFngxsHrSftc44XgP2DG08vovH +wl3MGpr2RDqovYSWKJSv2VeLqSdpeIG/y4ixFBXwmRF/YVUyrQ== +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem.certspec new file mode 100644 index 0000000000..26e0158ebe --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-missing-keyCertSign.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca-missing-keyCertSign +subject:ca-missing-keyCertSign +extension:basicConstraints:cA, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem new file mode 100644 index 0000000000..29a39ee751 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6DCCAdCgAwIBAgIUaZMM8r1k443E+DQLRBc1j34OAGYwDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjEx +MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCMxITAfBgNVBAMMGGNhLW5vLWtl +eVVzYWdlLWV4dGVuc2lvbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG +8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V +gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3 +04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l +0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz +/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG +9w0BAQsFAAOCAQEAPBRfUuVZulBelyNkd9A9UP5svL4sM8HjbYfggMGh8wHudlH9 +mghp/up5ZEuqyfrwJ8G2yCRC8pvZv4BcBvtlUngWsuBuGKJ0+8OMFdGk5gLhjiDm +tVQR99o2MFzG8fCjqpNwB+MfSrt2Mbu5hV66UjSvjar6qVcwjWpdKmDnJGgvs6Ib +t2mZIyoV1pSJNkDai7o1GtXj2WFL9VwjYhi4EDfdUz5xOuLWdBMMRlnfDq1pDpub +LZ+8FqHJCbFL6G9q3RXPjRhmWIePc/gZLEkVd9S092ePb18gs62UHxK68n+4DOQp +BdFdrTMeqehtapMkO5G2RMCa7seL6hStoTsxJQ== +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem.certspec new file mode 100644 index 0000000000..d32e6a6496 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ca-no-keyUsage-extension.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca-no-keyUsage-extension +subject:ca-no-keyUsage-extension +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem new file mode 100644 index 0000000000..393380d981 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5jCCAc6gAwIBAgIUGWYB9e9ARnyr9cvrxtuO7gAvALIwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIxMTEyNzAwMDAwMFoY +DzIwMjQwMjA1MDAwMDAwWjAtMSswKQYDVQQDDCJlZS1rZXlDZXJ0U2lnbi1hbmQt +a2V5RW5jaXBoZXJtZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby +a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC +D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT +iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT +Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+ +SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAiQwDQYJKoZIhvcN +AQELBQADggEBADQMLlcZMsXMKfScNpZZ4KSSWr20vhhXerUk9hK6QqCSUjxlD/QH +Bib9+T3w0qfEL9QBt5ic/BIN9V9Z5bfLW5IuCT1Gq4yL9aQNkRtTNEtXPZjsAyP5 +OBcsWcsqdNvPn7DOCE4DSo7Omqx1QOGGD3F9ico1NykgUZNN/xdK3kstrugY9Gnv +FpHvrlkpMxFEmKzxx2AKgsdr4ZxiZnzu87Cv0ICWYjRTTOflJmwKkfO+hR6K5XrP +TWbyoX2AYkWXWlierE5nTDWAG4Z2fi5FFQfGbGBxdBU/febJZwLBghRCLFQRjkYK +GOThHpemmJV2UPxfbWXX1pqQkEGb+a4Aqis= +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem.certspec new file mode 100644 index 0000000000..0bb2721a31 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-all-usages.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca-all-usages +subject:ee-keyCertSign-and-keyEncipherment +extension:keyUsage:keyEncipherment,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem new file mode 100644 index 0000000000..6f9425e546 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7zCCAdegAwIBAgIULaOT+liPEeD1woYhMEmcCYf8h4IwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIxMTEy +NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAtMSswKQYDVQQDDCJlZS1rZXlDZXJ0 +U2lnbi1hbmQta2V5RW5jaXBoZXJtZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAiQw +DQYJKoZIhvcNAQELBQADggEBACbwD8VRRCFLZFSp31okFWXBJLTqilYjzZChoQVS +/rbz6ae8P8ScX8ppi2eGFNB2vVETTtKwpI8bdncmtInk/JtUncnmU5wjqKsG1gmI +Lzz3ZC+x62R/6ocCRw0FfEa9C87BYHy3oRHa6qpSv+ZjNWMc9Me15WIt9JPFrENs +SWWTF005OXT6/SN9Db3DL2yOGn9cB6GbwsbNptBd9joBFbhpZNY7XMakkVDKGL/W +JeKZEzeyiR2EGxFYxOn4lNuJty3DOjClP8++iQFClBO5E6c+9jV0Rsew3aL7Q87y +JWouTF7sYRjwBf+lWsRJ4sZCe6yEhNkGQKXGBAOiWtxeuUI= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem.certspec new file mode 100644 index 0000000000..567ab0ce2d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-missing-keyCertSign.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca-missing-keyCertSign +subject:ee-keyCertSign-and-keyEncipherment +extension:keyUsage:keyEncipherment,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem new file mode 100644 index 0000000000..8344820c66 
--- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIULe9oCGYjHMm9s2kUkeaGeYDfkYowDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjEx +MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMC0xKzApBgNVBAMMImVlLWtleUNl +cnRTaWduLWFuZC1rZXlFbmNpcGhlcm1lbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg +2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ +5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ +PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj +DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W +iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQEAwIC +JDANBgkqhkiG9w0BAQsFAAOCAQEAbvM/6pDn9yYnnEKzEoEC5rSpQVZkgunP2WNc +dJ9s0zkZeT5HCnPbcntHfjbK217iwja9k/eSg8ukDofstkExjRswRS4F4rCb3ciB +yEsb5QX2mFAFnFE4b/i3XFDlYSzw2hWOOB2+WXmYNu82eZOvfiM4UvSV2wwFQiOf +XAYbW5rd7umW5YS8K6heBuFbS1aJLFasDgPb7bHCCYJH/GyLcvDn45e0Y89m3us9 +e2OHLsVN6Mjaq1UO0zXwsSb0GwoYxagHy8h5c3m8tNpe254X6f6jnKbVNUK6SJ2Q +293EF9vGzv0q1FUZDP/y/qiVlbFJ1QT4cos7Ryzg1KVQSDqL1Q== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem.certspec new file mode 100644 index 0000000000..c48ef66126 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-and-keyEncipherment-ca-no-keyUsage-extension.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca-no-keyUsage-extension +subject:ee-keyCertSign-and-keyEncipherment +extension:keyUsage:keyEncipherment,keyCertSign 
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem new file mode 100644 index 0000000000..92e5f92177 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1zCCAb+gAwIBAgIUCWQJroNopActb60dEoJJYUXC6YQwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIxMTEyNzAwMDAwMFoY +DzIwMjQwMjA1MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1rZXlDZXJ0U2lnbi1vbmx5 +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2 +ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF +h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n +cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv +OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj +tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt +jQIDAQABow8wDTALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQELBQADggEBAGU/zN/j +eXCJzlYjTcRRZF8/3kDauNwfQMHFD2ftNcdsTDHBZt+8ZN7aGau8038f0tw3//CL +C2VJNkhy9DvizdzgITO315HIM9wYaITDxpLob+z27/Wb7NPfYFb26Z9mY91l89ku +umemthFmh4oHRDmEbDa1tUD0bcqmdg5zChemA/LuKV3nw6oZsHEy5NUESXicNhSx +9zm8F32/SyTur75mJ4a2AHqFr8fbLAgYCtj7RWmAI4sPGgk1C689Aj4oGWkkFkgE +uifRyiui2GRiTH82wvzWh3UNYyJZEOnKE4jxGljE9I5BjK95vyU13d3IkIvJJ1pH +tfQSjzOe6SsNvP4= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem.certspec new file mode 100644 index 0000000000..c495ca6d0e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-all-usages.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca-all-usages +subject:ee-keyCertSign-only +extension:keyUsage:keyCertSign 
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem new file mode 100644 index 0000000000..74a3be06df --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4DCCAcigAwIBAgIUWbCPLRav9EW2uQgTKqbUCxb/sUAwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIxMTEy +NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1rZXlDZXJ0 +U2lnbi1vbmx5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO +FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr +amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka +sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY +VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n +aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE +MdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQELBQAD +ggEBADXuaMRmW0SKcP3hLgeoE5J/Sw7cm+ffo9j192akaHTnI/H/pD+j6JkEOsw/ +2gyrKPQdcKqWNqSIDpZMEcQrCi2LnYgJEZFGRHol7oS7FnQaZ5Bp+cx5wnz37Ig5 +UkYHoBoa2JYD6HmibtsB9d83CG/b9B7ulEE4pYJga+0nRcIRLIbEP87mRFPmMAe9 +i8yvZI1FbzFYILehOYcIBVUT1O4U1Xyt/k1lPGOlKs8VUQ66XY+7+iLu53pxv9ja +dIgPcFer+dRC7GVtneOnggHQ3aYxrnSBlOFd54Y+O7QfESSZsrXbrZmzhd617UeW +7spMsdHfI1rsc8aQ6gVFqlXd6mw= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem.certspec new file mode 100644 index 0000000000..23ddd0eb8a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-missing-keyCertSign.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca-missing-keyCertSign +subject:ee-keyCertSign-only +extension:keyUsage:keyCertSign 
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem new file mode 100644 index 0000000000..086f2ac5d1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4jCCAcqgAwIBAgIUfcLeIvoPPBJMolgBDz+v3K8mAEEwDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjEx +MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMB4xHDAaBgNVBAMME2VlLWtleUNl +cnRTaWduLW9ubHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo +RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a +dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t +aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n +FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX +Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py +UcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQEAwICBDANBgkqhkiG9w0BAQsF +AAOCAQEAq9eg9Xq7glTjKJtItaRt8PPhXeVZIbMoabIuDdHMq7hT4YXS5vWysT8V +M6oNOsvnSuwAm+9Y1fTsB/mR8l0BpaYadLizagIHSFZ57bPZzzfEQngu2NkGd+v2 +wxQIrp1KkZCHzYRenT6sZGuAxqqX0KVsEnwen0N93UIrOn3D6T2EE1QT5IMI9IPU +3OX3UtOVYzUOia+IV0VEpQ0r1o8BmZopx1dkMFvsj7rciF4pR9UQQDzkCs8z60iK +oG1zzqnwW0ZA9PAmB0pAJbHf3gKOka6I137QvYhCWlFUr5LqVKY/A2IACbIeBQJG +WKib6YiVMFSI0vdEqNgH38F5c+SaFg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem.certspec new file mode 100644 index 0000000000..a5a2d62a7d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyCertSign-only-ca-no-keyUsage-extension.pem.certspec 
@@ -0,0 +1,3 @@ +issuer:ca-no-keyUsage-extension +subject:ee-keyCertSign-only +extension:keyUsage:keyCertSign diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem new file mode 100644 index 0000000000..321ceca492 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC2zCCAcOgAwIBAgIUYfQJjxnw4OD0vXwmpPInpoGAILowDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIxMTEyNzAwMDAwMFoY +DzIwMjQwMjA1MDAwMDAwWjAiMSAwHgYDVQQDDBdlZS1rZXlFbmNpcGhlcm1lbnQt +b25seTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u +togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6 +pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL +KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq +fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv +Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za +GAo17Y0CAwEAAaMPMA0wCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEBCwUAA4IBAQAc +KoBdffm/erD9x/k7jvpq99n6AYDeWpIfLdAA3FUTLZItlNNjEYZGDaLd2NRYB0ay +mbJgYnwdnuac0pylWfTxDMQfcC1ztsXeB8DF/H3v3/iWXUoHbtmCFa3OBac6PJQQ +K4+ssbipWUaCTP+79lT6e0cs7PXnLLxEyLYlLJFxO6t3Y3knsH3/UEu/86ZWJs5F +e6BamdM26itAfe30rzTzSr0WxiHZYGX3K5mSZ0+p/FD4Up0MFALukn1xZ6+WLd8c +gsi0li246g2aUf+rjjKlg4wmx2JndYL5vUP2SJJfFxulvzgDtHw2RfsgA2eN9Zvi +5a/1QH9m39qO6LXZxwVu +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem.certspec new file mode 100644 index 0000000000..08154a53ee --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-all-usages.pem.certspec 
@@ -0,0 +1,3 @@ +issuer:ca-all-usages +subject:ee-keyEncipherment-only +extension:keyUsage:keyEncipherment diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem new file mode 100644 index 0000000000..8e45895208 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5DCCAcygAwIBAgIUf2jeIliw8Hs+4yN24J1B9he7DEIwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIxMTEy +NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAiMSAwHgYDVQQDDBdlZS1rZXlFbmNp +cGhlcm1lbnQtb25seTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI +UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi +r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x +fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD +7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv +uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj ++nJRxDHVA6zaGAo17Y0CAwEAAaMPMA0wCwYDVR0PBAQDAgUgMA0GCSqGSIb3DQEB +CwUAA4IBAQAto3rwCaozt9tPSju24aTGvGPQwoiZ1uJzp9PJGKTMKpm2jobT1c1o +RLjpfa5P2TM6vUCOS7M+uLkzlYsr8aW5WrD0ehJX3Ge1oOFA2A/xwHbffwPpUXgS +euBMN/RV5Oq9pPLlI5FCG2nWTNjG1u2oEx9Lxf0iMs4YpPwFU1w/mbgFqdnQNn5N +54DWg3MFNMeNXpGJZrJnKZj7iPFpDtGbTVAKe9tsR4wu5EbReOxa4LvN79BP2Z44 +jivHsnId2SMu1xbaqXLg8ZoTTNX8zL9Mls6kQkjf7vunGrK968x6wDffhz+FTafZ +qx0xbp/j82UxSPGnj+MYe3dPKU+yZaAZ +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem.certspec new file mode 100644 index 0000000000..9bdcf4b7b8 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-missing-keyCertSign.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca-missing-keyCertSign +subject:ee-keyEncipherment-only +extension:keyUsage:keyEncipherment diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem new file mode 100644 index 0000000000..2cf8010b45 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5jCCAc6gAwIBAgIUOXP432q/p9DYN1yjp9TtbUn7sCMwDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjEx +MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCIxIDAeBgNVBAMMF2VlLWtleUVu +Y2lwaGVybWVudC1vbmx5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby +a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC +D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT +iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT +Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+ +SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCBSAwDQYJKoZIhvcN +AQELBQADggEBAJ/fbi3UftOoyyTSyNPq2zRMDDpEkHx7jcmSDB72wVVfiIDD0tYW +BaI0zVBHa7PtePCWorCc1SR9rzMKRLl4jpKmfBdmFWDKBrzA+Yd6s2eN+G7zQw9R +CN0BTou7vHPqAdVeT8e0XhQPBB4IyPw0Zk/8KO3kin5g5Dyf2Eaqc1CY63PzS0F7 +U9MAGwHo8o1ikA6gdKM/vi282sd2Nqa/HaYR4TXgFOCe3zzkq1DKAm+26lfWznmO +L2KINdoqRhtEEc69NAsoJa5xKXm5+aemk5YNA5JpUH3NgACaUomIseU1JwSgJauk +3BreCw1pwCuWG/ArNgCkMG4bNJA7I5nc49E= +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem.certspec new file mode 100644 index 0000000000..a2383ecfdd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-keyEncipherment-only-ca-no-keyUsage-extension.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca-no-keyUsage-extension +subject:ee-keyEncipherment-only +extension:keyUsage:keyEncipherment diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem new file mode 100644 index 0000000000..3c8fd4266e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyzCCAbOgAwIBAgIUE3y2+REalJVr9BJgRHvD/0X6kggwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNY2EtYWxsLXVzYWdlczAiGA8yMDIxMTEyNzAwMDAwMFoY +DzIwMjQwMjA1MDAwMDAwWjAjMSEwHwYDVQQDDBhlZS1uby1rZXlVc2FnZS1leHRl +bnNpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAH710Q5yUWJdwRYPAucysm6E +cJtzX5CD2fs8pJkKtFY4CTofI7rKdU+dIuTsfX/xrnIhdknMAit8kbkQzRsyk0c3 +Am1qgD8pBbrBtNkzHD1cWvNIQGuntI8+4CWqSNkgFtDEmhNH4N3gr4I7ozNfeZKy +vaZQCqrDpZ6hJdrFbkKeuivZisCXT6OMkhCtJmUz1g2Vlzq1JD5Jffj6nz5u88+G +gYQ8oJ//R3+AkYmdbF1SzL3XAGFKgJ752UowrCVRTWhe7jj7qqgjMTLwHd7WbRfW +eyPcDf8l8Fx40I8W4mv7SYArfYpSBohHHMA2ajD2ZglVmkYweK8vO3V3as62lXw= +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem.certspec new file mode 100644 index 0000000000..6d2e672961 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-all-usages.pem.certspec @@ -0,0 +1,2 @@ +issuer:ca-all-usages +subject:ee-no-keyUsage-extension diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem new file mode 100644 index 0000000000..ca06b96af7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1DCCAbygAwIBAgIUN3Gtxz6p1g5APefpvRImgppez0gwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWY2EtbWlzc2luZy1rZXlDZXJ0U2lnbjAiGA8yMDIxMTEy +NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAjMSEwHwYDVQQDDBhlZS1uby1rZXlV +c2FnZS1leHRlbnNpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6 +iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr +4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP +8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI +Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ +77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J +I/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJ5tsZ2pBNLa +SQyu952+mbY0McHswPvp34q9ihKtUAaZiwusSnVDGP09FTzu6ejRO857Mjqk4oCf +C77FyXsWhAVSEqZyYeKwn+UZyZONA3ZY6plx5rpn5CFVZleh5G0TC6eAVmUcJ13J +x2mmhgPyU2LvHxIRFOaWhTJ9r0qikIDr+96Vti6qDdBeroKuSi2eWUKyofwgV3zK +FsXauOjGzzLZT3va4c0NUdC4+/qppAoC6ejma0iqj3A1gm00DnYU3GMsBXtSSHAH +iZGsbtiuZtCZXxgf2os0NLl5demKOcOzKAHs1No2KwVcxonE6t5uqbKsQFbC47x+ +mT2WDtwpQSo= +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem.certspec new file mode 100644 index 0000000000..3cba2f0d81 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-missing-keyCertSign.pem.certspec @@ -0,0 +1,2 @@ +issuer:ca-missing-keyCertSign +subject:ee-no-keyUsage-extension diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem new file mode 100644 index 0000000000..c667430b40 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1jCCAb6gAwIBAgIUcUkpEkAlszLM+q9hdNYNVNbjhhQwDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYY2Etbm8ta2V5VXNhZ2UtZXh0ZW5zaW9uMCIYDzIwMjEx +MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCMxITAfBgNVBAMMGGVlLW5vLWtl +eVVzYWdlLWV4dGVuc2lvbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG +8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V +gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3 +04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l +0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz +/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcX+eZ5QZ +2ji/0gf+sLsw5M/OGw6LMqCKUd5X36XybPCbY1xx8D9Z9dGMV1kzq5TkCSpLOg6f +1qBqUCIQa/Cpeg1ScHJC9zgmo9XFIniX2ZhiT0o33dDXvTn7l6AuKA4hicbdTcx2 +aGI2MoNpIFINwrNnr6gKQMrBUCBPkWYuCOANqhH8jV9BYgVvYuqK1ecmll5/Cgxp +ikQ6dzmpUHXFgN46UokyFfaudvt/PVqnukiYfjarKltAH5sfFjCQzrkXrK4QjWUW +vjd2AJSsxJb6N3wQgfjEI2WTxLfr2DzhNSFB/SdB2tOcJTxIaIkHbS65aimhNXOx +mppJ0lp9HXjpeg== +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem.certspec b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem.certspec
new file mode 100644
index 0000000000..c850725a63
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_keyUsage/ee-no-keyUsage-extension-ca-no-keyUsage-extension.pem.certspec
@@ -0,0 +1,2 @@
+issuer:ca-no-keyUsage-extension
+subject:ee-no-keyUsage-extension
diff --git a/security/manager/ssl/tests/unit/test_cert_override_read.js b/security/manager/ssl/tests/unit/test_cert_override_read.js
new file mode 100644
index 0000000000..4dc3cbff0e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_override_read.js
@@ -0,0 +1,207 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// This test checks parsing of the the certificate override file + +function run_test() { + // These are hard-coded to avoid initialization of NSS before setup is complete + // bad_certs/mitm.pem + let cert1 = { + sha256Fingerprint: + "E9:3A:91:F6:15:11:FB:DD:02:76:DD:45:8C:4B:F4:9B:D1:14:13:91:2E:96:4B:EC:D2:4F:90:D5:F4:BB:29:5C", + dbKey: "This isn't relevant for this test.", + }; + // bad_certs/selfsigned.pem + let cert2 = { + sha256Fingerprint: + "51:BC:41:90:C1:FD:6E:73:18:19:B0:60:08:DD:A3:3D:59:B2:5B:FB:D0:3D:DD:89:19:A5:BB:C6:2B:5A:72:A7", + dbKey: "This isn't relevant for this test.", + }; + // bad_certs/noValidNames.pem + let cert3 = { + sha256Fingerprint: + "C3:A3:61:02:CA:64:CC:EC:45:1D:24:B6:A0:69:DB:DB:F0:D8:58:76:FC:50:36:52:5A:E8:40:4C:55:72:08:F4", + dbKey: "This isn't relevant for this test.", + }; + + let profileDir = do_get_profile(); + let overrideFile = profileDir.clone(); + overrideFile.append(CERT_OVERRIDE_FILE_NAME); + // Assuming we're working with a clean slate, the file shouldn't exist + // until we create it. + ok(!overrideFile.exists()); + let outputStream = FileUtils.openFileOutputStream(overrideFile); + let lines = [ + "# PSM Certificate Override Settings file", + "# This is a generated file! 
Do not edit.", + "test.example.com:443:^privateBrowsingId=1\tOID.2.16.840.1.101.3.4.2.1\t" + + cert1.sha256Fingerprint + + "\t\t" + + cert1.dbKey, + "test.example.com:443:^privateBrowsingId=2\tOID.2.16.840.1.101.3.4.2.1\t" + + cert1.sha256Fingerprint + + "\t\t" + + cert1.dbKey, + "test.example.com:443:^privateBrowsingId=3\tOID.2.16.840.1.101.3.4.2.1\t" + // includes bits (now obsolete) + cert1.sha256Fingerprint + + "\tM\t" + + cert1.dbKey, + "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + + cert2.sha256Fingerprint + + "\t\t" + + cert2.dbKey, + "[::1]:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // IPv6 + cert2.sha256Fingerprint + + "\t\t" + + cert2.dbKey, + "old.example.com:443\tOID.2.16.840.1.101.3.4.2.1\t" + // missing attributes (defaulted) + cert1.sha256Fingerprint + + "\t\t" + + cert1.dbKey, + ":443:\tOID.2.16.840.1.101.3.4.2.1\t" + // missing host name + cert3.sha256Fingerprint + + "\t\t" + + cert3.dbKey, + "example.com::\tOID.2.16.840.1.101.3.4.2.1\t" + // missing port + cert3.sha256Fingerprint + + "\t\t" + + cert3.dbKey, + "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // wrong fingerprint/dbkey + cert2.sha256Fingerprint + + "\t\t" + + cert3.dbKey, + "example.com:443:\tOID.0.00.000.0.000.0.0.0.0\t" + // bad OID + cert3.sha256Fingerprint + + "\t\t" + + cert3.dbKey, + "example.com:443:\t.0.0.0.0\t" + // malformed OID + cert3.sha256Fingerprint + + "\t\t" + + cert3.dbKey, + "example.com:443:\t\t" + // missing OID + cert3.sha256Fingerprint + + "\t\t" + + cert3.dbKey, + "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // missing fingerprint + "\t\t" + + cert3.dbKey, + "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // missing dbkey + cert3.sha256Fingerprint + + "\t\t", + ]; + writeLinesAndClose(lines, outputStream); + let overrideService = Cc["@mozilla.org/security/certoverride;1"].getService( + Ci.nsICertOverrideService + ); + notEqual(overrideService, null); + + // Now that the override service is initialized we can actually read the certificates + cert1 = 
constructCertFromFile("bad_certs/mitm.pem"); + info( + `if this test fails, try updating cert1.sha256Fingerprint to "${cert1.sha256Fingerprint}"` + ); + cert2 = constructCertFromFile("bad_certs/selfsigned.pem"); + info( + `if this test fails, try updating cert2.sha256Fingerprint to "${cert2.sha256Fingerprint}"` + ); + cert3 = constructCertFromFile("bad_certs/noValidNames.pem"); + info( + `if this test fails, try updating cert3.sha256Fingerprint to "${cert3.sha256Fingerprint}"` + ); + + const OVERRIDES = [ + { + host: "test.example.com", + port: 443, + cert: cert1, + attributes: { privateBrowsingId: 1 }, + }, + { + host: "test.example.com", + port: 443, + cert: cert1, + attributes: { privateBrowsingId: 2 }, + }, + { + host: "test.example.com", + port: 443, + cert: cert1, + attributes: { privateBrowsingId: 3 }, + }, + { + host: "example.com", + port: 443, + cert: cert2, + attributes: {}, + }, + { + host: "::1", + port: 443, + cert: cert2, + attributes: {}, + }, + { + host: "example.com", + port: 443, + cert: cert2, + attributes: { userContextId: 1 }, // only privateBrowsingId is used + }, + { + host: "old.example.com", + port: 443, + cert: cert1, + attributes: {}, + }, + ]; + const BAD_OVERRIDES = [ + { + host: "test.example.com", + port: 443, + cert: cert1, + attributes: { privateBrowsingId: 4 }, // wrong attributes + }, + { + host: "test.example.com", + port: 443, + cert: cert3, // wrong certificate + attributes: { privateBrowsingId: 1 }, + }, + { + host: "example.com", + port: 443, + cert: cert3, + attributes: {}, + }, + ]; + + for (let override of OVERRIDES) { + let temp = {}; + ok( + overrideService.hasMatchingOverride( + override.host, + override.port, + override.attributes, + override.cert, + temp + ), + `${JSON.stringify(override)} should have an override` + ); + equal(temp.value, false); + } + + for (let override of BAD_OVERRIDES) { + let temp = {}; + ok( + !overrideService.hasMatchingOverride( + override.host, + override.port, + override.attributes, + 
override.cert, + temp + ), + `${override} should not have an override` + ); + } +} diff --git a/security/manager/ssl/tests/unit/test_cert_overrides.js b/security/manager/ssl/tests/unit/test_cert_overrides.js new file mode 100644 index 0000000000..bd4a4b96d8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_overrides.js 
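Review bot: In the BAD_OVERRIDES loop at the end of run_test, the failure message interpolates the object directly, `${override} should not have an override`, which renders as `[object Object]` and hides which host/port/attributes entry wrongly matched. The OVERRIDES loop just above already formats its message with `JSON.stringify(override)`, so the negative loop should use `${JSON.stringify(override)} should not have an override` as well. For a test that guards certificate-override parsing, the identity of the entry that was accepted when it should have been rejected is the part of the failure a maintainer needs. Separately, the lines written with a missing host name (`:443:`) and a missing port (`example.com::`) do not appear to be probed by any BAD_OVERRIDES entry, so a parser that accepted them would likely still pass this test; worth confirming whether that is covered elsewhere.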
@@ -0,0 +1,734 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// Tests the certificate overrides we allow. +// add_cert_override_test will queue a test that does the following: +// 1. Attempt to connect to the given host. This should fail with the +// given error. +// 2. Add an override for that host/port/certificate. +// 3. Connect again. This should succeed. + +do_get_profile(); + +function check_telemetry() { + let histogram = Services.telemetry + .getHistogramById("SSL_CERT_ERROR_OVERRIDES") + .snapshot(); + equal(histogram.values[0], 0, "Should have 0 unclassified values"); + equal( + histogram.values[2], + 9, + "Actual and expected SEC_ERROR_UNKNOWN_ISSUER values should match" + ); + equal( + histogram.values[3], + 1, + "Actual and expected SEC_ERROR_CA_CERT_INVALID values should match" + ); + equal( + histogram.values[4] || 0, + 0, + "Actual and expected SEC_ERROR_UNTRUSTED_ISSUER values should match" + ); + equal( + histogram.values[5], + 1, + "Actual and expected SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE values should match" + ); + equal( + histogram.values[6] || 0, + 0, + "Actual and expected SEC_ERROR_UNTRUSTED_CERT values should match" + ); + equal( + histogram.values[7] || 0, + 0, + "Actual and expected SEC_ERROR_INADEQUATE_KEY_USAGE values should match" + ); + equal( + histogram.values[8], + 2, + "Actual and expected SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED values should match" + ); + equal( + histogram.values[9], + 9, + "Actual and expected SSL_ERROR_BAD_CERT_DOMAIN values should match" + ); + equal( + histogram.values[10], + 1, + "Actual and expected SEC_ERROR_EXPIRED_CERTIFICATE values should match" + ); + equal( + histogram.values[11], + 2, + "Actual and expected MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY values 
should match" + ); + equal( + histogram.values[12], + 1, + "Actual and expected MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA values should match" + ); + equal( + histogram.values[13], + 1, + "Actual and expected MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE values should match" + ); + equal( + histogram.values[14], + 1, + "Actual and expected MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE values should match" + ); + equal( + histogram.values[15], + 1, + "Actual and expected MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE values should match" + ); + equal( + histogram.values[16], + 2, + "Actual and expected SEC_ERROR_INVALID_TIME values should match" + ); + equal( + histogram.values[17], + 1, + "Actual and expected MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME values should match" + ); + equal( + histogram.values[19], + 4, + "Actual and expected MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT values should match" + ); + equal( + histogram.values[20], + 1, + "Actual and expected MOZILLA_PKIX_ERROR_MITM_DETECTED values should match" + ); + + let keySizeHistogram = Services.telemetry + .getHistogramById("CERT_CHAIN_KEY_SIZE_STATUS") + .snapshot(); + equal( + keySizeHistogram.values[0], + 0, + "Actual and expected unchecked key size values should match" + ); + equal( + keySizeHistogram.values[1], + 16, + "Actual and expected successful verifications of 2048-bit keys should match" + ); + equal( + keySizeHistogram.values[2] || 0, + 0, + "Actual and expected successful verifications of 1024-bit keys should match" + ); + equal( + keySizeHistogram.values[3], + 70, + "Actual and expected verification failures unrelated to key size should match" + ); + + run_next_test(); +} + +// Internally, specifying "port" -1 is the same as port 443. This tests that. 
+function run_port_equivalency_test(inPort, outPort) { + Assert.ok( + (inPort == 443 && outPort == -1) || (inPort == -1 && outPort == 443), + "The two specified ports must be -1 and 443 (in any order)" + ); + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + let cert = constructCertFromFile("bad_certs/default-ee.pem"); + let expectedTemporary = true; + certOverrideService.rememberValidityOverride( + "example.com", + inPort, + {}, + cert, + expectedTemporary + ); + let actualTemporary = {}; + Assert.ok( + certOverrideService.hasMatchingOverride( + "example.com", + outPort, + {}, + cert, + actualTemporary + ), + `override set on port ${inPort} should match port ${outPort}` + ); + equal( + actualTemporary.value, + expectedTemporary, + "input override temporary value should match output temporary value" + ); + Assert.ok( + !certOverrideService.hasMatchingOverride("example.com", 563, {}, cert, {}), + `override set on port ${inPort} should not match port 563` + ); + certOverrideService.clearValidityOverride("example.com", inPort, {}); + Assert.ok( + !certOverrideService.hasMatchingOverride( + "example.com", + outPort, + {}, + cert, + {} + ), + `override cleared on port ${inPort} should match port ${outPort}` + ); +} + +function run_test() { + run_port_equivalency_test(-1, 443); + run_port_equivalency_test(443, -1); + + Services.prefs.setIntPref("security.OCSP.enabled", 1); + add_tls_server_setup("BadCertAndPinningServer", "bad_certs"); + + let fakeOCSPResponder = new HttpServer(); + fakeOCSPResponder.registerPrefixHandler("/", function(request, response) { + response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); + }); + fakeOCSPResponder.start(8888); + + add_simple_tests(); + add_localhost_tests(); + add_combo_tests(); + add_distrust_tests(); + + add_test(function() { + fakeOCSPResponder.stop(check_telemetry); + }); + + run_next_test(); +} + +function add_simple_tests() { + 
add_cert_override_test("expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE); + add_cert_override_test( + "notyetvalid.example.com", + MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE + ); + add_cert_override_test("before-epoch.example.com", SEC_ERROR_INVALID_TIME); + add_cert_override_test( + "before-epoch-self-signed.example.com", + MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT + ); + add_cert_override_test( + "selfsigned.example.com", + MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT + ); + add_cert_override_test("unknownissuer.example.com", SEC_ERROR_UNKNOWN_ISSUER); + add_cert_override_test( + "expiredissuer.example.com", + SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE + ); + add_cert_override_test( + "notyetvalidissuer.example.com", + MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE + ); + add_cert_override_test( + "before-epoch-issuer.example.com", + SEC_ERROR_INVALID_TIME + ); + add_cert_override_test( + "md5signature.example.com", + SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED + ); + add_cert_override_test( + "emptyissuername.example.com", + MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME + ); + // This has name information in the subject alternative names extension, + // but not the subject common name. + add_cert_override_test("mismatch.example.com", SSL_ERROR_BAD_CERT_DOMAIN); + // This has name information in the subject common name but not the subject + // alternative names extension. + add_cert_override_test("mismatch-CN.example.com", SSL_ERROR_BAD_CERT_DOMAIN); + + // A Microsoft IIS utility generates self-signed certificates with + // properties similar to the one this "host" will present. + add_cert_override_test( + "selfsigned-inadequateEKU.example.com", + MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT + ); + + add_prevented_cert_override_test( + "inadequatekeyusage.example.com", + SEC_ERROR_INADEQUATE_KEY_USAGE + ); + + // Test triggering the MitM detection. We don't set-up a proxy here. Just + // set the pref. Without the pref set we expect an unkown issuer error. 
+ add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER); + add_test(function() { + Services.prefs.setStringPref( + "security.pki.mitm_canary_issuer", + "CN=Test MITM Root" + ); + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.clearValidityOverride("mitm.example.com", 8443, {}); + run_next_test(); + }); + add_cert_override_test("mitm.example.com", MOZILLA_PKIX_ERROR_MITM_DETECTED); + add_test(function() { + Services.prefs.setStringPref( + "security.pki.mitm_canary_issuer", + "CN=Other MITM Root" + ); + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.clearValidityOverride("mitm.example.com", 8443, {}); + run_next_test(); + }); + // If the canary issuer doesn't match the one we see, we exepct and unknown + // issuer error. + add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER); + // If security.pki.mitm_canary_issuer.enabled is false, there should always + // be an unknown issuer error. + add_test(function() { + Services.prefs.setBoolPref( + "security.pki.mitm_canary_issuer.enabled", + false + ); + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.clearValidityOverride("mitm.example.com", 8443, {}); + run_next_test(); + }); + add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER); + add_test(function() { + Services.prefs.clearUserPref("security.pki.mitm_canary_issuer"); + run_next_test(); + }); + + // This is intended to test the case where a verification has failed for one + // overridable reason (e.g. unknown issuer) but then, in the process of + // reporting that error, a non-overridable error is encountered. The + // non-overridable error should be prioritized. 
+ add_test(function() { + let rootCert = constructCertFromFile("bad_certs/test-ca.pem"); + setCertTrust(rootCert, ",,"); + run_next_test(); + }); + add_prevented_cert_override_test( + "nsCertTypeCritical.example.com", + SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION + ); + add_test(function() { + let rootCert = constructCertFromFile("bad_certs/test-ca.pem"); + setCertTrust(rootCert, "CTu,,"); + run_next_test(); + }); + + // Bug 990603: Apache documentation has recommended generating a self-signed + // test certificate with basic constraints: CA:true. For compatibility, this + // is a scenario in which an override is allowed. + add_cert_override_test( + "self-signed-end-entity-with-cA-true.example.com", + MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT + ); + + add_cert_override_test( + "ca-used-as-end-entity.example.com", + MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY + ); + + // If an X.509 version 1 certificate is not a trust anchor, we will + // encounter an overridable error. + add_cert_override_test( + "end-entity-issued-by-v1-cert.example.com", + MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA + ); + // If we make that certificate a trust anchor, the connection will succeed. + add_test(function() { + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.clearValidityOverride( + "end-entity-issued-by-v1-cert.example.com", + 8443, + {} + ); + let v1Cert = constructCertFromFile("bad_certs/v1Cert.pem"); + setCertTrust(v1Cert, "CTu,,"); + clearSessionCache(); + run_next_test(); + }); + add_connection_test( + "end-entity-issued-by-v1-cert.example.com", + PRErrorCodeSuccess + ); + // Reset the trust for that certificate. + add_test(function() { + let v1Cert = constructCertFromFile("bad_certs/v1Cert.pem"); + setCertTrust(v1Cert, ",,"); + clearSessionCache(); + run_next_test(); + }); + + // Due to compatibility issues, we allow overrides for certificates issued by + // certificates that are not valid CAs. 
+ add_cert_override_test( + "end-entity-issued-by-non-CA.example.com", + SEC_ERROR_CA_CERT_INVALID + ); + + // This host presents a 1016-bit RSA key. + add_cert_override_test( + "inadequate-key-size-ee.example.com", + MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE + ); + + add_cert_override_test( + "ipAddressAsDNSNameInSAN.example.com", + SSL_ERROR_BAD_CERT_DOMAIN + ); + add_cert_override_test("noValidNames.example.com", SSL_ERROR_BAD_CERT_DOMAIN); + add_cert_override_test( + "badSubjectAltNames.example.com", + SSL_ERROR_BAD_CERT_DOMAIN + ); + + add_cert_override_test( + "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_test(function() { + // At this point, the override for bug413909.xn--hxajbheg2az3al.xn--jxalpdlp + // is still valid. Do some additional tests relating to IDN handling. + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + let uri = Services.io.newURI( + "https://bug413909.xn--hxajbheg2az3al.xn--jxalpdlp" + ); + let cert = constructCertFromFile("bad_certs/idn-certificate.pem"); + Assert.ok( + certOverrideService.hasMatchingOverride( + uri.asciiHost, + 8443, + {}, + cert, + {} + ), + "IDN certificate should have matching override using ascii host" + ); + Assert.throws( + () => + !certOverrideService.hasMatchingOverride( + uri.displayHost, + 8443, + {}, + cert, + {} + ), + /NS_ERROR_ILLEGAL_VALUE/, + "IDN certificate should not have matching override using (non-ascii) host" + ); + let invalidHost = uri.asciiHost.replace(/./g, c => + String.fromCharCode(c.charCodeAt(0) | 0x100) + ); + Assert.throws( + () => + !certOverrideService.hasMatchingOverride( + invalidHost, + 8443, + {}, + cert, + {} + ), + /NS_ERROR_ILLEGAL_VALUE/, + "hasMatchingOverride should not truncate high-bytes" + ); + run_next_test(); + }); + + add_test(function() { + // Add a bunch of overrides... 
+ let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + let cert = constructCertFromFile("bad_certs/default-ee.pem"); + certOverrideService.rememberValidityOverride( + "example.com", + 443, + {}, + cert, + false + ); + Assert.ok( + certOverrideService.hasMatchingOverride("example.com", 443, {}, cert, {}), + "Should have added override for example.com:443" + ); + certOverrideService.rememberValidityOverride( + "example.com", + 80, + {}, + cert, + false + ); + certOverrideService.rememberValidityOverride("::1", 80, {}, cert, false); + Assert.ok( + certOverrideService.hasMatchingOverride("example.com", 80, {}, cert, {}), + "Should have added override for example.com:80" + ); + certOverrideService.rememberValidityOverride( + "example.org", + 443, + {}, + cert, + false + ); + Assert.ok( + certOverrideService.hasMatchingOverride("example.org", 443, {}, cert, {}), + "Should have added override for example.org:443" + ); + Assert.ok( + certOverrideService.hasMatchingOverride("::1", 80, {}, cert, {}), + "Should have added override for [::1]:80" + ); + // When in a private browsing context, overrides added in non-private + // contexts should match (but not vice-versa). 
+ Assert.ok( + certOverrideService.hasMatchingOverride( + "example.org", + 443, + { privateBrowsingId: 1 }, + cert, + {} + ), + "Should have override for example.org:443 with privateBrowsingId 1" + ); + Assert.ok( + certOverrideService.hasMatchingOverride( + "example.org", + 443, + { privateBrowsingId: 2 }, + cert, + {} + ), + "Should have override for example.org:443 with privateBrowsingId 2" + ); + Assert.ok( + certOverrideService.hasMatchingOverride( + "example.org", + 443, + { firstPartyDomain: "example.org", userContextId: 1 }, + cert, + {} + ), + "Should ignore firstPartyDomain and userContextId when checking overrides" + ); + certOverrideService.rememberValidityOverride( + "example.org", + 80, + {}, + cert, + true + ); + Assert.ok( + certOverrideService.hasMatchingOverride("example.org", 80, {}, cert, {}), + "Should have added override for example.org:80" + ); + certOverrideService.rememberValidityOverride( + "test.example.org", + 443, + { firstPartyDomain: "example.org", userContextId: 1 }, + cert, + false + ); + Assert.ok( + certOverrideService.hasMatchingOverride( + "test.example.org", + 443, + {}, + cert, + {} + ), + "Should ignore firstPartyDomain and userContextId when adding overrides" + ); + Assert.ok( + certOverrideService.hasMatchingOverride( + "test.example.org", + 443, + { firstPartyDomain: "example.com", userContextId: 2 }, + cert, + {} + ), + "Should ignore firstPartyDomain and userContextId when checking overrides" + ); + certOverrideService.rememberValidityOverride( + "example.test", + 443, + { privateBrowsingId: 1 }, + cert, + false + ); + Assert.ok( + certOverrideService.hasMatchingOverride( + "example.test", + 443, + { privateBrowsingId: 1 }, + cert, + {} + ), + "Should have added override for example.test:443 with privateBrowsingId 1" + ); + Assert.ok( + !certOverrideService.hasMatchingOverride( + "example.test", + 443, + { privateBrowsingId: 2 }, + cert, + {} + ), + "Should not have override for example.test:443 with privateBrowsingId 2" 
+ ); + Assert.ok( + !certOverrideService.hasMatchingOverride( + "example.test", + 443, + {}, + cert, + {} + ), + "Should not have override for example.test:443 with non-private OriginAttributes" + ); + // Clear them all... + certOverrideService.clearAllOverrides(); + + // And ensure they're all gone. + Assert.ok( + !certOverrideService.hasMatchingOverride( + "example.com", + 443, + {}, + cert, + {} + ), + "Should have removed override for example.com:443" + ); + Assert.ok( + !certOverrideService.hasMatchingOverride("example.com", 80, {}, cert, {}), + "Should have removed override for example.com:80" + ); + Assert.ok( + !certOverrideService.hasMatchingOverride( + "example.org", + 443, + {}, + cert, + {} + ), + "Should have removed override for example.org:443" + ); + Assert.ok( + !certOverrideService.hasMatchingOverride("example.org", 80, {}, cert, {}), + "Should have removed override for example.org:80" + ); + Assert.ok( + !certOverrideService.hasMatchingOverride( + "example.org", + 443, + { privateBrowsingId: 1 }, + cert, + {} + ), + "Should have removed override for example.org:443 with privateBrowsingId 1" + ); + + run_next_test(); + }); +} + +function add_localhost_tests() { + add_cert_override_test("localhost", SEC_ERROR_UNKNOWN_ISSUER); + add_cert_override_test("127.0.0.1", SSL_ERROR_BAD_CERT_DOMAIN); + add_cert_override_test("::1", SSL_ERROR_BAD_CERT_DOMAIN); +} + +function add_combo_tests() { + add_cert_override_test( + "mismatch-expired.example.com", + SSL_ERROR_BAD_CERT_DOMAIN + ); + add_cert_override_test( + "mismatch-notYetValid.example.com", + SSL_ERROR_BAD_CERT_DOMAIN + ); + add_cert_override_test( + "mismatch-untrusted.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_cert_override_test( + "untrusted-expired.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_cert_override_test( + "mismatch-untrusted-expired.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + + add_cert_override_test( + "md5signature-expired.example.com", + 
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED + ); + + add_cert_override_test( + "ca-used-as-end-entity-name-mismatch.example.com", + MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY + ); +} + +function add_distrust_tests() { + // Before we specifically distrust this certificate, it should be trusted. + add_connection_test("untrusted.example.com", PRErrorCodeSuccess); + + add_distrust_test( + "bad_certs/default-ee.pem", + "untrusted.example.com", + SEC_ERROR_UNTRUSTED_CERT + ); + + add_distrust_test( + "bad_certs/other-test-ca.pem", + "untrustedissuer.example.com", + SEC_ERROR_UNTRUSTED_ISSUER + ); + + add_distrust_test( + "bad_certs/test-ca.pem", + "ca-used-as-end-entity.example.com", + SEC_ERROR_UNTRUSTED_ISSUER + ); +} + +function add_distrust_test(certFileName, hostName, expectedResult) { + let certToDistrust = constructCertFromFile(certFileName); + + add_test(function() { + // Add an entry to the NSS certDB that says to distrust the cert + setCertTrust(certToDistrust, "pu,,"); + clearSessionCache(); + run_next_test(); + }); + add_prevented_cert_override_test(hostName, expectedResult); + add_test(function() { + setCertTrust(certToDistrust, "u,,"); + run_next_test(); + }); +} diff --git a/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js b/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js new file mode 100644 index 0000000000..80fa27a5d4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_overrides_read_only.js 
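Review bot: The last assertion in `run_port_equivalency_test` checks `!certOverrideService.hasMatchingOverride(...)` after `clearValidityOverride`, but its failure message says the cleared override "should match" the other port, which is the opposite of what is asserted. Change the message to `` `override cleared on port ${inPort} should not match port ${outPort}` `` so a failure clearly points at an override that survived clearing. Separately, `add_simple_tests` sets `security.pki.mitm_canary_issuer.enabled` to false, and the cleanup step that follows only clears `security.pki.mitm_canary_issuer`. If the later tests in this file are meant to run with the canary check in its default state, add `Services.prefs.clearUserPref("security.pki.mitm_canary_issuer.enabled");` to that cleanup step.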
@@ -0,0 +1,94 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Tests that permanent certificate error overrides can be added even if the
+// certificate/key databases are in read-only mode.
+
+// Helper function for add_read_only_cert_override_test. Probably doesn't need
+// to be called directly.
+function add_read_only_cert_override(aHost, aSecurityInfo) {
+ let cert = aSecurityInfo.serverCert;
+ let certOverrideService = Cc[
+ "@mozilla.org/security/certoverride;1"
+ ].getService(Ci.nsICertOverrideService);
+ // Setting the last argument to false here ensures that we attempt to store a
+ // permanent override (which is what was failing in bug 1427273).
+ certOverrideService.rememberValidityOverride(aHost, 8443, {}, cert, false);
+}
+
+// Given a host and an expected error code, tests that an initial connection to
+// the host fails with the expected errors and that adding an override results
+// in a subsequent connection succeeding.
+function add_read_only_cert_override_test(aHost, aExpectedError) {
+ add_connection_test(
+ aHost,
+ aExpectedError,
+ null,
+ add_read_only_cert_override.bind(this, aHost)
+ );
+ add_connection_test(aHost, PRErrorCodeSuccess, null, aSecurityInfo => {
+ Assert.ok(
+ aSecurityInfo.securityState &
+ Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
+ "Cert override flag should be set on the security state"
+ );
+ });
+}
+
+function run_test() {
+ let profile = do_get_profile();
+ const KEY_DB_NAME = "key4.db";
+ const CERT_DB_NAME = "cert9.db";
+ let srcKeyDBFile = do_get_file(
+ `test_cert_overrides_read_only/${KEY_DB_NAME}`
+ );
+ srcKeyDBFile.copyTo(profile, KEY_DB_NAME);
+ let srcCertDBFile = do_get_file(
+ `test_cert_overrides_read_only/${CERT_DB_NAME}`
+ );
+ srcCertDBFile.copyTo(profile, CERT_DB_NAME);
+
+ // set the databases to read-only
+ let keyDBFile = do_get_profile();
+ keyDBFile.append(KEY_DB_NAME);
+ keyDBFile.permissions = 0o400;
+ let certDBFile = do_get_profile();
+ certDBFile.append(CERT_DB_NAME);
+ certDBFile.permissions = 0o400;
+
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ // Specifying false as the last argument means we don't try to add the default
+ // test root CA (which would fail).
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs", false);
+
+ let fakeOCSPResponder = new HttpServer();
+ fakeOCSPResponder.registerPrefixHandler("/", function(request, response) {
+ response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+ });
+ fakeOCSPResponder.start(8888);
+
+ // Since we can't add the root CA to the (read-only) trust db, all of these
+ // will result in an "unknown issuer error" and need the "untrusted" error bit
+ // set in addition to whatever other specific error bits are necessary.
+ add_read_only_cert_override_test(
+ "expired.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+ add_read_only_cert_override_test(
+ "selfsigned.example.com",
+ MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
+ );
+ add_read_only_cert_override_test(
+ "mismatch.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+
+ add_test(function() {
+ fakeOCSPResponder.stop(run_next_test);
+ });
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_cert_overrides_read_only/cert9.db b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/cert9.db
new file mode 100644
index 0000000000..3d452f335c
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/cert9.db differ
diff --git a/security/manager/ssl/tests/unit/test_cert_overrides_read_only/key4.db b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/key4.db
new file mode 100644
index 0000000000..44d0cb1728
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_cert_overrides_read_only/key4.db differ
diff --git a/security/manager/ssl/tests/unit/test_cert_sha1.js b/security/manager/ssl/tests/unit/test_cert_sha1.js
new file mode 100644
index 0000000000..9513102b56
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_sha1.js
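Review bot: The second `add_connection_test` in `add_read_only_cert_override_test` only checks `STATE_CERT_USER_OVERRIDDEN`, so the test would still pass if the override ended up stored as a temporary one. The header comment says the test covers permanent overrides with read-only databases, but nothing asserts that the stored override is permanent. In that callback, get the override service the same way `add_read_only_cert_override` does and check the out-parameter: `let temp = {};`, `Assert.ok(certOverrideService.hasMatchingOverride(aHost, 8443, {}, aSecurityInfo.serverCert, temp));`, `equal(temp.value, false, "override should be permanent");`.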
@@ -0,0 +1,53 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests the rejection of SHA-1 certificates. + +"use strict"; + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +// (new Date("2016-03-01")).getTime() / 1000 +const VALIDATION_TIME = 1456790400; + +function certFromFile(certName) { + return constructCertFromFile("test_cert_sha1/" + certName + ".pem"); +} + +function loadCertWithTrust(certName, trustString) { + addCertFromFile(certdb, "test_cert_sha1/" + certName + ".pem", trustString); +} + +function checkEndEntity(cert, expectedResult) { + return checkCertErrorGenericAtTime( + certdb, + cert, + expectedResult, + certificateUsageSSLServer, + VALIDATION_TIME + ); +} + +add_task(async function() { + loadCertWithTrust("ca", "CTu,,"); + loadCertWithTrust("int-pre", ",,"); + loadCertWithTrust("int-post", ",,"); + + await checkEndEntity( + certFromFile("ee-pre_int-pre"), + SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED + ); + await checkEndEntity( + certFromFile("ee-post_int-pre"), + SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED + ); + await checkEndEntity( + certFromFile("ee-post_int-post"), + SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED + ); +}); diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem new file mode 100644 index 0000000000..60140056de --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem 
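Review bot: Nothing in this file explains what the `pre`/`post` parts of the certificate names mean or why `VALIDATION_TIME` is pinned to 2016-03-01, even though all three chains are expected to fail with the same error. Judging by the certspec files added alongside it, the names appear to track whether `notBefore` falls before 2016 or in 2016. A comment above the `add_task` would make the intent clear, for example `// "pre"/"post": notBefore before 2016 vs. in 2016; SHA-1 signatures are rejected in every combination.`. It would also help to note that `ca` is itself SHA-1-signed and loaded as a trust anchor (`CTu,,`), so the expected rejection presumably comes from the intermediate or end-entity signatures; that reading is inferred from the certspecs and should be confirmed.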
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIUUbC4F7yPobFDd+B73iWKejQ3THkwDQYJKoZIhvcNAQEF +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDUwMDEwMTAw +MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAsGA1UdDwQEAwIBBjAMBgNV +HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCU+Y0AeMXFIfX4/L2aX37uSR70 +pGpPrh0FPOwBO2ETUc4j7Whol9wOSPnUwuPIpiDhar5qRuhY6aCPGTIJbRZrVeXv +T5uFQXq+3CQdIyI55AkFDh9tO7wX7p3pRgzma47mBxIH082Uwy7+eEeQfhuJ5cU4 +e/zyHf6FEdkSrDjgwDip+dn8Q7tnjdaN3WYQjOFRXkHyYCIFkORDPTbYSYZ6DAqq +Q/loKTdrcbyeEwFVBZxQu4Nb6mjhkfk8U+8TIGMCTQXhoQhgMWMeMo2E0kWvYbjc +YDiRzmnsdvPu2LKnTvH28M9ODi3ZzcOuLs6jAKAiXISq0CbmwaddV/oAMoF2 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem.certspec new file mode 100644 index 0000000000..7e65e9ee30 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/ca.pem.certspec @@ -0,0 +1,6 @@ +issuer:ca +subject:ca +validity:20100101-20500101 +extension:keyUsage:keyCertSign,cRLSign +extension:basicConstraints:cA, +signature:sha1WithRSAEncryption diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem new file mode 100644 index 0000000000..8fb93e69e3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtTCCAZ2gAwIBAgIUJWQl8gkrLL7gPn47YYMdN7qBP5wwDQYJKoZIhvcNAQEF +BQAwEzERMA8GA1UEAwwIaW50LXBvc3QwIhgPMjAxNjAxMDIwMDAwMDBaGA8yMDE3 +MDIwMTAwMDAwMFowEjEQMA4GA1UEAwwHZWUtcG9zdDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7 +wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp +k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh +eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW +EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc +JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B +AQUFAAOCAQEAVOPvLS8zwos/RdClnabdxMh5g1WN5T1BsIMExE6oU6sJ7n4HyIXt +RnFTFe0t2CdXBCQPK6qG8ymeLQFNKykYlQxVZb8m5YgUK3k4IeMS/EoX4g7taREI +IwK9/n7+oKZYlz2Q/ro/R2HFmLXsCIUrsxV3vAWQCm8rSeCKzEVNlDaQ5FEMVAM7 +VlNhNNKtUnXkzZ3SRj6O4eOq3G4azr5DNo5kAQPaIbAI3k/3AHyPqIjHcoSiG1Ug +aqzIK6fNNCIAxIKAY2ERJfxA4fPlBZXono2sCOgCdFfF7QAo+o9SO8v3B+djuHgb +flbfdyEnN+y32UpYe3qV8LnFmRqGAe/vbQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem.certspec new file mode 100644 index 0000000000..76834f8447 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-post.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-post +subject:ee-post +validity:20160102-20170201 +signature:sha1WithRSAEncryption diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem new file mode 100644 index 0000000000..2385322a64 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtDCCAZygAwIBAgIUIVsTCuql4BDO2r4O5zePBEoHg3QwDQYJKoZIhvcNAQEF +BQAwEjEQMA4GA1UEAwwHaW50LXByZTAiGA8yMDE2MDEwMTAwMDAwMFoYDzIwMTcw +MjAxMDAwMDAwWjASMRAwDgYDVQQDDAdlZS1wb3N0MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB +BQUAA4IBAQCW5zeJg+LzGn07GtdBprRLarL7aLNFSr+s+3yzphq9kN43prElX6eD +gdggPWicZozTm3IFLfJfsuhiodBZjWmkF/dsvvT3W77AcKzNWjShCnnA/Vf5IF6k +U01ROfjmgcX0mMuhVUB7b9Fl6G5DFxJgny2jYehZcJIzWUBLiwu41TIxj5Cv5F9p ++XIHEyygqm8rYzbW8F49FRbsDD9nvhmdVqXsoTaKxY8bsKKu1EpBSBXozRbLKcAn +/zrLy0HHS4qfXTHm0UKt+RCYVylL5I5YGR6rapXHChkBTBHFXdkPVsW5uHKBdBqY +98zoAAMWRvJ3xOuqAbtKG6DKadiOpz6l +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem.certspec new file mode 100644 index 0000000000..1e8bb35b34 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-post_int-pre.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-pre +subject:ee-post +validity:20160101-20170201 +signature:sha1WithRSAEncryption diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem new file mode 100644 index 0000000000..11a5e41e99 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIUOU+CyYnf3GRRgGHvbeJB8HTUvJ4wDQYJKoZIhvcNAQEF +BQAwEjEQMA4GA1UEAwwHaW50LXByZTAiGA8yMDE1MDEwMTAwMDAwMFoYDzIwMTcw +MjAxMDAwMDAwWjARMQ8wDQYDVQQDDAZlZS1wcmUwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEF +BQADggEBACWLcVnT0nNyU/qFZNDZPGDFPuZCXuodBf3sgz1XDmcp5wlH+IjW3J8H +3HH6ZwIUpTtppqVxuvo2y9GP+GNyeXhxmokHTVdKDj8HqYl5lV+reO1UmzEH0AU8 +x3hd2Fkzv/h3N3EPVETWuPiFSB0oAN/xwsXC/7Yi4AY0s/I/4q/vkS76Oa2RyL3f +gbaa80+nR73BX+0wRqyg+Sgo2hOzjkCQchtZPUFYsRLhsHHBnokD8GJlT7NBKSN1 +TFt6uXpfEmqDICoyZoAw6rtnFfdEsZNo+PU6NDN3T0fkolBQPvuzfqcqAl85dpJK +ow8mFKkb2t6qQH98yabi/172l03/P34= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem.certspec new file mode 100644 index 0000000000..0f4a6ec257 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/ee-pre_int-pre.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-pre +subject:ee-pre +validity:20150101-20170201 +signature:sha1WithRSAEncryption diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem new file mode 100644 index 0000000000..94ab4f5b15 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzzCCAbegAwIBAgIUYQ6xulHM0FrQ0sKMdbPI2ecC3PcwDQYJKoZIhvcNAQEF +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxNjAxMDEwMDAwMDBaGA8yMDI2MDEwMTAw +MDAwMFowEzERMA8GA1UEAwwIaW50LXBvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg +2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ +5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ +PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj +DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W +iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAsGA1UdDwQEAwIB +BjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCJN8/XexXMusXYbhVW +uYA1YpaSTrz96CXlckIuABnzCrGD5iHkfFoB0LPKd+EZ80fdHIvS1zQTYohy6O95 +JageOaTY9HsOEqsgr1BA9VKZW4QlGp7csQzNMa52WRetimv6XY/lrfPf4qAhomWG +/ImmLJpGTVPhEdz6Pl4Kvmf9zNf/BcXtBTWLSGWUC5UItC58WTopqcr5kLg3DmXB +Qr7DjqA7DT92N6qefFkTYspDZJzv0nL9OfqkdCj/s6bm3iisTQq3aek6IP6OEkXF +4TWUF3RDBsyRpG8jt/XsOsrwJDOGZGFPmMTz2uZPsZkeZhU+sfFDWL7wojl7kHV1 +c7f5 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem.certspec new file mode 100644 index 0000000000..50156c9f6e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-post.pem.certspec @@ -0,0 +1,6 @@ +issuer:ca +subject:int-post +validity:20160101-20260101 +extension:keyUsage:keyCertSign,cRLSign +extension:basicConstraints:cA, +signature:sha1WithRSAEncryption diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem new file mode 100644 index 0000000000..0b916d5755 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzjCCAbagAwIBAgIUYW27TGzVOIbjpG1ADx7m7mZnrNQwDQYJKoZIhvcNAQEF +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAxMDAxMDEwMDAwMDBaGA8yMDIwMDEwMTAw +MDAwMFowEjEQMA4GA1UEAwwHaW50LXByZTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY +H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk +27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9 +0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM +kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL +L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswCwYDVR0PBAQDAgEG +MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAESNgcKkxBwkaBykKo2Q +GzgimnI3eNw8O8GrhefL+r3Ek/CH4/oBHGvfvrz6D19uemdOyHxo5QNW2iWEq0No +pE6Hhm504P1fdkfQvjqjIhu/h3y5QjO3zdMGeVE/39TWAGrGsNFKE+jSxm8IbycF +Ue6165agasf+PhQdorjFca48iLcowKYs5Df0SAhY7zbw1fM1HTr1YGAXc1K9aCA5 +fTmu8Nd0fNKc1NcbNDpdCG2YEj1nox1iMN5A4nY1ve88zJsnlpfsoJkHJqo2Cy+M +mpQSnkTlf3Gfpl8NO3UW9FTcnK8L4Ix2DSNBDe8Yg2YL5w/VIxecFwlmwV0wWdg6 +vl0= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem.certspec b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem.certspec new file mode 100644 index 0000000000..9f0a59ee99 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem.certspec @@ -0,0 +1,6 @@ +issuer:ca +subject:int-pre +validity:20100101-20200101 +extension:keyUsage:keyCertSign,cRLSign +extension:basicConstraints:cA, +signature:sha1WithRSAEncryption diff --git a/security/manager/ssl/tests/unit/test_cert_signatures.js b/security/manager/ssl/tests/unit/test_cert_signatures.js new file mode 100644 index 0000000000..e92b5a4ab8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures.js 
@@ -0,0 +1,140 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// Tests that certificates cannot be tampered with without being detected. +// Tests a combination of cases: RSA signatures, ECDSA signatures, certificate +// chains where the intermediate has been tampered with, chains where the +// end-entity has been tampered, tampering of the signature, and tampering in +// the rest of the certificate. + +do_get_profile(); // must be called before getting nsIX509CertDB +var certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +// Reads a PEM-encoded certificate, modifies the nth byte (0-indexed), and +// returns the base64-encoded bytes of the certificate. Negative indices may be +// specified to modify a byte from the end of the certificate. +function readAndTamperWithNthByte(certificatePath, n) { + let pem = readFile(do_get_file(certificatePath, false)); + let der = atob(pemToBase64(pem)); + if (n < 0) { + // remember, n is negative at this point + n = der.length + n; + } + let replacement = "\x22"; + if (der.charCodeAt(n) == replacement) { + replacement = "\x23"; + } + der = der.substring(0, n) + replacement + der.substring(n + 1); + return btoa(der); +} + +// The signature on certificates appears last. This should modify the contents +// of the signature such that it no longer validates correctly while still +// resulting in a structurally valid certificate. 
+const BYTE_IN_SIGNATURE = -8; +function addSignatureTamperedCertificate(certificatePath) { + let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SIGNATURE); + certdb.addCertFromBase64(base64, ",,"); +} + +function ensureSignatureVerificationFailure(certificatePath) { + let cert = constructCertFromFile(certificatePath); + return checkCertErrorGeneric( + certdb, + cert, + SEC_ERROR_BAD_SIGNATURE, + certificateUsageSSLServer + ); +} + +function tamperWithSignatureAndEnsureVerificationFailure(certificatePath) { + let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SIGNATURE); + let cert = certdb.constructX509FromBase64(base64); + return checkCertErrorGeneric( + certdb, + cert, + SEC_ERROR_BAD_SIGNATURE, + certificateUsageSSLServer + ); +} + +// The beginning of a certificate looks like this (in hex, using DER): +// 30 XX XX XX [the XX encode length - there are probably 3 bytes here] +// 30 XX XX XX [length again] +// A0 03 +// 02 01 +// 02 +// 02 XX [length again - 1 byte as long as we're using pycert] +// XX XX ... [serial number - 20 bytes as long as we're using pycert] +// Since we want to modify the serial number, we need to change something from +// byte 15 to byte 34 (0-indexed). If it turns out that the two length sections +// we assumed were 3 bytes are shorter (they can't be longer), modifying +// something from byte 15 to byte 30 will still get us what we want. Since the +// serial number is a DER INTEGER and because it must be positive, it's best to +// skip the first two bytes of the serial number so as to not run into any +// issues there. Thus byte 17 is a good byte to modify. 
+const BYTE_IN_SERIAL_NUMBER = 17; +function addSerialNumberTamperedCertificate(certificatePath) { + let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SERIAL_NUMBER); + certdb.addCertFromBase64(base64, ",,"); +} + +function tamperWithSerialNumberAndEnsureVerificationFailure(certificatePath) { + let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SERIAL_NUMBER); + let cert = certdb.constructX509FromBase64(base64); + return checkCertErrorGeneric( + certdb, + cert, + SEC_ERROR_BAD_SIGNATURE, + certificateUsageSSLServer + ); +} + +add_task(async function() { + addCertFromFile(certdb, "test_cert_signatures/ca-rsa.pem", "CTu,,"); + addCertFromFile(certdb, "test_cert_signatures/ca-secp384r1.pem", "CTu,,"); + + // Tamper with the signatures on intermediate certificates and ensure that + // end-entity certificates issued by those intermediates do not validate + // successfully. + addSignatureTamperedCertificate("test_cert_signatures/int-rsa.pem"); + addSignatureTamperedCertificate("test_cert_signatures/int-secp384r1.pem"); + await ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem"); + await ensureSignatureVerificationFailure( + "test_cert_signatures/ee-secp384r1.pem" + ); + + // Tamper with the signatures on end-entity certificates and ensure that they + // do not validate successfully. + await tamperWithSignatureAndEnsureVerificationFailure( + "test_cert_signatures/ee-rsa-direct.pem" + ); + await tamperWithSignatureAndEnsureVerificationFailure( + "test_cert_signatures/ee-secp384r1-direct.pem" + ); + + // Tamper with the serial numbers of intermediate certificates and ensure + // that end-entity certificates issued by those intermediates do not validate + // successfully. 
+ addSerialNumberTamperedCertificate("test_cert_signatures/int-rsa.pem"); + addSerialNumberTamperedCertificate("test_cert_signatures/int-secp384r1.pem"); + await ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem"); + await ensureSignatureVerificationFailure( + "test_cert_signatures/ee-secp384r1.pem" + ); + + // Tamper with the serial numbers of end-entity certificates and ensure that + // they do not validate successfully. + await tamperWithSerialNumberAndEnsureVerificationFailure( + "test_cert_signatures/ee-rsa-direct.pem" + ); + await tamperWithSerialNumberAndEnsureVerificationFailure( + "test_cert_signatures/ee-secp384r1-direct.pem" + ); +}); diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem new file mode 100644 index 0000000000..60fb8c8280 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem 
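Review bot: In `readAndTamperWithNthByte`, the guard `if (der.charCodeAt(n) == replacement)` compares a numeric char code with the one-character string `"\x22"`, so it can never be true and the fallback to `"\x23"` is dead code. If the targeted byte already equals 0x22, the certificate is returned unmodified, and the checks that expect `SEC_ERROR_BAD_SIGNATURE` would then presumably run against an untampered certificate. Compare like with like, for example `if (der.charAt(n) == replacement) {`. A comment noting that the helper must always change the byte would also help the next reader.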
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0TCCAbmgAwIBAgIUT8jfl072RlfOreJkjWraanVZqnUwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGY2EtcnNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMBExDzANBgNVBAMMBmNhLXJzYTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUw +AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBACAWVqoxSxIyJ0Am +28SrJn1ussg8npP2ETHrTfoynoV5bz8qNIoK0draCheU4gKNut8dZ68mkj8gMSoj +vxGfXMRW3FNIrAKbn/Asuyjz2MD9LHRvf4ELypEIywS0bBDdV1sWSbek9XU7uobz +mQMvn/HzTo4PW2+N9M+V0SEj2WV8fY7j1YHmggnmDy2TJrgrviXeJC9StlifNQy8 +GwN7EDctuJ0epoKzpKJGTdSLOty4FyuAEfY2MKQcvvP5xk6u8rEWCbbEq7gW4Voo +F8EbC8AauuFRyXgD3hN3YHgFvRatXMF0y/w/g6RH3Phl+1P5kxTz702UJradTjzo +zRHh5Pc= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem.certspec new file mode 100644 index 0000000000..5890d2db60 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca-rsa +subject:ca-rsa +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem new file mode 100644 index 0000000000..7a6421456b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem 
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBjzCCARSgAwIBAgIUU56dEINjI+b83xJvJn1PQt/p41YwCgYIKoZIzj0EAwIw +FzEVMBMGA1UEAwwMY2Etc2VjcDM4NHIxMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAy +NDAyMDUwMDAwMDBaMBcxFTATBgNVBAMMDGNhLXNlY3AzODRyMTB2MBAGByqGSM49 +AgEGBSuBBAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMt +qM6Y6DFTTmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC +8Fr3Gh/dzIN0qm6pzqMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYI +KoZIzj0EAwIDaQAwZgIxAO0GJz6haDpUtNgaQ3SESJY85j6+gRcD7Nc9cvCiVAZZ +1OxFRuhW515lVbeTqfcA8wIxAIr+3diKqPT5EEiOXgoswSP8CwuLNe4pc6AjdCV+ +dnE9Ibr64s45zjHfjcRLja/Z+w== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem.certspec new file mode 100644 index 0000000000..0701c23c1e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ca-secp384r1.pem.certspec @@ -0,0 +1,7 @@ +issuer:ca-secp384r1 +subject:ca-secp384r1 +issuerKey:secp384r1 +subjectKey:secp384r1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem new file mode 100644 index 0000000000..46e6e5ceae --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuTCCAaGgAwIBAgIUGzRGmvrzu+NFvnMfZjX1GG3QF4gwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGY2EtcnNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMBgxFjAUBgNVBAMMDWVlLXJzYS1kaXJlY3QwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo +V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p +0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk +fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh +W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI +TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZI +hvcNAQELBQADggEBAHtV0do2QpXEzm8OwnFt1LVlNqxaVCRKFENCc9nOKBHODbhS +/6YZcvI/CNn1JNFhDgHKiTdiiYdu2aqy0Y6WbnSzHqfHmGrvLBskMH+6xDK+6qSp +bvTR6iWyUql7X4K/J1VGeXAZHFysbxlvrhONSkRHZBDv+4nu3zEB6euIFeCMfGNH +sxgp9I51d3vb8JiRqvB0FA5FcN7Od2MHv008rcXRAcCfKvm7DX25ZLVX9hSmPD/4 +KiJFK6nidDiguIkaD558IFp0Oc/5zOP0iGpynzICRuuAOdO5lAXMpzRrJzftvQiP +B3+ED28z7nuI0nkSMBWlpIy/uL7s4VaChR/uSEo= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem.certspec new file mode 100644 index 0000000000..4e25ddcf94 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa-direct.pem.certspec @@ -0,0 +1,2 @@ +issuer:ca-rsa +subject:ee-rsa-direct diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem new file mode 100644 index 0000000000..1eafd948f2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIUSTmi0SZM0FZ2whVeqfymGPKOiZ8wDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHaW50LXJzYTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjARMQ8wDQYDVQQDDAZlZS1yc2EwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL +BQADggEBAIFbfCcJOg5Q4wsfmHgwyx4P80o11WKLC6UytwA17yc47sCGx8+df/Ac +KxrG4j0pVqee/61NxpwvIozJV8k2aoj8pDmECa4CfbHpikSU6Gd0xWX3zl/z6gAl +6w0LIrIFk5edWlcLwrH3zX5FmukXcXb5oiEubSoaO2F78ws1UXzA7AzMoY5yZEbM +0fAJr3f1KMpdOY8nNLIctzD23oFxeiN/HuzE4KI2FLXjYsMFYGXo8cMJlwnRxr05 +L5Po1VCe6lzFAZpC62S4l9BKlPHOOtBL77RNVz07KDxKyzoTMWRw7EgYp5HyvBa6 +lG8GpcFyJcMN5eq2PTKxrEaZKu73PQ8= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem.certspec new file mode 100644 index 0000000000..b974a0a0a8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-rsa.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-rsa +subject:ee-rsa diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem new file mode 100644 index 0000000000..d66fd61ef5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem 
@@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBdjCB/KADAgECAhRFwdFDhUYutDxj04OT4wqoqfIMRTAKBggqhkjOPQQDAjAX +MRUwEwYDVQQDDAxjYS1zZWNwMzg0cjEwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0 +MDIwNTAwMDAwMFowHjEcMBoGA1UEAwwTZWUtc2VjcDM4NHIxLWRpcmVjdDB2MBAG +ByqGSM49AgEGBSuBBAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22CO +JS3ktxMtqM6Y6DFTTmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXED +viiIz/AC8Fr3Gh/dzIN0qm6pzjAKBggqhkjOPQQDAgNpADBmAjEA7QYnPqFoOlS0 +2BpDdIRIljzmPr6BFwPs1z1y8KJUBlnU7EVG6FbnXmVVt5Op9wDzAjEAu7C/bumy +Dq9mke/MI7TCi3WKCJ5jFXDA2qErfTjJQ2FvSVk4970Vd78vSR8e7xZ3 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem.certspec new file mode 100644 index 0000000000..386ab95f78 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1-direct.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca-secp384r1 +subject:ee-secp384r1-direct +issuerKey:secp384r1 +subjectKey:secp384r1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem new file mode 100644 index 0000000000..b3a310303a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBbzCB9qADAgECAhRHCf3/9aTW4X0AHQfxJGe+P2tNazAKBggqhkjOPQQDAjAY +MRYwFAYDVQQDDA1pbnQtc2VjcDM4NHIxMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAy +NDAyMDUwMDAwMDBaMBcxFTATBgNVBAMMDGVlLXNlY3AzODRyMTB2MBAGByqGSM49 +AgEGBSuBBAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMt +qM6Y6DFTTmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC +8Fr3Gh/dzIN0qm6pzjAKBggqhkjOPQQDAgNoADBlAjEA7QYnPqFoOlS02BpDdIRI +ljzmPr6BFwPs1z1y8KJUBlnU7EVG6FbnXmVVt5Op9wDzAjBtn1PwZNY1ZR//hvpP +r6deQnBTAS/f09KRS1DnuZypQdLFxlHVuGb3U5PL5bF298A= +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem.certspec new file mode 100644 index 0000000000..b8f7993be8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/ee-secp384r1.pem.certspec @@ -0,0 +1,5 @@ +issuer:int-secp384r1 +subject:ee-secp384r1 +issuerKey:secp384r1 +subjectKey:secp384r1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem new file mode 100644 index 0000000000..f886a9a3a6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0jCCAbqgAwIBAgIUActQ49AIBGNcpw2ugrUFaaE2qMIwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGY2EtcnNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMBIxEDAOBgNVBAMMB2ludC1yc2EwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQF +MAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBskZ1Lc1PHuC2r +Jk317zOhzQlXtGCx7EbKq+wd4kdb/1dnjEiLqgASktBIaNd2249DZC1bpiF+DGYR +k1D7DBfduygiukI3/MY19+tvUaM0C2RCo+H69pjFKGS0y9mVSxm15iwk4+DzAOpC +Q/duzYUflOQJVDL6adPWubRAlAk9p1n4LDD9JQhuGIE5Tt4MytjxN6aGSNb6erFd +mDgRS4dLN8JdwyI0b1AVIFulCpimnS/jf9PSEKD63xZmL/ofqXGe/V5OA3LsmHkw +rIocCL7q/F4wImI2hELlEVsT9O6hAFSC6yVtvSCsh1421+QR1xqrfqY6luO4rMK2 +AdB34jUa +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem.certspec new file mode 100644 index 0000000000..a86d28b44a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-rsa.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca-rsa +subject:int-rsa +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem new file mode 100644 index 0000000000..5a62aaf50a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBjzCCARWgAwIBAgIUKebpNrQIc1+bS1ss5l/kfaGctGwwCgYIKoZIzj0EAwIw +FzEVMBMGA1UEAwwMY2Etc2VjcDM4NHIxMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAy +NDAyMDUwMDAwMDBaMBgxFjAUBgNVBAMMDWludC1zZWNwMzg0cjEwdjAQBgcqhkjO +PQIBBgUrgQQAIgNiAAShaHJDNitcexiJ83kVRhWhxz+0je6GPgIpFdtgjiUt5LcT +LajOmOgxU05qnAwLCcjWOa3oMgbluoE0c6EfozDgXajJbkOD/ieHPalxA74oiM/w +AvBa9xof3cyDdKpuqc6jHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG +CCqGSM49BAMCA2gAMGUCMQDtBic+oWg6VLTYGkN0hEiWPOY+voEXA+zXPXLwolQG +WdTsRUboVudeZVW3k6n3APMCMD4MFMoR0AN/qV8Z7nT39tgi0LNpH8s05ltV61rc +qqcPR+e8kOLUxDV29JfJM4icfg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem.certspec b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem.certspec new file mode 100644 index 0000000000..e002a1569a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_signatures/int-secp384r1.pem.certspec @@ -0,0 +1,7 @@ +issuer:ca-secp384r1 +subject:int-secp384r1 +issuerKey:secp384r1 +subjectKey:secp384r1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign 
diff --git a/security/manager/ssl/tests/unit/test_cert_storage.js b/security/manager/ssl/tests/unit/test_cert_storage.js
new file mode 100644
index 0000000000..7cb61e2b6a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage.js
@@ -0,0 +1,258 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// This test checks a number of things: +// * it ensures that data loaded from revocations.txt on startup is present +// * it ensures that data served from OneCRL are persisted correctly +// * it ensures that items in the CertBlocklist are seen as revoked by the +// cert verifier +// * it does a sanity check to ensure other cert verifier behavior is +// unmodified + +const { RemoteSecuritySettings } = ChromeUtils.import( + "resource://gre/modules/psm/RemoteSecuritySettings.jsm" +); + +// First, we need to setup appInfo for the blocklist service to work +var id = "xpcshell@tests.mozilla.org"; +var appName = "XPCShell"; +var version = "1"; +var platformVersion = "1.9.2"; +const { updateAppInfo } = ChromeUtils.importESModule( + "resource://testing-common/AppInfo.sys.mjs" +); +updateAppInfo({ + name: appName, + ID: id, + version, + platformVersion: platformVersion ? platformVersion : "1.0", + crashReporter: true, +}); + +// we need to ensure we setup revocation data before certDB, or we'll start with +// no revocation.txt in the profile +var gProfile = do_get_profile(); + +var gRevocations = gProfile.clone(); +gRevocations.append("revocations.txt"); +if (!gRevocations.exists()) { + let existing = do_get_file("test_onecrl/sample_revocations.txt", false); + existing.copyTo(gProfile, "revocations.txt"); +} + +var certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +const certBlocklist = [ + // test with some bad data ... 
+ { + issuerName: "Some nonsense in issuer", + serialNumber: "AkHVNA==", + }, + { + issuerName: "MA0xCzAJBgNVBAMMAmNh", + serialNumber: "some nonsense in serial", + }, + { + issuerName: "and serial", + serialNumber: "some nonsense in both issuer", + }, + // some mixed + // In these case, the issuer name and the valid serialNumber correspond + // to test-int.pem in bad_certs/ + { + issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=", + serialNumber: "oops! more nonsense.", + }, + { + issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=", + serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=", + }, + // ... and some good + // In this case, the issuer name and the valid serialNumber correspond + // to other-test-ca.pem in bad_certs/ (for testing root revocation) + { + issuerName: "MBgxFjAUBgNVBAMMDU90aGVyIHRlc3QgQ0E=", + serialNumber: "Rym6o+VN9xgZXT/QLrvN/nv1ZN4=", + }, + // These items correspond to an entry in sample_revocations.txt where: + // isser name is the base-64 encoded subject DN for the shared Test + // Intermediate and the serialNumbers are base-64 encoded 78 and 31, + // respectively. + // We need this to ensure that existing items are retained if they're + // also in the blocklist + { + issuerName: "MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl", + serialNumber: "Tg==", + }, + { + issuerName: "MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl", + serialNumber: "Hw==", + }, + // This item revokes same-issuer-ee.pem by subject and pubKeyHash. + { + subject: "MCIxIDAeBgNVBAMMF0Fub3RoZXIgVGVzdCBFbmQtZW50aXR5", + pubKeyHash: "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=", + }, +]; + +function verify_cert(file, expectedError) { + let ee = constructCertFromFile(file); + return checkCertErrorGeneric( + certDB, + ee, + expectedError, + certificateUsageSSLServer + ); +} + +// The certificate blocklist currently only applies to TLS server certificates. 
+async function verify_non_tls_usage_succeeds(file) { + let ee = constructCertFromFile(file); + await checkCertErrorGeneric( + certDB, + ee, + PRErrorCodeSuccess, + certificateUsageSSLClient + ); + await checkCertErrorGeneric( + certDB, + ee, + PRErrorCodeSuccess, + certificateUsageEmailSigner + ); + await checkCertErrorGeneric( + certDB, + ee, + PRErrorCodeSuccess, + certificateUsageEmailRecipient + ); +} + +function load_cert(cert, trust) { + let file = "bad_certs/" + cert + ".pem"; + addCertFromFile(certDB, file, trust); +} + +async function update_blocklist() { + const { OneCRLBlocklistClient } = RemoteSecuritySettings.init(); + + const fakeEvent = { + current: certBlocklist, // with old .txt revocations. + deleted: [], + created: certBlocklist, // with new cert storage. + updated: [], + }; + await OneCRLBlocklistClient.emit("sync", { data: fakeEvent }); + // Save the last check timestamp, used by cert_storage to assert + // if the blocklist is «fresh». + Services.prefs.setIntPref( + OneCRLBlocklistClient.lastCheckTimePref, + Math.floor(Date.now() / 1000) + ); +} + +function run_test() { + // import the certificates we need + load_cert("test-ca", "CTu,CTu,CTu"); + load_cert("test-int", ",,"); + load_cert("other-test-ca", "CTu,CTu,CTu"); + + add_task(async function() { + // check some existing items in revocations.txt are blocked. 
+ // This test corresponds to: + // issuer: MBIxEDAOBgNVBAMMB1Rlc3QgQ0E= (CN=Test CA) + // serial: Kg== (42) + let file = "test_onecrl/ee-revoked-by-revocations-txt.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + + // This test corresponds to: + // issuer: MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl (CN=Test Intermediate) + // serial: Tg== (78) + file = "test_onecrl/another-ee-revoked-by-revocations-txt.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + + // And this test corresponds to: + // issuer: MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl (CN=Test Intermediate) + // serial: Hw== (31) + // (we test this issuer twice to ensure we can read multiple serials) + file = "test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + + // Test that a certificate revoked by subject and public key hash in + // revocations.txt is revoked + // subject: MCsxKTAnBgNVBAMMIEVFIFJldm9rZWQgQnkgU3ViamVjdCBhbmQgUHViS2V5 + // (CN=EE Revoked By Subject and PubKey) + // pubkeyhash: VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8 (this is the + // shared RSA SPKI) + file = "test_onecrl/ee-revoked-by-subject-and-pubkey.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + + // Soon we'll load a blocklist which revokes test-int.pem, which issued + // test-int-ee.pem. + // Check the cert validates before we load the blocklist + file = "test_onecrl/test-int-ee.pem"; + await verify_cert(file, PRErrorCodeSuccess); + + // The blocklist also revokes other-test-ca.pem, which issued + // other-ca-ee.pem. Check the cert validates before we load the blocklist + file = "bad_certs/other-issuer-ee.pem"; + await verify_cert(file, PRErrorCodeSuccess); + + // The blocklist will revoke same-issuer-ee.pem via subject / pubKeyHash. 
+ // Check the cert validates before we load the blocklist + file = "test_onecrl/same-issuer-ee.pem"; + await verify_cert(file, PRErrorCodeSuccess); + }); + + // blocklist load is async so we must use add_test from here + add_task(update_blocklist); + + add_task(async function() { + // The blocklist will be loaded now. Let's check the data is sane. + // In particular, we should still have the revoked issuer / serial pair + // that was in revocations.txt but not the blocklist. + let file = "test_onecrl/ee-revoked-by-revocations-txt.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + + // We should also still have the revoked issuer / serial pairs that were in + // revocations.txt and are also in the blocklist. + file = "test_onecrl/another-ee-revoked-by-revocations-txt.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + file = "test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + + // The cert revoked by subject and pubkeyhash should still be revoked. 
+ file = "test_onecrl/ee-revoked-by-subject-and-pubkey.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + + // Check the blocklisted intermediate now causes a failure + file = "test_onecrl/test-int-ee.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + await verify_non_tls_usage_succeeds(file); + + // Check the ee with the blocklisted root also causes a failure + file = "bad_certs/other-issuer-ee.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + await verify_non_tls_usage_succeeds(file); + + // Check the ee blocked by subject / pubKey causes a failure + file = "test_onecrl/same-issuer-ee.pem"; + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + await verify_non_tls_usage_succeeds(file); + + // Check a non-blocklisted chain still validates OK + file = "bad_certs/default-ee.pem"; + await verify_cert(file, PRErrorCodeSuccess); + + // Check a bad cert is still bad (unknown issuer) + file = "bad_certs/unknownissuer.pem"; + await verify_cert(file, SEC_ERROR_UNKNOWN_ISSUER); + }); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_cert_storage_broken_db.js b/security/manager/ssl/tests/unit/test_cert_storage_broken_db.js new file mode 100644 index 0000000000..185f7cff00 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_broken_db.js 
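Review bot: Two comments in `run_test` do not match the code they describe. `// blocklist load is async so we must use add_test from here` sits above `add_task(update_blocklist)`; it could read `// blocklist load is async, so it runs in its own add_task`. The comment naming `other-ca-ee.pem` precedes a check of `bad_certs/other-issuer-ee.pem` and should name that file. In a revocation test the comments are the only map from blocklist entries to fixtures, so they are worth keeping exact.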
@@ -0,0 +1,72 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This file tests cert_storage's automatic database recreation mechanism. If
+// opening the database for the first time fails, cert_storage will re-create
+// it.
+
+function call_has_prior_data(certStorage, type) {
+ return new Promise(resolve => {
+ certStorage.hasPriorData(type, (rv, hasPriorData) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve(hasPriorData);
+ });
+ });
+}
+
+async function check_has_prior_revocation_data(certStorage, expectedResult) {
+ let hasPriorRevocationData = await call_has_prior_data(
+ certStorage,
+ Ci.nsICertStorage.DATA_TYPE_REVOCATION
+ );
+ Assert.equal(
+ hasPriorRevocationData,
+ expectedResult,
+ `should ${expectedResult ? "have" : "not have"} prior revocation data`
+ );
+}
+
+async function check_has_prior_cert_data(certStorage, expectedResult) {
+ let hasPriorCertData = await call_has_prior_data(
+ certStorage,
+ Ci.nsICertStorage.DATA_TYPE_CERTIFICATE
+ );
+ Assert.equal(
+ hasPriorCertData,
+ expectedResult,
+ `should ${expectedResult ? "have" : "not have"} prior cert data`
+ );
+}
+
+add_task(async function() {
+ // Create an invalid database.
+ let fileToCopy = do_get_file("test_cert_storage_broken_db.js");
+ let dbDirectory = do_get_profile();
+ dbDirectory.append("security_state");
+ fileToCopy.copyTo(dbDirectory, "data.mdb");
+
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+ check_has_prior_revocation_data(certStorage, false);
+ check_has_prior_cert_data(certStorage, false);
+
+ let result = await new Promise(resolve => {
+ certStorage.setRevocations([], resolve);
+ });
+ Assert.equal(result, Cr.NS_OK, "setRevocations should succeed");
+
+ check_has_prior_revocation_data(certStorage, true);
+ check_has_prior_cert_data(certStorage, false);
+
+ result = await new Promise(resolve => {
+ certStorage.addCerts([], resolve);
+ });
+ Assert.equal(result, Cr.NS_OK, "addCerts should succeed");
+
+ check_has_prior_revocation_data(certStorage, true);
+ check_has_prior_cert_data(certStorage, true);
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct.js b/security/manager/ssl/tests/unit/test_cert_storage_direct.js
new file mode 100644
index 0000000000..a1ba818dd9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct.js
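Review bot: In test_cert_storage_broken_db.js the six calls to `check_has_prior_revocation_data(...)` and `check_has_prior_cert_data(...)` inside the `add_task` body are not awaited, although both helpers are `async` and make their assertion only after `hasPriorData` calls back. The task therefore does not wait for any of these checks, and the last pair may still be pending when the task function returns, so a wrong "has prior data" state after database re-creation could be reported late or, presumably, not attributed to this task at all. Each call should be awaited, e.g. `await check_has_prior_revocation_data(certStorage, false);`, so the before/after state is actually verified in sequence with `setRevocations` and `addCerts`.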
@@ -0,0 +1,417 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// This file consists of unit tests for cert_storage (whereas test_cert_storage.js is more of an +// integration test). + +do_get_profile(); + +this.certStorage = Cc["@mozilla.org/security/certstorage;1"].getService( + Ci.nsICertStorage +); + +async function addCerts(certInfos) { + let result = await new Promise(resolve => { + certStorage.addCerts(certInfos, resolve); + }); + Assert.equal(result, Cr.NS_OK, "addCerts should succeed"); +} + +async function removeCertsByHashes(hashesBase64) { + let result = await new Promise(resolve => { + certStorage.removeCertsByHashes(hashesBase64, resolve); + }); + Assert.equal(result, Cr.NS_OK, "removeCertsByHashes should succeed"); +} + +function getLongString(uniquePart, length) { + return String(uniquePart).padStart(length, "0"); +} + +class CertInfo { + constructor(cert, subject) { + this.cert = btoa(cert); + this.subject = btoa(subject); + this.trust = Ci.nsICertStorage.TRUST_INHERIT; + } +} +CertInfo.prototype.QueryInterface = ChromeUtils.generateQI(["nsICertInfo"]); + +add_task(async function test_common_subject() { + let someCert1 = new CertInfo( + "some certificate bytes 1", + "some common subject" + ); + let someCert2 = new CertInfo( + "some certificate bytes 2", + "some common subject" + ); + let someCert3 = new CertInfo( + "some certificate bytes 3", + "some common subject" + ); + await addCerts([someCert1, someCert2, someCert3]); + let storedCerts = certStorage.findCertsBySubject( + stringToArray("some common subject") + ); + let storedCertsAsStrings = storedCerts.map(arrayToString); + let expectedCerts = [ + "some certificate bytes 1", + "some certificate bytes 2", + "some certificate bytes 3", + ]; + Assert.deepEqual( + 
storedCertsAsStrings.sort(), + expectedCerts.sort(), + "should find expected certs" + ); + + await addCerts([ + new CertInfo("some other certificate bytes", "some other subject"), + ]); + storedCerts = certStorage.findCertsBySubject( + stringToArray("some common subject") + ); + storedCertsAsStrings = storedCerts.map(arrayToString); + Assert.deepEqual( + storedCertsAsStrings.sort(), + expectedCerts.sort(), + "should still find expected certs" + ); + + let storedOtherCerts = certStorage.findCertsBySubject( + stringToArray("some other subject") + ); + let storedOtherCertsAsStrings = storedOtherCerts.map(arrayToString); + let expectedOtherCerts = ["some other certificate bytes"]; + Assert.deepEqual( + storedOtherCertsAsStrings, + expectedOtherCerts, + "should have other certificate" + ); +}); + +add_task(async function test_many_entries() { + const NUM_CERTS = 500; + const CERT_LENGTH = 3000; + const SUBJECT_LENGTH = 40; + let certs = []; + for (let i = 0; i < NUM_CERTS; i++) { + certs.push( + new CertInfo( + getLongString(i, CERT_LENGTH), + getLongString(i, SUBJECT_LENGTH) + ) + ); + } + await addCerts(certs); + for (let i = 0; i < NUM_CERTS; i++) { + let subject = stringToArray(getLongString(i, SUBJECT_LENGTH)); + let storedCerts = certStorage.findCertsBySubject(subject); + Assert.equal( + storedCerts.length, + 1, + "should have 1 certificate (lots of data test)" + ); + let storedCertAsString = arrayToString(storedCerts[0]); + Assert.equal( + storedCertAsString, + getLongString(i, CERT_LENGTH), + "certificate should be as expected (lots of data test)" + ); + } +}); + +add_task(async function test_removal() { + // As long as cert_storage is given valid base64, attempting to delete some nonexistent + // certificate will "succeed" (it'll do nothing). 
+ await removeCertsByHashes([btoa("thishashisthewrongsize")]); + + let removalCert1 = new CertInfo( + "removal certificate bytes 1", + "common subject to remove" + ); + let removalCert2 = new CertInfo( + "removal certificate bytes 2", + "common subject to remove" + ); + let removalCert3 = new CertInfo( + "removal certificate bytes 3", + "common subject to remove" + ); + await addCerts([removalCert1, removalCert2, removalCert3]); + + let storedCerts = certStorage.findCertsBySubject( + stringToArray("common subject to remove") + ); + let storedCertsAsStrings = storedCerts.map(arrayToString); + let expectedCerts = [ + "removal certificate bytes 1", + "removal certificate bytes 2", + "removal certificate bytes 3", + ]; + Assert.deepEqual( + storedCertsAsStrings.sort(), + expectedCerts.sort(), + "should find expected certs before removing them" + ); + + // echo -n "removal certificate bytes 2" | sha256sum | xxd -r -p | base64 + await removeCertsByHashes(["2nUPHwl5TVr1mAD1FU9FivLTlTb0BAdnVUhsYgBccN4="]); + storedCerts = certStorage.findCertsBySubject( + stringToArray("common subject to remove") + ); + storedCertsAsStrings = storedCerts.map(arrayToString); + expectedCerts = [ + "removal certificate bytes 1", + "removal certificate bytes 3", + ]; + Assert.deepEqual( + storedCertsAsStrings.sort(), + expectedCerts.sort(), + "should only have first and third certificates now" + ); + + // echo -n "removal certificate bytes 1" | sha256sum | xxd -r -p | base64 + await removeCertsByHashes(["8zoRqHYrklr7Zx6UWpzrPuL+ol8KL1Ml6XHBQmXiaTY="]); + storedCerts = certStorage.findCertsBySubject( + stringToArray("common subject to remove") + ); + storedCertsAsStrings = storedCerts.map(arrayToString); + expectedCerts = ["removal certificate bytes 3"]; + Assert.deepEqual( + storedCertsAsStrings.sort(), + expectedCerts.sort(), + "should only have third certificate now" + ); + + // echo -n "removal certificate bytes 3" | sha256sum | xxd -r -p | base64 + await 
removeCertsByHashes(["vZn7GwDSabB/AVo0T+N26nUsfSXIIx4NgQtSi7/0p/w="]); + storedCerts = certStorage.findCertsBySubject( + stringToArray("common subject to remove") + ); + Assert.equal(storedCerts.length, 0, "shouldn't have any certificates now"); + + // echo -n "removal certificate bytes 3" | sha256sum | xxd -r -p | base64 + // Again, removing a nonexistent certificate should "succeed". + await removeCertsByHashes(["vZn7GwDSabB/AVo0T+N26nUsfSXIIx4NgQtSi7/0p/w="]); +}); + +add_task(async function test_batched_removal() { + let removalCert1 = new CertInfo( + "batch removal certificate bytes 1", + "batch subject to remove" + ); + let removalCert2 = new CertInfo( + "batch removal certificate bytes 2", + "batch subject to remove" + ); + let removalCert3 = new CertInfo( + "batch removal certificate bytes 3", + "batch subject to remove" + ); + await addCerts([removalCert1, removalCert2, removalCert3]); + let storedCerts = certStorage.findCertsBySubject( + stringToArray("batch subject to remove") + ); + let storedCertsAsStrings = storedCerts.map(arrayToString); + let expectedCerts = [ + "batch removal certificate bytes 1", + "batch removal certificate bytes 2", + "batch removal certificate bytes 3", + ]; + Assert.deepEqual( + storedCertsAsStrings.sort(), + expectedCerts.sort(), + "should find expected certs before removing them" + ); + // echo -n "batch removal certificate bytes 1" | sha256sum | xxd -r -p | base64 + // echo -n "batch removal certificate bytes 2" | sha256sum | xxd -r -p | base64 + // echo -n "batch removal certificate bytes 3" | sha256sum | xxd -r -p | base64 + await removeCertsByHashes([ + "EOEEUTuanHZX9NFVCoMKVT22puIJC6g+ZuNPpJgvaa8=", + "Xz6h/Kvn35cCLJEZXkjPqk1GG36b56sreLyAXpO+0zg=", + "Jr7XdiTT8ZONUL+ogNNMW2oxKxanvYOLQPKBPgH/has=", + ]); + storedCerts = certStorage.findCertsBySubject( + stringToArray("batch subject to remove") + ); + Assert.equal(storedCerts.length, 0, "shouldn't have any certificates now"); +}); + +class CRLiteCoverage { + 
constructor(ctLogID, minTimestamp, maxTimestamp) { + this.b64LogID = ctLogID; + this.minTimestamp = minTimestamp; + this.maxTimestamp = maxTimestamp; + } +} +CRLiteCoverage.prototype.QueryInterface = ChromeUtils.generateQI([ + "nsICRLiteCoverage", +]); + +add_task(async function test_crlite_filter() { + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + addCertFromFile( + certdb, + "test_cert_storage_direct/valid-cert-issuer.pem", + ",," + ); + let validCert = constructCertFromFile( + "test_cert_storage_direct/valid-cert.pem" + ); + addCertFromFile( + certdb, + "test_cert_storage_direct/revoked-cert-issuer.pem", + ",," + ); + let revokedCert = constructCertFromFile( + "test_cert_storage_direct/revoked-cert.pem" + ); + let filterFile = do_get_file( + "test_cert_storage_direct/test-filter.crlite", + false + ); + ok(filterFile.exists(), "test filter file should exist"); + let enrollment = []; + let coverage = []; + let filterBytes = stringToArray(readFile(filterFile)); + // First simualte a filter that does not cover any certificates. With CRLite + // enabled, none of the certificates should appear to be revoked. 
+ let setFullCRLiteFilterResult = await new Promise(resolve => { + certStorage.setFullCRLiteFilter(filterBytes, enrollment, coverage, resolve); + }); + Assert.equal( + setFullCRLiteFilterResult, + Cr.NS_OK, + "setFullCRLiteFilter should succeed" + ); + + Services.prefs.setIntPref( + "security.pki.crlite_mode", + CRLiteModeEnforcePrefValue + ); + await checkCertErrorGenericAtTime( + certdb, + validCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2019-11-04T00:00:00Z").getTime() / 1000, + false, + "skynew.jp", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); + await checkCertErrorGenericAtTime( + certdb, + revokedCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2019-11-04T00:00:00Z").getTime() / 1000, + false, + "schunk-group.com", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); + + // Now replace the filter with one that covers the "valid" and "revoked" + // certificates. CRLite should flag the revoked certificate. + coverage.push( + new CRLiteCoverage( + "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=", + 0, + 1641612275000 + ) + ); + + // crlite_enrollment_id.py test_crlite_filters/issuer.pem + enrollment.push("UbH9/ZAnjuqf79Xhah1mFOWo6ZvgQCgsdheWfjvVUM8="); + // crlite_enrollment_id.py test_crlite_filters/no-sct-issuer.pem + enrollment.push("Myn7EasO1QikOtNmo/UZdh6snCAw0BOY6wgU8OsUeeY="); + // crlite_enrollment_id.py test_cert_storage_direct/revoked-cert-issuer.pem + enrollment.push("HTvSp2263dqBYtgYA2fldKAoTYcEVLPVTlRia9XaoCQ="); + + setFullCRLiteFilterResult = await new Promise(resolve => { + certStorage.setFullCRLiteFilter(filterBytes, enrollment, coverage, resolve); + }); + Assert.equal( + setFullCRLiteFilterResult, + Cr.NS_OK, + "setFullCRLiteFilter should succeed" + ); + await checkCertErrorGenericAtTime( + certdb, + validCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2019-11-04T00:00:00Z").getTime() / 1000, + false, + "skynew.jp", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); + await checkCertErrorGenericAtTime( + 
certdb, + revokedCert, + SEC_ERROR_REVOKED_CERTIFICATE, + certificateUsageSSLServer, + new Date("2019-11-04T00:00:00Z").getTime() / 1000, + false, + "schunk-group.com", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); + + // If we're only collecting telemetry, none of the certificates should appear to be revoked. + Services.prefs.setIntPref( + "security.pki.crlite_mode", + CRLiteModeTelemetryOnlyPrefValue + ); + await checkCertErrorGenericAtTime( + certdb, + validCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2019-11-04T00:00:00Z").getTime() / 1000, + false, + "skynew.jp", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); + await checkCertErrorGenericAtTime( + certdb, + revokedCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2019-11-04T00:00:00Z").getTime() / 1000, + false, + "schunk-group.com", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); + + // If CRLite is disabled, none of the certificates should appear to be revoked. + Services.prefs.setIntPref( + "security.pki.crlite_mode", + CRLiteModeDisabledPrefValue + ); + await checkCertErrorGenericAtTime( + certdb, + validCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2019-11-04T00:00:00Z").getTime() / 1000, + false, + "skynew.jp", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); + await checkCertErrorGenericAtTime( + certdb, + revokedCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2019-11-04T00:00:00Z").getTime() / 1000, + false, + "schunk-group.com", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); +}); diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert-issuer.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert-issuer.pem new file mode 100644 index 0000000000..d775817b33 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert-issuer.pem 
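Review bot: In `test_crlite_filter` of test_cert_storage_direct.js the validation time `new Date("2019-11-04T00:00:00Z").getTime() / 1000` is repeated in all eight `checkCertErrorGenericAtTime` calls with no explanation of why that instant was chosen. The test only means something if that time lies inside both fixtures' validity periods and inside the coverage window pushed later (`0` to `1641612275000`), which a reader cannot confirm from the call sites. I would hoist it once with a comment, e.g. `const VALIDATION_TIME = new Date("2019-11-04T00:00:00Z").getTime() / 1000; // within both certs' validity and the filter's coverage`, and pass `VALIDATION_TIME` in each call. The comment above the first `setFullCRLiteFilter` call also has a typo ("simualte").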
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEoDCCA4igAwIBAgIQBpaPlkroI1bHThfCtTZbADANBgkqhkiG9w0BAQsFADBs +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j +ZSBFViBSb290IENBMB4XDTE3MTEwNjEyMjI1N1oXDTI3MTEwNjEyMjI1N1owXzEL +MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3 +LmRpZ2ljZXJ0LmNvbTEeMBwGA1UEAxMVVGhhd3RlIEVWIFJTQSBDQSAyMDE4MIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp0Cu52zmdJFnSezXMKvL0rso +WgA/1X7OxjMQHsAllID1eDG836ptJXSTPg+DoEenHfkKyw++wXobgahr0cU/2v8R +WR3fID53ZDhEGHzS+Ol7V+HRtZG5teMWCY7gldtBQH0r7xUEp/3ISVsZUVBqtUmL +VJlf9nxJD6Cxp4LBlcJJ8+N6kSkV+fA+WdQc0HYhXSg3PxJP7XSU28Wc7gf6y9kZ +zQhK4WrZLRrHHbHC2QXdqQYUxR927QV+UCNXnlbTcZy2QpxWTPLzK+/cKXX4cwP6 +MGF7+8RnUgHlij/5V2k/tIF9ep4B72ucqaS/UhEPpIN/T7A3OAw995yrB38glQID +AQABo4IBSTCCAUUwHQYDVR0OBBYEFOcB/AwWGMp9sozshyejb2GBO4Q5MB8GA1Ud +IwQYMBaAFLE+w2kD+L9HAdSYJhoIAu9jZCvDMA4GA1UdDwEB/wQEAwIBhjAdBgNV +HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADA0 +BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0 +LmNvbTBLBgNVHR8ERDBCMECgPqA8hjpodHRwOi8vY3JsMy5kaWdpY2VydC5jb20v +RGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZSb290Q0EuY3JsMD0GA1UdIAQ2MDQwMgYE +VR0gADAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BT +MA0GCSqGSIb3DQEBCwUAA4IBAQAWGka+5ffLpfFuzT+WlwDRwhyTZSunnvecZWZT +PPKXipynjpXx5dK8YG+2XoH74285GR1UABuvHMFV94XeDET9Pzz5s/NHS1/eAr5e +GdwfBl80XwPkwXaYqzRtw6J4RAxeLqcbibhUQv9Iev9QcP0kNPyJu413Xov76mSu +JlGThKzcurJPive2eLmwmoIgTPH11N/IIO9nHLVe8KTkt+FGgZCOWHA3kbFBZR39 +Mn2hFS974rhUkM+VS9KbCiQQ5OwkfbZ/6BINkE1CMtiESZ2WkbxJKPsF3dN7p9DF +YWiQSbYjFP+rCT0/MkaHHYUkEvLNPgyJ6z29eMf0DjLu/SXJ +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert.pem new file mode 100644 index 0000000000..81e01bd783 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert.pem 
@@ -0,0 +1,41 @@ +-----BEGIN CERTIFICATE----- +MIIHOzCCBiOgAwIBAgIQBi31aKBRMQgg1+xDJ+G6/TANBgkqhkiG9w0BAQsFADBf +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMR4wHAYDVQQDExVUaGF3dGUgRVYgUlNBIENBIDIwMTgw +HhcNMTgwNTI4MDAwMDAwWhcNMjAwNTIxMTIwMDAwWjCB6zEdMBsGA1UEDwwUUHJp +dmF0ZSBPcmdhbml6YXRpb24xEzARBgsrBgEEAYI3PAIBAxMCREUxFjAUBgsrBgEE +AYI3PAIBAhMFSGVzc2UxGDAWBgsrBgEEAYI3PAIBAQwHR2llw59lbjERMA8GA1UE +BRMISFJCIDY5MDIxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xFDASBgNV +BAcTC0hldWNoZWxoZWltMRQwEgYDVQQKEwtTY2h1bmsgR21iSDELMAkGA1UECxMC +SVQxGTAXBgNVBAMTEHNjaHVuay1ncm91cC5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQCvkuQZz2ExPv9paJb622OOk+o4bWnjDe1zHGK6qnK25mMT +Zldk74sXF+Wfr9lbwqHTcjGhQFwmVDqvtr55KVX8FOv0CSqNaewOrnNrFz8Xg4rn +OlIs3+MmqD5CIK+el0rA+xltEY8WvNlwZKG7yeJYrdsr+5DAThDuwCVe8bU7it4h +sjsMsof5ocee9zDkFThNVGR4sMk5EgBxb1Gt4n9wXUj4OBT78whhlkLH/pVZrrhs +tQwC3q90MOPC5RJcEolSCNjGdHCKRbexmRqJgbJj/qZ9JT+fQ+Ko6a+UAWvc2BUc +POnzGV2GzCdFFGOubJb6RjU0nuPG4Lmdc/BuS9kFAgMBAAGjggNkMIIDYDAfBgNV +HSMEGDAWgBTnAfwMFhjKfbKM7Icno29hgTuEOTAdBgNVHQ4EFgQUNb1SY8Bkil98 +tD8zoxE30jBA1NIwZwYDVR0RBGAwXoIQc2NodW5rLWdyb3VwLmNvbYIUd3d3LnNj +aHVuay1ncm91cC5jb22CG3NjaHVuay1jYXJib250ZWNobm9sb2d5LmNvbYIXc2No +dW5rLXNpbnRlcm1ldGFscy5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG +CCsGAQUFBwMBBggrBgEFBQcDAjA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY2Rw +LnRoYXd0ZS5jb20vVGhhd3RlRVZSU0FDQTIwMTguY3JsMEsGA1UdIAREMEIwNwYJ +YIZIAYb9bAIBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNv +bS9DUFMwBwYFZ4EMAQEwcQYIKwYBBQUHAQEEZTBjMCQGCCsGAQUFBzABhhhodHRw +Oi8vc3RhdHVzLnRoYXd0ZS5jb20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9jYWNlcnRz +LnRoYXd0ZS5jb20vVGhhd3RlRVZSU0FDQTIwMTguY3J0MAkGA1UdEwQCMAAwggF7 +BgorBgEEAdZ5AgQCBIIBawSCAWcBZQB1AKS5CZC0GFgUh7sTosxncAo8NZgE+Rvf +uON3zQ7IDdwQAAABY6Ze9XAAAAQDAEYwRAIgNUeXL3GwlpGQtTS/wKBlOkHJvHR5 +knSop0OPumeCfQECIEdxY7qr/WRVbWkQFvP48fgWkZHkd4vTq70Y0aaSZTbPAHUA +VhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0AAAFjpl71tQAABAMARjBE 
+AiAtxKdc/wum3TE7r9BoRd/gkrjYLWyqeLuL/opRBRy9xwIgPF6uEZxyhEoLZ+9G +AFBAP+X89zjZphVALjIXu0RRea4AdQC72d+8H4pxtZOUI5eqkntHOFeVCqtS6BqQ +lmQ2jh7RhQAAAWOmXvY1AAAEAwBGMEQCIHc04ERlUbIkVrlC+I89C9xtugvRCwbR +a7qZzSdqHltUAiBRVwTacf1dnO9AgLSgrxft5LV32DvH3qNT7pWYh8dFNjANBgkq +hkiG9w0BAQsFAAOCAQEARJ+tbnM+yS6chgpyzfB3e7IWPq2Den46Ja1H6/4qaKrd +nsbElcvd4cCQf1zYY6jlQkO6qtfMUChKrEar5aqqnyX8x/8T9PkpHp8XyUxgGlmT +hrnHML0gDJFS8O4MB5pFnGkgoOQa+OIQokWCXr4/a4AwsTG3Ms+lC+R+vRYz90lg +TEJLNHB2fSvQyvpXDUL9aAjACBp/9pKxfM9iq06MFO5jP483xJUfdqtVteHMw75w +1mb8IrM9R1dP47GsblTrf2rZYdaoxdyLjtJQG2aaOdU5unE6QeFrXbz0qeTPePs8 +ftuXSW9xb053HjAkCcVo48j07b2cHfU1hxzGGptVbQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/test-filter.crlite b/security/manager/ssl/tests/unit/test_cert_storage_direct/test-filter.crlite new file mode 100644 index 0000000000..34ced4b840 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_cert_storage_direct/test-filter.crlite differ diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert-issuer.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert-issuer.pem new file mode 100644 index 0000000000..705827a85e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert-issuer.pem 
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEkDCCA3igAwIBAgIJIrmxUyPlrv3NMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV +BAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMScw +JQYDVQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTIwHhcNMTgwODIy +MDczMjI0WhcNMjgwODIyMDczMjI0WjBQMQswCQYDVQQGEwJKUDElMCMGA1UEChMc +U0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEaMBgGA1UEAxMRQ3Jvc3NUcnVz +dCBEViBDQTUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnTNi5Kgrt +FL8qBuEmpL2gvLFY7f9MEgjzClvic/45ebM+DxZ2CMuqtMtImgf8XPIpLaFFbozx +3VgqH41cmGHbpAoDRKpwfF1f53peHYhRxpOVgcnsiVCPZJPBPCUM9St+cuEjfo0d +YGbr3aG5urdT2zeKIFyxKbggdkU0LVRHwvLFsIpXCn/YK/8Rmx87yW9VB80OXkzf +IQoZop83+aebq1VwzjNCN3u4bWSFLYDyJGqE40WlZ53NZh+TwBsa6gld9YXPGQfx +k8x38zkFXberlMQOYhX9KyuTOMdlFkbx6LfIUqVKJavpcr54+XPzVyeroNPpKxtZ +mEqUYiFjAqUVAgMBAAGjggFeMIIBWjAdBgNVHQ4EFgQUT4twz6lAHJbllF13rNZv +TS2b8ncwHwYDVR0jBBgwFoAUCoWpd2UFmHxAgfgPlyw48QrsPM8wEgYDVR0TAQH/ +BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwSQYDVR0fBEIwQDA+oDygOoY4aHR0 +cDovL3JlcG9zaXRvcnkuc2Vjb210cnVzdC5uZXQvU0MtUm9vdDIvU0NSb290MkNS +TC5jcmwwUgYDVR0gBEswSTBHBgoqgwiMmxtkhwUEMDkwNwYIKwYBBQUHAgEWK2h0 +dHBzOi8vcmVwb3NpdG9yeS5zZWNvbXRydXN0Lm5ldC9TQy1Sb290Mi8wQAYIKwYB +BQUHAQEENDAyMDAGCCsGAQUFBzABhiRodHRwOi8vc2Nyb290Y2EyLm9jc3Auc2Vj +b210cnVzdC5uZXQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQAD +ggEBABEDSrrhhR+Js5q45yih2Ne4cMLZmrH0AZwU3eM+7HZplzi1EhppgvcYk/2k +LM9haQGWnAZ5wiixLqKu7WlWrHgblZbXyCxALmMBK1rqeP0omxXExqKVqWNHU8KZ +t3jahH1wDYSzfetM7guWR+PAPpb9oQCtAx8DVyI/3Ocswvti/uWb517Bdo6Nd0+9 +mf0LiphNKcSzSFX0s1Cb47cJROYHGBe2J6NUSWR7wE0asPtKsznGyNO+NJCUR+0h +OLN2cA2KJwPhZjYJt8UkucAF/EE7qC0Fc8B9Q/gttQ52en5BZxdkDrHCi4qnsSvi +gueQme/RzYkEaQlNT1WCZ9AIgVE= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert.pem b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert.pem new file mode 100644 index 0000000000..195d2d8ca2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_direct/valid-cert.pem 
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF4DCCBMigAwIBAgIQC3d196+a5UJlyc0yVxB3jjANBgkqhkiG9w0BAQsFADBQ +MQswCQYDVQQGEwJKUDElMCMGA1UEChMcU0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4s +TFRELjEaMBgGA1UEAxMRQ3Jvc3NUcnVzdCBEViBDQTUwHhcNMTkwNjExMDUyMjEy +WhcNMjEwNjMwMTQ1OTU5WjAUMRIwEAYDVQQDEwlza3luZXcuanAwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeciw7C297026HA4oIwc29vL2h29GVrRF7 +HGdeXzAJA7kh+qwo8rTBFfdX7sgHy6nnE1+flEtFt91Ss8i3BZMEqoFUZFb1jGXd +DbQtmIWxz7O5skkjR1gdKwt9GImy1hEPt8dwU52mwVsSUEKvlZlsjeofUPAEbnYY ++iA/nYaYXiXyCxJzk6Y09VlzghyMIhkLwDa7rL3S9FgUQI6tSUwsiNYNoQzlYgXF +yPfQfd57LbBwZJtqVPC6rjPOZZd0sw7uvrDNuxnAM2k2mzlML9Vwt8EvSlZX60xD +oGQCsQQ/ZgjEQTA8WRZ+fxW/LqQNYYm70KU/1M+e8o4MKmA9xkH5AgMBAAGjggLw +MIIC7DAfBgNVHSMEGDAWgBRPi3DPqUAcluWUXXes1m9NLZvydzA8BggrBgEFBQcB +AQQwMC4wLAYIKwYBBQUHMAGGIGh0dHA6Ly9kdmNhNS5vY3NwLnNlY29tdHJ1c3Qu +bmV0MCMGA1UdEQQcMBqCCXNreW5ldy5qcIINd3d3LnNreW5ldy5qcDBaBgNVHSAE +UzBRMEUGCiqDCIybG26BVQIwNzA1BggrBgEFBQcCARYpaHR0cHM6Ly9yZXBvMS5z +ZWNvbXRydXN0Lm5ldC9zcHBjYS94dGR2NS8wCAYGZ4EMAQIBMBMGA1UdJQQMMAoG +CCsGAQUFBwMBMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9yZXBvMS5zZWNvbXRy +dXN0Lm5ldC9zcHBjYS94dGR2NS9mdWxsY3JsLmNybDAdBgNVHQ4EFgQUuj9305tQ +JIeVAQtsz9JHx3PTqaQwDgYDVR0PAQH/BAQDAgWgMIIBfgYKKwYBBAHWeQIEAgSC +AW4EggFqAWgAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWtF +Bb6pAAAEAwBHMEUCIHUQkmFzUh01r1Px/zWMZSL21dNNQwM+rN1z0gutxV3JAiEA +jSb2/GAm4+2qiNWDtx1EkHsMXjNW+5S4GhJePexjJR8AdgDuS723dc5guuFCaR+r +4Z5mow9+X7By2IMAxHuJeqj9ywAAAWtFBcdeAAAEAwBHMEUCIDVHdfP9wnVgz45l +eX80DpRCRNEV/OCDwfW+B0g/dveYAiEArbpLQb5Z9hul3r00kF2LrivNuI7kwEBy +MpkYsLtSPJoAdgBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAWtF +BdCQAAAEAwBHMEUCIE2GUo6x3qDrIhacnCmjikBCHF2yT6Fv5GAehZB569YCAiEA +vXwMXV8+y3xNFys+A6u9EjKiy8CTKv+SQxqsJ4s6jK0wDQYJKoZIhvcNAQELBQAD +ggEBAAzlm9W+N5fviTJ9wDsc5nXKYur3744V/cm75+8dUM61Rko1isK6IZt5aNPN +wOfhBsTzHHSYmAFMR9Xjoq8iDYZtIk01IGI6LEWuls9F2hVcERiHMWJOLTiH35xN +vRNTG0AbBdIpTX2sURsoCPJ+8DTnVUr3pTzXnIY4EQ4UXfANuYwceOHShF6UJo/L 
+PK0uRdHcd5SmMa03gFUdkTc9gU6PIEO/UgubazGh9xDBHtHECeleL+gpSfOP3SkF +7W1RgmbE6WJdVPlto7FRQtl2xIzHs/gNaPezqNKPHgFlx4c+ECTjPLqoW8LdeXu+ +N8dueJg1+h+lQifkmgl23DqEIiI= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting.js b/security/manager/ssl/tests/unit/test_cert_storage_preexisting.js new file mode 100644 index 0000000000..744cc7fc37 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting.js 
@@ -0,0 +1,48 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// This file tests that cert_storage correctly persists its "has prior data"
+// information across runs of the browser.
+// (The test DB files for this test were created by running the test
+// `test_cert_storage_broken_db.js` and copying them from that test's profile
+// directory.)
+
+/* eslint-disable no-unused-vars */
+add_task(async function() {
+ let dbDirectory = do_get_profile();
+ dbDirectory.append("security_state");
+ let dbFile = do_get_file("test_cert_storage_preexisting/data.safe.bin");
+ dbFile.copyTo(dbDirectory, "data.safe.bin");
+
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+ let hasPriorRevocationData = await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_REVOCATION,
+ (rv, hasPriorData) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve(hasPriorData);
+ }
+ );
+ });
+ Assert.equal(
+ hasPriorRevocationData,
+ true,
+ "should have prior revocation data"
+ );
+
+ let hasPriorCertData = await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CERTIFICATE,
+ (rv, hasPriorData) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve(hasPriorData);
+ }
+ );
+ });
+ Assert.equal(hasPriorCertData, true, "should have prior cert data");
+});
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.mdb b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.mdb
new file mode 100644
index 0000000000..df4cb182a7
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.mdb differ
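Review bot: The file-wide `/* eslint-disable no-unused-vars */` in test_cert_storage_preexisting.js appears unnecessary, since every binding declared in the task (`dbDirectory`, `dbFile`, `certStorage`, `hasPriorRevocationData`, `hasPriorCertData`) is used. Because it covers the rest of the file, it would also hide genuinely unused variables added later, so I would drop the line. If some rule does fire, a targeted `// eslint-disable-next-line no-unused-vars` on that declaration keeps the suppression visible.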
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.safe.bin b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.safe.bin new file mode 100644 index 0000000000..011ed93484 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/data.safe.bin differ diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting/lock.mdb b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/lock.mdb new file mode 100644 index 0000000000..dc4b50fdfc Binary files /dev/null and b/security/manager/ssl/tests/unit/test_cert_storage_preexisting/lock.mdb differ diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite.js b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite.js new file mode 100644 index 0000000000..e94cbbfb0c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite.js 
@@ -0,0 +1,83 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// This file tests that cert_storage correctly persists its information across +// runs of the browser specifically in the case of CRLite. +// (The test DB files for this test were created by running the test +// `test_cert_storage_direct.js` and copying them from that test's profile +// directory.) + +/* eslint-disable no-unused-vars */ +add_task(async function() { + Services.prefs.setIntPref( + "security.pki.crlite_mode", + CRLiteModeEnforcePrefValue + ); + + let dbDirectory = do_get_profile(); + dbDirectory.append("security_state"); + let crliteFile = do_get_file( + "test_cert_storage_preexisting_crlite/crlite.filter" + ); + crliteFile.copyTo(dbDirectory, "crlite.filter"); + let coverageFile = do_get_file( + "test_cert_storage_preexisting_crlite/crlite.coverage" + ); + coverageFile.copyTo(dbDirectory, "crlite.coverage"); + let enrollmentFile = do_get_file( + "test_cert_storage_preexisting_crlite/crlite.enrollment" + ); + enrollmentFile.copyTo(dbDirectory, "crlite.enrollment"); + + let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService( + Ci.nsICertStorage + ); + + // Add an empty stash to ensure the filter is considered to be fresh. 
+ await new Promise(resolve => { + certStorage.addCRLiteStash(new Uint8Array([]), (rv, _) => { + Assert.equal(rv, Cr.NS_OK, "marked filter as fresh"); + resolve(); + }); + }); + + let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + let validCertIssuer = constructCertFromFile( + "test_cert_storage_direct/valid-cert-issuer.pem" + ); + let validCert = constructCertFromFile( + "test_cert_storage_direct/valid-cert.pem" + ); + await checkCertErrorGenericAtTime( + certdb, + validCert, + PRErrorCodeSuccess, + certificateUsageSSLServer, + new Date("2019-10-28T00:00:00Z").getTime() / 1000, + false, + "skynew.jp", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); + + let revokedCertIssuer = constructCertFromFile( + "test_cert_storage_direct/revoked-cert-issuer.pem" + ); + let revokedCert = constructCertFromFile( + "test_cert_storage_direct/revoked-cert.pem" + ); + await checkCertErrorGenericAtTime( + certdb, + revokedCert, + SEC_ERROR_REVOKED_CERTIFICATE, + certificateUsageSSLServer, + new Date("2019-11-04T00:00:00Z").getTime() / 1000, + false, + "schunk-group.com", + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY + ); +}); diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.coverage b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.coverage new file mode 100644 index 0000000000..2bd13319e5 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.coverage differ diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.enrollment b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.enrollment new file mode 100644 index 0000000000..aac0238188 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.enrollment @@ -0,0 +1 @@ +3)û«Õ¤:Óf£õv¬œ 0ИëðëyæQ±ýý'ŽêŸïÕájfå¨é›à@(,v–~;ÕPÏ;Ò§mºÝÚbØgåt (M‡T³ÕNTbkÕÚ $ \ No newline at end of file 
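Review bot: In test_cert_storage_preexisting_crlite.js `validCertIssuer` and `revokedCertIssuer` are assigned from `constructCertFromFile(...)` and never referenced again, which is presumably why the file carries a blanket `/* eslint-disable no-unused-vars */`. If the intent is that constructing the issuers makes them available for path building when the end-entity certificates are verified, that dependency should be stated, since otherwise a later cleanup could remove the "unused" variables and change the verification result. I would add a comment such as `// Keep the issuer certificates alive so path building can find them.` above each declaration and scope the lint suppression to those two lines. The two checks also use different validation times (`2019-10-28` for the valid certificate, `2019-11-04` for the revoked one) with no explanation, which deserves a comment as well.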
diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.filter b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.filter new file mode 100644 index 0000000000..34ced4b840 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/crlite.filter differ diff --git a/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/data.safe.bin b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/data.safe.bin new file mode 100644 index 0000000000..d96571f128 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite/data.safe.bin differ diff --git a/security/manager/ssl/tests/unit/test_cert_trust.js b/security/manager/ssl/tests/unit/test_cert_trust.js new file mode 100644 index 0000000000..43fbaa6174 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_trust.js 
@@ -0,0 +1,324 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function load_cert(cert_name, trust_string) { + let cert_filename = cert_name + ".pem"; + return addCertFromFile( + certdb, + "test_cert_trust/" + cert_filename, + trust_string + ); +} + +function setup_basic_trusts(ca_cert, int_cert) { + certdb.setCertTrust( + ca_cert, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.TRUSTED_SSL | Ci.nsIX509CertDB.TRUSTED_EMAIL + ); + + certdb.setCertTrust(int_cert, Ci.nsIX509Cert.CA_CERT, 0); +} + +async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) { + // On reset most usages are successful + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageSSLServer + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageSSLClient + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageEmailSigner + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageEmailRecipient + ); + + // Test of active distrust. No usage should pass. 
+ setCertTrust(cert_to_modify_trust, "p,p,p"); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageSSLServer + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageSSLClient + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageEmailSigner + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageEmailRecipient + ); + + // Trust set to T - trusted CA to issue client certs, where client cert is + // usageSSLClient. + setCertTrust(cert_to_modify_trust, "T,T,T"); + await checkCertErrorGeneric( + certdb, + ee_cert, + isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, + certificateUsageSSLServer + ); + + // XXX(Bug 982340) + await checkCertErrorGeneric( + certdb, + ee_cert, + isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, + certificateUsageSSLClient + ); + + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA + ); + + await checkCertErrorGeneric( + certdb, + ee_cert, + isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, + certificateUsageEmailSigner + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + isRootCA ? 
SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, + certificateUsageEmailRecipient + ); + + // Now tests on the SSL trust bit + setCertTrust(cert_to_modify_trust, "p,C,C"); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageSSLServer + ); + + // XXX(Bug 982340) + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageSSLClient + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageEmailSigner + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageEmailRecipient + ); + + // Inherited trust SSL + setCertTrust(cert_to_modify_trust, ",C,C"); + await checkCertErrorGeneric( + certdb, + ee_cert, + isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, + certificateUsageSSLServer + ); + // XXX(Bug 982340) + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageSSLClient + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageEmailSigner + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageEmailRecipient + ); + + // Now tests on the EMAIL trust bit + setCertTrust(cert_to_modify_trust, "C,p,C"); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageSSLServer + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageSSLClient + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageEmailSigner + ); + await checkCertErrorGeneric( + certdb, 
+ ee_cert, + SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageEmailRecipient + ); + + // inherited EMAIL Trust + setCertTrust(cert_to_modify_trust, "C,,C"); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageSSLServer + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, + certificateUsageSSLClient + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, + certificateUsageEmailSigner + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, + certificateUsageEmailRecipient + ); +} + +add_task(async function() { + let certList = ["ca", "int", "ee"]; + let loadedCerts = []; + for (let certName of certList) { + loadedCerts.push(load_cert(certName, ",,")); + } + + let ca_cert = loadedCerts[0]; + notEqual(ca_cert, null, "CA cert should have successfully loaded"); + let int_cert = loadedCerts[1]; + notEqual(int_cert, null, "Intermediate cert should have successfully loaded"); + let ee_cert = loadedCerts[2]; + notEqual(ee_cert, null, "EE cert should have successfully loaded"); + + setup_basic_trusts(ca_cert, int_cert); + await test_ca_distrust(ee_cert, ca_cert, true); + + setup_basic_trusts(ca_cert, int_cert); + await test_ca_distrust(ee_cert, int_cert, false); + + // Reset trust to default ("inherit trust") + setCertTrust(ca_cert, ",,"); + setCertTrust(int_cert, ",,"); + + // End-entities can be trust anchors for interoperability with users who + // prefer not to build a hierarchy and instead directly trust a particular + // server certificate. 
+ setCertTrust(ee_cert, "CTu,CTu,CTu"); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageSSLServer + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageSSLClient + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageEmailSigner + ); + await checkCertErrorGeneric( + certdb, + ee_cert, + PRErrorCodeSuccess, + certificateUsageEmailRecipient + ); +}); diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ca.pem b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem new file mode 100644 index 0000000000..54b436cdab --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIUbd6irDfViDg0hGYGrBFpSOiAgmswDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD +VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBa/UJSVAkS4R5UUprUZ+VETh+G +TbLf+xbhyhpXn39i7Rk0/U7IelYJN3qalF3eIL7ab4qij3jWLrdOJz1ERkxVWXeX +a9rjQC7nQQqnOrdcEPvq297cHuwtKb+jTTKDI4ATy7UVeE3DDW6VWewmAz8VA7FH +SxAwdLWgqKzAqLEhhrg6l0JtpDmCfoBZ5yVA9gPdcSouaQ+6WnL0TFmNtriZPZI5 +Sq7Ua1aM1X/Ca3kQLo1DD06lgR7bJbjH+2j0uRYbB7NeB5aeYYnnxRdXcbXtM2Wl +dPg/8WETAK3hjbaY0Xq5UFP9tLkLbq3a1lew5BEz9xFz7P+offg8hSAONOZu +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec new file mode 100644 index 0000000000..d809dbd635 --- /dev/null 
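Review bot: The three `// XXX(Bug 982340)` markers in test_ca_distrust flag the certificateUsageSSLClient checks without saying what is unexpected about them. Reading the expectations, the SSL-client result follows the second (email) field of the trust string rather than the first: with "p,C,C" the server check fails with SEC_ERROR_UNTRUSTED_ISSUER while the client check succeeds, and with "C,p,C" it is the reverse. The "C,p,C" and "C,,C" blocks rely on the same behaviour but carry no marker. I would spell it out once, e.g. `// XXX(Bug 982340): certificateUsageSSLClient is checked against the email trust field, not the SSL field.`, so a reader does not take the first field as governing client-certificate trust; the bug itself is not visible here, so the wording should be confirmed against it.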
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ee.pem b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem
new file mode 100644
index 0000000000..82e6a30f34
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC4jCCAcqgAwIBAgIUMdajt4X/9IBhgxXiQsm9Bu84o80wDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw
+MDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozUwMzAxBgNVHSUEKjAoBggrBgEF
+BQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMEBggrBgEFBQcDAzANBgkqhkiG9w0BAQsF
+AAOCAQEAA7nG4h3CGUtm2eS08c0e+mROnPPpkOMaOS0McOFIDOamQlKtxuzl6md7
+CmZtQfckTwVxy8KaEtVhcJ5Dj4w+HJJ2uwun8PspBkgEaVJAMxhm8CAOBHO72vee
+1WU1K2lxcGz1tTFzyvGi7b+frWWaeoTM4/4qUQkKEBTbJannKqmKSHdawNNeJ7XB
+yxyO+Pf5JlWMDpSoFY3IEG2j01ALdWcI4T63TFLB0lEmuMRGZ6o2EnNOFvg2bDkg
++peiKONSzIVqiVHkJjgMDGOdXfeei2pFyQz+1ESWYl3+LuxHbxXauyKV5tAjXL8n
+RbN+Ds8/8RpSFhDOTRLVCVrQiFqNag==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec
new file mode 100644
index 0000000000..9666c18062
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec
@@ -0,0 +1,3 @@
+issuer:int
+subject:ee
+extension:extKeyUsage:serverAuth,clientAuth,emailProtection,codeSigning
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/int.pem b/security/manager/ssl/tests/unit/test_cert_trust/int.pem
new file mode 100644
index 0000000000..f12ebf91fd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/int.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyjCCAbKgAwIBAgIUS7UFd8kviZT6AzkUw+zBza2WxxcwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowDjEMMAoGA1UEAwwDaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc
+BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC
+a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg
+uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK
+9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP
+mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsG
+A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAXr6DXGOqX+xkzyNm1YZc+wtm
+6yFQo2jgeCMxgOv4j07wEEgGPP4adgyHjAhqTtYNbdBCuPtEbMInVRHdJooWNGk7
+MeoyTmJLlEJlnzVHdCUDi0mb+E7w2vVWNeirXnUSBN8qStok8vNoHJDT7pX3QEQs
+zRRNHw5qs/xxZKxzxeBiljYlh1d1zVgqNWTx9LP5IOEKOQ9OzxpzsCpJtPZRxh/d
+gip6TZT9srCndY2jCFUEYdSFRWOjsb6ni9TGC2o4SUxxJvC8jmrLjgGqPGNdTMiX
+DOxuAjt1gue4kqK6r6nMqxOZ04TEe0c/M5+hF4dhQaxqga6vvGBl0oF2QMxXGA==
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec b/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec
new file mode 100644
index 0000000000..a7f6d81419
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:int
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_cert_utf8.js b/security/manager/ssl/tests/unit/test_cert_utf8.js
new file mode 100644
index 0000000000..caeddd8158
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_utf8.js
@@ -0,0 +1,79 @@ +// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +do_get_profile(); + +const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function run_test() { + // This certificate has a number of placeholder byte sequences that we can + // replace with invalid UTF-8 to ensure that we handle these cases safely. + let certificateToAlterFile = do_get_file( + "test_cert_utf8/certificateToAlter.pem", + false + ); + let certificateBytesToAlter = atob( + pemToBase64(readFile(certificateToAlterFile)) + ); + testUTF8InField("issuerName", "ISSUER CN", certificateBytesToAlter); + testUTF8InField("issuerOrganization", "ISSUER O", certificateBytesToAlter); + testUTF8InField( + "issuerOrganizationUnit", + "ISSUER OU", + certificateBytesToAlter + ); + testUTF8InField("issuerCommonName", "ISSUER CN", certificateBytesToAlter); + testUTF8InField("organization", "SUBJECT O", certificateBytesToAlter); + testUTF8InField("organizationalUnit", "SUBJECT OU", certificateBytesToAlter); + testUTF8InField("subjectName", "SUBJECT CN", certificateBytesToAlter); + testUTF8InField("displayName", "SUBJECT CN", certificateBytesToAlter); + testUTF8InField("commonName", "SUBJECT CN", certificateBytesToAlter); + testUTF8InField( + "emailAddress", + "SUBJECT EMAILADDRESS", + certificateBytesToAlter + ); +} + +// Every (issuer, serial number) pair must be unique. If NSS ever encounters two +// different (in terms of encoding) certificates with the same values for this +// pair, it will refuse to import it (even as a temporary certificate). Since +// we're creating a number of different certificates, we need to ensure this +// pair is always unique. 
The easiest way to do this is to change the issuer +// distinguished name each time. To make sure this doesn't introduce additional +// UTF8 issues, always use a printable ASCII value. +var gUniqueIssuerCounter = 32; + +function testUTF8InField(field, replacementPrefix, certificateBytesToAlter) { + let toReplace = `${replacementPrefix} REPLACE ME`; + let replacement = ""; + for (let i = 0; i < toReplace.length; i++) { + replacement += "\xEB"; + } + let bytes = certificateBytesToAlter.replace(toReplace, replacement); + let uniqueIssuerReplacement = + "ALWAYS MAKE ME UNIQU" + String.fromCharCode(gUniqueIssuerCounter); + bytes = bytes.replace("ALWAYS MAKE ME UNIQUE", uniqueIssuerReplacement); + ok( + gUniqueIssuerCounter < 127, + "should have enough ASCII replacements to make a unique issuer DN" + ); + gUniqueIssuerCounter++; + let cert = gCertDB.constructX509(stringToArray(bytes)); + notEqual(cert[field], null, `accessing nsIX509Cert.${field} shouldn't fail`); + notEqual( + cert.getEmailAddresses(), + null, + "calling nsIX509Cert.getEmailAddresses() shouldn't assert" + ); + ok( + !cert.containsEmailAddress("test@test.test"), + "calling nsIX509Cert.containsEmailAddress() shouldn't assert" + ); +} diff --git a/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem new file mode 100644 index 0000000000..344858e1fe --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem 
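Review bot: testUTF8InField never checks that the placeholder was actually found, so `certificateBytesToAlter.replace(toReplace, replacement)` can silently return the unaltered certificate and the invalid-UTF-8 case then passes without being exercised. I would add `ok(certificateBytesToAlter.includes(toReplace), "placeholder must be present: " + toReplace);` before the replace. The `ok(gUniqueIssuerCounter < 127, ...)` guard also runs only after the counter has been used to build the issuer replacement; moving it above the `String.fromCharCode(gUniqueIssuerCounter)` line makes it a precondition. The certspec added later in this patch defines two subjectAlternativeName placeholders that run_test never substitutes, so the SAN data behind getEmailAddresses() appears to be exercised only with valid text.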
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID7zCCAtegAwIBAgIUBd/A9SPEdfUGTxKTRoSskwSi2UYwDQYJKoZIhvcNAQEL
+BQAwfDEcMBoGA1UECgwTSVNTVUVSIE8gUkVQTEFDRSBNRTEdMBsGA1UECwwUSVNT
+VUVSIE9VIFJFUExBQ0UgTUUxHTAbBgNVBAMMFElTU1VFUiBDTiBSRVBMQUNFIE1F
+MR4wHAYDVQQHDBVBTFdBWVMgTUFLRSBNRSBVTklRVUUwIhgPMjAyMTExMjcwMDAw
+MDBaGA8yMDI0MDIwNTAwMDAwMFowgY8xHTAbBgNVBAoMFFNVQkpFQ1QgTyBSRVBM
+QUNFIE1FMR4wHAYDVQQLDBVTVUJKRUNUIE9VIFJFUExBQ0UgTUUxHjAcBgNVBAMM
+FVNVQkpFQ1QgQ04gUkVQTEFDRSBNRTEuMCwGCSqGSIb3DQEJARYfU1VCSkVDVCBF
+TUFJTEFERFJFU1MgUkVQTEFDRSBNRTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x
+nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM
+wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF
+4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20
+yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx
+j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNRME8wTQYDVR0RBEYwRIIeU1VC
+SkVDVCBBTFQgRE5TTkFNRSBSRVBMQUNFIE1FgSJTVUJKRUNUIEFMVCBSRkM4MjJA
+TkFNRSBSRVBMQUNFIE1FMA0GCSqGSIb3DQEBCwUAA4IBAQAKUSa8BdHwFUeuwcIx
+zjUMm3VfByLFQ1bGMPzH8oZ2iYPEuna+2yWgMt1PyqKlRu6LUFbxDhS1zyNdHmTE
+IgZ5L7AqA92pi1NNHJdMPJx5Pm2S0YzvTGoJMiU+btqykWq1YA4qviVFJC41V7mF
+ykgLl31W+5EOT6H3kPwFOa80s5u7PdtNZ18M9rRX36fP1W3vBLd9QUlEyKlJBwNf
++bLIQF8LbG4R5DbvinZufeMa6CQLQI1eot9WzBYddIzJVVJy04RBiCnZhZjdow1t
+j3daswBkJDX0kEPlW707yXHrLQhlI8imTYrEXCO0u9+n1NmRqD0eNhNEqdjAAgpC
+5PAD
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem.certspec b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem.certspec
new file mode 100644
index 0000000000..6579ac5550
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_utf8/certificateToAlter.pem.certspec
@@ -0,0 +1,3 @@
+issuer:/O=ISSUER O REPLACE ME/OU=ISSUER OU REPLACE ME/CN=ISSUER CN REPLACE ME/L=ALWAYS MAKE ME UNIQUE
+subject:/O=SUBJECT O REPLACE ME/OU=SUBJECT OU REPLACE ME/CN=SUBJECT CN REPLACE ME/emailAddress=SUBJECT EMAILADDRESS REPLACE ME
+extension:subjectAlternativeName:SUBJECT ALT DNSNAME REPLACE ME,SUBJECT ALT RFC822@NAME REPLACE ME
diff --git a/security/manager/ssl/tests/unit/test_cert_version.js b/security/manager/ssl/tests/unit/test_cert_version.js
new file mode 100644
index 0000000000..73b0f458f7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version.js
@@ -0,0 +1,304 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// Tests the interaction between the basic constraints extension and the +// certificate version field. In general, the testcases consist of verifying +// certificate chains of the form: +// +// end-entity (issued by) intermediate (issued by) trusted X509v3 root +// +// where the intermediate is one of X509 v1, v2, v3, or v4, and either does or +// does not have the basic constraints extension. If it has the extension, it +// either does or does not specify that it is a CA. +// +// To test cases where the trust anchor has a different version and/or does or +// does not have the basic constraint extension, there are testcases where the +// intermediate is trusted as an anchor and the verification is repeated. +// (Loading a certificate with trust "CTu,," means that it is a trust anchor +// for SSL. Loading a certificate with trust ",," means that it inherits its +// trust.) +// +// There are also testcases for end-entities issued by a trusted X509v3 root +// where the end-entities similarly cover the range of versions and basic +// constraint extensions. +// +// Finally, there are testcases for self-signed certificates that, again, cover +// the range of versions and basic constraint extensions. 
+ +"use strict"; + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function certFromFile(certName) { + return constructCertFromFile("test_cert_version/" + certName + ".pem"); +} + +function loadCertWithTrust(certName, trustString) { + addCertFromFile( + certdb, + "test_cert_version/" + certName + ".pem", + trustString + ); +} + +function checkEndEntity(cert, expectedResult) { + return checkCertErrorGeneric( + certdb, + cert, + expectedResult, + certificateUsageSSLServer + ); +} + +function checkIntermediate(cert, expectedResult) { + return checkCertErrorGeneric( + certdb, + cert, + expectedResult, + certificateUsageSSLCA + ); +} + +add_task(async function() { + loadCertWithTrust("ca", "CTu,,"); + + // Section for CAs lacking the basicConstraints extension entirely: + loadCertWithTrust("int-v1-noBC_ca", ",,"); + await checkIntermediate( + certFromFile("int-v1-noBC_ca"), + MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA + ); + await checkEndEntity( + certFromFile("ee_int-v1-noBC"), + MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA + ); + // A v1 certificate with no basicConstraints extension may issue certificates + // if it is a trust anchor. 
+ loadCertWithTrust("int-v1-noBC_ca", "CTu,,"); + await checkIntermediate(certFromFile("int-v1-noBC_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v1-noBC"), PRErrorCodeSuccess); + + loadCertWithTrust("int-v2-noBC_ca", ",,"); + await checkIntermediate( + certFromFile("int-v2-noBC_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v2-noBC"), + SEC_ERROR_CA_CERT_INVALID + ); + loadCertWithTrust("int-v2-noBC_ca", "CTu,,"); + await checkIntermediate( + certFromFile("int-v2-noBC_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v2-noBC"), + SEC_ERROR_CA_CERT_INVALID + ); + + loadCertWithTrust("int-v3-noBC_ca", ",,"); + await checkIntermediate( + certFromFile("int-v3-noBC_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v3-noBC"), + SEC_ERROR_CA_CERT_INVALID + ); + loadCertWithTrust("int-v3-noBC_ca", "CTu,,"); + await checkIntermediate( + certFromFile("int-v3-noBC_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v3-noBC"), + SEC_ERROR_CA_CERT_INVALID + ); + + loadCertWithTrust("int-v4-noBC_ca", ",,"); + await checkIntermediate( + certFromFile("int-v4-noBC_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v4-noBC"), + SEC_ERROR_CA_CERT_INVALID + ); + loadCertWithTrust("int-v4-noBC_ca", "CTu,,"); + await checkIntermediate( + certFromFile("int-v4-noBC_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v4-noBC"), + SEC_ERROR_CA_CERT_INVALID + ); + + // Section for CAs with basicConstraints not specifying cA: + loadCertWithTrust("int-v1-BC-not-cA_ca", ",,"); + await checkIntermediate( + certFromFile("int-v1-BC-not-cA_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v1-BC-not-cA"), + SEC_ERROR_CA_CERT_INVALID + ); + loadCertWithTrust("int-v1-BC-not-cA_ca", "CTu,,"); + await checkIntermediate( + 
certFromFile("int-v1-BC-not-cA_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v1-BC-not-cA"), + SEC_ERROR_CA_CERT_INVALID + ); + + loadCertWithTrust("int-v2-BC-not-cA_ca", ",,"); + await checkIntermediate( + certFromFile("int-v2-BC-not-cA_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v2-BC-not-cA"), + SEC_ERROR_CA_CERT_INVALID + ); + loadCertWithTrust("int-v2-BC-not-cA_ca", "CTu,,"); + await checkIntermediate( + certFromFile("int-v2-BC-not-cA_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v2-BC-not-cA"), + SEC_ERROR_CA_CERT_INVALID + ); + + loadCertWithTrust("int-v3-BC-not-cA_ca", ",,"); + await checkIntermediate( + certFromFile("int-v3-BC-not-cA_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v3-BC-not-cA"), + SEC_ERROR_CA_CERT_INVALID + ); + loadCertWithTrust("int-v3-BC-not-cA_ca", "CTu,,"); + await checkIntermediate( + certFromFile("int-v3-BC-not-cA_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v3-BC-not-cA"), + SEC_ERROR_CA_CERT_INVALID + ); + + loadCertWithTrust("int-v4-BC-not-cA_ca", ",,"); + await checkIntermediate( + certFromFile("int-v4-BC-not-cA_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v4-BC-not-cA"), + SEC_ERROR_CA_CERT_INVALID + ); + loadCertWithTrust("int-v4-BC-not-cA_ca", "CTu,,"); + await checkIntermediate( + certFromFile("int-v4-BC-not-cA_ca"), + SEC_ERROR_CA_CERT_INVALID + ); + await checkEndEntity( + certFromFile("ee_int-v4-BC-not-cA"), + SEC_ERROR_CA_CERT_INVALID + ); + + // Section for CAs with basicConstraints specifying cA: + loadCertWithTrust("int-v1-BC-cA_ca", ",,"); + await checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess); + loadCertWithTrust("int-v1-BC-cA_ca", "CTu,,"); + await 
checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess); + + loadCertWithTrust("int-v2-BC-cA_ca", ",,"); + await checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess); + loadCertWithTrust("int-v2-BC-cA_ca", "CTu,,"); + await checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess); + + loadCertWithTrust("int-v3-BC-cA_ca", ",,"); + await checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess); + loadCertWithTrust("int-v3-BC-cA_ca", "CTu,,"); + await checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess); + + loadCertWithTrust("int-v4-BC-cA_ca", ",,"); + await checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess); + loadCertWithTrust("int-v4-BC-cA_ca", "CTu,,"); + await checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess); + + // Section for end-entity certificates with various basicConstraints: + await checkEndEntity(certFromFile("ee-v1-noBC_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-v2-noBC_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-v3-noBC_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-v4-noBC_ca"), PRErrorCodeSuccess); + + await checkEndEntity(certFromFile("ee-v1-BC-not-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-v2-BC-not-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-v3-BC-not-cA_ca"), PRErrorCodeSuccess); + 
await checkEndEntity(certFromFile("ee-v4-BC-not-cA_ca"), PRErrorCodeSuccess); + + await checkEndEntity( + certFromFile("ee-v1-BC-cA_ca"), + MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY + ); + await checkEndEntity( + certFromFile("ee-v2-BC-cA_ca"), + MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY + ); + await checkEndEntity( + certFromFile("ee-v3-BC-cA_ca"), + MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY + ); + await checkEndEntity( + certFromFile("ee-v4-BC-cA_ca"), + MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY + ); + + // Section for self-signed certificates: + await checkEndEntity(certFromFile("ss-v1-noBC"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v2-noBC"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v3-noBC"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v4-noBC"), SEC_ERROR_UNKNOWN_ISSUER); + + await checkEndEntity( + certFromFile("ss-v1-BC-not-cA"), + SEC_ERROR_UNKNOWN_ISSUER + ); + await checkEndEntity( + certFromFile("ss-v2-BC-not-cA"), + SEC_ERROR_UNKNOWN_ISSUER + ); + await checkEndEntity( + certFromFile("ss-v3-BC-not-cA"), + SEC_ERROR_UNKNOWN_ISSUER + ); + await checkEndEntity( + certFromFile("ss-v4-BC-not-cA"), + SEC_ERROR_UNKNOWN_ISSUER + ); + + await checkEndEntity(certFromFile("ss-v1-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v2-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v3-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v4-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER); +}); diff --git a/security/manager/ssl/tests/unit/test_cert_version/ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ca.pem new file mode 100644 index 0000000000..e640e32bbf --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ca.pem 
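Review bot: Every PRErrorCodeSuccess expectation in this task depends on the wall clock if checkCertErrorGeneric (defined outside this chunk) validates at the current time, because the fixtures carry a fixed validity window. The GeneralizedTime fields in test_cert_version/ca.pem decode to 20211127000000Z through 20240205000000Z, which ended before the commit date in the patch header (7 Apr 2024), so those checks would presumably report an expiry error instead; test_cert_trust.js and its fixtures have the same window. The CRLite test earlier in this patch pins the time with checkCertErrorGenericAtTime, and doing the same in checkEndEntity and checkIntermediate with a timestamp inside the window, e.g. `const VALIDATION_TIME = new Date("2022-06-01T00:00:00Z").getTime() / 1000;`, or regenerating the .pem files from their .certspec, removes the dependency.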
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyTCCAbGgAwIBAgIUR09v04QlrQMgLL9A9x5Lis3g49EwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw
+MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG
+m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr
+bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4
+SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3
+/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z
+FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAsGA1UdDwQEAwIBBjAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBYoi35Dp3gNfLJAi4Gk2GwxCie
+kk5hUcWiM7wAttc1NTH3PU7lzcnmkL4Fn0urD8DpYr17Fzd3LMvPTcvc/fHgl2R9
+uxXEvS38SCuAq8gfEraHy9m7w+J11SBA8PsnZqNJSDdGblAjNXbv3yeAIjI22+rE
++gUEd+62kObnUYoPC6tX/kq7uJU1h10jjoR1nYrghij6yRM5ozeqbl/AEam1YgnU
+RZWRSnsP5g2QDrpwlpOxAQZxpwW2KYk+Jr1uFROsbn/cUbMRLg8pwAw3DasmIJlS
+31oldY5nuSACsBWcJW1Cck5h2+PJqT9SfP9AqtPWF1BMUjC4xiCV0W3NVKLf
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ca.pem.certspec
new file mode 100644
index 0000000000..8689ef9ea1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem
new file mode 100644
index 0000000000..f5ba3ee376
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwDCCAagCFC+ZWtAQE8lVz0D4wb40yUfGwCkNMA0GCSqGSIb3DQEBCwUAMA0x
+CzAJBgNVBAMMAmNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa
+MBYxFDASBgNVBAMMC2VlLXYxLUJDLWNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf
+vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb
+uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S
+O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR
+3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv
+5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxAwDjAMBgNVHRMEBTADAQH/
+MA0GCSqGSIb3DQEBCwUAA4IBAQAcgP1lvoA0169HURGT56n+WBBbjkGXuH5cmkhg
+BHZxU8AsonQl5T+IXRWNT/iyWVNlfvYTOZeWga5G42tvQxYsJ3nOg4Tg16b+Ny7p
++F9QFv/ggvVdiV9EF9ofy+0gY8Kp6h7sIfjqqjkRUquPkuFmsucYbpKHV66XB0z3
+VKHwZxBWkOgmHOeCuY8+7eVrhntDOuLD5SHwN/NPBQy0CLppN0T9rPJ8rMZ4BGsk
+NCakLrw2hISVBajKmcFtdEYPZ65PCuJI24ziDPhGlc2lTkjocf8Ixg4V881Lqy3x
+rWkR5qu1OoMM6oWzXw+0YunB8bRuP4/tBJDVpvu6xBqkgGKv
+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem.certspec
new file mode 100644
index 0000000000..4570e6e3ff
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-cA_ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ca
+subject:ee-v1-BC-cA
+version:1
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem
new file mode 100644
index 0000000000..9815e5e13c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICwTCCAakCFCXWLDfdUshis2BR2AOx1Wx0Pe4/MA0GCSqGSIb3DQEBCwUAMA0x +CzAJBgNVBAMMAmNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa +MBoxGDAWBgNVBAMMD2VlLXYxLUJDLW5vdC1jQTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMNMAswCQYDVR0TBAIw +ADANBgkqhkiG9w0BAQsFAAOCAQEAmOBNxj3ggsPlL425Fdsnlwg9xe+YGYrQ+qDx +gXgQypAf9+A6PzJde3x0todPYShaItrpUkkqq+65y3PFQ5/Cx4JTSuLZowx1US3D +TVCTr8zPkx44+pFsPpVo/H46ntgTdJzeGxy4CLwRuzfCwE7xDXu4RGWG6HJ0H4H0 +BQQQoY+PZwjQKzV8ac+mO7zXxEA9KG+J0whj89x6Ps31Oj5wsQb6mt5M1KzihzLe +yJMc2J/d0xj0NN/mxjFyeu2gg5efJgByZgCs1oGImlvrV8mll6zNazGwIzAEjOv7 +qFlzeX8fnowEZkYjt655nzH6qV51D5Ml2KPanMUdwXwttsgJ9w== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem.certspec new file mode 100644 index 0000000000..f4257841fe --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-BC-not-cA_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ee-v1-BC-not-cA +version:1 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem new file mode 100644 index 0000000000..276596cf8f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICrTCCAZUCFDfaJVmc86Op+Njp91sQs3VibqnjMA0GCSqGSIb3DQEBCwUAMA0x +CzAJBgNVBAMMAmNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa +MBUxEzARBgNVBAMMCmVlLXYxLW5vQkMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9 +sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5 +TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7 +xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHd +tMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l +8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEB +AKNZOtDY6VR1afUmrbxsYNmSlbJfDH1Wf1yW1mGlEaaAt+2jCwq4XQe+WydH+XNY +1hF6qB8Dfv6BjHtz3mDlEurO8OQLzbEsCjoHTsC2k7xBX5AqjgLOd7VXTw+nkWpl +KS16AGoFwWwJoRiqvRIN7QmrL4+VTy9qiMjW/xQZpJRjgclghsyD1ftuS8MO6CFA +Xl8H10FX+iLrQ1vVZEpFvawJsaPqpP1Q/aaUbuVFOdl9FdO/AoYg9T4OoNMuVAri +1EdM0PJ2fLuBZEfGu0Xzfx3DQMGTGY3b+rbXXsAvKDY7Lz2uH3QQ3dV8u/A/ziXR +4CuNiCfPf9ln9nYZryvPhTo= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem.certspec new file mode 100644 index 0000000000..48fe9e5416 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v1-noBC_ca.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-v1-noBC +version:1 diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem new file mode 100644 index 0000000000..d0f8108576 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxTCCAa2gAwIBAQIUSfJg0GeqJHFEX50dYSwtSQ3bMKowDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFjEUMBIGA1UEAwwLZWUtdjItQkMtY0EwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAA+oYLQRft2MQcjzbocFjcHuOtGLN2zd +h/VRTr6kdHVUlTWGxPAlbbMQebdqxrkOs7z7AUdXND4ByKTtNEuQPr+wXwwXSTE3 +iYjViklkaO/90FwPXCY0cKPP3Wlr+dU//+ae8MHxUgITiz1pSaCxpn+aWNuT0YEh +OyPHJp604kUXsaS/tnh9Gs+PcUnbzDdajbsCgKHoxtjMJWvYzr7AbHxmZdNJj5+s +oayWjkj57NlX3fSRPLwcLoLanp7stBFXQuYdUdHBxPo4NJvCePu+qX9dKRfs8iOh +QX/C7/hznhGYCmr+bwA5vDP2/hlaXVY3Y86QVtSxjfzAR8FipCk7Csw= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem.certspec new file mode 100644 index 0000000000..f714725d2b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-cA_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ee-v2-BC-cA +version:2 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem new file mode 100644 index 0000000000..70137183e2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxjCCAa6gAwIBAQIUDxDa2ifUgdQYpJ8MdfEeYRaJsdMwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowGjEYMBYGA1UEAwwPZWUtdjItQkMtbm90LWNBMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNV +HRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCddjVLxryXnecJPMqSm0jUBYLnM+AK +Rq6/2mzN4RpEVWZp6GNnWYzmONMwJ6wtGVgARfg0FuBONBzNtHxpdLcbia6wajf0 +/A9FZ2IA6TmEDt9iBQQYphczJquzzrPU1ST472ueH9ugSWm6CV2a8tWZTqpADewy +waivrK76PCatnMHWZy+h0QlMStf5j9mvEXydnDVZtyqH28THAHOfTyseEBdkl+VI +rJ/mnuK6toyJRJOEajDPfhJveAu8Xc139qWrC79P9Tp82eqNLZxfIEBh20eNYxSk +PFkDwGE+pmEQEpGuIrFBR/e2vZTQJ6OTNhWxG8JriY58UlIQ1kACWw7y +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem.certspec new file mode 100644 index 0000000000..db72288814 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-BC-not-cA_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ee-v2-BC-not-cA +version:2 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem new file mode 100644 index 0000000000..f2c644ce6f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICsjCCAZqgAwIBAQIUXbeigSj410bH6jRhgrqYja0GpzowDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFTETMBEGA1UEAwwKZWUtdjItbm9CQzCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsF +AAOCAQEAuDsqRa2nVMQ97V4Tf2WevBu+k7ZhcIaW68a5tlKLEKhx6/eGSSGeij4m +OeBOyFOr885Y/Kkhd+aHEefJV61HcgHYNDkRAcEFg6WRDwoto3u06wlqDt4hWr5x +I/gRPudZ702Mw4trcwXljvm8lKYOL1O79Ic9kbqpCoIdFRbf2n+mMwqf/z17Lis/ +TSQTmYwO4lMDqv2XJ4a+DAyCItLvlAUsWukWEyHY9RUaKS+flqwLB6w5nkM8enI0 +oiqxEeSgn0DwnSEyLzb8bjybErM+qnDjmRPXN/w9lkpzs6LhhP+YY1eUhlw7JRJO +EHESM9OVGl3i60Ed9U2vNPgwqciqbw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem.certspec new file mode 100644 index 0000000000..cc304ab87e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v2-noBC_ca.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-v2-noBC +version:2 diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem new file mode 100644 index 0000000000..8b9056a167 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxTCCAa2gAwIBAgIUc98+jTM4qNvfdiHHTt3xeTnklo0wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFjEUMBIGA1UEAwwLZWUtdjMtQkMtY0EwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGPnZLZtuRfQew8WQGlkkLGRBVLTqudE +eGIVRcAMToZ8clV5nFTRJd8TDPJtEnJq7JuVzKXwYyibfd1jGixewFSs1NVZqshN +Twx+FSQCoWNTrH1g09hhJDKDYZAIl940Jfp3tI9dmLDAT6eJK7MtfocJcnfJT++X +6OXE9CzwA+jNoqEhPXjmPa41SMpAgr0lLviONqy0sUjUy6Wwd/Awi3BsV7pgkInb +59hTTWaxwsIVXr8d5uXvxNvXiTFRmxAsF4EgF/OR413gel2cR8ERy4GLp7y044AE +7NaFQoeto9yW3IpYr3fvmyYbMLPXdQcv7OPvolLgN9756qU73BaYhwA= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem.certspec new file mode 100644 index 0000000000..6f69c35743 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-cA_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ee-v3-BC-cA +version:3 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem new file mode 100644 index 0000000000..c909ceae66 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxjCCAa6gAwIBAgIUZbMh4u0fW5ML6yh8z8pbXjOe1VEwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowGjEYMBYGA1UEAwwPZWUtdjMtQkMtbm90LWNBMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNV +HRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCYkQCEZnA8CNk3m3GRWOmmfSHggAEg +DPhdb/lD5HPuwk7mZvlmVWuLzL7KkbNe71lGcDxH9/az8loi/3F+qPtTAQm0dIv6 ++PMeJ9M81FrrL9QOlt1g6oD2H3CpeBmPXTZhw8BrY8G5vOazqng8BHv5HhDu64U2 +tG0uCynb/9DP0JyZykV9l8r8c4Tsz2xFAMfbowricN3kNoeV0WLY9NL7T3iBa22+ +mSVUVfVb6JgX59hkupfq6ykSWy90aHpHvOYGvnxAp+r31ddwGAix9FyebSNNQn80 +YfMR6qlPWwTqe5nVGqEdQ4fTg+qC93OqWtcDJrXshB3j415ubudwKN59 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem.certspec new file mode 100644 index 0000000000..4a9de06358 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-BC-not-cA_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ee-v3-BC-not-cA +version:3 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem new file mode 100644 index 0000000000..b5c0319790 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICsjCCAZqgAwIBAgIUAQDoVGw+r6lNT2b+jJm2+epsWHcwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFTETMBEGA1UEAwwKZWUtdjMtbm9CQzCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsF +AAOCAQEAGpZrWuH+x+qgSsl+EtFBQ6dlKN1w481HZlxA9UEXLqcV4ePHpdu0gb2p +nIlDxJDCIbPmsmh2NkiwrxtW+UO7Gee2qSJx+HzTbDU4Zf61AdzrSLy7UXeAa/Db +HoVqGZ6SY7HRfUZSwHhNjUhxemp7b98HCQWn8lIvkcDrkXRpaQUWd1slyEA3VNem +EXVbjybmuoO60Xka65CSSg3B8+UY/fhYONh6UvpyWLc5N+qoMEywqvSCB8vNPcmw +fVr8AFzvWQ0XKT5YxUtPZvAcreC0lUZXIF41us5JVbx7eX9GU5/viguxOUTj5W4B +jyLS9tyap1ysIq3sPPlXW7S1i1pmXA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem.certspec new file mode 100644 index 0000000000..9d385900f0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v3-noBC_ca.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-v3-noBC +version:3 diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem new file mode 100644 index 0000000000..d780e80fcd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxTCCAa2gAwIBAwIUCd37312Tb5EZpix3723WyR6xMJUwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFjEUMBIGA1UEAwwLZWUtdjQtQkMtY0EwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggEBALC4++IlQxFJcpwHvCdfQ7DjwM579Sn2 +/QRXYfA4UnHWzx5GCggoMPnyvI70hbYXNZvsOg4fkk/wY4vLYblGPYY3NRB51DAr +2udwFlqnMhHLwzGntRWb7Fvnug0f9GCjD6+CI8sfamlTBg33JDT/LQUB0+7Pwih7 +6kxSr+D4TXxDZkCcn+imjA2y6t90jl09Gyaxj2fGya1Tz3O4F2dhUlhD+Z1VyGSO +WeMCDMJq0HlHymc2C9NJa+l8mxP3ZhAhCkquz98l9iNi8feKET3Mor1QkZQrw4iX +EztBsqyMP7TZJrzgzNVQgdM67gj670qOOlYDG0fftJkPhvwUtUzGJIQ= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem.certspec new file mode 100644 index 0000000000..1f44c1dd27 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-cA_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ee-v4-BC-cA +version:4 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem new file mode 100644 index 0000000000..580730ead1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxjCCAa6gAwIBAwIUf14/9bHAT4wfeg67o/l7Z6hx1RIwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowGjEYMBYGA1UEAwwPZWUtdjQtQkMtbm90LWNBMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNV +HRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBa8RvfZI03C2soSzVOamYtjem/rQ9c +sCUr5b/twKBFUxFWPPeM+zQbLjKwCVMKfhOrBddqxiWtBEXoeDgGN4Hz7dYtedQY +yZXrBHFx8NTkP1hu7ZLH6/Wmq8pIY1clVkCW9BaN/VrooivYDVT9FAQ3Olmb7ndY +WpG/HAJtvLI0IvFq4AzMXa0zJJFOzWd+zeYFkizdEIeWTd9blb70czeru3hf5NwO +zxE4bsKgWXO9hRaJwdb6STlit2BVtx8mMOibJn852IZ0tECKRGlTLJSC2Pz2kk67 +dqRTLC4ys09cGT/wQbE9nBYqdRD46LeSYnxBLlPaJZ8tJ3p82VK8I+ob +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem.certspec new file mode 100644 index 0000000000..e9659153e5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-BC-not-cA_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ee-v4-BC-not-cA +version:4 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem new file mode 100644 index 0000000000..685d2da6b6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICsjCCAZqgAwIBAwIUaR0hFbbBz1XsN9CW31yoUhYk7k0wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFTETMBEGA1UEAwwKZWUtdjQtbm9CQzCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsF +AAOCAQEAcWHh1vTXippkY8F4flCD4/4S7e6X0hr/WKPPpQGWKMDUyTBp5bvlSlJo +CQnceIqJ7PW48tEhSv7XjCFYAtrJaN+I5ttP+RvhWk7CY8bZFH469PWMKiEZQrR7 +CJyk1LBX3zDRbRRweT8h0DuzqcHqFXE9J+DEfYue/Y0ZMlly3u9NAFiFj+etyrX7 +zm9cG3cc1AVbnQMC0tAyJnbepwj1QHDbxDGN1UBI9SlUW9FolPBJzgtNuLMiY/VX +B8SfNGvTm5nvHGrL+tp0jp32ufCtwT/DGp4jasa4vG3gpD7l91SoIx3W0cKJuclB +/dTVAfLtVNFvJWV6J5FdrHiPzufHNw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem.certspec new file mode 100644 index 0000000000..19229ba766 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee-v4-noBC_ca.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ee-v4-noBC +version:4 diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem new file mode 100644 index 0000000000..e7c3b79420 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtDCCAZygAwIBAgIUVWOyeMgSib4O1LKG1AJMZEOfA5EwDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMaW50LXYxLUJDLWNBMCIYDzIwMjExMTI3MDAwMDAwWhgP +MjAyNDAyMDUwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB +CwUAA4IBAQBhWnPGcosA9XFiil1ODUfKcRa6J5Pp3R/n/tdp7XZFauH6q512f4wy +23L0zJhhov7dJdnI+spAuXcsKR9rDFYximIGUSjYPoJmGTdemTW60ddF3DjLYZvf +BJJQyZMn1zvlJE73G24vZK1FNP0u0zRQvKVPt3/OFwE906AysPk8waodm0fMjCgu +rRWcX0HJcnYj+LCic8/hiNypu/z4eES136pkpzegh08fOS9NmTERXovIMOEGKLzq +2nGX4qR/q78kbM1T79Qv0RAqz/BWTrrf3HOwtguQ4LqM8wRN4xeyEqfvzw2I5tSt +pGJtVfIXSwWoC7oVw1rgRdPOmzVyXMI2 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem.certspec new file mode 100644 index 0000000000..6a7dc5c436 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-cA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v1-BC-cA +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem new file mode 100644 index 0000000000..41206cae7b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuDCCAaCgAwIBAgIUQxRBwJhxMEAFMa7BzkaZKbkhuoQwDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQaW50LXYxLUJDLW5vdC1jQTAiGA8yMDIxMTEyNzAwMDAw +MFoYDzIwMjQwMjA1MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX +bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ +OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 +uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb +t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG +9w0BAQsFAAOCAQEAVNqzFe5ctks0XWw8TEF8pasaXlMvpB8KTAJAr2Qamo3eyS+r +Sj9di81UA6ty83yKcUQgxaAcE+1K39vynS2/uMdOycbOLrfA/bEDqtTYxL86LvRS +5nzbk1gfq2HfMt5Y1EpRAJ+loOKynLGnuJ07Q62unUtMf5G9BXKbkQ90s4tAhVh5 +EWTdV8Yj9loI1TqkjXMFGUAMhMh/dSvdbQib1z0ikJtGHmeIwbs6sZzLt+9IHABj +xFBgjrveLBD5vKvGmno3BN3lqzlU+KaQ8HJmYRX1VP1sancFbGFWWhdJpcBPVRkV +0uiOvCLHBfGA6TN1XhRwgMwSUr+1Qh36sov0jQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem.certspec new file mode 100644 index 0000000000..639f83d660 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-BC-not-cA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v1-BC-not-cA +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem new file mode 100644 index 0000000000..31f154b29b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIUSZxrSB1ASCb/9OLKTfbXvWhu8oMwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLaW50LXYxLW5vQkMwIhgPMjAyMTExMjcwMDAwMDBaGA8y +MDI0MDIwNTAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL +BQADggEBAF2GVw1iaU9gHhCPgZVZlAOb6O5k507/xrT2SdYiRkFQaHfH9iL2l5aL +tQ+gQNH4BY3fUyxIR0wOKR2WUiBKBFPzvgZYzdajTzd1Cwy8F4v4hvCkx8T9dY16 +UE0TRSM7M2D+UpelJ/c8k2EzbBdeeNs1LR1XEGqVFUoTb0voFVgPb4ZnpSw+36wc +v2kZaZjxPJOkoNcif3kuGbp0RVZW9zG0LVfgsZTyfczWmMdpdVCXVdXe4cJ1wAxy +kQUGPMjv6xUXMcawgOLvT7JmX+9hQFkqidP2oR7eU8bGX8Kc9mFtJEG3I+xmcig6 +TbgPEBsnRfM8KxHcZpnxeKsRAP3msoo= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem.certspec new file mode 100644 index 0000000000..d704f3086d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v1-noBC.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v1-noBC +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem new file mode 100644 index 0000000000..3948a89f26 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtDCCAZygAwIBAgIUU/Jvq3MSz1uQv7XntCtIuprX+bMwDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMaW50LXYyLUJDLWNBMCIYDzIwMjExMTI3MDAwMDAwWhgP +MjAyNDAyMDUwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB +CwUAA4IBAQBFv3t9QETpW/vJYCDwA6xAUS3h68J+0pwHhq/dVsart/cgsC8LzHhG +bOJUKseHitl0gHjHiH50dkuzKzjH2bfrG8a+t3J46WnmxDEJP09viwRZYyxufSzt +eX4+P+Z83ByRdqoIPFzd5ytWRo97oyZemNz3a3pU7bsbytYq2nIjCOAVAWxnIS2Z +LPaQhEaQTeZ8hkHOlgQzAWAo5ncgVtmlgy4B6ObxDrHMMRG76rG96enCkrtxmqTm +CjNyMC0Kim0q5rli6V7CV5hyF4V8/k+0uAeYFPboTHXOC7qY/1Kuer7BMejwEYOh +uaYfipGohEbIYJGPgqf7wVFsZH+rsECZ +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem.certspec new file mode 100644 index 0000000000..5d3a65e650 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-cA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v2-BC-cA +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem new file mode 100644 index 0000000000..b8161aa201 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuDCCAaCgAwIBAgIUQ0aSCvyN3w9lBlcjtfY7MI+9znEwDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQaW50LXYyLUJDLW5vdC1jQTAiGA8yMDIxMTEyNzAwMDAw +MFoYDzIwMjQwMjA1MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX +bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ +OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 +uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb +t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG +9w0BAQsFAAOCAQEAPFTPXlcnxZn3v2lA4XKkBMjgz6ofD2k3Q+9CBIPAQ8adsr2U +k6J5bDHr0hZs3OTSjm4MvnkDPUXnz0TEaCkGPaMDJSm5Pc+QNz8mtFZ3LCU7kaXk +eye/mgUyA6kzp9m+beI2bPFgs6yfNF1hJwmFLprfr8tAfhSRdG0Be1n2ZlxD5+JK +m2VRUXuWfZk9zG2XEVH7aiIsdvsvP2LvisfpPVWG1UaMv+RytnGT3bwHB1qaTeEz +QUriOWNRevenmHzRBAsepSUlNvejPrGh8kiGaQXA2TVUHMFxhn3nrG081cZnlBpB +8MJmJXvgAciIbuOwA3EofUzjIgvRCbl6YoGIhw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem.certspec new file mode 100644 index 0000000000..591a16aca0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-BC-not-cA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v2-BC-not-cA +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem new file mode 100644 index 0000000000..e1f66e9e51 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIUX0FaQnSAZBS9om1VZNfOrAUkAe0wDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLaW50LXYyLW5vQkMwIhgPMjAyMTExMjcwMDAwMDBaGA8y +MDI0MDIwNTAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL +BQADggEBAKwAvSfgc83j7dwYrrblbKrMEi/+XVeMuFNHnBh2HYvSInBbRA4Opflg +EgGkh8X3X6cHemjTzNRqQAI1dsODNRgjigY1KJ3voiRWdasd4em/qBHtUr8yL3H2 +E8AAQKtHNzDimP5bYcf4ABibTVw9n6fRsmsP9WsQPafiyBOfqpu95ZBrc5xSCi/I +z7QEO90pPoBmvmb0vDQnAZ2qrqXXRmMes+wDceWTQRz4aHErlmriyCbqI8jsFqDg +IcuydsUzZXUxa9Jw2LAUEQ4uNnNXycOZrZYG3Y6EW9AmwkTT5mHGWdBlVVUfgPyy +T7tC1iWYC10v6b2QqW6E5AlRjEMMa74= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem.certspec new file mode 100644 index 0000000000..7f99393cf2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v2-noBC.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v2-noBC +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem new file mode 100644 index 0000000000..6c037d9e29 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtDCCAZygAwIBAgIUZ4+j89wGn7o9vFoh7xjDTNgsTikwDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMaW50LXYzLUJDLWNBMCIYDzIwMjExMTI3MDAwMDAwWhgP +MjAyNDAyMDUwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB +CwUAA4IBAQANK4s2ijXn8xh45oXq0QjgiWMF1QnA6egTC7uKlDk1BYHtW+hztq4i +71dkmot4SOL6Qf7ar3HSmRl8HzFfD0uasf8uobH5zFfn9wImjs2k0ZFMl9rc2NVj +adNi0fqZ6x6sAN49QAZzkwx9nwnUj7larBg7F0KYNEpQ3li44l7W9ZYR6A39pCmJ +QSUOJLH2OZEelAn/Ys8gQBz6od6Csa3sYYZGxvzfe3XEsGGFKktZjJzlwrZq0wqn +1hPXy9cj5LbwB28F1OuO9Xwqt2pNdNI6oMW0N/SnGL9bcJs6zH0HFO4o6oRtNUFn +4uaz1Oxe4NjHmU1p3UEXwzuUs2eAOl9H +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem.certspec new file mode 100644 index 0000000000..13af934f29 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-cA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v3-BC-cA +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem new file mode 100644 index 0000000000..386d5a0b6a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuDCCAaCgAwIBAgIUM0bo32+v9wg+ySb7JNgS9bNERjQwDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQaW50LXYzLUJDLW5vdC1jQTAiGA8yMDIxMTEyNzAwMDAw +MFoYDzIwMjQwMjA1MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX +bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ +OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 +uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb +t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG +9w0BAQsFAAOCAQEAoZ1c9YGZvP5LfhC/PkgXr+ASbbfXpAs2ku/vLcVCx83/tf4H +suQhyjyIJxwh73C4MvJLwhjhRN7wTbsGjcQdmFRsR4bFnFPSmtXbbkG9ZETo/fdX +dRp8tOS73ZoqFNaO5f+9+CWFcMIE2WznMVruBXK3AfNZ2pxmT6hvYngpvoulHaab +kTsAZhtGIlKZ50UgTfW9xo7vEREgFXU5aRptA20zjHC/jlzlrYA5FJNnT8Kb3h2d +yVtan28mbtC8Chaytfhg/olwNyXmlugid1wZ1MyKq2aRXE4phvubhHhfVE19EQ7x +0KAx2S5LmSIM6kPVX2A87G8asDPRIdE8JGq/OQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem.certspec new file mode 100644 index 0000000000..8539715a03 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-BC-not-cA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v3-BC-not-cA +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem new file mode 100644 index 0000000000..e9a5dbc060 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIUYwcJlTtvWVYPYl8zRS5OIB6KHyMwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLaW50LXYzLW5vQkMwIhgPMjAyMTExMjcwMDAwMDBaGA8y +MDI0MDIwNTAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL +BQADggEBAAZLo88i5xTVqbh2Q0eIlYQ3U/2wiCEt31iTlWIBegfemPs47yZszm6Z +H/TEl6pw4sBBUmRRD8R/kFwqruJ3I83m83XgVv8wV6rxgQy+l/7vgS+9aRzwJ4rE +I+jsYxtrCab/rQB+1ExmLfLM+SlyBu+pwyrJrhMCxfQ3YXftWdJ/OnuHF7HOQSgO +N9mskwjAiJLgZkW4ncsJ9yqlmCMSCL954P+gZP+a7vh7t52/+Ye3QgqrzdW4njGw +RTVXZv9WT0nutkzz2UN1LXe2YPACVC15Z2jAx0NE+soF/cv7+ABLbNi3cJ4xT2ub +NJpF2DU/rhqYqRCNXKthPm+/HgxuygA= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem.certspec new file mode 100644 index 0000000000..a65e41cea5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v3-noBC.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v3-noBC +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem new file mode 100644 index 0000000000..68597d3617 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtDCCAZygAwIBAgIUJQnuCvzn6Cptf7mbf5euO8tqA6QwDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMaW50LXY0LUJDLWNBMCIYDzIwMjExMTI3MDAwMDAwWhgP +MjAyNDAyMDUwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3DQEB +CwUAA4IBAQA2iunDwwbF7DjKjXfY8TagUVcuYRlM0aR0NOWDJht7HGQ165jGvlbD +tGFiV8LCttQ7mHIkM5petJQOijZ/WOE+TBOPdwOlGKI7LK64Dx0jD+STXeR8funZ +C9oxou7BQTguKsDL8e+Vx3CiduJ//82yCvoiSOWKZNt2/XzMJVkXe2zwqjWJ1mZy +eFM1R+HhmeTiElWHylyNmZu1rMQEvM8cRVT9T07BkUwe/Q1YNC2pssg8zWvsXlJe +uyEKxd+rtbxXfZ2Ca5K6zoc03Da92DF/ZYeA1rr2jLfWlekcUUWyytQ1tvFpXX28 +wB9+G2j4ghLch847KX6jFvLloB4XAUsZ +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem.certspec new file mode 100644 index 0000000000..35a3a9ff36 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-cA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v4-BC-cA +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem new file mode 100644 index 0000000000..6459172a25 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuDCCAaCgAwIBAgIUP4CbTDW2dlD720iPom3sJdQk4i4wDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQaW50LXY0LUJDLW5vdC1jQTAiGA8yMDIxMTEyNzAwMDAw +MFoYDzIwMjQwMjA1MDAwMDAwWjANMQswCQYDVQQDDAJlZTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX +bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ +OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 +uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb +t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG +9w0BAQsFAAOCAQEAADRGeHq/tJLPiJSuPdGLKRV06gwvSqynXeTGxuLouD37GAf0 +IH0JKP6zMKAo06am7YJxThwQSj+cdyEmR5fPcZXeJW25s05YP+CyY76J8Zevxu7I +1E/lEPg9D0xOiwbN4LtlK8UXCCgkVJEkqqtcxaa2QNvUsdu9C4tpGz9NdYbfSFtu +ItcfOH0mX0JqSwnYjaYys8FuP2xCTvCIY0iqUw3bJw8X5kvUrC/tOURl/vvAo5JE +x/qqoJCZi8zYkF6FQ2ore2XH4WrovFRr0QHEO6iSPJwFFuBmHLBSZN+Qcb6lf0AY +Im7gb1hJdEOqnICcEgwqRslVm6WduwjbrzQ9Nw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem.certspec new file mode 100644 index 0000000000..7627d3a8a2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-BC-not-cA.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v4-BC-not-cA +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem new file mode 100644 index 0000000000..e7ca4d52cb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICszCCAZugAwIBAgIUMQUX3zZT021FdxR9n54rCz06Yq8wDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLaW50LXY0LW5vQkMwIhgPMjAyMTExMjcwMDAwMDBaGA8y +MDI0MDIwNTAwMDAwMFowDTELMAkGA1UEAwwCZWUwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZIhvcNAQEL +BQADggEBAC4Z3DsSJU8p7V/8G++ImlrraGiZgr1ORJkDA3CpOkWkPftYlQoY+fvD +1GoJs5kLnhrhhchOatRvWVR+/y6QZPV5SVNydDzPl+c7vVesxjnN2sQmekCt5olS +GI/UnTCFUNUA1Tdsi8rYN9wHjJuhbq82+1kvxPBT69rJ7YxEvQYi9qiEj1/6k5n8 +QSMImyp4wvr2QXgO8PcfThZEq4f62jH/tqqkk4UhN839N+R5v7n12GcS+/OfArDT +XNr2KxiSZoApP3gDrEU4HEcltszfkBxhc/fjvHLqJdJvVlbNeY4TJxXHOtCEuG1p +hGLFa63QwhnIaYfHRn8G1Oy+H2SZepk= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem.certspec new file mode 100644 index 0000000000..a780337539 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ee_int-v4-noBC.pem.certspec @@ -0,0 +1,2 @@ +issuer:int-v4-noBC +subject:ee diff --git a/security/manager/ssl/tests/unit/test_cert_version/generate.py b/security/manager/ssl/tests/unit/test_cert_version/generate.py new file mode 100755 index 0000000000..2afaace3b9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/generate.py 
@@ -0,0 +1,93 @@
+#!/usr/bin/env python
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# This file generates the certspec files for test_cert_version.js. The naming
+# convention for those files is generally of the form
+# "_.pem.certspec". End-entity
+# certificates are generally called "ee". Intermediates are called
+# "int". The root CA is called "ca" and self-signed certificates are called
+# "ss".
+# In the case that the subject and issuer are the same, the redundant part is
+# not repeated.
+# If there is nothing particularly special about a certificate, it has no
+# description ("nothing particularly special" meaning the certificate is X509v3
+# and has or does not have the basic constraints extension as expected by where
+# it is in the hierarchy). Otherwise, the description includes its version and
+# details about the extension. If the extension is not present, the string
+# "noBC" is used. If it is present but the cA bit is not asserted, the string
+# "BC-not-cA" is used. If it is present with the cA bit asserted, the string
+# "BC-cA" is used.
+# For example, a v1 intermediate that does not have the extension that was
+# issued by the root CA has the name "int-v1-noBC_ca.pem.certspec".
+# A v4 end-entity that does have the extension but does not assert the cA bit
+# that was issued by the root CA has the name
+# "ee-v4-BC-not-cA_ca.pem.certspec".
+# An end-entity issued by a v3 intermediate with the extension that asserts the
+# cA bit has the name "ee_int-v3-BC-cA.pem.certspec".
+
+versions = {"v1": 1, "v2": 2, "v3": 3, "v4": 4}
+
+basicConstraintsTypes = {
+ "noBC": "",
+ "BC-not-cA": "extension:basicConstraints:,",
+ "BC-cA": "extension:basicConstraints:cA,",
+}
+
+
+def writeCertspec(issuer, subject, fields):
+ filename = "%s_%s.pem.certspec" % (subject, issuer)
+ if issuer == subject:
+ filename = "%s.pem.certspec" % subject
+ with open(filename, "w") as f:
+ f.write("issuer:%s\n" % issuer)
+ f.write("subject:%s\n" % subject)
+ for field in fields:
+ if len(field) > 0:
+ f.write("%s\n" % field)
+
+
+keyUsage = "extension:keyUsage:keyCertSign,cRLSign"
+basicConstraintsCA = "extension:basicConstraints:cA,"
+
+writeCertspec("ca", "ca", [keyUsage, basicConstraintsCA])
+
+for versionStr, versionVal in versions.iteritems():
+ # intermediates
+ versionText = "version:%s" % versionVal
+ for (
+ basicConstraintsType,
+ basicConstraintsExtension,
+ ) in basicConstraintsTypes.iteritems():
+ intermediateName = "int-%s-%s" % (versionStr, basicConstraintsType)
+ writeCertspec(
+ "ca", intermediateName, [keyUsage, versionText, basicConstraintsExtension]
+ )
+ writeCertspec(intermediateName, "ee", [])
+
+ # end-entities
+ versionText = "version:%s" % versionVal
+ for (
+ basicConstraintsType,
+ basicConstraintsExtension,
+ ) in basicConstraintsTypes.iteritems():
+ writeCertspec(
+ "ca",
+ "ee-%s-%s" % (versionStr, basicConstraintsType),
+ [versionText, basicConstraintsExtension],
+ )
+
+ # self-signed certificates
+ versionText = "version:%s" % versionVal
+ for (
+ basicConstraintsType,
+ basicConstraintsExtension,
+ ) in basicConstraintsTypes.iteritems():
+ selfSignedName = "ss-%s-%s" % (versionStr, basicConstraintsType)
+ writeCertspec(
+ selfSignedName, selfSignedName, [versionText, basicConstraintsExtension]
+ )
diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem
new file mode 100644
index 0000000000..4713680eab
--- /dev/null
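Review bot: `dict.iteritems()` exists only on Python 2, so the outer `for versionStr, versionVal in versions.iteritems():` and the three inner `basicConstraintsTypes.iteritems()` loops raise AttributeError whenever the `#!/usr/bin/env python` shebang resolves to Python 3. `.items()` works on both, e.g. `for versionStr, versionVal in versions.items():`. If the generator cannot run, the v1–v4 × noBC/BC-not-cA/BC-cA matrix can presumably only be maintained by hand, which makes it easy for a case to go missing from the certificate-version tests. Separately, the naming-convention example in the header comment reads `"_.pem.certspec"` as shown here; going by `"%s_%s.pem.certspec" % (subject, issuer)` in `writeCertspec`, it would be clearer as `# "<subject>_<issuer>.pem.certspec"`.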
+++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzjCCAbYCFE/Qhor9ec3ELTS4N1BGKhj1nEShMA0GCSqGSIb3DQEBCwUAMA0x +CzAJBgNVBAMMAmNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa +MBcxFTATBgNVBAMMDGludC12MS1CQy1jQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODY +H72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk +27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A9 +0jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMM +kd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaL +L+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswCwYDVR0PBAQDAgEG +MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJCQfexxdv7+4MqcTMOj +1keHx0hdsqx6lvRPatw3YgAyuaT6ZPWLfFZk+LF5uK6CpkMY9v5Cq3x0Le42vQZH +5ekERe6JA87bJuDgndHUAde7UKYb1JIdomBBISQjS1yP46asX2a9s7Tbaa6rLrRH +CCvGI6Gk6KK8l9CMUuMqWb0TxoZosfhz+Wn+Jw/gthcZXjxc+cM2XRCUe6G+NNa1 +EtvEujaOBlzF+XMESgm9MSp3E4tc0uWHcp+K0sA2Cq1CtC/NULUS0RgdFKfE7sc4 +5a9MpamgJ/EiCOiwoNGVwd0CxJEforr8nsRBT5Wlbkla6Q4VjFlYjiqTJ1QSXoOr +Spc= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem.certspec new file mode 100644 index 0000000000..77f3ae9147 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-cA_ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-v1-BC-cA +extension:keyUsage:keyCertSign,cRLSign +version:1 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem new file mode 100644 index 0000000000..d566d59e30 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzzCCAbcCFDmurlX239tmJzMSwE2yWclnP/YTMA0GCSqGSIb3DQEBCwUAMA0x +CzAJBgNVBAMMAmNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa +MBsxGTAXBgNVBAMMEGludC12MS1CQy1ub3QtY0EwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGjAYMAsGA1UdDwQE +AwIBBjAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQA2sZIPc4usxnbGoqze +dBE+p3d+XcbH9gMfNBbmUl6XfKf+RZFcZuE7Jml1Uv+6Jd+nZdJDJaYJMPzbRRn6 +E8lTi7Ml5dCkmyRVJfmjuaec3IegrNcInau7ApNCidM6wPfcd+P7b3doh1qYD7l2 +NYOdNGik4yFqDgYVH7RghAYGKmJ1yvejqB0ulfNCJCXz2e+jxbgvMVm176wDxhi4 +yCmwvRWRi9byXpMmI6PqC2za4aZL3Ztb7uqyoa/CYEJQVZtS8OtDmpjru4bq9wlV +RGhgg2zygpRsmBGim9LVIgWZVDehvJ8fP8cFsndVEQ03OrQohq827x2SkKoWurzU +x1Qp +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem.certspec new file mode 100644 index 0000000000..2a366535b6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-BC-not-cA_ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-v1-BC-not-cA +extension:keyUsage:keyCertSign,cRLSign +version:1 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem new file mode 100644 index 0000000000..2d63a43993 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICvzCCAacCFFlMGtxn81zLZeWwYjryulK7jFX7MA0GCSqGSIb3DQEBCwUAMA0x +CzAJBgNVBAMMAmNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBa +MBYxFDASBgNVBAMMC2ludC12MS1ub0JDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow8wDTALBgNVHQ8EBAMCAQYw +DQYJKoZIhvcNAQELBQADggEBABIkDbeDGKocP3t3H8pcicHy57lHkPUqzOV5Qz4k +K1py+SKGY7dn08rfts6L5GsNB4euv7TXt4CJvUxZfyv6V87ZfP5hN0si3YwDaBRq +WmHtOQuyoEu3Gjagq5rvnM32YVV+2luA2LH3uKRyD+WWyY8OKekxCnNGpgG5CH/t +tKujd2VQPZ++74rzI4zFLDEohdPJ+V/zYWHFcIAIXbKFnaFXOiDdps3+Wjm83uLO +t8103w1lFRl4si1ilr++cnZdWw7KGY5pSi+XM5f3X7O+tF01QTBTB4oYHpR7aLMr +KSun8GxhvE5N/im6BHW7MlwWg7/dCBcWFdVvoahLtpbTtEM= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem.certspec new file mode 100644 index 0000000000..63bf6ed737 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v1-noBC_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-v1-noBC +extension:keyUsage:keyCertSign,cRLSign +version:1 diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem new file mode 100644 index 0000000000..ab3de4239d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAQIUdRNyE5Q7FT2TnlhkA3MFGPl8kHMwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFzEVMBMGA1UEAwwMaW50LXYyLUJDLWNBMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E +BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAeTnN/gKQj4Ke +OTTweVvVugkfTU9BKBrqNGwarLQCznA7RHo+FvVKLjoY3Q+baHcK4EtO0u6SG9p5 +wP77QcvAmf2Zr3cnU5thgEPhn6GD3hpxDTH1Ai1i+5Y+kD+0AoDyXcAoDYYSOL8J +XoTDeWFlKwUchWcVqr6T23dQk1ugYX2jSvozQJ92uTdk3xFqj3glhPEY/KmsiGGd +WX9CWt9df/sw2fkCHWDTx4Uwa4f6bnu0YL/rHV5F/J3iHM0PN++vtLifyEJmwWh9 +pkLR79Pvd7eQelrdt+vcnUbvT9L/KdlUptcO4FWtlPE+hfkQdlSL0M9Wo+bsJTeG +CekrPZWLOw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem.certspec new file mode 100644 index 0000000000..ca1bf67a7d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-cA_ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-v2-BC-cA +extension:keyUsage:keyCertSign,cRLSign +version:2 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem new file mode 100644 index 0000000000..e18ee2c0cb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1DCCAbygAwIBAQIUZbO+K3eIJS/mMdcdqWTFhjTgZYswDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowGzEZMBcGA1UEAwwQaW50LXYyLUJDLW5vdC1jQTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX +bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ +OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 +uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb +t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCwYD +VR0PBAQDAgEGMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAHPwO/Xglbd7 +0tOHcMV5fgQOIPY1qXyG3DM/dYNYJ1+Ma+2F09nZjaOtJpUeSNJReTD6TNWFuNbH +pcDge8qlQImjjM1CN7TIgefwY1riWqryJniX9mL0oGaZsRMWH8Ad2e44vAbG9yRv +2t933F9LC9MjEHMhrLCaY/DRtA3Hbao1l+ykAOl/Y8M7AVQmscsyw+BKtAv10lxR +ktTz0ksevwxGIBgx6MTJRFreY3JbCraJBdkM4RjiKhmXhmEjQS2+TRWTp0do030N +FO9ELuo59+DMCf8hZi33IlekAfda6qmtuIxBg4USLKhoF0KAa+KnIIVY3G17zO94 +VnA8/fR5uJ8= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem.certspec new file mode 100644 index 0000000000..fc28ff150e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-BC-not-cA_ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-v2-BC-not-cA +extension:keyUsage:keyCertSign,cRLSign +version:2 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem new file mode 100644 index 0000000000..8ef8e505bf --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxDCCAaygAwIBAQIUUQLaY8ipGIlTLB/nSbAqMeW6VScwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFjEUMBIGA1UEAwwLaW50LXYyLW5vQkMwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQE +AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAioRpOtyrsMKsL6Hty1aZ71A8VK6rccVF +87ONK3VlT2PqrT9QW4RnVpyBgghPNqFTup9i/5SmC8Onva8beyRFj0zXThw0R4dg +jEssH8l0a/kHZL/WYhrgIEjddoyoghcNKEldlzTjystlwSF19vjaAjIuyMXkz6vB +sxZPybLUsku/Vadr6q+IgVQfbAnnKi4nlmju4Y7qcBDHSMNRyiSQ+UvCLYRqBp4P +eJmNQ6CIveosdZHN0GL5TA2wwLaZPeg2dSIMyZZkJ3wZ8f9rUo+K3djlhBlsNbb8 +tnXTtF+V0Cuw1K27sUDwcpzGkW3KZOyTNChnNGeTRuRvL8atnovoiQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem.certspec new file mode 100644 index 0000000000..2d3fe59ffa --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v2-noBC_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-v2-noBC +extension:keyUsage:keyCertSign,cRLSign +version:2 diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem new file mode 100644 index 0000000000..020f8c95a0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAgIUI1ybSEPY2poauHkhPwser00Xp/MwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFzEVMBMGA1UEAwwMaW50LXYzLUJDLWNBMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E +BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAOGTAs8e845vz +QlLoD0fleQQZ2MXLA+/OrpWyzsN5ACv3PMShQs7TBl+/xxAu8lt2AvGso5lFsV8b +0URtUP/X+nSrrKDFDx9g6A47q4XNpWeDESAWxJzigH2JYszzg/YtEdTcf78cIIIF +rLvoohH3zobR95yMXsfbs2JSvYH3vzWDZV+cz0FyaUXw16e2KS0MnmIwP+37t6xk +sJQ5bCoWQhg2vuanikOUoqvr3aFgoLJ0HjArk5rDAi7fX8/JuAWc3cIJufHUTlXD +Q9t8x8dbmGk02IcNDqyzpTzyht8vWEkx3NeA+xalUdC7Q7ERK5RfnTGZE61NCP2t +Hc/W4GT9Jg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem.certspec new file mode 100644 index 0000000000..56fcb21a03 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-cA_ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-v3-BC-cA +extension:keyUsage:keyCertSign,cRLSign +version:3 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem new file mode 100644 index 0000000000..84a3cb5aa9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1DCCAbygAwIBAgIUD4qSXNFu/c46+734YKWQ34JSbYwwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowGzEZMBcGA1UEAwwQaW50LXYzLUJDLW5vdC1jQTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX +bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ +OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 +uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb +t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCwYD +VR0PBAQDAgEGMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAGScr4E0l8ED +DTvqNg3LofHZhzXbcjnIMCtF0Lsm+bgD/lcakGq36EHfRe5lzYkCUJNYZdzhoEPA +vusoj+SxXvmvGf0a58yW6m3Qm1nwIS3g93AA5QakNeMAKNqwNubLK2LCeaI7BUzh +Q8rMOwskLjPe9dTVFWQc+w8xFwM3okYQQbwtwm8xJ/246RTCsN0bNDX3+stMy9q9 +cIJe3Qn4Ts/1MRdk3h9xmpY3gxP7Z1pAoVGR4rkw90ZHQgyVKZeewEl3FSH2MUNA +0pAwdNCudoSrsVzWyd5/B8cdLzbaZX5K3+6/O2b7EYSxcLTwSxbhFFrzBchdr7gW +6h1ZkGIuZ54= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem.certspec new file mode 100644 index 0000000000..a2def8d323 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-BC-not-cA_ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-v3-BC-not-cA +extension:keyUsage:keyCertSign,cRLSign +version:3 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem new file mode 100644 index 0000000000..95da1f083f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxDCCAaygAwIBAgIUI2KYUx6IdZc7V+QOkPrR6lb8mB0wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFjEUMBIGA1UEAwwLaW50LXYzLW5vQkMwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQE +AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAaeXb3bAjhYr/PTWrfsPEbafwF60e9iMB +SIvCE4EgFkk4jVmnSsQ3x9gipx1j+7M0xIMPSvkC/wdK9G1gdUVg64xjIUoBy38h +YP9Mla/4vThWkkOt/0LDqtVio26R89GKR0v1tLwOfSBGJtZIpzZmZeGfYhFQDKc6 +MioBkNO/2QGABwyTtzRBhirgm3Sr39mLO1LiAeX/9kZ8kx+RQ+rhb5zxkwh1J5Fu +c53sY4bfssi1PZTCiqv1TunBNfCnUexSsryFVpt66nUmTFpxAFTF4LB0o2nxesN0 +MB6t/FCjQB4ohAjsDZFuvay20i39QeOdn1giiq8WKxkJ/1gJEJoghQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem.certspec new file mode 100644 index 0000000000..b336397ab6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v3-noBC_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-v3-noBC +extension:keyUsage:keyCertSign,cRLSign +version:3 diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem new file mode 100644 index 0000000000..3a70fcb59f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAwIUf4EySk0lSBQJqR+4lgqvertC0zYwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFzEVMBMGA1UEAwwMaW50LXY0LUJDLWNBMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E +BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAaZBJSMK66toq +1l0vfxuY8w6uwbged4tuAEZPtl8hA2I/E70HwcaFpphKZGC5W1HeCrUsooZpRJPb +UZntyARmXdaTD3tUi85VUX2LnZ4OjmfATAcEHZixItQSmRrXRQrDOk2hwADrLRD0 +aH8dR23aE+pbZSvPt8Oj/0M0PMeyfYLjPwacyspMKBOKB2psAISnRqiRJidprhuy +XDmYPaCMzw+cB5nFK3w6UJagxR6n9p70BQXaj5vodHpAsYDKHNmJzoUTewQhDjvu +8IZ7IwwIQCkzBYD1hzgyv3iwos1Fdruo3HlUG3QrTlKRJWTg+uy22mjz2LkQTASs +GtMjAMQoXg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem.certspec new file mode 100644 index 0000000000..12b94e63a5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-cA_ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-v4-BC-cA +extension:keyUsage:keyCertSign,cRLSign +version:4 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem new file mode 100644 index 0000000000..258edfd30b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC1DCCAbygAwIBAwIUaRagMmDSJscXn/t4Oc6wCFBRsAswDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowGzEZMBcGA1UEAwwQaW50LXY0LUJDLW5vdC1jQTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX +bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ +OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 +uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb +t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCwYD +VR0PBAQDAgEGMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBALc+XVxkZhVz +jUck7fZy1tMh8WoDXjeVEg1nLC/ZR7RSKyJrsvqiz3lVgI5PHKEJTdX4GGUIduaV +cqF5NegfOEIxbz1e4TIETyr6+bZpSyEY9+yRZlXViXYu3RN/06D7iRs+GiCRalD6 +LqWGka40hU2RnfTJMQl5vdKYRsEkgKJdDcy9siqtyy+N0q99qrjdgmEp9frvFOeK +n+Z2A0q2dd4SvNJMjBuWOSDkf7OWe8ikG9a6/LuqvKTLKbSGPcn3kBBRWa50fhXF +VD7zNYCEenOUkKtSEuOLjfCXkclq5E+2x6xevQzLhaq+YEn9eWIB1lkUKlIKRctH +mMxi6abwwmo= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem.certspec new file mode 100644 index 0000000000..43a04f70fd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-BC-not-cA_ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca +subject:int-v4-BC-not-cA +extension:keyUsage:keyCertSign,cRLSign +version:4 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem new file mode 100644 index 0000000000..eb04abd1ac --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICxDCCAaygAwIBAwIUHQVqHNDgKUKfLlJSssV/DtzK7n8wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFjEUMBIGA1UEAwwLaW50LXY0LW5vQkMwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjDzANMAsGA1UdDwQE +AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAOlKR1lHnYxbIL/rDMu7L9iOV/r1rz2X9 +hD5cIsB21vlgGyX2Mgp5FqnzqdEwspUDkK37R0rKQx1RSERbgFSoGomTmkcoGcxw +eZu7uURGGkhHCUxGa58LgDsbsRTJ8z6M61fC9bax9rTTSNdmwMoQ6RVNTeTcPBC0 +FuzC0IkKpTSRlkZiRiGsGmOboDdyJepopFNBdiiF4TP6h6R1VuG36wxWkuVjpmo7 +EjQATtHKW3hA2OUeG7MZ3uXfA9LB6J0YLeQx6RAtxJz3l8h1H6FLQqjHzZdpaqlz +TiZK2iVAFwysASY934d3960AVXf6w7sTcm+VATUJ6FeyZqv+MHLzrw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem.certspec new file mode 100644 index 0000000000..4970d1e945 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/int-v4-noBC_ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-v4-noBC +extension:keyUsage:keyCertSign,cRLSign +version:4 diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem new file mode 100644 index 0000000000..26d1e24ab8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbECFEm03vqIwHzrulQ6ThsgNEQPGQ1pMA0GCSqGSIb3DQEBCwUAMBYx +FDASBgNVBAMMC3NzLXYxLUJDLWNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMBYxFDASBgNVBAMMC3NzLXYxLUJDLWNBMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxAwDjAMBgNV +HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCxarz9SPSE3MKd2HcoDsHx66Cj +VpIgwPpGRCNoagkknbjSunYdIIi2NDnMHIzQBD0ldQWh6up2fdXGeVVyvKfs9Nt4 +c8oodt2JpOh8F3HHYeXy3xCr/5CA7t+MUamcMrE7xsZ36ozbVMKHR6FmgQ+J62ht +onoprRvwvwh/Q9RFC+oG4hC+M+PzDH+XXVXJ9tVsuOEPElb27sQATNr/msGfwNV3 +ly2KUdrexprB03HC/WxrkW82vJEqWBx2AtQ5p1VpczAcKW6hxknIE3aW/T8BAk+u +BrVWnL/Dm2WWMAiMYLdp0/yB0qCVwBLbWxr1pyzvvI71ht/rQ2cLuFaMaWGV +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem.certspec new file mode 100644 index 0000000000..731396f034 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-cA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ss-v1-BC-cA +subject:ss-v1-BC-cA +version:1 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem new file mode 100644 index 0000000000..58e32058f1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzjCCAbYCFB2XtG2qFhxdho3Q01DnHGTK3Mn4MA0GCSqGSIb3DQEBCwUAMBox +GDAWBgNVBAMMD3NzLXYxLUJDLW5vdC1jQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIw +MjQwMjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9zcy12MS1CQy1ub3QtY0EwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk +NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC +fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m +CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM +HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m +1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj +DTALMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAEfB+j9e5x5l1ucXYQwj +bIB2mGM0OmgN7gWjknyMNO7G48cydDPSay6OgX7yulT3TPNE+/p447hOo5LOeUSx +om+pLouQ6YejxgFzmfpNyOz3E2wJpLhMTis0S2z/YlyHQ+jKPawgH80pgPMcWdIJ +X/yz4whWW5XyELYsMR/M3wAhRK1KWgdDruZ/TvDhUkKmZWb5R2Q9fp1hqj88E8vI +0tW74SjrTVRO+N8r9SvaXxtzJgKl3lBKE54JUTaCCCgNZfDFw4qJNy46KkbX9nQF +rBCc5W7Ol3UvFRXCXFgvKWjKZNIs4+hHtKze9BnTN6P7qojv//6YPILPvtxRLBQu +OSE= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem.certspec new file mode 100644 index 0000000000..20d716d494 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-BC-not-cA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ss-v1-BC-not-cA +subject:ss-v1-BC-not-cA +version:1 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem new file mode 100644 index 0000000000..897b2929d9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtTCCAZ0CFCtTEqIZaepqohtlFuKdl2gKmSgLMA0GCSqGSIb3DQEBCwUAMBUx +EzARBgNVBAMMCnNzLXYxLW5vQkMwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIw +NTAwMDAwMFowFTETMBEGA1UEAwwKc3MtdjEtbm9CQzCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7 +wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCAp +k6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhh +eZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KW +EsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONssc +JAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAATANBgkqhkiG9w0B +AQsFAAOCAQEAl3uPUlywKxXEyN2YufvSbOK1YUXV0U50+Y7ForOzz4fkGagQ3JnJ +0kxPSyKBv49f+NKPWQXpTQI18vhJCAsuKu91h26iPVmNpIpur9c80J0MuB9h7d/N +OvnjU+mOZERvNjiMREKmf/iXc9muxD8m768uXLx9fD/TlVnNSGg3EB01xGdIYUVb +4OeiYdRveU7tTHRYQm+7fDpvz0bsushAC/IP+gMVKr9L0cOi9Sm8kXYofF6KE9OP +uqZubzychgdd8NeDFiZV+gKuzrFo+KDfZXgv7uPLsLXJTPrF4oa8K0f2o/7eodzy +dCqgcGAMiG8RY99fj/wkr53PTeoyjmH8JA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem.certspec new file mode 100644 index 0000000000..58d2f0d7f5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v1-noBC.pem.certspec @@ -0,0 +1,3 @@ +issuer:ss-v1-noBC +subject:ss-v1-noBC +version:1 diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem new file mode 100644 index 0000000000..a9698fa84b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzjCCAbagAwIBAQIUccKKmvoyz83s/BA7Se0cmdaDyA4wDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLc3MtdjItQkMtY0EwIhgPMjAyMTExMjcwMDAwMDBaGA8y +MDI0MDIwNTAwMDAwMFowFjEUMBIGA1UEAwwLc3MtdjItQkMtY0EwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAO +MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKCYVHe7DQRTQ8bGEkSf +WFzWfcbVaijFx7fxDP7bSQ8odxLQ6HL9+qFY7YFAdlYNtzxnd1/7Lq91nmRn0yqV +W7KVCLMld9OsXMtrGZoA8BQ7AeiaC+UHjpdvNNkPVm4rMqutTTXzEfhlJ6sIYUFg +CTmRpBrAHZiQy0KoUAyu+mAEYgoZoBITapgj150ScwHYDrZZRMHQyBmWtS9Y/vkL +4mlU1k2x3vGp1OzEZ7ha/W6UKGj11vKYNH0wTJ7CFFOMWOybLnr47GkGvqYpM4AX +baIDecJcHu83EIVbVolkEhPyxGpdKd6ooSulOx4kqvOUfpa3qmtK8L1mG0GhtB8m +8EY= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem.certspec new file mode 100644 index 0000000000..8dbb3a65ad --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-cA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ss-v2-BC-cA +subject:ss-v2-BC-cA +version:2 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem new file mode 100644 index 0000000000..3962a757d6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAQIUJfSgjF/arNqPCRg7D0Wxb4V09DEwDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPc3MtdjItQkMtbm90LWNBMCIYDzIwMjExMTI3MDAwMDAw +WhgPMjAyNDAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3NzLXYyLUJDLW5vdC1jQTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9 +PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3 +HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg +Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7 +EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK +lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C +AwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAEj9uU+SGjK3L +BX2rRLlAmmY2gqpFPvVaPyxFlmqsLOnr/1LYzT5oWGP0TA57WLNv5KG1oJK+Jgcy +8kzVQvV3y/nMjYLF+JmPiNwkhZgHtjLuEpymjGtmqPQ1xyPRHz9tJwpw06HTcSZB +QgOY8gbAThJUyXS4/2ScOnSCyHXA/vOD2b11LPD+N3YWqsSg8DwMGoD2NoeoOlB/ +E3f7/oC4o/t17dRaivcruajM2BtAgG2hxWDXacNw1CuM19aCK2WFczP5bC20jwFT +a0G++6UnUD9VtnuZqSpPAUy57sddBavoLAhBe/CqSCgRAsPdNxyg1xBrZ6+We3O3 +r7Lsq4PH4Q== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem.certspec new file mode 100644 index 0000000000..2b8f4bcc55 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-BC-not-cA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ss-v2-BC-not-cA +subject:ss-v2-BC-not-cA +version:2 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem new file mode 100644 index 0000000000..a8fa3cf4ee --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICujCCAaKgAwIBAQIUQdBy+4wdhpohAMac8EXVk4wUnPkwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKc3MtdjItbm9CQzAiGA8yMDIxMTEyNzAwMDAwMFoYDzIw +MjQwMjA1MDAwMDAwWjAVMRMwEQYDVQQDDApzcy12Mi1ub0JDMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1 +aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we +adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS +pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W +YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR +CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqG +SIb3DQEBCwUAA4IBAQCW9HCqtoNi0A4JKT5I/zdq3m5e7gBPXxA1ZKdN0mqkkrhS +nqH+QvQmQrX/k53N/h3j/E/Dim9UYg26M+avN4/hfU/cx6AS5oHBHUwT4FVktktg +Qi7LCVnEop0GfRh37F3ELH2CP4/dPQCtVv1SUzMyJluKxnxjSfMHZtdzysGrAmRR +5cZKkaEBhqRPhfbhcb9zg6aE8Zkz/wJDERbQPNm64zUnvCok+Odzd9k1LiEeVcZ6 +f9BHkfij47T1v0thdmPFt7nEj7K2NslaTu1F9fvt8Km8d6RYYyb7LPROaW9vCvpa +O8RjTqqO5WuhaTG8Dm5JKWdv7sI7Y5idy9BcJ5V/ +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem.certspec new file mode 100644 index 0000000000..7656115a84 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v2-noBC.pem.certspec @@ -0,0 +1,3 @@ +issuer:ss-v2-noBC +subject:ss-v2-noBC +version:2 diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem new file mode 100644 index 0000000000..a86689c286 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzjCCAbagAwIBAgIUV3RPQ09ejjSXQuMvUHp+zUtwebkwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLc3MtdjMtQkMtY0EwIhgPMjAyMTExMjcwMDAwMDBaGA8y +MDI0MDIwNTAwMDAwMFowFjEUMBIGA1UEAwwLc3MtdjMtQkMtY0EwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAO +MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJOBJL+9cOC3goHK5Koy +QtMAovGwLK/6C79HM3rmAm/sKgc1fKNR6HKSN+dHT20n7DbNNLs0Yi0vxREqe77Q +tc57OM99Qa4AHDKyKM7C/dLNjvhedDJUGQx9Z6BdmvnsplPJ0mLE0Q/Tfvv/ptDV +frUiJtHAytpSQdIHex6pTn1duw9C6077MeOFWTFBhN46ofaWX7CJ/VFmo3cFe4w2 +81W2l4OY47KOMShPOulWegPoD7F5n7RLxCJmglgc3YqNKU0ZmjIbGd0pxBwA3hJ6 +RJYABAgFt4vWHiR681o92EdrvGxynQrt+rNua7vnbd15mpdlWhOzf2TpH6Eb1xQJ +xh0= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem.certspec new file mode 100644 index 0000000000..df822e99b9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-cA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ss-v3-BC-cA +subject:ss-v3-BC-cA +version:3 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem new file mode 100644 index 0000000000..50cb38c511 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAgIUe6vAs3LdMkG/SJQc7W2Z2nK0BhQwDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPc3MtdjMtQkMtbm90LWNBMCIYDzIwMjExMTI3MDAwMDAw +WhgPMjAyNDAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3NzLXYzLUJDLW5vdC1jQTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9 +PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3 +HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg +Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7 +EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK +lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C +AwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAucdyWJ2AEXtX +Q39648iG6PVW1J3wcnGX8qzmgFATl6bJAnW4kvUIJPx7Giuwr5FXiU0+4iH1UjvF +BorUywDb3H8R8PawAeNZK2pgbhy1aar1sAGINhJHq6ezyJzBHo/Kc6VHaHT2CHLa +3++MB9afCWa5+mUKfXbwQErCoI66N+ft6CEFRMtEvgLdqNNjoXrtW8Nag0elXwCs +dLBlErXmUnms8qXm4qnYu4bmw1fTbhpEmWYTZVEFpjcukKceOsK9g0HcuCzIKRTc +XH09WTxYiic5b2czUkCFA7LLwlslk6wzUZ/7ZwzR/+g/m+09ov/LkSPaacFIoOn0 +zaDYXSF1aw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem.certspec new file mode 100644 index 0000000000..0b2b575573 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-BC-not-cA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ss-v3-BC-not-cA +subject:ss-v3-BC-not-cA +version:3 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem new file mode 100644 index 0000000000..088bb2090b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICujCCAaKgAwIBAgIUaVRk3sXNmaUjSjJv3jBL0P0UTWIwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKc3MtdjMtbm9CQzAiGA8yMDIxMTEyNzAwMDAwMFoYDzIw +MjQwMjA1MDAwMDAwWjAVMRMwEQYDVQQDDApzcy12My1ub0JDMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1 +aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we +adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS +pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W +YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR +CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqG +SIb3DQEBCwUAA4IBAQCyXkVIdklwHrjupe3kra+HJFuVX4YmH1aPmTmbZ6lcbjue +4s3N4B6vMko1EpSLTkURaXptwIqTXepJW408wvq/I90AS41yFZdJWIqA4Ja660wo +GPiAg2pXYrRkJF3EuHywZBnAwW2ofvHfrWorZILvDuJHzV5ATwZq3Ol/h+Y0A/5m +tSD0nX3HsQzP12vJGe49MDcns/KZ/EjM2OYjES/0RaKO0RlsjcNwMRumDzONIQuy +nK/fqLUb3Kr85TUszug43hYLxggthGtQPABoKe3SWZdcUw436BcVajALLooIvPL2 +hWOvLzNaoTe/s0hstVlQA+w4A7gXBJ/ObXEig8Ug +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem.certspec new file mode 100644 index 0000000000..96314e51a7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v3-noBC.pem.certspec @@ -0,0 +1,3 @@ +issuer:ss-v3-noBC +subject:ss-v3-noBC +version:3 diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem new file mode 100644 index 0000000000..ac28f2a876 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzjCCAbagAwIBAwIUKQWpRSl3Uj/ocXqC2oi769nb2qcwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLc3MtdjQtQkMtY0EwIhgPMjAyMTExMjcwMDAwMDBaGA8y +MDI0MDIwNTAwMDAwMFowFjEUMBIGA1UEAwwLc3MtdjQtQkMtY0EwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAO +MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKlNt44BoIpzXgsZi0C7 +OIzkY4K3S7sa16Y+yyTlLNmUFSWd2LlFsecbqF5hsfQpGr4VGZ2qiRMMp/58SN6x +ZcIooVxuoPzrgmAsi88+oIg8/3y44rMYXTzUDEtT8qdCj+ZPFDJ+kXCQJgZg073/ +7Ds6gZrssJ7522Srneba/UCqpULVh3L7GCirWi9l55fWARGDpzzqx6jQ0VgKX51M +5h9F+xtqN1AauQwIszYR5Hayd31isphb3Xi+QHKkDu0hLeUIoYL+R3wrK3v66PsQ +UN3vP5uFlPSTytFyxHxznq/XK7PQTKJtDEsw83w1Zf/eC/OQqhpp5CQRIqhp4uvc +6fM= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem.certspec new file mode 100644 index 0000000000..54269184ed --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-cA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ss-v4-BC-cA +subject:ss-v4-BC-cA +version:4 +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem new file mode 100644 index 0000000000..513c923439 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAwIUIeyKT44j1c2KJk9pttBpbzR9ZSYwDQYJKoZIhvcNAQEL +BQAwGjEYMBYGA1UEAwwPc3MtdjQtQkMtbm90LWNBMCIYDzIwMjExMTI3MDAwMDAw +WhgPMjAyNDAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3NzLXY0LUJDLW5vdC1jQTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9 +PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3 +HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg +Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7 +EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK +lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C +AwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAmotdMTHJSzQd +7qW3zeMmT8LJrfAcYBH6mG0akuU+qI6DJyhxPZ1+WAg/WaDA9RxIBPX2kiWf3M6P +KPNlVQpenRuMVBpRGmkpdZVZzliM0Fy5GASUppXYwkUsXCDRD0bAOhvFR7c4JnSN +9jcE6GBJ0uMg06+YU5iAAX9G2WraWzp7Pk+xjqP8mbwda1xeNzj17jQ+byH+uYD6 +06l4yVrc5tEhvaLNQ4kj6WfwH2McfH8QKmTcKc4Hrurpy1DoIvhiPUXgjWRh10mY +hK2cyYKxOLkARC9rZyNC+Gs49QPNIvP8hx0bcBt2155KCyq+maY2z89V+4GDniCb +cotpFITaQQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem.certspec new file mode 100644 index 0000000000..3d65335316 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-BC-not-cA.pem.certspec @@ -0,0 +1,4 @@ +issuer:ss-v4-BC-not-cA +subject:ss-v4-BC-not-cA +version:4 +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem new file mode 100644 index 0000000000..21c3e5ab41 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICujCCAaKgAwIBAwIUY9VIv+NEAO2/Qp7CbzKTT7ZFeIwwDQYJKoZIhvcNAQEL +BQAwFTETMBEGA1UEAwwKc3MtdjQtbm9CQzAiGA8yMDIxMTEyNzAwMDAwMFoYDzIw +MjQwMjA1MDAwMDAwWjAVMRMwEQYDVQQDDApzcy12NC1ub0JDMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1 +aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we +adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS +pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W +YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR +CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqG +SIb3DQEBCwUAA4IBAQC167h5gNohDcvc3rNzNfzoEVyRnF9dxUkqjJRoNZ+LG+SQ +5zpkmFbbztbh+lto9oKNaLZre6ZKIVortL5zuKIaL7wl5D/V4sww/PDE7As8bWen +GR5ayqzq1jtOdVS0rbE11phIrnRciT6poZ8OQjasD1PYU/vYn1p8n8bEKqFR5uzq +g0nHMvGrVBPoe0fHYC1XIhIxFzJly0iDG2mObdgA4lusktAPBdXTbQElkQBuLVnE +yoL1lqt1jDPaOBhptIMuJC1yOqQcdlFPHdqRAd2xTur/ZwVOGSD2K+a0fqIyfFDl +hI+MT6xYiExzrkfQ+FV5wGQ95omzeVweeqhUCcbw +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem.certspec b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem.certspec new file mode 100644 index 0000000000..d02e04de51 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_version/ss-v4-noBC.pem.certspec @@ -0,0 +1,3 @@ +issuer:ss-v4-noBC +subject:ss-v4-noBC +version:4 diff --git a/security/manager/ssl/tests/unit/test_constructX509FromBase64.js b/security/manager/ssl/tests/unit/test_constructX509FromBase64.js new file mode 100644 index 0000000000..7a4f3915af --- /dev/null +++ b/security/manager/ssl/tests/unit/test_constructX509FromBase64.js 
@@ -0,0 +1,90 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Checks that ConstructX509FromBase64() accepts valid input and rejects invalid
+// input.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+function excMessage(e) {
+ if (e.message) {
+ let msg = e.message;
+ if (e.data) {
+ msg = msg + ": " + e.data;
+ }
+ return msg;
+ }
+
+ return e.toString();
+}
+
+function testGood(data) {
+ try {
+ let cert = certDB.constructX509FromBase64(data.cert);
+ equal(
+ cert.commonName,
+ data.cn,
+ "Actual and expected commonName should match"
+ );
+ } catch (e) {
+ info(`Exception: ${excMessage(e)}`);
+ ok(false, `Should not have gotten an exception for "CN=${data.cn}"`);
+ }
+}
+
+function testBad(data) {
+ throws(
+ () => certDB.constructX509FromBase64(data.input),
+ data.result,
+ `Should get "${data.result}" for "${data.input}"`
+ );
+}
+
+function run_test() {
+ const badCases = [
+ // Wrong type or too short
+ { input: null, result: /NS_ERROR_ILLEGAL_VALUE/ },
+ { input: "", result: /NS_ERROR_ILLEGAL_VALUE/ },
+ { input: "=", result: /NS_ERROR_ILLEGAL_VALUE/ },
+ { input: "==", result: /NS_ERROR_ILLEGAL_VALUE/ },
+ // Not base64
+ { input: "forty-four dead stone lions", result: /NS_ERROR_ILLEGAL_VALUE/ },
+ // Not a cert
+ {
+ input: "Zm9ydHktZm91ciBkZWFkIHN0b25lIGxpb25z",
+ result: /NS_ERROR_FAILURE/,
+ },
+ ];
+
+ // Real certs with all three padding levels
+ const goodCases = [
+ {
+ cn: "A",
+ cert:
+ "MIHhMIGcAgEAMA0GCSqGSIb3DQEBBQUAMAwxCjAIBgNVBAMTAUEwHhcNMTEwMzIzMjMyNTE3WhcNMTEwNDIyMjMyNTE3WjAMMQowCAYDVQQDEwFBMEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxANFm7ZCfYNJViaDWTFuMClX3+9u18VFGiyLfM6xJrxir4QVtQC7VUC/WUGoBUs9COQIDAQABMA0GCSqGSIb3DQEBBQUAAzEAx2+gIwmuYjJO5SyabqIm4lB1MandHH1HQc0y0tUFshBOMESTzQRPSVwPn77a6R9t",
+ },
+ {
+ cn: "Bo",
+ cert:
+ "MIHjMIGeAgEAMA0GCSqGSIb3DQEBBQUAMA0xCzAJBgNVBAMTAkJvMB4XDTExMDMyMzIzMjYwMloXDTExMDQyMjIzMjYwMlowDTELMAkGA1UEAxMCQm8wTDANBgkqhkiG9w0BAQEFAAM7ADA4AjEA1FoSl9w9HqMqVgk2K0J3OTiRsgHeNsQdPUl6S82ME33gH+E56PcWZA3nse+fpS3NAgMBAAEwDQYJKoZIhvcNAQEFBQADMQAo/e3BvQAmygiATljQ68tWPoWcbMwa1xxAvpWTEc1LOvMqeDBinBUqbAbSmPhGWb4=",
+ },
+ {
+ cn: "Cid",
+ cert:
+ "MIHlMIGgAgEAMA0GCSqGSIb3DQEBBQUAMA4xDDAKBgNVBAMTA0NpZDAeFw0xMTAzMjMyMzI2MzJaFw0xMTA0MjIyMzI2MzJaMA4xDDAKBgNVBAMTA0NpZDBMMA0GCSqGSIb3DQEBAQUAAzsAMDgCMQDUUxlF5xKN+8KCSsR83sN+SRwJmZdliXsnBB7PU0OgbmOWN0u8yehRkmu39kN9tzcCAwEAATANBgkqhkiG9w0BAQUFAAMxAJ3UScNqRcjHFrNu4nuwRldZLJlVJvRYXp982V4/kYodQEGN4gJ+Qyj+HTsaXy5x/w==",
+ },
+ ];
+
+ for (let badCase of badCases) {
+ testBad(badCase);
+ }
+ for (let goodCase of goodCases) {
+ testGood(goodCase);
+ }
+}
diff --git a/security/manager/ssl/tests/unit/test_content_signing.js b/security/manager/ssl/tests/unit/test_content_signing.js
new file mode 100644
index 0000000000..7e96ea2df6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing.js
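Review bot: `badCases` in `run_test` goes from "not base64" straight to base64 of arbitrary text, so no input that is almost a certificate is exercised, for example one of the `goodCases` blobs with its tail cut off or with extra bytes appended after the DER. Those are the inputs where a lenient decoder would differ from a strict one, and the test would not notice a regression there. Consider adding, after `goodCases` is defined, something like `testBad({ input: goodCases[0].cert.slice(0, -8), result: /NS_ERROR/ });`; the exact error code is an assumption to confirm against the implementation. A one-line comment above `goodCases` such as `// Parse-only fixtures: success here says nothing about validity or trust.` would also help, since `testGood` checks only `commonName`.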
@@ -0,0 +1,431 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// These tests ensure content signatures are working correctly. + +const TEST_DATA_DIR = "test_content_signing/"; + +const ONECRL_NAME = "oneCRL-signer.mozilla.org"; +const ABOUT_NEWTAB_NAME = "remotenewtab.content-signature.mozilla.org"; +var VERIFICATION_HISTOGRAM = Services.telemetry.getHistogramById( + "CONTENT_SIGNATURE_VERIFICATION_STATUS" +); +var ERROR_HISTOGRAM = Services.telemetry.getKeyedHistogramById( + "CONTENT_SIGNATURE_VERIFICATION_ERRORS" +); + +function getSignatureVerifier() { + return Cc["@mozilla.org/security/contentsignatureverifier;1"].getService( + Ci.nsIContentSignatureVerifier + ); +} + +function getCertHash(name) { + let cert = constructCertFromFile(`test_content_signing/${name}.pem`); + return cert.sha256Fingerprint.replace(/:/g, ""); +} + +function loadChain(prefix, names) { + let chain = []; + for (let name of names) { + let filename = `${prefix}_${name}.pem`; + chain.push(readFile(do_get_file(filename))); + } + return chain; +} + +function check_telemetry(expected_index, expected, expectedId) { + for (let i = 0; i < 10; i++) { + let expected_value = 0; + if (i == expected_index) { + expected_value = expected; + } + let errorSnapshot = ERROR_HISTOGRAM.snapshot(); + for (let k in errorSnapshot) { + // We clear the histogram every time so there should be only this one + // category. 
+ equal(k, expectedId); + equal(errorSnapshot[k].values[i] || 0, expected_value); + } + equal( + VERIFICATION_HISTOGRAM.snapshot().values[i] || 0, + expected_value, + "count " + + i + + ": " + + VERIFICATION_HISTOGRAM.snapshot().values[i] + + " expected " + + expected_value + ); + } + VERIFICATION_HISTOGRAM.clear(); + ERROR_HISTOGRAM.clear(); +} + +add_task(async function run_test() { + // set up some data + const DATA = readFile(do_get_file(TEST_DATA_DIR + "test.txt")); + const GOOD_SIGNATURE = + "p384ecdsa=" + + readFile(do_get_file(TEST_DATA_DIR + "test.txt.signature")).trim(); + + const BAD_SIGNATURE = + "p384ecdsa=WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2r" + + "UWM4GJke4pE8ecHiXoi-7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1G" + + "q25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L"; + + let remoteNewTabChain = loadChain(TEST_DATA_DIR + "content_signing", [ + "remote_newtab_ee", + "int", + ]); + + let oneCRLChain = loadChain(TEST_DATA_DIR + "content_signing", [ + "onecrl_ee", + "int", + ]); + + let oneCRLBadKeyChain = loadChain(TEST_DATA_DIR + "content_signing", [ + "onecrl_wrong_key_ee", + "int", + ]); + + let noSANChain = loadChain(TEST_DATA_DIR + "content_signing", [ + "onecrl_no_SAN_ee", + "int", + ]); + + let expiredOneCRLChain = loadChain(TEST_DATA_DIR + "content_signing", [ + "onecrl_ee_expired", + "int", + ]); + + let notValidYetOneCRLChain = loadChain(TEST_DATA_DIR + "content_signing", [ + "onecrl_ee_not_valid_yet", + "int", + ]); + + // Check signature verification works without throwing when using the wrong + // root + VERIFICATION_HISTOGRAM.clear(); + let chain1 = oneCRLChain.join("\n"); + let verifier = getSignatureVerifier(); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chain1, + ONECRL_NAME, + Ci.nsIContentSignatureVerifier.ContentSignatureProdRoot + )), + "using the wrong root, signatures should fail to verify but not throw." + ); + // Check for generic chain building error. 
+ check_telemetry(6, 1, getCertHash("content_signing_onecrl_ee")); + + // Check good signatures from good certificates with the correct SAN + ok( + await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chain1, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + ), + "A OneCRL signature should verify with the OneCRL chain" + ); + let chain2 = remoteNewTabChain.join("\n"); + ok( + await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chain2, + ABOUT_NEWTAB_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + ), + "A newtab signature should verify with the newtab chain" + ); + // Check for valid signature + check_telemetry(0, 2, getCertHash("content_signing_remote_newtab_ee")); + + // Check a bad signature when a good chain is provided + chain1 = oneCRLChain.join("\n"); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + BAD_SIGNATURE, + chain1, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A bad signature should not verify" + ); + // Check for invalid signature + check_telemetry(1, 1, getCertHash("content_signing_onecrl_ee")); + + // Check a good signature from cert with good SAN but a different key than the + // one used to create the signature + let badKeyChain = oneCRLBadKeyChain.join("\n"); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + badKeyChain, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A signature should not verify if the signing key is wrong" + ); + // Check for wrong key in cert. 
+ check_telemetry(9, 1, getCertHash("content_signing_onecrl_wrong_key_ee")); + + // Check a good signature from cert with good SAN but a different key than the + // one used to create the signature (this time, an RSA key) + let rsaKeyChain = oneCRLBadKeyChain.join("\n"); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + rsaKeyChain, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A signature should not verify if the signing key is wrong (RSA)" + ); + // Check for wrong key in cert. + check_telemetry(9, 1, getCertHash("content_signing_onecrl_wrong_key_ee")); + + // Check a good signature from cert with good SAN but with no path to root + let missingInt = [oneCRLChain[0], oneCRLChain[2]].join("\n"); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + missingInt, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A signature should not verify if the chain is incomplete (missing int)" + ); + // Check for generic chain building error. + check_telemetry(6, 1, getCertHash("content_signing_onecrl_ee")); + + // Check good signatures from good certificates with the wrong SANs + chain1 = oneCRLChain.join("\n"); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chain1, + ABOUT_NEWTAB_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A OneCRL signature should not verify if we require the newtab SAN" + ); + // Check for invalid EE cert. + check_telemetry(7, 1, getCertHash("content_signing_onecrl_ee")); + + chain2 = remoteNewTabChain.join("\n"); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chain2, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A newtab signature should not verify if we require the OneCRL SAN" + ); + // Check for invalid EE cert. 
+ check_telemetry(7, 1, getCertHash("content_signing_remote_newtab_ee")); + + // Check good signatures with good chains with some other invalid names + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chain1, + "", + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A signature should not verify if the SANs do not match an empty name" + ); + // Check for invalid EE cert. + check_telemetry(7, 1, getCertHash("content_signing_onecrl_ee")); + + // Test expired certificate. + let chainExpired = expiredOneCRLChain.join("\n"); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chainExpired, + "", + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A signature should not verify if the signing certificate is expired" + ); + // Check for expired cert. + check_telemetry(4, 1, getCertHash("content_signing_onecrl_ee_expired")); + + // Test not valid yet certificate. + let chainNotValidYet = notValidYetOneCRLChain.join("\n"); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chainNotValidYet, + "", + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A signature should not verify if the signing certificate is not valid yet" + ); + // Check for not yet valid cert. + check_telemetry(5, 1, getCertHash("content_signing_onecrl_ee_not_valid_yet")); + + let relatedName = "subdomain." 
+ ONECRL_NAME; + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chain1, + relatedName, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A signature should not verify if the SANs do not match a related name" + ); + + let randomName = + "\xb1\x9bU\x1c\xae\xaa3\x19H\xdb\xed\xa1\xa1\xe0\x81\xfb" + + "\xb2\x8f\x1cP\xe5\x8b\x9c\xc2s\xd3\x1f\x8e\xbbN"; + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chain1, + randomName, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A signature should not verify if the SANs do not match a random name" + ); + + // check good signatures with chains that have strange or missing SANs + chain1 = noSANChain.join("\n"); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + chain1, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A signature should not verify if the SANs do not match a supplied name" + ); + + // Check malformed signature data + chain1 = oneCRLChain.join("\n"); + let bad_signatures = [ + // wrong length + "p384ecdsa=WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2rUWM4GJke4pE8ecHiXoi-" + + "7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1Gq25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L==", + // incorrectly encoded + "p384ecdsa='WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2rUWM4GJke4pE8ecHiXoi" + + "-7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1Gq25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L=", + // missing directive + "other_directive=WqRXFQ7tnlVufpg7A-ZavXvWd2Zln0o4woHBy26C2rUWM4GJke4pE8ec" + + "HiXoi-7KnZXty6Pe3s4o3yAIyKDP9jUC52Ek1Gq25j_X703nP5rk5gM1qz5Fe-qCWakPPl6L", + // actually sha256 with RSA + "p384ecdsa=XS_jiQsS5qlzQyUKaA1nAnQn_OvxhvDfKybflB8Xe5gNH1wNmPGK1qN-jpeTfK" + + "6ob3l3gCTXrsMnOXMeht0kPP3wLfVgXbuuO135pQnsv0c-ltRMWLe56Cm4S4Z6E7WWKLPWaj" + + "jhAcG5dZxjffP9g7tuPP4lTUJztyc4d1z_zQZakEG7R0vN7P5_CaX9MiMzP4R7nC3H4Ba6yi" + + "yjlGvsZwJ_C5zDQzWWs95czUbMzbDScEZ_7AWnidw91jZn-fUK3xLb6m-Zb_b4GAqZ-vnXIf" + + "LpLB1Nzal42BQZn7i4rhAldYdcVvy7rOMlsTUb5Zz6vpVW9LCT9lMJ7Sq1xbU-0g==", + ]; + for (let 
badSig of bad_signatures) { + await Assert.rejects( + verifier.asyncVerifyContentSignature( + DATA, + badSig, + chain1, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + ), + /NS_ERROR/, + `Bad or malformed signature "${badSig}" should be rejected` + ); + } + + // Check malformed and missing certificate chain data + let chainSuffix = [oneCRLChain[1], oneCRLChain[2]].join("\n"); + let badChains = [ + // no data + "", + // completely wrong data + "blah blah \n blah", + ]; + + let badSections = [ + // data that looks like PEM but isn't + "-----BEGIN CERTIFICATE-----\nBSsPRlYp5+gaFMRIczwUzaioRfteCjr94xyz0g==\n", + // data that will start to parse but won't base64decode + "-----BEGIN CERTIFICATE-----\nnon-base64-stuff\n-----END CERTIFICATE-----", + // data with garbage outside of PEM sections + "this data is garbage\n-----BEGIN CERTIFICATE-----\nnon-base64-stuff\n" + + "-----END CERTIFICATE-----", + ]; + + for (let badSection of badSections) { + // ensure we test each bad section on its own... + badChains.push(badSection); + // ... 
and as part of a chain with good certificates + badChains.push(badSection + "\n" + chainSuffix); + } + + for (let badChain of badChains) { + await Assert.rejects( + verifier.asyncVerifyContentSignature( + DATA, + GOOD_SIGNATURE, + badChain, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + ), + /NS_ERROR/, + `Bad chain data starting "${badChain.substring(0, 80)}" ` + + "should be rejected" + ); + } + + ok( + !(await verifier.asyncVerifyContentSignature( + DATA + "appended data", + GOOD_SIGNATURE, + chain1, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A good signature should not verify if the data is tampered with (append)" + ); + ok( + !(await verifier.asyncVerifyContentSignature( + "prefixed data" + DATA, + GOOD_SIGNATURE, + chain1, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A good signature should not verify if the data is tampered with (prefix)" + ); + ok( + !(await verifier.asyncVerifyContentSignature( + DATA.replace(/e/g, "i"), + GOOD_SIGNATURE, + chain1, + ONECRL_NAME, + Ci.nsIX509CertDB.AppXPCShellRoot + )), + "A good signature should not verify if the data is tampered with (modify)" + ); +}); diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem new file mode 100644 index 0000000000..d615eccf22 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIUNZb51bNpKyzQtWTCj5zrdME7cKYwDQYJKoZIhvcNAQEL +BQAwKTEnMCUGA1UEAwweeHBjc2hlbGwgc2lnbmVkIGFwcHMgdGVzdCByb290MCIY +DzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMBExDzANBgNVBAMMBmlu +dC1DQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u +togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6 +pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL +KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq +fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv +Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za +GAo17Y0CAwEAAaMlMCMwDAYDVR0TBAUwAwEB/zATBgNVHSUEDDAKBggrBgEFBQcD +AzANBgkqhkiG9w0BAQsFAAOCAQEAefvKJnF/4qRY9sf/jYCPhWyngBx6JhWFJKiy +IUHmejn9q/LUX3nskHXA4gAt+KF9hfk9Nx5naL5DaYOkvETawdrSw55Hvphi4MB2 +yHManuj+yplqr8rtDh8Tb2Wm/AeiBqKMTa4AFN9xPbKOrUAVgU+VsXlEIUmOzEI+ +E0HeeIoPCCa6vWPpwhKb4LUlVupe3toJHVbFSp2KcD4gCRsgK60lyqZBosAG8Sat +Vk7XLPv152/jl7j+pYqnlwabF/LEyVSqegVvvr481kgX8RyEjiPx2wNYYqUF3CPG +SE2lDXWy629KUGwTH9rUpayMqbfL5bQ9fSGA5vE9pT7vlbBaRg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem.certspec new file mode 100644 index 0000000000..fc9dfd47ae --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_int.pem.certspec @@ -0,0 +1,4 @@ +issuer:xpcshell signed apps test root +subject:int-CA +extension:basicConstraints:cA, +extension:extKeyUsage:codeSigning diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem new file mode 100644 index 0000000000..041fa0ebc1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIUfVErdg1uvVM/D2oapMLb9gSeabswDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMBExDzANBgNVBAMMBmVlLVJTQTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaM9MDswEwYDVR0lBAww +CgYIKwYBBQUHAwMwJAYDVR0RBB0wG4IZb25lQ1JMLXNpZ25lci5tb3ppbGxhLm9y +ZzANBgkqhkiG9w0BAQsFAAOCAQEAOLPmVQpsFu7rL6Tc6TUQdS1/wnBDZeO3Q8uq +x7FSm7tyvrMwCx2pGGJATWIdH33amhRDe3fH5IB7dvFiQx0qDewROnE900ooOQCu +dsjKDzYurpGmlpYsBHtdFz8tEVgN2CUzfFLRTrJK0wAio5OqbyuZQwb8QBl/HMyk +aqG33hm/1t8gR7NLn4c03XtaK/xbBGC07aCijsWTj09UB5wgtB12p9Wt7IWrkh2B +9omSirPYgCWaD0wWJP1d1PlheeNeOYweNbEncjQlH+ukYjMzzZ3IVm7zFN1kit/W +M7enx5fdED/84092ZzuDheLYKaA63ysJhQvCCzOovWr0PuOnLg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem.certspec new file mode 100644 index 0000000000..7b2a02bdaf --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_RSA_ee.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-CA +subject:ee-RSA +extension:extKeyUsage:codeSigning +extension:subjectAlternativeName:oneCRL-signer.mozilla.org diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem new file mode 100644 index 0000000000..6f15597b6a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICPzCCASegAwIBAgIUSRecknZ3alfumVeo6yV/3O5nvrswDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE +oWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXbYI4lLeS3Ey2ozpjoMVNOapwMCwnI +1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2pcQO+KIjP8ALwWvcaH93Mg3SqbqnO +oz0wOzATBgNVHSUEDDAKBggrBgEFBQcDAzAkBgNVHREEHTAbghlvbmVDUkwtc2ln +bmVyLm1vemlsbGEub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQBElZXLzQGRPdygDJ33 +2LuNJiDU8lFXdDulPXcZAQjVXo5gy9XQfMtbTLzf07dpPuQntzJNbGuS4ypboEal +ixi2jYZHy/Q3CCxFk8jWi18auKES+uRF6qI3PK9RsXXxm7Xt0vk9akYwmmnuAJl9 +eYTCNZ0VaXANvv5GjuFczMHF08XTW1j2x81s0epmblgagcaMIcaq5nKSNuFt/2j/ +hXtGzNfI1njHIT8X6Fp4QeGqQiSlW90WVPoDPxfUHh8VvE/9Y0fnnHcDwGICb7LH +on1mz76mcXNwOgA+dBmHKS/5t7/PBT/F7+UuORfYdoFKrnc7npVYhQmH06ENKHMS +9Bmv +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem.certspec new file mode 100644 index 0000000000..ab22807b9e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:int-CA +subject:ee +subjectKey:secp384r1 +extension:extKeyUsage:codeSigning +extension:subjectAlternativeName:oneCRL-signer.mozilla.org diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem new file mode 100644 index 0000000000..ef22669f4d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICTjCCATagAwIBAgIUOQNrYQz01j0SirgoHMLKbtGL9RowDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMTMwMTAxMDAwMDAwWhgPMjAxNDAx +MDEwMDAwMDBaMBwxGjAYBgNVBAMMEWVlLWludC1DQS1leHBpcmVkMHYwEAYHKoZI +zj0CAQYFK4EEACIDYgAEoWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXbYI4lLeS3 +Ey2ozpjoMVNOapwMCwnI1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2pcQO+KIjP +8ALwWvcaH93Mg3SqbqnOoz0wOzATBgNVHSUEDDAKBggrBgEFBQcDAzAkBgNVHREE +HTAbghlvbmVDUkwtc2lnbmVyLm1vemlsbGEub3JnMA0GCSqGSIb3DQEBCwUAA4IB +AQBZJPo4llgMe5588+BnRLnFguspIiwMWmTeqCfi8VQBx/tUwRiTizbU7J2Yh9bo +yZEPKfPSP2o8J0eSUgvXdVOxU1fNRuocsVfXUlveq5x10ddjXBT9X4AY1mtR7HJw +hl/7269N8b4itfrfvZmCBToJayjv0I2N84bqjpOnXJ/iB5YVdk8oZIJDXWi4SR3B +E9IejwA1fikpt++RjpJSZ1BSNU7FfiyGGUonxHDoP/29znaOJnpAqaH5LVJCRkfN +H12vePBbunZd+ay5r+mMJPaXR+V2sY8OaOfcrPSHQLa8Eb/EEhBuITMKkOucohjx +zqvM6S2iOI9GbwHClybEHRO7 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem.certspec new file mode 100644 index 0000000000..48fd9c8cc7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_expired.pem.certspec @@ -0,0 +1,6 @@ +issuer:int-CA +subject:ee-int-CA-expired +subjectKey:secp384r1 +validity:20130101-20140101 +extension:extKeyUsage:codeSigning +extension:subjectAlternativeName:oneCRL-signer.mozilla.org diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem new file mode 100644 index 0000000000..6cf5c6a312 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICVDCCATygAwIBAgIUbV+rBAfhGRv/bU22A92xneoAy3owDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwNTAwMTAxMDAwMDAwWhgPMjA1MTAx +MDEwMDAwMDBaMCIxIDAeBgNVBAMMF2VlLWludC1DQS1ub3QteWV0LXZhbGlkMHYw +EAYHKoZIzj0CAQYFK4EEACIDYgAEoWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXb +YI4lLeS3Ey2ozpjoMVNOapwMCwnI1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2p +cQO+KIjP8ALwWvcaH93Mg3SqbqnOoz0wOzATBgNVHSUEDDAKBggrBgEFBQcDAzAk +BgNVHREEHTAbghlvbmVDUkwtc2lnbmVyLm1vemlsbGEub3JnMA0GCSqGSIb3DQEB +CwUAA4IBAQAjXmLNn2kLa/FzNp7F3PqcSXuAO2jT31Y2g4pZnVqCDfMqplsl2ZFn +oam3wyQnepm3q9DD4BOAW9JFYR3wqnl9cBRNHlSGyjGM4qBpuSD6WxAz7EdFcRO6 +fcA50245fAuB45UJeYJ58QvIBv7AwoBGnqAI7ZDN3eIGopZIL56jiH7vO9WyQPWj +XZAWrXTG68rEf0RxXRtjUv9coFiuInT8+oyXB3NwK2EbaI5IeR+x3qIDEgNKk+t+ +PlE3NrtaAiK19p0s9RtQQilBKNmo+5irrUq/OD2H1aurDaAXpLTM5vLUpfyN3/qD +HzuZujaUIeMsRiXsIRDNql1S+nq4oNRy +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem.certspec new file mode 100644 index 0000000000..b2926dfc42 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_ee_not_valid_yet.pem.certspec @@ -0,0 +1,6 @@ +issuer:int-CA +subject:ee-int-CA-not-yet-valid +subjectKey:secp384r1 +validity:20500101-20510101 +extension:extKeyUsage:codeSigning +extension:subjectAlternativeName:oneCRL-signer.mozilla.org diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem new file mode 100644 index 0000000000..6c35f2f377 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem 
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICIDCCAQigAwIBAgIUI9ZQ+lOT4QPSefKaSaGvSm4BzikwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMBQxEjAQBgNVBAMMCWVlLW5vLVNBTjB2MBAGByqGSM49AgEGBSuB +BAAiA2IABKFockM2K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMtqM6Y6DFT +TmqcDAsJyNY5regyBuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC8Fr3Gh/d +zIN0qm6pzqMXMBUwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQAD +ggEBABwtpcPoXa4bLLw8WCuLPMPm7RiWrj7ifWqeyNoQO+xIxIefZhFTxhs6yM0Y +H+B2jSzrCmfslRaX0eZPQ3BOPPI0CCo4eZOlq7oNaltXCLP3NwPodLfxd8pGlOIK +xpRB/+iyXu5bKHfG1v4XJ+g+yXPh8p0ykVJeH/hc/+kAhq4vey+0PB/KjIcpAsGo +S7Yvbal7pSr0CQCxDB4mTWJeE1/FeTQpeFiIiCtvkEyLD+igxRlP5lbLOd6Lt5Oh +BSJ6TnUdMajalOku3BufB5j4ynDBGNi9h935ZCOKWu3qgbFlIE1qZIJS+u7+2PTN +vIlU3orErRSmuAlusdo6Z9YtxbQ= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem.certspec new file mode 100644 index 0000000000..4a9b9a3ceb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_no_SAN_ee.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-CA +subject:ee-no-SAN +subjectKey:secp384r1 +extension:extKeyUsage:codeSigning diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem new file mode 100644 index 0000000000..d76f4501cb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem 
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICLDCCARSgAwIBAgIUV+E6VhJoKZrnCV22wV/aVW9aglwwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMBcxFTATBgNVBAMMDGVlLXdyb25nLWtleTBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABE+/u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnS +M0VsNsQRnQcG4A7tyNGTkNeZG3stB6ME6qBKpsCjPTA7MBMGA1UdJQQMMAoGCCsG +AQUFBwMDMCQGA1UdEQQdMBuCGW9uZUNSTC1zaWduZXIubW96aWxsYS5vcmcwDQYJ +KoZIhvcNAQELBQADggEBAFOgIZXl0sf1hEH0H5fqGPshlMemqjhFZKPBgLlWl+3W +wSIcuBPw5GSDkoQOdAxE/iIsLfZoC0PfYdee+twANQ13MMbwP0NmR78qJKLPOO4b +yWRiQFaIU6fTleU7wSD6tcDtIsKAfTDNF6EiC3czw3XuOiNh4r7A2EJ3GyGuUq7d +YgpwA5I2s3VjG/2lhRKP06UH/YGCpBTio23NUyzS2NINPhTnrLjyY2IWIp9EiXXj +d6QRQ8ytp6wU/rI3HAueWOWEQ6dDWR5hfe0Y/QDB0n9hEBgf+lUOtuqpTs/ZK0eM +HPC6swGdKVnJ1DCcfyzMsDIvGZKUyj8v6E2E7x8AdLk= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem.certspec new file mode 100644 index 0000000000..fbc8e603f4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_onecrl_wrong_key_ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:int-CA +subject:ee-wrong-key +subjectKey:secp256r1 +extension:extKeyUsage:codeSigning +extension:subjectAlternativeName:oneCRL-signer.mozilla.org diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem new file mode 100644 index 0000000000..b2e7d3cdbb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUDCCATigAwIBAgIUd9FOUg8KGZnunc6wzwp+21rSdVswDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGaW50LUNBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMA0xCzAJBgNVBAMMAmVlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE +oWhyQzYrXHsYifN5FUYVocc/tI3uhj4CKRXbYI4lLeS3Ey2ozpjoMVNOapwMCwnI +1jmt6DIG5bqBNHOhH6Mw4F2oyW5Dg/4nhz2pcQO+KIjP8ALwWvcaH93Mg3SqbqnO +o04wTDATBgNVHSUEDDAKBggrBgEFBQcDAzA1BgNVHREELjAsgipyZW1vdGVuZXd0 +YWIuY29udGVudC1zaWduYXR1cmUubW96aWxsYS5vcmcwDQYJKoZIhvcNAQELBQAD +ggEBAJvuDgm64Fca8XKLPxCSaANEFXIQy3I0lvPqmRRFtkP8cNpgjaRQTNNwyRPL +eI6VZv9IfecgjMNMcSbrdUPSmETA5M0kzH0lVBPsgzcv1EO6FFS+B9uwip52nKot +HsWYhDIVKYFYLrFcBHS0qSaoPWUpRZ+igI0uBgzmSIBuZYLDbe0xcXzZmpdPnGYt +pjRmTuNtJ8R/Qvbp37aTpN279AwhOP/uF+x3HdPgI4M1pQKjZ/Oxk9JHIeSafjG5 +58D1rGivjWYq6Yl1vwzBWwlPJvDAgADWCQR4wWjlXc0Hzn/393QRs3rvbkCFWZfi +1GMOoGuxmHzb7VL+1Kf4igjHXcQ= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem.certspec b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem.certspec new file mode 100644 index 0000000000..81e1eefe1d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/content_signing_remote_newtab_ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:int-CA +subject:ee +subjectKey:secp384r1 +extension:extKeyUsage:codeSigning +extension:subjectAlternativeName:remotenewtab.content-signature.mozilla.org diff --git a/security/manager/ssl/tests/unit/test_content_signing/pysign.py b/security/manager/ssl/tests/unit/test_content_signing/pysign.py new file mode 100644 index 0000000000..23c6128aa2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_content_signing/pysign.py 
@@ -0,0 +1,36 @@
+#!/usr/bin/env python
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"""
+Create an ECDSA signature on the P-384 curve using the SHA-384 hash of data from
+stdin. The key used for the signature is the secp384r1Encoded key used in pykey
+and pycert.
+
+The certificates for the content signature tests make use of this program.
+You can use pysign.py like this:
+
+cat test.txt | python pysign.py > test.txt.signature
+"""
+
+import base64
+import binascii
+import hashlib
+import pathlib
+import six
+import sys
+
+import ecdsa
+
+# For pykey, find the relative file location and add it to path
+toolsDir = (pathlib.Path(__file__).parents[4] / "tools").resolve()
+sys.path.append(str(toolsDir))
+import pykey
+
+data = sys.stdin.buffer.read()
+
+key = pykey.ECCKey("secp384r1")
+sig = key.signRaw(b"Content-Signature:\00" + data, pykey.HASH_SHA384)
+print(str(base64.b64encode(sig)).replace("+", "-").replace("/", "_"))
diff --git a/security/manager/ssl/tests/unit/test_content_signing/test.txt b/security/manager/ssl/tests/unit/test_content_signing/test.txt
new file mode 100644
index 0000000000..2daac1cb00
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/test.txt
@@ -0,0 +1 @@
+This is a test file to test content-signature verification with a PKI.
diff --git a/security/manager/ssl/tests/unit/test_content_signing/test.txt.signature b/security/manager/ssl/tests/unit/test_content_signing/test.txt.signature
new file mode 100644
index 0000000000..e613981473
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_content_signing/test.txt.signature
@@ -0,0 +1 @@
+hSvmvvA7_QLedDsjRJGBevqLwjPILx1EtWSPP4A0fepaWWPuuZRB8VfDT2j07bKDacRsbmJjmvg_R4CpKmnoWF8-2w5lSszlFFDqYSvQVQxpKhu-HMM_qquu_l0KecQ2
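Review bot: In pysign.py the final `print(str(base64.b64encode(sig))...)` stringifies a bytes object, so under Python 3 (which `sys.stdin.buffer.read()` implies) the output is wrapped as `b'...'`. The committed test.txt.signature has no such wrapper, so the documented `cat test.txt | python pysign.py > test.txt.signature` would not reproduce a fixture in that form. Emit the decoded text instead, `print(base64.urlsafe_b64encode(sig).decode("ascii"))`, which also replaces the two manual `.replace()` calls. Separately, `binascii`, `hashlib`, `six` and `ecdsa` appear unused in the script and could be dropped. The docstring already says the key is the one built into pykey, and a short comment that its output therefore authenticates nothing outside these tests would make that explicit.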
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/bad.stash b/security/manager/ssl/tests/unit/test_crlite_corrupted/bad.stash new file mode 100644 index 0000000000..7bde8641b9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/bad.stash @@ -0,0 +1 @@ +ÿÿÿÿ \ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/hash-alg-0.filter b/security/manager/ssl/tests/unit/test_crlite_corrupted/hash-alg-0.filter new file mode 100644 index 0000000000..f76dd238ad Binary files /dev/null and b/security/manager/ssl/tests/unit/test_crlite_corrupted/hash-alg-0.filter differ diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-issuer-id.enrollment b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-issuer-id.enrollment new file mode 100644 index 0000000000..119fd67098 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-issuer-id.enrollment @@ -0,0 +1,2 @@ + +  \ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-log-id.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-log-id.coverage new file mode 100644 index 0000000000..119fd67098 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-log-id.coverage @@ -0,0 +1,2 @@ + +  \ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-max-timestamp.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-max-timestamp.coverage new file mode 100644 index 0000000000..787a2bdfc7 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-max-timestamp.coverage differ 
diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-min-timestamp.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-min-timestamp.coverage new file mode 100644 index 0000000000..c76b47cac6 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_crlite_corrupted/trunc-min-timestamp.coverage differ diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.coverage b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.coverage new file mode 100644 index 0000000000..d08c818596 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.coverage differ diff --git a/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.enrollment b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.enrollment new file mode 100644 index 0000000000..3ef70ac188 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_crlite_corrupted/version-0.enrollment differ diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_missing.js b/security/manager/ssl/tests/unit/test_crlite_coverage_missing.js new file mode 100644 index 0000000000..2b71c3dfe2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_coverage_missing.js 
@@ -0,0 +1,17 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file is missing.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = undefined;
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_trunc1.js b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc1.js
new file mode 100644
index 0000000000..1782885964
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc1.js
@@ -0,0 +1,17 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file is truncated in a LogID field.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_corrupted/trunc-log-id.coverage");
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_trunc2.js b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc2.js
new file mode 100644
index 0000000000..0eed16bac3
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc2.js
@@ -0,0 +1,19 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file is truncated in a MinTimestamp field.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file(
+ "test_crlite_corrupted/trunc-min-timestamp.coverage"
+);
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_trunc3.js b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc3.js
new file mode 100644
index 0000000000..419a639b07
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_coverage_trunc3.js
@@ -0,0 +1,19 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file is truncated in a MaxTimestamp field.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file(
+ "test_crlite_corrupted/trunc-max-timestamp.coverage"
+);
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_coverage_version.js b/security/manager/ssl/tests/unit/test_crlite_coverage_version.js
new file mode 100644
index 0000000000..1764e5abaf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_coverage_version.js
@@ -0,0 +1,17 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted coverage file. Specifically, this handles the case
+// where the coverage file's version is not recognized.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_corrupted/version-0.coverage");
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_enrollment_trunc1.js b/security/manager/ssl/tests/unit/test_crlite_enrollment_trunc1.js
new file mode 100644
index 0000000000..5f259f28a2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_enrollment_trunc1.js
@@ -0,0 +1,19 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted enrollment file. Specifically, this handles the case
+// where the enrollment file is truncated in an issuer ID field.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_preexisting/crlite.coverage");
+let enrollment = do_get_file(
+ "test_crlite_corrupted/trunc-issuer-id.enrollment"
+);
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_enrollment_version.js b/security/manager/ssl/tests/unit/test_crlite_enrollment_version.js
new file mode 100644
index 0000000000..8c673a47d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_enrollment_version.js
@@ -0,0 +1,17 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted enrollment file. Specifically, this handles the case
+// where the enrollment file's version is not recognized.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_preexisting/crlite.coverage");
+let enrollment = do_get_file("test_crlite_corrupted/version-0.enrollment");
+let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_filter_corrupted.js b/security/manager/ssl/tests/unit/test_crlite_filter_corrupted.js
new file mode 100644
index 0000000000..cc947d287f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filter_corrupted.js
@@ -0,0 +1,21 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted filter file.
+//
+// There are many ways that a filter file could be corrupted, but the parsing
+// is done in rust-cascade, not cert_storage, so it is sufficient for us to
+// test any form of corruption here. For simplicity we just try to load a
+// single \x00 byte as the filter.
+
+"use strict";
+
+/* eslint-disable no-unused-vars */
+let coverage = do_get_file("test_crlite_preexisting/crlite.coverage");
+let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+let filter = do_get_file("test_crlite_corrupted/hash-alg-0.filter");
+
+load("./corrupted_crlite_helper.js");
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters.js b/security/manager/ssl/tests/unit/test_crlite_filters.js
new file mode 100644
index 0000000000..9e43f8928b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters.js
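Review bot: The header comment in test_crlite_filter_corrupted.js says the filter is "a single \x00 byte", but the fixture actually loaded is `test_crlite_corrupted/hash-alg-0.filter`, which this commit adds as a binary file, so a reader cannot confirm from the diff that the two are the same thing. If they are, name the file in the comment, e.g. `// hash-alg-0.filter holds that single \x00 byte.`, placed above the `let filter = do_get_file(...)` line. If the fixture ever grows beyond one byte, the comment should describe what it contains instead, since this test is what shows a corrupt filter leaves CRLite uninitialized.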
@@ -0,0 +1,880 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite filter downloading works correctly.
+
+// The file `test_crlite_filters/20201017-0-filter` can be regenerated using
+// the rust-create-cascade program from https://github.com/mozilla/crlite.
+//
+// The input to this program is a list of known serial numbers and a list of
+// revoked serial numbers. The lists are presented as directories of files in
+// which each file holds serials for one issuer. The file names are
+// urlsafe-base64 encoded SHA256 hashes of issuer SPKIs. The file contents are
+// ascii hex encoded serial numbers. The program crlite_key.py in this directory
+// can generate these values for you.
+//
+// The test filter was generated as follows:
+//
+// $ ./crlite_key.py test_crlite_filters/issuer.pem test_crlite_filters/valid.pem
+// 8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8=
+// 00da4f392bfd8bcea8
+//
+// $ ./crlite_key.py test_crlite_filters/issuer.pem test_crlite_filters/revoked.pem
+// 8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8=
+// 2d35ca6503fb1ba3
+//
+// $ mkdir known revoked
+// $ echo "00da4f392bfd8bcea8" > known/8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8\=
+// $ echo "2d35ca6503fb1ba3" >> known/8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8\=
+// $ echo "2d35ca6503fb1ba3" > revoked/8Rw90Ej3Ttt8RRkrg-WYDS9n7IS03bk5bjP_UXPtaY8\=
+//
+// $ rust-create-cascade --known ./known/ --revoked ./revoked/
+//
+
+"use strict";
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+const { RemoteSecuritySettings } = ChromeUtils.import(
+ "resource://gre/modules/psm/RemoteSecuritySettings.jsm"
+);
+const { TestUtils } = ChromeUtils.importESModule(
+ "resource://testing-common/TestUtils.sys.mjs"
+);
+
+const { CRLiteFiltersClient } = RemoteSecuritySettings.init();
+
+const CRLITE_FILTERS_ENABLED_PREF =
+ "security.remote_settings.crlite_filters.enabled";
+const INTERMEDIATES_ENABLED_PREF =
+ "security.remote_settings.intermediates.enabled";
+const INTERMEDIATES_DL_PER_POLL_PREF =
+ "security.remote_settings.intermediates.downloads_per_poll";
+
+// crlite_enrollment_id.py test_crlite_filters/issuer.pem
+const ISSUER_PEM_UID = "UbH9/ZAnjuqf79Xhah1mFOWo6ZvgQCgsdheWfjvVUM8=";
+// crlite_enrollment_id.py test_crlite_filters/no-sct-issuer.pem
+const NO_SCT_ISSUER_PEM_UID = "Myn7EasO1QikOtNmo/UZdh6snCAw0BOY6wgU8OsUeeY=";
+
+function getHashCommon(aStr, useBase64) {
+ let hasher = Cc["@mozilla.org/security/hash;1"].createInstance(
+ Ci.nsICryptoHash
+ );
+ hasher.init(Ci.nsICryptoHash.SHA256);
+ let stringStream = Cc["@mozilla.org/io/string-input-stream;1"].createInstance(
+ Ci.nsIStringInputStream
+ );
+ stringStream.data = aStr;
+ hasher.updateFromStream(stringStream, -1);
+
+ return hasher.finish(useBase64);
+}
+
+// Get a hexified SHA-256 hash of the given string.
+function getHash(aStr) {
+ return hexify(getHashCommon(aStr, false));
+}
+
+// Get the name of the file in the test directory to serve as the attachment
+// for the given filter.
+function getFilenameForFilter(filter) {
+ if (filter.type == "full") {
+ return "20201017-0-filter";
+ }
+ if (filter.id == "0001") {
+ return "20201017-1-filter.stash";
+ }
+ // The addition of another stash file was written more than a month after
+ // other parts of this test. As such, the second stash file for October 17th,
+ // 2020 was not readily available. Since the structure of stash files don't
+ // depend on each other, though, any two stash files are compatible, and so
+ // this stash from December 1st is used instead.
+ return "20201201-3-filter.stash";
+}
+
+/**
+ * Simulate a Remote Settings synchronization by filling up the local data with
+ * fake records.
+ *
+ * @param {*} filters List of filters for which we will create records.
+ * @param {boolean} clear Whether or not to clear the local DB first. Defaults
+ * to true.
+ */
+async function syncAndDownload(filters, clear = true) {
+ const localDB = await CRLiteFiltersClient.client.db;
+ if (clear) {
+ await localDB.clear();
+ }
+
+ for (let filter of filters) {
+ const filename = getFilenameForFilter(filter);
+ const file = do_get_file(`test_crlite_filters/${filename}`);
+ const fileBytes = readFile(file);
+
+ const record = {
+ details: {
+ name: `${filter.timestamp}-${filter.type}`,
+ },
+ attachment: {
+ hash: getHash(fileBytes),
+ size: fileBytes.length,
+ filename,
+ location: `security-state-workspace/cert-revocations/test_crlite_filters/${filename}`,
+ mimetype: "application/octet-stream",
+ },
+ incremental: filter.type == "diff",
+ effectiveTimestamp: new Date(filter.timestamp).getTime(),
+ parent: filter.type == "diff" ? filter.parent : undefined,
+ id: filter.id,
+ coverage: filter.type == "full" ? filter.coverage : undefined,
+ enrolledIssuers:
+ filter.type == "full" ? filter.enrolledIssuers : undefined,
+ };
+
+ await localDB.create(record);
+ }
+ // This promise will wait for the end of downloading.
+ let promise = TestUtils.topicObserved(
+ "remote-security-settings:crlite-filters-downloaded"
+ );
+ // Simulate polling for changes, trigger the download of attachments.
+ Services.obs.notifyObservers(null, "remote-settings:changes-poll-end");
+ let results = await promise;
+ return results[1]; // topicObserved gives back a 2-array
+}
+
+add_task(async function test_crlite_filters_disabled() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, false);
+
+ let result = await syncAndDownload([
+ {
+ timestamp: "2019-01-01T00:00:00Z",
+ type: "full",
+ id: "0000",
+ coverage: [
+ {
+ logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+ minTimestamp: 0,
+ maxTimestamp: 9999999999999,
+ },
+ ],
+ },
+ ]);
+ equal(result, "disabled", "CRLite filter download should not have run");
+});
+
+add_task(async function test_crlite_no_filters() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([]);
+ equal(
+ result,
+ "unavailable",
+ "CRLite filter download should have run, but nothing was available"
+ );
+});
+
+add_task(async function test_crlite_only_incremental_filters() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ {
+ timestamp: "2019-01-01T06:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ {
+ timestamp: "2019-01-01T18:00:00Z",
+ type: "diff",
+ id: "0002",
+ parent: "0001",
+ },
+ {
+ timestamp: "2019-01-01T12:00:00Z",
+ type: "diff",
+ id: "0003",
+ parent: "0002",
+ },
+ ]);
+ equal(
+ result,
+ "unavailable",
+ "CRLite filter download should have run, but no full filters were available"
+ );
+});
+
+add_task(async function test_crlite_incremental_filters_with_wrong_parent() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+ {
+ timestamp: "2019-01-01T06:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ {
+ timestamp: "2019-01-01T12:00:00Z",
+ type: "diff",
+ id: "0003",
+ parent: "0002",
+ },
+ {
+ timestamp: "2019-01-01T18:00:00Z",
+ type: "diff",
+ id: "0004",
+ parent: "0003",
+ },
+ ]);
+ let [status, filters] = result.split(";");
+ equal(status, "finished", "CRLite filter download should have run");
+ let filtersSplit = filters.split(",");
+ deepEqual(
+ filtersSplit,
+ ["2019-01-01T00:00:00Z-full", "2019-01-01T06:00:00Z-diff"],
+ "Should have downloaded the expected CRLite filters"
+ );
+});
+
+add_task(async function test_crlite_incremental_filter_too_early() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ { timestamp: "2019-01-02T00:00:00Z", type: "full", id: "0000" },
+ {
+ timestamp: "2019-01-01T00:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ ]);
+ equal(
+ result,
+ "finished;2019-01-02T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+});
+
+add_task(async function test_crlite_filters_basic() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+ ]);
+ equal(
+ result,
+ "finished;2019-01-01T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+});
+
+add_task(async function test_crlite_filters_not_cached() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+ let filters = [
+ { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+ ];
+ let result = await syncAndDownload(filters);
+ equal(
+ result,
+ "finished;2019-01-01T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+
+ let records = await CRLiteFiltersClient.client.db.list();
+
+ // `syncAndDownload` should not cache the attachment, so this download should
+ // get the attachment from the source.
+ let attachment = await CRLiteFiltersClient.client.attachments.download(
+ records[0]
+ );
+ equal(attachment._source, "remote_match");
+ await CRLiteFiltersClient.client.attachments.deleteDownloaded(records[0]);
+});
+
+add_task(async function test_crlite_filters_full_and_incremental() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ // These are deliberately listed out of order.
+ {
+ timestamp: "2019-01-01T06:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+ {
+ timestamp: "2019-01-01T18:00:00Z",
+ type: "diff",
+ id: "0003",
+ parent: "0002",
+ },
+ {
+ timestamp: "2019-01-01T12:00:00Z",
+ type: "diff",
+ id: "0002",
+ parent: "0001",
+ },
+ ]);
+ let [status, filters] = result.split(";");
+ equal(status, "finished", "CRLite filter download should have run");
+ let filtersSplit = filters.split(",");
+ deepEqual(
+ filtersSplit,
+ [
+ "2019-01-01T00:00:00Z-full",
+ "2019-01-01T06:00:00Z-diff",
+ "2019-01-01T12:00:00Z-diff",
+ "2019-01-01T18:00:00Z-diff",
+ ],
+ "Should have downloaded the expected CRLite filters"
+ );
+});
+
+add_task(async function test_crlite_filters_multiple_days() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ // These are deliberately listed out of order.
+ {
+ timestamp: "2019-01-02T06:00:00Z",
+ type: "diff",
+ id: "0011",
+ parent: "0010",
+ },
+ {
+ timestamp: "2019-01-03T12:00:00Z",
+ type: "diff",
+ id: "0022",
+ parent: "0021",
+ },
+ {
+ timestamp: "2019-01-02T12:00:00Z",
+ type: "diff",
+ id: "0012",
+ parent: "0011",
+ },
+ {
+ timestamp: "2019-01-03T18:00:00Z",
+ type: "diff",
+ id: "0023",
+ parent: "0022",
+ },
+ {
+ timestamp: "2019-01-02T18:00:00Z",
+ type: "diff",
+ id: "0013",
+ parent: "0012",
+ },
+ { timestamp: "2019-01-02T00:00:00Z", type: "full", id: "0010" },
+ { timestamp: "2019-01-03T00:00:00Z", type: "full", id: "0020" },
+ {
+ timestamp: "2019-01-01T06:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ {
+ timestamp: "2019-01-01T18:00:00Z",
+ type: "diff",
+ id: "0003",
+ parent: "0002",
+ },
+ {
+ timestamp: "2019-01-01T12:00:00Z",
+ type: "diff",
+ id: "0002",
+ parent: "0001",
+ },
+ { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
+ {
+ timestamp: "2019-01-03T06:00:00Z",
+ type: "diff",
+ id: "0021",
+ parent: "0020",
+ },
+ ]);
+ let [status, filters] = result.split(";");
+ equal(status, "finished", "CRLite filter download should have run");
+ let filtersSplit = filters.split(",");
+ deepEqual(
+ filtersSplit,
+ [
+ "2019-01-03T00:00:00Z-full",
+ "2019-01-03T06:00:00Z-diff",
+ "2019-01-03T12:00:00Z-diff",
+ "2019-01-03T18:00:00Z-diff",
+ ],
+ "Should have downloaded the expected CRLite filters"
+ );
+});
+
+add_task(async function test_crlite_confirm_revocations_mode() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeConfirmRevocationsValue
+ );
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ addCertFromFile(certdb, "test_crlite_filters/issuer.pem", ",,");
+ addCertFromFile(certdb, "test_crlite_filters/no-sct-issuer.pem", ",,");
+
+ let result = await syncAndDownload([
+ {
+ timestamp: "2020-10-17T00:00:00Z",
+ type: "full",
+ id: "0000",
+ coverage: [
+ {
+ logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+ minTimestamp: 0,
+ maxTimestamp: 9999999999999,
+ },
+ {
+ logID: "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=",
+ minTimestamp: 0,
+ maxTimestamp: 9999999999999,
+ },
+ ],
+ enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID],
+ },
+ ]);
+ equal(
+ result,
+ "finished;2020-10-17T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+
+ // The CRLite result should be enforced for this certificate and
+ // OCSP should not be consulted.
+ let validCert = constructCertFromFile("test_crlite_filters/valid.pem");
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ undefined,
+ "vpn.worldofspeed.org",
+ 0
+ );
+
+ // OCSP should be consulted for this certificate, but OCSP is disabled by
+ // Ci.nsIX509CertDB.FLAG_LOCAL_ONLY so this will be treated as a soft-failure
+ // and the CRLite result will be used.
+ let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ undefined,
+ "us-datarecovery.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+
+ // Reload the filter w/o coverage and enrollment metadata.
+ result = await syncAndDownload([
+ {
+ timestamp: "2020-10-17T00:00:00Z",
+ type: "full",
+ id: "0000",
+ coverage: [],
+ enrolledIssuers: [],
+ },
+ ]);
+ equal(
+ result,
+ "finished;2020-10-17T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+
+ // OCSP will be consulted for the revoked certificate, but a soft-failure
+ // should now result in a Success return.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ undefined,
+ "us-datarecovery.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+});
+
+add_task(async function test_crlite_filters_and_check_revocation() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeEnforcePrefValue
+ );
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ addCertFromFile(certdb, "test_crlite_filters/issuer.pem", ",,");
+ addCertFromFile(certdb, "test_crlite_filters/no-sct-issuer.pem", ",,");
+
+ let result = await syncAndDownload([
+ {
+ timestamp: "2020-10-17T00:00:00Z",
+ type: "full",
+ id: "0000",
+ coverage: [
+ {
+ logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+ minTimestamp: 0,
+ maxTimestamp: 9999999999999,
+ },
+ {
+ logID: "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=",
+ minTimestamp: 0,
+ maxTimestamp: 9999999999999,
+ },
+ ],
+ enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID],
+ },
+ ]);
+ equal(
+ result,
+ "finished;2020-10-17T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+
+ let validCert = constructCertFromFile("test_crlite_filters/valid.pem");
+ // NB: by not specifying Ci.nsIX509CertDB.FLAG_LOCAL_ONLY, this tests that
+ // the implementation does not fall back to OCSP fetching, because if it
+ // did, the implementation would attempt to connect to a server outside the
+ // test infrastructure, which would result in a crash in the test
+ // environment, which would be treated as a test failure.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "vpn.worldofspeed.org",
+ 0
+ );
+
+ let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "us-datarecovery.com",
+ 0
+ );
+
+ // Before any stashes are downloaded, this should verify successfully.
+ let revokedInStashCert = constructCertFromFile(
+ "test_crlite_filters/revoked-in-stash.pem"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStashCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "stokedmoto.com",
+ 0
+ );
+
+ result = await syncAndDownload(
+ [
+ {
+ timestamp: "2020-10-17T03:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ ],
+ false
+ );
+ equal(
+ result,
+ "finished;2020-10-17T03:00:00Z-diff",
+ "Should have downloaded the expected CRLite filters"
+ );
+
+ // After downloading the first stash, this should be revoked.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStashCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "stokedmoto.com",
+ 0
+ );
+
+ // Before downloading the second stash, this should not be revoked.
+ let revokedInStash2Cert = constructCertFromFile(
+ "test_crlite_filters/revoked-in-stash-2.pem"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStash2Cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "icsreps.com",
+ 0
+ );
+
+ result = await syncAndDownload(
+ [
+ {
+ timestamp: "2020-10-17T06:00:00Z",
+ type: "diff",
+ id: "0002",
+ parent: "0001",
+ },
+ ],
+ false
+ );
+ equal(
+ result,
+ "finished;2020-10-17T06:00:00Z-diff",
+ "Should have downloaded the expected CRLite filters"
+ );
+
+ // After downloading the second stash, this should be revoked.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStash2Cert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "icsreps.com",
+ 0
+ );
+
+ // The other certificates should still get the same results as they did before.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "vpn.worldofspeed.org",
+ 0
+ );
+
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "us-datarecovery.com",
+ 0
+ );
+
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStashCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "stokedmoto.com",
+ 0
+ );
+
+ // This certificate has no embedded SCTs, so it is not guaranteed to be in
+ // CT, so CRLite can't be guaranteed to give the correct answer, so it is
+ // not consulted, and the implementation falls back to OCSP. Since the real
+ // OCSP responder can't be reached, this results in a
+ // SEC_ERROR_OCSP_SERVER_ERROR.
+ let noSCTCert = constructCertFromFile("test_crlite_filters/no-sct.pem");
+ // NB: this will cause an OCSP request to be sent to localhost:80, but
+ // since an OCSP responder shouldn't be running on that port, this should
+ // fail safely.
+ Services.prefs.setCharPref("network.dns.localDomains", "ocsp.digicert.com");
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ await checkCertErrorGenericAtTime(
+ certdb,
+ noSCTCert,
+ SEC_ERROR_OCSP_SERVER_ERROR,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "mail233.messagelabs.com",
+ 0
+ );
+ Services.prefs.clearUserPref("network.dns.localDomains");
+ Services.prefs.clearUserPref("security.OCSP.require");
+ Services.prefs.clearUserPref("security.OCSP.enabled");
+
+ // The revoked certificate example has one SCT from the log with ID "9ly...="
+ // at time 1598140096613 and another from the log with ID "XNx...=" at time
+ // 1598140096917. The filter we construct here fails to cover it by one
+ // millisecond in each case. The implementation will fall back to OCSP
+ // fetching. Since this would result in a crash and test failure, the
+ // Ci.nsIX509CertDB.FLAG_LOCAL_ONLY is used.
+ result = await syncAndDownload([
+ {
+ timestamp: "2020-10-17T00:00:00Z",
+ type: "full",
+ id: "0000",
+ coverage: [
+ {
+ logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+ minTimestamp: 0,
+ maxTimestamp: 1598140096612,
+ },
+ {
+ logID: "XNxDkv7mq0VEsV6a1FbmEDf71fpH3KFzlLJe5vbHDso=",
+ minTimestamp: 1598140096917,
+ maxTimestamp: 9999999999999,
+ },
+ ],
+ enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID],
+ },
+ ]);
+ equal(
+ result,
+ "finished;2020-10-17T00:00:00Z-full",
+ "CRLite filter download should have run"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "us-datarecovery.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+});
+
+add_task(async function test_crlite_filters_avoid_reprocessing_filters() {
+ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+ let result = await syncAndDownload([
+ {
+ timestamp: "2019-01-01T00:00:00Z",
+ type: "full",
+ id: "0000",
+ coverage: [
+ {
+ logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
+ minTimestamp: 0,
+ maxTimestamp: 9999999999999,
+ },
+ ],
+ enrolledIssuers: [ISSUER_PEM_UID, NO_SCT_ISSUER_PEM_UID],
+ },
+ {
+ timestamp: "2019-01-01T06:00:00Z",
+ type: "diff",
+ id: "0001",
+ parent: "0000",
+ },
+ {
+ timestamp: "2019-01-01T12:00:00Z",
+ type: "diff",
+ id: "0002",
+ parent: "0001",
+ },
+ {
+ timestamp: "2019-01-01T18:00:00Z",
+ type: "diff",
+ id: "0003",
+ parent: "0002",
+ },
+ ]);
+ let [status, filters] = result.split(";");
+ equal(status, "finished", "CRLite filter download should have run");
+ let filtersSplit = filters.split(",");
+ deepEqual(
+ filtersSplit,
+ [
+ "2019-01-01T00:00:00Z-full",
+ "2019-01-01T06:00:00Z-diff",
+ "2019-01-01T12:00:00Z-diff",
+ "2019-01-01T18:00:00Z-diff",
+ ],
+ "Should have downloaded the expected CRLite filters"
+ );
+ // This simulates another poll without clearing the database first. The
+ // filter and stashes should not be re-downloaded.
+ result = await syncAndDownload([], false);
+ equal(result, "finished;");
+
+ // If a new stash is added, only it should be downloaded.
+ result = await syncAndDownload(
+ [
+ {
+ timestamp: "2019-01-02T00:00:00Z",
+ type: "diff",
+ id: "0004",
+ parent: "0003",
+ },
+ ],
+ false
+ );
+ equal(result, "finished;2019-01-02T00:00:00Z-diff");
+});
+
+let server;
+
+function run_test() {
+ server = new HttpServer();
+ server.start(-1);
+ registerCleanupFunction(() => server.stop(() => {}));
+
+ server.registerDirectory(
+ "/cdn/security-state-workspace/cert-revocations/",
+ do_get_file(".")
+ );
+
+ server.registerPathHandler("/v1/", (request, response) => {
+ response.write(
+ JSON.stringify({
+ capabilities: {
+ attachments: {
+ base_url: `http://localhost:${server.identity.primaryPort}/cdn/`,
+ },
+ },
+ })
+ );
+ response.setHeader("Content-Type", "application/json; charset=UTF-8");
+ response.setStatusLine(null, 200, "OK");
+ });
+
+ Services.prefs.setCharPref(
+ "services.settings.server",
+ `http://localhost:${server.identity.primaryPort}/v1`
+ );
+
+ // Set intermediate preloading to download 0 intermediates at a time.
+ Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 0);
+
+ Services.prefs.setCharPref("browser.policies.loglevel", "debug");
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/20201017-0-filter b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-0-filter
new file mode 100644
index 0000000000..151cac41a9
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-0-filter differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/20201017-1-filter.stash b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-1-filter.stash
new file mode 100644
index 0000000000..d43193a78c
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_crlite_filters/20201017-1-filter.stash differ
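Review bot: The last coverage check in `test_crlite_filters_and_check_revocation` does not match its own comment for the second log: the comment puts that SCT at 1598140096917 and says the filter misses it "by one millisecond in each case", but the entry for log `XNxDkv7mq0VEsV6a1FbmEDf71fpH3KFzlLJe5vbHDso=` uses `minTimestamp: 1598140096917`, which equals the SCT time rather than sitting one past it. By the numbers shown, the expected `PRErrorCodeSuccess` only holds if the lower bound is exclusive or coverage is rejected for some other reason, and nothing in this file says which. This boundary decides whether a CRLite revocation answer is trusted at all, so the test should pin it unambiguously. I would either use `minTimestamp: 1598140096918` so both entries miss from the outside, or keep the value and add `// minTimestamp is exclusive: an SCT at exactly this time is not covered` once that is confirmed against the coverage code.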
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/20201201-3-filter.stash b/security/manager/ssl/tests/unit/test_crlite_filters/20201201-3-filter.stash
new file mode 100644
index 0000000000..52c9ee8d51
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_crlite_filters/20201201-3-filter.stash differ
diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/issuer.pem b/security/manager/ssl/tests/unit/test_crlite_filters/issuer.pem
new file mode 100644
index 0000000000..ead19e3c14
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/issuer.pem
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx +EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT +EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp +ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3 +MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH +EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE +CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD +EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD +BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv +K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e +cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY +pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n +eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB +AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV +HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv +9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v +b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n +b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG +CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv +MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz +91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2 +RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi +DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11 +GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x +LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/no-sct-issuer.pem b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct-issuer.pem new file mode 100644 index 0000000000..70b86dfd71 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct-issuer.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD +QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT +MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg +U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83 +nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd +KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f +/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX +kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0 +/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C +AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY +aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6 +Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1 +oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD +QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v +d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh +xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB +CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl +5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA +8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC +2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit +c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0 +j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/no-sct.pem b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct.pem new file mode 100644 index 0000000000..a690a0ad0d --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_crlite_filters/no-sct.pem 
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFpDCCBIygAwIBAgIQDVHBpbd6yyk2LgPoPr9QyjANBgkqhkiG9w0BAQsFADBN +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E +aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTkxMTE4MDAwMDAwWhcN +MjExMTE4MTIwMDAwWjCBlDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju +aWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxHTAbBgNVBAoTFFN5bWFudGVjIENv +cnBvcmF0aW9uMRcwFQYDVQQLEw5TeW1hbnRlYy5jbG91ZDEgMB4GA1UEAxMXbWFp +bDIzMy5tZXNzYWdlbGFicy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCyM1Fy9hAlahRqqeEnPKDWgUmsxofivWEWKNeSMEKcnXX3TCQOGbLQTthN +xfNU7IWY8ViTPwQ8JBWWDxNhd6dTYLNnytKrNRG8qDQ3rFMKJY4p0dZImMp55X3W +1xcKMxSOkPv0YUCGp7qlAHq6+N3YY1ILw6MRdJ75Njh4Kw8qe5F3rHLwD+AyYQmx +3WsMCRp5NZtWUcU5Vbc9ca/osrh9xBF7U3ZYR6GoPXQlizrNjXv7/BaKWWO5ChbD +iRI4Nj8d3HhWUHsJoGvYDof5Iudgtbubz3c5cwp6+VNNMas7izpvbixqW8zXdUug +8v5v47IkRNYnlma/zvv2IDC1dVlxAgMBAAGjggI2MIICMjAfBgNVHSMEGDAWgBQP +gGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQUZnBdWwGQjkPX/+A2ZEYdUdnw +lN8wfQYDVR0RBHYwdIIbY2x1c3RlcjguZXUubWVzc2FnZWxhYnMuY29tgh5jbHVz +dGVyOG91dC5ldS5tZXNzYWdlbGFicy5jb22CHGNsdXN0ZXI4YS5ldS5tZXNzYWdl +bGFicy5jb22CF21haWwyMzMubWVzc2FnZWxhYnMuY29tMA4GA1UdDwEB/wQEAwIF +oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYDVR0fBGQwYjAvoC2g +K4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwL6At +oCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLXNoYTItZzYuY3JsMEwG +A1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3 +LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMHwGCCsGAQUFBwEBBHAwbjAkBggr +BgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEYGCCsGAQUFBzAChjpo +dHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRTSEEyU2VjdXJlU2Vy +dmVyQ0EuY3J0MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAK7vS/qDcGKb +QYu26+jGtBemopT3+2YJjtALeR62eNhF9LoHu+mnmNLvPI0M0NMhz56Ss/6sUHOz +hJgB98SLAQ5ElSWXrnZThLIjsiH5X5MYTD0Y8MqzoJSi2Lf2Muy/UpyrD3wB14E1 +kUYhvUnaWDDPIN81DCFzEosBmnsRqr5zlcZSKs0e1LVQ8cNkt8svVkiwFgeOIhwo +QF22GJAZPtRceSGlbRTFBYKh+u3KN8eNS/X+C935y+F4J/grufDCzRSGtRRseTcd 
+1QW49+QME/rx1mBb7id4iXNKxvGuJTivBlxaHWBQLh/RGk39DSdHfjAhYvt2gmxh +C3gxXMNrymE= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/notcovered.pem b/security/manager/ssl/tests/unit/test_crlite_filters/notcovered.pem new file mode 100644 index 0000000000..bac70a76bc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_filters/notcovered.pem 
@@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE----- +MIIGpzCCBY+gAwIBAgIIfLPIa/Mc/f4wDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV +BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow +GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz +LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1 +cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjIwMTA2MDA1MTI5WhcN +MjMwMjA0MTUxNjQwWjAeMRwwGgYDVQQDExNwZWVrYWJvb3Bob25pY3MuY29tMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuCKkB+36Yd/mBwwlq/F+B2R/ +ibNdUncADG1+xCB21TB6H0UWR1Aj92ZsIKXwXIyhj02VT58y0Oh4eycsMtEi/lLq +KXhpWjRAMZaxjdyIrSJxpQVXC3v8Taej6PG2RewGMA3uXj+oWfl7t25JnEes1l2n +JOnDXs5w4K0aDD1+r7wqCgZA7evmmdK3WJMWD/GSeF2hYcXFgb5dM2TiSRBGkv/9 +jMAvOSuJO8/kxKHLtLfM4I3O0gugB5Uyxtn5a6+P4vOphozsYgHqnSapCV8eAEN2 +SWRhFpfwsbt6/Dw/k38F2A5axSF0n+IQ49ejtWjs+f/GNTloieTsDbcpKkDSEwID +AQABo4IDUDCCA0wwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI +KwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6 +Ly9jcmwuZ29kYWRkeS5jb20vZ2RpZzJzMS0zNzEwLmNybDBdBgNVHSAEVjBUMEgG +C2CGSAGG/W0BBxcBMDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMu +Z29kYWRkeS5jb20vcmVwb3NpdG9yeS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGow +aDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUF +BzAChjRodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv +Z2RpZzIuY3J0MB8GA1UdIwQYMBaAFEDCvSeOzDSDMKIz1/tss/C0LIDOMDcGA1Ud +EQQwMC6CE3BlZWthYm9vcGhvbmljcy5jb22CF3d3dy5wZWVrYWJvb3Bob25pY3Mu +Y29tMB0GA1UdDgQWBBRElZlefxDT9BFjvpeq7zP6TlVv+TCCAYEGCisGAQQB1nkC +BAIEggFxBIIBbQFrAHcA6D7Q2j71BjUy51covIlryQPTy9ERa+zraeF3fW0GvW4A +AAF+LN6rOQAABAMASDBGAiEAssjNEfjNFhpQmiFRCFZSr1zZk7ISWHqPIzoghyZ+ +UbgCIQDB6iKxtMkpx1I9P9uL40M93xynsb/3DVl1OX8pSO1n9gB3ADXPGRu/sWxX +vw+tTG1Cy7u2JyAmUeo/4SrvqAPDO9ZMAAABfizerPwAAAQDAEgwRgIhANUhPyqm +inLVPy1zUqikc64dwi0P/nvCoNtC1gO2cDHgAiEAjv1Gw04htq5OyTP3XYQTHsZW +h35omGu+WCS68t8LnIEAdwB6MoxU2LcttiDqOOBSHumEFnAyE4VNO9IrwTpXo1Lr +UgAAAX4s3q2BAAAEAwBIMEYCIQDqxot9iMPghZbHZSegX98g1o5dvSsG1azMv290 
+Cp+sBgIhALiMl5lj1A3nWkHTQKF9bF3ops5/ZxxJYE7XwBxlkZYYMA0GCSqGSIb3 +DQEBCwUAA4IBAQAOfIC7VLhn3oBYQKTzX4CN+249JN7l5tbSMqC2zjKRjOWOF3p/ +yNb2gk/v6EW0xN024E2yo8K4XF+QJMfzlwpsed1yuziYHIpjeiad7JGUs/57jdCo +EUQrvwkuIeR5CZrGcXKG8nlVM5SaNhmId8XixnJz7XfEWiCxszlRkXIZ4Uhpwz2D +XhQ8RE1DhwX3x6oO5y9Eu6o6+bz2Y14E0lL4hCng09UmrOFEUzVcO4bK8qsSp9oe +1NNPlMQ3SD6RlGBy+2O5Iy8Kj4BRv2US2stuDeZWSvxp6N2RwLGBnDTyT08VAFD5 +SkulqE2/r6AHWNMe649z1clhq14i1+kQjEq5 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash-2.pem b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash-2.pem new file mode 100644 index 0000000000..9550453493 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash-2.pem 
@@ -0,0 +1,36 @@ +-----BEGIN CERTIFICATE----- +MIIGNTCCBR2gAwIBAgIIFn0oGKdatdgwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV +BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow +GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz +LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1 +cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjAwOTI3MTE0MzI0WhcN +MjExMDI5MTE0MzI0WjA5MSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0 +ZWQxFDASBgNVBAMTC2ljc3JlcHMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAydMKPhCqRWjy5h1aPUNdRb80kt0hP/g55ytjlSF04PG+1CbIcId1 +GJg1qkbTR1vqZyvaI8wjv3zdfvsvYbka9OQFJiOasJfeqmiA+sDd9AvFiD2EF5zN +D9uKHi+sF8Ut4JMl7jqaRAu/gbjBvY/9ammkz4sUiTlp1x4rteda3tuX9O7yMO7U +ldnyfabHgGmmm8KU3nvRAjNbHCq3J/V/zw8YeolXU5OpOeZMhI8KAGKpxk8tRiIb +LkdSdCTWoKgXO60extYcGTxIT8c8zfY6OoN0VaQY8HA1VyBZQIw2RTWivmI8le0J +ypXYxNcUtInS0ivO4ymiNnCjYR9pgQ6+tQIDAQABo4ICwzCCAr8wDAYDVR0TAQH/ +BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQD +AgWgMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2Rp +ZzJzMS0yMzM0LmNybDBdBgNVHSAEVjBUMEgGC2CGSAGG/W0BBxcBMDkwNwYIKwYB +BQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9y +eS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0cDov +L29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUFBzAChjRodHRwOi8vY2VydGlmaWNh +dGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2RpZzIuY3J0MB8GA1UdIwQYMBaA +FEDCvSeOzDSDMKIz1/tss/C0LIDOMCcGA1UdEQQgMB6CC2ljc3JlcHMuY29tgg93 +d3cuaWNzcmVwcy5jb20wHQYDVR0OBBYEFEgqFQnM5zH3cKFGtFanJxxD9zdPMIIB +BAYKKwYBBAHWeQIEAgSB9QSB8gDwAHUA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98M +LyALzE7xZOMAAAF0z1/40gAABAMARjBEAiADSOnqg/I15y+dJDSWta8NzBwE6Xti +UzyBKMT2OYHCYwIgb1aFpZxlkhx6XCCuniBLTcr5JbhigoM/lAfUmvvUqrIAdwBc +3EOS/uarRUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAXTPX/oBAAAEAwBIMEYC +IQD6WvavTba+Lydf6uhaaxcRmhuuPeddzSmC8t4+tBLGGgIhANJPxhRl1pGYm6WX +ay9jPCM2SqtBraOJYncaV6k37zGYMA0GCSqGSIb3DQEBCwUAA4IBAQA0IknIoU51 +FCBqpksgo7zR9OJj5MoQmlsQbzSFppdRKgyHhk8rW6IrBi3yrtWjo3HxcwihZlJQ 
+2AbinRTNnHvBpiiiXXxR5u9yVly+9l3KfF/uHIGMnIqsahaKXNOy5h98uq4o4N0+ +YCGu9wSeDwtaCzdT+V447Fq63nmW629pjwin8FYCz2S8RdztranPZuOgwYqBNlWu +u3Mi9DWIV2hP6eFwMZh7BWgbvnhWiI37TE74YQ+3cEVaLxLHJH9jkBjsel+ZwVIo +9xeE6kGsh5+D0uHS5NWf9zu+fvW0iTgsB8J4VX5OihAa1v4FS4IaF3snkaMa0PCd +MJMOgY5VkZiw +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash.pem b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash.pem new file mode 100644 index 0000000000..1073159662 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_filters/revoked-in-stash.pem 
@@ -0,0 +1,36 @@ +-----BEGIN CERTIFICATE----- +MIIGPTCCBSWgAwIBAgIJAJeW47AXop8NMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD +VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa +MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0 +cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj +dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTIwMDgyMjIzMDI0NVoX +DTIxMDkyMTIxMTYxMVowPDEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh +dGVkMRcwFQYDVQQDEw5zdG9rZWRtb3RvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBANLX8D4Cin6x2bmoSdgnuw9O+tGcD1x1S++3110NJVXUlpSc +3uSUwqpU4rMOkJlRnuaBtHXYUFG8NMMnbTJYY9JuuhAlnHzVqoRWmcTNRp72fpDA +XoD3U20spJeGQZXuQnGfe/k9EouvXt5du029YqItkFbjdbub4FP5MbIz1CWeelEn +fEwpe/peLVYEfKSyYf325tFI9wZhuIM/zTe9DE6lauznM8hg1ioiBujxzeWWSstZ +K2uJKaI8nlWkSr6vwPqJEBvvoShcWHFEmG8SWqPBy1tsNsLNjJkaHfD7gvG/J1Rc +G21D0XO2IA0rEo6lo8MNEkWoHZA/oHO1eHrCjNkCAwEAAaOCAscwggLDMAwGA1Ud +EwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB +/wQEAwIFoDA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmdvZGFkZHkuY29t +L2dkaWcyczEtMjIzNy5jcmwwXQYDVR0gBFYwVDBIBgtghkgBhv1tAQcXATA5MDcG +CCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9z +aXRvcnkvMAgGBmeBDAECATB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0 +dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzBABggrBgEFBQcwAoY0aHR0cDovL2NlcnRp +ZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5L2dkaWcyLmNydDAfBgNVHSME +GDAWgBRAwr0njsw0gzCiM9f7bLPwtCyAzjAtBgNVHREEJjAkgg5zdG9rZWRtb3Rv +LmNvbYISd3d3LnN0b2tlZG1vdG8uY29tMB0GA1UdDgQWBBTP8YI0WwVBgvg5GABQ +fUksbk6evjCCAQIGCisGAQQB1nkCBAIEgfMEgfAA7gB1APZclC/RdzAiFFQYCDCU +Vo7jTRMZM7/fDC8gC8xO8WTjAAABdBhpJtAAAAQDAEYwRAIgcrebTXyuMk/ciVyg +LMbbd6qbkyB3yRAY1QnBs5sGK1ICIGw6EpH/NMXcOfYdkuSmhSYgUx0AIDdT9QWH +rRIT50D3AHUAXNxDkv7mq0VEsV6a1FbmEDf71fpH3KFzlLJe5vbHDsoAAAF0GGko +AwAABAMARjBEAiBtzQQHVVML3yZhZRsLLhJkYcc11nXeU/S/rouOZCCZQQIgVYKY +jgjCU5HQyY6R5PZQTsCQGWiaOm1VguAIgPbvKzYwDQYJKoZIhvcNAQELBQADggEB +AH6jCZU9+5TMaR5XThGL/z8EYQ1uFVN0hlXXB+gP3IDQLmyxkqrk9cOSf1D6fLRT 
+5T4tGzPLvmReBLfrzQEkuqkXpUieortbpi116V82K+zBDT5s9Dol6+MxhwIZyZ7K +DkHSbcFyiV9hkr2bf8JZzjvpCOfw9kYZTcYv8M8kheIOQsONdfe/rqNQnMRy56UZ +OGZmxqDT2RwbewHEMAEb5ZsZ55/UHq08vZSVSA8qIqX/BU+7frwwt4vmv4WQ7AoJ +YNml0TdV4R27NlnvhbAclucuqEMBcBg8gNylvKD3Mid7O4c5gCX5Wuml6rLpOr05 +vpJJqSf0uy73EtNcyTqfwUQ= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/revoked.pem b/security/manager/ssl/tests/unit/test_crlite_filters/revoked.pem new file mode 100644 index 0000000000..ece7360def --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_filters/revoked.pem 
@@ -0,0 +1,42 @@ +-----BEGIN CERTIFICATE----- +MIIHTjCCBjagAwIBAgIILTXKZQP7G6MwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV +BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow +GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz +LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1 +cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjAwODIyMjM0ODE1WhcN +MjEwMTE0MjEwMzAxWjBDMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0 +ZWQxHjAcBgNVBAMMFSoudXMtZGF0YXJlY292ZXJ5LmNvbTCCAiIwDQYJKoZIhvcN +AQEBBQADggIPADCCAgoCggIBAKzuSr8LaH2Aw/G1aKN4URo0RwaFv4+7MzM0RVTB +189BdE8rgNRfxskoAVfte+iftO7P5qjg+1Jx8SCE1ZCNT2TGtcYwlsjyNLnbP3xV +Cq514bODlwimOKLhpUFH1/ofO4/enbU8E4hlxS4DPtOGbsjouTiRHAOLsi7D+WT3 +3pZelFa5Hgmed5dL/CCJTiwbF10lbTXNwLgI7efUqiwvHRwf/CXEW9IvKJ9HG2We +tT9ouQGOHfz4fyGOMN268dHqP89K+auCcf9b3BzzWOsknhmDisl+06WaIJe/W7Dn ++eG07nAuJLhE6nH9KLYiU2X5CHnLPvBTOPDdm/hzH84hnHkX2pSbst4d1aNtU4uP +hyQcE5aMfnV7Yr1ZQUlLreCKzwIAb6BKqF/gHMASXUX7Fw5OFUHxV1xcPbcHQLs6 +D3XAoLBzopTR4YjxIDqhS3pkxHu5u9OEzFfaeP5zYnrj69Bke3lrdbrKV8aXIxHn +xh9xJV4zAaPoHe8ze03zvdBXfu69DU+TTQkRfzJSZx/sXV6BHe15WGSHZxe0i61z +wA1Oi7QgySMKIKSs6dsPOqppmePc3seMJy7y0FSxF1Kq6a1tR+W3j2WT9nY1c4Wb +4LWc+0gDK3nvibJbFqCfnPznq/Q+q0V6m9BqBNjvqyyWXbgzCVn7qcT4apiP47IV ++MiBAgMBAAGjggLSMIICzjAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUF +BwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwOAYDVR0fBDEwLzAtoCugKYYn +aHR0cDovL2NybC5nb2RhZGR5LmNvbS9nZGlnMnMxLTIyMzcuY3JsMF0GA1UdIARW +MFQwSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmlj +YXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzAIBgZngQwBAgEwdgYIKwYBBQUH +AQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYI +KwYBBQUHMAKGNGh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3Np +dG9yeS9nZGlnMi5jcnQwHwYDVR0jBBgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4w +NQYDVR0RBC4wLIIVKi51cy1kYXRhcmVjb3ZlcnkuY29tghN1cy1kYXRhcmVjb3Zl +cnkuY29tMB0GA1UdDgQWBBTooRcQfblnnD7pJFCZfGGcf4kD4jCCAQUGCisGAQQB +1nkCBAIEgfYEgfMA8QB3APZclC/RdzAiFFQYCDCUVo7jTRMZM7/fDC8gC8xO8WTj 
+AAABdBiSoGUAAAQDAEgwRgIhAI4Cd+FhKsWdUZkBugaburD9dzdlVHSxKq6oYNyI +vmIIAiEAwlmkvAiPb9nwDirqe7MZud5nu/lmq/Ip7M1xSKuraykAdgBc3EOS/uar +RUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAXQYkqGUAAAEAwBHMEUCIQCpYqq+ +Uc881tR+ikvsR97FRl6jBfxG50Sum+cdHEQkYQIgZJbGaeNoDS9+LAKI88NNRiCK +vtQZkwWigDYr+2dWguYwDQYJKoZIhvcNAQELBQADggEBAD+sj44+86AvdVUrAN9h +cU6kt4I6K1TM0KBmKg3rG8JEY7+Ec4Rztls3uviLR0ajH5tkQPwD7vRBVrLVDtQS +Ndt2StR38AXiBRWwewy/sPMz11YzOPLyHaTl4pJVfyzHJ+rPdWuFZLtpTras/MIK +IFnnbInlh5XtRhDCv6UEkAmGu5BeftA+9XxTuZlbwQlO5U1yg9Hqor9zANMqX9Ad +3omIZrPtBkTdVOwHRU8SoaS6XxQ9jxcmWRgNTVAhU1/J7Bgvg3CPSpcHyV78sXkS +D9bb1f4jdadaMKuJc0mTHBAxZenr3IFV8upf2FRTJnrCiS0jX8kKobN/+04Gbev6 +Tr0= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_crlite_filters/valid.pem b/security/manager/ssl/tests/unit/test_crlite_filters/valid.pem new file mode 100644 index 0000000000..6769ba3d37 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_filters/valid.pem 
@@ -0,0 +1,39 @@ +-----BEGIN CERTIFICATE----- +MIIGyTCCBbGgAwIBAgIJANpPOSv9i86oMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD +VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa +MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0 +cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj +dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE4MTAxNTE5NTQxNFoX +DTIwMTAyNDE4MzczOFowQjEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh +dGVkMR0wGwYDVQQDExR2cG4ud29ybGRvZnNwZWVkLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAKb1cjhtYv6yiyZa1feabWaSBOCmN0JuqXIMkX3r +4g+5heKAwPFlPFbZ3vZ3DQXiliV7jb5nhlx0O6nYG+MoGFmj6hEHDptCASAfdd3j +4tCxg0FlilXgrgMkJCg+SjW0npZ86jMkfc0WzufUyMjxv2pUUicPNXyWbaQr+PCq +zs6AsOkmuQ8RUUAqZ+Q0EJfQnjuhql7NCdByNui9S2LmrPcV6TAHHeTwKX733edv +zsNzaLNgE6TLGXSSRvsW/eZ/uNScPHLybE4wdxxCDwSYCPwaQq34csc3a8SUTWfS +4UkdbOn7j5sZPx7Jj0uUlm20ZDsj2FUi/0SXNvz5flFQbVsCAwEAAaOCA00wggNJ +MAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4G +A1UdDwEB/wQEAwIFoDA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3JsLmdvZGFk +ZHkuY29tL2dkaWcyczEtODc4LmNybDBdBgNVHSAEVjBUMEgGC2CGSAGG/W0BBxcB +MDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20v +cmVwb3NpdG9yeS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcw +AYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUFBzAChjRodHRwOi8v +Y2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2RpZzIuY3J0MB8G +A1UdIwQYMBaAFEDCvSeOzDSDMKIz1/tss/C0LIDOMDkGA1UdEQQyMDCCFHZwbi53 +b3JsZG9mc3BlZWQub3Jnghh3d3cudnBuLndvcmxkb2ZzcGVlZC5vcmcwHQYDVR0O +BBYEFGjmOgodY5yPX19UPVcACFpVExz1MIIBfQYKKwYBBAHWeQIEAgSCAW0EggFp +AWcAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWZ5SxEeAAAE +AwBHMEUCIEL5OLHwBpIALbEnLFQntFlGBe8Oko6U/arr15jU4sLDAiEA6uy8DEnh +PFLOxXDC3ZaeOlK2+cdx76IAr6M6As74ETEAdgDuS723dc5guuFCaR+r4Z5mow9+ +X7By2IMAxHuJeqj9ywAAAWZ5SxMzAAAEAwBHMEUCIFWIeePa6jdf6y9o/YYxoqWr +Je3j8W94e4f5bixaGPiyAiEA7aJRZI+aWCE/zz5DpvcyRgkIoSKS3+dKS2irf/mp +qx0AdQBep3P531bA57U2SH3QSeAyepGaDIShEhKEGHWWgXFFWAAAAWZ5SxPjAAAE 
+AwBGMEQCIEkYw6g/cIZBdOUh+ETwl2XX2S0Bv8iGGiaOKOoXqVK6AiAh3eqABfMc +9b/wLJZo186YgbzmbZB0N3y5TUJKK1oMYDANBgkqhkiG9w0BAQsFAAOCAQEAPEwx +d597oqiP9/TN8RDrZqhn4uLZ9K5mXOD93RorUN8T8O1kV0B4UcXM1CkU2zxv4a9S +tG3diHjmfJgcrhpa4i19sZD7+QpTU8j0e82JlsB3MpbtuaiBwqb979c5qNPixQlJ +kDs4DWf8kV+4B9/DWWLDKvs+FtL8ST8n+LfwstZqi2EyK+1ZyM0p9hkUAzrT/M2h +Ou1DYELbCt2HaKMHMPSlrkESG7Q9v9Ba23EXElG+oFXxgnPwk4n84rYG8lI8pPyA +clunJNqc2cISUTDMdgGctCFdSVGyEq+8VVG5Y6Od5LMwtOLKcv+VPi17+iGfxNt/ ++dAMbzGIlDuJELwn0g== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting.js b/security/manager/ssl/tests/unit/test_crlite_preexisting.js new file mode 100644 index 0000000000..c788a11b54 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_preexisting.js 
@@ -0,0 +1,208 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that starting a profile with a preexisting CRLite filter and stash
+// works correctly.
+
+"use strict";
+
+add_task(async function test_preexisting_crlite_data() {
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeEnforcePrefValue
+ );
+
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ // These need to be available to be able to find them during path building
+ // for certificate verification.
+ let issuerCert = constructCertFromFile("test_crlite_filters/issuer.pem");
+ ok(issuerCert, "issuer certificate should decode successfully");
+ let noSCTCertIssuer = constructCertFromFile(
+ "test_crlite_filters/no-sct-issuer.pem"
+ );
+ ok(
+ noSCTCertIssuer,
+ "issuer certificate for certificate without SCTs should decode successfully"
+ );
+
+ let validCert = constructCertFromFile("test_crlite_filters/valid.pem");
+ let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+
+ // We didn't load a data.bin file, so the filter is not considered fresh and
+ // we should get a "no filter" result. We later test that CRLite considers
+ // this cert to be revoked. So success here shows that CRLite is not
+ // consulted when the filter is stale.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "us-datarecovery.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+
+ // Add an empty stash to ensure the filter is considered to be fresh.
+ await new Promise(resolve => {
+ certStorage.addCRLiteStash(new Uint8Array([]), (rv, _) => {
+ Assert.equal(rv, Cr.NS_OK, "marked filter as fresh");
+ resolve();
+ });
+ });
+
+ // NB: by not specifying Ci.nsIX509CertDB.FLAG_LOCAL_ONLY, this tests that
+ // the implementation does not fall back to OCSP fetching, because if it
+ // did, the implementation would attempt to connect to a server outside the
+ // test infrastructure, which would result in a crash in the test
+ // environment, which would be treated as a test failure.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "vpn.worldofspeed.org",
+ 0
+ );
+
+ // NB: by not specifying Ci.nsIX509CertDB.FLAG_LOCAL_ONLY, this tests that
+ // the implementation does not fall back to OCSP fetching, because if it
+ // did, the implementation would attempt to connect to a server outside the
+ // test infrastructure, which would result in a crash in the test
+ // environment, which would be treated as a test failure.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ validCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "vpn.worldofspeed.org",
+ 0
+ );
+
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "us-datarecovery.com",
+ 0
+ );
+
+ let revokedInStashCert = constructCertFromFile(
+ "test_crlite_filters/revoked-in-stash.pem"
+ );
+ // The stash may not have loaded yet, so await a task that ensures the stash
+ // loading task has completed.
+ await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL,
+ (rv, _) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve();
+ }
+ );
+ });
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStashCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "stokedmoto.com",
+ 0
+ );
+
+ let revokedInStash2Cert = constructCertFromFile(
+ "test_crlite_filters/revoked-in-stash-2.pem"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedInStash2Cert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "icsreps.com",
+ 0
+ );
+
+ // This certificate has no embedded SCTs, so it is not guaranteed to be in
+ // CT, so CRLite can't be guaranteed to give the correct answer, so it is
+ // not consulted, and the implementation falls back to OCSP. Since the real
+ // OCSP responder can't be reached, this results in a
+ // SEC_ERROR_OCSP_SERVER_ERROR.
+ let noSCTCert = constructCertFromFile("test_crlite_filters/no-sct.pem");
+ // NB: this will cause an OCSP request to be sent to localhost:80, but
+ // since an OCSP responder shouldn't be running on that port, this should
+ // fail safely.
+ Services.prefs.setCharPref("network.dns.localDomains", "ocsp.digicert.com");
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ await checkCertErrorGenericAtTime(
+ certdb,
+ noSCTCert,
+ SEC_ERROR_OCSP_SERVER_ERROR,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ false,
+ "mail233.messagelabs.com",
+ 0
+ );
+ Services.prefs.clearUserPref("network.dns.localDomains");
+ Services.prefs.clearUserPref("security.OCSP.require");
+ Services.prefs.clearUserPref("security.OCSP.enabled");
+
+ let notCoveredCert = constructCertFromFile(
+ "test_crlite_filters/notcovered.pem"
+ );
+ await checkCertErrorGenericAtTime(
+ certdb,
+ notCoveredCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ new Date("2022-01-07T00:00:00Z").getTime() / 1000,
+ false,
+ "peekaboophonics.com",
+ Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
+ );
+});
+
+function run_test() {
+ let securityStateDirectory = do_get_profile();
+ securityStateDirectory.append("security_state");
+ // For simplicity, re-use the filter from test_crlite_filters.js.
+ let crilteFile = do_get_file("test_crlite_filters/20201017-0-filter");
+ crilteFile.copyTo(securityStateDirectory, "crlite.filter");
+ // This stash file and the following cert storage file were obtained by
+ // running just the task `test_crlite_filters_and_check_revocation` in
+ // test_crlite_filters.js, causing it to hang (by adding something like
+ // `add_test(() => {});`), and then copying the files from the temporary
+ // profile directory.
+ let stashFile = do_get_file("test_crlite_preexisting/crlite.stash"); + stashFile.copyTo(securityStateDirectory, "crlite.stash"); + let coverageFile = do_get_file("test_crlite_preexisting/crlite.coverage"); + coverageFile.copyTo(securityStateDirectory, "crlite.coverage"); + let enrollmentFile = do_get_file("test_crlite_preexisting/crlite.enrollment"); + enrollmentFile.copyTo(securityStateDirectory, "crlite.enrollment"); + let certStorageFile = do_get_file( + "test_crlite_preexisting/crlite.enrollment" + ); + certStorageFile.copyTo(securityStateDirectory, "crlite.enrollment"); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.coverage b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.coverage new file mode 100644 index 0000000000..2bd13319e5 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.coverage differ diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.enrollment b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.enrollment new file mode 100644 index 0000000000..7f34283ded --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.enrollment @@ -0,0 +1 @@ +3)û«Õ¤:Óf£õv¬œ 0ИëðëyæQ±ýý'ŽêŸïÕájfå¨é›à@(,v–~;ÕPÏ \ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.stash b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.stash new file mode 100644 index 0000000000..25bd87d8eb Binary files /dev/null and b/security/manager/ssl/tests/unit/test_crlite_preexisting/crlite.stash differ diff --git a/security/manager/ssl/tests/unit/test_crlite_stash_corrupted.js b/security/manager/ssl/tests/unit/test_crlite_stash_corrupted.js new file mode 100644 index 0000000000..707e2f400b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_crlite_stash_corrupted.js 
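Review bot: In `run_test()` the last two statements fetch `test_crlite_preexisting/crlite.enrollment` and copy it to `crlite.enrollment` a second time, so the "cert storage file" that the comment above `stashFile` says was captured from the temporary profile is never installed by this setup. If a separate cert-storage fixture was intended, `certStorageFile` should point at it (its name is not visible in this diff); otherwise the duplicate pair can be removed so the fixture list matches what the revocation checks actually depend on. The two `validCert` checks that follow the empty-stash step are also identical in comment and arguments, so the second adds no coverage. `crilteFile` looks like a typo for `crliteFile`.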
@@ -0,0 +1,91 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Tests that CRLite is left in the uninitialized state when the profile
+// contains a corrupted stash file.
+
+"use strict";
+
+add_task(async function test_crlite_stash_corrupted() {
+ let securityStateDirectory = do_get_profile();
+ securityStateDirectory.append("security_state");
+
+ Services.prefs.setIntPref(
+ "security.pki.crlite_mode",
+ CRLiteModeEnforcePrefValue
+ );
+
+ let coverage = do_get_file("test_crlite_preexisting/crlite.coverage");
+ coverage.copyTo(securityStateDirectory, "crlite.coverage");
+
+ let enrollment = do_get_file("test_crlite_preexisting/crlite.enrollment");
+ enrollment.copyTo(securityStateDirectory, "crlite.enrollment");
+
+ let filter = do_get_file("test_crlite_filters/20201017-0-filter");
+ filter.copyTo(securityStateDirectory, "crlite.filter");
+
+ let stash = do_get_file("test_crlite_corrupted/bad.stash");
+ stash.copyTo(securityStateDirectory, "crlite.stash");
+
+ let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+
+ // Add an empty stash to ensure the filter is considered to be fresh.
+ await new Promise(resolve => {
+ certStorage.addCRLiteStash(new Uint8Array([]), (rv, _) => {
+ Assert.equal(rv, Cr.NS_OK, "marked filter as fresh");
+ resolve();
+ });
+ });
+
+ // Await a task that ensures the stash loading task has completed.
+ await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL,
+ (rv, _) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve();
+ }
+ );
+ });
+
+ // This certificate is revoked according to `test_crlite_filters/20201017-0-filter`.
+ // Its issuer is enrolled according to `test_crlite_preexisting/crlite.enrollment`,
+ // and it is covered according to `test_crlite_preexisting/crlite.coverage`.
+ let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
+
+ // The issuer's certificate needs to be available for path building.
+ let issuerCert = constructCertFromFile("test_crlite_filters/issuer.pem");
+ ok(issuerCert, "issuer certificate should decode successfully");
+
+ // Loading the stash should not have caused any problems, and `revokedCert`
+ // should be marked as revoked.
+ await checkCertErrorGenericAtTime(
+ certdb,
+ revokedCert,
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ certificateUsageSSLServer,
+ new Date("2020-10-20T00:00:00Z").getTime() / 1000,
+ undefined,
+ "us-datarecovery.com",
+ 0
+ );
+
+ let hasFilter = await new Promise(resolve => {
+ certStorage.hasPriorData(
+ Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_FULL,
+ (rv, result) => {
+ Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
+ resolve(result);
+ }
+ );
+ });
+ Assert.equal(hasFilter, true, "CRLite should have a filter");
+});
diff --git a/security/manager/ssl/tests/unit/test_ct.js b/security/manager/ssl/tests/unit/test_ct.js
new file mode 100644
index 0000000000..1f436eb44d
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct.js
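Review bot: The header comment of test_crlite_stash_corrupted.js says CRLite "is left in the uninitialized state" when the stash is corrupted, but the test asserts the opposite: `revokedCert` must fail with `SEC_ERROR_REVOKED_CERTIFICATE` and `hasPriorData(DATA_TYPE_CRLITE_FILTER_FULL)` must report `true`. I would reword the header to match, for example `// Tests that a corrupted stash file in the profile does not stop the CRLite filter from loading and being enforced.` The test also does not pin what happens to revocations that exist only in the stash when `bad.stash` is (presumably) rejected; asserting the expected result for `test_crlite_filters/revoked-in-stash.pem` here would document whether that path fails open. Passing `undefined` as the sixth argument of `checkCertErrorGenericAtTime` differs from the `false` used in `test_crlite_preexisting.js` and is worth making consistent.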
@@ -0,0 +1,72 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+function expectCT(value) {
+ return securityInfo => {
+ Assert.equal(
+ securityInfo.certificateTransparencyStatus,
+ value,
+ "actual and expected CT status should match"
+ );
+ };
+}
+
+registerCleanupFunction(() => {
+ Services.prefs.clearUserPref("security.pki.certificate_transparency.mode");
+ let cert = constructCertFromFile("test_ct/ct-valid.example.com.pem");
+ setCertTrust(cert, ",,");
+});
+
+function run_test() {
+ Services.prefs.setIntPref("security.pki.certificate_transparency.mode", 1);
+ add_tls_server_setup("BadCertAndPinningServer", "test_ct");
+ // These certificates have a validity period of 800 days, which is a little
+ // over 2 years and 2 months. This gets rounded down to 2 years (since it's
+ // less than 2 years and 3 months). Our policy requires N + 1 embedded SCTs,
+ // where N is 2 in this case. So, a policy-compliant certificate would have at
+ // least 3 SCTs.
+ add_connection_test(
+ "ct-valid.example.com",
+ PRErrorCodeSuccess,
+ null,
+ expectCT(
+ Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT
+ )
+ );
+ // This certificate has only 2 embedded SCTs, and so is not policy-compliant.
+ add_connection_test(
+ "ct-insufficient-scts.example.com",
+ PRErrorCodeSuccess,
+ null,
+ expectCT(
+ Ci.nsITransportSecurityInfo
+ .CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS
+ )
+ );
+
+ // Test that if an end-entity is marked as a trust anchor, CT verification
+ // returns a "not enough SCTs" result.
+ add_test(() => {
+ let cert = constructCertFromFile("test_ct/ct-valid.example.com.pem");
+ setCertTrust(cert, "CTu,,");
+ clearSessionCache();
+ run_next_test();
+ });
+ add_connection_test(
+ "ct-valid.example.com",
+ PRErrorCodeSuccess,
+ null,
+ expectCT(
+ Ci.nsITransportSecurityInfo
+ .CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS
+ )
+ );
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem
new file mode 100644
index 0000000000..dc5ba854a8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEsjCCA5qgAwIBAgIUO1A7IKB0sCUgXosbjKr2+i1ynO0wDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjArMSkwJwYDVQQDDCBjdC1pbnN1ZmZpY2llbnQtc2N0cy5leGFt +cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAAaOCAeEwggHdMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20w +ggG/BgorBgEEAdZ5AgQCBIIBrwSCAasBqQB2ACq4MEQzuRTe0vMeQgfyUcF6N6CS +aFLZCAIG+F5XORYqAAABUfp73AAAAAQDAEcwRQIgXHVRnxMRUM1dit4go7wGMJH/ +snN1XzFk7P3LQoAKcOYCIQCukSzwRcH5LaZUGjQQswNOAf0giSm/7LC6Awq+EMMD +jAEvADEI9rbdchgH8BaVhE2FAla2cZNgg9u9OTSgUFJQGiiSAAABUfp73AAAAAQB +AQBfrqR5eXq3/2XT6FUWtKVv8DHpP6VnLw8rARRr3GJM8nd4SMk/ds+1nWLFT+Uu +CNm2wcVImCmumIi9zWoaWbh5xWpO2SN4KX85vZVhhsyPH27iR9M9PZ/OEblBJdIz +W/QFLBKRmFe06GyLq0LuW5aQun+tjGx//dm0LB4Sug1NixnEUYUhCt4uGdcEyohj +Hk95Gv89hAtiz2O6GS2fMzoe78IoN2d7XaCXNWTz4JkMCwTUwkxbpn76f/kGyD1K ++usjemQdVBOhZ8KE46+wZiI3BgqugHrmWY2xpr6oZxYbKzrVC3+BuKMI4sDDsX64 +pR88XkOqvluKcfxtTnVjhKmyMA0GCSqGSIb3DQEBCwUAA4IBAQAjm3TIr026oz6N +DZyj2+9PqoOYsngraVhZlogvwWK/GIkcNUGupczij7JdoCA5b4szCcaYqSC/gTMl +kp9YmrUzYjbI8OU7KIwPazx/3QZzZDmmUUvTlM5cfDhDPJX0MmwypzM+klmRJKh4 +2hyE6TiKmoARMLDSrHxLaU43Ph8Q9PDricAdUk+r87Xq/z2785l32XJUeXFFbM1A +ZrD059jjQX+oWucVxdql9+SM/ZnHC5gnZS+UOIYY9USu1FhSyX8OqwlrLzl0GeI1 +GLrgvHPBLYhbl6NtdVHxXrAy6ueL89wPZevBkAZ6G5GXDhtbrdLQuXIvluWyRfRu +PjrboP8a +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem.certspec b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem.certspec new file mode 100644 index 0000000000..c40f26d5d8 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_ct/ct-insufficient-scts.example.com.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:ct-insufficient-scts.example.com +extension:subjectAlternativeName:*.example.com +extension:embeddedSCTList:secp256r1:20160101,alternate:20160101 diff --git a/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem new file mode 100644 index 0000000000..539a558f4a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem 
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF1zCCBL+gAwIBAgIUVcPTyId6kLmdmBE+lvZPcEuHWWowDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAfMR0wGwYDVQQDDBRjdC12YWxpZC5leGFtcGxlLmNvbTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ +6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk +nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N +/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG +JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd +7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA +AaOCAxIwggMOMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5jb20wggLwBgorBgEEAdZ5 +AgQCBIIC4ASCAtwC2gEvAFQiJZjzPTZIBULa7ODmuU3hXA7ujFkUykjXXjxIToA/ +AAABUfp73AAAAAQBAQApU8txbrW74luVlVcqhBmSPgDDrO1DJwJD5Nh0AFi+IHUp +1HGttD5v4631GMKg6YQurbxBjIyf2XoIEcz0ItvcH6JAn5DQ+hnNVN38CFy2LKvQ +fZ5+YMmbQQICUZvNaknC5QDD04CmfcJBNtE6f2NOsw2ssUOEy37fnHIQNqb68YWG +HMJDHdhhN/PdPA55ew79w1Q8l5+ShU0sewGQkXMsWiNVPJwf/YZ9ZwglcVZMTU7S +w00EntzeShcDb8XVsCNvuw/7R10cW9XEnFxC+/aIZp/MnbagJctiKpuEioPpkJtz +UHa2G8j98u21W4ZRYpzUjuhtZMXg4WrAt2kMQtKEAHYAKrgwRDO5FN7S8x5CB/JR +wXo3oJJoUtkIAgb4Xlc5FioAAAFR+nvcAAAABAMARzBFAiBcdVGfExFQzV2K3iCj +vAYwkf+yc3VfMWTs/ctCgApw5gIhAKuTtYDsjlbPaI0qWB+4k+jdEMRWTLeoLyGe +0OFrQx5lAS8AMQj2tt1yGAfwFpWETYUCVrZxk2CD2705NKBQUlAaKJIAAAFR+nvc +AAAABAEBAEBwuP6rrIG0L8/cMl/TNSQBumJtza2IzHNGQ8Y1nrhzYebNwrcrm+gB +ur+EalPi7JucxOehxiiRvWNVhQ5gk1TG78GWnrWQMHCAiISGGNRru5MyIlu+VqY4 +dae1sKb9jiuQ1zm1PnZnpIfUxr2Q4oKVwkCMPl0m+ddbAaNBbuhfqdd8vCY9GeAf +tfRq3Zm7Zrwj3nqQduAMErRbZ3ief6vUGmJR4JY6pHfhf9xE65LpsPbWo2DSI5br +2jTojixZ6B6ECtHTvZWohypMbbb2tMEdVPCRRwuWar0mhfQ9w/EaDkd3smVfuxJp +hfFTN2pvqKHAMkQMj7Q1wOWZC1Y/cREwDQYJKoZIhvcNAQELBQADggEBAGeXrpKU +mMhXj+8NlmQFd5GoqUHEWIz6Ryz4esAznDDphASxRSnzzYzzRoti3M6Dk3QvHvUG +d/cU2pmhZBonKBeGbAkXIHkv1jGQfzr0/KrTPALl61RUFZ9xxp4UXGH8fJUtMIko +sg4YMvsMsgobX6PozctO+teNWG4fsOfSRJACFbqGzOEJh/lVA0VWDbABHOBoNRw4 
+m254+oECn39t4WAenTAbqueF3fKN18WvWNYiY2OIYyfolipg9/YnZwhGXOlPVIzQ +xpcKKBaRYWgmHRZlm5r34ywxYrG2MqkvK9D6eBB5EVGJQg2ClvgnO+GRbFjNG602 +sSp/9KiOM6Z4HiQ= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem.certspec b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem.certspec new file mode 100644 index 0000000000..0ecf46d89c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ct/ct-valid.example.com.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:ct-valid.example.com +extension:subjectAlternativeName:*.example.com +extension:embeddedSCTList:default:20160101,secp256r1:20160101,alternate:20160101 diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.key b/security/manager/ssl/tests/unit/test_ct/default-ee.key new file mode 100644 index 0000000000..09e044f5e0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ct/default-ee.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_ct/default-ee.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_ct/default-ee.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.pem b/security/manager/ssl/tests/unit/test_ct/default-ee.pem new file mode 100644 index 0000000000..5dc7cf4ef8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ct/default-ee.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDiTCCAnGgAwIBAgIUOYwND1zpte36abEsvdvudfnxjHgwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow +gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp +bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu +ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs +ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo +b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBr5H7lb24bMQYGDFY5qeMDNcti +AI4rI7Nu0aMvZtDcxqHkIg/a7nr7WeQc3gCg8mUJ6xvreXxRswrudZzjjsGiTbym +qjEz7HYrbvdWh5bLtdL7aoP1KmFD722guwdXVYQ7tx65oHroH+UCU28VT/+WzsHc +5OjBqZvR928aWEXwIen9lhdk/5Rq2IrFqCTuUrNR5aiP6gJZoy4nIh3IFIxqWzsm +lOjqvzSQIuo+gLN7oduafrwetpp8ywSrDVTtp9yckIHuW8css+OZLfqbFPMSFRJo +Qee+FhxaGgDoRGk8oVGYyTJYUPIReZa5dtNPKs1JQvdqhIeUwA3GnJBTFCan +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ct/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ct/default-ee.pem.certspec new file mode 100644 index 0000000000..554339ff52 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ct/default-ee.pem.certspec 
@@ -0,0 +1,4 @@ +issuer:Test CA +subject:Test End-entity +extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/test_ct/test-ca.pem b/security/manager/ssl/tests/unit/test_ct/test-ca.pem new file mode 100644 index 0000000000..67e7ca56e8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ct/test-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0zCCAbugAwIBAgIUP5NBbozOXrtwcuQwu3pzUXbOl7owDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjASMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME +BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEABBSMkSBFq/bK +LpntIx6QJdqPtmnjdjwTpCbQyKKfQjjrazCfru5SheZq7ACtQ0uWFokUOQhB+Xvv +sqy9HqJhK4UN0zfNPjtkHOSbNefWXOseEzA6XxuaCzQXWOp1WNNPnfdtYZizy6hT +fKuKjhniKLmIQD61KNl7Ev1hWUhWC7R8U+IFztXusYYFUUmqqaZ/v7lNfY1sHu4k +zHQFp+xqeaXvkoRpTXhoSdwDQ7ldquwqMM0NIQXlhtcmg7IYwZBGlJgzoejN4k2H +2WycvxPW70I10NeAAhtie1+K4JHwr6/SLLwCCnJDoRMMpMhM9/853Ye/4PTDGhuK +fqhEoHH9Ig== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ct/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_ct/test-ca.pem.certspec new file mode 100644 index 0000000000..5d2435d7bb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ct/test-ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Test CA +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign 
diff --git a/security/manager/ssl/tests/unit/test_db_format_pref_new.js b/security/manager/ssl/tests/unit/test_db_format_pref_new.js
new file mode 100644
index 0000000000..9921948927
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_db_format_pref_new.js
@@ -0,0 +1,30 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Tests that when PSM initializes, we create the sqlite-backed certificate and
+// key databases.
+
+function run_test() {
+ let profileDir = do_get_profile();
+ let certificateDBFile = profileDir.clone();
+ let certificateDBName = "cert9.db";
+ certificateDBFile.append(certificateDBName);
+ ok(
+ !certificateDBFile.exists(),
+ `${certificateDBName} should not exist beforehand`
+ );
+ let keyDBFile = profileDir.clone();
+ let keyDBName = "key4.db";
+ keyDBFile.append(keyDBName);
+ ok(!keyDBFile.exists(), `${keyDBName} should not exist beforehand`);
+ // This should start PSM.
+ Cc["@mozilla.org/psm;1"].getService(Ci.nsISupports);
+ ok(
+ certificateDBFile.exists(),
+ `${certificateDBName} should exist in the profile`
+ );
+ ok(keyDBFile.exists(), `${keyDBName} should exist in the profile`);
+}
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials.js b/security/manager/ssl/tests/unit/test_delegated_credentials.js
new file mode 100644
index 0000000000..a1623ddcb2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials.js
@@ -0,0 +1,91 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Tests handling of certificates marked as permitting delegated credentials
+
+function shouldBeDelegatedCredential(aTransportSecurityInfo) {
+ Assert.ok(
+ aTransportSecurityInfo.isDelegatedCredential,
+ "This host should have used a delegated credential"
+ );
+}
+
+function shouldNotBeDelegatedCredential(aTransportSecurityInfo) {
+ Assert.ok(
+ !aTransportSecurityInfo.isDelegatedCredential,
+ "This host should not have used a delegated credential"
+ );
+}
+
+do_get_profile();
+
+add_tls_server_setup(
+ "DelegatedCredentialsServer",
+ "test_delegated_credentials"
+);
+
+// Test:
+// Server certificate supports DC
+// Server DC support enabled
+// Client DC support disabled
+// Result: Successful connection without DC
+add_test(function() {
+ clearSessionCache();
+ Services.prefs.setBoolPref(
+ "security.tls.enable_delegated_credentials",
+ false
+ );
+ run_next_test();
+});
+add_connection_test(
+ "delegated-enabled.example.com",
+ PRErrorCodeSuccess,
+ null,
+ shouldNotBeDelegatedCredential
+);
+
+// Test:
+// Server certificate does not support DC
+// Server DC support enabled
+// Client DC support enabled
+// Result: SSL_ERROR_DC_INVALID_KEY_USAGE from client when
+// checking DC against EE cert, no DC in aTransportSecurityInfo.
+add_test(function() {
+ clearSessionCache();
+ Services.prefs.setBoolPref("security.tls.enable_delegated_credentials", true);
+ run_next_test();
+});
+add_connection_test(
+ "standard-enabled.example.com",
+ SSL_ERROR_DC_INVALID_KEY_USAGE,
+ null,
+ // We'll never |mHaveCipherSuiteAndProtocol|,
+ // and therefore can't check IsDelegatedCredential
+ null
+);
+
+// Test:
+// Server certificate supports DC
+// Server DC support disabled
+// Client DC support enabled
+// Result: Successful connection without DC
+add_connection_test(
+ "delegated-disabled.example.com",
+ PRErrorCodeSuccess,
+ null,
+ shouldNotBeDelegatedCredential
+);
+
+// Test:
+// Server certificate supports DC
+// Server DC support enabled
+// Client DC support enabled
+// Result: Successful connection with DC
+add_connection_test(
+ "delegated-enabled.example.com",
+ PRErrorCodeSuccess,
+ null,
+ shouldBeDelegatedCredential
+);
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key
new file mode 100644
index 0000000000..a926a54efb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM
+1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48
+9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA
+-----END EC PRIVATE KEY-----
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key.keyspec
new file mode 100644
index 0000000000..03c3ce198f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.key.keyspec
@@ -0,0 +1 @@
+secp256r1
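Review bot: The last two `add_connection_test` cases in test_delegated_credentials.js (delegated-disabled.example.com and the final delegated-enabled.example.com) silently depend on the `security.tls.enable_delegated_credentials` pref and the cleared session cache left behind by the `add_test` that precedes the standard-enabled.example.com case. The final case is the only positive assertion that a delegated credential was actually used, so reordering or inserting a case above it would change what it proves without any test failing for an obvious reason. I would give that case its own `add_test` that calls `clearSessionCache()` and sets the pref to `true`, or at minimum add a comment such as `// Relies on the pref and session-cache state set before the standard-enabled case.`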
diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem new file mode 100644 index 0000000000..4ee85cb1eb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICSDCCATCgAwIBAgIUN26/sySuiNB+ynuprhHIoxsuFXQwDQYJKoZIhvcNAQEL +BQAwLDEqMCgGA1UEAwwhZGVsZWdhdGVkLWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRl +MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMBUxEzARBgNVBAMM +CmRlZmF1bHQtZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARPv7u7YeD4+bGm +ClmshwTi7AULQj489y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQej +BOqgSqbAo0AwPjATBgNVHSUEDDAKBggrBgEFBQcDATAnBgNVHREEIDAeghxzdGFu +ZGFyZC1lbmFibGVkLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBIxTo+ +s5Tg/YrX0tLgg0rKcrZumJdN64j10IW1JwKCgYqoP/XhXK5AEISudekcedjrQOtb +Kalacxn9Pecmw+EiDvhXklxQfZKSHBtsecLtmQnr2RaDdbxQx+ebAmAtn4y9MwjO +rWVqdW80viHcsn+1S/+uDF8tNPuBTTInLh7yYRwBZ1O44sT/w/5DXujmjefK5LoK +VORWpnHZ9JA1jVEj4MHlhHXky6og2SG+10WnouvmOGKJsV7JfWrUe/ogMnW1nkEZ +dcOBIqjHQWLCWKd27ZQASmTZThVDHoN+QnXe/dEYwBaCcUmoafM+uis9A2zcMdJw +o6scbgbJMwgS/e/d +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem.certspec new file mode 100644 index 0000000000..5ebe9b5ba7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/default-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:delegated-credential-intermediate +subjectKey:secp256r1 +subject:default-ee +extension:extKeyUsage:serverAuth +extension:subjectAlternativeName:standard-enabled.example.com diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem new file mode 100644 index 0000000000..8da0838e6f --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICiTCCAXGgAwIBAgIUXdQo1CMJjWFQKxkJ45F9RpbesCQwDQYJKoZIhvcNAQEL +BQAwLDEqMCgGA1UEAwwhZGVsZWdhdGVkLWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRl +MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMBcxFTATBgNVBAMM +DGRlbGVnYXRlZC1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5 +saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGTkNeZG3st +B6ME6qBKpsCjfzB9MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDBI +BgNVHREEQTA/gh1kZWxlZ2F0ZWQtZW5hYmxlZC5leGFtcGxlLmNvbYIeZGVsZWdh +dGVkLWRpc2FibGVkLmV4YW1wbGUuY29tMA8GCSsGAQQBgtpLLAQCBQAwDQYJKoZI +hvcNAQELBQADggEBABih6ICVs7RsbhTEhAJQ16rrD36fF0fCe+1XqUy52nUaQuAj +a2JWbkqp24Ib76dU40B40L7Pd4ksmYnazKS4aFZ8HrTRKfPzmKR743Jex6rcFiRM +0JnqLw75p5LbZcOfW4+Nu1AzhgUiPp1u0PJnfCbVTlcCkyS3Fb+SH7knCftF6BJt +zS+ZQFRzorbVjjUAkUeN2B7qeesYJVLqFpGfhsTSge9+F8JIAqE9Fso7+a+sHuhp +5ItAKczQkFcXwyCdTCBnNo4yy7NvQ66tNj6+v0ifHnINg3wqd2gOAJ9xMY7mGE7F +uXi/dBWquWVHsg481ybTW20Ovk4HWJz33Ylxc6E= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem.certspec new file mode 100644 index 0000000000..e90fa3b646 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated-ee.pem.certspec @@ -0,0 +1,7 @@ +issuer:delegated-credential-intermediate +subject:delegated-ee +subjectKey:secp256r1 +extension:extKeyUsage:serverAuth +extension:keyUsage:digitalSignature,keyEncipherment +extension:subjectAlternativeName:delegated-enabled.example.com,delegated-disabled.example.com +extension:delegationUsage: diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key new file mode 100644 index 0000000000..1c1af40bda --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDADXHobENn6/oN7ZK2S +8i9c7QeJGGU4ZptcbYcs7D2SYSKzk3crV2Av8xNl7+E5MkahZANiAAShaHJDNitc +exiJ83kVRhWhxz+0je6GPgIpFdtgjiUt5LcTLajOmOgxU05qnAwLCcjWOa3oMgbl +uoE0c6EfozDgXajJbkOD/ieHPalxA74oiM/wAvBa9xof3cyDdKpuqc4= +-----END EC PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec new file mode 100644 index 0000000000..11f041d996 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec @@ -0,0 +1 @@ +secp384r1 diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem new file mode 100644 index 0000000000..8090606694 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8zCCAdugAwIBAgIUV5QPCtt30cr0OHQqp5FKh9iORPUwDQYJKoZIhvcNAQEL +BQAwIjEgMB4GA1UEAwwXZGVsZWdhdGVkLWNyZWRlbnRpYWwtY2EwIhgPMjAyMTEx +MjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowIjEgMB4GA1UEAwwXZGVsZWdhdGVk +LWNyZWRlbnRpYWwtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6 +iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr +4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP +8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OI +Q+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ +77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5J +I/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQD +AgEGMA0GCSqGSIb3DQEBCwUAA4IBAQB7snna6hblvBPTwNKeReVfshWDEeeW4cFM +zDZIxdQ+Xh9dWSZHN8fT0r4ZH621vnfipRqlfKTNp2/472WfVLGWRJSBX/bSqfVG +EH2SQVixHOAHnmgi2zfE6XY0O5CT1IoHLNOEoGkpPXXgpw6ya/XPWHNw/I+Poj9F +sEnot00uDdn3yO/mzMyHaOnWoKoycLIPHxsRQb/twRYFs5rypEzXvRd2IWj6E0Kj +TDAusnuYrzZOyTG+pqvq7V9Xr5igwD29f48KQVYRu+wuXaxH8KXw8nB3N7+rhMOW +x9nnItSoPDkZI2fxWedhDF6YLoDPkISZpw8/4vs4kVkBAgjnKxZ5 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem.certspec new file mode 100644 index 0000000000..91227f5da0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:delegated-credential-ca +subject:delegated-credential-ca +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem new file mode 100644 index 0000000000..dbeca6352f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/TCCAeWgAwIBAgIUJRD5PaFbjcWhPAHq+mbNZw66NKowDQYJKoZIhvcNAQEL +BQAwIjEgMB4GA1UEAwwXZGVsZWdhdGVkLWNyZWRlbnRpYWwtY2EwIhgPMjAyMTEx +MjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowLDEqMCgGA1UEAwwhZGVsZWdhdGVk +LWNyZWRlbnRpYWwtaW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/ +MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAeRvreFXifukKi5uoS290 +3UcsmVcGiPGrFFBvOi279MqzZFawGwsAFD9hCrQbx6Ym3PvMdKjcwAb/sVGui7b8 +NYKXt7U5hSvncWQOFShK0eWUYZp7yVUt+ZPd0NPpmP5QGbnBoR4YVAuubb/lLycZ +r3tt41pYBKhOBov4AX2Rab16yW619pClss4Qqd7pIAimSXYxRFh0p8FRh8c9a2tK +Cc8qA0tc8lQfem1Z1gWHhUMiFBTS0HRwRr6s4JqYVJcu1zMzU6QxEDzTClA3BVHB +tiSwVSDRg2blzlIbaAD4OQwip9aTzQQw0Sc7wV//UOjuR5DmcX5d6Qd18qE5NQHR +aA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem.certspec b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem.certspec new file mode 100644 index 0000000000..64cc4e5693 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_delegated_credentials/test-int.pem.certspec @@ -0,0 +1,4 @@ +issuer:delegated-credential-ca +subject:delegated-credential-intermediate +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/test_der.js b/security/manager/ssl/tests/unit/test_der.js new file mode 100644 index 0000000000..258f161aa1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_der.js 
@@ -0,0 +1,355 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+// Tests DER.jsm functionality.
+
+// Until DER.jsm is actually used in production code, this is where we have to
+// import it from.
+var { DER } = ChromeUtils.import("resource://gre/modules/psm/DER.jsm");
+
+function run_simple_tests() {
+ throws(
+ () => new DER.DERDecoder("this is not an array"),
+ /invalid input/,
+ "should throw given non-array input"
+ );
+
+ let testReadByte = new DER.DERDecoder([0x0a, 0x0b]);
+ equal(testReadByte.readByte(), 0x0a, "should read 0x0a");
+ equal(testReadByte.readByte(), 0x0b, "should read 0x0b");
+ throws(
+ () => testReadByte.readByte(),
+ /data truncated/,
+ "reading more data than is available should fail"
+ );
+
+ let testReadBytes = new DER.DERDecoder([0x0c, 0x0d, 0x0e]);
+ deepEqual(
+ testReadBytes.readBytes(3),
+ [0x0c, 0x0d, 0x0e],
+ "should read correct sequence of bytes"
+ );
+
+ let testReadNegativeBytes = new DER.DERDecoder([0xff, 0xaf]);
+ throws(
+ () => testReadNegativeBytes.readBytes(-4),
+ /invalid length/,
+ "reading a negative number of bytes should fail"
+ );
+
+ let testReadZeroBytes = new DER.DERDecoder([]);
+ equal(
+ testReadZeroBytes.readBytes(0).length,
+ 0,
+ "reading zero bytes should result in a zero-length array"
+ );
+
+ let testReadTooManyBytes = new DER.DERDecoder([0xab, 0xcd, 0xef]);
+ throws(
+ () => testReadTooManyBytes.readBytes(4),
+ /data truncated/,
+ "reading too many bytes should fail"
+ );
+
+ let testSEQUENCE = new DER.DERDecoder([0x30, 0x01, 0x01]);
+ let content = testSEQUENCE.readTagAndGetContents(DER.SEQUENCE);
+ equal(content.length, 1, "content should have length 1");
+ equal(content[0], 1, "value of content should be [1]");
+ ok(testSEQUENCE.atEnd(), "testSEQUENCE should be at the end of its input");
+ testSEQUENCE.assertAtEnd();
+
+ // The length purports to be 4 bytes, but there are only 2 available.
+ let truncatedSEQUENCE = new DER.DERDecoder([0x30, 0x04, 0x00, 0x00]);
+ throws(
+ () => truncatedSEQUENCE.readTagAndGetContents(DER.SEQUENCE),
+ /data truncated/,
+ "should get 'data truncated' error"
+ );
+
+ // With 2 bytes of content, there is 1 remaining after reading the content.
+ let extraDataSEQUENCE = new DER.DERDecoder([0x30, 0x02, 0xab, 0xcd, 0xef]);
+ content = extraDataSEQUENCE.readTagAndGetContents(DER.SEQUENCE);
+ equal(content.length, 2, "content should have length 2");
+ deepEqual(content, [0xab, 0xcd], "value of content should be [0xab, 0xcd]");
+ ok(
+ !extraDataSEQUENCE.atEnd(),
+ "extraDataSEQUENCE should not be at the end of its input"
+ );
+ throws(
+ () => extraDataSEQUENCE.assertAtEnd(),
+ /extra data/,
+ "should get 'extra data' error"
+ );
+
+ // The length of 0x81 0x01 is invalid because it could be encoded as just
+ // 0x01, which is shorter.
+ let invalidLengthSEQUENCE1 = new DER.DERDecoder([0x30, 0x81, 0x01, 0x00]);
+ throws(
+ () => invalidLengthSEQUENCE1.readTagAndGetContents(DER.SEQUENCE),
+ /invalid length/,
+ "should get 'invalid length' error"
+ );
+
+ // Similarly, 0x82 0x00 0x01 could be encoded as just 0x01, which is shorter.
+ let invalidLengthSEQUENCE2 = new DER.DERDecoder([
+ 0x30,
+ 0x82,
+ 0x00,
+ 0x01,
+ 0x00,
+ ]);
+ throws(
+ () => invalidLengthSEQUENCE2.readTagAndGetContents(DER.SEQUENCE),
+ /invalid length/,
+ "should get 'invalid length' error"
+ );
+
+ // Lengths requiring 4 bytes to encode are not supported.
+ let unsupportedLengthSEQUENCE = new DER.DERDecoder([
+ 0x30,
+ 0x83,
+ 0x01,
+ 0x01,
+ 0x01,
+ ]);
+ throws(
+ () => unsupportedLengthSEQUENCE.readTagAndGetContents(DER.SEQUENCE),
+ /unsupported length/,
+ "should get 'unsupported length' error"
+ );
+
+ // Indefinite lengths are not supported (and aren't DER anyway).
+ let unsupportedASN1SEQUENCE = new DER.DERDecoder([
+ 0x30,
+ 0x80,
+ 0x01,
+ 0x00,
+ 0x00,
+ ]);
+ throws(
+ () => unsupportedASN1SEQUENCE.readTagAndGetContents(DER.SEQUENCE),
+ /unsupported asn.1/,
+ "should get 'unsupported asn.1' error"
+ );
+
+ let unexpectedTag = new DER.DERDecoder([0x31, 0x01, 0x00]);
+ throws(
+ () => unexpectedTag.readTagAndGetContents(DER.SEQUENCE),
+ /unexpected tag/,
+ "should get 'unexpected tag' error"
+ );
+
+ let readTLVTestcase = new DER.DERDecoder([0x02, 0x03, 0x45, 0x67, 0x89]);
+ let bytes = readTLVTestcase.readTLV();
+ deepEqual(
+ bytes,
+ [0x02, 0x03, 0x45, 0x67, 0x89],
+ "bytes read with readTLV should be equal to expected value"
+ );
+
+ let peekTagTestcase = new DER.DERDecoder([0x30, 0x01, 0x00]);
+ ok(
+ peekTagTestcase.peekTag(DER.SEQUENCE),
+ "peekTag should return true for peeking with a SEQUENCE at a SEQUENCE"
+ );
+ ok(
+ !peekTagTestcase.peekTag(DER.SET),
+ "peekTag should return false for peeking with a SET at a SEQUENCE"
+ );
+ peekTagTestcase.readTLV();
+ ok(
+ !peekTagTestcase.peekTag(DER.SEQUENCE),
+ "peekTag should return false for peeking at a DER with no more data"
+ );
+
+ let tlvChoiceTestcase = new DER.DERDecoder([0x31, 0x02, 0xaa, 0xbb]);
+ let tlvChoiceContents = tlvChoiceTestcase.readTLVChoice([DER.NULL, DER.SET]);
+ deepEqual(
+ tlvChoiceContents,
+ [0x31, 0x02, 0xaa, 0xbb],
+ "readTLVChoice should return expected bytes"
+ );
+
+ let tlvChoiceNoMatchTestcase = new DER.DERDecoder([0x30, 0x01, 0xff]);
+ throws(
+ () => tlvChoiceNoMatchTestcase.readTLVChoice([DER.NULL, DER.SET]),
+ /unexpected tag/,
+ "readTLVChoice should throw if no matching tag is found"
+ );
+}
+
+function run_bit_string_tests() {
+ let bitstringDER = new DER.DERDecoder([0x03, 0x04, 0x03, 0x01, 0x02, 0xf8]);
+ let bitstring = bitstringDER.readBIT_STRING();
+ equal(bitstring.unusedBits, 3, "BIT STRING should have 3 unused bits");
+ deepEqual(
+ bitstring.contents,
+ [0x01, 0x02, 0xf8],
+ "BIT STRING should have expected contents"
+ );
+
+ let bitstringTooManyUnusedBits = new DER.DERDecoder([0x03, 0x02, 0x08, 0x00]);
+ throws(
+ () => bitstringTooManyUnusedBits.readBIT_STRING(),
+ /invalid BIT STRING encoding/,
+ "BIT STRING with too many unused bits should throw"
+ );
+
+ // A BIT STRING must have the unused bits byte, and so its length must be at
+ // least one.
+ let bitstringMissingUnusedBits = new DER.DERDecoder([0x03, 0x00]);
+ throws(
+ () => bitstringMissingUnusedBits.readBIT_STRING(),
+ /invalid BIT STRING encoding/,
+ "BIT STRING with missing unused bits (and no contents) should throw"
+ );
+
+ // The minimal BIT STRING is 03 01 00 (zero bits of padding and zero bytes of
+ // content).
+ let minimalBitstringDER = new DER.DERDecoder([0x03, 0x01, 0x00]);
+ let minimalBitstring = minimalBitstringDER.readBIT_STRING();
+ equal(
+ minimalBitstring.unusedBits,
+ 0,
+ "minimal BIT STRING should have 0 unused bits"
+ );
+ equal(
+ minimalBitstring.contents.length,
+ 0,
+ "minimal BIT STRING should have empty contents"
+ );
+
+ // However, a BIT STRING with zero bytes of content can't have any padding,
+ // because that makes no sense.
+ let noContentsPaddedBitstringDER = new DER.DERDecoder([0x03, 0x01, 0x03]);
+ throws(
+ () => noContentsPaddedBitstringDER.readBIT_STRING(),
+ /invalid BIT STRING encoding/,
+ "BIT STRING with no contents with non-zero padding should throw"
+ );
+}
+
+function run_compound_tests() {
+ let derBytes = [
+ 0x30,
+ 0x1a, // SEQUENCE
+ 0x02,
+ 0x02,
+ 0x77,
+ 0xff, // INTEGER
+ 0x06,
+ 0x03,
+ 0x2b,
+ 0x01,
+ 0x01, // OBJECT IDENTIFIER
+ 0x30,
+ 0x07, // SEQUENCE
+ 0x05,
+ 0x00, // NULL
+ 0x02,
+ 0x03,
+ 0x45,
+ 0x46,
+ 0x47, // INTEGER
+ 0x30,
+ 0x06, // SEQUENCE
+ 0x02,
+ 0x02,
+ 0x00,
+ 0xff, // INTEGER
+ 0x05,
+ 0x00,
+ ]; // NULL
+ let der = new DER.DERDecoder(derBytes);
+ let contents = new DER.DERDecoder(der.readTagAndGetContents(DER.SEQUENCE));
+ let firstINTEGER = contents.readTagAndGetContents(DER.INTEGER);
+ deepEqual(
+ firstINTEGER,
+ [0x77, 0xff],
+ "first INTEGER should have expected value"
+ );
+ let oid = contents.readTagAndGetContents(DER.OBJECT_IDENTIFIER);
+ deepEqual(
+ oid,
+ [0x2b, 0x01, 0x01],
+ "OBJECT IDENTIFIER should have expected value"
+ );
+
+ let firstNested = new DER.DERDecoder(
+ contents.readTagAndGetContents(DER.SEQUENCE)
+ );
+ let firstNestedNULL = firstNested.readTagAndGetContents(DER.NULL);
+ equal(
+ firstNestedNULL.length,
+ 0,
+ "first nested NULL should have expected value (empty array)"
+ );
+ let firstNestedINTEGER = firstNested.readTagAndGetContents(DER.INTEGER);
+ deepEqual(
+ firstNestedINTEGER,
+ [0x45, 0x46, 0x47],
+ "first nested INTEGER should have expected value"
+ );
+ firstNested.assertAtEnd();
+
+ let secondNested = new DER.DERDecoder(
+ contents.readTagAndGetContents(DER.SEQUENCE)
+ );
+ let secondNestedINTEGER = secondNested.readTagAndGetContents(DER.INTEGER);
+ deepEqual(
+ secondNestedINTEGER,
+ [0x00, 0xff],
+ "second nested INTEGER should have expected value"
+ );
+ let secondNestedNULL = secondNested.readTagAndGetContents(DER.NULL);
+ equal(
+ secondNestedNULL.length,
+ 0,
+ "second nested NULL should have expected value (empty array)"
+ );
+ secondNested.assertAtEnd();
+
+ contents.assertAtEnd();
+ der.assertAtEnd();
+
+ let invalidDERBytes = [
+ 0x30,
+ 0x06, // SEQUENCE
+ 0x30,
+ 0x02, // SEQUENCE
+ 0x02,
+ 0x01, // INTEGER (missing data)
+ 0x05,
+ 0x00, // NULL
+ 0x00,
+ 0x00,
+ ]; // (extra data)
+ let invalidDER = new DER.DERDecoder(invalidDERBytes);
+ let invalidContents = new DER.DERDecoder(
+ invalidDER.readTagAndGetContents(DER.SEQUENCE)
+ );
+ let invalidContentsContents = new DER.DERDecoder(
+ invalidContents.readTagAndGetContents(DER.SEQUENCE)
+ );
+ throws(
+ () => invalidContentsContents.readTagAndGetContents(DER.INTEGER),
+ /data truncated/,
+ "should throw due to missing data"
+ );
+ let nestedNULL = invalidContents.readTagAndGetContents(DER.NULL);
+ equal(nestedNULL.length, 0, "nested NULL should have expected value");
+ invalidContents.assertAtEnd();
+ throws(
+ () => invalidDER.assertAtEnd(),
+ /extra data/,
+ "should throw due to extra data"
+ );
+}
+
+function run_test() {
+ run_simple_tests();
+ run_bit_string_tests();
+ run_compound_tests();
+}
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello.js b/security/manager/ssl/tests/unit/test_encrypted_client_hello.js
new file mode 100644
index 0000000000..945a9ea83f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello.js
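Review bot: None of the length cases in `run_simple_tests` decodes a valid long-form length. `0x81 0x01` and `0x82 0x00 0x01` are rejected as non-minimal, `0x83` as unsupported and `0x80` as indefinite, and every other input in test_der.js uses a short-form length. A decoder that rejected every long-form length, or got the 127/128 boundary wrong, would still pass, and certificate-sized structures live on the far side of that boundary. I would add a positive case such as `let longForm = new DER.DERDecoder([0x30, 0x81, 0x80].concat(new Array(128).fill(0)));` with `equal(longForm.readTagAndGetContents(DER.SEQUENCE).length, 128, "0x81 0x80 should decode as length 128");`, plus a negative case for `0x82 0x00 0x80`, which is also non-minimal. DER.jsm itself is not visible in this part of the diff, so the expected results should be confirmed against the decoder.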
@@ -0,0 +1,101 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Tests handling of Encrypted Client Hello. These ECHConfigs
+// can be regenerated by running EncryptedClientHelloServer
+// and dumping the output of SSL_EncodeEchConfig. They do not
+// expire. An update here is only needed if the host or ECH
+// ciphersuite configuration changes, or if the keypair in
+// EncryptedClientHelloServer.cpp is modified.
+
+// Public name: ech-public.example.com
+const ECH_CONFIG_FIXED =
+ "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAEAA2QWZWNoLXB1YmxpYy5leGFtcGxlLmNvbQAA";
+
+// Public name: ech-public.example.com, Unsupported AEAD to prompt retry_configs from a trusted host.
+const ECH_CONFIG_TRUSTED_RETRY =
+ "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAMAA2QWZWNoLXB1YmxpYy5leGFtcGxlLmNvbQAA";
+
+// Public name: selfsigned.example.com. Unsupported AEAD to prompt retry_configs from an untrusted host.
+const ECH_CONFIG_UNTRUSTED_RETRY =
+ "AEn+DQBFTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAMAA2QWc2VsZnNpZ25lZC5leGFtcGxlLmNvbQAA";
+
+function shouldBeAcceptedEch(aTransportSecurityInfo) {
+ Assert.ok(
+ aTransportSecurityInfo.isAcceptedEch,
+ "This host should have accepted ECH"
+ );
+ Assert.ok(
+ !aTransportSecurityInfo.usedPrivateDNS,
+ "This connection does not use DoH"
+ );
+}
+
+function shouldBeRejectedEch(aTransportSecurityInfo) {
+ Assert.ok(
+ !aTransportSecurityInfo.isAcceptedEch,
+ "This host should have rejected ECH"
+ );
+ Assert.ok(
+ !aTransportSecurityInfo.usedPrivateDNS,
+ "This connection does not use DoH"
+ );
+}
+
+do_get_profile();
+
+add_tls_server_setup(
+ "EncryptedClientHelloServer",
+ "test_encrypted_client_hello"
+);
+
+// Connect directly without ECH first
+add_connection_test(
+ "ech-public.example.com",
+ PRErrorCodeSuccess,
+ null,
+ shouldBeRejectedEch
+);
+
+// Connect with ECH
+add_connection_test(
+ "ech-private.example.com",
+ PRErrorCodeSuccess,
+ null,
+ shouldBeAcceptedEch,
+ null,
+ null,
+ ECH_CONFIG_FIXED
+);
+
+// Trigger retry_configs by setting an ECHConfig with a different.
+// AEAD than the server supports.
+add_connection_test(
+ "ech-private.example.com",
+ SSL_ERROR_ECH_RETRY_WITH_ECH,
+ null,
+ null,
+ null,
+ null,
+ ECH_CONFIG_TRUSTED_RETRY
+);
+
+// Trigger retry_configs, but from a host that is untrusted
+// (due to a self-signed certificate for the public name).
+// Retry_configs must not be used or reported as available.
+add_connection_test(
+ "ech-private.example.com",
+ MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT,
+ null,
+ null,
+ null,
+ null,
+ ECH_CONFIG_UNTRUSTED_RETRY
+);
+
+// A client-only (retry_without_ech) test is located in
+// test_encrypted_client_hello_client_only.js We can't easily restart
+// a different server (one without ECHConfigs) here, so put that
+// test in a different file that launches a non-ECH server.
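Review bot: The last `add_connection_test` call (the one passing `ECH_CONFIG_UNTRUSTED_RETRY`) pins only the error code `MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT`, while the comment above it promises that retry_configs "must not be used or reported as available"; every callback slot is `null`, so nothing visible in this file asserts that second half. If the harness passes a security-info object to the fourth argument on failed handshakes as well (not shown in this hunk), a checker there should assert that no retry config is exposed; otherwise the comment should be narrowed to what is tested, e.g. `// The handshake must fail with the certificate error, not with an ECH retry error.` The same gap applies to the `ECH_CONFIG_TRUSTED_RETRY` case, which does not check that a retry config was actually delivered. The comment before that call also has a stray full stop after "different".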
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key new file mode 100644 index 0000000000..09e044f5e0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem new file mode 100644 index 0000000000..60960b4daa --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4DCCAcigAwIBAgIUWxEI7DW20X+b24MUvyO3J1pngeQwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZWNoLWNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMBgxFjAUBgNVBAMMDWVjaC1wdWJsaWMtZWUwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo +V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p +0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk +fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh +W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI +TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjJTAjMCEG +A1UdEQQaMBiCFmVjaC1wdWJsaWMuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQAD +ggEBALBk11enYtAuUPy77WPmNv4fN/NigB4wuygvdTJqVQTUDrRLXhX7ThFL68pd +b7jTdBsCS3QGucU3W05miyyHwGfiN3PqTvzY6xATR6i4+cKPyW2OM8U7gIZmH3du +et/rIJ8eAio98S4wvqAmd7oMKeQ4zJ3iRomEHIXH80c8VLOaSugarZuZG11hKCWT +qbSiVYvCkLBuKzNMlLN3QEaK1mSWngwZ7u6AvbzvoDV3+JX1UThFjI97j/41Kpgy +Ip0PbKONjUOjb+Rd1Fo6FLBAtJ/tfKrJZqCm7HxJiY9PuPJWyL6PBxIAymFcAyRU +deD8cDEq9EaQmfYM3rPeUortM8g= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem.certspec new file mode 100644 index 0000000000..d5c332ceec --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/default-ee.pem.certspec @@ -0,0 +1,3 @@ +issuer:ech-ca +subject:ech-public-ee +extension:subjectAlternativeName:ech-public.example.com 
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key new file mode 100644 index 0000000000..09e044f5e0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key.keyspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem new file mode 100644 index 0000000000..f136a811e8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4jCCAcqgAwIBAgIUN7V9tjNwYafgE24tOZNXBSQn96QwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZWNoLWNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMBkxFzAVBgNVBAMMDmVjaC1wcml2YXRlLWVlMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1 +aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we +adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS +pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W +YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR +CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoyYwJDAi +BgNVHREEGzAZghdlY2gtcHJpdmF0ZS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsF +AAOCAQEATfrz7BkT8pNISv2h71JHVkuPNDpjgSG+M0Z0IzXhTON0CpE/6Jk8nRwS +LjfW9n9nJL7PATF4RT45tQ83+jmfFykhrmPctl2Tiq1HfTKdMdpW2i8lZVOovKZN +3c98eNWZ5cqicG4XZEQbq1Nu+VsL7R5UCVvhIgLPWAdiEJu1D7VagCzZHguoUBDT +C428L9nx0z80l4XNOeqYGtJtN2YqRSErkeMPAN1Q7MxVyp0Lsz8lwHQx8D73jYKK +AN1kjtC18jBr5BYL1HCHvE/sL7ZLlaBRS+PQnF2HW0qkCOb3POlZ1UCjTa09Qy4f +pxbYP6sTh1c6VShYzlE04jXC3K8KKw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem.certspec new file mode 100644 index 0000000000..c152462f0d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/private-ee.pem.certspec @@ -0,0 +1,3 @@ +issuer:ech-ca +subject:ech-private-ee +extension:subjectAlternativeName:ech-private.example.com 
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem new file mode 100644 index 0000000000..eb6a2c1096 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDAzCCAeugAwIBAgIUKXdVQO3RzfhQiRP9uZIuxnydYxAwDQYJKoZIhvcNAQEL +BQAwJjEkMCIGA1UEAwwbU2VsZi1zaWduZWQgVGVzdCBFbmQtZW50aXR5MCIYDzIw +MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCYxJDAiBgNVBAMMG1NlbGYt +c2lnbmVkIFRlc3QgRW5kLWVudGl0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x +nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM +wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF +4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20 +yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx +j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMlMCMwIQYDVR0RBBowGIIWc2Vs +ZnNpZ25lZC5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAXAU/SRgl952l +O2B26d2oytCFyWJkotYhd7cHLTWcdGdfwgJ6YD2JaW9Bos0NVFbj+Z9PJJh2xNCy +xULqNCVnRu11dFlGad6FDvY1psli8By00Kvz74kbNseISNuuzCTsZU2Uw5BXS9W9 +ia4S1dskQyuBae5M8ma6BeUyyHHfmu9TiqtzrlrAqIsXDucMs6WhgfOVimgAIQDl +fA5qju7cmOJ8lzSV+CTrmoAMv2Q80G3rw0CPPIWqKrcTjkf+R5p3CSYUQ5Qq38Qx +m0hK0fdlZ4MPsSKxQN7k/DeINotW2IaLX/AGL5z6dEFsBMp50iJCMEebkFmuFQ50 +oOILqRNvCA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem.certspec new file mode 100644 index 0000000000..438a08eba2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/selfsigned.pem.certspec @@ -0,0 +1,3 @@ +issuer:Self-signed Test End-entity +subject:Self-signed Test End-entity +extension:subjectAlternativeName:selfsigned.example.com 
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem new file mode 100644 index 0000000000..80c87da490 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0TCCAbmgAwIBAgIUG1Lw/SgeLtklG97Ln5uybxccJyMwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZWNoLWNhMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMBExDzANBgNVBAMMBmVjaC1jYTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUw +AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAAMcKWJnU+OkvNVY +g3glJ1ZgNURoWjhFnyqX8EmxFYH8mRdEdb8ZBTGeBYUDc3diHdZcmunGJ3FCVO5v +zOI4UOCfADvIzY0hwtj+adtaavgRBRXeTZp8MyTSiN2a1T/3XgsnzKLYqAK7GIEq +NwdRcsgu/mFG6p0ktOBvfBgbyD3rlupZhuWoedUQ6fR04BKFgdp4zg411qCG8HBQ +lSa2t0e+dT5pZ1QTtyzIjtkAQu+GWJqc2Sqr5I4BnHOzRiXPc2lhVl0yGPjROHaD +qK/jsbIkFxvi++59F9ptkOJTPJk1rAJ69Grx5/V7s1NxtXocCEm6gtDSi0zJ3V0f +J0Qs50Y= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem.certspec new file mode 100644 index 0000000000..1735a15075 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello/test-ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ech-ca +subject:ech-ca +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign 
diff --git a/security/manager/ssl/tests/unit/test_encrypted_client_hello_client_only.js b/security/manager/ssl/tests/unit/test_encrypted_client_hello_client_only.js
new file mode 100644
index 0000000000..b01c5d6c90
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_encrypted_client_hello_client_only.js
@@ -0,0 +1,32 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// Public Name = delegated-enabled.example.com
+const ECH_CONFIG_FIXED =
+ "AFD+DQBMTQAgACCKB1Y5SfrGIyk27W82xPpzWTDs3q72c04xSurDWlb9CgAEAAEAA2QdZGVsZWdhdGVkLWVuYWJsZWQuZXhhbXBsZS5jb20AAA==";
+do_get_profile();
+
+// An arbitrary, non-ECH server.
+add_tls_server_setup(
+ "DelegatedCredentialsServer",
+ "test_delegated_credentials"
+);
+
+add_test(function() {
+ clearSessionCache();
+ run_next_test();
+});
+
+// Connect, sending ECH. The server is not configured for it,
+// but *is* authoritative for the public name.
+add_connection_test(
+ "delegated-disabled.example.com",
+ SSL_ERROR_ECH_RETRY_WITHOUT_ECH,
+ null,
+ null,
+ null,
+ null,
+ ECH_CONFIG_FIXED
+);
diff --git a/security/manager/ssl/tests/unit/test_enterprise_roots.js b/security/manager/ssl/tests/unit/test_enterprise_roots.js
new file mode 100644
index 0000000000..6abd7161ae
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_enterprise_roots.js
@@ -0,0 +1,82 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests enterprise root certificate support. When configured to do so, the
+// platform will attempt to find and import enterprise root certificates. This
+// feature is specific to Windows.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+const { TestUtils } = ChromeUtils.importESModule(
+ "resource://testing-common/TestUtils.sys.mjs"
+);
+
+async function check_no_enterprise_roots_imported(
+ nssComponent,
+ certDB,
+ dbKey = undefined
+) {
+ let enterpriseRoots = nssComponent.getEnterpriseRoots();
+ notEqual(enterpriseRoots, null, "enterprise roots list should not be null");
+ equal(
+ enterpriseRoots.length,
+ 0,
+ "should not have imported any enterprise roots"
+ );
+ if (dbKey) {
+ let cert = certDB.findCertByDBKey(dbKey);
+ // If the garbage-collector hasn't run, there may be reachable copies of
+ // imported enterprise root certificates. If so, they shouldn't be trusted
+ // to issue TLS server auth certificates.
+ if (cert) {
+ await asyncTestCertificateUsages(certDB, cert, []);
+ }
+ }
+}
+
+async function check_some_enterprise_roots_imported(nssComponent, certDB) {
+ let enterpriseRoots = nssComponent.getEnterpriseRoots();
+ notEqual(enterpriseRoots, null, "enterprise roots list should not be null");
+ notEqual(
+ enterpriseRoots.length,
+ 0,
+ "should have imported some enterprise roots"
+ );
+ let foundNonBuiltIn = false;
+ let savedDBKey = null;
+ for (let certDer of enterpriseRoots) {
+ let cert = certDB.constructX509(certDer);
+ notEqual(cert, null, "should be able to decode cert from DER");
+ if (!cert.isBuiltInRoot && !savedDBKey) {
+ foundNonBuiltIn = true;
+ savedDBKey = cert.dbKey;
+ info("saving dbKey from " + cert.commonName);
+ await asyncTestCertificateUsages(certDB, cert, [certificateUsageSSLCA]);
+ break;
+ }
+ }
+ ok(foundNonBuiltIn, "should have found non-built-in root");
+ return savedDBKey;
+}
+
+add_task(async function run_test() {
+ let nssComponent = Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent);
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ nssComponent.getEnterpriseRoots(); // blocks until roots are loaded
+ Services.prefs.setBoolPref("security.enterprise_roots.enabled", false);
+ await check_no_enterprise_roots_imported(nssComponent, certDB);
+ Services.prefs.setBoolPref("security.enterprise_roots.enabled", true);
+ await TestUtils.topicObserved("psm:enterprise-certs-imported");
+ let savedDBKey = await check_some_enterprise_roots_imported(
+ nssComponent,
+ certDB
+ );
+ Services.prefs.setBoolPref("security.enterprise_roots.enabled", false);
+ await check_no_enterprise_roots_imported(nssComponent, certDB, savedDBKey);
+});
diff --git a/security/manager/ssl/tests/unit/test_ev_certs.js b/security/manager/ssl/tests/unit/test_ev_certs.js
new file mode 100644
index 0000000000..f163623919
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
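Review bot: In `check_some_enterprise_roots_imported` the loop exits on `break` as soon as the first non-built-in root is handled, so `!savedDBKey` in the `if` can never be false and `foundNonBuiltIn` says the same thing as `savedDBKey !== null`. The condition can be `if (!cert.isBuiltInRoot) {` and the closing check `notEqual(savedDBKey, null, "should have found non-built-in root");`. It also follows that only one imported root is checked for `certificateUsageSSLCA`, and only that one dbKey is re-checked for lost trust after the pref is switched off; a comment above the loop such as `// Only the first non-built-in root is verified; later entries are not decoded or checked.` would make that coverage limit explicit.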
@@ -0,0 +1,310 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// Tests that end-entity certificates that should successfully verify as EV +// (Extended Validation) do so and that end-entity certificates that should not +// successfully verify as EV do not. Also tests related situations (e.g. that +// failure to fetch an OCSP response results in no EV treatment). +// +// A quick note about the certificates in these tests: generally, an EV +// certificate chain will have an end-entity with a specific policy OID followed +// by an intermediate with the anyPolicy OID chaining to a root with no policy +// OID (since it's a trust anchor, it can be omitted). In these tests, the +// specific policy OID is 1.3.6.1.4.1.13769.666.666.666.1.500.9.1 and is +// referred to as the test OID. In order to reflect what will commonly be +// encountered, the end-entity of any given test path will have the test OID +// unless otherwise specified in the name of the test path. Similarly, the +// intermediate will have the anyPolicy OID, again unless otherwise specified. +// For example, for the path where the end-entity does not have an OCSP URI +// (referred to as "no-ocsp-ee-path-{ee,int}", the end-entity has the test OID +// whereas the intermediate has the anyPolicy OID. +// For another example, for the test OID path ("test-oid-path-{ee,int}"), both +// the end-entity and the intermediate have the test OID. 
+ +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +registerCleanupFunction(() => { + Services.prefs.clearUserPref("network.dns.localDomains"); + Services.prefs.clearUserPref("security.OCSP.enabled"); +}); + +Services.prefs.setCharPref("network.dns.localDomains", "www.example.com"); +Services.prefs.setIntPref("security.OCSP.enabled", 1); +const evroot = addCertFromFile(certdb, "test_ev_certs/evroot.pem", "CTu,,"); +addCertFromFile(certdb, "test_ev_certs/non-evroot-ca.pem", "CTu,,"); + +const SERVER_PORT = 8888; + +function failingOCSPResponder() { + return getFailingHttpServer(SERVER_PORT, ["www.example.com"]); +} + +class EVCertVerificationResult { + constructor( + testcase, + expectedPRErrorCode, + expectedEV, + resolve, + ocspResponder + ) { + this.testcase = testcase; + this.expectedPRErrorCode = expectedPRErrorCode; + this.expectedEV = expectedEV; + this.resolve = resolve; + this.ocspResponder = ocspResponder; + } + + verifyCertFinished(prErrorCode, verifiedChain, hasEVPolicy) { + equal( + prErrorCode, + this.expectedPRErrorCode, + `${this.testcase} should have expected error code` + ); + equal( + hasEVPolicy, + this.expectedEV, + `${this.testcase} should result in expected EV status` + ); + this.ocspResponder.stop(this.resolve); + } +} + +function asyncTestEV( + cert, + expectedPRErrorCode, + expectedEV, + expectedOCSPRequestPaths, + ocspResponseTypes = undefined +) { + let now = Date.now() / 1000; + return new Promise((resolve, reject) => { + let ocspResponder = expectedOCSPRequestPaths.length + ? 
startOCSPResponder( + SERVER_PORT, + "www.example.com", + "test_ev_certs", + expectedOCSPRequestPaths, + expectedOCSPRequestPaths.slice(), + null, + ocspResponseTypes + ) + : failingOCSPResponder(); + let result = new EVCertVerificationResult( + cert.subjectName, + expectedPRErrorCode, + expectedEV, + resolve, + ocspResponder + ); + certdb.asyncVerifyCertAtTime( + cert, + certificateUsageSSLServer, + 0, + "ev-test.example.com", + now, + result + ); + }); +} + +function ensureVerifiesAsEV(testcase) { + let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`); + addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,"); + let expectedOCSPRequestPaths = [`${testcase}-ee`]; + return asyncTestEV( + cert, + PRErrorCodeSuccess, + gEVExpected, + expectedOCSPRequestPaths + ); +} + +function ensureVerifiesAsEVWithNoOCSPRequests(testcase) { + let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`); + addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,"); + return asyncTestEV(cert, PRErrorCodeSuccess, gEVExpected, []); +} + +function ensureVerifiesAsDV(testcase, expectedOCSPRequestPaths = undefined) { + let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`); + addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,"); + return asyncTestEV( + cert, + PRErrorCodeSuccess, + false, + expectedOCSPRequestPaths ? 
expectedOCSPRequestPaths : [`${testcase}-ee`] + ); +} + +function ensureVerificationFails(testcase, expectedPRErrorCode) { + let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`); + addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,"); + return asyncTestEV(cert, expectedPRErrorCode, false, []); +} + +function verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, expectSuccess) { + let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`); + addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,"); + let now = Date.now() / 1000; + let expectedErrorCode = SEC_ERROR_POLICY_VALIDATION_FAILED; + if (expectSuccess && gEVExpected) { + expectedErrorCode = PRErrorCodeSuccess; + } + return new Promise((resolve, reject) => { + let ocspResponder = failingOCSPResponder(); + let result = new EVCertVerificationResult( + cert.subjectName, + expectedErrorCode, + expectSuccess && gEVExpected, + resolve, + ocspResponder + ); + let flags = + Ci.nsIX509CertDB.FLAG_LOCAL_ONLY | Ci.nsIX509CertDB.FLAG_MUST_BE_EV; + certdb.asyncVerifyCertAtTime( + cert, + certificateUsageSSLServer, + flags, + "ev-test.example.com", + now, + result + ); + }); +} + +function ensureNoOCSPMeansNoEV(testcase) { + return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, false); +} + +function ensureVerifiesAsEVWithFLAG_LOCAL_ONLY(testcase) { + return verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, true); +} + +function verifyWithOCSPResponseType(testcase, response, expectEV) { + let cert = constructCertFromFile(`test_ev_certs/${testcase}-ee.pem`); + addCertFromFile(certdb, `test_ev_certs/${testcase}-int.pem`, ",,"); + let expectedOCSPRequestPaths = [`${testcase}-ee`]; + let ocspResponseTypes = [response]; + return asyncTestEV( + cert, + PRErrorCodeSuccess, + gEVExpected && expectEV, + expectedOCSPRequestPaths, + ocspResponseTypes + ); +} + +function ensureVerifiesAsDVWithOldEndEntityOCSPResponse(testcase) { + return verifyWithOCSPResponseType(testcase, 
"longvalidityalmostold", false); +} + +function ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse(testcase) { + return verifyWithOCSPResponseType(testcase, "ancientstillvalid", false); +} + +// These should all verify as EV. +add_task(async function plainExpectSuccessEVTests() { + await ensureVerifiesAsEV("anyPolicy-int-path"); + await ensureVerifiesAsEV("test-oid-path"); + await ensureVerifiesAsEV("cabforum-oid-path"); + await ensureVerifiesAsEV("cabforum-and-test-oid-ee-path"); + await ensureVerifiesAsEV("test-and-cabforum-oid-ee-path"); + await ensureVerifiesAsEV("reverse-order-oids-path"); + // In this case, the end-entity has both the CA/B Forum OID and the test OID + // (in that order). The intermediate has the CA/B Forum OID. Since the + // implementation tries all EV policies it encounters, this successfully + // verifies as EV. + await ensureVerifiesAsEV("cabforum-and-test-oid-ee-cabforum-oid-int-path"); + // In this case, the end-entity has both the test OID and the CA/B Forum OID + // (in that order). The intermediate has only the CA/B Forum OID. Since the + // implementation tries all EV policies it encounters, this successfully + // verifies as EV. + await ensureVerifiesAsEV("test-and-cabforum-oid-ee-cabforum-oid-int-path"); +}); + +// These fail for various reasons to verify as EV, but fallback to DV should +// succeed. +add_task(async function expectDVFallbackTests() { + await ensureVerifiesAsDV("anyPolicy-ee-path"); + await ensureVerifiesAsDV("non-ev-root-path"); + await ensureVerifiesAsDV("no-ocsp-ee-path", []); + await ensureVerifiesAsEV("no-ocsp-int-path"); + // In this case, the end-entity has the test OID and the intermediate has the + // CA/B Forum OID. Since the CA/B Forum OID is not treated the same as the + // anyPolicy OID, this will not verify as EV. 
+ await ensureVerifiesAsDV("test-oid-ee-cabforum-oid-int-path"); +}); + +// Test that removing the trust bits from an EV root causes verifications +// relying on that root to fail (and then test that adding back the trust bits +// causes the verifications to succeed again). +add_task(async function evRootTrustTests() { + clearOCSPCache(); + info("untrusting evroot"); + certdb.setCertTrust( + evroot, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.UNTRUSTED + ); + await ensureVerificationFails("test-oid-path", SEC_ERROR_UNKNOWN_ISSUER); + info("re-trusting evroot"); + certdb.setCertTrust( + evroot, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.TRUSTED_SSL + ); + await ensureVerifiesAsEV("test-oid-path"); +}); + +// Test that if FLAG_LOCAL_ONLY and FLAG_MUST_BE_EV are specified, that no OCSP +// requests are made (this also means that nothing will verify as EV). +add_task(async function localOnlyMustBeEVTests() { + clearOCSPCache(); + await ensureNoOCSPMeansNoEV("anyPolicy-ee-path"); + await ensureNoOCSPMeansNoEV("anyPolicy-int-path"); + await ensureNoOCSPMeansNoEV("non-ev-root-path"); + await ensureNoOCSPMeansNoEV("no-ocsp-ee-path"); + await ensureNoOCSPMeansNoEV("no-ocsp-int-path"); + await ensureNoOCSPMeansNoEV("test-oid-path"); +}); + +// Prime the OCSP cache and then ensure that we can validate certificates as EV +// without hitting the network. There's two cases here: one where we simply +// validate like normal and then check that the network was never accessed and +// another where we use flags to mandate that the network not be used. 
+add_task(async function ocspCachingTests() { + clearOCSPCache(); + + await ensureVerifiesAsEV("anyPolicy-int-path"); + await ensureVerifiesAsEV("test-oid-path"); + + await ensureVerifiesAsEVWithNoOCSPRequests("anyPolicy-int-path"); + await ensureVerifiesAsEVWithNoOCSPRequests("test-oid-path"); + + await ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("anyPolicy-int-path"); + await ensureVerifiesAsEVWithFLAG_LOCAL_ONLY("test-oid-path"); +}); + +// Old-but-still-valid OCSP responses are accepted for intermediates but not +// end-entity certificates (because of OCSP soft-fail this results in DV +// fallback). +add_task(async function oldOCSPResponseTests() { + clearOCSPCache(); + + clearOCSPCache(); + await ensureVerifiesAsDVWithOldEndEntityOCSPResponse("anyPolicy-int-path"); + await ensureVerifiesAsDVWithOldEndEntityOCSPResponse("test-oid-path"); + + clearOCSPCache(); + await ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse( + "anyPolicy-int-path" + ); + await ensureVerifiesAsDVWithVeryOldEndEntityOCSPResponse("test-oid-path"); +}); diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem new file mode 100644 index 0000000000..bb67341220 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem 
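Review bot: Both `asyncTestEV` and `verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV` verify at `let now = Date.now() / 1000;`, so every expectation in this file holds only while the wall clock is inside the validity window of the checked-in `test_ev_certs/*.pem` fixtures. The validity fields of the fixtures added alongside this file appear to decode to 2021-11-27 through 2024-02-05, so a run after that window would presumably report an expiry error instead of the EV/DV results asserted here. Either the fixtures need regenerating before the suite is relied on, or the verification time should be a fixed instant inside the window (with the OCSP responder's response times aligned to it, which is not visible in this hunk). Two smaller points: `ensureVerifiesAsEV("no-ocsp-int-path")` sits in `expectDVFallbackTests` under a comment saying these cases fail EV and needs its own one-line explanation, and `oldOCSPResponseTests` calls `clearOCSPCache()` twice in a row.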
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDVzCCAj+gAwIBAgIUHb9CrEDo8VwITKCJOkRAeW4iftkwDQYJKoZIhvcNAQEL +BQAwIDEeMBwGA1UEAwwVYW55UG9saWN5LWVlLXBhdGgtaW50MCIYDzIwMjExMTI3 +MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMB8xHTAbBgNVBAMMFGFueVBvbGljeS1l +ZS1wYXRoLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO +FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr +amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka +sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY +VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n +aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE +MdUDrNoYCjXtjQIDAQABo4GFMIGCME0GCCsGAQUFBwEBBEEwPzA9BggrBgEFBQcw +AYYxaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2FueVBvbGljeS1lZS1wYXRo +LWVlLzARBgNVHSAECjAIMAYGBFUdIAAwHgYDVR0RBBcwFYITZXYtdGVzdC5leGFt +cGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAt3y+8E3yCuL0S85twhU87JxsyNCL +Am+QQGqyTpH81RsL64uxvSVyswKvyA4LpJBN/w13xsIOue/55AK9CwGhyw9jSPcn +/OGRXzcqiBjeSkkCHOPXzPV5e/xWuWI9fR0XBBy/UgBsoXQzrrq5lCHR76yr2eyF +2RA5lh1qqk2fgsqq3cCqsFEiOUbWjsHjlra8yvArfqexLVowlyg5olisnORbi7eJ +/jm7w+X9eEP17yRDFnb5joeXh+UeCaxdhVp7c71oY/5lBdnesmkwr6b9CNVg9vLk +LHrp3IyQF5Wj1usyDu/BYr0lu+VRAEusNnqDiz7LZfhnUMZJJwvqC+Tcrg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec new file mode 100644 index 0000000000..a9175c32ed --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:anyPolicy-ee-path-int +subject:anyPolicy-ee-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-ee/ +extension:certificatePolicies:any +extension:subjectAlternativeName:ev-test.example.com 
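Review bot: The certspec for anyPolicy-ee-path-ee carries no `validity:` field, and the PEM checked in beside it encodes a fixed window whose base64 time fields decode to 2021-11-27 through 2024-02-05, which is earlier than this commit's date of 7 Apr 2024. If the xpcshell harness verifies against the wall clock, the EV/DV assertions in test_ev_certs.js would presumably fail on expiry rather than on the policy-OID and OCSP behaviour they are meant to exercise, so a red or skipped run would no longer say anything about EV handling. The other intermediate and end-entity fixtures in this directory show the same encoded dates; only evroot.pem.certspec pins `validity:20150101-20350101`. Either regenerate the PEMs from their certspecs before the suite is run, or add an explicit `validity:` line to each spec in the form evroot uses.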
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem new file mode 100644 index 0000000000..860453152c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRDCCAiygAwIBAgIUHUngL0WtaSVKsjGfK6Ktnv/n3acwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMCAxHjAcBgNVBAMMFWFueVBvbGljeS1lZS1wYXRoLWludDCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ +6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk +nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N +/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG +JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd +7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA +AaOBgDB+MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGME4GCCsGAQUFBwEBBEIw +QDA+BggrBgEFBQcwAYYyaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2FueVBv +bGljeS1lZS1wYXRoLWludC8wEQYDVR0gBAowCDAGBgRVHSAAMA0GCSqGSIb3DQEB +CwUAA4IBAQCSEsmhHQQkMTDD+JU3kEWCt7v0RujqGvkBuUUM5VObzheZFKTQVYZ1 +1fui+s+AlogSfCWOOHNLGMrF2HQd1imzVqSDaoeeGMqKsiJ/MR9MWKjxZE+omL4J +HsJ59n0+9U4k28/dujgno3BK65mbfKlAqBEBYFBmGmZO5Fb6U+dtDZi9mOiN2JzM +Y/l8uax0i1XmKR6TESu9f3ue5D5WFkd2uL9oexGnvpEpV/wEB1f8wViU3W1AFC52 +CYHGiwV/54PZ3cg7zH86i2Gionq4CMApP1QRvOBTheJpkM5ul3BPiGg8mDkjb5lB +dlPnrj4exf+eoqsrVFxdTX0EL7gQSRqr +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec new file mode 100644 index 0000000000..c49f6c4bcc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-ee-path-int.pem.certspec 
@@ -0,0 +1,7 @@ +issuer:evroot +subject:anyPolicy-ee-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-ee-path-int/ +extension:certificatePolicies:any diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem new file mode 100644 index 0000000000..c088a135a1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDaDCCAlCgAwIBAgIUBcyX7McNHTUw58i902kjb15KZlswDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWYW55UG9saWN5LWludC1wYXRoLWludDAiGA8yMDIxMTEy +NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAgMR4wHAYDVQQDDBVhbnlQb2xpY3kt +aW50LXBhdGgtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo +RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a +dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t +aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n +FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX +Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py +UcQx1QOs2hgKNe2NAgMBAAGjgZQwgZEwTgYIKwYBBQUHAQEEQjBAMD4GCCsGAQUF +BzABhjJodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvYW55UG9saWN5LWludC1w +YXRoLWVlLzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREE +FzAVghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAxk4+S +laaEinRp3bXkqJ3rQTdaZwX9uegjAfOfaDLMFnGiD63aGNg9mqvsdt9rgbGmuFYX +nsoeSzzWhV/Uk1VA/9El7x5eRHOMs3r5VnnW395eIYdAlGmDW81ANm4NIdiAfKZj +fr2LOkjhPbhrV9i3YtY9lDFIiZheS6V2RgeHLoHc1cj0EB46PH1HC8fP+rg4tOhd +vq5tL1p6dkHWnhduJ+oKrBuHehmnJfrXV53pz9VoOIj3F6F2F/c/EriyAPc/KOO9 +ocyNrJMoD0aFBF9ijK6uERhga/vM4dXIPUGzECQxceUuTUkn/2wEECNV2ETVmNTZ +cRcP3J32vzU1jaVQ +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec new file mode 100644 index 0000000000..1c643c2f95 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:anyPolicy-int-path-int +subject:anyPolicy-int-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-ee/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem new file mode 100644 index 0000000000..779f2dfa85 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRjCCAi6gAwIBAgIUHyEVo6adgErPC5OEcIkP33KrTjgwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMCExHzAdBgNVBAMMFmFueVBvbGljeS1pbnQtcGF0aC1pbnQwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT +2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV +JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8N +jf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCA +BiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVh +He4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMB +AAGjgYEwfzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBPBggrBgEFBQcBAQRD +MEEwPwYIKwYBBQUHMAGGM2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9hbnlQ +b2xpY3ktaW50LXBhdGgtaW50LzARBgNVHSAECjAIMAYGBFUdIAAwDQYJKoZIhvcN +AQELBQADggEBAINthPjozG2qV5mlu5XJKM+LofF58fyxH7KCNIyDErghGz3DQyR/ +5GcPpKwzfl/gnXvXvF6yWOimQOOmU4u1oDtKv0lodL0EVEAqZQmZ0pDF2wBKPquH +H7Eaji8uDhSuhnJZpwmyaCpOiMCda3qq5YgxwjyQTZ63lLXqQpEnSqgExfUISueH +7j68bvPm8Q/SLVhOVLQdNf7mDVacFZE0OmtyjlSUN2ZFBZaN8o7FTnfocNmPlyD8 +EGmdkbdggXmESN5jGnBxo9fqLnqYCJEA8uN0Xckfz3ovKlt6PfbgnEeUzJRT71pN +fqXYugdt7ppcn3sJbEOKInkw6h8to/pNlCU= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec new file mode 100644 index 0000000000..5f5adacc7f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:anyPolicy-int-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-int/ +extension:certificatePolicies:any 
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem new file mode 100644 index 0000000000..0c83086180 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDxTCCAq2gAwIBAgIUfU399SRJMbYE6q+pNnq6hlSOzt4wDQYJKoZIhvcNAQEL +BQAwPTE7MDkGA1UEAwwyY2FiZm9ydW0tYW5kLXRlc3Qtb2lkLWVlLWNhYmZvcnVt +LW9pZC1pbnQtcGF0aC1pbnQwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowPDE6MDgGA1UEAwwxY2FiZm9ydW0tYW5kLXRlc3Qtb2lkLWVlLWNhYmZv +cnVtLW9pZC1pbnQtcGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab +bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts +Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI +H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8 +rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX +Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaOBuTCBtjBqBggrBgEFBQcBAQReMFww +WgYIKwYBBQUHMAGGTmh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9jYWJmb3J1 +bS1hbmQtdGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRoLWVlLzAoBgNV +HSAEITAfMAcGBWeBDAEBMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAV +ghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQB0CMZ2fLLZ +1qUT8t9DlOq9kMses1ASgX74/g5cl8W96x31QnxgEtRAMQKZrvucke8+us2LRh1d +Oi5XAYry+g0kNOwfpXiWo+y23WoA+WHX2hYcH26fgzoyz3ULuMMyoM9DMlrwJvHv +/+v1eMiAw71JfK987KWcbP1uESaTHZ04+5aN57efGVr3ADZiicaj6fUIsDIfMKJ3 +INVgVdMWpX01zFNTsSPNImxMZ7Gtqs1lP0gv30QXwGLTPCG1gARWSYF/fCFwbpon +P7wBCAr/ADvUJl0UjcdCpU+YmwYxOW0QPGNVwRwgEAdLCnnnztq3y3bOzmGL/lQ4 +eD9G3c6ZD14D +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec new file mode 100644 index 0000000000..c72237e453 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:cabforum-and-test-oid-ee-cabforum-oid-int-path-int +subject:cabforum-and-test-oid-ee-cabforum-oid-int-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-cabforum-oid-int-path-ee/ +extension:certificatePolicies:2.23.140.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem new file mode 100644 index 0000000000..6a2a55cd98 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgDCCAmigAwIBAgIUDTr/XHbekA2O0a9J+hMLRhyOr3EwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMD0xOzA5BgNVBAMMMmNhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1j +YWJmb3J1bS1vaWQtaW50LXBhdGgtaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GfMIGcMAwGA1UdEwQFMAMB +Af8wCwYDVR0PBAQDAgEGMGsGCCsGAQUFBwEBBF8wXTBbBggrBgEFBQcwAYZPaHR0 +cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2NhYmZvcnVtLWFuZC10ZXN0LW9pZC1l +ZS1jYWJmb3J1bS1vaWQtaW50LXBhdGgtaW50LzASBgNVHSAECzAJMAcGBWeBDAEB +MA0GCSqGSIb3DQEBCwUAA4IBAQCBt+AdgkYRRMubo29YkYXETC2UKiIHcyk/PuMU +yFtR0xqsj7oe5lUf7XYHUNbJPuoF7hflSIKXx5un5zwZ5Vw3SE0qYcy6kM2PS4dK +w6SMFkrZxCMf9GHFMubDk01T/p7BmpFKGVVAKgsUZmQSn+s/K+9+v4reDJ7yBfiu +l+KjNGsa5In6l2kO799Q/QAPfBLxl0ZOYIONF4+IjJAwt6AXuilkPgPUcRkyZ3ka +p+4GUc962Ylc4rGPxSKxcs93AkFl+8aYy5lW9kkFRQKSDM3W6WRPoal8411BsXEg +LBcS5MoY024Y4gRn5H2WVUcqYbZ+SQtQ3sqnFbgtvVH0t89E +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec new file mode 100644 index 0000000000..92ebdb37fd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-cabforum-oid-int-path-int.pem.certspec 
@@ -0,0 +1,7 @@ +issuer:evroot +subject:cabforum-and-test-oid-ee-cabforum-oid-int-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-cabforum-oid-int-path-int/ +extension:certificatePolicies:2.23.140.1.1 diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem new file mode 100644 index 0000000000..c6f64b2001 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDkjCCAnqgAwIBAgIUJwEFxlIecfbIub/Yy2vC/isMYB0wDQYJKoZIhvcNAQEL +BQAwLDEqMCgGA1UEAwwhY2FiZm9ydW0tYW5kLXRlc3Qtb2lkLWVlLXBhdGgtaW50 +MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCsxKTAnBgNVBAMM +IGNhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1wYXRoLWVlMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GoMIGlMFkG +CCsGAQUFBwEBBE0wSzBJBggrBgEFBQcwAYY9aHR0cDovL3d3dy5leGFtcGxlLmNv +bTo4ODg4L2NhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1wYXRoLWVlLzAoBgNVHSAE +ITAfMAcGBWeBDAEBMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNl +di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBQdToSfEhnomqt +UFfMjK3tieFSRqQ60lF28IFX40/Yu48k8AQY8UN/frh7r4tVk59aQK44QDj9CwUo +E5DIwPwqOozGrrNYfSVaqqsyepepYp410EuT5OTjHIJ71Wus3EPf8w7oPABApidH +GjOdoMj8dUufmnsCOlXYt32g/x70OpAn1PRw7Sc7YfIQwOuGRuTIuCS2T/JKkU2Y +s+DNT98tuBlTnpByHen7QpdPdWCmMX+30e7B2bC/1IRetDOaUuT0zLMFBtL1sx2p +W/U9p4mU3z9IkDflqSuxBuuMudY7n1+ZPw9uJF2z1PqZN4qOGXiebiGfigWlU4Ac +uDd/MtOD +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec new file mode 100644 index 0000000000..36f80e017b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-ee.pem.certspec 
@@ -0,0 +1,5 @@ +issuer:cabforum-and-test-oid-ee-path-int +subject:cabforum-and-test-oid-ee-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-path-ee/ +extension:certificatePolicies:2.23.140.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem new file mode 100644 index 0000000000..8f92651d3a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIUQS8yxTmnGrb3xLk+pZAOVYuZoR0wDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMCwxKjAoBgNVBAMMIWNhYmZvcnVtLWFuZC10ZXN0LW9pZC1lZS1w +YXRoLWludDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAAaOBjTCBijAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBa +BggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAGGPmh0dHA6Ly93d3cuZXhhbXBsZS5j +b206ODg4OC9jYWJmb3J1bS1hbmQtdGVzdC1vaWQtZWUtcGF0aC1pbnQvMBEGA1Ud +IAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQsFAAOCAQEAZmY7h/FLsNdMGtjTauA7 +LY6oaWD8kZAEsn9tq59CsAQG/M/nJFrjeFQUtzaSz2vmg8u1xqinelrAoy02Ujup +Nm+/WULLoOjyb99QmkY3VaK7FkjNdbvt5AfgriRXWnbZpC+vXDHXMWViAQx0+Wm+ +9C1ssqbIClbQMhwsVldyRjVMRFMO5F/hvgGkLsUWaztEaVnMRG4eM/c9bl5HsdVM +VfSIIb7D92TmQyfPbum2ws2CDmsYL2OKgosy3eylZjwprrE4yq8ZTsRaovvB7FwG +UGV+L6FjuUVN7nR3EnQTDoXin3a0C5enc6fIfcmM5MLy+bHxpG5nHrQH9yvSwqqI +zw== +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec new file mode 100644 index 0000000000..79ae7ae801 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-and-test-oid-ee-path-int.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:cabforum-and-test-oid-ee-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/cabforum-and-test-oid-ee-path-int/ +extension:certificatePolicies:any diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem new file mode 100644 index 0000000000..fe4447dc7a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDWDCCAkCgAwIBAgIUWy0RlFqNWWWgn+O3e6YCiRHdLFkwDQYJKoZIhvcNAQEL +BQAwIDEeMBwGA1UEAwwVY2FiZm9ydW0tb2lkLXBhdGgtaW50MCIYDzIwMjExMTI3 +MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMB8xHTAbBgNVBAMMFGNhYmZvcnVtLW9p +ZC1wYXRoLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO +FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr +amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka +sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY +VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n +aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE +MdUDrNoYCjXtjQIDAQABo4GGMIGDME0GCCsGAQUFBwEBBEEwPzA9BggrBgEFBQcw +AYYxaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2NhYmZvcnVtLW9pZC1wYXRo +LWVlLzASBgNVHSAECzAJMAcGBWeBDAEBMB4GA1UdEQQXMBWCE2V2LXRlc3QuZXhh +bXBsZS5jb20wDQYJKoZIhvcNAQELBQADggEBAH+evAgGQBC6njxTFd0BuozC3Skz +UGKec1dIMmiYFj7mgzuKp9eTAeOK1WdOvevygxoWRHkHAmquWEY9mvt4dSWIqhsz +RJ2b5cKnhtkFdfnQf+depCRZbdO4A7fLNYL9HCRnnN1PQKpaFF7fFEZ1rSzSShGX +nsz4KbEvGQVxCe2HmflqJQARp4gJUGZ+psAIspmwAqA4dViNZSgg79E1neG/g+EG +Ocq03fAbwb2Ko2eLzI0GF31L2iI1p0keEHzbwsxCjJQ5pRQdra5c7vEQHgQq5eSL +9RQrtE1J9erO0Jy9MUCDoZ4+WCnl4VZXVlYLt0oUh1YCOKD3J5dm7sRJ93A= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec new file mode 100644 index 0000000000..86fd9aca39 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:cabforum-oid-path-int +subject:cabforum-oid-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/cabforum-oid-path-ee/ +extension:certificatePolicies:2.23.140.1.1 +extension:subjectAlternativeName:ev-test.example.com 
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem new file mode 100644 index 0000000000..f4bbc67785 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDRTCCAi2gAwIBAgIUJ3QtUr7ndrb3mL/xD7keEx/Qj1owDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMCAxHjAcBgNVBAMMFWNhYmZvcnVtLW9pZC1wYXRoLWludDCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ +6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk +nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N +/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG +JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd +7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA +AaOBgTB/MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGME4GCCsGAQUFBwEBBEIw +QDA+BggrBgEFBQcwAYYyaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2NhYmZv +cnVtLW9pZC1wYXRoLWludC8wEgYDVR0gBAswCTAHBgVngQwBATANBgkqhkiG9w0B +AQsFAAOCAQEAGkKvsFxMmr30hx3Z4gJ8ZKLeQ2yomqPxSgjZxir4sumwkjEguFYE +ZcaLijKzoTdOHs1G6VnjOxVYUsAXBNT2gC2h3e5TO/toub2lyst6csDB3nj1y4Ee +2JYctZAyYHg4UJZU+zAvsTpTamEjn4LMievWD5foeoPFAAB5PNTSgvibAe6oi0Mo +MTb0dwrmWkfIDyH7xjQKNlLCgi0U+KF0TtWX7boZ2QDmMl3b5DLA2/idf1Y21ix3 +EmAXKz4Ni93vL3Oy+Wnj1R5KjEQw4U3RURZ/OnmQOhg2UJloUbDjKAHdtp6lQC0W +hL8oOBBAkCgkphWeDqOkjgRY+oyVMkgMSQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec new file mode 100644 index 0000000000..343307164b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/cabforum-oid-path-int.pem.certspec 
@@ -0,0 +1,7 @@ +issuer:evroot +subject:cabforum-oid-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/cabforum-oid-path-int/ +extension:certificatePolicies:2.23.140.1.1 diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.key b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key new file mode 100644 index 0000000000..1d88a930d5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh ++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU +dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H +cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y +1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t +oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ +5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB +0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+ ++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE +vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9 +HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE +MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V +vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV +7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH +lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V +jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv +nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui +p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ +zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v +4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA +hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C +pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV +bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3 +mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j +LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf +UVFRDKpassHG6z7+kpXRbowlyRY= +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec new file mode 100644 index 0000000000..1a3d76a550 --- /dev/null 
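Review bot: evroot.key adds an unencrypted PKCS#8 private key to the tree, and evroot.pem.certspec later in this patch ties it (both use key name `ev`) to a self-signed root with `basicConstraints:cA`, `keyCertSign` and `validity:20150101-20350101`. Since the key is public, any build or profile that trusts this root outside the test run would accept certificates that anyone can issue; the guard that confines that trust is not visible in this diff and should be confirmed. I would record the intent next to the fixture, for example a directory README line such as `evroot.key is a published test-only key (keyspec "ev"); never add evroot to a trust store outside xpcshell tests`. Secret scanning should allowlist this file by path rather than by key pattern, so that a real key committed elsewhere is still reported.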
+++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec @@ -0,0 +1 @@ +ev diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem new file mode 100644 index 0000000000..13c3031905 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx +MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/ +EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN +RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s +33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd +Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX ++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw +AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+ +5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo +UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf +cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY +Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH +z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH +HmbOwao= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec new file mode 100644 index 0000000000..3121f3486e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:evroot +subjectKey:ev +issuerKey:ev +validity:20150101-20350101 +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign 
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem new file mode 100644 index 0000000000..af5ffef782 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDEDCCAfigAwIBAgIUV4EyKmZfq4MEI8NLfzjTZovpx3owDQYJKoZIhvcNAQEL +BQAwHjEcMBoGA1UEAwwTbm8tb2NzcC1lZS1wYXRoLWludDAiGA8yMDIxMTEyNzAw +MDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAdMRswGQYDVQQDDBJuby1vY3NwLWVlLXBh +dGgtZWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAGjQzBBMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqFGgGDdAkB +MB4GA1UdEQQXMBWCE2V2LXRlc3QuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQAD +ggEBACqYubzmmeSUHH2ONuYa1B13hyuMCgDvyQKOxI1m/NewbtEZ80UDWmQMolFP +m2l8lbmlSuNWi25RQxONcXSspCQgIwRzfi4OBql81nZkjyGWWprLUTBrCfyYE3gi +P2acboz9ObJoXDzYl63MnyAiD/VQifM/iYuiiel/tJRCV5I72a2wQKlZniulgyWQ +HuWQk9v7lKUX+msgEo9ZW8ndb/hgq+QnEzB3kPmkWgEmLJdK2k05UIjYNBRbgntj +qGSUgCtdga8gfEeaD/00DweQ8MFwhQkXol2kQVY3j0rddi5T0BI9Fu8BuPaPXU4w +nr0GvC4bu/ATRI5EuKOJRt4WSv4= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec new file mode 100644 index 0000000000..ece1cf816f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-ee.pem.certspec @@ -0,0 +1,4 @@ +issuer:no-ocsp-ee-path-int +subject:no-ocsp-ee-path-ee +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:ev-test.example.com 
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem new file mode 100644 index 0000000000..09cfda1739 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPzCCAiegAwIBAgIUcXOmLIKcwe+H0AekAT8yEbaqdJUwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMB4xHDAaBgNVBAMME25vLW9jc3AtZWUtcGF0aC1pbnQwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk +NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC +fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m +CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM +HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m +1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj +fjB8MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMEwGCCsGAQUFBwEBBEAwPjA8 +BggrBgEFBQcwAYYwaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L25vLW9jc3At +ZWUtcGF0aC1pbnQvMBEGA1UdIAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQsFAAOC +AQEAS/QkZA0m4gZRyp7eyeXeHaR0toxH9RaypHw5FkG/vHQ4EIjO6eXRcC/bPuCX +N4cMfYmkCpU3Dy5uSZLetYYmu05X+rCwXQu6TZO3D4medEiVslbD3cQH7LmxCLxT +wBf2foLLFAJ+wFmVmzZk26+G71vbJ5RvzL5djHPZhm6XFQcg8D2oHMfp5mIWEkCk +VtB3/AIhxh8CIuhs1+lCsOc7XoOAZ04EVPP9kkc8o9K0rPaTzupmfHRTVuWyAQrC +MPSYnQITQAQAN9Qg/BGgIW1qudgFJpMmjb6AS+7Ts9f7225z+SzLBkNMQggApW14 +ZIUonu/c9e/2+3baPEiVfzcfzA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec new file mode 100644 index 0000000000..5eb952a9a7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-ee-path-int.pem.certspec 
@@ -0,0 +1,7 @@ +issuer:evroot +subject:no-ocsp-ee-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-ee-path-int/ +extension:certificatePolicies:any diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem new file mode 100644 index 0000000000..fd01063ac3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYjCCAkqgAwIBAgIUGwe4TG7p4Bv83RKwPf6KcStdBLAwDQYJKoZIhvcNAQEL +BQAwHzEdMBsGA1UEAwwUbm8tb2NzcC1pbnQtcGF0aC1pbnQwIhgPMjAyMTExMjcw +MDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowHjEcMBoGA1UEAwwTbm8tb2NzcC1pbnQt +cGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAAaOBkjCBjzBMBggrBgEFBQcBAQRAMD4wPAYIKwYBBQUHMAGG +MGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9uby1vY3NwLWludC1wYXRoLWVl +LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNl +di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCr21rqLU8BEBZN +oYZ/Mltq+7EXM7NKhRSBvwozcwVvBHgXO90bxogeLsXCyhW8b/zH908M1ne/0Ir2 +MuKUZy82wzLr9VSmN/3tAR4CsIftCR3gbPRgITkkvU/3sZkvZVJLaZkL9cQ7WVdL +0fwNQR7FQx8/S20/KNa/Ud63l0QnIR2uys6KpS93iT4W2DOiC2vrHS1xja0OAw9+ +BBfnLp99KRVOXi9LHXcWyLWJU7/zW7rbJX1S/mONZbQtq8qwpzb/q0mUSxBX1p4U +l6SY/m7Pl5Ef4RgwsMdu0zRmmmb6kQmboE/qBX75IgIZjOK5FnrJCZcR6EyV60uu +jMeIG7hs +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec new file mode 100644 index 0000000000..623057e9e9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:no-ocsp-int-path-int +subject:no-ocsp-int-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/no-ocsp-int-path-ee/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem new file mode 100644 index 0000000000..ff07be395f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8jCCAdqgAwIBAgIUTZjDIERCE7WIkgtKaDPqLLkqk9IwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMB8xHTAbBgNVBAMMFG5vLW9jc3AtaW50LXBhdGgtaW50MIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq +5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc +An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39 +ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk +zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u +JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB +ozAwLjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjARBgNVHSAECjAIMAYGBFUd +IAAwDQYJKoZIhvcNAQELBQADggEBAAKFwKsNxeiFmmVyq3YsF2tS11eJJ0/n/KzC +G4t39HZWfWw8u2osQpHn1O2+L0YhRBNpYX85GgVKSPYzjsptfTmIcAyAWdlJsK5r +Np9LHrsx65A7cFkKxD6V7FbG1YwL+VbD7qkEZBy3SqFe6m7hQ3om0LgWpaNu756x +TJeZdqNoSwvtbPdH/GYId1dTj8KdTDncer6eBfefcq0yCoNA1zphgdBMRVBPjXj8 +MFJEd+PTkyDzuTvBG5nB0ChZQ+ca3z8w38rI0KZTeWKH8mW3IU4dSj4q+8ZGymv6 +O1BYsVGr7Z4M//zJ70x9c5+jgDyam7LtxRpsd61R2/sVfqzJVTg= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec new file mode 100644 index 0000000000..548241de3a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-int-path-int.pem.certspec @@ -0,0 +1,6 @@ +issuer:evroot +subject:no-ocsp-int-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:certificatePolicies:any diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem new file mode 100644 index 0000000000..150eb3dfa1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYjCCAkqgAwIBAgIUVY/VRh2hxRcuAlpF5eXruz6Rbi4wDQYJKoZIhvcNAQEL +BQAwHzEdMBsGA1UEAwwUbm9uLWV2LXJvb3QtcGF0aC1pbnQwIhgPMjAyMTExMjcw +MDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowHjEcMBoGA1UEAwwTbm9uLWV2LXJvb3Qt +cGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAAaOBkjCBjzBMBggrBgEFBQcBAQRAMD4wPAYIKwYBBQUHMAGG +MGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9ub24tZXYtcm9vdC1wYXRoLWVl +LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNl +di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBXgdfedO5sSJJE +n1BMPeTQIZvhXADPJuQfw589m0J3KZIyQrZvpKJpnx70FcfnTx2ef1QFGrRPT0be +ikVjzahGsKl2YZxJTHsfsYIBtXb3gxJhWMOWjp/o61yJoMOxuv3+sD1FeK15F73R +LIwZ8FJw+kPVQr6nHKg/KxZ2x6z9AUzxr0vrbEXbClopnIoXVYT2YsnBLASlPKjk +iHxuR4AR31ue9T38Y2p8eTKAyxssqE5DUYeRlS6RxHQKf3zNPIDlYoU6K+CpXp/R +aGjUAsUGyFqEXSrqoiYrMthUmkESpgY8pj8gaFwwElIgrhL+TEJDLYVQtRcZf+9/ +NF21J9M2 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec new file mode 100644 index 0000000000..9895732b15 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:non-ev-root-path-int +subject:non-ev-root-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-ee/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:ev-test.example.com 
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem new file mode 100644 index 0000000000..fabab40b3d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSDCCAjCgAwIBAgIUL2l0QIXF1lhAxtAsa96UcJ2xVv0wDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNbm9uLWV2cm9vdC1jYTAiGA8yMDIxMTEyNzAwMDAwMFoY +DzIwMjQwMjA1MDAwMDAwWjAfMR0wGwYDVQQDDBRub24tZXYtcm9vdC1wYXRoLWlu +dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG +NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn +RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu +p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ +Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p +47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1 +7Y0CAwEAAaN/MH0wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwTQYIKwYBBQUH +AQEEQTA/MD0GCCsGAQUFBzABhjFodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgv +bm9uLWV2LXJvb3QtcGF0aC1pbnQvMBEGA1UdIAQKMAgwBgYEVR0gADANBgkqhkiG +9w0BAQsFAAOCAQEAVcD0UEY9IIAhyuk9cnSrU9rf28agFR7Gs3YOQUqqGePrNf1w +ZwiFB3cHGaroBlFYsV9PHRM/o6kGKXiw+c5uo0vTQMAb8+/YcXUYL2eYBZMCIUDx +Z9yzPUZenK9WBaZCcWFBcoZsWSMb/CV0AasRpM8VMxQ+i0IejzF/Jk1FrfT1+jSO +H0EoUETMNx8ULbiUh3OWvTbTG5emiBIKA5YdhCQXwaqsB3tqwAz/fu8aYjf3zP3C +h8PjV5pe+hMk0vkkAekzdiJQJYodPEn0VZz4wiQn9KOtFFGO0PJ9JDxBQLCDLFza +07HSkmRfF7+Z3Nf9zEiYkuZZiRXWhE637X+rpw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec new file mode 100644 index 0000000000..5ce035ae1e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root-path-int.pem.certspec 
@@ -0,0 +1,6 @@ +issuer:non-evroot-ca +subject:non-ev-root-path-int +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/non-ev-root-path-int/ +extension:certificatePolicies:any diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem new file mode 100644 index 0000000000..345485e228 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3zCCAcegAwIBAgIUBfqrswEJGDjE9nm6ejtjD0kklVwwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNbm9uLWV2cm9vdC1jYTAiGA8yMDIxMTEyNzAwMDAwMFoY +DzIwMjQwMjA1MDAwMDAwWjAYMRYwFAYDVQQDDA1ub24tZXZyb290LWNhMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq +5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc +An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39 +ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk +zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u +JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB +ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC +AQEAgp5QqEQH2DbmS5o6AFElwUJqETVSj82Mh4x8MmMWX5kx/f2oRMYGd3fuqirQ +fgZFyp6z1O0Ei+sosKj6B5tsZKcEEIKBiOGJeFPv0XAVeny0GSN/UsCNpJdPI8bA +WzuwDFCL62a7Rh7rbViNyzEWw8PUwsNjziRUx6TcgbvFahkW25vJJr4mmOiE26zw +5kqI4AAqVHpzy89p11dsKld30Y122TdLuXVwvuE2Al1w3tW9HK8oeoQPueHpMQcz +i1SUAZdSSQ0MyOVWVWz6uGEWU+7iSYCQrwLR9eIfpOku8Pb6C6olsYYm0D6vG/a7 +1O2Tm7VL2prtY5lv503AKF7QHA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem.certspec new file mode 100644 index 0000000000..7b61447a80 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.pem.certspec 
@@ -0,0 +1,4 @@ +issuer:non-evroot-ca +subject:non-evroot-ca +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem new file mode 100644 index 0000000000..9c18903539 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgDCCAmigAwIBAgIUY65iIQOPqad0zzesK3FOt5aVmeIwDQYJKoZIhvcNAQEL +BQAwJjEkMCIGA1UEAwwbcmV2ZXJzZS1vcmRlci1vaWRzLXBhdGgtaW50MCIYDzIw +MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCUxIzAhBgNVBAMMGnJldmVy +c2Utb3JkZXItb2lkcy1wYXRoLWVlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc +BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC +a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg +uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK +9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP +mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GiMIGfMFMGCCsGAQUFBwEBBEcw +RTBDBggrBgEFBQcwAYY3aHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L3JldmVy +c2Utb3JkZXItb2lkcy1wYXRoLWVlLzAoBgNVHSAEITAfMAcGBWeBDAEBMBQGEisG +AQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNldi10ZXN0LmV4YW1wbGUuY29t +MA0GCSqGSIb3DQEBCwUAA4IBAQC1RiorsYhREaYYkyTYNifb2XLtf5R2diikyO9E +P+ZObrMhOtiQuGymn/HmhX37bv+lcginsTP+7UhUyAtRrWYFZ/+KFiwogA0X0gVD +w6XbfCeExMc1PhyaCMTafIxbNjg0E4oaZZMZ8uM8ekxCXJoNVe7hms7AIjofQZkI +0UTcr35l/8QPwKHdMWarQNNGk/hLfrlKEl+aYCySi1VXmJDFfkw2Ttd75pEaDjCP +Lmx+8EUKqgLvwWJZ23b9+NbjYBwoS5E25qmd4v+nTykL0J6qYoIIiw3SzppsBE48 +Upeg19FmitAsp19J43mVB9/qvwvrreKs3Sjh2eDp64xmmbDm +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec new file mode 100644 index 0000000000..31e3e69e53 
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:reverse-order-oids-path-int
+subject:reverse-order-oids-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/reverse-order-oids-path-ee/
+extension:certificatePolicies:2.23.140.1.1,1.3.6.1.4.1.13769.666.666.666.1.500.9.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem
new file mode 100644
index 0000000000..7b1255309b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDaDCCAlCgAwIBAgIUMWXAuy7fu9hNxa2wdzYNdAbnEfIwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMCYxJDAiBgNVBAMMG3JldmVyc2Utb3JkZXItb2lkcy1wYXRoLWlu +dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG +NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn +RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu +p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ +Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p +47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1 +7Y0CAwEAAaOBnjCBmzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBUBggrBgEF +BQcBAQRIMEYwRAYIKwYBBQUHMAGGOGh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4 +OC9yZXZlcnNlLW9yZGVyLW9pZHMtcGF0aC1pbnQvMCgGA1UdIAQhMB8wFAYSKwYB +BAHrSYUahRqFGgGDdAkBMAcGBWeBDAEBMA0GCSqGSIb3DQEBCwUAA4IBAQAAgTzv +rOKCCIsum1ejoJeKdCLVhOoYdkLwMvQPx9GrDrkOK0xBT/hS7CPgKoeni0GTFk8A +VIKO9p90STMWeAAvkvVoPbMMCjgirXf6H6BXnWBzROu5KQMEmCnozrGj7KlaNcFj +r8IjxvhKsAHzbIBnPorH2/ksXmai+34XOTDdSzXIDQvfPu8wZHU49xgwFArNfsh+ +m7cwPdqnk3zeBlQ5aMWZyRJG86LeTO2fTvMsyHxlL/p5SYb1JPWyK03qUwKpfKvX +rRqNqmUapWvsVBdAU60yLPipNO/mw6I10HJ1v3ZU7fdYeoOV/gDl7RPquPnV73Ff +tt+m1SpB9l5StlS9 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec new file mode 100644 index 0000000000..a2b523073e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/reverse-order-oids-path-int.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:reverse-order-oids-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/reverse-order-oids-path-int/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,2.23.140.1.1 
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem new file mode 100644 index 0000000000..5439295f29 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDxTCCAq2gAwIBAgIUFUZzpOeJ6SMwLH4GMYnNKJQ6J5YwDQYJKoZIhvcNAQEL +BQAwPTE7MDkGA1UEAwwydGVzdC1hbmQtY2FiZm9ydW0tb2lkLWVlLWNhYmZvcnVt +LW9pZC1pbnQtcGF0aC1pbnQwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowPDE6MDgGA1UEAwwxdGVzdC1hbmQtY2FiZm9ydW0tb2lkLWVlLWNhYmZv +cnVtLW9pZC1pbnQtcGF0aC1lZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab +bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts +Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI +H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8 +rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX +Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaOBuTCBtjBqBggrBgEFBQcBAQReMFww +WgYIKwYBBQUHMAGGTmh0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC90ZXN0LWFu +ZC1jYWJmb3J1bS1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRoLWVlLzAoBgNV +HSAEITAfMBQGEisGAQQB60mFGoUahRoBg3QJATAHBgVngQwBATAeBgNVHREEFzAV +ghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQB2gvv3BrZ0 +3wqNT7VwXUzgtvQ9gRC2l9PpKFGAPjZlN0QlOKh7q2A/efTeVr9IIEOJrvjMdepB +0qFRuGMw8Zw+veIEv4Gy5YfHYkeNPnYXm/NkvXiWECmCkOUyxZzrqqlEWdzjkcvI +bUVyspWmS5RjcNCJY+kFOclPRM8xqZbuyZs5gC3Qabo71cYLDW/7QobcOvmMN+P6 +1tBd5GPH4QJnJiJrSWmAotB44vdWM1guAftJhl0zf0wgr0Rxq/eUNBCm7Lc4Qv4R +neh/1uUBXjeh8py7HCTUK5nJb8eAcg/gD6d4+HYEOik8BpLB/gDqCLyGzuy409VO +qyX4hAhGVP8e +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec
new file mode 100644
index 0000000000..edac2fc1ad
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee.pem.certspec
@@ -0,0 +1,5 @@
+issuer:test-and-cabforum-oid-ee-cabforum-oid-int-path-int
+subject:test-and-cabforum-oid-ee-cabforum-oid-int-path-ee
+extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-cabforum-oid-int-path-ee/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,2.23.140.1.1
+extension:subjectAlternativeName:ev-test.example.com
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem
new file mode 100644
index 0000000000..7fb0c8a643
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgDCCAmigAwIBAgIUI59mCZyqqA1n9QHKquSu1nhheGUwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMD0xOzA5BgNVBAMMMnRlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1j +YWJmb3J1bS1vaWQtaW50LXBhdGgtaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GfMIGcMAwGA1UdEwQFMAMB +Af8wCwYDVR0PBAQDAgEGMGsGCCsGAQUFBwEBBF8wXTBbBggrBgEFBQcwAYZPaHR0 +cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L3Rlc3QtYW5kLWNhYmZvcnVtLW9pZC1l +ZS1jYWJmb3J1bS1vaWQtaW50LXBhdGgtaW50LzASBgNVHSAECzAJMAcGBWeBDAEB +MA0GCSqGSIb3DQEBCwUAA4IBAQAzuiRK8DbNihTSeXbgCz8rEAVK864Fyl+nyPoo +eMvIp/Xwb2lKakji3IRX2xqJuQR6sdckn8RyzVvvMzZHGXto+DbMnNPh0ACmNE2x +8rg+OBnNun8da0oP6gIlnl2q2eRP6XbQtQ7w2DSbbHJ7QvNyi77EjgMVOU2ZiE0M +yeWHvL+OqwqgB6ZsLRWjQeKu/iTKHh5EGG9yPQl+2TYOlTGAlBjpKDyptwA17CW3 ++tnXODlgGDBo3hLyFNStKG2JxtpJTwDn4k7IVJ6pJjFmpCNMXpcc9McI6xl6bBy8 +nXKJaRSM4wlJs8sPe4BMnCaSsUayoLEvzwnEu7vW71cOjmzA +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec new file mode 100644 index 0000000000..68dfd00573 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-cabforum-oid-int-path-int.pem.certspec 
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:test-and-cabforum-oid-ee-cabforum-oid-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-cabforum-oid-int-path-int/
+extension:certificatePolicies:2.23.140.1.1
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem
new file mode 100644
index 0000000000..087d1f05e4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDkjCCAnqgAwIBAgIUYT7HpFGQFkg/E790SoVkCNUtYn8wDQYJKoZIhvcNAQEL +BQAwLDEqMCgGA1UEAwwhdGVzdC1hbmQtY2FiZm9ydW0tb2lkLWVlLXBhdGgtaW50 +MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCsxKTAnBgNVBAMM +IHRlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1wYXRoLWVlMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GoMIGlMFkG +CCsGAQUFBwEBBE0wSzBJBggrBgEFBQcwAYY9aHR0cDovL3d3dy5leGFtcGxlLmNv +bTo4ODg4L3Rlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1wYXRoLWVlLzAoBgNVHSAE +ITAfMBQGEisGAQQB60mFGoUahRoBg3QJATAHBgVngQwBATAeBgNVHREEFzAVghNl +di10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBDRKyEcWf9alVl +a/qcpHwuJ1+5WGxFv88ZPo6CTav77YrxUdOxTt8abQh2AMMZcJ/Nucerm7eiESPK +2KO/fgayLkDqsJ0BBz+lpz6WmWk4puvQYNW5C3+FLvpgCI79kksva3h2WcOwRPrN +YmiITKnZsgzFxrU6EkRjgO/OQBlU/azBS3kHhWYPEmnDGtr3rjr51wBAXUwMFxcM +fxmopVMe/rERRoStxGvXAFNLfCBGFrcLSiMPB//BN/3Nk24iHrTvjzofF70oeOV3 +kcbYlCvpTF+bg9SzLvpOHqwxCiC9IrOA4D3jQmFv8Udo9QCaGC56IJTua+rhoWqm +e9viX7js +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec new file mode 100644 index 0000000000..affbd87458 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-ee.pem.certspec 
@@ -0,0 +1,5 @@ +issuer:test-and-cabforum-oid-ee-path-int +subject:test-and-cabforum-oid-ee-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-path-ee/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1,2.23.140.1.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem new file mode 100644 index 0000000000..cc2f45d3ce --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIUb2D4HeEORbizbOLDdYEKZeydFOcwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMCwxKjAoBgNVBAMMIXRlc3QtYW5kLWNhYmZvcnVtLW9pZC1lZS1w +YXRoLWludDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAAaOBjTCBijAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBa +BggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAGGPmh0dHA6Ly93d3cuZXhhbXBsZS5j +b206ODg4OC90ZXN0LWFuZC1jYWJmb3J1bS1vaWQtZWUtcGF0aC1pbnQvMBEGA1Ud +IAQKMAgwBgYEVR0gADANBgkqhkiG9w0BAQsFAAOCAQEAnxGTQXg6kASA3iTx6F// +1NJjcf+xLthZA4Nr6Hr36gmgMwIPi1TQd40omtwIs+BcTXRUJsXkvW/NfRB2GIV2 +Zz1+2ViUMp95O98fVnIC1rJOvVha2t6Ct6jUGx9pznghH/5WR8yaK3GUCYjKO9Cn +t67wF8ff6/GTXxenyCHp8iAffUJOhiXinDEYZ7DF0ylzYCrFr9hUlNicNMCIOLLe +jeb+aD55bn8lvwgnErNIweOG+DKn3yWjjfnvVLn/PATg1xGRLe86MZgA5VzYU61q +rEx0y6dlaxpfISarNfuicLrznf67bNXCpU17tyeITzxBCIfokDdeW1VxwWVVlS5K +Aw== +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec
new file mode 100644
index 0000000000..11630b4b4f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-and-cabforum-oid-ee-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:test-and-cabforum-oid-ee-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/test-and-cabforum-oid-ee-path-int/
+extension:certificatePolicies:any
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem
new file mode 100644
index 0000000000..a49017dd4a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDlTCCAn2gAwIBAgIUBz5FscfzmfpyDXtVsfMuu/CYTkcwDQYJKoZIhvcNAQEL +BQAwMDEuMCwGA1UEAwwldGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRo +LWludDAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAvMS0wKwYD +VQQDDCR0ZXN0LW9pZC1lZS1jYWJmb3J1bS1vaWQtaW50LXBhdGgtZWUwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk +NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC +fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m +CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM +HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m +1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj +gaMwgaAwXQYIKwYBBQUHAQEEUTBPME0GCCsGAQUFBzABhkFodHRwOi8vd3d3LmV4 +YW1wbGUuY29tOjg4ODgvdGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRo +LWVlLzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAV +ghNldi10ZXN0LmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAH14OR4H62 +ENgeo7uXk6xgY01XulxL2jT4a/RY2Dsja43yjevGACMSO3X07y0MbjmPUtCS8vyo +x9zr8deVnh+4fllU1Q7IZFDraje0qnOueNOtFeYYM6GRt/6fMMikE5VrcOtUkjo8 +b4IRru3eWt56JdUr/sytkDEUGSZiP2ipNXDNhvHKO6KEDuJETwPmOMSS0QkxnisV +o1s9/tkrQV5ZNoZ3lgrK8hPIV4oHuJJnFyMtkcvLiRoN+uGVVVZL3jwTE17PlG2N +/pVVC4vZmZPNCIZyzXjfqifzg2vWPTAFdBqy0L+3nUDrGvXswrnKVpi8MbCzFJM9 +ZoOHfu2/Ncex +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec new file mode 100644 index 0000000000..bd0f955ada --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-ee.pem.certspec 
@@ -0,0 +1,5 @@ +issuer:test-oid-ee-cabforum-oid-int-path-int +subject:test-oid-ee-cabforum-oid-int-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/test-oid-ee-cabforum-oid-int-path-ee/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:ev-test.example.com diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem new file mode 100644 index 0000000000..70c6974db9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZjCCAk6gAwIBAgIUMcttbpnyWBC8D4SQ5L52xqdAchgwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMDAxLjAsBgNVBAMMJXRlc3Qtb2lkLWVlLWNhYmZvcnVtLW9pZC1p +bnQtcGF0aC1pbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo +RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a +dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t +aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n +FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX +Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py +UcQx1QOs2hgKNe2NAgMBAAGjgZIwgY8wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMC +AQYwXgYIKwYBBQUHAQEEUjBQME4GCCsGAQUFBzABhkJodHRwOi8vd3d3LmV4YW1w +bGUuY29tOjg4ODgvdGVzdC1vaWQtZWUtY2FiZm9ydW0tb2lkLWludC1wYXRoLWlu +dC8wEgYDVR0gBAswCTAHBgVngQwBATANBgkqhkiG9w0BAQsFAAOCAQEAkWY3TNtZ +uIZDgcBslHPsaNJ9CLy88Uv6WK4+0r07WeTK4m716cHARRzaWfG/saYZErCD3wPy +PXsDvzHH5TB7NYcDO9wGFvHyqr8nM6Y0g675LJZO/MIv/F+6cXnidGFpGQYAyN27 +oYlsg5UxHVf85unSWdYOekEk3Vb3j7yOyDyJlfPUjekCrFb2IXwGCXV8vwySnH08 +sOozuXxRL+IMOqhgXwSygP+uKIOpDTCm+ab9LCQ9rXrS/nSeP5dqsCTwSh08YUYW +R/7drxxbAIP4hkdfypW+qNSFhVUagRqyNPOlyclnXiT/ECPbvZTJO2aVUnq/2wgf +AACvPx4gGI/gPQ== +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec
new file mode 100644
index 0000000000..37d4d133a1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-ee-cabforum-oid-int-path-int.pem.certspec
@@ -0,0 +1,7 @@
+issuer:evroot
+subject:test-oid-ee-cabforum-oid-int-path-int
+issuerKey:ev
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/test-oid-ee-cabforum-oid-int-path-int/
+extension:certificatePolicies:2.23.140.1.1
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem
new file mode 100644
index 0000000000..b28d658f34
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDWTCCAkGgAwIBAgIUP0QPDJYHS8iqIxQh16sMCzUo2J4wDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRdGVzdC1vaWQtcGF0aC1pbnQwIhgPMjAyMTExMjcwMDAw +MDBaGA8yMDI0MDIwNTAwMDAwMFowGzEZMBcGA1UEAwwQdGVzdC1vaWQtcGF0aC1l +ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG +NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn +RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu +p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ +Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p +47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1 +7Y0CAwEAAaOBjzCBjDBJBggrBgEFBQcBAQQ9MDswOQYIKwYBBQUHMAGGLWh0dHA6 +Ly93d3cuZXhhbXBsZS5jb206ODg4OC90ZXN0LW9pZC1wYXRoLWVlLzAfBgNVHSAE +GDAWMBQGEisGAQQB60mFGoUahRoBg3QJATAeBgNVHREEFzAVghNldi10ZXN0LmV4 +YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAulta+AvmR58Lr0CzIcRHSFkx6 +OAXxS7qxSy2DhfMucxyjIGFiL5GTFZ+PjZjpm7kBavXAq3s42/6gYaoUsTWy+exE +G2wSV22L2iU0zTPJExtcOciLaWpX90yqUZN9ThB0WCosLGg9GiLfZLjlmX+IL0bC +bGmOMmxpk9wCEdQbQGkSkkucZaPONST/n3W4g0eYzlCiC5bY45HnEbYPVxGKDd1P +xTcJqEsbxffNflSAMyY4c5+KEY9DFpdXeKJvfAddoT61bBbrUHvi6g4xo+fBDfgP +Zz9VeBvUMILYrbpFyFBmQL2rd8pCFnUcC7M6+HrSHdrXwAZWKiNmATFexWS4 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec new file mode 100644 index 0000000000..a9d62c65e9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:test-oid-path-int +subject:test-oid-path-ee +extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-ee/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 +extension:subjectAlternativeName:ev-test.example.com 
diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem new file mode 100644 index 0000000000..ad2bd1d509 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSzCCAjOgAwIBAgIUQ9qTdUCkE4CVzUr1Rvfr0N+HsVkwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMBwxGjAYBgNVBAMMEXRlc3Qtb2lkLXBhdGgtaW50MIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK +tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N +Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr +sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs +l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl +nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GL +MIGIMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMEoGCCsGAQUFBwEBBD4wPDA6 +BggrBgEFBQcwAYYuaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L3Rlc3Qtb2lk +LXBhdGgtaW50LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoBg3QJATANBgkq +hkiG9w0BAQsFAAOCAQEAGmKNKoN7WoJUTqRBPdDm/acbFxtmXXSwl9SdxQ8+yW9w +ukE9nqMii5V7viy+nimZ96ggcvbGsjZmyL9yMbG7nDyDbMI8z7p+5IaHY4pjPmu/ +JhWaMLneZDIQNADn8JOtBpwkGPRlKzDPBwjMBerfDXBxoj384iZZNsBCB0BLQgdx +oQL+yrHXCq882e1KFkl+j0JJhvqiNHE3A6WPPcz/iaHm8kKRfjYNIWWapXLlEyv1 +06QQew0gPEmUUZu3nK76gvmxGqJOg4MV9ahCOW4R5ScHCyBH7QNZzlRRwmobfmH/ +gVfq9IkiIV2PXiic+YiXUlERvXElRzLamt/zWaHk6w== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec new file mode 100644 index 0000000000..53534eb526 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-int.pem.certspec 
@@ -0,0 +1,7 @@ +issuer:evroot +subject:test-oid-path-int +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-int/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key new file mode 100644 index 0000000000..a926a54efb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM +1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48 +9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA +-----END EC PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec new file mode 100644 index 0000000000..03c3ce198f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.key.keyspec @@ -0,0 +1 @@ +secp256r1 diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem new file mode 100644 index 0000000000..a5c0e04b0a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem 
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICMjCCARqgAwIBAgIUQQv+1NaQ2YW3zROTKhMXi0+z4+kwDQYJKoZIhvcNAQEL +BQAwJTEjMCEGA1UEAwwaZmF1bHR5LXNlcnZlci1pbnRlcm1lZGlhdGUwIhgPMjAy +MTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowFTETMBEGA1UEAwwKZGVmYXVs +dC1lZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5saYKWayHBOLs +BQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGTkNeZG3stB6ME6qBKpsCj +MTAvMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBgGA1UdEQQRMA+CDSouZXhhbXBsZS5j +b20wDQYJKoZIhvcNAQELBQADggEBAIa1n0PRvEO1vobr+MUhrdC2pkjrf3BkPofv +UMX0GArZsYtkZTnB073ZuzRMaR1RNnEbCerDC8ibxVQzPqc3+HjCGhxUH8Mv6QMl +K/F9FixiEHSiWOocGpSqNIbUtLFTVJOf7GC7GvT5a3rvAzMwtujetHKw+3QzgpZT +Ja77qqxE1VJDdjnaXGgUc1hUfiNGPy1bh4/Eed/nLIbeDYDP9TfvvkhNTc3mb/vG +LIxhaAXuQmxm3vHJl7ewXSzL+3g8Slr+LycODwv07SCz5ZYkY42ahqDlELKlkcwM +O867QbO8leAZV2B/6ugEZJV02Sho1fNJkE/zYr/yBpZkTHqB3Uc= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec new file mode 100644 index 0000000000..5d471da110 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/default-ee.pem.certspec @@ -0,0 +1,5 @@ +issuer:faulty-server-intermediate +subjectKey:secp256r1 +subject:default-ee +extension:extKeyUsage:serverAuth +extension:subjectAlternativeName:*.example.com diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem new file mode 100644 index 0000000000..c896de631d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem 
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICFjCB/6ADAgECAhQJA7Qytg0FIuJ3Y9mQfFhL/MXBgzANBgkqhkiG9w0BAQsF +ADAlMSMwIQYDVQQDDBpmYXVsdHktc2VydmVyLWludGVybWVkaWF0ZTAiGA8yMDIx +MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAUMRIwEAYDVQQDDAluby1zYW4t +ZWUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARPv7u7YeD4+bGmClmshwTi7AUL +Qj489y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbAoxcw +FTATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEACQkHi4sl +CReY+YWeZ7YCkzCt0UYHAlrd4F86n4GEJzXrjdrorzV3R4o1tNQtbDBJVIH3OzuM +9xH2L7brtnVFP/INP4imkOFwvJiibt24hYssKTVS7vOh6VoIKF2QqLPh2mEO3u5g +0w7D1xIIqMFATeZ/ovTEJzAhM4rt4cp0sMYJ8Zx8etuK5xDdMxkVuWp+HHNcEaSd +674tpLwD2Peeoa/n90Dp8q3fxgbZ85jLetXz2Hi0WQE/nTKF3Cr1Fk+ECgCGbEL+ +DS2jbVYuR/P6EdBssZYtaCfW/Lajt9z+5+njqBGqCgfBeBN9m543xdUbvwdxFIGh +fezZ/D6tdaeSEQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec new file mode 100644 index 0000000000..68eb6b0202 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.certspec @@ -0,0 +1,4 @@ +issuer:faulty-server-intermediate +subjectKey:secp256r1 +subject:no-san-ee +extension:extKeyUsage:serverAuth diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key new file mode 100644 index 0000000000..a926a54efb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgIZFAPVcQvxWiZYGM +1C7W/t8JrdkteLGOeh6f65VSRwKhRANCAARPv7u7YeD4+bGmClmshwTi7AULQj48 +9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbA +-----END EC PRIVATE KEY----- 
diff --git a/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec new file mode 100644 index 0000000000..03c3ce198f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/no-san-ee.pem.key.keyspec @@ -0,0 +1 @@ +secp256r1 diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem new file mode 100644 index 0000000000..3d0ae14911 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5TCCAc2gAwIBAgIUGSmSb2HbEr51bpQzj+bUUISSggowDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQZmF1bHR5LXNlcnZlci1jYTAiGA8yMDIxMTEyNzAwMDAw +MFoYDzIwMjQwMjA1MDAwMDAwWjAbMRkwFwYDVQQDDBBmYXVsdHktc2VydmVyLWNh +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2 +ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF +h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n +cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv +OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj +tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt +jQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B +AQsFAAOCAQEARaxPN9ImyTHcTq2l4hCl3vybWKsY+RLOT0cap3xqst1htZbkoejV +sy9OrA6jMe7k6N7IquopV/3ZuZTbebQZwCP+82HDs48yL20ACrUU3rlQJoOPtTJf +7yUskA0ztDYkRtuV3KMWoscxoVFGoMIXwzjskUxy/Rp6+vKTuf0gvF+zd4iQzZ11 +oZarse5nF5pSxiFxQscep44bAh9Wnt8cMkUqoXgOc0hJE2MV/Kn1bLptNDVRyVmk +2e6403EsBzmAjfy7yLLx/mpz2Fl+XgztP52AwK2V0TcWxaHg29cRIc16si0wNqF4 +2xxhvYyAUMArnzvKgRHXHqZbuyyaHV762A== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec new file mode 100644 index 0000000000..bcbf751bb2 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_faulty_server/test-ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:faulty-server-ca +subject:faulty-server-ca +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem new file mode 100644 index 0000000000..9964b1ed68 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7zCCAdegAwIBAgIUFXP/lk1Ozpz/foBDAI+E6dPYOJkwDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQZmF1bHR5LXNlcnZlci1jYTAiGA8yMDIxMTEyNzAwMDAw +MFoYDzIwMjQwMjA1MDAwMDAwWjAlMSMwIQYDVQQDDBpmYXVsdHktc2VydmVyLWlu +dGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE +jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1 +a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p +GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW +2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO +p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR +xDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYw +DQYJKoZIhvcNAQELBQADggEBAKKRqr0ubyrDGcUcswUGJGZXcvCZryaa3vbv/ccm +G26nli+ANlthqjwnInKP1sdTjbk/BnhsOXrs05ygSdFuW/dOZqkeJKlPXbeFGF8i +wnJb0gYdceBoTqyJ7H83AIVYJbuP5JMR78CE/iFOUv+43OaRQAMQdppcMiyq49oU +hXMxsVuXOFelUD0XZSP/oAlrEXxeyAVkBJS2iPAN+B3Mxe9CVmkuibCZ47dsMHYr +LEtzbdKVaO8pg+FHEMiv95Wtx2fBDX+6mhPHbXo21pn8jAVV0uHR3u+CwGvGcMrL +Y94oWHnU2ojPicyhuy6NOH3v3RxACFW0jQV0sH/VK7bh8Ts= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec new file mode 100644 index 0000000000..5be535c81d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_faulty_server/test-int.pem.certspec 
@@ -0,0 +1,4 @@
+issuer:faulty-server-ca
+subject:faulty-server-intermediate
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js
new file mode 100644
index 0000000000..fd0738eda9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js
@@ -0,0 +1,119 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- + * vim: sw=2 ts=2 sts=2 + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +"use strict"; + +// Ensures that HSTS (HTTP Strict Transport Security) information is cleared +// when using "Forget About This Site". + +const { ForgetAboutSite } = ChromeUtils.import( + "resource://gre/modules/ForgetAboutSite.jsm" +); + +do_get_profile(); // must be done before instantiating nsIX509CertDB + +registerCleanupFunction(() => { + Services.prefs.clearUserPref("security.cert_pinning.enforcement_level"); +}); + +const GOOD_MAX_AGE_SECONDS = 69403; +const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`; + +const sss = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService +); +const uri = Services.io.newURI("https://a.pinning.example.com"); + +// Test the normal case of processing HSTS headers for a.pinning.example.com, +// using "Forget About Site" on a.pinning2.example.com, and then checking +// that the platform doesn't consider a.pinning.example.com to be HSTS any +// longer. +add_task(async function() { + sss.processHeader(uri, GOOD_MAX_AGE); + + Assert.ok(sss.isSecureURI(uri), "a.pinning.example.com should be HSTS"); + + await ForgetAboutSite.removeDataFromDomain("a.pinning.example.com"); + + Assert.ok( + !sss.isSecureURI(uri), + "a.pinning.example.com should not be HSTS now" + ); +}); + +// Test the case of processing HSTS headers for a.pinning.example.com, using +// "Forget About Site" on example.com, and then checking that the platform +// doesn't consider the subdomain to be HSTS any longer. Also test that +// unrelated sites don't also get removed. 
+add_task(async function() { + sss.processHeader(uri, GOOD_MAX_AGE); + + Assert.ok( + sss.isSecureURI(uri), + "a.pinning.example.com should be HSTS (subdomain case)" + ); + + // Add an unrelated site to HSTS. + let unrelatedURI = Services.io.newURI("https://example.org"); + sss.processHeader(unrelatedURI, GOOD_MAX_AGE); + Assert.ok(sss.isSecureURI(unrelatedURI), "example.org should be HSTS"); + + await ForgetAboutSite.removeDataFromDomain("example.com"); + + Assert.ok( + !sss.isSecureURI(uri), + "a.pinning.example.com should not be HSTS now (subdomain case)" + ); + + Assert.ok(sss.isSecureURI(unrelatedURI), "example.org should still be HSTS"); +}); + +// Test the case of processing HSTS headers for a.pinning.example.com with +// various originAttributes, using "Forget About Site" on example.com, and +// then checking that the platform doesn't consider the subdomain to be HSTS +// for any originAttributes any longer. Also test that unrelated sites don't +// also get removed. +add_task(async function() { + let originAttributesList = [ + {}, + { userContextId: 1 }, + { firstPartyDomain: "foo.com" }, + { userContextId: 1, firstPartyDomain: "foo.com" }, + ]; + + let unrelatedURI = Services.io.newURI("https://example.org"); + + for (let originAttributes of originAttributesList) { + sss.processHeader(uri, GOOD_MAX_AGE, originAttributes); + + Assert.ok( + sss.isSecureURI(uri, originAttributes), + "a.pinning.example.com should be HSTS (originAttributes case)" + ); + + // Add an unrelated site to HSTS. 
+ sss.processHeader(unrelatedURI, GOOD_MAX_AGE, originAttributes); + Assert.ok( + sss.isSecureURI(unrelatedURI, originAttributes), + "example.org should be HSTS (originAttributes case)" + ); + } + + await ForgetAboutSite.removeDataFromDomain("example.com"); + + for (let originAttributes of originAttributesList) { + Assert.ok( + !sss.isSecureURI(uri, originAttributes), + "a.pinning.example.com should not be HSTS now " + + "(originAttributes case)" + ); + + Assert.ok( + sss.isSecureURI(unrelatedURI, originAttributes), + "example.org should still be HSTS (originAttributes case)" + ); + } +}); diff --git a/security/manager/ssl/tests/unit/test_hash_algorithms.js b/security/manager/ssl/tests/unit/test_hash_algorithms.js new file mode 100644 index 0000000000..3a42017bea --- /dev/null +++ b/security/manager/ssl/tests/unit/test_hash_algorithms.js 
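Review bot: The comment above the first `add_task` says "Forget About Site" is used on a.pinning2.example.com, but the call below it is `ForgetAboutSite.removeDataFromDomain("a.pinning.example.com")`; the comment should name the host the test really clears, `// using "Forget About Site" on a.pinning.example.com, and then checking`. The `registerCleanupFunction` at the top clears `security.cert_pinning.enforcement_level`, which nothing in this hunk sets, so it looks like a leftover that should be dropped or explained. The two base-domain tasks use only `example.org` as the unrelated site; a host that merely shares the suffix string (a constructed example: `notexample.com`) would also show that clearing HSTS state for `example.com` matches on a label boundary and does not strip protection from look-alike domains.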
@@ -0,0 +1,158 @@
+"use strict";
+
+// This file tests various aspects of the nsICryptoHash implementation for all
+// of the supported algorithms.
+
+const messages = ["The quick brown fox jumps over the lazy dog", ""];
+const ALGORITHMS = [
+ {
+ initString: "md5",
+ initConstant: Ci.nsICryptoHash.MD5,
+ hexHashes: [
+ "9e107d9d372bb6826bd81d3542a419d6",
+ "d41d8cd98f00b204e9800998ecf8427e",
+ ],
+ b64Hashes: ["nhB9nTcrtoJr2B01QqQZ1g==", "1B2M2Y8AsgTpgAmY7PhCfg=="],
+ },
+ {
+ initString: "sha1",
+ initConstant: Ci.nsICryptoHash.SHA1,
+ hexHashes: [
+ "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12",
+ "da39a3ee5e6b4b0d3255bfef95601890afd80709",
+ ],
+ b64Hashes: ["L9ThxnotKPzthJ7hu3bnORuT6xI=", "2jmj7l5rSw0yVb/vlWAYkK/YBwk="],
+ },
+ {
+ initString: "sha256",
+ initConstant: Ci.nsICryptoHash.SHA256,
+ hexHashes: [
+ "d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592",
+ "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+ ],
+ b64Hashes: [
+ "16j7swfXgJRpypq8sAguT41WUeRtPNt2LQLQvzfJ5ZI=",
+ "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=",
+ ],
+ },
+ {
+ initString: "sha384",
+ initConstant: Ci.nsICryptoHash.SHA384,
+ hexHashes: [
+ "ca737f1014a48f4c0b6dd43cb177b0afd9e5169367544c494011e3317dbf9a509cb1e5dc1e85a941bbee3d7f2afbc9b1",
+ "38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b",
+ ],
+ b64Hashes: [
+ "ynN/EBSkj0wLbdQ8sXewr9nlFpNnVExJQBHjMX2/mlCcseXcHoWpQbvuPX8q+8mx",
+ "OLBgp1GsljhM2TJ+sbHjaiH9txEUvgdDTAzHv2P24donTt6/529l+9Ua0vFImLlb",
+ ],
+ },
+ {
+ initString: "sha512",
+ initConstant: Ci.nsICryptoHash.SHA512,
+ hexHashes: [
+ "07e547d9586f6a73f73fbac0435ed76951218fb7d0c8d788a309d785436bbb642e93a252a954f23912547d1e8a3b5ed6e1bfd7097821233fa0538f3db854fee6",
+ "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
+ ],
+ b64Hashes: [
+ "B+VH2VhvanP3P7rAQ17XaVEhj7fQyNeIownXhUNru2Quk6JSqVTyORJUfR6KO17W4b/XCXghIz+gU489uFT+5g==",
+ "z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==",
+ ],
+ },
+];
+
+function doHash(algo, value, cmp) {
+ let hash = Cc["@mozilla.org/security/hash;1"].createInstance(
+ Ci.nsICryptoHash
+ );
+ hash.initWithString(algo);
+
+ let converter = Cc[
+ "@mozilla.org/intl/scriptableunicodeconverter"
+ ].createInstance(Ci.nsIScriptableUnicodeConverter);
+ converter.charset = "utf8";
+ value = converter.convertToByteArray(value);
+ hash.update(value, value.length);
+ equal(
+ hexify(hash.finish(false)),
+ cmp,
+ `Actual and expected hash for ${algo} should match`
+ );
+
+ hash.initWithString(algo);
+ hash.update(value, value.length);
+ equal(
+ hexify(hash.finish(false)),
+ cmp,
+ `Actual and expected hash for ${algo} should match after re-init`
+ );
+}
+
+function doHashStream(algo, value, cmp) {
+ // TODO(Bug 459835): Make updateFromStream() accept zero length streams.
+ if (!value.length) {
+ return;
+ }
+
+ let hash = Cc["@mozilla.org/security/hash;1"].createInstance(
+ Ci.nsICryptoHash
+ );
+ hash.initWithString(algo);
+
+ let converter = Cc[
+ "@mozilla.org/intl/scriptableunicodeconverter"
+ ].createInstance(Ci.nsIScriptableUnicodeConverter);
+ converter.charset = "utf8";
+ let stream = converter.convertToInputStream(value);
+ hash.updateFromStream(stream, stream.available());
+ equal(
+ hexify(hash.finish(false)),
+ cmp,
+ `Actual and expected hash for ${algo} should match updating from stream`
+ );
+}
+
+function testInitConstantAndBase64(
+ initConstant,
+ algoName,
+ message,
+ expectedOutput
+) {
+ let converter = Cc[
+ "@mozilla.org/intl/scriptableunicodeconverter"
+ ].createInstance(Ci.nsIScriptableUnicodeConverter);
+ converter.charset = "utf8";
+ let value = converter.convertToByteArray(message);
+
+ let hash = Cc["@mozilla.org/security/hash;1"].createInstance(
+ Ci.nsICryptoHash
+ );
+ hash.init(initConstant);
+ hash.update(value, value.length);
+ equal(
+ hash.finish(true),
+ expectedOutput,
+ `Actual and expected base64 hash for ${algoName} should match`
+ );
+}
+
+function run_test() {
+ for (let algo of ALGORITHMS) {
+ algo.hexHashes.forEach((hash, i) => {
+ doHash(algo.initString, messages[i], hash);
+ doHashStream(algo.initString, messages[i], hash);
+ });
+ algo.b64Hashes.forEach((hash, i) => {
+ testInitConstantAndBase64(
+ algo.initConstant,
+ algo.initString,
+ messages[i],
+ hash
+ );
+ });
+ }
+
+ // Our buffer size for working with streams is 4096 bytes. This tests we
+ // handle larger inputs.
+ doHashStream("md5", " ".repeat(4100), "59f337d82f9ef5c9571bec4d78d66641");
+}
diff --git a/security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js b/security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js
new file mode 100644
index 0000000000..f2b7016c05
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_hash_algorithms_wrap.js
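Review bot: The larger-than-buffer check at the end of `run_test` covers the stream path for MD5 only, although the file's stated scope is every supported algorithm, so a chunking defect in the SHA-1/SHA-2 stream path past 4096 bytes would go unnoticed. Comparing the `updateFromStream()` digest with the `update()` digest of the same 4100-byte input inside a loop over `ALGORITHMS` would cover the rest without new hard-coded vectors, while the existing MD5 known-answer line stays as it is. Separately, `doHashStream` returns early for the empty message, so the empty-input vectors are never checked on the stream path until Bug 459835 is resolved; a comment at the call site in `run_test` saying so would keep that gap visible.

```javascript
// … unchanged: ALGORITHMS, doHash, doHashStream, testInitConstantAndBase64 …

// Digest of `message` via update(), used as the reference for the stream path.
function hexDigest(algo, message) {
  let converter = Cc[
    "@mozilla.org/intl/scriptableunicodeconverter"
  ].createInstance(Ci.nsIScriptableUnicodeConverter);
  converter.charset = "utf8";
  let bytes = converter.convertToByteArray(message);
  let hash = Cc["@mozilla.org/security/hash;1"].createInstance(
    Ci.nsICryptoHash
  );
  hash.initWithString(algo);
  hash.update(bytes, bytes.length);
  return hexify(hash.finish(false));
}

// … unchanged: per-algorithm vector loops and the MD5 known-answer check in run_test …

  // Inputs larger than the 4096-byte stream buffer, for every algorithm.
  let largeInput = " ".repeat(4100);
  for (let algo of ALGORITHMS) {
    doHashStream(
      algo.initString,
      largeInput,
      hexDigest(algo.initString, largeInput)
    );
  }
```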
@@ -0,0 +1,5 @@
+"use strict";
+
+function run_test() {
+ run_test_in_child("test_hash_algorithms.js");
+}
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
new file mode 100644
index 0000000000..5bb4b1cecb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
@@ -0,0 +1,138 @@ +"use strict"; + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function load_cert(name, trust) { + let filename = "test_intermediate_basic_usage_constraints/" + name + ".pem"; + addCertFromFile(certdb, filename, trust); +} + +function test_cert_for_usages(certChainNicks, expected_usages) { + let certs = []; + for (let i in certChainNicks) { + let certNick = certChainNicks[i]; + let certPEM = readFile( + do_get_file( + "test_intermediate_basic_usage_constraints/" + certNick + ".pem" + ), + false + ); + certs.push(certdb.constructX509FromBase64(pemToBase64(certPEM))); + } + + let cert = certs[0]; + return asyncTestCertificateUsages(certdb, cert, expected_usages); +} + +add_task(async function() { + let ee_usages = [ + certificateUsageSSLClient, + certificateUsageSSLServer, + certificateUsageEmailSigner, + certificateUsageEmailRecipient, + ]; + let ca_usages = [certificateUsageSSLCA]; + let eku_usages = [certificateUsageSSLClient, certificateUsageSSLServer]; + + // Load the ca into mem + let ca_name = "ca"; + load_cert(ca_name, "CTu,CTu,CTu"); + await test_cert_for_usages([ca_name], ca_usages); + + // A certificate with no basicConstraints extension is considered an EE. + await test_cert_for_usages(["int-no-extensions"], ee_usages); + + // int-no-extensions is an EE (see previous case), so no certs can chain to + // it. + await test_cert_for_usages(["ee-int-no-extensions", "int-no-extensions"], []); + + // a certificate with basicConstraints.cA==false is considered an EE. + await test_cert_for_usages(["int-not-a-ca"], ee_usages); + + // int-not-a-ca is an EE (see previous case), so no certs can chain to it. + await test_cert_for_usages(["ee-int-not-a-ca", "int-not-a-ca"], []); + + // a certificate with basicConstraints.cA==false but with the keyCertSign + // key usage may not act as a CA (it can act like an end-entity). 
+ await test_cert_for_usages(["int-cA-FALSE-asserts-keyCertSign"], ee_usages); + await test_cert_for_usages( + ["ee-int-cA-FALSE-asserts-keyCertSign", "int-cA-FALSE-asserts-keyCertSign"], + [] + ); + + // int-limited-depth has cA==true and a path length constraint of zero. + await test_cert_for_usages(["int-limited-depth"], ca_usages); + + // path length constraints do not affect the ability of a non-CA cert to + // chain to to the CA cert. + await test_cert_for_usages( + ["ee-int-limited-depth", "int-limited-depth"], + ee_usages + ); + + // ca + // int-limited-depth (cA==true, pathLenConstraint==0) + // int-limited-depth-invalid (cA==true) + // + await test_cert_for_usages( + ["int-limited-depth-invalid", "int-limited-depth"], + [] + ); + await test_cert_for_usages( + [ + "ee-int-limited-depth-invalid", + "int-limited-depth-invalid", + "int-limited-depth", + ], + [] + ); + + // int-valid-ku-no-eku has keyCertSign + await test_cert_for_usages(["int-valid-ku-no-eku"], ca_usages); + await test_cert_for_usages( + ["ee-int-valid-ku-no-eku", "int-valid-ku-no-eku"], + ee_usages + ); + + // int-bad-ku-no-eku has basicConstraints.cA==true and has a KU extension + // but the KU extension is missing keyCertSign. Note that mozilla::pkix + // doesn't validate certificates with basicConstraints.Ca==true for non-CA + // uses. + await test_cert_for_usages(["int-bad-ku-no-eku"], []); + await test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], []); + + // int-no-ku-no-eku has basicConstraints.cA==true and no KU extension. + // We treat a missing KU as "any key usage is OK". + await test_cert_for_usages(["int-no-ku-no-eku"], ca_usages); + await test_cert_for_usages( + ["ee-int-no-ku-no-eku", "int-no-ku-no-eku"], + ee_usages + ); + + // int-valid-ku-server-eku has basicConstraints.cA==true, keyCertSign in KU, + // and EKU=={id-kp-serverAuth,id-kp-clientAuth}. 
+ await test_cert_for_usages(["int-valid-ku-server-eku"], ca_usages); + await test_cert_for_usages( + ["ee-int-valid-ku-server-eku", "int-valid-ku-server-eku"], + eku_usages + ); + + // int-bad-ku-server-eku has basicConstraints.cA==true, a KU without + // keyCertSign, and EKU=={id-kp-serverAuth,id-kp-clientAuth}. + await test_cert_for_usages(["int-bad-ku-server-eku"], []); + await test_cert_for_usages( + ["ee-int-bad-ku-server-eku", "int-bad-ku-server-eku"], + [] + ); + + // int-bad-ku-server-eku has basicConstraints.cA==true, no KU, and + // EKU=={id-kp-serverAuth,id-kp-clientAuth}. + await test_cert_for_usages(["int-no-ku-server-eku"], ca_usages); + await test_cert_for_usages( + ["ee-int-no-ku-server-eku", "int-no-ku-server-eku"], + eku_usages + ); +}); diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem new file mode 100644 index 0000000000..69c16a8d42 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem 
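Review bot: The comment before the last pair of checks names `int-bad-ku-server-eku`, while the certificates under test there are `int-no-ku-server-eku` and `ee-int-no-ku-server-eku`; it should read `// int-no-ku-server-eku has basicConstraints.cA==true, no KU, and`. In `test_cert_for_usages` every name in `certChainNicks` is decoded but only `certs[0]` is verified, so the intermediates presumably matter only through a side effect of `constructX509FromBase64` (making them available for path building). A comment stating that, together with `for (let certNick of certChainNicks)` in place of the `for...in` index loop, would make the intent clear to the next reader. Smaller comment slips in the same hunk: "chain to to the CA cert" and `basicConstraints.Ca==true`.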
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICvDCCAaSgAwIBAgIUSyYNcZmBB3Fq//SFPcSyXEpJ6tIwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEDAOMAwGA1UdEwQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBAFsWYvf5u1J578KdSOtot0N4h6jCRbE41le2inKzuBY4 +bKzTckFPNscz3NXjGydHHuMA0WI1BnskiXw59dotlAsaWttq2V02EP8fPMSC0Sbx +J+Uap+b9xONUzTTja2yBWVEI4pN47xiCAEyVWu88/XWm+Ig+HyTjfhT3a32FviiO +4MuXaN73kJvLjzTUqk0KOtzbuhPLF6kRvycIuLEDel7f21cIbp7ezQRBaDcT+nVv ++WdlXsm8aA7GqnKNY1wBGL8FwsIcIOOeAVb4HgCG4FXp4eKODoexywRu3LP9yN1u +XAy3x+0wUWp85H3CQuTD7p76ZR1Ui4soSHDs0DdRpkc= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem.certspec new file mode 100644 index 0000000000..eb7c4b4bee --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ca.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:ca +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem new file mode 100644 index 0000000000..b92dc8fc03 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5zCCAc+gAwIBAgIUX2dsScLlfW4gR9BgNZCZQUmGMVgwDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRaW50LWJhZC1rdS1uby1la3UwIhgPMjAyMTExMjcwMDAw +MDBaGA8yMDI0MDIwNTAwMDAwMFowHzEdMBsGA1UEAwwUZWUtaW50LWJhZC1rdS1u +by1la3UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3 +DQEBCwUAA4IBAQAwovJGGbmC872VetJzSnRzUuGG5tPdn6OrnalmanwsZipR5yzd +tNe+V3olt3kh9CS4M0aU8dB1Usu3VX35yNXMFAl1pa0wtgOWm4wU3iUu5e6XYoak +X1PM6FysCbiJoaRejhKJdt525zVomVZ/4v+Ww/OxfGfvqXOgfnhEkdVBDNsO02qx +RoDWllKKz+fjQbHfwN65VFMG4qFSeCBAo58+pTWapJgNT6rprIsmfqAX89lnpAyY +NhgWCSczyLtHL2voIeabbOWCpL4WjKp4yj2hztrlRuvWTnOzbZaiydckXnorkfmD +AVxdSYCZJT5zf+kDUFj7rSS1SfgGLEXa6uHW +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem.certspec new file mode 100644 index 0000000000..390adf2344 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-no-eku.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-bad-ku-no-eku +subject:ee-int-bad-ku-no-eku +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem new file mode 100644 index 0000000000..6602f1d911 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7zCCAdegAwIBAgIUaWcqNQwNMI1aFqgOG5mw0z0Ph8kwDQYJKoZIhvcNAQEL +BQAwIDEeMBwGA1UEAwwVaW50LWJhZC1rdS1zZXJ2ZXItZWt1MCIYDzIwMjExMTI3 +MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCMxITAfBgNVBAMMGGVlLWludC1iYWQt +a3Utc2VydmVyLWVrdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI +UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi +r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x +fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD +7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv +uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj ++nJRxDHVA6zaGAo17Y0CAwEAAaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCA/gw +DQYJKoZIhvcNAQELBQADggEBAFK/ct1l9T0Hs5cOB/yhXWKbEwp74UCZvwKzgpuc +VslyzB3GPHl8a8aOvastiSgBEzsWzOuGlKprqWsGozG4jG2KHLZWHWG535vjISIO +wrHyOv20wjgTmMca0osxiQxWumQG7HupZZou8xlbm9XDrFVFriWtvXD88sxhvy6r +DwtFFzTVXqE0W0LC2KVxFMI6oWIsviYClsAovQLBdMUwjcKpyJj0KFGf0158ncMv +bkdZgO4uvn+BdUTlbnhyJXs74iSgau7D7t8zCT92CcLojI4+Q70rVt6fw3ZqW/wo +6s6x+LfPkvkiOBifmhUJGxNOnYlIgxos9Jl1Gi+8nRyxgaw= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem.certspec new file mode 100644 index 0000000000..32bb6c2485 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-bad-ku-server-eku.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-bad-ku-server-eku +subject:ee-int-bad-ku-server-eku +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement 
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem new file mode 100644 index 0000000000..611c93cc97 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBTCCAe2gAwIBAgIUCQnY3uTX2s9L1e03jirXWhQ8u0QwDQYJKoZIhvcNAQEL +BQAwKzEpMCcGA1UEAwwgaW50LWNBLUZBTFNFLWFzc2VydHMta2V5Q2VydFNpZ24w +IhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowLjEsMCoGA1UEAwwj +ZWUtaW50LWNBLUZBTFNFLWFzc2VydHMta2V5Q2VydFNpZ24wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo +V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p +0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk +fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh +W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI +TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGjAYMAkG +A1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3DQEBCwUAA4IBAQCASFIVTN69 +PWqwJI0aACKMn9re9uVfSjXEljM9rxFCCYtW1lcTm3tqMq/Hn4BEa4hIBFGDADOc +DNAhvzIaLOWjxWPcKdxWSUsbg5QJ9M60yqUpbIMw6Y4igQkIUMZG8gOEqnvL2jW1 +dJnjpuBFNXKfW5Ww/WurNXSrz/M+z+6jSn3LCB3pzOpBrAIXYqul+4J0S6mJvXdZ +hP41/f2s/2r3pl91M/ZlE2uJtEPiGXlXxc5biHl9NxahBi8ZtO+dQ9fQX34Kj3y+ +SjAl594g+9zBpLyeoMJIu4h8cUSKbfCGEwrhlkWL5r0i2NCvdOjh/rVhAhuYoUKe +D/AGM1NDr5tC +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem.certspec new file mode 100644 index 0000000000..9e0fb65fd6 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-cA-FALSE-asserts-keyCertSign.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-cA-FALSE-asserts-keyCertSign +subject:ee-int-cA-FALSE-asserts-keyCertSign +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem new file mode 100644 index 0000000000..0313f22fa3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC9zCCAd+gAwIBAgIUJTkDPPQhp5SptWJuRzUcxOQpGrwwDQYJKoZIhvcNAQEL +BQAwJDEiMCAGA1UEAwwZaW50LWxpbWl0ZWQtZGVwdGgtaW52YWxpZDAiGA8yMDIx +MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAnMSUwIwYDVQQDDBxlZS1pbnQt +bGltaXRlZC1kZXB0aC1pbnZhbGlkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc +BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC +a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg +uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK +9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP +mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoxowGDAJBgNVHRMEAjAAMAsGA1Ud +DwQEAwID+DANBgkqhkiG9w0BAQsFAAOCAQEAo54m8X4ZIwPI62dxL0v5YlxaR32S +8EEnFzpp9ZDKIDxBAjKdY8YLkbhXF/7VTAbqdQJIWZYsFjHVRKvzjgYQzei+oi9K +fc8HIwFKTaKd+MDcoLzMXm8J4ykRuz482C3jE5SnjwkaGnWWyMH7DLvqd0A+iUzI +FQhmwQmtiG1O5poN+qCJQmfXInPOs2ne0vKKM679tAMnWFD0qG+nL2+YRba/TJ5T +unSmCpRbQU/t8obecB38wa67tSC7u9YZ8ot6vWO7BlVe4NWU7eP71JFFCyl891fY +hD971ulMb9AKsujEhCIqjlcq9Eq64w6ZPFyVhy1P/Mp8dpJg+krXY1yUXg== +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem.certspec
new file mode 100644
index 0000000000..f00b4d1591
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth-invalid.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-limited-depth-invalid
+subject:ee-int-limited-depth-invalid
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem
new file mode 100644
index 0000000000..7b206b3253
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5zCCAc+gAwIBAgIUTfEUPuNAjYMBNO7pTXwAW4m2QywwDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRaW50LWxpbWl0ZWQtZGVwdGgwIhgPMjAyMTExMjcwMDAw +MDBaGA8yMDI0MDIwNTAwMDAwMFowHzEdMBsGA1UEAwwUZWUtaW50LWxpbWl0ZWQt +ZGVwdGgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3 +DQEBCwUAA4IBAQBGRRnLNAucxyYbATTURGI3VH4aOQS5QfZI6X2Alga7U4odlAsN +l2wZzETWkgLh5PomEW85l4QGw7nt9AGqu+bVS1e7V4DTLdrNFPpMdjcxfBi36tUl +pZbvzW09pFO9klTUovL3i1i4KtY59wohPHsC1Px46sr1U1kMZbYxcGQnGtE3cerl +Pbfx1XuLInk1shMU/XnFn5gwtZLkPdRWcHJAjdPpH4DEyMxyiU7Xkq7j/5PmZp3R +eWFEh8B6Ww77kR9PgFXw9i3evQSwG3HKWiLvkpcfffHc73FQJC8Thhx7DrQqFyGp +RzG07oNPjprOIwm6GTWNcQ6bDvOksajKhONU +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem.certspec new file mode 100644 index 0000000000..df85342d98 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-limited-depth +subject:ee-int-limited-depth +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem new file mode 100644 index 0000000000..ee57cb363b --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5zCCAc+gAwIBAgIUO9f0kr95LgU+xDs1PzAfLOKqnBMwDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRaW50LW5vLWV4dGVuc2lvbnMwIhgPMjAyMTExMjcwMDAw +MDBaGA8yMDI0MDIwNTAwMDAwMFowHzEdMBsGA1UEAwwUZWUtaW50LW5vLWV4dGVu +c2lvbnMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0GCSqGSIb3 +DQEBCwUAA4IBAQBBAowOTcEZ1VVW0v7xgIo1hga8cgsgRZHVfvh5n9AuEQ0D+l7e +tZ/oJFNOloyXu1hfTMCNbSE16trQWAE6b6g+3VsvJvwjYdWFJP6t5JgB3M6IvK+W +nETRBUw5rkcLASwJfNKWZoYvbblgm9q5AbqxcWUQD35vOunNSr+5qp8RwLzFP/Sl +8SkRS/vwNZALOZ0y6+OLuvw09m+rtrn+PRfxNLnOA0os7M8AlbEJXZoUkmlf2BlP +AhkHu3v2ujS11eirT7bQCMU2hB0qHr8W8e/PdsBvnjppv/F4/FPdcbH463q4DFV1 +rzUvWbWHFIt4AqdMZFibyQcSVwddPf5dcZzK +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem.certspec new file mode 100644 index 0000000000..c5279046d8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-extensions.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-no-extensions +subject:ee-int-no-extensions +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement 
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem new file mode 100644 index 0000000000..e356ecf72e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5TCCAc2gAwIBAgIUX5IwL/hJqOZ0Iyh2OWGyGSoA0kcwDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQaW50LW5vLWt1LW5vLWVrdTAiGA8yMDIxMTEyNzAwMDAw +MFoYDzIwMjQwMjA1MDAwMDAwWjAeMRwwGgYDVQQDDBNlZS1pbnQtbm8ta3Utbm8t +ZWt1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62 +iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql +WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq +Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ +ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i +b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY +CjXtjQIDAQABoxowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwID+DANBgkqhkiG9w0B +AQsFAAOCAQEAONTwF02LG0ZbucYtE7aGaaOP7nG6jZPiT8VPI19y77GVEFNwt+zW +FtDq/80SIJj1mIzJ4E9oTNUi2v5VxG5m9Slc2VAf2iZfGHdNUBO4gfYKm9waYjqd +cd7vYA7hEm+K+rMdhgc4TVf4c+I1tK8JtifycRMTZSYSaBeNb7SruB7ZAb+1QhvI +e8fMYSrZSKpHbE85CfOMHXF/sKJeojouBCdPpYzQRrQ9rbGyQTDZoEqBqdcbuAZo +m7gCtobppcjq3bBgxrdnPeTU0DMnhS/t5WLzEG28mTcwndIK9OVkZOrxgNTN5Jg8 +qTIRfVlgTurQm6S8BL+c/ncONJObKPwevQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem.certspec new file mode 100644 index 0000000000..92ee3cc6d6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-no-eku.pem.certspec 
@@ -0,0 +1,4 @@ +issuer:int-no-ku-no-eku +subject:ee-int-no-ku-no-eku +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem new file mode 100644 index 0000000000..e5a5e0bea8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7TCCAdWgAwIBAgIUX22fNLvnip6KC7WCdXKFxQXZqUYwDQYJKoZIhvcNAQEL +BQAwHzEdMBsGA1UEAwwUaW50LW5vLWt1LXNlcnZlci1la3UwIhgPMjAyMTExMjcw +MDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowIjEgMB4GA1UEAwwXZWUtaW50LW5vLWt1 +LXNlcnZlci1la3UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGo +RI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9a +dWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6t +aRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8n +FthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kX +Dqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/py +UcQx1QOs2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgP4MA0G +CSqGSIb3DQEBCwUAA4IBAQBVZ/G/hh1al04zc3kxvCf9GF2KPR98ugcRGqqonXZP +ix5eHf6w8AgEbucuFqQ7Gd8DbrEeKkL5v7RoQxQuJvL/455BYdFSBN8nx94tRWyy +8taFHiSrjqt/7wF4kGoTlXuoEWvsowAsI65CgvRe8C/kPa3AYfS5ZsoQDbX39pJo +adrz5HeSaM7pPrVtxjjd4+0gxH1lwtDJqpPTqR8lpmcVLYxrUFWVmZjRL1nJ30e+ +U5M3vXWORDRPa9Vk6bzJXqwgr6hqXwr76w9ZO5H5RpLL1RNP/DGTt3Jp1yo035BJ +KPJzAUi7eu6vb/9FCJ69ltUIBdxFYaSYFyF6ZrmmkHm3 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem.certspec new file mode 100644 index 0000000000..c148896710 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-no-ku-server-eku.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-no-ku-server-eku +subject:ee-int-no-ku-server-eku +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem new file mode 100644 index 0000000000..ddb6b4810f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3TCCAcWgAwIBAgIUNx7IjEtdkB/tsL/CqgWRGxCMkSswDQYJKoZIhvcNAQEL +BQAwFzEVMBMGA1UEAwwMaW50LW5vdC1hLWNhMCIYDzIwMjExMTI3MDAwMDAwWhgP +MjAyNDAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD2VlLWludC1ub3QtYS1jYTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ +6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk +nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N +/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG +JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd +7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA +AaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCA/gwDQYJKoZIhvcNAQELBQADggEB +ACLu/f0o3T4sd35U49UKAJiKzzaJMLJJa/OUnxrja5p441nI7SAcr+uLKnQokaj6 +FATB/INGwYpGMg+WPrKp0FAFNFHFrsmcE6ADHdZ5nie2NRPCDSNG98X3uQeAK+La +90DqyYZoDj6C43KpML/oNxH4MBGS2bLL/zGVjoZBs20Fw8HlbjCmCBfa57gAmUC3 +588bjavhoOEqOIQQ5UXwgLQN03yhz/KAnTpB7/ctv9nzv3RdG5Eh7M8zr+VRoqkh +M8zMqJDY+lLQ/uNyq7GKfzxnpcEpYdH4mTcnDEKZfeocyl6WSk0dR94Iwpu8iXur +jRzyrsJEB+h+OipLAuSGHTg= +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem.certspec
new file mode 100644
index 0000000000..a95b0dc260
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-not-a-ca.pem.certspec
@@ -0,0 +1,4 @@
+issuer:int-not-a-ca
+subject:ee-int-not-a-ca
+extension:basicConstraints:,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem
new file mode 100644
index 0000000000..907671c3e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6zCCAdOgAwIBAgIUVanRJenZNEF+cjecPKqHsbneTa0wDQYJKoZIhvcNAQEL +BQAwHjEcMBoGA1UEAwwTaW50LXZhbGlkLWt1LW5vLWVrdTAiGA8yMDIxMTEyNzAw +MDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAhMR8wHQYDVQQDDBZlZS1pbnQtdmFsaWQt +a3Utbm8tZWt1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESO +FtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVr +amRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWka +sdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbY +VbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6n +aOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHE +MdUDrNoYCjXtjQIDAQABoxowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwID+DANBgkq +hkiG9w0BAQsFAAOCAQEAI1rwnetC4tEnvUYabxo0oNmtHi57Blddig3bLWKjTZB5 +jyWidVZqlhcQsKs1Vy2V/SkgFrERsCr3MejyY9FIS1ugqFp/bdq1I6W3BuRYjYKR +/EkuUMQXVZr+rijX0JDegh0Yo8gf+RTFzI80/NzBnO2OTCSE++lAvRf6DsjFKU4W +kLSP5tF4ZBdnuBJt+mlrk6SSDVppG2eMCPjJB2Lejkrvx6jJpIWHSzcWhsDC3jNU +YxtdZtUxyZlO82/EVJnFrinZSiPrA3X6MqinXX2Glyu1BEG05YUgEbDfUpczNgH1 +HWPojXE3OtirTtvFmCtQ0z0H/iDS2vWqGFI9WSez4w== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem.certspec new file mode 100644 index 0000000000..89a66b9f97 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-no-eku.pem.certspec @@ -0,0 +1,4 @@ +issuer:int-valid-ku-no-eku +subject:ee-int-valid-ku-no-eku +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement 
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem new file mode 100644 index 0000000000..ef07acc2d0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8zCCAdugAwIBAgIUOSSwDry8R9Mp7YyOQ8GFPgOKxW4wDQYJKoZIhvcNAQEL +BQAwIjEgMB4GA1UEAwwXaW50LXZhbGlkLWt1LXNlcnZlci1la3UwIhgPMjAyMTEx +MjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowJTEjMCEGA1UEAwwaZWUtaW50LXZh +bGlkLWt1LXNlcnZlci1la3UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a +hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t +FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o +N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d +JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4 +s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgP4MA0GCSqGSIb3DQEBCwUAA4IBAQC5mUBhwkAJq11r0NRLh32+A+p26fJz1lBT +Fdct7k75tTY0dE7qTUC4XOWj2Ry63cE/LnNFeNRWrZV3sqmxLPbHLHVZZ3P7a31S +HAch7qxgtysmDYSMcirMa2SwmL8DEN138HXB2PH0T2B4OYmgYX0p0H4/bOPIjPRt +HNsDWzz3hg57jf4sR2UC4jV53w5uXmByaJLWVXlzsBsnZcVLnSp+4zmp68aUNsTx +mNMYTseMNYbtmNhNQlWwsvhBUvIog8zLdF6wYApdHjlyrV0NUVgEv8eDU+Xo73mt +5sPh9vRb26+B/CdyANACF5nMdse04Incym1yLFqHro0kcRnsnWF0 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem.certspec new file mode 100644 index 0000000000..43e83a336e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/ee-int-valid-ku-server-eku.pem.certspec 
@@ -0,0 +1,4 @@ +issuer:int-valid-ku-server-eku +subject:ee-int-valid-ku-server-eku +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem new file mode 100644 index 0000000000..d7cd3b7eb0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC2DCCAcCgAwIBAgIUBdrcACRCSGk1ypWIXk360U1xp6UwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowHDEaMBgGA1UEAwwRaW50LWJhZC1rdS1uby1la3UwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo +V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p +0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk +fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh +W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI +TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwG +A1UdEwQFMAMBAf8wCwYDVR0PBAQDAgH6MA0GCSqGSIb3DQEBCwUAA4IBAQCEXus9 +J5tHBLGUt55OM7ms2OxUerMkz8DdgsDO/fzQi++6h4rIxktmYU/wL5XAtQKurf14 +boo+h9Kspx6GBHvhGAsTrFFAjtoDbi5jpXG4+8RagnJfe5gTL4Fipd9Rqxhrw5xu +lBltX0iCw6JkXBIb5r9EOyztJ9U8D5tQfbC/oqiNqMcJBaXlNayffh8d8jeLm79J +iEPIzRUMz25YGfPSBNHs5IyyNjCWGTtFDEXfDq82WAJMu4SYPiylgjQ4SQNaIKWX +sfrPjS7IZsTv0quMTzvNiCVz3JUR5I/IbgzMlLOGaZ3vVSYSI2w+NoWbUffXn+m1 +bZYy1Mh1ehAukwkQ +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem.certspec new file mode 100644 index 0000000000..f6525449b4 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-no-eku.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-bad-ku-no-eku +extension:basicConstraints:cA, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem new file mode 100644 index 0000000000..6710e14319 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+zCCAeOgAwIBAgIUT+4cv6NAFN70fnPV/T4jEnMVDLYwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowIDEeMBwGA1UEAwwVaW50LWJhZC1rdS1zZXJ2ZXItZWt1MIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVK +tOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7N +Q/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39Zgsr +sCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxs +l62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYl +nauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozww +OjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB+jAdBgNVHSUEFjAUBggrBgEFBQcD +AQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAB5ipw/UJs2yK/v6oQHpMkoD +Q7uoZkgNnOO5Sr5tZoc9OxKSkMluYVOFWFGDTfM24ENSqAT73OmaRbKITV1nR59g +W3oc/6bHPD4smjOQTK6ShVNBz3l4vSOvW2i/reui/v/vrKf9nZmwaV2JBJVkJBtu +IJ2VOPSlkA+22X4YaLi74VjgLNlkROjEB28GV0Xsd42h3zFfAmDtWAI1xNUMMKQS +wRm139Zy8d1UiZ6LchdUC0Ekktolen8eYRvaSlpOigJFBLjiaphJcfATKomyfvc3 +IpktKPHjS8d1MlQEumH8Wn15wfG2QzA5Eri8IXGX25dm9+OTNBLpdzCgn/0wT5k= +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem.certspec
new file mode 100644
index 0000000000..2d324508d4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-bad-ku-server-eku.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-bad-ku-server-eku
+extension:basicConstraints:cA,
+extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,cRLSign
+extension:extKeyUsage:serverAuth,clientAuth
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem
new file mode 100644
index 0000000000..7b677573a7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5DCCAcygAwIBAgIUHUteHerAK5l63j3cnwe85sn7MHIwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowKzEpMCcGA1UEAwwgaW50LWNBLUZBTFNFLWFzc2VydHMta2V5Q2VydFNp +Z24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI +BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa +p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB +7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C +kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv +aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK +Ne2NAgMBAAGjGjAYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgH+MA0GCSqGSIb3DQEB +CwUAA4IBAQAp6oogLBAKI9JqnYGFFMTLRZ/v08fWlx8WXyrEMse10gpPluVYw9+Z +U0LpbLbiiUwrsF1Tt7OMNVRsjCQAnWfXKKvG+ekkUslrLHz0heWlHG0QU9VUqI6q +oumlE84qeEOrNFjyOscBnw/mqyAsCKyhNPNQIcqfotpDJnnZoPe8BTvn91vckaz6 +YtysMgQO58kNJN/ACFjjbg2cvSxB4qXkP1nDTZbtRVvVi7iqKLxKaJJI/orAvX4s +wjkW8XzD9oJBy8xV4Za28xHf/Y5flIT7uIn+0idyqCmQ9YMF29ymj7oTZPnVHVXx ++qr0nbnmjj0mLGAfOgsAdUojRpWJchjX +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem.certspec new file mode 100644 index 0000000000..39785d8a48 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-cA-FALSE-asserts-keyCertSign.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int-cA-FALSE-asserts-keyCertSign +extension:basicConstraints:, +extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign 
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem new file mode 100644 index 0000000000..f6c42b54ff --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4jCCAcqgAwIBAgIUf4VnRPe9twPlf+DNyCIgMod7xZ0wDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRaW50LWxpbWl0ZWQtZGVwdGgwIhgPMjAyMTExMjcwMDAw +MDBaGA8yMDI0MDIwNTAwMDAwMFowJDEiMCAGA1UEAwwZaW50LWxpbWl0ZWQtZGVw +dGgtaW52YWxpZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE +jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1 +a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p +GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW +2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO +p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR +xDHVA6zaGAo17Y0CAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF +AAOCAQEAtE9Ejr5Lh+bKpA8ymVLC5uefOx2qgjNPNCICA2ohGuubKIWjiwYa9gpf +a02v15qTnnlgnldbOiKaoL8jK2GofpAaOWGtnQrjvMtjLz2OoSBaXTXybrOJhdlN +Vzk5dXsiIWmDGzsmM5H7i/TYm1MfbQK9n+ZBJ6wLq61WoMAKECQCoR+YJaWXyx3z +AUXRyN/IRWMIE6kCihZpU4/Cr8k+iLHDZ4ZTGUXmyJTzFSHkVLlgiHVeVfAmHPYy +3Vqjda16ObX7+xA4avruSKnwdpn8+1faHsPFDZri0x7uytM0UNTRIH5tyPWq5pee +odI/mhuYAlXOlJ0FEsfdSKA4z5A2lg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem.certspec new file mode 100644 index 0000000000..9fdb2a248a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth-invalid.pem.certspec 
@@ -0,0 +1,3 @@ +issuer:int-limited-depth +subject:int-limited-depth-invalid +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem new file mode 100644 index 0000000000..db6ac489a4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzjCCAbagAwIBAgIUE/WlBd0Of+fhvk5dxXZtLiWD4bYwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowHDEaMBgGA1UEAwwRaW50LWxpbWl0ZWQtZGVwdGgwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo +V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p +0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk +fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh +W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI +TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjEzARMA8G +A1UdEwQIMAYBAf8CAQAwDQYJKoZIhvcNAQELBQADggEBADwCYAuFWn/72BC3mor7 +YWcirS4nWpVyGfixmVv6E53EBfXn02Ed9yxuEPIN68cXgIlIfKyUk9gEuiTZZEuI +oFLOnC5vc1UnWGReX7CpzLMGP6FyYvsnP0AXpQ4BjQ42vkuQh8rgSAUAnmDZf0at +eJEyu/uqJFheWpLJqwYAfyMSyxf3nEz3itLbbTm+apj7wFyddWDoxoHJi6UX2CuJ +bevVoBHUiKaqRN8tsE0Ffaz1CvAJcSDn2XhAXGPCo0rT5GES///umEa32fvxNhOZ +Ia2JyjIfzGG9n57mraimiyGep0CiigwEX393G/Im2q2h86mvIedRPCl6zSi9f3td +FYE= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem.certspec new file mode 100644 index 0000000000..64f54b0441 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-limited-depth.pem.certspec 
@@ -0,0 +1,3 @@ +issuer:ca +subject:int-limited-depth +extension:basicConstraints:cA,0 diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem new file mode 100644 index 0000000000..b283219ac2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICuTCCAaGgAwIBAgIUcaLqCVjHQF9LBa2AxD4jgbGxJrgwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowHDEaMBgGA1UEAwwRaW50LW5vLWV4dGVuc2lvbnMwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo +V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p +0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk +fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh +W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI +TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAEwDQYJKoZI +hvcNAQELBQADggEBAKO52Cuun7/lbVm57hiFGhkFAITYz3tnIPfI5LHk0iax1K+x +w/X3AoElGtU+/7wgUYzecNmLAs5MsHfxuzdjJ1NccZL/+X7Pfqqzgc0qhK/2l3ou +NOutsawlnqEw0HWL2th71IcCZvD7SxeL635BzHvJckbpvmMLv6IU/4YgHwmvRTOA +wYrzmBabL7kexVIss28bPX3Lg1uNWmqan+ZxBMXrN97eUUMm/rVetJlTJi1yPtie +htsx4T8nVzeXyc8krQJ3r7xYAnCbEIH4Gr1DQ74HMy1wEqGxYOK9qso7Tm0mfwbs +VRuE0QPnaqe19GC95YXYXen95ISOISnkV/iMp/o= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem.certspec new file mode 100644 index 0000000000..c99626bd5a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-extensions.pem.certspec @@ -0,0 +1,2 @@ +issuer:ca +subject:int-no-extensions 
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem new file mode 100644 index 0000000000..8045f66c50 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyjCCAbKgAwIBAgIUXVploRsp/hZMzGClfcQ4dRVNaOwwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowGzEZMBcGA1UEAwwQaW50LW5vLWt1LW5vLWVrdTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhX +bCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQ +OCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9 +uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFb +t+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhO +NsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMQMA4wDAYD +VR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAhzPm8mP8EoZmB2TLj1oRwtwg +aah2AD+zb+2Y/whKrs5y5YNriOajAt7zxXPIxlNe2T++ZRUiwPlmJZyDhKaTxjfE +rWXgtm4fru3Pc972k8UxYkZdqOj5tnsFHJ7C/O9kwvkPUTvIcIJxVvtTLIypAaLs +DRq/CTvtGZ2XUUqSsvzrMcl1npaq2JjhAOURBo4QftJlTcAfm5tNZc4Mu9B9QnZA +7PyK4Ewv8CB66ZT6nRCnz7Bz2dhODqaVi7a92Gww1yCZTuTr7LkQY12V0bqyEBTc +3uAgInlxZ3sCTCI2NlFrqWalF+v3bdZIYIzooSAYOVHcN7zVYXIUbte2Z3MHYQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem.certspec new file mode 100644 index 0000000000..306a218db9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-no-eku.pem.certspec @@ -0,0 +1,3 @@ +issuer:ca +subject:int-no-ku-no-eku +extension:basicConstraints:cA, 
diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem new file mode 100644 index 0000000000..dc4271d321 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7TCCAdWgAwIBAgIUVdlklAPEUQebV/LWoHRUcE1itMAwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowHzEdMBsGA1UEAwwUaW50LW5vLWt1LXNlcnZlci1la3UwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjLzAt +MAwGA1UdEwQFMAMBAf8wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0G +CSqGSIb3DQEBCwUAA4IBAQBo59TtYXo38fhbrYRtxnjeZeWUe6DFTlEf4zNHUFXz +dsHmslSp938LiAR0fTRB0PbWWquZz70vGbhRC8hl5lJgf+/R6yGAjLxBpcRlQu2t +MRvQjS7YDVGYafD5Mt7mUqkzw/Hb1fWAgOfUfSulv9c7gu7WUpSiuFlaHE8lOPR2 +aedPEcq1kza2Fc8xY3OidpJHtZq2jInQSnunu2hOkCRPXIvMvvbTio576QcfTPv4 +b/FNY7IqTC+DEh1VCkb5P9XFtHNGvZ2uYDuL3w1ekZFBL7Aq8hB+6UEb7WCIO6A/ +7vW9Ts+On4nZI11JCk3vRtn9dZYmJoJrJtHSzFaEkyVZ +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem.certspec new file mode 100644 index 0000000000..1482b627c7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-no-ku-server-eku.pem.certspec 
@@ -0,0 +1,4 @@ +issuer:ca +subject:int-no-ku-server-eku +extension:basicConstraints:cA, +extension:extKeyUsage:serverAuth,clientAuth diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem new file mode 100644 index 0000000000..e6efeaa28a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICwzCCAaugAwIBAgIUWa2mJPi/2cEfrq8RFVw70uO0JJ4wDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowFzEVMBMGA1UEAwwMaW50LW5vdC1hLWNhMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABow0wCzAJBgNVHRME +AjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBuRuMaGSuSHD9Vuvm4Ln4QkXaqWtiUSfvO +d4LHv8NzZ8QTVaWZH5Q91yC/0EV82TmGP+YqCJ9e/ILqYCnNdUHfZ1+z1Jd/pwkL +Ir0uLdCePRee9CPBHPuz6hzHsgyQavYWsrAujBgetYC5De1tFPTl0YgFKtrhxLM6 +H6425T9eFvhZ+B5Jz9/iUB0NjbgpaG0qq32tUUZP/aJkosWqmweq1h9HcDXEamxs +y4azUVMtW2t6Hbtmn8lAFHz6iCzrbjVqXY/ZqHtrtnGFvcM044/VqjgU9jMlookh +cSyWqk62xQcpMSuZy955OTEpMnlXXkW4tjUxztAahlJhZP+tal5y +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem.certspec new file mode 100644 index 0000000000..3161680b1c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-not-a-ca.pem.certspec 
@@ -0,0 +1,3 @@ +issuer:ca +subject:int-not-a-ca +extension:basicConstraints:, diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem new file mode 100644 index 0000000000..fdfcbd8ccb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC2jCCAcKgAwIBAgIUBQhZeXfh8VRjz67JI9aGUjCi9/swDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowHjEcMBoGA1UEAwwTaW50LXZhbGlkLWt1LW5vLWVrdTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs +9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8 +HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7Ak +kqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJet +lmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2r +kQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBsw +DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQELBQADggEBAEUa +bjiSJtmAjz24jMQzwT9FDIKfYpuPjyff4TGhHh1+mKz4AtELFZE3IfS+TXaTwWHq +Rmi5SmFusKP8MK85CRKkX47SB3kdvXe4JVXp2QmQ0LwCyLP50sdpzn+gs32lHJHm +BXqe/fAfqvyAzjBwmkT6uPW6DFKcbrilBeQfX/D2B8LZ/8b74sWiGeBakocUzfNa +El3nyhWuAsw5nNImZYWW4/pOJecT23WTda3EJ1+J9CEDlW/F6VBdk+9Eckis33rW +BzoAc+gPS5eisilZsnDxEIVdpWif4IAON6Fh2bhHlrsMKR+gLqJ5g8NQrWkFO/0D +veptxxVD08aLSmFiIBk= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem.certspec new file mode 100644 index 0000000000..d7f9b0387a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-no-eku.pem.certspec 
@@ -0,0 +1,4 @@ +issuer:ca +subject:int-valid-ku-no-eku +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem new file mode 100644 index 0000000000..db3a11431e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/TCCAeWgAwIBAgIUM0xZKEt3/nPLSqS+U75xn0zoKhwwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowIjEgMB4GA1UEAwwXaW50LXZhbGlkLWt1LXNlcnZlci1la3UwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erk +NUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwC +fs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1m +CyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTM +HGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m +1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGj +PDA6MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgIEMB0GA1UdJQQWMBQGCCsGAQUF +BwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAMLbdKU+1y7AV2h9hiMZw +vCxzBNcPr11o83mCP4eBrO9NQ+TZ/IDLWqWmfog80CA+VrKoEApsVce+1T/PZQ/S +nNYxawlBDkHD2lcKn929H2G53xhD+U6j69ZesfPiE83sR48fuzOUdpEDpQdR8yol +9UAVckFK00/6RQwF2YiyyHZDj37ft4mxkV2Y2l0oowgIRm1C5ZUU7BQUxTGbg6K8 +3Is575EyHAfMmeSMDTjWUDn0vT4saa77oG9tbwIhoauku2gwiX+ZIX0hvmaLyzed +R12GeOm2qgDKi99S4CTibgo4puF+AgiQYmeNwtHha+5XmGKCf6k8IIF5FQy9QNmj +sg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem.certspec new file mode 100644 index 0000000000..84314bfa40 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints/int-valid-ku-server-eku.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ca
+subject:int-valid-ku-server-eku
+extension:basicConstraints:cA,
+extension:keyUsage:keyCertSign
+extension:extKeyUsage:serverAuth,clientAuth
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads.js b/security/manager/ssl/tests/unit/test_intermediate_preloads.js
new file mode 100644
index 0000000000..6d4cf205e4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads.js
@@ -0,0 +1,528 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+const { RemoteSecuritySettings } = ChromeUtils.import(
+ "resource://gre/modules/psm/RemoteSecuritySettings.jsm"
+);
+const { TestUtils } = ChromeUtils.importESModule(
+ "resource://testing-common/TestUtils.sys.mjs"
+);
+const { IntermediatePreloadsClient } = RemoteSecuritySettings.init();
+
+let server;
+
+const INTERMEDIATES_DL_PER_POLL_PREF =
+ "security.remote_settings.intermediates.downloads_per_poll";
+const INTERMEDIATES_ENABLED_PREF =
+ "security.remote_settings.intermediates.enabled";
+
+function getHashCommon(aStr, useBase64) {
+ let hasher = Cc["@mozilla.org/security/hash;1"].createInstance(
+ Ci.nsICryptoHash
+ );
+ hasher.init(Ci.nsICryptoHash.SHA256);
+ let stringStream = Cc["@mozilla.org/io/string-input-stream;1"].createInstance(
+ Ci.nsIStringInputStream
+ );
+ stringStream.data = aStr;
+ hasher.updateFromStream(stringStream, -1);
+
+ return hasher.finish(useBase64);
+}
+
+// Get a hexified SHA-256 hash of the given string.
+function getHash(aStr) {
+ return hexify(getHashCommon(aStr, false));
+}
+
+function getSubjectBytes(certDERString) {
+ let bytes = stringToArray(certDERString);
+ let cert = new X509.Certificate();
+ cert.parse(bytes);
+ return arrayToString(cert.tbsCertificate.subject._der._bytes);
+}
+
+function getSPKIBytes(certDERString) {
+ let bytes = stringToArray(certDERString);
+ let cert = new X509.Certificate();
+ cert.parse(bytes);
+ return arrayToString(cert.tbsCertificate.subjectPublicKeyInfo._der._bytes);
+}
+
+/**
+ * Simulate a Remote Settings synchronization by filling up the
+ * local data with fake records.
+ *
+ * @param {*} filenames List of pem files for which we will create
+ * records.
+ * @param {*} options Options for records to generate.
+ */
+async function syncAndDownload(filenames, options = {}) {
+ const {
+ hashFunc = getHash,
+ lengthFunc = arr => arr.length,
+ clear = true,
+ } = options;
+
+ const localDB = await IntermediatePreloadsClient.client.db;
+ if (clear) {
+ await localDB.clear();
+ }
+
+ let count = 1;
+ for (const filename of filenames) {
+ const file = do_get_file(`test_intermediate_preloads/${filename}`);
+ const certBytes = readFile(file);
+ const certDERBytes = atob(pemToBase64(certBytes));
+
+ const record = {
+ details: {
+ who: "",
+ why: "",
+ name: "",
+ created: "",
+ },
+ derHash: getHashCommon(certDERBytes, true),
+ subject: "",
+ subjectDN: btoa(getSubjectBytes(certDERBytes)),
+ attachment: {
+ hash: hashFunc(certBytes),
+ size: lengthFunc(certBytes),
+ filename: `intermediate certificate #${count}.pem`,
+ location: `security-state-workspace/intermediates/${filename}`,
+ mimetype: "application/x-pem-file",
+ },
+ whitelist: false,
+ pubKeyHash: getHashCommon(getSPKIBytes(certDERBytes), true),
+ crlite_enrolled: true,
+ };
+
+ await localDB.create(record);
+ count++;
+ }
+ // This promise will wait for the end of downloading.
+ const updatedPromise = TestUtils.topicObserved(
+ "remote-security-settings:intermediates-updated"
+ );
+ // Simulate polling for changes, trigger the download of attachments.
+ Services.obs.notifyObservers(null, "remote-settings:changes-poll-end");
+ const results = await updatedPromise;
+ return results[1]; // topicObserved gives back a 2-array
+}
+
+/**
+ * Return the list of records whose attachment was downloaded.
+ */
+async function locallyDownloaded() {
+ return IntermediatePreloadsClient.client.get({
+ filters: { cert_import_complete: true },
+ syncIfEmpty: false,
+ });
+}
+
+add_task(async function test_preload_empty() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ // load the first root and end entity, ignore the initial intermediate
+ addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,");
+
+ let ee_cert = constructCertFromFile(
+ "test_intermediate_preloads/default-ee.pem"
+ );
+ notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+ equal(
+ await syncAndDownload([]),
+ "success",
+ "Preloading update should have run"
+ );
+
+ equal(
+ (await locallyDownloaded()).length,
+ 0,
+ "There should have been no downloads"
+ );
+
+ // check that ee cert 1 is unknown
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer
+ );
+});
+
+add_task(async function test_preload_disabled() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, false);
+
+ equal(
+ await syncAndDownload(["int.pem"]),
+ "disabled",
+ "Preloading update should not have run"
+ );
+
+ equal(
+ (await locallyDownloaded()).length,
+ 0,
+ "There should have been no downloads"
+ );
+});
+
+add_task(async function test_preload_invalid_hash() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+ const invalidHash =
+ "6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d";
+
+ const result = await syncAndDownload(["int.pem"], {
+ hashFunc: () => invalidHash,
+ });
+ equal(result, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 0,
+ "There should be no local entry"
+ );
+
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ // load the first root and end entity, ignore the initial intermediate
+ addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,");
+
+ let ee_cert = constructCertFromFile(
+ "test_intermediate_preloads/default-ee.pem"
+ );
+ notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+ // We should still have a missing intermediate.
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer
+ );
+});
+
+add_task(async function test_preload_invalid_length() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+
+ const result = await syncAndDownload(["int.pem"], {
+ lengthFunc: () => 42,
+ });
+ equal(result, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 0,
+ "There should be no local entry"
+ );
+
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ // load the first root and end entity, ignore the initial intermediate
+ addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,");
+
+ let ee_cert = constructCertFromFile(
+ "test_intermediate_preloads/default-ee.pem"
+ );
+ notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+ // We should still have a missing intermediate.
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer
+ );
+});
+
+add_task(async function test_preload_basic() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+ Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100);
+
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+
+ // load the first root and end entity, ignore the initial intermediate
+ addCertFromFile(certDB, "test_intermediate_preloads/ca.pem", "CTu,,");
+
+ let ee_cert = constructCertFromFile(
+ "test_intermediate_preloads/default-ee.pem"
+ );
+ notEqual(ee_cert, null, "EE cert should have successfully loaded");
+
+ // load the second end entity, ignore both intermediate and root
+ let ee_cert_2 = constructCertFromFile("test_intermediate_preloads/ee2.pem");
+ notEqual(ee_cert_2, null, "EE cert 2 should have successfully loaded");
+
+ // check that the missing intermediate causes an unknown issuer error, as
+ // expected, in both cases
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer
+ );
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert_2,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer
+ );
+
+ let intermediateBytes = readFile(
+ do_get_file("test_intermediate_preloads/int.pem")
+ );
+ let intermediateDERBytes = atob(pemToBase64(intermediateBytes));
+ let intermediateCert = new X509.Certificate();
+ intermediateCert.parse(stringToArray(intermediateDERBytes));
+
+ const result = await syncAndDownload(["int.pem", "int2.pem"]);
+ equal(result, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 2,
+ "There should have been 2 downloads"
+ );
+
+ // check that ee cert 1 verifies now the update has happened and there is
+ // an intermediate
+
+ // First verify by connecting to a server that uses that end-entity
+ // certificate but doesn't send the intermediate.
+ await asyncStartTLSTestServer(
+ "BadCertAndPinningServer",
+ "test_intermediate_preloads"
+ );
+ // This ensures the test server doesn't include the intermediate in the
+ // handshake.
+ let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ certDir.append("test_intermediate_preloads");
+ Assert.ok(certDir.exists(), "test_intermediate_preloads should exist");
+ let args = ["-D", "-n", "int"];
+ // If the certdb is cached from a previous run, the intermediate will have
+ // already been deleted, so this may "fail".
+ run_certutil_on_directory(certDir.path, args, false);
+ let certsCachedPromise = TestUtils.topicObserved(
+ "psm:intermediate-certs-cached"
+ );
+ await asyncConnectTo("ee.example.com", PRErrorCodeSuccess);
+ let subjectAndData = await certsCachedPromise;
+ Assert.equal(subjectAndData.length, 2, "expecting [subject, data]");
+ // Since the intermediate is preloaded, we don't save it to the profile's
+ // certdb.
+ Assert.equal(subjectAndData[1], "0", `expecting "0" certs imported`);
+
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+
+ let localDB = await IntermediatePreloadsClient.client.db;
+ let data = await localDB.list();
+ ok(!!data.length, "should have some entries");
+ // simulate a sync (syncAndDownload doesn't actually... sync.)
+ await IntermediatePreloadsClient.client.emit("sync", {
+ data: {
+ current: data,
+ created: data,
+ deleted: [],
+ updated: [],
+ },
+ });
+
+ // check that ee cert 2 does not verify - since we don't know the issuer of
+ // this certificate
+ await checkCertErrorGeneric(
+ certDB,
+ ee_cert_2,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer
+ );
+});
+
+add_task(async function test_preload_200() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+ Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100);
+
+ const files = [];
+ for (let i = 0; i < 200; i++) {
+ files.push(["int.pem", "int2.pem"][i % 2]);
+ }
+
+ let result = await syncAndDownload(files);
+ equal(result, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 100,
+ "There should have been only 100 downloaded"
+ );
+
+ // Re-run
+ result = await syncAndDownload([], { clear: false });
+ equal(result, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 200,
+ "There should have been 200 downloaded"
+ );
+});
+
+add_task(async function test_delete() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+ Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100);
+
+ let syncResult = await syncAndDownload(["int.pem", "int2.pem"]);
+ equal(syncResult, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 2,
+ "There should have been 2 downloads"
+ );
+
+ let localDB = await IntermediatePreloadsClient.client.db;
+ let data = await localDB.list();
+ ok(!!data.length, "should have some entries");
+ let subject = data[0].subjectDN;
+ let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
+ Ci.nsICertStorage
+ );
+ let resultsBefore = certStorage.findCertsBySubject(
+ stringToArray(atob(subject))
+ );
+ equal(
+ resultsBefore.length,
+ 1,
+ "should find the intermediate in cert storage before"
+ );
+ // simulate a sync where we deleted the entry
+ await IntermediatePreloadsClient.client.emit("sync", {
+ data: {
+ current: [],
+ created: [],
+ deleted: [data[0]],
+ updated: [],
+ },
+ });
+ let resultsAfter = certStorage.findCertsBySubject(
+ stringToArray(atob(subject))
+ );
+ equal(
+ resultsAfter.length,
+ 0,
+ "shouldn't find intermediate in cert storage now"
+ );
+});
+
+function findCertByCommonName(certDB, commonName) {
+ for (let cert of certDB.getCerts()) {
+ if (cert.commonName == commonName) {
+ return cert;
+ }
+ }
+ return null;
+}
+
+add_task(async function test_healer() {
+ Services.prefs.setBoolPref(INTERMEDIATES_ENABLED_PREF, true);
+ Services.prefs.setIntPref(INTERMEDIATES_DL_PER_POLL_PREF, 100);
+
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ // Add an intermediate as if it had previously been cached.
+ addCertFromFile(certDB, "test_intermediate_preloads/int.pem", ",,");
+ // Add an intermediate with non-default trust settings as if it had been added by the user.
+ addCertFromFile(certDB, "test_intermediate_preloads/int2.pem", "CTu,,");
+
+ let syncResult = await syncAndDownload(["int.pem", "int2.pem"]);
+ equal(syncResult, "success", "Preloading update should have run");
+
+ equal(
+ (await locallyDownloaded()).length,
+ 2,
+ "There should have been 2 downloads"
+ );
+
+ let healerRanPromise = TestUtils.topicObserved(
+ "psm:intermediate-preloading-healer-ran"
+ );
+ Services.prefs.setIntPref(
+ "security.intermediate_preloading_healer.timer_interval_ms",
+ 500
+ );
+ Services.prefs.setBoolPref(
+ "security.intermediate_preloading_healer.enabled",
+ true
+ );
+ await healerRanPromise;
+ Services.prefs.setBoolPref(
+ "security.intermediate_preloading_healer.enabled",
+ false
+ );
+
+ let intermediate = findCertByCommonName(
+ certDB,
+ "intermediate-preloading-intermediate"
+ );
+ equal(intermediate, null, "should not find intermediate in NSS");
+ let intermediate2 = findCertByCommonName(
+ certDB,
+ "intermediate-preloading-intermediate2"
+ );
+ notEqual(intermediate2, null, "should find second intermediate in NSS");
+});
+
+function run_test() {
+ server = new HttpServer();
+ server.start(-1);
+ registerCleanupFunction(() => server.stop(() => {}));
+
+ server.registerDirectory(
+ "/cdn/security-state-workspace/intermediates/",
+ do_get_file("test_intermediate_preloads")
+ );
+
+ server.registerPathHandler("/v1/", (request, response) => {
+ response.write(
+ JSON.stringify({
+ capabilities: {
+ attachments: {
+ base_url: `http://localhost:${server.identity.primaryPort}/cdn/`,
+ },
+ },
+ })
+ );
+ response.setHeader("Content-Type", "application/json; charset=UTF-8");
+ response.setStatusLine(null, 200, "OK");
+ });
+
+ Services.prefs.setCharPref(
+ "services.settings.server",
+ `http://localhost:${server.identity.primaryPort}/v1`
+ );
+
+ Services.prefs.setCharPref("browser.policies.loglevel", "debug");
+
+ run_next_test();
+}
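Review bot: The negative tests only tamper with `attachment.hash` (`test_preload_invalid_hash`) and `attachment.size` (`test_preload_invalid_length`); in `syncAndDownload` the `derHash`, `pubKeyHash` and `subjectDN` fields are always computed from the certificate file itself, so a record whose certificate metadata disagrees with the downloaded attachment is never exercised. Since `test_delete` shows these records drive what ends up in cert storage, that mismatch case deserves a test of its own. I would add an override next to `hashFunc`, e.g. `derHashFunc = der => getHashCommon(der, true),` in the options destructuring and `derHash: derHashFunc(certDERBytes),` in the record, and a task that passes a wrong value. How the client is meant to react is not visible in this hunk, so the expected result should be confirmed against `RemoteSecuritySettings.jsm` before it is asserted.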
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem new file mode 100644 index 0000000000..680b068f34 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+TCCAeGgAwIBAgIUN/Y56TvJcL2liqk2Feh/QfKrlLwwDQYJKoZIhvcNAQEL +BQAwJTEjMCEGA1UEAwwaaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctY2EwIhgPMjAx +MDAxMDEwMDAwMDBaGA8yMDUwMDEwMTAwMDAwMFowJTEjMCEGA1UEAwwaaW50ZXJt +ZWRpYXRlLXByZWxvYWRpbmctY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD +VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBSPwr2BfSHT3saxwx6YGEautZx +w/sdM9AJAubFLqDd3MYHtzCZcQXaeDGbAzvo8m/PKA4Yt+UYbKyDnRR8sLA4f/iu +z1zHeenlzBWpRVHu/++ZSk/ESwn0zLprIsOcXjaYkbfrqcEGNWvLJzpT4T36Gr9t +DvxHnpsaMsJviZS3WHzTSoioWkcRyF78bYa51ZJWYJHFKZQppqhJ+jcoJhiomRlc +WwhI8NAU3dOOFJuEg/z+vQpcEQi0rRW9J6X/15BUZRQlF5Hs2wilGa8ViNX2+B5I +kjbmNrdT5hcnGEfR7JpHFuihFdxQc4CFY87u1chI8yaHLhhriUP6Jq0+J5ur +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem.certspec new file mode 100644 index 0000000000..4ccabc25b3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ca.pem.certspec @@ -0,0 +1,5 @@ +issuer:intermediate-preloading-ca +subject:intermediate-preloading-ca +validity:20100101-20500101 +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign 
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key new file mode 100644 index 0000000000..09e044f5e0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem new file mode 100644 index 0000000000..4a69166215 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDDDCCAfSgAwIBAgIUcx7CbjSZKlPaTqjk1pXt0w+fswUwDQYJKoZIhvcNAQEL +BQAwLzEtMCsGA1UEAwwkaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctaW50ZXJtZWRp +YXRlMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMBkxFzAVBgNV +BAMMDmVlLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptu +Gobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO +7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgf +qDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/yt +HSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcx +uLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozIwMDATBgNVHSUEDDAKBggrBgEFBQcD +ATAZBgNVHREEEjAQgg5lZS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA +gNr8S/J6CJLQu56YUxksBCLxvcrJw82G9X7rdZ0sXZ4CCHTQjQZbnuc+rJTuGPJX +36f0m3EPkNa1UepfTtZWe364ATju/F2TUg0XWEm634NI4F8Hy7jXBsYaTVN6yBoK +cvRSdvko3BbcKXMQfq5zbdRvs1VtSC9cPPyrZYdQxpMar4+JhN1sPx7C3g0hn84C +VnVpgZlrh+CnSwUiq7I3Q44el2j453GEbKCbXDMxooSq+gD3rMTPsOCsk4GmeH3R +ILMtaJ/zFd6C7lSkGQPSLNarTqcIudXACWWbzEqZ8uS4GoyaEIYiUf00YMquS4Cu +xTG8+QNSp9tIoUw48chxjw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem.certspec new file mode 100644 index 0000000000..e9decb76dc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/default-ee.pem.certspec 
@@ -0,0 +1,4 @@ +issuer:intermediate-preloading-intermediate +subject:ee.example.com +extension:extKeyUsage:serverAuth +extension:subjectAlternativeName:ee.example.com diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem new file mode 100644 index 0000000000..a1394d56db --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5zCCAc+gAwIBAgIUI6lFTWQgzUkUf/0bE/nqjn1SLNYwDQYJKoZIhvcNAQEL +BQAwMDEuMCwGA1UEAwwlaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctaW50ZXJtZWRp +YXRlMjAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAOMQwwCgYD +VQQDDANlZTIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W +1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtq +ZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx +0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthV +t2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo +4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx +1QOs2hgKNe2NAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3 +DQEBCwUAA4IBAQBDTPaqjguUw5J5Jh7p0NdZK6A2XxBRxUcrQqvT3FsnO5sauXHU +2y7BJNDilPs+A8edIPLezio6aCijg2uZpIKc0Le0L/AeyWYoObiuQ+Lcs9NkhQMm +3Jqnjw8lbKLO4ojOHEgJqW7VWDCyTCsLDFkZBSC0cAxr79mRdrvPF89Q27xHrBo2 +UgwKuffODwmgNJCznpvkYvvrZQ2WxO8JZk9eAy/mSn6vlyD41nqI8CYQhGKwdxLT +Xwip+uag1KQup6dgD3cNSRTBDeBL2z9m9HziPNlOTY9SyFxt32YxO1DOaSHy7kCi +o82rGqU5p8VbGlS2RvzQvMEhptxt+GKLC/6c +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem.certspec new file mode 100644 index 0000000000..089ac63831 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem.certspec @@ -0,0 +1,3 @@ +issuer:intermediate-preloading-intermediate2 +subject:ee2 +extension:extKeyUsage:serverAuth 
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem new file mode 100644 index 0000000000..480a18002a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDAzCCAeugAwIBAgIUIRWUrRSEgMYUudCmgeB863e4mK4wDQYJKoZIhvcNAQEL +BQAwJTEjMCEGA1UEAwwaaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctY2EwIhgPMjAy +MTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowLzEtMCsGA1UEAwwkaW50ZXJt +ZWRpYXRlLXByZWxvYWRpbmctaW50ZXJtZWRpYXRlMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRME +BTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAuEbrWJmimyJJ +XQr4efjCRdNUaZ9b/7MihnpISIPvVQFrQ1XmDEG+9zy1IDaNNZ14s8NCEl0S12mI +vWxKtU91UAJttFH8idip6s2kC9Mfxw8wTbgsGcUnJhszS6emJ8TnEPMaovFwet2m +bjwjzvPoFohsupHz+FXMxHgaErzxIh08y6DzU+N9DctKcZkNGg5TTwfzYrcJo3MV +Xx1uxLHTRMdQHfve2g53kKzAJIThls7NdHoD8DcK54lns05tO7CD2vdtNXMc1M8q +DnofGLcaGBtPbB8RbwCSQme7G5ICvbxNDC3i6/LAjvKSAsUL2gCExFjaN7UK/qN+ +PklUW8438Q== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem.certspec new file mode 100644 index 0000000000..5863b3131f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem.certspec @@ -0,0 +1,4 @@ +issuer:intermediate-preloading-ca +subject:intermediate-preloading-intermediate +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign 
diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem new file mode 100644 index 0000000000..2e2791ac00 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBTCCAe2gAwIBAgIUEyGPTx1+eoN9OVa+vKQz//tVlfYwDQYJKoZIhvcNAQEL +BQAwJjEkMCIGA1UEAwwbaW50ZXJtZWRpYXRlLXByZWxvYWRpbmctY2EyMCIYDzIw +MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMDAxLjAsBgNVBAMMJWludGVy +bWVkaWF0ZS1wcmVsb2FkaW5nLWludGVybWVkaWF0ZTIwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk +e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg +KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI +YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi +lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL +HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1Ud +EwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQAeX4/JsyHg +0g8S+om/H4zuEgGntF1nqpcAFejMJfl7DJe8ukzTzlQF/IcDQEtv264xjMWaVssn +kV/va8vVkYIJqc/FIrkuxrFLNFGNOrV6KL14sR0+TlJ/FEOyig+Yt5+RPC2HZZBS +4n5VUxxK/U52dM6jonbFOcqZXpPAJDYcfg2MThkg/oupcXW7v00EUOL6QEdAMlzY +wZk5PEIgQckDVr4hwygdmpmAYfD98ru0gqNp5KYdR5uqskQlfHjrIuUNEUpehPGX +KF9Fqo8Gu1G0dmI4poOxGarKum8nd+b/Cjo1rgQYTBwWMhFzS4zVK4CfgzgUCjNb +ykTwaGJf7EwV +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem.certspec b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem.certspec new file mode 100644 index 0000000000..27e9a008df --- /dev/null +++ b/security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem.certspec @@ -0,0 +1,4 @@ +issuer:intermediate-preloading-ca2 +subject:intermediate-preloading-intermediate2 +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign 
diff --git a/security/manager/ssl/tests/unit/test_keysize.js b/security/manager/ssl/tests/unit/test_keysize.js new file mode 100644 index 0000000000..b9a1412819 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize.js 
@@ -0,0 +1,204 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// Checks that RSA certs with key sizes below 1024 bits are rejected. +// Checks that ECC certs using curves other than the NIST P-256, P-384 or P-521 +// curves are rejected. + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +/** + * Tests a cert chain. + * + * @param {string} rootKeyType + * The key type of the root certificate, or the name of an elliptic + * curve, as output by the 'openssl ecparam -list_curves' command. + * @param {number} rootKeySize + * @param {string} intKeyType + * @param {number} intKeySize + * @param {string} eeKeyType + * @param {number} eeKeySize + * @param {PRErrorCode} eeExpectedError + * @returns {Promise} a promise that will resolve when the verification has + * completed + */ +function checkChain( + rootKeyType, + rootKeySize, + intKeyType, + intKeySize, + eeKeyType, + eeKeySize, + eeExpectedError +) { + let rootName = "root_" + rootKeyType + "_" + rootKeySize; + let intName = "int_" + intKeyType + "_" + intKeySize; + let eeName = "ee_" + eeKeyType + "_" + eeKeySize; + + let intFullName = intName + "-" + rootName; + let eeFullName = eeName + "-" + intName + "-" + rootName; + + addCertFromFile(certdb, `test_keysize/${rootName}.pem`, "CTu,CTu,CTu"); + addCertFromFile(certdb, `test_keysize/${intFullName}.pem`, ",,"); + let eeCert = constructCertFromFile(`test_keysize/${eeFullName}.pem`); + + info("cert o=" + eeCert.organization); + info("cert issuer o=" + eeCert.issuerOrganization); + return checkCertErrorGeneric( + certdb, + eeCert, + eeExpectedError, + certificateUsageSSLServer + ); +} + +/** + * Tests various RSA chains. 
+ * + * @param {number} inadequateKeySize + * @param {number} adequateKeySize + */ +async function checkRSAChains(inadequateKeySize, adequateKeySize) { + // Chain with certs that have adequate sizes for DV + await checkChain( + "rsa", + adequateKeySize, + "rsa", + adequateKeySize, + "rsa", + adequateKeySize, + PRErrorCodeSuccess + ); + + // Chain with a root cert that has an inadequate size for DV + await checkChain( + "rsa", + inadequateKeySize, + "rsa", + adequateKeySize, + "rsa", + adequateKeySize, + MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE + ); + + // Chain with an intermediate cert that has an inadequate size for DV + await checkChain( + "rsa", + adequateKeySize, + "rsa", + inadequateKeySize, + "rsa", + adequateKeySize, + MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE + ); + + // Chain with an end entity cert that has an inadequate size for DV + await checkChain( + "rsa", + adequateKeySize, + "rsa", + adequateKeySize, + "rsa", + inadequateKeySize, + MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE + ); +} + +async function checkECCChains() { + await checkChain( + "secp256r1", + 256, + "secp384r1", + 384, + "secp521r1", + 521, + PRErrorCodeSuccess + ); + await checkChain( + "secp256r1", + 256, + "secp224r1", + 224, + "secp256r1", + 256, + SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE + ); + await checkChain( + "secp256r1", + 256, + "secp256r1", + 256, + "secp224r1", + 224, + SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE + ); + await checkChain( + "secp224r1", + 224, + "secp256r1", + 256, + "secp256r1", + 256, + SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE + ); + await checkChain( + "secp256r1", + 256, + "secp256r1", + 256, + "secp256k1", + 256, + SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE + ); + await checkChain( + "secp256k1", + 256, + "secp256r1", + 256, + "secp256r1", + 256, + SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE + ); +} + +async function checkCombinationChains() { + await checkChain( + "rsa", + 2048, + "secp256r1", + 256, + "secp384r1", + 384, + PRErrorCodeSuccess + ); + await checkChain( + "rsa", + 2048, + 
"secp256r1", + 256, + "secp224r1", + 224, + SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE + ); + await checkChain( + "secp256r1", + 256, + "rsa", + 1016, + "secp256r1", + 256, + MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE + ); +} + +add_task(async function() { + await checkRSAChains(1016, 1024); + await checkECCChains(); + await checkCombinationChains(); +}); diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem new file mode 100644 index 0000000000..1514e2afe0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB4DCCAUmgAwIBAgIUVwxpwbAz8P34bpOsh6+QbP2ojSAwDQYJKoZIhvcNAQEL +BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwIhgPMjAy +MTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowMTEvMC0GA1UEAwwmZWVfcnNh +XzEwMTYtaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwgZ4wDQYJKoZIhvcNAQEB +BQADgYwAMIGIAoGAANKbsS+4T93NKbOlGctmxDuNj4vlRbp5OEzmY+0D33WZFgDr +kgeQ0lMM7OVE25mnHwWJaj7SBxZVNKqZBX5HxH47yBrab6HhLjcmi1BGpVJo+drX +zLSF2BouGdUNTwtoVKyvbXvmnZoIMTbhWvqPU8HIyE/GB3J53Q5V1zaaW90CAwEA +ATANBgkqhkiG9w0BAQsFAAOBgQAJBfYK3k9MPwwgr5XUjo2GDsMyWL/rrF6qud/Q +vRhdgfPZYWXZ70dHdZEH3iEOub4z049/Jpvz4CkW+mxV1JTwzJn/t/t/UNWlhovX +rrRAUTid2ePG2AnceiuGRNj6DLMyIriMURnVj1imscyamATg2t6bIHEzsvmUheaA +3fDiMw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem.certspec new file mode 100644 index 0000000000..7b86ef7861 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.pem.certspec @@ -0,0 +1,4 @@ +issuer:int_rsa_1024-root_rsa_1024 +subject:ee_rsa_1016-int_rsa_1024-root_rsa_1024 +issuerKey:rsa1024 +subjectKey:rsa1016 
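Review bot: The negative cases in `checkECCChains` and `checkCombinationChains` carry no comment saying which certificate in the chain is meant to trigger the rejection, unlike the per-case comments in `checkRSAChains`. With seven positional arguments per `checkChain` call, a reader has to count positions to see that, for example, the second ECC case puts secp224r1 on the intermediate. I would add a one-line comment above each call, such as `// Intermediate uses secp224r1, outside the accepted P-256/P-384/P-521 set`, and give both functions a short JSDoc block like the one on `checkRSAChains`. The literals in `add_task` would also benefit from `// 1016 is one byte short of the 1024-bit RSA minimum this test enforces`.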
diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem new file mode 100644 index 0000000000..42daa0757b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB4DCCAUqgAwIBAgIUfx3llLPabDFECt89htHl5RT/8dgwDQYJKoZIhvcNAQEL +BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDE2LXJvb3RfcnNhXzEwMjQwIhgPMjAy +MTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowMTEvMC0GA1UEAwwmZWVfcnNh +XzEwMjQtaW50X3JzYV8xMDE2LXJvb3RfcnNhXzEwMjQwgZ8wDQYJKoZIhvcNAQEB +BQADgY0AMIGJAoGBANOpdEAQHrqMXflQPm+TXrUv/rPr6dDcXKzib5c8qUy8DZwx +1mwMATvOnILQ1IAyjfBftrzXmQpTEt2uYVKtbuYcjBvdhmPGi9NiJKmIKueOifVW +39vm9R2mESy/wnyKSTNrQa/bdTIbUrJKc0TRNI5kY1GlUcdXHM2guP419hp1AgMB +AAEwDQYJKoZIhvcNAQELBQADgYAAu75m62DkOU7ZXkCVpF1Qu6IZ3Kxpw+JCKDmm +jDyrtW7VyVadDnpcXeXsfoWgpWICGNgS/nYHPW/Sb8VmIdSkYZz0WZ4LrnJR+ReM +WYnShnhMnfVDZ+2ei5gFrNMlGy9VESyZpHMtK069v4y2Krj28CAQ5PLtK56MrlcW +KuGqsQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem.certspec new file mode 100644 index 0000000000..326d665dcc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.pem.certspec @@ -0,0 +1,4 @@ +issuer:int_rsa_1016-root_rsa_1024 +subject:ee_rsa_1024-int_rsa_1016-root_rsa_1024 +issuerKey:rsa1016 +subjectKey:rsa1024 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem new file mode 100644 index 0000000000..5e3c2b7616 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICRjCCAa+gAwIBAgIUbSYmFjBHNggSogoGtlUuasRUNUMwDQYJKoZIhvcNAQEL +BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMTYwIhgPMjAy +MTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowEjEQMA4GA1UEAwwHcnNhMTAy +NDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG +NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn +RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu +p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ +Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p +47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1 +7Y0CAwEAATANBgkqhkiG9w0BAQsFAAOBgQBPmmqHLLrGqankJL7agjYMNnN4zUnH +i03p3WOQHfI58xRjBev0xoLBIf7pD/N4+RyB2zGyhfUBN7DAcFxwr3n4If4Z1bo3 +KLjDe4vQx/cxU1iUod7VDB/FoDrKGG9otpUakgBURLmi/2sdfg5VyedmzfINJYso +Fx7U2rKFpkBTzA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem.certspec new file mode 100644 index 0000000000..c44a089ed6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem.certspec @@ -0,0 +1,4 @@ +issuer:int_rsa_1024-root_rsa_1016 +subject:ee_rsa_1024-int_rsa_1024-root_rsa_1016 +issuerKey:rsa1024 +subject:rsa1024 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem new file mode 100644 index 0000000000..2f05523a61 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem 
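Review bot: The last line of `ee_rsa_1024-int_rsa_1024-root_rsa_1016.pem.certspec` reads `subject:rsa1024`, where the sibling end-entity specs use `subjectKey:rsa1024`, so this spec sets the subject twice and never selects a subject key. The PEM added alongside it is 15 lines where the other RSA-1024 end-entity certificates are 13, which suggests the later `subject:` line replaced the name and the key fell back to the generator's default size. The inadequate-root case in `test_keysize.js` would still fail on the 1016-bit root, but the end-entity fixture no longer matches its file name. The line should be `subjectKey:rsa1024`, with the PEM regenerated from the corrected spec.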
@@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB4TCCAUqgAwIBAgIUf88bfQzu3egYcqR2nozsNhooSEEwDQYJKoZIhvcNAQEL +BQAwJTEjMCEGA1UEAwwaaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwIhgPMjAy +MTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowMTEvMC0GA1UEAwwmZWVfcnNh +XzEwMjQtaW50X3JzYV8xMDI0LXJvb3RfcnNhXzEwMjQwgZ8wDQYJKoZIhvcNAQEB +BQADgY0AMIGJAoGBANOpdEAQHrqMXflQPm+TXrUv/rPr6dDcXKzib5c8qUy8DZwx +1mwMATvOnILQ1IAyjfBftrzXmQpTEt2uYVKtbuYcjBvdhmPGi9NiJKmIKueOifVW +39vm9R2mESy/wnyKSTNrQa/bdTIbUrJKc0TRNI5kY1GlUcdXHM2guP419hp1AgMB +AAEwDQYJKoZIhvcNAQELBQADgYEAl0O2IIX5cI8wtLbjxrwrIxPq04WSzUHA0/MM +UKTvB544MDje/rjg88UKuQ/JbPWYCrK/8kKpriQKFSwx9y8aL32j2jD6u/QkPdE2 +ow/P2ycHJlgdrROCrWiByfaXullQRR2e7dxWgHXINcIeokdDeOlh6rORQWySaSdm +kYpjObw= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem.certspec new file mode 100644 index 0000000000..a6ee408ec9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.pem.certspec @@ -0,0 +1,4 @@ +issuer:int_rsa_1024-root_rsa_1024 +subject:ee_rsa_1024-int_rsa_1024-root_rsa_1024 +issuerKey:rsa1024 +subjectKey:rsa1024 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem new file mode 100644 index 0000000000..f3a5ab79b4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem 
@@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBXDCCAQOgAwIBAgIUXYvHjg0MUxqF2X6hrh/dJbT805AwCgYIKoZIzj0EAwIw +KjEoMCYGA1UEAwwfaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9yc2FfMjA0ODAiGA8y +MDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjA7MTkwNwYDVQQDDDBlZV9z +ZWNwMjI0cjFfMjI0LWludF9zZWNwMjU2cjFfMjU2LXJvb3RfcnNhXzIwNDgwTTAQ +BgcqhkjOPQIBBgUrgQQAIQM5AARmjXLMpv1qGzVXtTZhBNhECOy2N/COjIa7/4LM +6I8AZtevY8Mpi6N3NIoSArA7N/1rH/QVqjEeMAoGCCqGSM49BAMCA0cAMEQCIFx1 +UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDmAiB0nTf5BbTdtJmD7a1JRbHC +tQ5dVzRgseqLk/nFu2/0cg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem.certspec new file mode 100644 index 0000000000..87d2f67339 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_rsa_2048.pem.certspec @@ -0,0 +1,5 @@ +issuer:int_secp256r1_256-root_rsa_2048 +subject:ee_secp224r1_224-int_secp256r1_256-root_rsa_2048 +issuerKey:secp256r1 +subjectKey:secp224r1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem new file mode 100644 index 0000000000..c0894db548 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem 
@@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBZzCCAQ2gAwIBAgIUb5c9bUbBr5F+ODFobDbjzKYl6ZwwCgYIKoZIzj0EAwIw +LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2cjFfMjU2 +MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEAxPjA8BgNVBAMM +NWVlX3NlY3AyMjRyMV8yMjQtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2 +cjFfMjU2ME0wEAYHKoZIzj0CAQYFK4EEACEDOQAEZo1yzKb9ahs1V7U2YQTYRAjs +tjfwjoyGu/+CzOiPAGbXr2PDKYujdzSKEgKwOzf9ax/0FaoxHjAKBggqhkjOPQQD +AgNIADBFAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctCgApw5gIhALwxNSek +yl4Ve2/JszqMa7k+C2Q4tuZChCZYvNqQp99f +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..1aadce0765 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256.pem.certspec @@ -0,0 +1,5 @@ +issuer:int_secp256r1_256-root_secp256r1_256 +subject:ee_secp224r1_224-int_secp256r1_256-root_secp256r1_256 +issuerKey:secp256r1 +subjectKey:secp224r1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem new file mode 100644 index 0000000000..4ca0497642 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem 
@@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBbzCCARagAwIBAgIUa1MOcQgjz0GXbvb/nNSJWQo7Y9MwCgYIKoZIzj0EAwIw +LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2cjFfMjU2 +MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEAxPjA8BgNVBAMM +NWVlX3NlY3AyNTZrMV8yNTYtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2 +cjFfMjU2MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAENe58conY/veoav5dpm2Lwuu2 +qFQ/0v6tCJ9FznrND6ZDgqlQDEHa13D/1LURv0tJLrEjiADDLE92xzo/MpTnxTAK +BggqhkjOPQQDAgNHADBEAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctCgApw +5gIgdRmR9h7EWLJiw/HOA4VI/+aCQTQ74ywcJc6m1v8bxcc= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..ba999e8f14 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256.pem.certspec @@ -0,0 +1,5 @@ +issuer:int_secp256r1_256-root_secp256r1_256 +subject:ee_secp256k1_256-int_secp256r1_256-root_secp256r1_256 +issuerKey:secp256r1 +subjectKey:secp256k1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem new file mode 100644 index 0000000000..f9b3563ce6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem 
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBqDCCARKgAwIBAgIUQXmjIgDMGJMlxFe7ZCL7DCwTTOwwDQYJKoZIhvcNAQEL +BQAwKjEoMCYGA1UEAwwfaW50X3JzYV8xMDE2LXJvb3Rfc2VjcDI1NnIxXzI1NjAi +GA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjA7MTkwNwYDVQQDDDBl +ZV9zZWNwMjU2cjFfMjU2LWludF9yc2FfMTAxNi1yb290X3NlY3AyNTZyMV8yNTYw +WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARPv7u7YeD4+bGmClmshwTi7AULQj48 +9y6SPyxPeUtFXCpp0jNFbDbEEZ0HBuAO7cjRk5DXmRt7LQejBOqgSqbAMA0GCSqG +SIb3DQEBCwUAA4GAAHF+Lr1T0H2jrjkcXLUsXkVPjNZjy1NRRr6WJyjhF6FKnetP +SAMZx1oTY9Sql2mgfWJqJA7vx7t8074hsyjbPt4SHozNdoRw8UhDTIhYZf+pH5pf +u7D/l0d3zwTm2rHy4PBBJRnJYPES9Gdh5XnQWX08zsPU50Y6NGQm/WS2b1Q= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..1e2e0a3759 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_rsa_1016-root_secp256r1_256.pem.certspec @@ -0,0 +1,4 @@ +issuer:int_rsa_1016-root_secp256r1_256 +subject:ee_secp256r1_256-int_rsa_1016-root_secp256r1_256 +issuerKey:rsa1016 +subjectKey:secp256r1 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem new file mode 100644 index 0000000000..4403f731cc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem 
@@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBazCCARmgAwIBAgIUJ2KRkxVMwamWLnZIQF6ghanSUzIwCgYIKoZIzj0EAwIw +LzEtMCsGA1UEAwwkaW50X3NlY3AyMjRyMV8yMjQtcm9vdF9zZWNwMjU2cjFfMjU2 +MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEAxPjA8BgNVBAMM +NWVlX3NlY3AyNTZyMV8yNTYtaW50X3NlY3AyMjRyMV8yMjQtcm9vdF9zZWNwMjU2 +cjFfMjU2MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+PmxpgpZrIcE +4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0HowTqoEqm +wDAKBggqhkjOPQQDAgNAADA9Ah0Amjxv8EbbcPJV9S/WmFIc1y28BSBjT5W2S7JS +VAIcT8yypPbHzh/icArRyNdIkahxBc/+5tX8YsY/OA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..bd7bc770c7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256.pem.certspec @@ -0,0 +1,5 @@ +issuer:int_secp224r1_224-root_secp256r1_256 +subject:ee_secp256r1_256-int_secp224r1_224-root_secp256r1_256 +issuerKey:secp224r1 +subjectKey:secp256r1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem new file mode 100644 index 0000000000..6ee2ed1f2f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem 
@@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBcjCCARmgAwIBAgIUDQfZ3zvs9qJa/PtD+Zsr5myOCYYwCgYIKoZIzj0EAwIw +LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjI0cjFfMjI0 +MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEAxPjA8BgNVBAMM +NWVlX3NlY3AyNTZyMV8yNTYtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjI0 +cjFfMjI0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+PmxpgpZrIcE +4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0HowTqoEqm +wDAKBggqhkjOPQQDAgNHADBEAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctC +gApw5gIgJDWD1/nBx/6dIMlHHa07N2IDyTwYFzltWBXmgrigTjQ= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem.certspec new file mode 100644 index 0000000000..fe7b7f7482 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224.pem.certspec @@ -0,0 +1,5 @@ +issuer:int_secp256r1_256-root_secp224r1_224 +subject:ee_secp256r1_256-int_secp256r1_256-root_secp224r1_224 +issuerKey:secp256r1 +subjectKey:secp256r1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem new file mode 100644 index 0000000000..e273ce5525 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem 
@@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBczCCARmgAwIBAgIUATe62fX5Ze+WwA3r3INkBmZ2No0wCgYIKoZIzj0EAwIw +LzEtMCsGA1UEAwwkaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2azFfMjU2 +MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEAxPjA8BgNVBAMM +NWVlX3NlY3AyNTZyMV8yNTYtaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9zZWNwMjU2 +azFfMjU2MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+PmxpgpZrIcE +4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0HowTqoEqm +wDAKBggqhkjOPQQDAgNIADBFAiBcdVGfExFQzV2K3iCjvAYwkf+yc3VfMWTs/ctC +gApw5gIhAKOvAfyNhAtngfvVMxAw2Ql34vGZccVGQDS59AWW93RV +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem.certspec new file mode 100644 index 0000000000..aefffd9810 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256.pem.certspec @@ -0,0 +1,5 @@ +issuer:int_secp256r1_256-root_secp256k1_256 +subject:ee_secp256r1_256-int_secp256r1_256-root_secp256k1_256 +issuerKey:secp256r1 +subjectKey:secp256r1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem new file mode 100644 index 0000000000..0e44de8e33 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem 
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBhTCCASygAwIBAgIUWfAaaiXGBAuskGffwQ+qApfqSwowCgYIKoZIzj0EAwIw +KjEoMCYGA1UEAwwfaW50X3NlY3AyNTZyMV8yNTYtcm9vdF9yc2FfMjA0ODAiGA8y +MDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjA7MTkwNwYDVQQDDDBlZV9z +ZWNwMzg0cjFfMzg0LWludF9zZWNwMjU2cjFfMjU2LXJvb3RfcnNhXzIwNDgwdjAQ +BgcqhkjOPQIBBgUrgQQAIgNiAAShaHJDNitcexiJ83kVRhWhxz+0je6GPgIpFdtg +jiUt5LcTLajOmOgxU05qnAwLCcjWOa3oMgbluoE0c6EfozDgXajJbkOD/ieHPalx +A74oiM/wAvBa9xof3cyDdKpuqc4wCgYIKoZIzj0EAwIDRwAwRAIgXHVRnxMRUM1d +it4go7wGMJH/snN1XzFk7P3LQoAKcOYCIDpgUEiNKL+ntNWMucP0wHDNTDIxEg4v +Bjem251RNI7f +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem.certspec new file mode 100644 index 0000000000..615818d08b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_secp256r1_256-root_rsa_2048.pem.certspec @@ -0,0 +1,5 @@ +issuer:int_secp256r1_256-root_rsa_2048 +subject:ee_secp384r1_384-int_secp256r1_256-root_rsa_2048 +issuerKey:secp256r1 +subjectKey:secp384r1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem new file mode 100644 index 0000000000..6d7ec9003f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem 
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIB1zCCAVygAwIBAgIUOd3+Ig6xQ1VYRGT/6xjAv5tiQnEwCgYIKoZIzj0EAwIw +LzEtMCsGA1UEAwwkaW50X3NlY3AzODRyMV8zODQtcm9vdF9zZWNwMjU2cjFfMjU2 +MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEAxPjA8BgNVBAMM +NWVlX3NlY3A1MjFyMV81MjEtaW50X3NlY3AzODRyMV8zODQtcm9vdF9zZWNwMjU2 +cjFfMjU2MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBTNycrMR5QQlrycxmdS7C +f1l3NPpmxit5L4jFGdbTfw0W6hxIOhgnoBC5Eo46CAcMoz719Xg1t8G6JR9sw1Id +xCsBBlNFGYG0RdND7tN4KjXWz/D/SE9aiD0gnxuQQrcmcDVosvMm4YuDO92KoHND +krzRlQHhDWmKefU+EeCiK90qrZAwCgYIKoZIzj0EAwIDaQAwZgIxAO0GJz6haDpU +tNgaQ3SESJY85j6+gRcD7Nc9cvCiVAZZ1OxFRuhW515lVbeTqfcA8wIxAOzP94f9 +No4Fk3LsupP5uGkSyi5QDAQ0o8uGQV9AzwOZ+qWIbTU5dtSscvjhskLAXQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..b2ae9d0c8f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256.pem.certspec @@ -0,0 +1,5 @@ +issuer:int_secp384r1_384-root_secp256r1_256 +subject:ee_secp521r1_521-int_secp384r1_384-root_secp256r1_256 +issuerKey:secp384r1 +subjectKey:secp521r1 +signature:ecdsaWithSHA256 diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem new file mode 100644 index 0000000000..b8374730a6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem 
@@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB5jCCAU+gAwIBAgIUEUvOHnMPiL7M+vsW3nuLxaEea2kwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAyNDAiGA8yMDIxMTEyNzAwMDAwMFoY +DzIwMjQwMjA1MDAwMDAwWjAlMSMwIQYDVQQDDBppbnRfcnNhXzEwMTYtcm9vdF9y +c2FfMTAyNDCBnjANBgkqhkiG9w0BAQEFAAOBjAAwgYgCgYAA0puxL7hP3c0ps6UZ +y2bEO42Pi+VFunk4TOZj7QPfdZkWAOuSB5DSUwzs5UTbmacfBYlqPtIHFlU0qpkF +fkfEfjvIGtpvoeEuNyaLUEalUmj52tfMtIXYGi4Z1Q1PC2hUrK9te+admggxNuFa ++o9TwcjIT8YHcnndDlXXNppb3QIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1Ud +DwQEAwIBBjANBgkqhkiG9w0BAQsFAAOBgQCoCuy8BladR/PAVrgOOf4Ph9dFe2MV +Yq6EKOWVU/PuYqZRssLh2CQX3v0vhfDzurD/zgj4+UEzJmm5B3knMFcBedPwW+0k +5KGSdI5Q+gROdkwNx5bGqfnWd+RApjnI8Ykf/HhfO7yFJNzxxr4NANGvt3+M+0rh +WlaGiJ8uWV02gg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem.certspec new file mode 100644 index 0000000000..c6e77116b7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.pem.certspec @@ -0,0 +1,6 @@ +issuer:root_rsa_1024 +subject:int_rsa_1016-root_rsa_1024 +issuerKey:rsa1024 +subjectKey:rsa1016 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem new file mode 100644 index 0000000000..7358d4358b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem 
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBsDCCAVagAwIBAgIUW50MunLFoD4GAqoirchzeiePUZcwCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjExMTI3MDAwMDAw +WhgPMjAyNDAyMDUwMDAwMDBaMCoxKDAmBgNVBAMMH2ludF9yc2FfMTAxNi1yb290 +X3NlY3AyNTZyMV8yNTYwgZ4wDQYJKoZIhvcNAQEBBQADgYwAMIGIAoGAANKbsS+4 +T93NKbOlGctmxDuNj4vlRbp5OEzmY+0D33WZFgDrkgeQ0lMM7OVE25mnHwWJaj7S +BxZVNKqZBX5HxH47yBrab6HhLjcmi1BGpVJo+drXzLSF2BouGdUNTwtoVKyvbXvm +nZoIMTbhWvqPU8HIyE/GB3J53Q5V1zaaW90CAwEAAaMdMBswDAYDVR0TBAUwAwEB +/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDSAAwRQIgXHVRnxMRUM1dit4go7wG +MJH/snN1XzFk7P3LQoAKcOYCIQD5W4T/b85G2u0prFnlPiVMZ0Wjw0rvAFjBUcDV +Y8l0kQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..27728ca374 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_secp256r1_256.pem.certspec @@ -0,0 +1,7 @@ +issuer:root_secp256r1_256 +subject:int_rsa_1016-root_secp256r1_256 +issuerKey:secp256r1 +subjectKey:rsa1016 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem new file mode 100644 index 0000000000..7228823bd3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem 
@@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB5jCCAVCgAwIBAgIUY2vK8QUP90UMoUqSZytNypfMOnwwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAxNjAiGA8yMDIxMTEyNzAwMDAwMFoY +DzIwMjQwMjA1MDAwMDAwWjAlMSMwIQYDVQQDDBppbnRfcnNhXzEwMjQtcm9vdF9y +c2FfMTAxNjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA06l0QBAeuoxd+VA+ +b5NetS/+s+vp0NxcrOJvlzypTLwNnDHWbAwBO86cgtDUgDKN8F+2vNeZClMS3a5h +Uq1u5hyMG92GY8aL02IkqYgq546J9Vbf2+b1HaYRLL/CfIpJM2tBr9t1MhtSskpz +RNE0jmRjUaVRx1cczaC4/jX2GnUCAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNV +HQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYAAINNXc+CjW72JwEYkt+uf23lsrKPb +FujBh35bnHAJJ1UurBdOrr6D1tujWdF+jiixRUeBxfhvn6o6k5UQmNvq8cs7YoJs +ZQNb6+VK849E09vhtE6/xo2GQI8Muyh/8+D9ujGlgWRWQsJmKuUTca02yLfD+Lcx +MHypk9mRS3CDPw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem.certspec new file mode 100644 index 0000000000..fafb393bf9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.pem.certspec @@ -0,0 +1,6 @@ +issuer:root_rsa_1016 +subject:int_rsa_1024-root_rsa_1016 +issuerKey:rsa1016 +subjectKey:rsa1024 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem new file mode 100644 index 0000000000..a0dc860b28 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem 
@@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB5zCCAVCgAwIBAgIUQQZXnXSEQFy9H8+KvR29mhZL8CkwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAyNDAiGA8yMDIxMTEyNzAwMDAwMFoY +DzIwMjQwMjA1MDAwMDAwWjAlMSMwIQYDVQQDDBppbnRfcnNhXzEwMjQtcm9vdF9y +c2FfMTAyNDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA06l0QBAeuoxd+VA+ +b5NetS/+s+vp0NxcrOJvlzypTLwNnDHWbAwBO86cgtDUgDKN8F+2vNeZClMS3a5h +Uq1u5hyMG92GY8aL02IkqYgq546J9Vbf2+b1HaYRLL/CfIpJM2tBr9t1MhtSskpz +RNE0jmRjUaVRx1cczaC4/jX2GnUCAwEAAaMdMBswDAYDVR0TBAUwAwEB/zALBgNV +HQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAqL9M3IKj2oB7xmb5/kj/ljVzawt0 +rlcBTewr4diSiuuJtzR4FGhe7+Sdd8bt9iyOXfdTANOs4hwwuykMtLmNNQ6FT209 +XDzv9NP95kBu/Jc+cF12gYulgbBkFkx9D4zd7W5TTVjyr75Xs+wISSOFGNssNwBn +jOwDWk2JGPCL+sw= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem.certspec new file mode 100644 index 0000000000..66891f9793 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.pem.certspec @@ -0,0 +1,6 @@ +issuer:root_rsa_1024 +subject:int_rsa_1024-root_rsa_1024 +issuerKey:rsa1024 +subjectKey:rsa1024 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem new file mode 100644 index 0000000000..2f7ca90151 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem 
@@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBYjCCAQmgAwIBAgIUa0XXUQa7LlU9/NCMU/UvW1p5/r8wCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjExMTI3MDAwMDAw +WhgPMjAyNDAyMDUwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjI0cjFfMjI0 +LXJvb3Rfc2VjcDI1NnIxXzI1NjBNMBAGByqGSM49AgEGBSuBBAAhAzkABGaNcsym +/WobNVe1NmEE2EQI7LY38I6Mhrv/gszojwBm169jwymLo3c0ihICsDs3/Wsf9BWq +MR6jHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMCA0cA +MEQCIFx1UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDmAiB6OW49o/Plw34E +llpmo3clMwUoC5zINELSPN3uKMElUw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..89d77d3b89 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_secp256r1_256.pem.certspec @@ -0,0 +1,7 @@ +issuer:root_secp256r1_256 +subject:int_secp224r1_224-root_secp256r1_256 +issuerKey:secp256r1 +subjectKey:secp224r1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem new file mode 100644 index 0000000000..91bba98392 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem 
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICJjCCAQ6gAwIBAgIULfRIJwqhrTgphLCOMhBD3HMzZoIwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMjA0ODAiGA8yMDIxMTEyNzAwMDAwMFoY +DzIwMjQwMjA1MDAwMDAwWjAqMSgwJgYDVQQDDB9pbnRfc2VjcDI1NnIxXzI1Ni1y +b290X3JzYV8yMDQ4MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAET7+7u2Hg+Pmx +pgpZrIcE4uwFC0I+PPcukj8sT3lLRVwqadIzRWw2xBGdBwbgDu3I0ZOQ15kbey0H +owTqoEqmwKMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcN +AQELBQADggEBALnX/gmXf0oTbESNYaBQ3w0fo/GMNfXFQJJicnstxFt510GGQnM6 +k+mCmtWB3e3w5LMClRz1irAVWEhp+xqaH9a0T7LkmziVv3Iz3YzqDOUkMVFIrWWr +jPX3O/HUV52UF/YNE3pbDD0w72Zbe6BFS0NzXgdBDZiBM9/GAE9Bepsg5pKGcjea +PpHcWIbxOJvzLAKrQdjHjoaYWTukL21kspsBw7dIaYgMo69f/JhY8suakh4Y45g9 +uD2S6A4lw2E+ITOi0V+EQU//OUFgynIt7kfB8kVyKTflHw2UpVCwu1XICGvPxDZU +7OKLAp/2Y18qqGbmVGEf9nZ4zojcCdtAsAU= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem.certspec new file mode 100644 index 0000000000..44a65ef5a7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_rsa_2048.pem.certspec @@ -0,0 +1,5 @@ +issuer:root_rsa_2048 +subject:int_secp256r1_256-root_rsa_2048 +subjectKey:secp256r1 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem new file mode 100644 index 0000000000..14178a22d5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem 
@@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBZzCCARWgAwIBAgIUS9UDyDRw6jcSIVOE3Jd/25HnZKUwCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwScm9vdF9zZWNwMjI0cjFfMjI0MCIYDzIwMjExMTI3MDAwMDAw +WhgPMjAyNDAyMDUwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjU2cjFfMjU2 +LXJvb3Rfc2VjcDIyNHIxXzIyNDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/ +u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGT +kNeZG3stB6ME6qBKpsCjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG +CCqGSM49BAMCA0AAMD0CHQCaPG/wRttw8lX1L9aYUhzXLbwFIGNPlbZLslJUAhwR +QjtGEs8T4jEfvTzExNDStQ07IOzgazIlFtfw +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem.certspec new file mode 100644 index 0000000000..66ebc1b93e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp224r1_224.pem.certspec @@ -0,0 +1,7 @@ +issuer:root_secp224r1_224 +subject:int_secp256r1_256-root_secp224r1_224 +issuerKey:secp224r1 +subjectKey:secp256r1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem new file mode 100644 index 0000000000..d8ee88f643 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem 
@@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBbjCCARWgAwIBAgIUbfWsobapssVY8KJM2yCX2ixKnPswCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2azFfMjU2MCIYDzIwMjExMTI3MDAwMDAw +WhgPMjAyNDAyMDUwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjU2cjFfMjU2 +LXJvb3Rfc2VjcDI1NmsxXzI1NjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/ +u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGT +kNeZG3stB6ME6qBKpsCjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG +CCqGSM49BAMCA0cAMEQCIFuwodUwyOUnIR4KN5ZCSrU7y4iz4/1EWRdHm5kWKi8d +AiAPwQROIzfXlMFBuhspsRKzB5bfRlK3JAQUSCN5CsmfEw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem.certspec new file mode 100644 index 0000000000..c7e190ab0b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256k1_256.pem.certspec @@ -0,0 +1,7 @@ +issuer:root_secp256k1_256 +subject:int_secp256r1_256-root_secp256k1_256 +issuerKey:secp256k1 +subjectKey:secp256r1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem new file mode 100644 index 0000000000..6eca3f2b9b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem 
@@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBbjCCARWgAwIBAgIUa0D2PJJTJo9PXI+vG9zQ1xsBn/owCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjExMTI3MDAwMDAw +WhgPMjAyNDAyMDUwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMjU2cjFfMjU2 +LXJvb3Rfc2VjcDI1NnIxXzI1NjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/ +u7th4Pj5saYKWayHBOLsBQtCPjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGT +kNeZG3stB6ME6qBKpsCjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoG +CCqGSM49BAMCA0cAMEQCIFx1UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDm +AiA4ISAfKF73X9PGnyvy/moXFGmSVwofC5A9v2X5+huJHQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..6854d21876 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp256r1_256-root_secp256r1_256.pem.certspec @@ -0,0 +1,7 @@ +issuer:root_secp256r1_256 +subject:int_secp256r1_256-root_secp256r1_256 +issuerKey:secp256r1 +subjectKey:secp256r1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem new file mode 100644 index 0000000000..a30df8f600 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem 
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBizCCATKgAwIBAgIUE3rMvYbUkYGloXh1cHBH2bCZyBcwCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjExMTI3MDAwMDAw +WhgPMjAyNDAyMDUwMDAwMDBaMC8xLTArBgNVBAMMJGludF9zZWNwMzg0cjFfMzg0 +LXJvb3Rfc2VjcDI1NnIxXzI1NjB2MBAGByqGSM49AgEGBSuBBAAiA2IABKFockM2 +K1x7GInzeRVGFaHHP7SN7oY+AikV22COJS3ktxMtqM6Y6DFTTmqcDAsJyNY5regy +BuW6gTRzoR+jMOBdqMluQ4P+J4c9qXEDviiIz/AC8Fr3Gh/dzIN0qm6pzqMdMBsw +DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDRwAwRAIgXHVR +nxMRUM1dit4go7wGMJH/snN1XzFk7P3LQoAKcOYCIEwCzXhoYODip/jtMmkCe36I +IIHXI7fafiAbVaadub6I +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..de8e851981 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_secp256r1_256.pem.certspec @@ -0,0 +1,7 @@ +issuer:root_secp256r1_256 +subject:int_secp384r1_384-root_secp256r1_256 +issuerKey:secp256r1 +subjectKey:secp384r1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem new file mode 100644 index 0000000000..4d1522bb8b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem 
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIB2DCCAUKgAwIBAgIUfXnvTK9B9FK+1IelCwSO1Mf5UTwwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAxNjAiGA8yMDIxMTEyNzAwMDAwMFoY +DzIwMjQwMjA1MDAwMDAwWjAYMRYwFAYDVQQDDA1yb290X3JzYV8xMDE2MIGeMA0G +CSqGSIb3DQEBAQUAA4GMADCBiAKBgADSm7EvuE/dzSmzpRnLZsQ7jY+L5UW6eThM +5mPtA991mRYA65IHkNJTDOzlRNuZpx8FiWo+0gcWVTSqmQV+R8R+O8ga2m+h4S43 +JotQRqVSaPna18y0hdgaLhnVDU8LaFSsr2175p2aCDE24Vr6j1PByMhPxgdyed0O +Vdc2mlvdAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG +SIb3DQEBCwUAA4GAAD8C2t9CPWsOkjh/CLrrCa+4TXvZ08h8W/8IhqdQAfCv7dti +9bEvHqR9zQOFDeahFe7z5PkQcy4muoEYycBEod7MmacIDz8Mp3tZ3z2dHlaGxYIN +zAhQa8PShkltJw9+whOhPyLFVd4sExO6GSJU616wDCO0XSsk82Akrp3b22E= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem.certspec new file mode 100644 index 0000000000..b0b5ba8e5e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.pem.certspec @@ -0,0 +1,6 @@ +issuer:root_rsa_1016 +subject:root_rsa_1016 +issuerKey:rsa1016 +subjectKey:rsa1016 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem new file mode 100644 index 0000000000..de4451ce56 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem 
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIB2jCCAUOgAwIBAgIUMVucrt/selpf3q8amlrvDqneZmEwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMTAyNDAiGA8yMDIxMTEyNzAwMDAwMFoY +DzIwMjQwMjA1MDAwMDAwWjAYMRYwFAYDVQQDDA1yb290X3JzYV8xMDI0MIGfMA0G +CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTqXRAEB66jF35UD5vk161L/6z6+nQ3Fys +4m+XPKlMvA2cMdZsDAE7zpyC0NSAMo3wX7a815kKUxLdrmFSrW7mHIwb3YZjxovT +YiSpiCrnjon1Vt/b5vUdphEsv8J8ikkza0Gv23UyG1KySnNE0TSOZGNRpVHHVxzN +oLj+NfYadQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq +hkiG9w0BAQsFAAOBgQAmXbjjKelajwlEDMtahrBCsERFd6+ROiGkWPd2f7DrcbM0 +4XTeBJMOk0JUHRNelafp7s+B/Na/gA6tF7DwbBff6CroFMA08AtT6CaGGshyym4e +v1gLXMZRAw7Ql0vHwp5+62umXMYQZRsxc7+evlm4BQKsIkVG20R9P39/f2DErg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem.certspec new file mode 100644 index 0000000000..09cd420f70 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.pem.certspec @@ -0,0 +1,6 @@ +issuer:root_rsa_1024 +subject:root_rsa_1024 +issuerKey:rsa1024 +subjectKey:rsa1024 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem new file mode 100644 index 0000000000..76c11d0c5d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3zCCAcegAwIBAgIUHc/POtVpyiofkS90PJVYOJh6zpcwDQYJKoZIhvcNAQEL +BQAwGDEWMBQGA1UEAwwNcm9vdF9yc2FfMjA0ODAiGA8yMDIxMTEyNzAwMDAwMFoY +DzIwMjQwMjA1MDAwMDAwWjAYMRYwFAYDVQQDDA1yb290X3JzYV8yMDQ4MIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq +5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc +An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39 +ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk +zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u +JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB +ox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOC +AQEAk5wQl5Buy92gRlkSDZ2zDu4l4vELd6YC+ObqOe6ixuUf4Y7rGMWiHtbyrhh1 +4IXAD8ZAhZQhdrhl6YX9QsLwIMSowkzhnDLgO7vBJrIw1PsQlyonMFk+A09sbFvk +iLo6gAo+8Vb83DrkJWp9uoIqSIhJTTRFz4MbWh82oNqpQZeARFZ6TzsJK2cekmL5 +sdIkC5Sh7nnDPQvH4pc+k+AwjAJIyj3ysDelxpvzVoVVhHJCdzVVaN25Kd3pAByL +nUhQ/r7z2tdg6I/7CijIuRVD8sPKAhrTT8Xo+fIcrqqXnuHEIgNcRpLaR3zgpVRV +G4p5aG3iXXviN44uwz7abs+l1A== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem.certspec new file mode 100644 index 0000000000..cebc2f8e6a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.pem.certspec @@ -0,0 +1,4 @@ +issuer:root_rsa_2048 +subject:root_rsa_2048 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem new file mode 100644 index 0000000000..6475f8ef91 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem 
@@ -0,0 +1,9 @@ +-----BEGIN CERTIFICATE----- +MIIBSDCB96ADAgECAhQHiZOs85zvfLeFMhsh68xncNi5wzAKBggqhkjOPQQDAjAd +MRswGQYDVQQDDBJyb290X3NlY3AyMjRyMV8yMjQwIhgPMjAyMTExMjcwMDAwMDBa +GA8yMDI0MDIwNTAwMDAwMFowHTEbMBkGA1UEAwwScm9vdF9zZWNwMjI0cjFfMjI0 +ME0wEAYHKoZIzj0CAQYFK4EEACEDOQAEZo1yzKb9ahs1V7U2YQTYRAjstjfwjoyG +u/+CzOiPAGbXr2PDKYujdzSKEgKwOzf9ax/0FaoxHqMdMBswDAYDVR0TBAUwAwEB +/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDQAAwPQIdAJo8b/BG23DyVfUv1phS +HNctvAUgY0+VtkuyUlQCHHjzlIZKE3ktC+mtNDdM57lQZsqdPCUo2IehzBo= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem.certspec new file mode 100644 index 0000000000..31370f6f73 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.pem.certspec @@ -0,0 +1,7 @@ +issuer:root_secp224r1_224 +subject:root_secp224r1_224 +issuerKey:secp224r1 +subjectKey:secp224r1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem new file mode 100644 index 0000000000..a062c78eb2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBWjCCAQCgAwIBAgIUfUU3FkeasPqniKMpSraSUECrlnowCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2azFfMjU2MCIYDzIwMjExMTI3MDAwMDAw +WhgPMjAyNDAyMDUwMDAwMDBaMB0xGzAZBgNVBAMMEnJvb3Rfc2VjcDI1NmsxXzI1 +NjBWMBAGByqGSM49AgEGBSuBBAAKA0IABDXufHKJ2P73qGr+XaZti8LrtqhUP9L+ +rQifRc56zQ+mQ4KpUAxB2tdw/9S1Eb9LSS6xI4gAwyxPdsc6PzKU58WjHTAbMAwG +A1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMCA0gAMEUCIFuwodUw +yOUnIR4KN5ZCSrU7y4iz4/1EWRdHm5kWKi8dAiEA75wpo6AToMf20m7rvmTKnlK8 +FGo2xq0TYVCCcCEfkcM= +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem.certspec new file mode 100644 index 0000000000..c78aa61bba --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.pem.certspec @@ -0,0 +1,7 @@ +issuer:root_secp256k1_256 +subject:root_secp256k1_256 +issuerKey:secp256k1 +subjectKey:secp256k1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem new file mode 100644 index 0000000000..f0fa1a3298 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBXDCCAQOgAwIBAgIUB5NlTHpszJgjDr4BNFqeBut30O8wCgYIKoZIzj0EAwIw +HTEbMBkGA1UEAwwScm9vdF9zZWNwMjU2cjFfMjU2MCIYDzIwMjExMTI3MDAwMDAw +WhgPMjAyNDAyMDUwMDAwMDBaMB0xGzAZBgNVBAMMEnJvb3Rfc2VjcDI1NnIxXzI1 +NjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE+/u7th4Pj5saYKWayHBOLsBQtC +Pjz3LpI/LE95S0VcKmnSM0VsNsQRnQcG4A7tyNGTkNeZG3stB6ME6qBKpsCjHTAb +MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMCA0cAMEQCIFx1 +UZ8TEVDNXYreIKO8BjCR/7JzdV8xZOz9y0KACnDmAiAwSXG3ZAwdTkc4IYrNr7A3 +PwsFyeNA6J5MEWhUHVzgTw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem.certspec b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem.certspec new file mode 100644 index 0000000000..4447fc4b47 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize/root_secp256r1_256.pem.certspec @@ -0,0 +1,7 @@ +issuer:root_secp256r1_256 +subject:root_secp256r1_256 +issuerKey:secp256r1 +subjectKey:secp256r1 +signature:ecdsaWithSHA256 +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign 
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev.js b/security/manager/ssl/tests/unit/test_keysize_ev.js
new file mode 100644
index 0000000000..30d02f7adb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev.js
@@ -0,0 +1,169 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Checks that RSA certs with key sizes below 2048 bits when verifying for EV
+// are rejected.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const SERVER_PORT = 8888;
+
+function getOCSPResponder(expectedCertNames) {
+ let expectedPaths = expectedCertNames.slice();
+ return startOCSPResponder(
+ SERVER_PORT,
+ "www.example.com",
+ "test_keysize_ev/",
+ expectedCertNames,
+ expectedPaths
+ );
+}
+
+function loadCert(certName, trustString) {
+ let certFilename = "test_keysize_ev/" + certName + ".pem";
+ addCertFromFile(certDB, certFilename, trustString);
+ return constructCertFromFile(certFilename);
+}
+
+/**
+ * Asynchronously runs a single EV key size test.
+ *
+ * @param {Array} expectedNamesForOCSP
+ * An array of nicknames of the certs to be responded to.
+ * @param {string} rootCertFileName
+ * The file name of the root cert. Can begin with ".." to reference
+ * certs in folders other than "test_keysize_ev/".
+ * @param {Array} intCertFileNames
+ * An array of file names of any intermediate certificates.
+ * @param {string} endEntityCertFileName
+ * The file name of the end entity cert.
+ * @param {boolean} expectedResult
+ * Whether the chain is expected to validate as EV.
+ */
+async function keySizeTestForEV(
+ expectedNamesForOCSP,
+ rootCertFileName,
+ intCertFileNames,
+ endEntityCertFileName,
+ expectedResult
+) {
+ clearOCSPCache();
+ let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
+
+ loadCert(rootCertFileName, "CTu,CTu,CTu");
+ for (let intCertFileName of intCertFileNames) {
+ loadCert(intCertFileName, ",,");
+ }
+ await checkEVStatus(
+ certDB,
+ constructCertFromFile(`test_keysize_ev/${endEntityCertFileName}.pem`),
+ certificateUsageSSLServer,
+ expectedResult
+ );
+
+ await stopOCSPResponder(ocspResponder);
+}
+
+/**
+ * For debug builds which have the test EV roots compiled in, checks RSA chains
+ * which contain certs with key sizes adequate for EV are validated as such,
+ * while chains that contain any cert with an inadequate key size fail EV and
+ * validate as DV.
+ * For opt builds which don't have the test EV roots compiled in, checks that
+ * none of the chains validate as EV.
+ *
+ * Note: This function assumes that the key size requirements for EV are greater
+ * than the requirements for DV.
+ *
+ * @param {number} inadequateKeySize
+ * The inadequate key size of the generated certs.
+ * @param {number} adequateKeySize
+ * The adequate key size of the generated certs.
+ */
+async function checkRSAChains(inadequateKeySize, adequateKeySize) {
+ // Reuse the existing test RSA EV root
+ let rootOKCertFileName = "../test_ev_certs/evroot";
+ let rootOKName = "evroot";
+ let rootNotOKName = "ev_root_rsa_" + inadequateKeySize;
+ let intOKName = "ev_int_rsa_" + adequateKeySize;
+ let intNotOKName = "ev_int_rsa_" + inadequateKeySize;
+ let eeOKName = "ev_ee_rsa_" + adequateKeySize;
+ let eeNotOKName = "ev_ee_rsa_" + inadequateKeySize;
+
+ // Chain with certs that have adequate sizes for EV and DV
+ // In opt builds, this chain is only validated for DV. Hence, an OCSP fetch
+ // will for example not be done for the "ev_int_rsa_2048-evroot" intermediate
+ // in such a build.
+ let intFullName = intOKName + "-" + rootOKName;
+ let eeFullName = eeOKName + "-" + intOKName + "-" + rootOKName;
+ let expectedNamesForOCSP = [eeFullName];
+ await keySizeTestForEV(
+ expectedNamesForOCSP,
+ rootOKCertFileName,
+ [intFullName],
+ eeFullName,
+ gEVExpected
+ );
+
+ // Chain with a root cert that has an inadequate size for EV, but
+ // adequate size for DV
+ intFullName = intOKName + "-" + rootNotOKName;
+ eeFullName = eeOKName + "-" + intOKName + "-" + rootNotOKName;
+ expectedNamesForOCSP = [eeFullName];
+ await keySizeTestForEV(
+ expectedNamesForOCSP,
+ rootNotOKName,
+ [intFullName],
+ eeFullName,
+ false
+ );
+
+ // Chain with an intermediate cert that has an inadequate size for EV, but
+ // adequate size for DV
+ intFullName = intNotOKName + "-" + rootOKName;
+ eeFullName = eeOKName + "-" + intNotOKName + "-" + rootOKName;
+ expectedNamesForOCSP = [eeFullName];
+ await keySizeTestForEV(
+ expectedNamesForOCSP,
+ rootOKCertFileName,
+ [intFullName],
+ eeFullName,
+ false
+ );
+
+ // Chain with an end entity cert that has an inadequate size for EV, but
+ // adequate size for DV
+ intFullName = intOKName + "-" + rootOKName;
+ eeFullName = eeNotOKName + "-" + intOKName + "-" + rootOKName;
+ expectedNamesForOCSP = [eeFullName];
+ await keySizeTestForEV(
+ expectedNamesForOCSP,
+ rootOKCertFileName,
+ [intFullName],
+ eeFullName,
+ false
+ );
+}
+
+add_task(async function() {
+ Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+ let smallKeyEVRoot = constructCertFromFile(
+ "test_keysize_ev/ev_root_rsa_2040.pem"
+ );
+ equal(
+ smallKeyEVRoot.sha256Fingerprint,
+ "40:AB:5D:A5:89:15:A9:4B:82:87:B8:A6:9A:84:B1:DB:" +
+ "7A:9D:DB:B8:4E:E1:23:E3:C6:64:E7:50:DC:35:8C:68",
+ "test sanity check: the small-key EV root must have the same " +
+ "fingerprint as the corresponding entry in ExtendedValidation.cpp"
+ );
+
+ await checkRSAChains(2040, 2048);
+});
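Review bot: In `keySizeTestForEV`, `stopOCSPResponder(ocspResponder)` runs only when `checkEVStatus` resolves, so a failed or rejected check would leave the responder bound to `SERVER_PORT` and the next chain's `getOCSPResponder` call would presumably fail on the port rather than on the real cause. Wrapping the check as `try { await checkEVStatus(...); } finally { await stopOCSPResponder(ocspResponder); }` keeps the failure attributable to the chain under test. Separately, the three negative chains in `checkRSAChains` assert only `false`, so any unrelated reason for losing EV status (for example an OCSP fetch that never reaches the responder) would satisfy them as well; a short comment there stating that the `gEVExpected` chain is what anchors the key-size result on debug builds would make that dependency explicit.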
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem new file mode 100644 index 0000000000..394cb6caea --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZzCCAk+gAwIBAgIUVZYfMEsZbV/AnYHYi9fRg/e/buYwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWZXZfaW50X3JzYV8yMDQ4LWV2cm9vdDAiGA8yMDIxMTEy +NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAwMS4wLAYDVQQDDCVldl9lZV9yc2Ff +MjA0MC1ldl9pbnRfcnNhXzIwNDgtZXZyb290MIIBITANBgkqhkiG9w0BAQEFAAOC +AQ4AMIIBCQKCAQAAusBlL9+8AFWIL/uurO7Ij6LQg8KX3V1AZk3T2Q9S+aoCvYpQ ++6FuD9mRh470dfmzUNn44+sqvXF84yewl4hTHxPfjj5OO51ha7ikHlMG7tJHIWMW +EFEYASdqTrZvBzMbXLyLyucBao+bPU8qxFU8Ykz1JjvLNI6IQN5mEocJYKeSGRsT +j7IX92XOx7/46U8Ws5QZv3UExZp+T3m9bRc+nHvz2dKk5zzBgLBZCnPVhPt/ybVP +pURgflP8aFx6Vf1EqB1BQravUepvps6lKWWi6MXYTzygJNb7ubAFuWUc5dny7PQO +1ASYGp/8AmNuMRsJXGMyoMh9w5JxtVUUgXdLAgMBAAGjgYQwgYEwXgYIKwYBBQUH +AQEEUjBQME4GCCsGAQUFBzABhkJodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgv +ZXZfZWVfcnNhXzIwNDAtZXZfaW50X3JzYV8yMDQ4LWV2cm9vdC8wHwYDVR0gBBgw +FjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQELBQADggEBADEl0bWl +HI7w8k4AN2yIxDMFCzd4AJBqtqanL5JVkPFl4VCzmmK2okwdGq5TZYvbDRaQK4nQ +FECjTuxDGY95BVd4brca/JKvaCk8HBXFbh4iv9OZJbr6gm+N2LiV78P8V8nz1RVw +WfGB9T5TZAhsMBF8nMum9p3bPj5IJXA2IpQswtfAx19so9D7i+vt++F8g2M8MjHC +FIwH5961OYBUvd1c+CAjE8ekZ/ajQnrEuayPVGacBwWmqJ8Lz6viyXIfPdRIWlvn +0+rJB20eBXnoSW3k2kp0QwzTxuD/5RwRiTgGphGta0wHtaVCwrkdkWTH1u7R/OxW +I+X16RQo8Ayto3o= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem.certspec new file mode 100644 index 0000000000..e64c651bc7 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.pem.certspec @@ -0,0 +1,5 @@ +issuer:ev_int_rsa_2048-evroot +subject:ev_ee_rsa_2040-ev_int_rsa_2048-evroot +subjectKey:rsa2040 +extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2040-ev_int_rsa_2048-evroot/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem new file mode 100644 index 0000000000..c7b6b0ddab --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZzCCAlCgAwIBAgIUZfXrSpbPemyhfINT4zz1d30Ek2wwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWZXZfaW50X3JzYV8yMDQwLWV2cm9vdDAiGA8yMDIxMTEy +NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAwMS4wLAYDVQQDDCVldl9lZV9yc2Ff +MjA0OC1ldl9pbnRfcnNhXzIwNDAtZXZyb290MIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo +4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD +SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX +kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx +owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/ +Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GEMIGBMF4GCCsGAQUF +BwEBBFIwUDBOBggrBgEFBQcwAYZCaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4 +L2V2X2VlX3JzYV8yMDQ4LWV2X2ludF9yc2FfMjA0MC1ldnJvb3QvMB8GA1UdIAQY +MBYwFAYSKwYBBAHrSYUahRqFGgGDdAkBMA0GCSqGSIb3DQEBCwUAA4IBAAA0bpkI +YZXUPMUehztpOIlqHZyliVXpt5P2KpBG/3lSwkomGszQZT4+mvZqGS7Hy/gIJNnF +vE0Obol+2LT8WOsJuqlOZz2Q04ckggp+HsgwBZYTAvgSSPVbiXwsAVq9aMHcw9l1 +usGJC8Y3rEsQYdGx01/SBP/jAfq882yOSX/MmE0DElDDygLkpynttd60XBwUNiuM +RdvE9HmQ1g8teQjXoZiOctgSmYeNGcjx0Tabr96ONhf1ol7tf0lVECweWl32G0PL +Z9PnXtatiH4wcItb3S4P3jlCjEcaK6iq0PntcarxICyraOkWXvD+cAecptFSEhRh +TGE7OM/RblZ1waQ= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem.certspec new file mode 100644 index 0000000000..0b7bfd4269 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.pem.certspec @@ -0,0 +1,5 @@ +issuer:ev_int_rsa_2040-evroot +subject:ev_ee_rsa_2048-ev_int_rsa_2040-evroot +issuerKey:rsa2040 +extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2048-ev_int_rsa_2040-evroot/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem new file mode 100644 index 0000000000..6743c1859a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDhjCCAm6gAwIBAgIUSwd9p0zHyco2QXDr8tpsJc2ljTwwDQYJKoZIhvcNAQEL +BQAwKzEpMCcGA1UEAwwgZXZfaW50X3JzYV8yMDQ4LWV2X3Jvb3RfcnNhXzIwNDAw +IhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAwMDAwMFowOjE4MDYGA1UEAwwv +ZXZfZWVfcnNhXzIwNDgtZXZfaW50X3JzYV8yMDQ4LWV2X3Jvb3RfcnNhXzIwNDAw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ +PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH +9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw +4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86 +exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0 +ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N +AgMBAAGjgY4wgYswaAYIKwYBBQUHAQEEXDBaMFgGCCsGAQUFBzABhkxodHRwOi8v +d3d3LmV4YW1wbGUuY29tOjg4ODgvZXZfZWVfcnNhXzIwNDgtZXZfaW50X3JzYV8y +MDQ4LWV2X3Jvb3RfcnNhXzIwNDAvMB8GA1UdIAQYMBYwFAYSKwYBBAHrSYUahRqF +GgGDdAkBMA0GCSqGSIb3DQEBCwUAA4IBAQBuSOtnkDe3ob+sBv9AIEUi4Rysxb3N +Xhg3sAR6RFNP0kZnuROdWloSSfA9+H6f7l1w/LFTVFZhdQG2PqmJJ7vVzZYbgKXQ +bWFri8W5Moj75f+Q3hpOczTqgBZfKl07gQp15/BfaUxsvmiw0IZBZHpaggYGerC3 +stamAyLWYI4hvQacoVz/2wRLa/NMs2qWElZ8+AjR10cCevvC15HD/U48s5NdLhGZ +63x9dz7DCWQcrxz+eIS+S1qEeU7N4DTMYR5QRxPWM7s37hAZGASZlDmiL5fs3DRv +IbynUqPgLPELvM+BvZN6edALZxGC2ngcqxVVmg/j8nl5Xcjqvq0cO1VH +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec new file mode 100644 index 0000000000..a36acf887d 
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec
@@ -0,0 +1,4 @@
+issuer:ev_int_rsa_2048-ev_root_rsa_2040
+subject:ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem
new file mode 100644
index 0000000000..753a39f0e7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDaDCCAlCgAwIBAgIUWW7gg8Czo9BnB6ui50M3Xu6ivEcwDQYJKoZIhvcNAQEL +BQAwITEfMB0GA1UEAwwWZXZfaW50X3JzYV8yMDQ4LWV2cm9vdDAiGA8yMDIxMTEy +NzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAwMS4wLAYDVQQDDCVldl9lZV9yc2Ff +MjA0OC1ldl9pbnRfcnNhXzIwNDgtZXZyb290MIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo +4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD +SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX +kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx +owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/ +Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GEMIGBMF4GCCsGAQUF +BwEBBFIwUDBOBggrBgEFBQcwAYZCaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4 +L2V2X2VlX3JzYV8yMDQ4LWV2X2ludF9yc2FfMjA0OC1ldnJvb3QvMB8GA1UdIAQY +MBYwFAYSKwYBBAHrSYUahRqFGgGDdAkBMA0GCSqGSIb3DQEBCwUAA4IBAQAZ6F/Z +4Alyl3Mc7/QcrKEbu1BWIWt4e5wvWqAw3evX36OsFrkAD+26FHLgkjyMVxeX6g95 +LAbbQN2K48mIHGLdK8fAnLmNJpBJpetAEfIpcQzKf4BuNsCAB+TVRfAt0yeDDagQ +va7jy8kzC+UG/OX2KW0SG5Zn6OwJTAIq6LLnGeyeMGqleBVW8HUsQBB4waPFfejJ +AuPPiIuHh+6lOcSpjLel/xcEnnmMJFjO8zoOW32HuR02iUsrkZqPvIeRm6sVjQEs +HWd0d+mAtzUWN4YkFqDdBJ71iK0ZZDlx4wPdjhshdDFLg/g0PW6sUEeUak6e3WQ4 +oNA9ie/2y779fkX6 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem.certspec new file mode 100644 index 0000000000..0b34be6db8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.pem.certspec @@ -0,0 +1,4 @@ +issuer:ev_int_rsa_2048-evroot +subject:ev_ee_rsa_2048-ev_int_rsa_2048-evroot +extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_rsa_2048-ev_int_rsa_2048-evroot/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem new file mode 100644 index 0000000000..cf632da080 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDVDCCAjygAwIBAgIUAcFzVqJIY35fm8QGImTLo+kRhoowDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMCExHzAdBgNVBAMMFmV2X2ludF9yc2FfMjA0MC1ldnJvb3QwggEh +MA0GCSqGSIb3DQEBAQUAA4IBDgAwggEJAoIBAAC6wGUv37wAVYgv+66s7siPotCD +wpfdXUBmTdPZD1L5qgK9ilD7oW4P2ZGHjvR1+bNQ2fjj6yq9cXzjJ7CXiFMfE9+O +Pk47nWFruKQeUwbu0kchYxYQURgBJ2pOtm8HMxtcvIvK5wFqj5s9TyrEVTxiTPUm +O8s0johA3mYShwlgp5IZGxOPshf3Zc7Hv/jpTxazlBm/dQTFmn5Peb1tFz6ce/PZ +0qTnPMGAsFkKc9WE+3/JtU+lRGB+U/xoXHpV/USoHUFCtq9R6m+mzqUpZaLoxdhP +PKAk1vu5sAW5ZRzl2fLs9A7UBJgan/wCY24xGwlcYzKgyH3DknG1VRSBd0sCAwEA +AaOBkDCBjTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjBPBggrBgEFBQcBAQRD +MEEwPwYIKwYBBQUHMAGGM2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9ldl9p +bnRfcnNhXzIwNDAtZXZyb290LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUahRoB +g3QJATANBgkqhkiG9w0BAQsFAAOCAQEAXXKAxLkrQ+U2XlsV87bacCpbpSpRsdps +EGFUEZ1h1Pmlcea7I4tgLhavwnP48zSa3J15dCacXlupHlKspILYbWvkSM3P+64s +MAo2Nt0av/eQsXZrasMNhLPPkvWXtA7MUB57eQm+2pKyy0hmNaZC2cOWsJw+FqXB +9Nw2tPpo/rSXr5jkqEMKSUrA/B8dDNjl1QNe0nbr6pS2Ux3Eayuc57xg8envOkn+ +nTm6Wf9oJeE/+0D7Y4whiRJWDv/ANYW5b982sn4BA48jtxYDP1M8UZ/ZzWfMG7tE +xtYL6EBZbZ9KOmPkPEzzKwM2IdFRexTAzVrid3VHbBYOQOfQBDP4pg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem.certspec new file mode 100644 index 0000000000..80be711742 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040-evroot.pem.certspec 
@@ -0,0 +1,8 @@
+issuer:evroot
+subject:ev_int_rsa_2040-evroot
+issuerKey:ev
+subjectKey:rsa2040
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/ev_int_rsa_2040-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key
new file mode 100644
index 0000000000..63b267865f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEtwIBADANBgkqhkiG9w0BAQEFAASCBKEwggSdAgEAAoIBAAC6wGUv37wAVYgv ++66s7siPotCDwpfdXUBmTdPZD1L5qgK9ilD7oW4P2ZGHjvR1+bNQ2fjj6yq9cXzj +J7CXiFMfE9+OPk47nWFruKQeUwbu0kchYxYQURgBJ2pOtm8HMxtcvIvK5wFqj5s9 +TyrEVTxiTPUmO8s0johA3mYShwlgp5IZGxOPshf3Zc7Hv/jpTxazlBm/dQTFmn5P +eb1tFz6ce/PZ0qTnPMGAsFkKc9WE+3/JtU+lRGB+U/xoXHpV/USoHUFCtq9R6m+m +zqUpZaLoxdhPPKAk1vu5sAW5ZRzl2fLs9A7UBJgan/wCY24xGwlcYzKgyH3DknG1 +VRSBd0sCAwEAAQKB/2A9smffl1VcvthrjfNVA0ryjx638+eCnSObzCc6fHppoQvo +8h8bbEsCxrrjcxwxWLW7/0YF9Xq3t7Kgy6LsAFottbHqbgrO6lvHRdzS0OnWuA1+ +sOorwIEnvONfpQxCzEEYcbpZHiO6ajhISjPv8TR/kH7ppakqIxG7C0NVEAIPeOO7 +AAmdtNEYKSgJZQX8uoTzyhI4/R66XuofORu7zFQksWgGP8F+HKbhkSzLpE+dApIw +ih/tuAYSUps59Z0KP4GAtbogETIZf5OlgV3tk43459k8mxV2ZYjzObtZEAr9pJSn +5FLX3UyaGc4uw6M6GLIPC02t4XK+4Z8m8Ny+QQKBgA7Dhpy5LUBsrd96MZqylEi8 +UFoFkTcHhzNh/FuYakmftl7rgVp+N2h9GfEoCHKJ2buIGOe8ylAsSQCtmuzhF5vh +L/PkZ9YG/IIOqPB6yev/4iNuOBaEEgKIIj5C2+aN/ZcqhaZEflFpXyNNp5EcZ8mr +lTHzPfO5lDLU7ojJpO+7AoGADKY5NFSehf6sjg9WBDA/0YSf6Ir0t/fhITKDu8ei +wqUJ+Sc8Qoxo3j25PmFF8bQAvW1KJiYU6QQ602LU66SmuZU5nIk0o5mRIZnoQdjo +2/8EifaeZjeWcwspgFMLMctwaVohYl6irczAnZMFFvqHIhGpHiLdif2et9qFdLci +NbECgYANfTp14X9l+KZYpIXECVwQpPZpeeK3O8qc+O8hJT4frKxtR5H1g5LOhlb4 +jxJAzJDCllPjEAxtejjtRLFjsznl87bjiRISbGmzzv8uUZJCbZZJtv/KGrt10rou +1tmiaqODxZc9ViFv8u25DM+Id0Kg8YOskslM8YdldkXHdy2a1wKBgAP1UBlMEX8k +vqKFsgkFgDL0KYX/Vazr6IsW35o3UntOYdyRpo28mmRRNFKM5fJIvaKJPJbLe+ee +5zmWx8Ild/bC95BAbzRyrbOyEbfpRJTzLFxvzAl4g5/kckwxsGMYokiVZ7T8oDN6 +yxuEEieqpfbHSACiMGkp8CzgOLrZQ99BAoGACAp9v6jCWEgUxxZkxW62LOTK8Wr+ +iNRJkVnWdHdKOj7N3xJWwC/JFSXFJ2kkItCrqU5cQe4S3HG7Zvhnn6F+CW8oCAhR +ugRusxiFwUFOiYWt5ZnZB68XRT0cyuosDQZEP4Nnpr4VSxJeOQ7g2Q90bwiAHdP1 +Nn9Z+6LlpnwF83U= +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key.keyspec new file mode 100644 index 0000000000..f488e73a94 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2040.key.keyspec @@ -0,0 +1 @@ +rsa2040 diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem new file mode 100644 index 0000000000..3460534a0b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDcjCCAlugAwIBAgIUZSpbli3rGt5J38O5lKUHT1lCyUEwDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQZXZfcm9vdF9yc2FfMjA0MDAiGA8yMDIxMTEyNzAwMDAw +MFoYDzIwMjQwMjA1MDAwMDAwWjArMSkwJwYDVQQDDCBldl9pbnRfcnNhXzIwNDgt +ZXZfcm9vdF9yc2FfMjA0MDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG +8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V +gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3 +04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l +0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz +/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaOBmjCBlzAMBgNVHRMEBTADAQH/MAsGA1Ud +DwQEAwIBBjBZBggrBgEFBQcBAQRNMEswSQYIKwYBBQUHMAGGPWh0dHA6Ly93d3cu +ZXhhbXBsZS5jb206ODg4OC9ldl9pbnRfcnNhXzIwNDgtZXZfcm9vdF9yc2FfMjA0 +MC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQEL +BQADggEAABBuxXUR0hyJquyO21vDSVBAfJxZzfanX2HTra0RQuHKsMJT+stYBaW5 +dyxwmRtOnWgn4FOYqVppLZe1jSws6zUoWgSBiAxKJiX3RvQ4aR5bSIm9DueBDR8u +d/vwQOWR1+qqZb7FRvFkXkzFyBP9C5cT/INjmFiRzidMIWIPuoS3kSzIIcyLr4Gj +CPb/TDGTL3pc5xdSIiQ3i43f1u17yeurjzbN8yzjIX3CuoeaOrBUWsBxnNgFhmVm +KY8AP4GHKg0/If0cY1O+cVJ33meKLLxoV9sH98tAbBUs/jQ7mAH+lGQRBUtp5WxJ +hIPwSS31RIFglSm9FVEraLU+dl+mzA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec new file mode 100644 index 0000000000..5bc5674b2c 
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-ev_root_rsa_2040.pem.certspec
@@ -0,0 +1,7 @@
+issuer:ev_root_rsa_2040
+subject:ev_int_rsa_2048-ev_root_rsa_2040
+issuerKey:evRSA2040
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/ev_int_rsa_2048-ev_root_rsa_2040/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem
new file mode 100644
index 0000000000..982eb60fd4
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDVTCCAj2gAwIBAgIUaQnDkiefXQWH/NTUbBlfx7LtXIMwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAy +MDUwMDAwMDBaMCExHzAdBgNVBAMMFmV2X2ludF9yc2FfMjA0OC1ldnJvb3QwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT +2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzV +JJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8N +jf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCA +BiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVh +He4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMB +AAGjgZAwgY0wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwTwYIKwYBBQUHAQEE +QzBBMD8GCCsGAQUFBzABhjNodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvZXZf +aW50X3JzYV8yMDQ4LWV2cm9vdC8wHwYDVR0gBBgwFjAUBhIrBgEEAetJhRqFGoUa +AYN0CQEwDQYJKoZIhvcNAQELBQADggEBAFr4zW09JSWiZyP/xLgjaSwybNjNy844 ++RveDtS0i9k3MgNI4pmG82CqfaMDdQYUSdiIDFLLZMbKYNU9pBG0WUr2AlPAMsU4 +Pt1I4/IT6xAQvB9reuKeHdM7r99W1r5IYmRFf4YHcGTeNOTBExaQCsnAwk1nWj4+ ++dNQidDkzcvb2CMcp5DvILtYyFam9irx1K2u/pzH4naBeXjvuCk2gE+nK9nBZUuD +Ot0Lg/hHNK/ultREiFoBXkEyuLHbUxfNug6SfUvppXy2tCR+bA98QkwM25LflG4J +/Bej2fWYhDcO1keGO9A9STb6S/4T64AVbqDZNILRwFENWKoarvcE3YA= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem.certspec new file mode 100644 index 0000000000..a0cb6250dc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048-evroot.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:ev_int_rsa_2048-evroot +issuerKey:ev +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:authorityInformationAccess:http://www.example.com:8888/ev_int_rsa_2048-evroot/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_int_rsa_2048.key.keyspec
@@ -0,0 +1 @@
+default
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key
new file mode 100644
index 0000000000..bcd996ab23
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEuQIBADANBgkqhkiG9w0BAQEFAASCBKMwggSfAgEAAoIBAADKcCDcIV9XkU00 +P65KAVERaXr5l6Xs6RhmSZ/CPxuIoRjL0wsQ2Rx7mg1O6JcvyuVsr1fyX8EnWipN +vLmCQowy71h78jh0EDMKD/sWuAKb14OWnvZ19t44wY9nGTy2wHL4sj0LM3QRJiel +e5AFV3HZ5iYD9TeI1/Y6+nJPXRCAlt8x+J8msetffENXmA4Aj81V2CfdJiOVyi9S +ageJfMQMWTs4cW68DKpZZxnG8prJtzp6lEdIo6o+CenrTUYeoAJ+VAkmYUcoudJD +l1z5oFQb79JedrUflREQsOdkT8fjhEF5G20iJzhMuABOIzQjcrHPXMPnPjG3u++h +YOaGLrsCAwEAAQKCAQAAstt0vOkjYqv3KVWmOK6HILowM7t/lxyvORiNdULqocGr +tdIFseIRH0eRwIkRouFB6M/XBUcC0jEAtWQsBuGjGxGK/R+aLzlsztQlxQHZFDXK +hlZ2bO0rk7u4Zp/Om6zXJ9Hayz2vq8MpPjU4nu+OoLWOGusaIOamH5/NRT91Z/4x +0SO2FqJv703x1sn3SQER0Cju/R2XIEWxokInPdemfr8RHbJ0GlqTx7IonMSiNvWp +mm7HqCBv2uHB0EvbsZgNSimMWhfa5BhkdKX3g12IK87ySu9O1vFJ+U2WyffXjmR/ +x3ipAX/yCNO0oXaLGCFiECzasDL6u6s41SAKMkZJAoGADzhE0NTU1qIazXam/DcL +hVDh1+xaYjQXLnkPACmuZR9tXFkzCrGYArnXogfeeh+3eON3T9vcQRdQYz2NGz/g +dQBv/P0dEOdjx6kifS1fDC2t4cnmWcNQoVnTa7mG8SY21PmUKyiLwP4h2oeZR3Fz +FEJJyi44nmxcJap4yMrX1N8CgYANTQvt0ZYvB6Hq1rI6TtZ66vEnDwUqbSm6B0lF +xjYaXE+PB7+FngZ67T9ObjI+8qqKas00CwvcfP5P0ynjyX+HDH93NXksaqnQ9+dU +KijtbwGw5VorjZwkplxtoxTJVIT1x8OVSoG7AWsH7RfumwYDlpW8oFmnn43CQj0y +jVJlpQKBgAnymi/wW+ipbWFLoxsIk1QgqGxrxCuZpmkuoNpXY/AeWWlZt93Oc++c +Lk9uW0BxCIdQDUS6DDzTEyy6J0dfOcLfdVLi0SOiSXpPlwZAKHaaSKNiRlf3K/U5 +89DeI0/szTvooKqQxr9umwvtQwcKJNBh/z7RdRo+8v9/a5C529X7AoGAAaZZ4XDK +wSCgO+HPj53xyqNTsDWTvXR25YU72HTChziGAcbDQc6dHShKXu8aOmadMrgWpers +2LeET+BwZLm8oMKzGNVAJ3s/fxUQ04a7NuA7BHceXSKeiIk+E7dTv7lFGLtjjiQE +vW5qmTwWaNk/wLgv8IqvNDR9P+g5cQjIfKUCgYAEAlfA1KIcC5hDKXxlZS22YwT7 +Jjdz1yi2q/oG03rAymLGKAI+CeN9wKkB5M4SJBgOJYKjqktqGnuY4r1wB3rsFKyK +tmp1XHHg/BAkcfm7wbRqlaoLZF8sOOdkUCiWGeo/XormEDe//PgknyKqTnbioBkJ +8/6ykM6T7fV7EOvnlg== +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key.keyspec new file mode 100644 index 0000000000..a85e16858b --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.key.keyspec @@ -0,0 +1 @@ +evRSA2040 diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem new file mode 100644 index 0000000000..fe3abd78a8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4zCCAcygAwIBAgIUJ7nCMgtzNcSPG7jAh3CWzlTGHQgwDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQZXZfcm9vdF9yc2FfMjA0MDAiGA8yMDE1MDEwMTAwMDAw +MFoYDzIwMzUwMTAxMDAwMDAwWjAbMRkwFwYDVQQDDBBldl9yb290X3JzYV8yMDQw +MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQAAynAg3CFfV5FNND+uSgFR +EWl6+Zel7OkYZkmfwj8biKEYy9MLENkce5oNTuiXL8rlbK9X8l/BJ1oqTby5gkKM +Mu9Ye/I4dBAzCg/7FrgCm9eDlp72dfbeOMGPZxk8tsBy+LI9CzN0ESYnpXuQBVdx +2eYmA/U3iNf2OvpyT10QgJbfMfifJrHrX3xDV5gOAI/NVdgn3SYjlcovUmoHiXzE +DFk7OHFuvAyqWWcZxvKaybc6epRHSKOqPgnp601GHqACflQJJmFHKLnSQ5dc+aBU +G+/SXna1H5URELDnZE/H44RBeRttIic4TLgATiM0I3Kxz1zD5z4xt7vvoWDmhi67 +AgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEB +CwUAA4IBAAA/4/YVyeRLPr05Uw5j0JOCx5WNUv2HxemfvTZgF4QEg4vDt8ba3VDR +Xj3Z8hiGYG+s2Wz4k+82wCNRTglm3iutCJ/LbwOAZIa8dFyQUa03EssS0BBvVNhx +uu6+kYMqGteIX5Q94daqZe+0KM9xKbydNCQJKSMD8IV1YHKvotF91MFQHDdnVAZX +anpqDnw0j4YGknFHA1i++0GZC0aWxhRn6Epfza+bYCVogC5BviY6xYIg2kZE8kII +msQ6iUrKQ2OV7HmZ03BdpsGADorycyJ/wRGR3xDDg8RYUur80jU/D0eBq8BX1md8 +Rc+IyDmcFcs7hYRUaJAoxuLPvQ+/vy4= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem.certspec new file mode 100644 index 0000000000..fd1ade8dea --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/ev_root_rsa_2040.pem.certspec 
@@ -0,0 +1,7 @@
+issuer:ev_root_rsa_2040
+subject:ev_root_rsa_2040
+issuerKey:evRSA2040
+subjectKey:evRSA2040
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key
new file mode 100644
index 0000000000..1d88a930d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh ++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU +dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H +cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y +1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t +oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ +5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB +0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+ ++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE +vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9 +HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE +MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V +vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV +7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH +lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V +jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv +nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui +p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ +zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v +4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA +hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C +pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV +bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3 +mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j +LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf +UVFRDKpassHG6z7+kpXRbowlyRY= +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key.keyspec b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key.keyspec new file mode 100644 index 0000000000..1a3d76a550 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.key.keyspec @@ -0,0 +1 @@ +ev diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem new file mode 100644 index 0000000000..13c3031905 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx +MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/ +EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN +RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s +33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd +Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX ++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw +AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+ +5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo +UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf +cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY +Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH +z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH +HmbOwao= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem.certspec b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem.certspec new file mode 100644 index 0000000000..3121f3486e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_keysize_ev/evroot.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:evroot +subjectKey:ev +issuerKey:ev +validity:20150101-20350101 +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign 
diff --git a/security/manager/ssl/tests/unit/test_logoutAndTeardown.js b/security/manager/ssl/tests/unit/test_logoutAndTeardown.js
new file mode 100644
index 0000000000..c3299a47c1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_logoutAndTeardown.js
@@ -0,0 +1,195 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ + +"use strict"; + +// This test ensures that in-progress https connections are cancelled when the +// user logs out of a PKCS#11 token. + +// Get a profile directory and ensure PSM initializes NSS. +do_get_profile(); +Cc["@mozilla.org/psm;1"].getService(Ci.nsISupports); + +function getTestServerCertificate() { + const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + const certFile = do_get_file("test_certDB_import/encrypted_with_aes.p12"); + certDB.importPKCS12File(certFile, "password"); + for (const cert of certDB.getCerts()) { + if (cert.commonName == "John Doe") { + return cert; + } + } + return null; +} + +class InputStreamCallback { + constructor(output) { + this.output = output; + this.stopped = false; + } + + onInputStreamReady(stream) { + info("input stream ready"); + if (this.stopped) { + info("input stream callback stopped - bailing"); + return; + } + let available = 0; + try { + available = stream.available(); + } catch (e) { + // onInputStreamReady may fire when the stream has been closed. 
+ equal( + e.result, + Cr.NS_BASE_STREAM_CLOSED, + "error should be NS_BASE_STREAM_CLOSED" + ); + } + if (available > 0) { + let request = NetUtil.readInputStreamToString(stream, available, { + charset: "utf8", + }); + ok( + request.startsWith("GET / HTTP/1.1\r\n"), + "Should get a simple GET / HTTP/1.1 request" + ); + let response = + "HTTP/1.1 200 OK\r\n" + + "Content-Length: 2\r\n" + + "Content-Type: text/plain\r\n" + + "\r\nOK"; + let written = this.output.write(response, response.length); + equal( + written, + response.length, + "should have been able to write entire response" + ); + } + this.output.close(); + info("done with input stream ready"); + } + + stop() { + this.stopped = true; + this.output.close(); + } +} + +class TLSServerSecurityObserver { + constructor(input, output) { + this.input = input; + this.output = output; + this.callbacks = []; + this.stopped = false; + } + + onHandshakeDone(socket, status) { + info("TLS handshake done"); + info(`TLS version used: ${status.tlsVersionUsed}`); + + if (this.stopped) { + info("handshake done callback stopped - bailing"); + return; + } + + let callback = new InputStreamCallback(this.output); + this.callbacks.push(callback); + this.input.asyncWait(callback, 0, 0, Services.tm.currentThread); + + // We've set up everything needed for a successful request/response, + // but calling logoutAndTeardown should cause the request to be cancelled. 
+ Cc["@mozilla.org/security/sdr;1"] + .getService(Ci.nsISecretDecoderRing) + .logoutAndTeardown(); + } + + stop() { + this.stopped = true; + this.input.close(); + this.output.close(); + this.callbacks.forEach(callback => { + callback.stop(); + }); + } +} + +class ServerSocketListener { + constructor() { + this.securityObservers = []; + } + + onSocketAccepted(socket, transport) { + info("accepted TLS client connection"); + let connectionInfo = transport.securityCallbacks.getInterface( + Ci.nsITLSServerConnectionInfo + ); + let input = transport.openInputStream(0, 0, 0); + let output = transport.openOutputStream(0, 0, 0); + let securityObserver = new TLSServerSecurityObserver(input, output); + this.securityObservers.push(securityObserver); + connectionInfo.setSecurityObserver(securityObserver); + } + + // For some reason we get input stream callback events after we've stopped + // listening, so this ensures we just drop those events. + onStopListening() { + info("onStopListening"); + this.securityObservers.forEach(observer => { + observer.stop(); + }); + } +} + +function getStartedServer(cert) { + let tlsServer = Cc["@mozilla.org/network/tls-server-socket;1"].createInstance( + Ci.nsITLSServerSocket + ); + tlsServer.init(-1, true, -1); + tlsServer.serverCert = cert; + tlsServer.setSessionTickets(false); + tlsServer.asyncListen(new ServerSocketListener()); + return tlsServer; +} + +const hostname = "example.com"; + +function storeCertOverride(port, cert) { + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.rememberValidityOverride(hostname, port, {}, cert, true); +} + +function startClient(port) { + let req = new XMLHttpRequest(); + req.open("GET", `https://${hostname}:${port}`); + return new Promise((resolve, reject) => { + req.onload = () => { + ok(false, "should not have gotten load event"); + resolve(); + }; + req.onerror = () => { + ok(true, "should have gotten an error"); + 
resolve(); + }; + + req.send(); + }); +} + +add_task(async function() { + Services.prefs.setCharPref("network.dns.localDomains", hostname); + let cert = getTestServerCertificate(); + + let server = getStartedServer(cert); + storeCertOverride(server.port, cert); + await startClient(server.port); + server.close(); +}); + +registerCleanupFunction(function() { + Services.prefs.clearUserPref("network.dns.localDomains"); +}); diff --git a/security/manager/ssl/tests/unit/test_missing_intermediate.js b/security/manager/ssl/tests/unit/test_missing_intermediate.js new file mode 100644 index 0000000000..2a723b2a0f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_missing_intermediate.js 
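Review bot: The `req.onerror` handler in `startClient` accepts any connection failure, so this test can pass without `logoutAndTeardown()` ever having cancelled an in-progress request. Nothing in the hunk checks that `onHandshakeDone` was reached before the error fired, so a failed handshake or a listener that never accepted the connection would look the same as the cancellation the test is meant to prove. I would add a file-level `let handshakeDone = false;`, set `handshakeDone = true;` at the top of `TLSServerSecurityObserver.onHandshakeDone`, and assert `ok(handshakeDone, "handshake should complete before the request is cancelled");` right after `await startClient(server.port);`.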
@@ -0,0 +1,92 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// Tests that if a server does not send a complete certificate chain, we can +// make use of cached intermediates to build a trust path. + +const { TestUtils } = ChromeUtils.importESModule( + "resource://testing-common/TestUtils.sys.mjs" +); + +do_get_profile(); // must be called before getting nsIX509CertDB + +registerCleanupFunction(() => { + let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile); + certDir.append("bad_certs"); + Assert.ok(certDir.exists(), "bad_certs should exist"); + let args = ["-D", "-n", "manually-added-missing-intermediate"]; + run_certutil_on_directory(certDir.path, args, false); +}); + +function run_test() { + add_tls_server_setup("BadCertAndPinningServer", "bad_certs"); + // If we don't know about the intermediate, we'll get an unknown issuer error. + add_connection_test( + "ee-from-missing-intermediate.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + + // Make BadCertAndPinningServer aware of the intermediate. + add_test(() => { + let args = [ + "-A", + "-n", + "manually-added-missing-intermediate", + "-i", + "test_missing_intermediate/missing-intermediate.pem", + "-a", + "-t", + ",,", + ]; + let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile); + certDir.append("bad_certs"); + Assert.ok(certDir.exists(), "bad_certs should exist"); + run_certutil_on_directory(certDir.path, args); + run_next_test(); + }); + + // We have to start observing the topic before there's a chance it gets + // emitted. 
+ add_test(() => { + TestUtils.topicObserved("psm:intermediate-certs-cached").then( + subjectAndData => { + Assert.equal(subjectAndData.length, 2, "expecting [subject, data]"); + Assert.equal(subjectAndData[1], "1", `expecting "1" cert imported`); + run_next_test(); + } + ); + run_next_test(); + }); + // Connect and cache the intermediate. + add_connection_test( + "ee-from-missing-intermediate.example.com", + PRErrorCodeSuccess + ); + + // Add a dummy test so that the only way we advance from here is by observing + // "psm:intermediate-certs-cached". + add_test(() => {}); + + // Delete the intermediate on the server again. + add_test(() => { + clearSessionCache(); + let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile); + certDir.append("bad_certs"); + Assert.ok(certDir.exists(), "bad_certs should exist"); + let args = ["-D", "-n", "manually-added-missing-intermediate"]; + run_certutil_on_directory(certDir.path, args); + run_next_test(); + }); + + // Since we cached the intermediate in gecko, this should succeed. + add_connection_test( + "ee-from-missing-intermediate.example.com", + PRErrorCodeSuccess + ); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem new file mode 100644 index 0000000000..3ba4cc67d1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem 
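Review bot: The cleanup handler calls `run_certutil_on_directory(certDir.path, args, false)` with a bare `false`, while the two calls inside `run_test` omit the third argument, and nothing in this file says why. The helper is defined outside this diff, so this is inferred: the flag presumably relaxes the success check because the nickname has normally been deleted by the time cleanup runs. If so, a comment such as `// The nickname is usually gone already, so do not require certutil to succeed.` would document it. The `bad_certs` directory lookup and the `"manually-added-missing-intermediate"` literal are each repeated three times and could become one helper and one constant. The empty `add_test(() => {})` also means a missing `psm:intermediate-certs-cached` notification shows up only as a harness timeout, which is worth stating in the comment above it.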
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4DCCAcigAwIBAgIUXVqax21Zg1E4snLU25SGHPmGws8wDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAfMR0wGwYDVQQDDBRNaXNzaW5nIEludGVybWVkaWF0ZTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ +6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUk +nAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N +/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAG +JMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd +7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEA +AaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQAD +ggEBAJU1u07/x6ATZrK4/Cq6cqTbdkoUJRfZERwJBx4mBnQTbQXBhuo2y4qF+J7U +SA3LKtfAHRJGkH7nBwRIlAxfN87saJcVXMA8n6WRHNjrDzhK7bZtt1sS23tBCtbs +TxrMCmfrR2tVZApuGa3lwz8gWhzZkZvoENuqqFAM5nMroKjpKVDFRDAn/Ub7lsvQ +vQqXti0EqMcg7e6rmBQEvwD0L9sagFLyIqtQM2n901vDlLUfnWrddVH3pA0O3KAr +ft079b4Lh7RPyeocSU++xGtQ+jkx1WjNtNhVSUNjrmxQMhqAgFPONhJOTo3FqeYO +T/Rt5MdiZpnMuD2C3VF2r9rTURU= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem.certspec b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem.certspec new file mode 100644 index 0000000000..c21e757449 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Missing Intermediate +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_name_constraints.js b/security/manager/ssl/tests/unit/test_name_constraints.js new file mode 100644 index 0000000000..e04eb93b0c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints.js 
@@ -0,0 +1,71 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// This test tests two specific items: +// 1. Are name constraints properly enforced across the entire constructed +// certificate chain? This makes use of a certificate hierarchy like so: +// - (trusted) root CA with permitted subtree dNSName example.com +// - intermediate CA with permitted subtree dNSName example.org +// a. end-entity with dNSNames example.com and example.org +// (the first entry is allowed by the root but not by the intermediate, +// and the second entry is allowed by the intermediate but not by the +// root) +// b. end-entity with dNSName example.com (not allowed by the intermediate) +// c. end-entity with dNSName examle.org (not allowed by the root) +// d. end-entity with dNSName example.test (not allowed by either) +// All of these cases should fail to verify with the error that the +// end-entity is not in the name space permitted by the hierarchy. +// +// 2. Are externally-imposed name constraints properly enforced? This makes use +// of a certificate hierarchy rooted by a certificate with the same DN as an +// existing hierarchy that has externally-imposed name constraints (DCISS). 
+ +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function certFromFile(name) { + return constructCertFromFile(`test_name_constraints/${name}.pem`); +} + +function loadCertWithTrust(certName, trustString) { + addCertFromFile(certdb, `test_name_constraints/${certName}.pem`, trustString); +} + +function checkCertNotInNameSpace(cert) { + return checkCertErrorGeneric( + certdb, + cert, + SEC_ERROR_CERT_NOT_IN_NAME_SPACE, + certificateUsageSSLServer + ); +} + +function checkCertInNameSpace(cert) { + return checkCertErrorGeneric( + certdb, + cert, + PRErrorCodeSuccess, + certificateUsageSSLServer + ); +} + +add_task(async function() { + // Test that name constraints from the entire certificate chain are enforced. + loadCertWithTrust("ca-example-com-permitted", "CTu,,"); + loadCertWithTrust("int-example-org-permitted", ",,"); + await checkCertNotInNameSpace(certFromFile("ee-example-com-and-org")); + await checkCertNotInNameSpace(certFromFile("ee-example-com")); + await checkCertNotInNameSpace(certFromFile("ee-example-org")); + await checkCertNotInNameSpace(certFromFile("ee-example-test")); + + // Test that externally-imposed name constraints are enforced (DCISS tests). + loadCertWithTrust("dciss", "CTu,,"); + await checkCertInNameSpace(certFromFile("NameConstraints.dcissallowed")); + await checkCertNotInNameSpace(certFromFile("NameConstraints.dcissblocked")); +}); diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem new file mode 100644 index 0000000000..8058f77b23 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem 
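Review bot: The success expectation in `checkCertInNameSpace(certFromFile("NameConstraints.dcissallowed"))` only holds while the checked-in fixtures are inside their validity window. The PEMs added with this file appear to decode to notBefore 2021-11-27 and notAfter 2024-02-05, which is earlier than this commit's date of 7 Apr 2024. If `checkCertErrorGeneric` (defined outside this diff) verifies at the current time, the run would stop on an expiry error before name constraints are exercised. Either regenerate the fixtures from their `.certspec` files or verify at a pinned time inside the window. In the header comment, case c reads `examle.org` and should be `example.org`.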
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDVzCCAj+gAwIBAgIUByfcws/1BsAT11Q4PQoblWadQD0wDQYJKoZIhvcNAQEL +BQAwgYUxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBh +cmlzMRAwDgYDVQQKEwdQTS9TR0ROMQ4wDAYDVQQLEwVEQ1NTSTEOMAwGA1UEAxMF +SUdDL0ExIzAhBgkqhkiG9w0BCQEWFGlnY2FAc2dkbi5wbS5nb3V2LmZyMCIYDzIw +MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEExCzAJBgNVBAYTAlVTMQsw +CQYDVQQIDAJDQTEMMAoGA1UECgwDRm9vMRcwFQYDVQQDDA5mb28uZXhhbXBsZS5m +cjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogG +NhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqn +RYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHu +p3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQ +Lzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p +47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo1 +7Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEADR+2W/J/dKAwAf8I06e89ZBKd0H5 +yxJqgpwCZfhtjT200R0KUy3Idml1TVdvM1J/hLKu5dMtQ6ewGZIEpf9A+TQ/CN8U +0D1m94HUAIZDMt+I/9FjXff9OrLOBxU1AQtlK9dunE0751bqq2aIvdMYcD3D3sHQ +jj1gxmsdoxWmoE7vTcwXzkTOX6s9SsylGmqWDuoNl2gioyAU0MFIgTkNRxuUOfSR +0LtBHsqEmWYXAjLFqRwa09NZ49jRq+n64svv65gdkKeuecvdYEnFQPKhQJHh0UE8 +oq3T7HWiGkaPgQ2FfFwIXGSQD+jJTDV+hzH5wuWbnxW5bl/Tq1olAh0S+w== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec new file mode 100644 index 0000000000..1a02a0cc1a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissallowed.pem.certspec @@ -0,0 +1,2 @@ +issuer:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr +subject:/C=US/ST=CA/O=Foo/CN=foo.example.fr 
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem new file mode 100644 index 0000000000..4b29717d91 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDWDCCAkCgAwIBAgIUeThptwYWQpW7Kmc4xj2lLpzdjfIwDQYJKoZIhvcNAQEL +BQAwgYUxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBh +cmlzMRAwDgYDVQQKEwdQTS9TR0ROMQ4wDAYDVQQLEwVEQ1NTSTEOMAwGA1UEAxMF +SUdDL0ExIzAhBgkqhkiG9w0BCQEWFGlnY2FAc2dkbi5wbS5nb3V2LmZyMCIYDzIw +MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMEIxCzAJBgNVBAYTAlVTMQsw +CQYDVQQIDAJDQTEMMAoGA1UECgwDRm9vMRgwFgYDVQQDDA9mb28uZXhhbXBsZS5j +b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI +BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa +p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB +7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C +kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv +aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK +Ne2NAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAHG3W9MHDLoH+PtllciSci7+QaNX +lSb/+OyqCpx/XkjS2/Bd8+c4Pbn7GdrR/Nf17f/KZ5qgY+uO6NExeh3LrGvTKkig +Kpt+Uij0iVBd9XTzTnHZdU3EW1Y3539TBT0ABilG1YlKlpJWA+fzUWRo9vHPcETm +KJRH3eKtyXTHeRPpOSG2afJKzqfkiGSK/zvWe5YjTKLhJGRRnX37SG7GIA7l1kX7 +1UPJs2Wtr05qrUmSBSgP0k+T7pi4+94/TgMjai//E802m7EdfSfRsvUEnh6Lv1Mk +iY8C6RsPQIhTr4dsp04TazciE42TfsPZ/zpgf5AHF+Xrz1AoFdNABpXAcNk= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec new file mode 100644 index 0000000000..eabee87e83 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/NameConstraints.dcissblocked.pem.certspec 
@@ -0,0 +1,2 @@ +issuer:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr +subject:/C=US/ST=CA/O=Foo/CN=foo.example.com diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem new file mode 100644 index 0000000000..f96b43db09 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDETCCAfmgAwIBAgIUI3lD7Re7UzKxqghLVnq19q1yxakwDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYY2EtZXhhbXBsZS1jb20tcGVybWl0dGVkMCIYDzIwMjEx +MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCMxITAfBgNVBAMMGGNhLWV4YW1w +bGUtY29tLXBlcm1pdHRlZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG +8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0V +gg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g3 +04hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l +0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz +/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaM5MDcwDAYDVR0TBAUwAwEB/zALBgNVHQ8E +BAMCAQYwGgYDVR0eBBMwEaAPMA2CC2V4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUA +A4IBAQCqe0psTB+mMNH5u+5ZNGy27aYGpl4hegtWQtNUYmNWL6xnSJwLB+4tKtHG +I6HKMNQ9so3l0x28jitBbcnbSSkVV+Q2upVziZX8uNgg2613O//loKhvvSeJqeVw +vGfPNnIkwcSpTMqDyYuY1tSA2dW3fMeX6kqnP5nupmERt60Xqxd56XZaAC4ZI0vY +FVIbxCrxuBHDi/hcGCDFUB3gnwE+CNqTnNOh95w1nRLuBJxyrUF3SFrLVdlbSO9Q +YXD20E7e79ZdGCcIZFIvCG5AKDzd0amEVJ/GGNuqZGa3+ScP5PVd571KcFB0nl7s +hGWiQsC/9yJg0eZNZ64hlWLofeYf +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec new file mode 100644 index 0000000000..1cc3c1d81b --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_name_constraints/ca-example-com-permitted.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca-example-com-permitted +subject:ca-example-com-permitted +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:nameConstraints:permitted:example.com diff --git a/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem new file mode 100644 index 0000000000..632d60fd51 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuzCCAqOgAwIBAgIULcsHU0vMF8j+8wH20P0dJztPKgEwDQYJKoZIhvcNAQEL +BQAwgYUxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZGcmFuY2UxDjAMBgNVBAcTBVBh +cmlzMRAwDgYDVQQKEwdQTS9TR0ROMQ4wDAYDVQQLEwVEQ1NTSTEOMAwGA1UEAxMF +SUdDL0ExIzAhBgkqhkiG9w0BCQEWFGlnY2FAc2dkbi5wbS5nb3V2LmZyMCIYDzIw +MjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMIGFMQswCQYDVQQGEwJGUjEP +MA0GA1UECBMGRnJhbmNlMQ4wDAYDVQQHEwVQYXJpczEQMA4GA1UEChMHUE0vU0dE +TjEOMAwGA1UECxMFRENTU0kxDjAMBgNVBAMTBUlHQy9BMSMwIQYJKoZIhvcNAQkB +FhRpZ2NhQHNnZG4ucG0uZ291di5mcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72x +nAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lM +wmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF +4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20 +yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xx +j5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaMdMBswDAYDVR0TBAUwAwEB/zAL +BgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABMUv/zQZiMOGUd8VhQ2Bpct +bFy+LXpRmPZKuaxAeXWJOOO6YzXKWu5Ozvy1B0+2+OpS7eTWO/4p/sBcqmHuIf45 +jCPDm6RhRDXe+9zGKqv9dt0hXpZwUx7q9nUIlDsyVKrJ2XRd70EAvrpqbJBN2ztF +dGwvVFXYINyOFVBfMbdUnbqtwUMUoYQ8UgoTAoJTA09nfIv6YXIebX553u/ZOcpk +wQbyl69r8hc5pYxKdEBqjqfy6rrl7/h6ptTSJDp+z0EBCG592WVClVu3cpaRlnQt +/gSHxGH+ZTFKqjrf2pP9a34DtepJL1K/LNHv+XpnmUK6hSLkW9aR+MtK5A7lROg= +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec new file mode 100644 index 0000000000..5d53706bc5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/dciss.pem.certspec @@ -0,0 +1,4 @@ +issuer:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr +subject:printableString/C=FR/ST=France/L=Paris/O=PM/SGDN/OU=DCSSI/CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem new file mode 100644 index 0000000000..f49fe5ebcc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/jCCAeagAwIBAgIUa3sb3Kmjzf4Q38n9GGzgAluQs3UwDQYJKoZIhvcNAQEL +BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIx +MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAhMR8wHQYDVQQDDBZlZS1leGFt +cGxlLWNvbS1hbmQtb3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +uohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGoby +a+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWC +D/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfT +iEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXT +Ce+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+ +SSP6clHEMdUDrNoYCjXtjQIDAQABoycwJTAjBgNVHREEHDAaggtleGFtcGxlLmNv +bYILZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQELBQADggEBAEp9KUBTRs8erSIiiAj1 +HVtbJyvBipgvWQHG/4G7A3tm6E0ZGZRofhovLspsDCdoaEiHSmLpxAjzAcYNA68v +OPloyfV8H0p/V0h/PzQKjJYcx4oQ5xt/TVo7oUgDL2ap37rMDYzXevSFJ/hFRJjX +IWrWoCwweGJrXlyRyF84SmC1oMWDfwOxNpDDOc1qW/+6Rhftx361B3GBe7A9Xb5g +X6I4xCFYSLnHMMBSfqsfLZkTb+rqpeLy1k0BBpJWZP1Dbgy3BCmWhyzMG1n6IYwr +Nqg35i2YhCFlr/lNvwy+Jix9EjAmrYVl8rJ0eOHUoFGyphzv331kO4B8MiZo33rY +Ci4= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec new file mode 100644 index 0000000000..904ca65955 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com-and-org.pem.certspec @@ -0,0 +1,3 @@ +issuer:int-example-org-permitted +subject:ee-example-com-and-org +extension:subjectAlternativeName:example.com,example.org diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem new file mode 100644 index 0000000000..e1872fb869 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6TCCAdGgAwIBAgIUNyYkQhaojroU27Ob3YEOgU/gSIowDQYJKoZIhvcNAQEL +BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIx +MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAZMRcwFQYDVQQDDA5lZS1leGFt +cGxlLWNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAAaMaMBgwFgYDVR0RBA8wDYILZXhhbXBsZS5jb20wDQYJKoZI +hvcNAQELBQADggEBAEbqCfq2MUMQ9/Y3GYVUCJZOTQd6LFbk7edj/d5B0MLialsm +xZ9+4/hv98hiL3V3rJPsZNLMgaZjE10Yer+HdwC8do2OsuIO85UA4oWJKKjjLbUO +Mek36zrzcgrbWqGEthXgnUwvUGKedEgeIoPzhN4UT3Ifkf1u0L308kc+0bnhQlEJ +V49YCMoyrIX/mzYs5D3zd1IxlWN3WNVfzF+pmQQ6LSfI8OtppCgRuNYDY3Md7Lqc +x+QITmjJYZJJN2hpRJPMoUagF89M3XUj/6w4oLNBJmF02VrU/4JChEyKqmAqNCi/ +Z0nDqmRwXyO8tnTIzx7XJcb9CDIoaBCzgoP2nCc= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec new file mode 100644 index 0000000000..46630c4a1a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-com.pem.certspec @@ -0,0 +1,3 @@ +issuer:int-example-org-permitted +subject:ee-example-com +extension:subjectAlternativeName:example.com diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem new file mode 100644 index 0000000000..9b820e9a3f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6TCCAdGgAwIBAgIUK/q+41F1BJ5V5yLuTubosg8UyzowDQYJKoZIhvcNAQEL +BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIx +MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAZMRcwFQYDVQQDDA5lZS1leGFt +cGxlLW9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAAaMaMBgwFgYDVR0RBA8wDYILZXhhbXBsZS5vcmcwDQYJKoZI +hvcNAQELBQADggEBAK38zSQwGdXOtrm9KyhDC2iUXdL+bmQyVPXqxgOsc39oG4kK +yQ49cmkrdTfrOccrXVK80mJaSlMccQkv7++BlWhxE0yJw4nU5PGfGZ1wbKdYgTXx +YYrqk7WTEZ28jvf42MXtz+YPceGLFI5jm4CACE4+RFjBUydRmadbIQytp5wz+rDX +90RAHw6K5niEylXpkaqIUjZj27qQRHX7X/2N9rFj0Z8c7wSrCA4RsG9RPWtDgoE8 +NtgqMrRqDwbIzxWw4RtnirErgk+1aFAleNJ8bS3QBTO/a5PWFwUi5/ZePpI+7+Gf +flEWX+zxAOdQCLNWRnk8BMjnuBN8rL9cj3s1okw= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec new file mode 100644 index 0000000000..6a24090e51 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-org.pem.certspec @@ -0,0 +1,3 @@ +issuer:int-example-org-permitted +subject:ee-example-org +extension:subjectAlternativeName:example.org diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem new file mode 100644 index 0000000000..53cd45391e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6zCCAdOgAwIBAgIULd4A5nOUpfcpueUvavcnGwnza44wDQYJKoZIhvcNAQEL +BQAwJDEiMCAGA1UEAwwZaW50LWV4YW1wbGUtb3JnLXBlcm1pdHRlZDAiGA8yMDIx +MTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9lZS1leGFt +cGxlLXRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W +1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtq +ZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx +0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthV +t2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo +4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx +1QOs2hgKNe2NAgMBAAGjGzAZMBcGA1UdEQQQMA6CDGV4YW1wbGUudGVzdDANBgkq +hkiG9w0BAQsFAAOCAQEAGclmIUn18xP9ZBL5dIZ6SDS1tYgwbDdczT6Lxe1QWILy +QxM5cL30hxf/O9dOBqCnv1px72RemKx9H0S5dr1JSaq4q+cuwtIqWlIiBAF3APoj +HpOct+VsLI+UxyfvTKVSvWXKgXdlvKYQ4FMu1CUI90dmRNP2fQbEMYqkbAoQXz47 +2Qk19gMhmTGah0RXE5cBfMf+3VD508dJejyzA+yA9hw5HUsH3tvSIX9JhP7s+wyu +cyMUfovHS20ML1VQ+Lzf2YQO0lhxmS3UMSEg2h4MBUcgLaJEeGpDt2WCJKliISk5 +TaJDaiQBTrd6eupMegUQcVn0UrBD4hxrPiAg1ibU3Q== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec new file mode 100644 index 0000000000..0926ce477a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/ee-example-test.pem.certspec @@ -0,0 +1,3 @@ +issuer:int-example-org-permitted +subject:ee-example-test +extension:subjectAlternativeName:example.test diff --git a/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem new file mode 100644 index 0000000000..715ee48d57 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDEjCCAfqgAwIBAgIUC12ZLFrh+TExo/zOUHTYqBfd0ZMwDQYJKoZIhvcNAQEL +BQAwIzEhMB8GA1UEAwwYY2EtZXhhbXBsZS1jb20tcGVybWl0dGVkMCIYDzIwMjEx +MTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCQxIjAgBgNVBAMMGWludC1leGFt +cGxlLW9yZy1wZXJtaXR0ZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24a +hvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7t +FYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+o +N9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0d +JdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4 +s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOTA3MAwGA1UdEwQFMAMBAf8wCwYDVR0P +BAQDAgEGMBoGA1UdHgQTMBGgDzANggtleGFtcGxlLm9yZzANBgkqhkiG9w0BAQsF +AAOCAQEAlnz9bttQ1SXr8R9fYrSQPPHXCQ2KfQNm3WWVj/jZwwcLokG3U8o9qpMn +0LZ8AW9726SK2YzkBEHsCA58Vi+4Sh/m4GGue6RKx02w2H3r+D9U+oB2VvqK71ga +HoS9FAy+Wy8f9dceZpJbteCpz/e7UTM+6BPXOp5F+VZoCk0jKhzhYEYqONTIL0Xk +/1IhkUT5jf3WNbAuGXhgUMc4Q6UdXj4GcYM1rx3r3YOb+wX1Zh0rjgkIEyBT5JFH +yBqBDWG9xhMoftQYkLb1VGIms/HcaEsP6ckz2sev6ZDRrhRQS+SU44X6bpKddqYo +xRRqtHKbc7bjutoBFGxNzJNRPvzCLg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec new file mode 100644 index 0000000000..87e2cf8a56 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints/int-example-org-permitted.pem.certspec @@ -0,0 +1,5 @@ +issuer:ca-example-com-permitted +subject:int-example-org-permitted +extension:basicConstraints:cA, +extension:keyUsage:cRLSign,keyCertSign +extension:nameConstraints:permitted:example.org diff --git a/security/manager/ssl/tests/unit/test_nonascii_path.js b/security/manager/ssl/tests/unit/test_nonascii_path.js new file mode 100644 index 0000000000..3c31640d05 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_nonascii_path.js 
@@ -0,0 +1,52 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// Tests to make sure that the certificate DB works with non-ASCII paths. + +// Append a single quote and non-ASCII characters to the profile path. +let profd = Services.env.get("XPCSHELL_TEST_PROFILE_DIR"); +let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile); +file.initWithPath(profd); +file.append("'÷1"); +Services.env.set("XPCSHELL_TEST_PROFILE_DIR", file.path); + +file = do_get_profile(); // must be called before getting nsIX509CertDB +Assert.ok( + /[^\x20-\x7f]/.test(file.path), + "the profile path should contain a non-ASCII character" +); + +// Restore the original value. +Services.env.set("XPCSHELL_TEST_PROFILE_DIR", profd); + +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function load_cert(cert_name, trust_string) { + let cert_filename = cert_name + ".pem"; + return addCertFromFile( + certdb, + "test_cert_trust/" + cert_filename, + trust_string + ); +} + +function run_test() { + let certList = ["ca", "int", "ee"]; + let loadedCerts = []; + for (let certName of certList) { + loadedCerts.push(load_cert(certName, ",,")); + } + + let ca_cert = loadedCerts[0]; + notEqual(ca_cert, null, "CA cert should have successfully loaded"); + let int_cert = loadedCerts[1]; + notEqual(int_cert, null, "Intermediate cert should have successfully loaded"); + let ee_cert = loadedCerts[2]; + notEqual(ee_cert, null, "EE cert should have successfully loaded"); +} diff --git a/security/manager/ssl/tests/unit/test_nsCertType.js b/security/manager/ssl/tests/unit/test_nsCertType.js new file mode 100644 index 0000000000..8341575473 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_nsCertType.js 
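Review bot: The sanity check `/[^\x20-\x7f]/.test(file.path)` is broader than its message "the profile path should contain a non-ASCII character". The class matches any character outside 0x20–0x7f, so a control character below 0x20 in the path would satisfy the assertion even if the non-ASCII suffix had been lost. `/[^\x00-\x7f]/.test(file.path)` matches only code units above the ASCII range, which is what the test intends to prove.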
@@ -0,0 +1,32 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +// +// While the Netscape certificate type extension is not a standard and has been +// discouraged from use for quite some time, it is still encountered. Thus, we +// handle it slightly differently from other unknown extensions. +// If it is not marked critical, we ignore it. +// If it is marked critical: +// If the basic constraints and extended key usage extensions are also +// present, we ignore it, because they are standardized and should convey the +// same information. +// Otherwise, we reject it with an error indicating an unknown critical +// extension. + +"use strict"; + +function run_test() { + do_get_profile(); + add_tls_server_setup("BadCertAndPinningServer", "bad_certs"); + add_connection_test("nsCertTypeNotCritical.example.com", PRErrorCodeSuccess); + add_connection_test( + "nsCertTypeCriticalWithExtKeyUsage.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "nsCertTypeCritical.example.com", + SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION + ); + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_nsIX509CertValidity.js b/security/manager/ssl/tests/unit/test_nsIX509CertValidity.js new file mode 100644 index 0000000000..8650409df7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_nsIX509CertValidity.js 
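Review bot: The three `add_connection_test` calls do not cover the boundary the header comment describes, where a critical nsCertType is ignored only if basic constraints and extended key usage are both present. Judging by the host names, the cases are non-critical, critical with extended key usage, and critical alone. None pairs a critical extension with just one of the two standard extensions, which is the case a one-sided check would wrongly accept. The server's certificates are outside this hunk; if such a fixture exists, add a connection test expecting `SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION`. Otherwise record the gap with `// TODO: cover a critical nsCertType with only one of basicConstraints / extKeyUsage.`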
@@ -0,0 +1,25 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// This file tests the nsIX509CertValidity implementation. + +function run_test() { + // Date.parse("2013-01-01T00:00:00Z") + const NOT_BEFORE_IN_MS = 1356998400000; + // Date.parse("2014-01-01T00:00:00Z") + const NOT_AFTER_IN_MS = 1388534400000; + let cert = constructCertFromFile("bad_certs/expired-ee.pem"); + + equal( + cert.validity.notBefore, + NOT_BEFORE_IN_MS * 1000, + "Actual and expected notBefore should be equal" + ); + equal( + cert.validity.notAfter, + NOT_AFTER_IN_MS * 1000, + "Actual and expected notAfter should be equal" + ); +} diff --git a/security/manager/ssl/tests/unit/test_nsIX509Cert_utf8.js b/security/manager/ssl/tests/unit/test_nsIX509Cert_utf8.js new file mode 100644 index 0000000000..6305b878b4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_nsIX509Cert_utf8.js 
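Review bot: The `* 1000` in both `equal(...)` assertions is unexplained. The constants are named `_IN_MS` and taken from `Date.parse` values, yet `cert.validity.notBefore` and `notAfter` are compared against a value a thousand times larger. A one-line comment above the constants, such as `// nsIX509CertValidity reports PRTime, i.e. microseconds since the epoch.`, would make the unit conversion explicit.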
@@ -0,0 +1,96 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// Checks that various nsIX509Cert attributes correctly handle UTF-8. + +do_get_profile(); // Must be called before getting nsIX509CertDB +const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function run_test() { + let cert = certDB.constructX509FromBase64( + "MIIF3DCCBMSgAwIBAgIEAJiZbzANBgkqhkiG9w0BAQUFADCCAQ0xYTBfBgNVBAMM" + + "WEkuQ0EgLSBRdWFsaWZpZWQgcm9vdCBjZXJ0aWZpY2F0ZSAoa3ZhbGlmaWtvdmFu" + + "w70gY2VydGlmaWvDoXQgcG9za3l0b3ZhdGVsZSkgLSBQU0VVRE9OWU0xCzAJBgNV" + + "BAYTAkNaMS8wLQYDVQQHDCZQb2R2aW5uw70gbWzDvW4gMjE3OC82LCAxOTAgMDAg" + + "UHJhaGEgOTEsMCoGA1UECgwjUHJ2bsOtIGNlcnRpZmlrYcSNbsOtIGF1dG9yaXRh" + + "IGEucy4xPDA6BgNVBAsMM0FrcmVkaXRvdmFuw70gcG9za3l0b3ZhdGVsIGNlcnRp" + + "ZmlrYcSNbsOtY2ggc2x1xb5lYjAeFw0wMjEyMTIxMzMzNDZaFw0wMzEyMTIxMzMz" + + "NDZaMIIBFDELMAkGA1UEBhMCQ1oxHzAdBgNVBAMeFgBMAHUAZAEbAGsAIABSAGEB" + + "YQBlAGsxGTAXBgNVBAgeEABWAHkAcwBvAQ0AaQBuAGExLzAtBgNVBAceJgBQAGEA" + + "YwBvAHYALAAgAE4A4QBkAHIAYQF+AG4A7QAgADcANgA5MSUwIwYJKoZIhvcNAQkB" + + "FhZsdWRlay5yYXNla0BjZW50cnVtLmN6MRMwEQYDVQQqHgoATAB1AGQBGwBrMQ0w" + + "CwYDVQQrHgQATABSMR8wHQYDVQQpHhYATAB1AGQBGwBrACAAUgBhAWEAZQBrMRMw" + + "EQYDVQQEHgoAUgBhAWEAZQBrMRcwFQYDVQQFEw5JQ0EgLSAxMDAwMzc2OTCBnzAN" + + "BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxc7dGd0cNlHZ7tUUl5k30bfYlY3lnOD0" + + "49JGbTXSt4jNFMRLj6s/777W3kcIdcIwdKxjQULBKgryDvZJ1DAWp2TwzhPDVYj3" + + "sU4Niqb7mOUcp/4ckteUxGF6FmXtJR9+XHTuLZ+omF9HOUefheBKnXvZuqrLM16y" + + "nbJn4sPwwdcCAwEAAaOCAbswggG3MCUGA1UdEQQeMBygGgYKKwMGAQQB3BkCAaAM" + + "DAoxNzYyODk2ODgzMGkGA1UdHwRiMGAwHqAcoBqGGGh0dHA6Ly9xLmljYS5jei9x" + + "aWNhLmNybDAeoBygGoYYaHR0cDovL2IuaWNhLmN6L3FpY2EuY3JsMB6gHKAahhho" + + 
"dHRwOi8vci5pY2EuY3ovcWljYS5jcmwwHwYDVR0jBBgwFoAUK1oKfvvlDYUsZTBy" + + "vGN701mca/UwHQYDVR0OBBYEFPAs70DB+LS0PnA6niPUfJ5wdQH5MIG4BgNVHSAE" + + "gbAwga0wgaoGCysGAQQBs2EBAQQEMIGaMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3" + + "LmljYS5jei9xY3AvY3BxcGljYTAyLnBkZjBnBggrBgEFBQcCAjBbGllUZW50byBj" + + "ZXJ0aWZpa2F0IGplIHZ5ZGFuIGpha28gS3ZhbGlmaWtvdmFueSBjZXJ0aWZpa2F0" + + "IHYgc291bGFkdSBzZSB6YWtvbmVtIDIyNy8yMDAwIFNiLjAYBggrBgEFBQcBAwQM" + + "MAowCAYGBACORgEBMA4GA1UdDwEB/wQEAwIE8DANBgkqhkiG9w0BAQUFAAOCAQEA" + + "v2V+nnYYMIgabmmgHx49CtlZIHdGS3TuWKXw130xFhbXDnNhEbx3alaskNsvjQQR" + + "Lqs1ZwKy58yynse+eJYHqenmHDACpAfVpCF9PXC/mDarVsoQw7NTcUpsAFhSd/zT" + + "v9jIf3twECyxx/RVzONVcob7nPePESHiKoG4FbtcuUh0wSHvCmTwRIQqPDCIuHcF" + + "StSt3Jr9iXcbXEhe4mSccOZ8N+r7Rv3ncKcevlRl7uFfDKDTyd43SZeRS/7J8KRf" + + "hD/h2nawrCFwc5gJW10aLJGFL/mcS7ViAIT9HCVk23j4TuBjsVmnZ0VKxB5edux+" + + "LIEqtU428UVHZWU/I5ngLw==" + ); + + equal( + cert.emailAddress, + "ludek.rasek@centrum.cz", + "Actual and expected emailAddress should match" + ); + equal( + cert.subjectName, + 'serialNumber=ICA - 10003769,SN=RaÅ¡ek,name=LudÄ›k RaÅ¡ek,initials=LR,givenName=LudÄ›k,E=ludek.rasek@centrum.cz,L="Pacov, Nádražní 769",ST=VysoÄina,CN=LudÄ›k RaÅ¡ek,C=CZ', + "Actual and expected subjectName should match" + ); + equal( + cert.commonName, + "LudÄ›k RaÅ¡ek", + "Actual and expected commonName should match" + ); + equal(cert.organization, "", "Actual and expected organization should match"); + equal( + cert.organizationalUnit, + "", + "Actual and expected organizationalUnit should match" + ); + equal( + cert.displayName, + "LudÄ›k RaÅ¡ek", + "Actual and expected displayName should match" + ); + equal( + cert.issuerName, + 'OU=Akreditovaný poskytovatel certifikaÄních služeb,O=První certifikaÄní autorita a.s.,L="Podvinný mlýn 2178/6, 190 00 Praha 9",C=CZ,CN=I.CA - Qualified root certificate (kvalifikovaný certifikát poskytovatele) - PSEUDONYM', + "Actual and expected issuerName should match" + ); + equal( + cert.issuerCommonName, + "I.CA - 
Qualified root certificate (kvalifikovaný certifikát poskytovatele) - PSEUDONYM", + "Actual and expected issuerCommonName should match" + ); + equal( + cert.issuerOrganization, + "První certifikaÄní autorita a.s.", + "Actual and expected issuerOrganization should match" + ); + equal( + cert.issuerOrganizationUnit, + "Akreditovaný poskytovatel certifikaÄních služeb", + "Actual and expected issuerOrganizationUnit should match" + ); +} diff --git a/security/manager/ssl/tests/unit/test_ocsp_caching.js b/security/manager/ssl/tests/unit/test_ocsp_caching.js new file mode 100644 index 0000000000..8d742e14da --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js 
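Review bot: The expected values in test_nsIX509Cert_utf8.js are written as raw non-ASCII string literals, so the test's meaning depends on how the file itself is decoded; as rendered on this page they appear mis-decoded (for example the `commonName` expectation). Because the test exists to pin UTF-8 handling of certificate name attributes, escapes would make the expectation unambiguous, e.g. `"Lud\u011bk Ra\u0161ek"` for `commonName` and `displayName`, which matches the BMPString code units in the embedded certificate. The same applies to the `subjectName`, `issuerName`, `issuerCommonName`, `issuerOrganization` and `issuerOrganizationUnit` expectations.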
@@ -0,0 +1,479 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// Checks various aspects of the OCSP cache, mainly to to ensure we do not fetch +// responses more than necessary. + +var gFetchCount = 0; +var gGoodOCSPResponse = null; +var gResponsePattern = []; + +function respondWithGoodOCSP(request, response) { + info("returning 200 OK"); + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "application/ocsp-response"); + response.write(gGoodOCSPResponse); +} + +function respondWithSHA1OCSP(request, response) { + info("returning 200 OK with sha-1 delegated response"); + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "application/ocsp-response"); + + let args = [["good-delegated", "default-ee", "delegatedSHA1Signer", 0]]; + let responses = generateOCSPResponses(args, "ocsp_certs"); + response.write(responses[0]); +} + +function respondWithError(request, response) { + info("returning 500 Internal Server Error"); + response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); + let body = "Refusing to return a response"; + response.bodyOutputStream.write(body, body.length); +} + +function generateGoodOCSPResponse(thisUpdateSkew) { + let args = [["good", "default-ee", "unused", thisUpdateSkew]]; + let responses = generateOCSPResponses(args, "ocsp_certs"); + return responses[0]; +} + +function add_ocsp_test( + aHost, + aExpectedResult, + aResponses, + aMessage, + aOriginAttributes +) { + add_connection_test( + aHost, + aExpectedResult, + function() { + clearSessionCache(); + gFetchCount = 0; + gResponsePattern = aResponses; + }, + function() { + // check the number of requests matches the size of aResponses + equal(gFetchCount, 
aResponses.length, aMessage); + }, + null, + aOriginAttributes + ); +} + +function run_test() { + do_get_profile(); + Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true); + Services.prefs.setIntPref("security.OCSP.enabled", 1); + add_tls_server_setup("OCSPStaplingServer", "ocsp_certs"); + + let ocspResponder = new HttpServer(); + ocspResponder.registerPrefixHandler("/", function(request, response) { + info("gFetchCount: " + gFetchCount); + let responseFunction = gResponsePattern[gFetchCount]; + Assert.notEqual(undefined, responseFunction); + + ++gFetchCount; + responseFunction(request, response); + }); + ocspResponder.start(8888); + + add_tests(); + + add_test(function() { + ocspResponder.stop(run_next_test); + }); + run_next_test(); +} + +function add_tests() { + // Test that verifying a certificate with a "short lifetime" doesn't result + // in OCSP fetching. Due to longevity requirements in our testing + // infrastructure, the certificate we encounter is valid for a very long + // time, so we have to define a "short lifetime" as something very long. + add_test(function() { + Services.prefs.setIntPref( + "security.pki.cert_short_lifetime_in_days", + 12000 + ); + run_next_test(); + }); + + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [], + "expected zero OCSP requests for a short-lived certificate" + ); + + add_test(function() { + Services.prefs.setIntPref("security.pki.cert_short_lifetime_in_days", 100); + run_next_test(); + }); + + // If a "short lifetime" is something more reasonable, ensure that we do OCSP + // fetching for this long-lived certificate. 
+ + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithError], + "expected one OCSP request for a long-lived certificate" + ); + add_test(function() { + Services.prefs.clearUserPref("security.pki.cert_short_lifetime_in_days"); + run_next_test(); + }); + // --------------------------------------------------------------------------- + + // Reset state + add_test(function() { + clearOCSPCache(); + run_next_test(); + }); + + // This test assumes that OCSPStaplingServer uses the same cert for + // ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com. + + // Get an Unknown response for the *.example.com cert and put it in the + // OCSP cache. + add_ocsp_test( + "ocsp-stapling-unknown.example.com", + SEC_ERROR_OCSP_UNKNOWN_CERT, + [], + "Stapled Unknown response -> a fetch should not have been attempted" + ); + + // A failure to retrieve an OCSP response must result in the cached Unknown + // response being recognized and honored. + add_ocsp_test( + "ocsp-stapling-none.example.com", + SEC_ERROR_OCSP_UNKNOWN_CERT, + [respondWithError, respondWithError], + "No stapled response -> a fetch should have been attempted" + ); + + // A valid Good response from the OCSP responder must override the cached + // Unknown response. + // + // Note that We need to make sure that the Unknown response and the Good + // response have different thisUpdate timestamps; otherwise, the Good + // response will be seen as "not newer" and it won't replace the existing + // entry. 
+ add_test(function() { + gGoodOCSPResponse = generateGoodOCSPResponse(1200); + run_next_test(); + }); + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithGoodOCSP], + "Cached Unknown response, no stapled response -> a fetch" + + " should have been attempted" + ); + + // The Good response retrieved from the previous fetch must have replaced + // the Unknown response in the cache, resulting in the catched Good response + // being returned and no fetch. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [], + "Cached Good response -> a fetch should not have been attempted" + ); + + // --------------------------------------------------------------------------- + + // Reset state + add_test(function() { + clearOCSPCache(); + run_next_test(); + }); + + // A failure to retrieve an OCSP response will result in an error entry being + // added to the cache. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithError], + "No stapled response -> a fetch should have been attempted" + ); + + // The error entry will prevent a fetch from happening for a while. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [], + "Noted OCSP server failure -> a fetch should not have been attempted" + ); + + // The error entry must not prevent a stapled OCSP response from being + // honored. + add_ocsp_test( + "ocsp-stapling-revoked.example.com", + SEC_ERROR_REVOKED_CERTIFICATE, + [], + "Stapled Revoked response -> a fetch should not have been attempted" + ); + + // --------------------------------------------------------------------------- + + // Ensure OCSP responses from signers with SHA1 certificates are OK. This + // is included in the OCSP caching tests since there were OCSP cache-related + // regressions when sha-1 telemetry probes were added. 
+ add_test(function() { + clearOCSPCache(); + // set security.OCSP.require so that checking the OCSP signature fails + Services.prefs.setBoolPref("security.OCSP.require", true); + run_next_test(); + }); + + add_ocsp_test( + "ocsp-stapling-none.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + [respondWithSHA1OCSP], + "OCSP signing cert was issued with sha1 - should fail" + ); + + add_test(function() { + Services.prefs.setBoolPref("security.OCSP.require", false); + run_next_test(); + }); + + // --------------------------------------------------------------------------- + + // Reset state + add_test(function() { + clearOCSPCache(); + run_next_test(); + }); + + // This test makes sure that OCSP cache are isolated by firstPartyDomain. + + let gObservedCnt = 0; + let protocolProxyService = Cc[ + "@mozilla.org/network/protocol-proxy-service;1" + ].getService(Ci.nsIProtocolProxyService); + + // Observe all channels and make sure the firstPartyDomain in their loadInfo's + // origin attributes are aFirstPartyDomain. + function startObservingChannels(aFirstPartyDomain) { + // We use a dummy proxy filter to catch all channels, even those that do not + // generate an "http-on-modify-request" notification. + let proxyFilter = { + applyFilter(aChannel, aProxy, aCallback) { + // We have the channel; provide it to the callback. + if (aChannel.originalURI.spec == "http://localhost:8888/") { + gObservedCnt++; + equal( + aChannel.loadInfo.originAttributes.firstPartyDomain, + aFirstPartyDomain, + "firstPartyDomain should match" + ); + } + // Pass on aProxy unmodified. + aCallback.onProxyFilterResult(aProxy); + }, + }; + protocolProxyService.registerChannelFilter(proxyFilter, 0); + // Return the stop() function: + return () => protocolProxyService.unregisterChannelFilter(proxyFilter); + } + + let stopObservingChannels; + add_test(function() { + stopObservingChannels = startObservingChannels("foo.com"); + run_next_test(); + }); + + // A good OCSP response will be cached. 
+ add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithGoodOCSP], + "No stapled response (firstPartyDomain = foo.com) -> a fetch " + + "should have been attempted", + { firstPartyDomain: "foo.com" } + ); + + // The cache will prevent a fetch from happening. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [], + "Noted OCSP server failure (firstPartyDomain = foo.com) -> a " + + "fetch should not have been attempted", + { firstPartyDomain: "foo.com" } + ); + + add_test(function() { + stopObservingChannels(); + equal(gObservedCnt, 1, "should have observed only 1 OCSP requests"); + gObservedCnt = 0; + run_next_test(); + }); + + add_test(function() { + stopObservingChannels = startObservingChannels("bar.com"); + run_next_test(); + }); + + // But using a different firstPartyDomain should result in a fetch. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithGoodOCSP], + "No stapled response (firstPartyDomain = bar.com) -> a fetch " + + "should have been attempted", + { firstPartyDomain: "bar.com" } + ); + + add_test(function() { + stopObservingChannels(); + equal(gObservedCnt, 1, "should have observed only 1 OCSP requests"); + gObservedCnt = 0; + run_next_test(); + }); + + // --------------------------------------------------------------------------- + + // Reset state + add_test(function() { + clearOCSPCache(); + run_next_test(); + }); + + // Test that the OCSP cache is not isolated by userContextId. + + // A good OCSP response will be cached. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithGoodOCSP], + "No stapled response (userContextId = 1) -> a fetch " + + "should have been attempted", + { userContextId: 1 } + ); + + // The cache will prevent a fetch from happening. 
+ add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [], + "Noted OCSP server failure (userContextId = 1) -> a " + + "fetch should not have been attempted", + { userContextId: 1 } + ); + + // Fetching is prevented even if in a different userContextId. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [], + "Noted OCSP server failure (userContextId = 2) -> a " + + "fetch should not have been attempted", + { userContextId: 2 } + ); + + // --------------------------------------------------------------------------- + + // Reset state + add_test(function() { + clearOCSPCache(); + run_next_test(); + }); + + // This test makes sure that OCSP cache are isolated by partitionKey. + + add_test(function() { + Services.prefs.setBoolPref( + "privacy.partition.network_state.ocsp_cache", + true + ); + run_next_test(); + }); + + // A good OCSP response will be cached. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithGoodOCSP], + "No stapled response (partitionKey = (https,foo.com)) -> a fetch " + + "should have been attempted", + { partitionKey: "(https,foo.com)" } + ); + + // The cache will prevent a fetch from happening. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [], + "Noted OCSP server failure (partitionKey = (https,foo.com)) -> a " + + "fetch should not have been attempted", + { partitionKey: "(https,foo.com)" } + ); + + // Using a different partitionKey should result in a fetch. 
+ add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithGoodOCSP], + "Noted OCSP server failure (partitionKey = (https,bar.com)) -> a " + + "fetch should have been attempted", + { partitionKey: "(https,bar.com)" } + ); + + // --------------------------------------------------------------------------- + + // Reset state + add_test(function() { + Services.prefs.clearUserPref("privacy.partition.network_state.ocsp_cache"); + clearOCSPCache(); + run_next_test(); + }); + + // This test makes sure that OCSP cache are isolated by partitionKey in + // private mode. + + // A good OCSP response will be cached. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithGoodOCSP], + "No stapled response (partitionKey = (https,foo.com)) -> a fetch " + + "should have been attempted", + { partitionKey: "(https,foo.com)", privateBrowsingId: 1 } + ); + + // The cache will prevent a fetch from happening. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [], + "Noted OCSP server failure (partitionKey = (https,foo.com)) -> a " + + "fetch should not have been attempted", + { partitionKey: "(https,foo.com)", privateBrowsingId: 1 } + ); + + // Using a different partitionKey should result in a fetch. + add_ocsp_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + [respondWithGoodOCSP], + "Noted OCSP server failure (partitionKey = (https,bar.com)) -> a " + + "fetch should have been attempted", + { partitionKey: "(https,bar.com)", privateBrowsingId: 1 } + ); + + // --------------------------------------------------------------------------- + + // Reset state + add_test(function() { + clearOCSPCache(); + run_next_test(); + }); +} diff --git a/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js b/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js new file mode 100644 index 0000000000..ee6af780c8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js 
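Review bot: Several assertion messages in the isolation sections of `add_tests()` describe a state the test is not in, which will mislead whoever triages a failure in the cache-partitioning checks. In the firstPartyDomain, userContextId and partitionKey blocks the second call follows a cached Good response, yet its message starts with "Noted OCSP server failure"; something like `"Cached Good response (firstPartyDomain = foo.com) -> a fetch should not have been attempted"` would match. The "different partitionKey" cases that expect a fetch also say "Noted OCSP server failure" where "No cached response for this partitionKey" is what is being checked. A short comment before the private-mode block stating that `privacy.partition.network_state.ocsp_cache` was deliberately cleared, and that partitioning is still expected there, would document why that block differs from the previous one.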
@@ -0,0 +1,146 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Checks that the security.OCSP.enabled pref correctly controls OCSP fetching
+// behavior.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const SERVER_PORT = 8888;
+
+function certFromFile(filename) {
+ return constructCertFromFile(`test_ev_certs/${filename}.pem`);
+}
+
+function loadCert(certName, trustString) {
+ addCertFromFile(gCertDB, `test_ev_certs/${certName}.pem`, trustString);
+}
+
+function getFailingOCSPResponder() {
+ return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
+}
+
+function getOCSPResponder(expectedCertNames) {
+ return startOCSPResponder(
+ SERVER_PORT,
+ "www.example.com",
+ "test_ev_certs",
+ expectedCertNames,
+ []
+ );
+}
+
+// Tests that in ocspOff mode, OCSP fetches are never done.
+async function testOff() {
+ Services.prefs.setIntPref("security.OCSP.enabled", 0);
+ info("Setting security.OCSP.enabled to 0");
+
+ // EV chains should verify successfully but never get EV status.
+ clearOCSPCache();
+ let ocspResponder = getFailingOCSPResponder();
+ await checkEVStatus(
+ gCertDB,
+ certFromFile("test-oid-path-ee"),
+ certificateUsageSSLServer,
+ false
+ );
+ await stopOCSPResponder(ocspResponder);
+
+ // A DV chain should verify successfully.
+ clearOCSPCache();
+ ocspResponder = getFailingOCSPResponder();
+ await checkCertErrorGeneric(
+ gCertDB,
+ certFromFile("non-ev-root-path-ee"),
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await stopOCSPResponder(ocspResponder);
+}
+
+// Tests that in ocspOn mode, OCSP fetches are done for both EV and DV certs.
+async function testOn() {
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ info("Setting security.OCSP.enabled to 1");
+
+ // If a successful OCSP response is fetched, then an EV chain should verify
+ // successfully and get EV status as well.
+ clearOCSPCache();
+ let ocspResponder = getOCSPResponder(["test-oid-path-ee"]);
+ await checkEVStatus(
+ gCertDB,
+ certFromFile("test-oid-path-ee"),
+ certificateUsageSSLServer,
+ gEVExpected
+ );
+ await stopOCSPResponder(ocspResponder);
+
+ // If a successful OCSP response is fetched, then a DV chain should verify
+ // successfully.
+ clearOCSPCache();
+ ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]);
+ await checkCertErrorGeneric(
+ gCertDB,
+ certFromFile("non-ev-root-path-ee"),
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await stopOCSPResponder(ocspResponder);
+}
+
+// Tests that in ocspEVOnly mode, OCSP fetches are done for EV certs only.
+async function testEVOnly() {
+ Services.prefs.setIntPref("security.OCSP.enabled", 2);
+ info("Setting security.OCSP.enabled to 2");
+
+ // If a successful OCSP response is fetched, then an EV chain should verify
+ // successfully and get EV status as well.
+ clearOCSPCache();
+ let ocspResponder = gEVExpected
+ ? getOCSPResponder(["test-oid-path-ee"])
+ : getFailingOCSPResponder();
+ await checkEVStatus(
+ gCertDB,
+ certFromFile("test-oid-path-ee"),
+ certificateUsageSSLServer,
+ gEVExpected
+ );
+ await stopOCSPResponder(ocspResponder);
+
+ // A DV chain should verify successfully even without doing OCSP fetches.
+ clearOCSPCache();
+ ocspResponder = getFailingOCSPResponder();
+ await checkCertErrorGeneric(
+ gCertDB,
+ certFromFile("non-ev-root-path-ee"),
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer
+ );
+ await stopOCSPResponder(ocspResponder);
+}
+
+add_task(async function() {
+ registerCleanupFunction(() => {
+ Services.prefs.clearUserPref("network.dns.localDomains");
+ Services.prefs.clearUserPref("security.OCSP.enabled");
+ Services.prefs.clearUserPref("security.OCSP.require");
+ });
+ Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+ // Enable hard fail to ensure chains that should only succeed because they get
+ // a good OCSP response do not succeed due to soft fail leniency.
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+
+ loadCert("evroot", "CTu,,");
+ loadCert("test-oid-path-int", ",,");
+ loadCert("non-evroot-ca", "CTu,,");
+ loadCert("non-ev-root-path-int", ",,");
+
+ await testOff();
+ await testOn();
+ await testEVOnly();
+});
diff --git a/security/manager/ssl/tests/unit/test_ocsp_must_staple.js b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
new file mode 100644
index 0000000000..46f6127c50
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
@@ -0,0 +1,160 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Tests OCSP Must Staple handling by connecting to various domains (as faked by
+// a server running locally) that correspond to combinations of whether the
+// extension is present in intermediate and end-entity certificates.
+
+var gExpectOCSPRequest;
+
+function add_ocsp_test(
+ aHost,
+ aExpectedResult,
+ aStaplingEnabled,
+ aExpectOCSPRequest = false,
+ aWithSecurityInfo = undefined
+) {
+ add_connection_test(
+ aHost,
+ aExpectedResult,
+ function() {
+ gExpectOCSPRequest = aExpectOCSPRequest;
+ clearOCSPCache();
+ clearSessionCache();
+ Services.prefs.setBoolPref(
+ "security.ssl.enable_ocsp_stapling",
+ aStaplingEnabled
+ );
+ },
+ aWithSecurityInfo
+ );
+}
+
+function add_tests() {
+ // Next, a case where it's present in the intermediate, not the ee
+ add_ocsp_test(
+ "ocsp-stapling-plain-ee-with-must-staple-int.example.com",
+ MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
+ true
+ );
+
+ // We disable OCSP stapling in the next two tests so we can perform checks
+ // on TLS Features in the chain without needing to support the TLS
+ // extension values used.
+ // Test an issuer with multiple TLS features in matched in the EE
+ add_ocsp_test(
+ "multi-tls-feature-good.example.com",
+ PRErrorCodeSuccess,
+ false
+ );
+
+ // Finally, an issuer with multiple TLS features not matched by the EE.
+ add_ocsp_test(
+ "multi-tls-feature-bad.example.com",
+ MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
+ false
+ );
+
+ // Now a bunch of operations with only a must-staple ee
+ add_ocsp_test(
+ "ocsp-stapling-must-staple.example.com",
+ PRErrorCodeSuccess,
+ true
+ );
+
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-revoked.example.com",
+ SEC_ERROR_REVOKED_CERTIFICATE,
+ true
+ );
+
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-missing.example.com",
+ MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
+ true,
+ true
+ );
+
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-empty.example.com",
+ SEC_ERROR_OCSP_MALFORMED_RESPONSE,
+ true
+ );
+
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-missing.example.com",
+ PRErrorCodeSuccess,
+ false,
+ true
+ );
+
+ // If the stapled response is expired, we will try to fetch a new one.
+ // If that fails, we should report the original error.
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-expired.example.com",
+ SEC_ERROR_OCSP_OLD_RESPONSE,
+ true,
+ true
+ );
+ // Similarly with a "try server later" response.
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-try-later.example.com",
+ SEC_ERROR_OCSP_TRY_SERVER_LATER,
+ true,
+ true
+ );
+ // And again with an invalid OCSP response signing certificate.
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-invalid-signer.example.com",
+ SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+ true,
+ true
+ );
+
+ // check that disabling must-staple works
+ add_test(function() {
+ clearSessionCache();
+ Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", false);
+ run_next_test();
+ });
+
+ add_ocsp_test(
+ "ocsp-stapling-must-staple-missing.example.com",
+ PRErrorCodeSuccess,
+ true,
+ true
+ );
+}
+
+function run_test() {
+ do_get_profile();
+ Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", true);
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ // This test may sometimes fail on android due to an OCSP request timing out.
+ // That aspect of OCSP requests is not what we're testing here, so we can just
+ // bump the timeout and hopefully avoid these failures.
+ Services.prefs.setIntPref("security.OCSP.timeoutMilliseconds.soft", 5000);
+
+ let fakeOCSPResponder = new HttpServer();
+ fakeOCSPResponder.registerPrefixHandler("/", function(request, response) {
+ response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+ ok(
+ gExpectOCSPRequest,
+ "Should be getting an OCSP request only when expected"
+ );
+ });
+ fakeOCSPResponder.start(8888);
+
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+ add_tests();
+
+ add_test(function() {
+ fakeOCSPResponder.stop(run_next_test);
+ });
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js b/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
new file mode 100644
index 0000000000..855ccb15fb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js
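Review bot: The responder handler in `run_test()` only checks the negative direction: `ok(gExpectOCSPRequest, ...)` fails when an unexpected request arrives, but nothing fails when `aExpectOCSPRequest` is true and no request is made at all. If the cases that pass `true` are meant to assert that a fetch really happens (the comments on the expired and try-later cases suggest so), a counter such as `++gOCSPRequestCount;` in the handler, reset in the before-connect callback of `add_ocsp_test` and compared after the connection, would close that gap. Separately, the comments in `add_tests()` open with "Next, a case where..." and use "Finally," for the third case of many, which reads like leftover ordering from an earlier layout. `security.ssl.enable_ocsp_must_staple` is also left at `false` after the last step rather than being cleared.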
@@ -0,0 +1,58 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// Test that if an OCSP request is made to a domain that (erroneously) +// has HSTS status, the request is not upgraded from HTTP to HTTPS. + +function run_test() { + do_get_profile(); + // OCSP required means this test will only pass if the request succeeds. + Services.prefs.setBoolPref("security.OCSP.require", true); + + // We don't actually make use of stapling in this test. This is just how we + // get a TLS connection. + add_tls_server_setup("OCSPStaplingServer", "ocsp_certs"); + + let args = [["good", "default-ee", "unused", 0]]; + let ocspResponses = generateOCSPResponses(args, "ocsp_certs"); + let goodOCSPResponse = ocspResponses[0]; + + let ocspResponder = new HttpServer(); + ocspResponder.registerPrefixHandler("/", function(request, response) { + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "application/ocsp-response"); + response.write(goodOCSPResponse); + }); + ocspResponder.start(8888); + + // ocsp-stapling-none.example.com does not staple an OCSP response in the + // handshake, so the revocation checking code will attempt to fetch one. + // Since the domain of the certificate's OCSP AIA URI is an HSTS host + // (as added in the setup of this test, below), a buggy implementation would + // upgrade the OCSP request to HTTPS. We specifically prevent this. This + // test demonstrates that our implementation is correct in this regard. 
+ add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess); + add_test(function() { + run_next_test(); + }); + + add_test(function() { + ocspResponder.stop(run_next_test); + }); + + let SSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + let uri = Services.io.newURI("http://localhost"); + SSService.processHeader(uri, "max-age=10000"); + ok( + SSService.isSecureURI(uri), + "Domain for the OCSP AIA URI should be considered a HSTS host, otherwise" + + " we wouldn't be testing what we think we're testing" + ); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_ocsp_private_caching.js b/security/manager/ssl/tests/unit/test_ocsp_private_caching.js new file mode 100644 index 0000000000..47b976cf71 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_private_caching.js 
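Review bot: The step `add_test(function() { run_next_test(); });` directly after `add_connection_test(...)` in test_ocsp_no_hsts_upgrade.js does nothing, and no comment says why it is there. If it is a leftover it can be dropped; if it is intentional, a one-line comment saying what it waits for would help. Since the whole test depends on the responder being reached over plain HTTP while `security.OCSP.require` is set, a short comment at the `add_connection_test` call stating that success there is the only evidence of the non-upgrade would also make the assertion easier to find.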
@@ -0,0 +1,115 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// In which we connect to a host and encounter OCSP responses with the
+// Cache-Control header set, which normally Necko would cache. This test
+// ensures that these responses aren't cached. PSM has its own OCSP cache, so
+// Necko shouldn't also be caching them.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+const SERVER_PORT = 8888;
+
+function add_flush_cache() {
+ add_test(() => {
+ // This appears to either fire multiple times or fire once for every
+ // observer that has ever been passed to flush. To prevent multiple calls to
+ // run_next_test, keep track of if this observer has already called it.
+ let observed = false;
+ let observer = {
+ observe: () => {
+ if (!observed) {
+ observed = true;
+ run_next_test();
+ }
+ },
+ };
+ Services.cache2.QueryInterface(Ci.nsICacheTesting).flush(observer);
+ });
+}
+
+function add_ocsp_necko_cache_test(loadContext) {
+ // Pre-testcase cleanup/setup.
+ add_test(() => {
+ Services.cache2.clear();
+ run_next_test();
+ });
+ add_flush_cache();
+
+ let responder;
+ add_test(() => {
+ clearOCSPCache();
+ clearSessionCache();
+ responder = startOCSPResponder(
+ SERVER_PORT,
+ "localhost",
+ "ocsp_certs",
+ ["default-ee"],
+ [],
+ [],
+ [],
+ [["Cache-Control", "max-age=1000"]]
+ );
+ run_next_test();
+ });
+
+ // Prepare a connection that will cause an OCSP request.
+ add_connection_test(
+ "ocsp-stapling-none.example.com",
+ PRErrorCodeSuccess,
+ null,
+ null,
+ null,
+ loadContext.originAttributes
+ );
+
+ add_flush_cache();
+
+ // Traverse the cache and ensure the response was not cached.
+ add_test(() => {
+ let foundEntry = false;
+ let visitor = {
+ onCacheStorageInfo() {},
+ onCacheEntryInfo(
+ aURI,
+ aIdEnhance,
+ aDataSize,
+ aFetchCount,
+ aLastModifiedTime,
+ aExpirationTime,
+ aPinned,
+ aInfo
+ ) {
+ Assert.equal(
+ aURI.spec,
+ "http://localhost:8888/",
+ "expected OCSP request URI should match"
+ );
+ foundEntry = true;
+ },
+ onCacheEntryVisitCompleted() {
+ Assert.ok(!foundEntry, "should not find a cached entry");
+ run_next_test();
+ },
+ QueryInterface: ChromeUtils.generateQI(["nsICacheStorageVisitor"]),
+ };
+ Services.cache2.asyncVisitAllStorages(visitor, true);
+ });
+
+ // Clean up (stop the responder).
+ add_test(() => {
+ responder.stop(run_next_test);
+ });
+}
+
+function run_test() {
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+ add_ocsp_necko_cache_test(Services.loadContextInfo.private);
+ add_ocsp_necko_cache_test(Services.loadContextInfo.default);
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_required.js b/security/manager/ssl/tests/unit/test_ocsp_required.js
new file mode 100644
index 0000000000..17f471d66c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_required.js
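Review bot: The URI check in `onCacheEntryInfo` hard-codes the port that `SERVER_PORT` already defines for `startOCSPResponder`, so changing the constant would leave the assertion describing the wrong responder; `` `http://localhost:${SERVER_PORT}/` `` keeps the two tied together. Because `foundEntry = true` is set for every visited entry, any cache entry at all fails the test, and the `Assert.equal` only labels what leaked. If that is the intent, a comment above the visitor such as `// The cache was cleared above, so any entry here is a failure.` would make it explicit.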
@@ -0,0 +1,95 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// In which we connect to a domain (as faked by a server running locally) and
+// start up an OCSP responder (also basically faked) that gives a response with
+// a bad signature (and later, an empty response). With security.OCSP.require
+// set to true, these connections should fail (but they also shouldn't cause
+// assertion failures).
+
+var gOCSPRequestCount = 0;
+var gOCSPResponse;
+
+function run_test() {
+ do_get_profile();
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+ // We don't actually make use of stapling in this test. This is just how we
+ // get a TLS connection.
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+ let args = [["bad-signature", "default-ee", "unused", 0]];
+ let ocspResponses = generateOCSPResponses(args, "ocsp_certs");
+ // Start by replying with a response with a bad signature.
+ gOCSPResponse = ocspResponses[0];
+
+ let ocspResponder = new HttpServer();
+ ocspResponder.registerPrefixHandler("/", function(request, response) {
+ response.setStatusLine(request.httpVersion, 200, "OK");
+ response.setHeader("Content-Type", "application/ocsp-response");
+ response.write(gOCSPResponse);
+ gOCSPRequestCount++;
+ });
+ ocspResponder.start(8888);
+
+ add_tests();
+
+ add_test(function() {
+ ocspResponder.stop(run_next_test);
+ });
+
+ run_next_test();
+}
+
+function add_tests() {
+ add_connection_test(
+ "ocsp-stapling-none.example.com",
+ SEC_ERROR_OCSP_BAD_SIGNATURE,
+ function() {},
+ function(aTransportSecurityInfo) {
+ Assert.ok(
+ aTransportSecurityInfo.madeOCSPRequests,
+ "An OCSP Request should have been made."
+ );
+ }
+ );
+ add_connection_test(
+ "ocsp-stapling-none.example.com",
+ SEC_ERROR_OCSP_BAD_SIGNATURE,
+ function() {},
+ function(aTransportSecurityInfo) {
+ Assert.ok(
+ !aTransportSecurityInfo.madeOCSPRequests,
+ "An OCSP Request should not have been made."
+ );
+ }
+ );
+ add_test(function() {
+ equal(
+ gOCSPRequestCount,
+ 1,
+ "OCSP request count should be 1 due to OCSP response caching"
+ );
+ gOCSPRequestCount = 0;
+ // Now set the OCSP responder to reply with 200 OK but empty content.
+ gOCSPResponse = "";
+ clearOCSPCache();
+ run_next_test();
+ });
+
+ add_connection_test(
+ "ocsp-stapling-none.example.com",
+ SEC_ERROR_OCSP_MALFORMED_RESPONSE,
+ function() {},
+ function(aTransportSecurityInfo) {
+ Assert.ok(
+ aTransportSecurityInfo.madeOCSPRequests,
+ "An OCSP Request should have been made."
+ );
+ }
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling.js b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
new file mode 100644
index 0000000000..a41610392b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
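Review bot: `gOCSPRequestCount = 0;` in the third step of `add_tests` is never read again, so the empty-response phase checks only `madeOCSPRequests` and not how many fetches the malformed reply triggered. Either drop the reset or end `add_tests` with an `add_test` that asserts the count after the last connection. The expected number needs confirming by a run, since the expired-stapling test added in this same commit notes that a bad cached response can be fetched more than once per validation.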
@@ -0,0 +1,393 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// In which we connect to a number of domains (as faked by a server running +// locally) with and without OCSP stapling enabled to determine that good +// things happen and bad things don't. + +var gExpectOCSPRequest; + +function add_ocsp_test( + aHost, + aExpectedResult, + aStaplingEnabled, + aExpectOCSPRequest = false +) { + add_connection_test(aHost, aExpectedResult, function() { + gExpectOCSPRequest = aExpectOCSPRequest; + clearOCSPCache(); + clearSessionCache(); + Services.prefs.setBoolPref( + "security.ssl.enable_ocsp_stapling", + aStaplingEnabled + ); + }); +} + +function add_tests() { + // In the absence of OCSP stapling, these should actually all work. + add_ocsp_test( + "ocsp-stapling-good.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-revoked.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-good-other-ca.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-malformed.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-srverr.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-trylater.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-needssig.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-unauthorized.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-unknown.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-good-other.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + 
"ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-expired.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-expired-fresh-ca.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-skip-responseBytes.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-critical-extension.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-noncritical-extension.example.com", + PRErrorCodeSuccess, + false, + true + ); + add_ocsp_test( + "ocsp-stapling-empty-extensions.example.com", + PRErrorCodeSuccess, + false, + true + ); + + // Now test OCSP stapling + // The following error codes are defined in security/nss/lib/util/SECerrs.h + + add_ocsp_test("ocsp-stapling-good.example.com", PRErrorCodeSuccess, true); + + add_ocsp_test( + "ocsp-stapling-revoked.example.com", + SEC_ERROR_REVOKED_CERTIFICATE, + true + ); + + // This stapled response is from a CA that is untrusted and did not issue + // the server's certificate. + let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + let otherTestCA = constructCertFromFile("ocsp_certs/other-test-ca.pem"); + add_test(function() { + certDB.setCertTrust( + otherTestCA, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.UNTRUSTED + ); + run_next_test(); + }); + add_ocsp_test( + "ocsp-stapling-good-other-ca.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + true, + true + ); + + // The stapled response is from a CA that is trusted but did not issue the + // server's certificate. + add_test(function() { + certDB.setCertTrust( + otherTestCA, + Ci.nsIX509Cert.CA_CERT, + Ci.nsIX509CertDB.TRUSTED_SSL + ); + run_next_test(); + }); + // TODO(bug 979055): When using ByName instead of ByKey, the error here is + // SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE. We should be testing both cases. 
+ add_ocsp_test( + "ocsp-stapling-good-other-ca.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + true, + true + ); + + // TODO: Test the case where the signing cert can't be found at all, which + // will result in SEC_ERROR_BAD_DATABASE in the NSS classic case. + + add_ocsp_test( + "ocsp-stapling-malformed.example.com", + SEC_ERROR_OCSP_MALFORMED_REQUEST, + true + ); + add_ocsp_test( + "ocsp-stapling-srverr.example.com", + SEC_ERROR_OCSP_SERVER_ERROR, + true + ); + add_ocsp_test( + "ocsp-stapling-trylater.example.com", + SEC_ERROR_OCSP_TRY_SERVER_LATER, + true, + true + ); + add_ocsp_test( + "ocsp-stapling-needssig.example.com", + SEC_ERROR_OCSP_REQUEST_NEEDS_SIG, + true + ); + add_ocsp_test( + "ocsp-stapling-unauthorized.example.com", + SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST, + true + ); + add_ocsp_test( + "ocsp-stapling-unknown.example.com", + SEC_ERROR_OCSP_UNKNOWN_CERT, + true + ); + add_ocsp_test( + "ocsp-stapling-good-other.example.com", + MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING, + true + ); + // If the server doesn't staple an OCSP response, we continue as normal + // (this means that even though stapling is enabled, we expect an OCSP + // request). 
+ add_connection_test( + "ocsp-stapling-none.example.com", + PRErrorCodeSuccess, + function() { + gExpectOCSPRequest = true; + clearOCSPCache(); + clearSessionCache(); + Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true); + } + ); + add_ocsp_test( + "ocsp-stapling-empty.example.com", + SEC_ERROR_OCSP_MALFORMED_RESPONSE, + true + ); + + add_ocsp_test( + "ocsp-stapling-skip-responseBytes.example.com", + SEC_ERROR_OCSP_MALFORMED_RESPONSE, + true + ); + + add_ocsp_test( + "ocsp-stapling-critical-extension.example.com", + SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION, + true + ); + add_ocsp_test( + "ocsp-stapling-noncritical-extension.example.com", + PRErrorCodeSuccess, + true + ); + // TODO(bug 997994): Disallow empty Extensions in responses + add_ocsp_test( + "ocsp-stapling-empty-extensions.example.com", + PRErrorCodeSuccess, + true + ); + + add_ocsp_test( + "ocsp-stapling-delegated-included.example.com", + PRErrorCodeSuccess, + true + ); + add_ocsp_test( + "ocsp-stapling-delegated-included-last.example.com", + PRErrorCodeSuccess, + true + ); + add_ocsp_test( + "ocsp-stapling-delegated-missing.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + true, + true + ); + add_ocsp_test( + "ocsp-stapling-delegated-missing-multiple.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + true, + true + ); + add_ocsp_test( + "ocsp-stapling-delegated-no-extKeyUsage.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + true, + true + ); + add_ocsp_test( + "ocsp-stapling-delegated-from-intermediate.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + true, + true + ); + add_ocsp_test( + "ocsp-stapling-delegated-keyUsage-crlSigning.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + true, + true + ); + add_ocsp_test( + "ocsp-stapling-delegated-wrong-extKeyUsage.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + true, + true + ); + + // ocsp-stapling-expired.example.com and + // ocsp-stapling-expired-fresh-ca.example.com are handled in + // 
test_ocsp_stapling_expired.js + + // Check that OCSP responder certificates with key sizes below 1024 bits are + // rejected, even when the main certificate chain keys are at least 1024 bits. + add_ocsp_test( + "keysize-ocsp-delegated.example.com", + SEC_ERROR_OCSP_INVALID_SIGNING_CERT, + true, + true + ); + + add_ocsp_test( + "revoked-ca-cert-used-as-end-entity.example.com", + SEC_ERROR_REVOKED_CERTIFICATE, + true + ); +} + +function check_ocsp_stapling_telemetry() { + let histogram = Services.telemetry + .getHistogramById("SSL_OCSP_STAPLING") + .snapshot(); + equal( + histogram.values[0], + 0, + "Should have 0 connections for unused histogram bucket 0" + ); + equal( + histogram.values[1], + 5, + "Actual and expected connections with a good response should match" + ); + equal( + histogram.values[2], + 18, + "Actual and expected connections with no stapled response should match" + ); + equal( + histogram.values[3] || 0, + 0, + "Actual and expected connections with an expired response should match" + ); + equal( + histogram.values[4], + 21, + "Actual and expected connections with bad responses should match" + ); + run_next_test(); +} + +function run_test() { + do_get_profile(); + Services.prefs.setIntPref("security.OCSP.enabled", 1); + // This test may sometimes fail on android due to an OCSP request timing out. + // That aspect of OCSP requests is not what we're testing here, so we can just + // bump the timeout and hopefully avoid these failures. 
+ Services.prefs.setIntPref("security.OCSP.timeoutMilliseconds.soft", 5000); + + let fakeOCSPResponder = new HttpServer(); + fakeOCSPResponder.registerPrefixHandler("/", function(request, response) { + response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); + ok( + gExpectOCSPRequest, + "Should be getting an OCSP request only when expected" + ); + }); + fakeOCSPResponder.start(8888); + + add_tls_server_setup("OCSPStaplingServer", "ocsp_certs"); + + add_tests(); + + add_test(function() { + fakeOCSPResponder.stop(check_ocsp_stapling_telemetry); + }); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js new file mode 100644 index 0000000000..d7ee169011 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js 
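Review bot: The responder handler in `run_test` only proves that no unexpected OCSP request arrives; when `aExpectOCSPRequest` is true, nothing checks that a request was actually made. Since the responder always answers 500, the expected result codes look the same whether or not the fallback fetch happens, so a regression that skips the fetch would presumably still pass. Counting requests in the handler and checking the count in the post-connection callback of `add_connection_test` closes that gap; whether every `true` case makes at least one request should be confirmed by a run. Separately, the direct `add_connection_test` call for `ocsp-stapling-none.example.com` with stapling enabled repeats what `add_ocsp_test(host, PRErrorCodeSuccess, true, true)` already does.

```javascript
var gOCSPRequestCount = 0;

// … unchanged: add_ocsp_test signature …
  add_connection_test(
    aHost,
    aExpectedResult,
    function() {
      gOCSPRequestCount = 0;
      // … unchanged: set gExpectOCSPRequest, clear caches, set stapling pref …
    },
    function() {
      if (aExpectOCSPRequest) {
        ok(gOCSPRequestCount > 0, "Expected OCSP request should have been made");
      }
    }
  );

// … in run_test's prefix handler, beside the existing ok(gExpectOCSPRequest, …) …
    gOCSPRequestCount++;
```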
@@ -0,0 +1,317 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// In which we connect to a number of domains (as faked by a server running +// locally) with OCSP stapling enabled to determine that good things happen +// and bad things don't, specifically with respect to various expired OCSP +// responses (stapled and otherwise). +// According to RFC 6066, if a stapled OCSP response can't be satisfactorilly +// verified, the client should terminate the connection. Unfortunately, due to +// some bugs where servers will staple any old garbage without verifying it, we +// can't be this strict in practice. Originally this caveat only applied to +// expired responses, but recent high-profile failures have caused us to expand +// this to "try later" responses and responses where the signing certificate +// doesn't verify successfully. + +var gCurrentOCSPResponse = null; +var gOCSPRequestCount = 0; + +function add_ocsp_test( + aHost, + aExpectedResult, + aOCSPResponseToServe, + aExpectedRequestCount +) { + add_connection_test( + aHost, + aExpectedResult, + function() { + clearOCSPCache(); + clearSessionCache(); + gCurrentOCSPResponse = aOCSPResponseToServe; + gOCSPRequestCount = 0; + }, + function() { + equal( + gOCSPRequestCount, + aExpectedRequestCount, + "Should have made " + + aExpectedRequestCount + + " fallback OCSP request" + + (aExpectedRequestCount == 1 ? "" : "s") + ); + } + ); +} + +do_get_profile(); +Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true); +Services.prefs.setIntPref("security.OCSP.enabled", 1); +// Sometimes this test will fail on android due to an OCSP request timing out. 
+// That aspect of OCSP requests is not what we're testing here, so we can just +// bump the timeout and hopefully avoid these failures. +Services.prefs.setIntPref("security.OCSP.timeoutMilliseconds.soft", 5000); +var args = [ + ["good", "default-ee", "unused", 0], + ["expiredresponse", "default-ee", "unused", 0], + ["oldvalidperiod", "default-ee", "unused", 0], + ["revoked", "default-ee", "unused", 0], + ["unknown", "default-ee", "unused", 0], + ["good", "must-staple-ee", "unused", 0], +]; +var ocspResponses = generateOCSPResponses(args, "ocsp_certs"); +// Fresh response, certificate is good. +var ocspResponseGood = ocspResponses[0]; +// Expired response, certificate is good. +var expiredOCSPResponseGood = ocspResponses[1]; +// Fresh signature, old validity period, certificate is good. +var oldValidityPeriodOCSPResponseGood = ocspResponses[2]; +// Fresh signature, certificate is revoked. +var ocspResponseRevoked = ocspResponses[3]; +// Fresh signature, certificate is unknown. +var ocspResponseUnknown = ocspResponses[4]; +var ocspResponseGoodMustStaple = ocspResponses[5]; + +// sometimes we expect a result without re-fetch +var willNotRetry = 1; +// but sometimes, since a bad response is in the cache, OCSP fetch will be +// attempted for each validation - in practice, for these test certs, this +// means 2 requests because various key sizes are tried. 
+var willRetry = 2; + +function run_test() { + let ocspResponder = new HttpServer(); + ocspResponder.registerPrefixHandler("/", function(request, response) { + if (gCurrentOCSPResponse) { + response.setStatusLine(request.httpVersion, 200, "OK"); + response.setHeader("Content-Type", "application/ocsp-response"); + response.write(gCurrentOCSPResponse); + } else { + response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); + response.write("Internal Server Error"); + } + gOCSPRequestCount++; + }); + ocspResponder.start(8888); + add_tls_server_setup("OCSPStaplingServer", "ocsp_certs"); + + // In these tests, the OCSP stapling server gives us a stapled + // response based on the host name ("ocsp-stapling-expired" or + // "ocsp-stapling-expired-fresh-ca"). We then ensure that we're + // properly falling back to fetching revocation information. + // For ocsp-stapling-expired.example.com, the OCSP stapling server + // staples an expired OCSP response. The certificate has not expired. + // For ocsp-stapling-expired-fresh-ca.example.com, the OCSP stapling + // server staples an OCSP response with a recent signature but with an + // out-of-date validity period. The certificate has not expired. + add_ocsp_test( + "ocsp-stapling-expired.example.com", + PRErrorCodeSuccess, + ocspResponseGood, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-expired-fresh-ca.example.com", + PRErrorCodeSuccess, + ocspResponseGood, + willNotRetry + ); + // if we can't fetch a more recent response when + // given an expired stapled response, we terminate the connection. 
+ add_ocsp_test( + "ocsp-stapling-expired.example.com", + SEC_ERROR_OCSP_OLD_RESPONSE, + expiredOCSPResponseGood, + willRetry + ); + add_ocsp_test( + "ocsp-stapling-expired-fresh-ca.example.com", + SEC_ERROR_OCSP_OLD_RESPONSE, + expiredOCSPResponseGood, + willRetry + ); + add_ocsp_test( + "ocsp-stapling-expired.example.com", + SEC_ERROR_OCSP_OLD_RESPONSE, + oldValidityPeriodOCSPResponseGood, + willRetry + ); + add_ocsp_test( + "ocsp-stapling-expired-fresh-ca.example.com", + SEC_ERROR_OCSP_OLD_RESPONSE, + oldValidityPeriodOCSPResponseGood, + willRetry + ); + add_ocsp_test( + "ocsp-stapling-expired.example.com", + SEC_ERROR_OCSP_OLD_RESPONSE, + null, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-expired.example.com", + SEC_ERROR_OCSP_OLD_RESPONSE, + null, + willNotRetry + ); + // Of course, if the newer response indicates Revoked or Unknown, + // that status must be returned. + add_ocsp_test( + "ocsp-stapling-expired.example.com", + SEC_ERROR_REVOKED_CERTIFICATE, + ocspResponseRevoked, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-expired-fresh-ca.example.com", + SEC_ERROR_REVOKED_CERTIFICATE, + ocspResponseRevoked, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-expired.example.com", + SEC_ERROR_OCSP_UNKNOWN_CERT, + ocspResponseUnknown, + willRetry + ); + add_ocsp_test( + "ocsp-stapling-expired-fresh-ca.example.com", + SEC_ERROR_OCSP_UNKNOWN_CERT, + ocspResponseUnknown, + willRetry + ); + + // If the response is expired but indicates Revoked or Unknown and a + // newer status can't be fetched, the Revoked or Unknown status will + // be returned. 
+ add_ocsp_test( + "ocsp-stapling-revoked-old.example.com", + SEC_ERROR_REVOKED_CERTIFICATE, + null, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-unknown-old.example.com", + SEC_ERROR_OCSP_UNKNOWN_CERT, + null, + willNotRetry + ); + // If the response is expired but indicates Revoked or Unknown and + // a newer status can be fetched and successfully verified, this + // should result in a successful certificate verification. + add_ocsp_test( + "ocsp-stapling-revoked-old.example.com", + PRErrorCodeSuccess, + ocspResponseGood, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-unknown-old.example.com", + PRErrorCodeSuccess, + ocspResponseGood, + willNotRetry + ); + // If a newer status can be fetched but it fails to verify, the + // Revoked or Unknown status of the expired stapled response + // should be returned. + add_ocsp_test( + "ocsp-stapling-revoked-old.example.com", + SEC_ERROR_REVOKED_CERTIFICATE, + expiredOCSPResponseGood, + willRetry + ); + add_ocsp_test( + "ocsp-stapling-unknown-old.example.com", + SEC_ERROR_OCSP_UNKNOWN_CERT, + expiredOCSPResponseGood, + willRetry + ); + + // These tests are verifying that an valid but very old response + // is rejected as a valid stapled response, requiring a fetch + // from the ocsp responder. + add_ocsp_test( + "ocsp-stapling-ancient-valid.example.com", + PRErrorCodeSuccess, + ocspResponseGood, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-ancient-valid.example.com", + SEC_ERROR_REVOKED_CERTIFICATE, + ocspResponseRevoked, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-ancient-valid.example.com", + SEC_ERROR_OCSP_UNKNOWN_CERT, + ocspResponseUnknown, + willRetry + ); + + // Test how OCSP-must-staple (i.e. TLS feature) interacts with stapled OCSP + // responses that don't successfully verify. 
+ // A strict reading of the relevant RFCs might say that these connections + // should all fail because a satisfactory stapled OCSP response is not + // present, but for compatibility reasons we fall back to active OCSP fetching + // in these situations. If the fetch succeeds, then connection succeeds. + add_ocsp_test( + "ocsp-stapling-must-staple-expired.example.com", + PRErrorCodeSuccess, + ocspResponseGoodMustStaple, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-must-staple-try-later.example.com", + PRErrorCodeSuccess, + ocspResponseGoodMustStaple, + willNotRetry + ); + add_ocsp_test( + "ocsp-stapling-must-staple-invalid-signer.example.com", + PRErrorCodeSuccess, + ocspResponseGoodMustStaple, + willNotRetry + ); + + add_test(function() { + ocspResponder.stop(run_next_test); + }); + add_test(check_ocsp_stapling_telemetry); + run_next_test(); +} + +function check_ocsp_stapling_telemetry() { + let histogram = Services.telemetry + .getHistogramById("SSL_OCSP_STAPLING") + .snapshot(); + equal( + histogram.values[0] || 0, + 0, + "Should have 0 connections for unused histogram bucket 0" + ); + equal( + histogram.values[1] || 0, + 0, + "Actual and expected connections with a good response should match" + ); + equal( + histogram.values[2] || 0, + 0, + "Actual and expected connections with no stapled response should match" + ); + equal( + histogram.values[3], + 22, + "Actual and expected connections with an expired response should match" + ); + equal( + histogram.values[4], + 2, + "Actual and expected connections with bad responses should match" + ); + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js new file mode 100644 index 0000000000..4fc8013ea9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js 
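Review bot: The two consecutive `add_ocsp_test("ocsp-stapling-expired.example.com", SEC_ERROR_OCSP_OLD_RESPONSE, null, willNotRetry)` calls in `run_test` are identical, while every neighbouring pair alternates between the `-expired` and `-expired-fresh-ca` hosts. The second call was presumably meant to use `"ocsp-stapling-expired-fresh-ca.example.com",`. As written, the responder-unavailable case for the fresh-signature, old-validity staple is not covered. The expected total of 22 in `check_ocsp_stapling_telemetry` should be re-checked after the change; it may be unaffected if both hosts land in the expired bucket.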
@@ -0,0 +1,48 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// In which we connect to a server that staples an OCSP response for a
+// certificate signed by an intermediate that has an OCSP AIA to ensure
+// that an OCSP request is not made for the intermediate.
+
+var gOCSPRequestCount = 0;
+
+function add_ocsp_test(aHost, aExpectedResult) {
+ add_connection_test(aHost, aExpectedResult, function() {
+ clearOCSPCache();
+ clearSessionCache();
+ });
+}
+
+function run_test() {
+ do_get_profile();
+ Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+
+ let ocspResponder = new HttpServer();
+ ocspResponder.registerPrefixHandler("/", function(request, response) {
+ gOCSPRequestCount++;
+ response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+ let body = "Refusing to return a response";
+ response.bodyOutputStream.write(body, body.length);
+ });
+ ocspResponder.start(8888);
+
+ add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+ add_ocsp_test(
+ "ocsp-stapling-with-intermediate.example.com",
+ PRErrorCodeSuccess
+ );
+
+ add_test(function() {
+ ocspResponder.stop(run_next_test);
+ });
+ add_test(function() {
+ equal(gOCSPRequestCount, 0, "No OCSP requests should have been made");
+ run_next_test();
+ });
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/test_ocsp_timeout.js b/security/manager/ssl/tests/unit/test_ocsp_timeout.js
new file mode 100644
index 0000000000..e06f064d04
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_timeout.js
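Review bot: `run_test` sets `security.ssl.enable_ocsp_stapling` but, unlike the sibling OCSP tests in this commit, never sets `security.OCSP.enabled`, so the zero-request assertion depends on whatever the default is. If OCSP fetching were off by default on some platform, `equal(gOCSPRequestCount, 0, …)` would pass without exercising the intermediate path at all. Adding `Services.prefs.setIntPref("security.OCSP.enabled", 1);` next to the stapling pref makes the precondition explicit.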
@@ -0,0 +1,100 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// This test connects to ocsp-stapling-none.example.com to test that OCSP +// requests are cancelled if they're taking too long. +// ocsp-stapling-none.example.com doesn't staple an OCSP response, so +// connecting to it will cause a request to the OCSP responder. As with all of +// these tests, the OCSP AIA (i.e. the url of the responder) in the certificate +// is http://localhost:8888. Since this test opens a TCP socket listening on +// port 8888 that just accepts connections and then ignores them (with +// connect/read/write timeouts of 30 seconds), the OCSP requests should cancel +// themselves. When OCSP hard-fail is enabled, connections will be terminated. +// Otherwise, they will succeed. + +var gSocketListener = { + onSocketAccepted(serverSocket, socketTransport) { + socketTransport.setTimeout(Ci.nsISocketTransport.TIMEOUT_CONNECT, 30); + socketTransport.setTimeout(Ci.nsISocketTransport.TIMEOUT_READ_WRITE, 30); + }, + + onStopListening(serverSocket, status) {}, +}; + +function run_test() { + do_get_profile(); + Services.prefs.setIntPref("security.OCSP.enabled", 1); + + add_tls_server_setup("OCSPStaplingServer", "ocsp_certs"); + + let socket = Cc["@mozilla.org/network/server-socket;1"].createInstance( + Ci.nsIServerSocket + ); + socket.init(8888, true, -1); + socket.asyncListen(gSocketListener); + + add_one_test(false, "security.OCSP.timeoutMilliseconds.soft", 1000); + add_one_test(false, "security.OCSP.timeoutMilliseconds.soft", 2000); + add_one_test(false, "security.OCSP.timeoutMilliseconds.soft", 4000); + + add_one_test(true, "security.OCSP.timeoutMilliseconds.hard", 3000); + add_one_test(true, "security.OCSP.timeoutMilliseconds.hard", 10000); + add_one_test(true, 
"security.OCSP.timeoutMilliseconds.hard", 15000); + + add_test(function() { + socket.close(); + run_next_test(); + }); + run_next_test(); +} + +function add_one_test(useHardFail, timeoutPrefName, timeoutMilliseconds) { + let startTime; + add_test(function() { + Services.prefs.setBoolPref("security.OCSP.require", useHardFail); + Services.prefs.setIntPref(timeoutPrefName, timeoutMilliseconds); + startTime = new Date(); + run_next_test(); + }); + + add_connection_test( + "ocsp-stapling-none.example.com", + useHardFail ? SEC_ERROR_OCSP_SERVER_ERROR : PRErrorCodeSuccess, + clearSessionCache + ); + + add_test(function() { + let endTime = new Date(); + let timeDifference = endTime - startTime; + info(`useHardFail = ${useHardFail}`); + info(`startTime = ${startTime.getTime()} (${startTime})`); + info(`endTime = ${endTime.getTime()} (${endTime})`); + info(`timeDifference = ${timeDifference}ms`); + // Date() is not guaranteed to be monotonic, so add extra fuzz time to + // prevent intermittent failures (this only appeared to be a problem on + // Windows XP). See Bug 1121117. + const FUZZ_MS = 300; + ok( + timeDifference + FUZZ_MS > timeoutMilliseconds, + `OCSP timeout should be ~${timeoutMilliseconds}s for ` + + `${useHardFail ? "hard" : "soft"}-fail` + ); + // Make sure we didn't wait too long. + // (Unfortunately, we probably can't have a tight upper bound on + // how long is too long for this test, because we might be running + // on slow hardware.) + ok( + timeDifference < 60000, + "Automatic OCSP timeout shouldn't be more than 60s" + ); + + // Reset state + clearOCSPCache(); + Services.prefs.clearUserPref("security.OCSP.require"); + Services.prefs.clearUserPref(timeoutPrefName); + run_next_test(); + }); +} diff --git a/security/manager/ssl/tests/unit/test_ocsp_url.js b/security/manager/ssl/tests/unit/test_ocsp_url.js new file mode 100644 index 0000000000..b26d74b3b3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url.js 
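Review bot: The lower-bound assertion message in `add_one_test` prints `~${timeoutMilliseconds}s`, but the value is in milliseconds, so a failure would read as "~1000s"; it should be `` `OCSP timeout should be ~${timeoutMilliseconds}ms for ` ``. The 60000 ms upper bound is also above the 30-second socket timeouts set in `gSocketListener`. A connection that ended only because the socket timed out would therefore presumably still satisfy it. A comment next to that check saying it is a sanity bound and not proof that the OCSP timer fired would avoid over-reading the test.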
@@ -0,0 +1,122 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// In which we try to validate several ocsp responses, checking in particular
+// if the ocsp url is valid and the path expressed is correctly passed to
+// the caller.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const SERVER_PORT = 8888;
+
+function failingOCSPResponder() {
+ return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
+}
+
+function start_ocsp_responder(expectedCertNames, expectedPaths) {
+ return startOCSPResponder(
+ SERVER_PORT,
+ "www.example.com",
+ "test_ocsp_url",
+ expectedCertNames,
+ expectedPaths
+ );
+}
+
+function check_cert_err(cert_name, expected_error) {
+ let cert = constructCertFromFile("test_ocsp_url/" + cert_name + ".pem");
+ return checkCertErrorGeneric(
+ certdb,
+ cert,
+ expected_error,
+ certificateUsageSSLServer
+ );
+}
+
+add_task(async function() {
+ addCertFromFile(certdb, "test_ocsp_url/ca.pem", "CTu,CTu,CTu");
+ addCertFromFile(certdb, "test_ocsp_url/int.pem", ",,");
+
+ // Enabled so that we can force ocsp failure responses.
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+
+ Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+ // Note: We don't test the case of a well-formed HTTP URL with an empty port
+ // because the OCSP code would then send a request to port 80, which we
+ // can't use in tests.
+
+ clearOCSPCache();
+ let ocspResponder = failingOCSPResponder();
+ await check_cert_err("bad-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("ftp-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = start_ocsp_responder(["hTTp-url"], ["hTTp-url"]);
+ await check_cert_err("hTTp-url", PRErrorCodeSuccess);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("no-host-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = start_ocsp_responder(["no-path-url"], [""]);
+ await check_cert_err("no-path-url", PRErrorCodeSuccess);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err(
+ "no-scheme-host-port",
+ SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+ );
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
+
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await
stopOCSPResponder(ocspResponder); + + // Note: We currently don't have anything that ensures user:pass sections + // weren't sent. The following test simply checks that such sections + // don't cause failures. + clearOCSPCache(); + ocspResponder = start_ocsp_responder(["user-pass"], [""]); + await check_cert_err("user-pass", PRErrorCodeSuccess); + await stopOCSPResponder(ocspResponder); +}); diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem new file mode 100644 index 0000000000..4d31ad30e2 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5jCCAc6gAwIBAgIUcxiMVENAraxc4sbSRTxsifEGHjQwDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw +MDAwMDBaMBUxEzARBgNVBAMMCmJhZC1zY2hlbWUwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HH +Jajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOr +IMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQ +sVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLA +dTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQE +LL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjMTAvMC0GCCsGAQUF +BwEBBCEwHzAdBggrBgEFBQcwAYYRL3d3dy5leGFtcGxlLmNvbS8wDQYJKoZIhvcN +AQELBQADggEBADf/rIlagOSOthTQAOg21ESO5SKZuH/hOQkdagoSupiui6BX2E8d +1wMoZPGGOQBwEo8XT3ak+0ANlznoFLCvac4UQlLEiN6TR5ODJTep/8vTMDxBguRd +WoCIHtFFpcs8HGWvyZtoh+pr8UH38Csw9g8mqX3L6g5QcpDUIfVhPEOSK46HapVM +15BBqYsOpM5B0Yd+7AiIhiZZiNRojPxSN8DT55J+sRGiXunzP4BV2GwOI2ldjRJ5 +yJYJfUF4D+hmM37/QsLocV3AnWzSegY8xc372bkaHc3jOgo+9DJPliOOhrWNLEDk +1cM5IXNP+fQxkCCm6VMO5dUx/mM2OXPVldc= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec new file mode 100644 index 0000000000..12cc072792 --- /dev/null 
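Review bot: The closing `user-pass` case of the add_task body in test_ocsp_url.js only proves that an AIA URL carrying a userinfo component does not break validation; as the comment above it admits, nothing checks that `user:pass` stays off the wire. The responder is started with an expected path of `""` and no other expectation, so a regression that forwarded the credentials (for example in an `Authorization` header) would still pass this test. The responder helper is defined outside this hunk, so whether it exposes the incoming request is not visible here; if it does, assert that the header is absent. Otherwise, record the gap at the call site with `// TODO: assert the request carries no Authorization header (userinfo must not be sent)`.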
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/bad-scheme.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:bad-scheme +extension:authorityInformationAccess:/www.example.com/ diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem new file mode 100644 index 0000000000..54b436cdab --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIUbd6irDfViDg0hGYGrBFpSOiAgmswDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowDTELMAkGA1UEAwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYD +VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBa/UJSVAkS4R5UUprUZ+VETh+G +TbLf+xbhyhpXn39i7Rk0/U7IelYJN3qalF3eIL7ab4qij3jWLrdOJz1ERkxVWXeX +a9rjQC7nQQqnOrdcEPvq297cHuwtKb+jTTKDI4ATy7UVeE3DDW6VWewmAz8VA7FH +SxAwdLWgqKzAqLEhhrg6l0JtpDmCfoBZ5yVA9gPdcSouaQ+6WnL0TFmNtriZPZI5 +Sq7Ua1aM1X/Ca3kQLo1DD06lgR7bJbjH+2j0uRYbB7NeB5aeYYnnxRdXcbXtM2Wl +dPg/8WETAK3hjbaY0Xq5UFP9tLkLbq3a1lew5BEz9xFz7P+offg8hSAONOZu +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem.certspec new file mode 100644 index 0000000000..d809dbd635 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/ca.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:ca +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign 
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem new file mode 100644 index 0000000000..9e014e046a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8zCCAdugAwIBAgIUfXZLX886ys6oYF2hFTD113w25vIwDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw +MDAwMDBaMBsxGTAXBgNVBAMMEGVtcHR5LXNjaGVtZS11cmwwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVo +V2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p +0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKk +fbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZh +W7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EI +TjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjODA2MDQG +CCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYOi8vd3d3LmV4YW1wbGUuY29tOjg4 +ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQB/FqFwqO/trl/aSBpjWE9+jPLtnJOUxWRt +J0lx/7SREoxDlltp+qrDcpKgA4uEz2xeo/AVHpcEd8V1mjFJhiFCQR3IGuCIkBtX +/fanzlYl49XTtGDHmVZOOgok3Q3NwV+qwv/Qah/PzL7C2z8QD9UDDSu5jeGUC5vP +wSe8pr+LFMSB4Koe13biFiHZ2rerLuRrHXPCwlHytFXr6MeZyk8DrjBpQ4Qa0I6P +tMXFRLIXm30dKxKZefY4Cxqce2M5iUhTJQ7AH6NDtV7SClbi8Px7yFeIAIBcGTbQ +HauxBJ189pnzGpMTAZ7dheZW/tK++MCzu+oy1tGbjWEeSpFFD+92 +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem.certspec new file mode 100644 index 0000000000..e8959653f3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/empty-scheme-url.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:empty-scheme-url +extension:authorityInformationAccess:://www.example.com:8888/ 
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem new file mode 100644 index 0000000000..0e76de6922 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7TCCAdWgAwIBAgIUP6gYyih9vcQFEmw6jInzA0Lcx5owDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw +MDAwMDBaMBIxEDAOBgNVBAMMB2Z0cC11cmwwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg +2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ +5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQ +PdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGj +DJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8W +iy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOzA5MDcGCCsGAQUFBwEB +BCswKTAnBggrBgEFBQcwAYYbZnRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvMA0G +CSqGSIb3DQEBCwUAA4IBAQB8Ts6atwiom8QSkIVDayT7fMWo6Qu0M/Uhd60/M8cI +it4KBFBN1IimF8768ZmX/CPx0BaUopC5aOnkrZ69bJYrVao8nZ4Iv46IY1S1Xroa +ty+lej25NkVKVJe6Vlc73rbt36nc9xW8hl/mXV63tXmbm7SXUIWOiYuZIa4HwmGw +FkDexshf5QFoe8FfMix1ZiVj8oKr2Ah5Tpmc8oHOI1CfbKK4OACvA3zWSrfNRUL3 +QysUc8a5ivjRXNAerBdCUsCD0AGqxNKMKksAehaGw7QoH0lpsV0nhnB7sAfo3g23 +azcOr1kugLtYVU9zLjqXHXp85WQQNW6u7jjN7rZ7O27V +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem.certspec new file mode 100644 index 0000000000..9f50a7d792 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/ftp-url.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:ftp-url +extension:authorityInformationAccess:ftp://www.example.com:8888/ diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem new file mode 100644 index 0000000000..0e9765db26 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC9zCCAd+gAwIBAgIUPyIl+CW63MemORS1mNNtzeYU1PYwDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw +MDAwMDBaMBMxETAPBgNVBAMMCGhUVHAtdXJsMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo +4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDD +SeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFX +kD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUx +owyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/ +Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo0QwQjBABggrBgEFBQcB +AQQ0MDIwMAYIKwYBBQUHMAGGJGhUVHA6Ly93d3cuZXhhbXBsZS5jb206ODg4OC9o +VFRwLXVybDANBgkqhkiG9w0BAQsFAAOCAQEATB54EtpZ1EK2bz1gy9khuT9HJHqZ +UvBlzz3wto/NXvq9Cd79bW93sydmKiNveiVrGuYJG5WX3VdxzHBlcTzpm+9ObsgH +FRLu5KP4fLRhL49dix48k9Gl5VBgZfZSjjzpb/tpPjUvPnE2UPtDa8kC1Is9xN4m +bL6hbwVpcusFBiRQWq37tzCCV1oce0S/MvvEMinnp6daLwI3BYAcmWexq0JdpRV+ +ixu3IL0chOIjM4W2Zv0WHPXtz0q9/rU7HbJ9X7k3e7lYmoU297tM5r3MKw2T8D/h +9McUjgTMwqdcoUUM8iwCphbjmFO3yPLILiAMdXV/4OvhognLpL6wViD+Kw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem.certspec new file mode 100644 index 0000000000..10b1504b29 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/hTTp-url.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:hTTp-url +extension:authorityInformationAccess:hTTp://www.example.com:8888/hTTp-url diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem new file mode 100644 index 0000000000..233c7dbbb4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+jCCAeKgAwIBAgIUcYnrnPrivVifCZHI3B1RI9yhpcUwDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw +MDAwMDBaMBQxEjAQBgNVBAMMCWh0dHBzLXVybDCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNGMEQwQgYIKwYBBQUH +AQEENjA0MDIGCCsGAQUFBzABhiZodHRwczovL3d3dy5leGFtcGxlLmNvbTo4ODg4 +L2h0dHBzLXVybDANBgkqhkiG9w0BAQsFAAOCAQEAjx5EcBAumCFK8/lj8vr6N88i +G6vq8vkUMFXjlqrxw4ODbajVVFnGBIfzG7usDajQr2f3Rvl6huLm1P4ljLfHwu60 +d7uJKExnjTXzxEjC6mrupOG8t3VvIjv4C9MgaD6P4I96opG0V1V22YDC+fHuRZgb +7I0+9EwUqrM3BqBSob3AFkcl7oyjIovG/KU26GlMbtLBbt1F6UpI5DAiOsb/UfY9 +bhEevyv7L9Sn07CYRbLFXUy47D5MhJk9XLZJQmgalnAtWxK6G+i8Y6s9DDDz6g0n +AYiRmOQydYgVMt8+h5KYzOnNO/vES41ATBgGPrp5J0LAxNvofme02+nU0sFQPw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem.certspec new file mode 100644 index 0000000000..891005bf5c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/https-url.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:https-url +extension:authorityInformationAccess:https://www.example.com:8888/https-url diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.key b/security/manager/ssl/tests/unit/test_ocsp_url/int.key new file mode 100644 index 0000000000..09e044f5e0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.key.keyspec b/security/manager/ssl/tests/unit/test_ocsp_url/int.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.pem b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem new file mode 100644 index 0000000000..f12ebf91fd --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyjCCAbKgAwIBAgIUS7UFd8kviZT6AzkUw+zBza2WxxcwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEAwwCY2EwIhgPMjAyMTExMjcwMDAwMDBaGA8yMDI0MDIwNTAw +MDAwMFowDjEMMAoGA1UEAwwDaW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGc +BptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzC +a2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8Xg +uEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK +9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGP +mRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAMBgNVHRMEBTADAQH/MAsG +A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAXr6DXGOqX+xkzyNm1YZc+wtm +6yFQo2jgeCMxgOv4j07wEEgGPP4adgyHjAhqTtYNbdBCuPtEbMInVRHdJooWNGk7 +MeoyTmJLlEJlnzVHdCUDi0mb+E7w2vVWNeirXnUSBN8qStok8vNoHJDT7pX3QEQs +zRRNHw5qs/xxZKxzxeBiljYlh1d1zVgqNWTx9LP5IOEKOQ9OzxpzsCpJtPZRxh/d +gip6TZT9srCndY2jCFUEYdSFRWOjsb6ni9TGC2o4SUxxJvC8jmrLjgGqPGNdTMiX +DOxuAjt1gue4kqK6r6nMqxOZ04TEe0c/M5+hF4dhQaxqga6vvGBl0oF2QMxXGA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/int.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem.certspec new file mode 100644 index 0000000000..a7f6d81419 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/int.pem.certspec @@ -0,0 +1,4 @@ +issuer:ca +subject:int +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem new file mode 100644 index 0000000000..07b3eece77 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8jCCAdqgAwIBAgIUI+NlsiPCC51FapO6j10d1zhvVkYwDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw +MDAwMDBaMBgxFjAUBgNVBAMMDW5lZ2F0aXZlLXBvcnQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk +e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg +KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI +YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi +lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL +HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjOjA4MDYGCCsG +AQUFBwEBBCowKDAmBggrBgEFBQcwAYYaaHR0cDovL3d3dy5leGFtcGxlLmNvbTot +MS8wDQYJKoZIhvcNAQELBQADggEBABCPXr4pvTLeDOPJ9G/A06wTpyoTAUa925GG +hRTuEeEw5o83Uzgm/fT2bO6+RJCfdR0wA95897l/p6vzybobZe8w2GM4RYWzkzkL +xMHrJQtzSdgG7tLRaxZ58A+Q1l8mRGtYpyAb14hwEsKY+8phG3XGP2w7ekQxODhM +gTgaICYNoQaBlz4PqVdqhDv7ZgmF9QQyG0C3H5Hma0jinr5YcCYRkzPciZTwS8DP +Jv7n+/9WbTK0rOc1n5omFwb0fPs64rpVgWqGmySPPT7G8aUo89a9ma8XJMoaHjzE +T1TZL03SoOxxEN3NBB4+9i14qHfmiWu+pOFlcDxCnVkRACMk2d0= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec new file mode 100644 index 0000000000..fce6d43848 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/negative-port.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:negative-port +extension:authorityInformationAccess:http://www.example.com:-1/ diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem new file mode 100644 index 0000000000..0358a13a65 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC4zCCAcugAwIBAgIUJ/hWC/IA8OSkpAm4v2bLiFq5xlMwDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw +MDAwMDBaMBYxFDASBgNVBAMMC25vLWhvc3QtdXJsMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABoy0wKzApBggrBgEF +BQcBAQQdMBswGQYIKwYBBQUHMAGGDWh0dHA6Ly86ODg4OC8wDQYJKoZIhvcNAQEL +BQADggEBAK4Fk3641sIxflNan2/JobCNeV8UoDpVn9ZaU9sUOfXHnVVPjUAnlzKj +SdhI9Z9bVqsEt787B2UIGQeqYnot5x7Gu9hGSeGz7kfp/xURyx4CHmIC33n9jwKZ +daWaiWvqHfbRljd6Mvm9lJYWx3w8Ggci61N+GeeRAmBhPJvpe6gzo/vCmO6rnSqG +0AxiEb98DHaes4ofL/DTgDlHWryB5UByyf9FEenHFFizr/YuYEKc8FMf19nvbQiN +VJFP6LMmIlmg4Xq7ED97U5VhDal1e6vro12d5Cv9EZkkTxaTQMKhG4W8iNHZlwFB +BsQX7n6BT1Lg/MqVCUt265qDF3c7Pvc= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem.certspec new file mode 100644 index 0000000000..4ac76e7eb3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-host-url.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:no-host-url +extension:authorityInformationAccess:http://:8888/ diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem new file mode 100644 index 0000000000..f7b346e338 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC8TCCAdmgAwIBAgIUaz9vziBHmRLkLlxVoF1xxTuiNH4wDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw +MDAwMDBaMBYxFDASBgNVBAMMC25vLXBhdGgtdXJsMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozswOTA3BggrBgEF +BQcBAQQrMCkwJwYIKwYBBQUHMAGGG2h0dHA6Ly93d3cuZXhhbXBsZS5jb206ODg4 +ODANBgkqhkiG9w0BAQsFAAOCAQEAlMdLsu6jig7c3TW2eYVzA8uAuANVDpE49XXf +6KJI/RCGjJZa5h6SEPRnvhmruc3TsY/3Tt1U8i9QqEgFTkFmFmFI+twqJGH/F2KM +Ied4MBF970tkTVYRRUI0RCOdhBUfx1kDuA1D00YdDA3v5mYTcdsSIB7U6lqah/28 +Rga+PhQX6Yu2VVcQF48sO51vsa2Q3hhZEqyGwezWDml1IAgr5EXT3hDdVKTXtZpM +g6lzAfcdF/vhDVtmABvDpyWhMcfTQ/nNel2/7ICJvukP5v1VW15XYzL4tsyMx4K7 +8CL1Ol6XMixU7Ov0liwN3s4ltvJqpVoyOrMWLoa3Qn7F4XHJMg== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem.certspec new file mode 100644 index 0000000000..497bb28796 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-path-url.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:no-path-url +extension:authorityInformationAccess:http://www.example.com:8888 diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem new file mode 100644 index 0000000000..2e4b35203d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC3zCCAcegAwIBAgIUc6pGAyMLd73M5wLzGIk7VHQ1UGgwDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw +MDAwMDBaMB4xHDAaBgNVBAMME25vLXNjaGVtZS1ob3N0LXBvcnQwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjITAf +MB0GCCsGAQUFBwEBBBEwDzANBggrBgEFBQcwAYYBLzANBgkqhkiG9w0BAQsFAAOC +AQEAoNZDLXjNXKUumNMieyWv67kOH/uoDS9tsX4+LIuZRgKLeb4xjstHxxKkaWWy +HJCjBwHYjbndWXSqE+6NPm8oHTypPc0+vZOStKnj/OzxHWfxbEzqsy27qoWKFpxA +HNzyt4/EWmSdoDRiCoXTYP4KuIPGrtqUS2wnJAoEcNa52wazsqSRJPfiK02r+N96 +N/z8+Olyudbgkl6QNMNaxmzYejENLfwxS1nH5R3orxEH2/L+6Mr3vKDMq9IQc3Ou +vrHHtW7XiOaYNV+8p4ChaGe6yEEbnz53G7TwjoDKvxD1tV0AGqRqMxdCJ+CDQ7Ev +xwxHLNIXGsaQs2H7m7eE9OpN/Q== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem.certspec new file mode 100644 index 0000000000..42a555e411 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-host-port.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:no-scheme-host-port +extension:authorityInformationAccess:/ diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem new file mode 100644 index 0000000000..9a7530baa9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7TCCAdWgAwIBAgIUccG45Puc/if4zk65IRFmiwMkTyowDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw +MDAwMDBaMBgxFjAUBgNVBAMMDW5vLXNjaGVtZS11cmwwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wk +e8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0Dgg +KZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmI +YXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7fi +lhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbL +HCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjNTAzMDEGCCsG +AQUFBwEBBCUwIzAhBggrBgEFBQcwAYYVd3d3LmV4YW1wbGUuY29tOjg4ODgvMA0G +CSqGSIb3DQEBCwUAA4IBAQBTjpqXEXFANWFs+cs4nu2rUFEnvXkZzmkoRlPbWaKw +naVdEJ5xetaX79sh5N3vSNPCsArAF1iCnv8jmgnQRzXRKWxrZGVrUGm+5a74O/99 +vvy7CIj90A7OytXUwyAhrz6hGxmWYrnJUY5RjZTmjxvr4wgiXXZuHc+/uZRn84RK +sJnh+XDS3hFz0M78FQOSTgdwEI/hC/QFh0CIycrc4qR6xY+fwdfLvk8GepC6ABCG +6hn9bEpt1POO7O7UmBtIYuiyHx/32hwVrCXFbD7sgnLvz0iQYvnO4gg4Cb42pK2N +gBeej4JDWaxq3HOBCKEARgdpWML2E94Vx7a484EuLI0h +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem.certspec new file mode 100644 index 0000000000..a82196a6d1 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/no-scheme-url.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:no-scheme-url +extension:authorityInformationAccess:www.example.com:8888/ diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem new file mode 100644 index 0000000000..798afe22d3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7zCCAdegAwIBAgIUNW/IeKC4Vw2JT/VDNXHrYgCqKegwDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw +MDAwMDBaMBkxFzAVBgNVBAMMDnVua25vd24tc2NoZW1lMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABozYwNDAyBggr +BgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFnR0cDovL3d3dy5leGFtcGxlLmNvbS8w +DQYJKoZIhvcNAQELBQADggEBALT6AXU+U5IK7KxE2FW8F719+2Solmn3WcbLP9z+ +klThJ2HcNlxZBxuV+DwS3kBhsocZDneuOvUfSMilswGrGi9pGNgdhQWN2gO41LUy +QavfjRuSbGJghAZJSN5dVWBkF8kuv19ZiLMiM53C5vQo92/+Vww+Ue5S1HSagybI +3mmBUyf+8nvVO5mDsfDL8OnH4ON66sxqgu6Kuwlr2wc3inZo7ZOW24m75KLJG2Ah +KOs0sksn7DsG2VFUIJJj/qN9Co8ZjrnJbLYec57MBM8V8l1wIfVdqM/a7wof4tE3 +DVKvFl7uGK/u1nh4lRYQx7/MH1GU4ItULEbOZ2kCIpnozpU= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec new file mode 100644 index 0000000000..0089455398 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/unknown-scheme.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:unknown-scheme +extension:authorityInformationAccess:ttp://www.example.com/ diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem new file mode 100644 index 0000000000..ab104a9f45 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+jCCAeKgAwIBAgIUJ7gBTm0Yo/h/kQT3ggLP9jbM3yIwDQYJKoZIhvcNAQEL +BQAwDjEMMAoGA1UEAwwDaW50MCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUw +MDAwMDBaMBQxEjAQBgNVBAMMCXVzZXItcGFzczCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wccl +qODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sg +w0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCx +V5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1 +MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQs +vxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNGMEQwQgYIKwYBBQUH +AQEENjA0MDIGCCsGAQUFBzABhiZodHRwOi8vdXNlcjpwYXNzQHd3dy5leGFtcGxl +LmNvbTo4ODg4LzANBgkqhkiG9w0BAQsFAAOCAQEAatrdhzPYl8dtK3j+q0F2cD0M +QpgNpBZeRa+9puQK/mLlSNEI1ottNU+DbukELLpwAtS0YzN02qf48MptuWkyudT0 +3bDNWIGMmzXpGgD7OCE2iwuiWJD6URahLoCew0eByIhaywaexEtqiNFIBtD3xPJr +vqxAJ7JvXpTNpE90dbnHCXlXQU6h9HFIfj8pIPDc/hXACjqVmqetwzK6d5XPLUaG +D4Jxy+lHN90JvH9+oApumJj/i2g7Bpjbn1SFwg5UKamAFc4SsDbV/DsXy91rqpSJ +Wtrq6EP8cPNQ5cTQ3nzs/cO7nSVrVXllxkcUpOo1JnAARmWlyePioomaqf1fKA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec new file mode 100644 index 0000000000..337e67e5f9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url/user-pass.pem.certspec @@ -0,0 +1,3 @@ +issuer:int +subject:user-pass +extension:authorityInformationAccess:http://user:pass@www.example.com:8888/ diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem new file mode 100644 index 0000000000..74a9711cf6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIBHzANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFUZXN0 +IEludGVybWVkaWF0ZTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAw +WjAwMS4wLAYDVQQDDCVBbm90aGVyIEVFIFJldm9rZWQgYnkgcmV2b2NhdGlvbnMu +dHh0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62 +iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql +WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq +Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ +ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i +b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY +CjXtjQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB2pHWaL4x9Z6EwRI54eDjBvbhW +Nckc9QFYHdheA91DnlSkyeAIHcXe+fW0nvoCZ9xfnSjPlsXgs/qQyOHg+w6LgfhM +3UaGRRRouIqOMMko1DgbrJRm2YFrUhCjmsnnKq99rp4eShc2kwBSd0Az6OGhBnE6 ++CcU7a6wfOV/enX/KGiiWeQON5+jh9bBBDRO1trvFd7CDSMyAEkg+CEu6Mb53QlK +cOBuev+Bc5GV6gng+I/X7vh3DsMIbsfOAU6llpqx0VO/evp4SFExSQI4zbjxQEqv +/38YQAhJ7j97kupgPXL98q27TQaUZvOCok/Go8j0ZQZ1dlJFwRNZE6ZT393R +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem.certspec new file mode 100644 index 0000000000..d3ba461104 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test Intermediate +subject:Another EE Revoked by revocations.txt +serialNumber:31 diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem new file mode 100644 index 0000000000..f118e94dd3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyTCCAbGgAwIBAgIBTjANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFUZXN0 +IEludGVybWVkaWF0ZTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQwMjA1MDAwMDAw +WjAwMS4wLAYDVQQDDCVBbm90aGVyIEVFIFJldm9rZWQgYnkgcmV2b2NhdGlvbnMu +dHh0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62 +iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHql +WqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosq +Qe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ +ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8i +b2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoY +CjXtjQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAD1fjkHeUSNoIXuGDYRYn2rZJS +5oV2caQaXRv7FaB4M7oGx5FNTaooSJLr+M6yC+0dxkfU8316vJ4d2DAKyL1sVrpw +QMhndYCKQXpJ/06F59khzZnsPVAdnuXJ99aLGVjiebN+NYWzLDPUQw9sERvw+lep +wNWJAgBsjdc/9iyLR7Tj5Y72zB4tV961GLSX6WztKyuLhIHCFueU3IvbDe4NWLyT +CNZOohGcpdAzGH18gPOJnuVKLzND629qUZrr8/orh0xk989/uk97Kg1oF5Wd6LaT +4CuH3CIVA5ijYj6jwPbj6gkV5IdxW4QVYefH47G9xum7RDF/IVEs3rzwybPj +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem.certspec new file mode 100644 index 0000000000..10f8f07cce --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/another-ee-revoked-by-revocations-txt.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test Intermediate +subject:Another EE Revoked by revocations.txt +serialNumber:78 diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem new file mode 100644 index 0000000000..566f6f227d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICtzCCAZ+gAwIBAgIBKjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0 +IENBMCIYDzIwMjExMTI3MDAwMDAwWhgPMjAyNDAyMDUwMDAwMDBaMCgxJjAkBgNV +BAMMHUVFIFJldm9rZWQgYnkgcmV2b2NhdGlvbnMudHh0MIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFds +JHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4 +ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25 +iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu3 +4pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42 +yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABMA0GCSqGSIb3 +DQEBCwUAA4IBAQBXENg6gQp2CVGvs2e5SFpj+9K0Df6qICkQeIsEsqL/loRbBhdf +kRudVBVaXANEWdInLppGGfv8tk3VAre2Trlq8Owt3RuP4mdyrlSt3ZTNPbK3lPCU +K51iqEX/URBvwo+dZpOZqBy+NQ1ZdLlWWTzABiXfQNnsg1z0U/laGYNvNoGxWmg0 +YDU/moLw4EOh8akvTRdoZ6WaSTRCwNISTPCUrwj4RvKeSlsuat+MsxCA4oQqquni +iDD1Aq2MLDXAsMfCz7fB+FJ8hMA8nGOTNd4eRXsJIFRcIRSiPo6eADZaex88z84b +NlE/N5/6MQ7EDsiumkHO35B1Nr2hKSnygrCl +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem.certspec new file mode 100644 index 0000000000..a2a67d909c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-revocations-txt.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test CA +subject:EE Revoked by revocations.txt +serialNumber:42 diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem new file mode 100644 index 0000000000..eb6db83ff8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIICzTCCAbWgAwIBAgIUF0SQAekyqW5LqQAmYGwNQpn7o18wDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjArMSkwJwYDVQQDDCBFRSBSZXZva2VkIEJ5IFN1YmplY3QgYW5k +IFB1YktleTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbW +Qf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pk +cQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHT +AjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3 +ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jh +s3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHV +A6zaGAo17Y0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAtqoXX2PHLaQdil4gzPbg +vONLbChJFeN/rBwenDrYYvyyw/x7hEov3pedjiapzjQHZiEINFICipArwEkN3hBK +5eSSdfRbHrfzZ3XIRwkgRlPkVSN0DPv1QXvRbym3OuKZLmDHYNLr0g4siTB9QT/X +KuCCnJazaBrNclz2DmZq7tMjKi/82i5aMot7fCJ8Rc+TSOMgTGCS2BnvoM/F4+0e +q3Nd7XfSrdEgd2qfzKON4qrJyDK8v9RnY3c1kG+JbpQHby70JPz9YBO8sa2Yuy1U +Vxnh2zhmPBUWPNwDYefkGfA+Mw2cW48+6vvFxigWjoLyNAGVEH8zrYhgSGY67P1l +2g== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem.certspec new file mode 100644 index 0000000000..cadbcf9038 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/ee-revoked-by-subject-and-pubkey.pem.certspec @@ -0,0 +1,2 @@ +issuer:Test CA +subject:EE Revoked By Subject and PubKey diff --git a/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem new file mode 100644 index 0000000000..d524b4480b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDITCCAgmgAwIBAgIUKU+OMvdur/GbuU28D3WfX/xbV9AwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAiMSAwHgYDVQQDDBdBbm90aGVyIFRlc3QgRW5kLWVudGl0eTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9 +PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3 +HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3Dg +Dw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7 +EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SK +lWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0C +AwEAAaNbMFkwIwYDVR0RBBwwGoIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tMDIG +CCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDo4ODg4 +LzANBgkqhkiG9w0BAQsFAAOCAQEAReIPRx+jafffXyK50Ig6Juzjs51zXX3IrdA2 +HYcXGZsdsLL8CvlnwHJhrMBP+Eh/bs8u9UgfmC9rxDX2gLxfIDlbidryYGzONAQq +jWiFlVzq30fz28uatwFYzUzKODtsCM+47Qg0Y+HY9506Bj7TNmPB/a9JBY76SSw0 +Rwk1LSaMEuzu62XXuT+jjVGWqQZktAAUCtpM39UlC8aazrk6ipfh6iKHcJCN5+U1 ++IM4BOErevre0SxKTz7cNKr04lghxFFGUKm/jkoZeF/6Hm73Ke75EhKlfS3D1YAY +rm3DuUnGaWn/00X6lAWrm/dCfq1uepp+Xmgsc27jFPnVAccuMw== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem.certspec new file mode 100644 index 0000000000..8b20f03f59 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/same-issuer-ee.pem.certspec @@ -0,0 +1,4 @@ +issuer:Test CA +subject:Another Test End-entity +extension:subjectAlternativeName:localhost,*.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/test_onecrl/sample_revocations.txt b/security/manager/ssl/tests/unit/test_onecrl/sample_revocations.txt new file mode 100644 index 0000000000..8983eb65c7 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/sample_revocations.txt 
@@ -0,0 +1,41 @@ +# a sample revocations.txt for tests +# Lines starting with '#' are ignored - as are empty lines like this: + +# otherwise: +# non-empty lines are treated as base-64 encoded DER DN data (e.g. issuer or +# subject) +# ...unless the line starts with a ' ' (space) character, in which case it's +# assumed to be base-64 encoded DER serial data, or +# the line starts with a '\t' (tab) character, in which case it's assumed to +# be a base-64 encoded SHA256 hash of a public key + +# First a serial with no issuer to ensure this doesn't cause parsing to fail +# (there should be an issuer first, but we need to test this won't fail) + dGVzdA== +# next, let's ensure data that isn't valid base64 doesn't cause breakage. + this serial isn't valid base64 (but then there's no issuer anyway) +Neither is this issuer, though the serial is fine + dGVzdA== +dGVzdA== + in this case, issuer is fine but not the serial +# Next two entries; we can add valid base-64 encoded data for some basic tests: +# issuer is the base-64 encoded subject DN for the shared Test CA +# serial is the base-64 encoded integer 42 +MBIxEDAOBgNVBAMMB1Rlc3QgQ0E= + Kg== +# issuer is the base-64 encoded subject DN for the shared Test Intermediate +# the first serial is the base-64 encoded integer 78 +# the second serial is the base-64 encoded integer 31 +MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl + Tg== + Hw== + c2VyaWFsMi4= +# subject is base-64 encoded subject DN "CN=EE Revoked By Subject and PubKey" +# pubKeyHash is the base-64 encoded sha256 hash of the shared RSA SPKI +MCsxKTAnBgNVBAMMIEVFIFJldm9rZWQgQnkgU3ViamVjdCBhbmQgUHViS2V5 + VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8 +# and some more data to ensure that mixed items don't cause parsing failure +a DN + a serial + a hash + another serial diff --git a/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem new file mode 100644 index 0000000000..525cd71c47 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6jCCAdKgAwIBAgIUa4ks0VUTyrp6BlZyCB65lVeSFDgwDQYJKoZIhvcNAQEL +BQAwHDEaMBgGA1UEAwwRVGVzdCBJbnRlcm1lZGlhdGUwIhgPMjAyMTExMjcwMDAw +MDBaGA8yMDI0MDIwNTAwMDAwMFowJDEiMCAGA1UEAwwZRUUgaXNzdWVkIGJ5IGlu +dGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahE +jhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1 +a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1p +GrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW +2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcO +p2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJR +xDHVA6zaGAo17Y0CAwEAAaMYMBYwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqG +SIb3DQEBCwUAA4IBAQA1n1VzCy6MJBHPaZlsuILBLkNqd7Bhzalhp6ubI05DGgfq +yIYSyEn7ALTwo0bsp9kndmijyB3T8BJoDekEHjcKRpnDuuBGKGVrvOWquIJ1YFRf +1r+VxI7n0wC9RF953+rTgsyPYPS5q1DJrMx+q1PCzga4mP5Tm3OxTyMXsHpM7uxN +9/imDY0gLndSUYjx0S5EADhmXul+SCLxzh+9TfdQPRSiDhFsNrUen31Ajh/5Iu34 +e0wc4UEEUJftqbmbFMk7OJiUi2UcezCJdt7WYZQJGLWHLQFugJmsE6sLy0fDXHVX +65VKh/HrXYQ5xemJtJaQfImoHV5+SGkVxdyYFKwO +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem.certspec b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem.certspec new file mode 100644 index 0000000000..24792d540a --- /dev/null +++ b/security/manager/ssl/tests/unit/test_onecrl/test-int-ee.pem.certspec @@ -0,0 +1,3 @@ +issuer:Test Intermediate +subject:EE issued by intermediate +extension:subjectAlternativeName:localhost diff --git a/security/manager/ssl/tests/unit/test_osclientcerts_module.js b/security/manager/ssl/tests/unit/test_osclientcerts_module.js new file mode 100644 index 0000000000..69f812a90e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_osclientcerts_module.js 
@@ -0,0 +1,63 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that the platform can load the osclientcerts module.
+
+// Ensure that the appropriate initialization has happened.
+Services.prefs.setBoolPref("security.osclientcerts.autoload", false);
+do_get_profile();
+
+const { TestUtils } = ChromeUtils.importESModule(
+ "resource://testing-common/TestUtils.sys.mjs"
+);
+
+async function check_osclientcerts_module_loaded() {
+ // Loading happens asynchronously, so we have to wait for the notification.
+ await TestUtils.topicObserved("psm:load-os-client-certs-module-task-ran");
+ let testModule = checkPKCS11ModuleExists(
+ "OS Client Cert Module",
+ "osclientcerts"
+ );
+
+ // Check that listing the slots for the osclientcerts module works.
+ let testModuleSlotNames = Array.from(
+ testModule.listSlots(),
+ slot => slot.name
+ );
+ testModuleSlotNames.sort();
+ const expectedSlotNames = [
+ "OS Client Cert Slot (Legacy)",
+ "OS Client Cert Slot (Modern)",
+ ];
+ deepEqual(
+ testModuleSlotNames,
+ expectedSlotNames,
+ "Actual and expected slot names should be equal"
+ );
+}
+
+add_task(async function run_test() {
+ // Check that if we haven't loaded the osclientcerts module, we don't find it
+ // in the module list.
+ checkPKCS11ModuleNotPresent("OS Client Cert Module", "osclientcerts");
+
+ // Check that enabling the pref that loads the osclientcerts module makes it
+ // appear in the module list.
+ Services.prefs.setBoolPref("security.osclientcerts.autoload", true);
+ await check_osclientcerts_module_loaded();
+
+ // Check that disabling the pref that loads the osclientcerts module (thus
+ // unloading the module) makes it disappear from the module list.
+ Services.prefs.setBoolPref("security.osclientcerts.autoload", false);
+ checkPKCS11ModuleNotPresent("OS Client Cert Module", "osclientcerts");
+
+ // Check that loading the module again succeeds.
+ Services.prefs.setBoolPref("security.osclientcerts.autoload", true);
+ await check_osclientcerts_module_loaded();
+
+ // And once more check that unloading succeeds.
+ Services.prefs.setBoolPref("security.osclientcerts.autoload", false);
+ checkPKCS11ModuleNotPresent("OS Client Cert Module", "osclientcerts");
+});
diff --git a/security/manager/ssl/tests/unit/test_oskeystore.js b/security/manager/ssl/tests/unit/test_oskeystore.js
new file mode 100644
index 0000000000..a5ef0f9172
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_oskeystore.js
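Review bot: `run_test` treats loading and unloading asymmetrically without saying why: after setting `security.osclientcerts.autoload` to true it waits for `psm:load-os-client-certs-module-task-ran`, but after setting it to false it calls `checkPKCS11ModuleNotPresent` at once. If the unload is also dispatched asynchronously, the absence checks could run before the module is gone and the test would fail intermittently; whether that is the case cannot be told from this hunk. A comment above the first `setBoolPref(..., false)` in `run_test` should state the assumption, for example `// Unloading completes before setBoolPref returns, so no notification wait is needed (confirm against the pref observer).`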
@@ -0,0 +1,413 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the methods and attributes for interfacing with nsIOSKeyStore.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+const LABELS = ["mylabel1", "mylabel2", "mylabel3"];
+
+async function delete_all_secrets() {
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+ for (let label of LABELS) {
+ if (await keystore.asyncSecretAvailable(label)) {
+ await keystore.asyncDeleteSecret(label);
+ ok(
+ !(await keystore.asyncSecretAvailable(label)),
+ label + " should be deleted now."
+ );
+ }
+ }
+}
+
+// Test that Firefox handles locking and unlocking of the OSKeyStore properly.
+// Does so by mocking out the actual dialog and "filling in" the
+// password. Also tests that providing an incorrect password will fail (well,
+// technically the user will just get prompted again, but if they then cancel
+// the dialog the overall operation will fail).
+
+var gMockPrompter = {
+ passwordToTry: null,
+ numPrompts: 0,
+
+ // This intentionally does not use arrow function syntax to avoid an issue
+ // where in the context of the arrow function, |this != gMockPrompter| due to
+ // how objects get wrapped when going across xpcom boundaries.
+ promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+ this.numPrompts++;
+ equal(
+ text,
+ "Please enter your Primary Password.",
+ "password prompt text should be as expected"
+ );
+ equal(checkMsg, null, "checkMsg should be null");
+ ok(this.passwordToTry, "passwordToTry should be non-null");
+ if (this.passwordToTry == "DontTryThisPassword") {
+ // Cancel the prompt in this case.
+ return false;
+ }
+ password.value = this.passwordToTry;
+ return true;
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+};
+
+// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt
+// to call promptPassword. We return the mock one, above.
+var gWindowWatcher = {
+ getNewPrompter: () => gMockPrompter,
+ QueryInterface: ChromeUtils.generateQI(["nsIWindowWatcher"]),
+};
+
+async function encrypt_decrypt_test() {
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+ ok(
+ !(await keystore.asyncSecretAvailable(LABELS[0])),
+ "The secret should not be available yet."
+ );
+
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(recoveryPhrase, "A recovery phrase should've been created.");
+ let recoveryPhrase2 = await keystore.asyncGenerateSecret(LABELS[1]);
+ ok(recoveryPhrase2, "A recovery phrase should've been created.");
+
+ let text = new Uint8Array([0x01, 0x00, 0x01]);
+ let ciphertext = "";
+ try {
+ ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text);
+ ok(ciphertext, "We should have a ciphertext now.");
+ } catch (e) {
+ ok(false, "Error encrypting " + e);
+ }
+
+ // Decrypting should give us the plaintext bytes again.
+ try {
+ let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext);
+ ok(
+ plaintext.toString() == text.toString(),
+ "Decrypted plaintext should be the same as text."
+ );
+ } catch (e) {
+ ok(false, "Error decrypting ciphertext " + e);
+ }
+
+ // Decrypting with a wrong key should throw an error.
+ try {
+ await keystore.asyncDecryptBytes(LABELS[1], ciphertext);
+ ok(false, "Decrypting with the wrong key should fail.");
+ } catch (e) {
+ ok(true, "Decrypting with the wrong key should fail " + e);
+ }
+}
+
+add_task(async function() {
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+ let windowWatcherCID;
+ if (keystore.isNSSKeyStore) {
+ windowWatcherCID = MockRegistrar.register(
+ "@mozilla.org/embedcomp/window-watcher;1",
+ gWindowWatcher
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(windowWatcherCID);
+ });
+ }
+
+ await delete_all_secrets();
+ await encrypt_decrypt_test();
+ await delete_all_secrets();
+
+ if (
+ AppConstants.platform == "macosx" ||
+ AppConstants.platform == "win" ||
+ AppConstants.platform == "linux"
+ ) {
+ ok(
+ !keystore.isNSSKeyStore,
+ "OS X, Windows, and Linux should use the non-NSS implementation"
+ );
+ }
+
+ if (keystore.isNSSKeyStore) {
+ // If we use the NSS key store implementation test that everything works
+ // when a master password is set.
+ // Set an initial password.
+ let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+ Ci.nsIPK11TokenDB
+ );
+ let token = tokenDB.getInternalKeyToken();
+ token.initPassword("hunter2");
+
+ // Lock the key store. This should be equivalent to token.logoutSimple()
+ await keystore.asyncLock();
+
+ // Set the correct password so that the test operations should succeed.
+ gMockPrompter.passwordToTry = "hunter2";
+ await encrypt_decrypt_test();
+ ok(
+ gMockPrompter.numPrompts == 1,
+ "There should've been one password prompt."
+ );
+ await delete_all_secrets();
+ }
+
+ // Check lock/unlock behaviour.
+ // Unfortunately we can only test this automatically for the NSS key store.
+ // Uncomment the outer keystore.isNSSKeyStore to test other key stores manually.
+ if (keystore.isNSSKeyStore) {
+ await delete_all_secrets();
+ await encrypt_decrypt_test();
+ await keystore.asyncLock();
+ info("Keystore should be locked. Cancel the login request.");
+ try {
+ if (keystore.isNSSKeyStore) {
+ gMockPrompter.passwordToTry = "DontTryThisPassword";
+ }
+ await keystore.asyncUnlock();
+ ok(false, "Unlock should've rejected.");
+ } catch (e) {
+ ok(
+ e.result == Cr.NS_ERROR_FAILURE || e.result == Cr.NS_ERROR_ABORT,
+ "Rejected login prompt."
+ );
+ }
+ // clean up
+ if (keystore.isNSSKeyStore) {
+ gMockPrompter.passwordToTry = "hunter2";
+ }
+ await delete_all_secrets();
+ }
+});
+
+// Test that if we kick off a background operation and then call a synchronous function on the
+// keystore, we don't deadlock.
+add_task(async function() {
+ await delete_all_secrets();
+
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(recoveryPhrase, "A recovery phrase should've been created.");
+
+ try {
+ let text = new Uint8Array(8192);
+ let promise = keystore.asyncEncryptBytes(LABELS[0], text);
+ /* eslint-disable no-unused-expressions */
+ keystore.isNSSKeyStore; // we don't care what this is - we just need to access it
+ /* eslint-enable no-unused-expressions */
+ let ciphertext = await promise;
+ ok(ciphertext, "We should have a ciphertext now.");
+ } catch (e) {
+ ok(false, "Error encrypting " + e);
+ }
+
+ await delete_all_secrets();
+});
+
+// Test that using a recovery phrase works.
+add_task(async function() {
+ await delete_all_secrets();
+
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(recoveryPhrase, "A recovery phrase should've been created.");
+
+ let text = new Uint8Array([0x01, 0x00, 0x01]);
+ let ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text);
+ ok(ciphertext, "We should have a ciphertext now.");
+
+ await keystore.asyncDeleteSecret(LABELS[0]);
+ // Decrypting should fail after deleting the secret.
+ await keystore
+ .asyncDecryptBytes(LABELS[0], ciphertext)
+ .then(() =>
+ ok(false, "decrypting didn't throw as expected after deleting the secret")
+ )
+ .catch(() =>
+ ok(true, "decrypting threw as expected after deleting the secret")
+ );
+
+ await keystore.asyncRecoverSecret(LABELS[0], recoveryPhrase);
+ let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext);
+ ok(
+ plaintext.toString() == text.toString(),
+ "Decrypted plaintext should be the same as text."
+ );
+
+ await delete_all_secrets();
+});
+
+// Test that trying to use a non-base64 recovery phrase fails.
+add_task(async function() {
+ await delete_all_secrets();
+
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+ await keystore
+ .asyncRecoverSecret(LABELS[0], "@##$^&*()#$^&*(@#%&*_")
+ .then(() =>
+ ok(false, "base64-decoding non-base64 should have failed but didn't")
+ )
+ .catch(() => ok(true, "base64-decoding non-base64 failed as expected"));
+
+ ok(
+ !(await keystore.asyncSecretAvailable(LABELS[0])),
+ "we didn't recover a secret, so the secret shouldn't be available"
+ );
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(
+ recoveryPhrase && !!recoveryPhrase.length,
+ "we should be able to re-use that label to generate a new secret"
+ );
+ await delete_all_secrets();
+});
+
+// Test that re-using a label overwrites any previously-stored secret.
+add_task(async function() {
+ await delete_all_secrets();
+
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(recoveryPhrase, "A recovery phrase should've been created.");
+
+ let text = new Uint8Array([0x66, 0x6f, 0x6f, 0x66]);
+ let ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text);
+ ok(ciphertext, "We should have a ciphertext now.");
+
+ let newRecoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(newRecoveryPhrase, "A new recovery phrase should've been created.");
+
+ // The new secret replaced the old one so we shouldn't be able to decrypt the ciphertext now.
+ await keystore
+ .asyncDecryptBytes(LABELS[0], ciphertext)
+ .then(() =>
+ ok(false, "decrypting without the original key should have failed")
+ )
+ .catch(() =>
+ ok(true, "decrypting without the original key failed as expected")
+ );
+
+ await keystore.asyncRecoverSecret(LABELS[0], recoveryPhrase);
+ let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext);
+ ok(
+ plaintext.toString() == text.toString(),
+ "Decrypted plaintext should be the same as text (once we have the original key again)."
+ );
+
+ await delete_all_secrets();
+});
+
+// Test that re-using a label (this time using a recovery phrase) overwrites any previously-stored
+// secret.
+add_task(async function() {
+ await delete_all_secrets();
+
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(recoveryPhrase, "A recovery phrase should've been created.");
+
+ let newRecoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(newRecoveryPhrase, "A new recovery phrase should've been created.");
+
+ let text = new Uint8Array([0x66, 0x6f, 0x6f, 0x66]);
+ let ciphertext = await keystore.asyncEncryptBytes(LABELS[0], text);
+ ok(ciphertext, "We should have a ciphertext now.");
+
+ await keystore.asyncRecoverSecret(LABELS[0], recoveryPhrase);
+
+ // We recovered the old secret, so decrypting ciphertext that had been encrypted with the newer
+ // key should fail.
+ await keystore
+ .asyncDecryptBytes(LABELS[0], ciphertext)
+ .then(() => ok(false, "decrypting without the new key should have failed"))
+ .catch(() => ok(true, "decrypting without the new key failed as expected"));
+
+ await keystore.asyncRecoverSecret(LABELS[0], newRecoveryPhrase);
+ let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext);
+ ok(
+ plaintext.toString() == text.toString(),
+ "Decrypted plaintext should be the same as text (once we have the new key again)."
+ );
+
+ await delete_all_secrets();
+});
+
+// Test that trying to use recovery phrases that are the wrong size fails.
+add_task(async function() {
+ await delete_all_secrets();
+
+ let keystore = Cc["@mozilla.org/security/oskeystore;1"].getService(
+ Ci.nsIOSKeyStore
+ );
+
+ await keystore
+ .asyncRecoverSecret(LABELS[0], "")
+ .then(() => ok(false, "'recovering' with an empty key should have failed"))
+ .catch(() => ok(true, "'recovering' with an empty key failed as expected"));
+ ok(
+ !(await keystore.asyncSecretAvailable(LABELS[0])),
+ "we didn't recover a secret, so the secret shouldn't be available"
+ );
+
+ await keystore
+ .asyncRecoverSecret(LABELS[0], "AAAAAA")
+ .then(() =>
+ ok(false, "recovering with a key that is too short should have failed")
+ )
+ .catch(() =>
+ ok(true, "recovering with a key that is too short failed as expected")
+ );
+ ok(
+ !(await keystore.asyncSecretAvailable(LABELS[0])),
+ "we didn't recover a secret, so the secret shouldn't be available"
+ );
+
+ await keystore
+ .asyncRecoverSecret(
+ LABELS[0],
+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+ )
+ .then(() =>
+ ok(false, "recovering with a key that is too long should have failed")
+ )
+ .catch(() =>
+ ok(true, "recovering with a key that is too long failed as expected")
+ );
+ ok(
+ !(await keystore.asyncSecretAvailable(LABELS[0])),
+ "we didn't recover a secret, so the secret shouldn't be available"
+ );
+
+ let recoveryPhrase = await keystore.asyncGenerateSecret(LABELS[0]);
+ ok(
+ recoveryPhrase && !!recoveryPhrase.length,
+ "we should be able to use that label to generate a new secret"
+ );
+ ok(
+ await keystore.asyncSecretAvailable(LABELS[0]),
+ "the generated secret should now be available"
+ );
+
+ await delete_all_secrets();
+});
diff --git a/security/manager/ssl/tests/unit/test_osreauthenticator.js b/security/manager/ssl/tests/unit/test_osreauthenticator.js
new file mode 100644
index 0000000000..01784a5fef
--- /dev/null
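Review bot: The wrong-key case at the end of `encrypt_decrypt_test` counts any exception as a pass, because its `catch (e)` branch calls `ok(true, ...)` without inspecting `e`. A rejection unrelated to the key mismatch, such as a locked or unavailable store, would satisfy it just as well. The unlock case later in this file already pins the error with `e.result == Cr.NS_ERROR_FAILURE || e.result == Cr.NS_ERROR_ABORT`. The decrypt case should do the same, for example `ok(e.result == Cr.NS_ERROR_FAILURE, "Decrypting with the wrong key should fail " + e);`, with the code adjusted to whatever `asyncDecryptBytes` is specified to reject with (not visible here). The `.catch(() => ok(true, ...))` handlers in the recovery-phrase tasks discard the error in the same way.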
+++ b/security/manager/ssl/tests/unit/test_osreauthenticator.js
@@ -0,0 +1,27 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests nsIOSReauthenticator.asyncReauthenticateUser().
+// As this gets implemented on various platforms, running this test
+// will result in a prompt from the OS. Consequently, we won't be able
+// to run this in automation, but it will help in testing locally.
+add_task(async function test_asyncReauthenticateUser() {
+ const reauthenticator = Cc[
+ "@mozilla.org/security/osreauthenticator;1"
+ ].getService(Ci.nsIOSReauthenticator);
+ ok(reauthenticator, "nsIOSReauthenticator should be available");
+ const EXPECTED = false; // Change this variable to suit your needs while testing.
+ ok(
+ (
+ await reauthenticator.asyncReauthenticateUser(
+ "this is the prompt string",
+ "this is the caption string",
+ null
+ )
+ )[0] == EXPECTED,
+ "nsIOSReauthenticator.asyncReauthenticateUser should return a boolean array with the first item being the authentication result of: " +
+ EXPECTED
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_password_prompt.js b/security/manager/ssl/tests/unit/test_password_prompt.js
new file mode 100644
index 0000000000..cf4c6db7bf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_password_prompt.js
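Review bot: `test_asyncReauthenticateUser` compares the result against a hand-edited constant, `const EXPECTED = false;`, so as committed it passes only when reauthentication is refused or cancelled and never covers a successful authentication. The header comment says the test cannot run in automation but not how it is kept out, and that is not visible in this hunk. Extending the header comment would keep the file from being read as real coverage of the reauthentication path, for example `// Manual test only: must stay disabled in the xpcshell manifest. Set EXPECTED to true when you intend to authenticate successfully at the OS prompt.`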
@@ -0,0 +1,87 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that PSM can successfully ask for a password from the user and relay it
+// back to NSS. Does so by mocking out the actual dialog and "filling in" the
+// password. Also tests that providing an incorrect password will fail (well,
+// technically the user will just get prompted again, but if they then cancel
+// the dialog the overall operation will fail).
+
+var gMockPrompter = {
+ passwordToTry: null,
+ numPrompts: 0,
+
+ // This intentionally does not use arrow function syntax to avoid an issue
+ // where in the context of the arrow function, |this != gMockPrompter| due to
+ // how objects get wrapped when going across xpcom boundaries.
+ promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+ this.numPrompts++;
+ if (this.numPrompts > 1) {
+ // don't keep retrying a bad password
+ return false;
+ }
+ equal(
+ text,
+ "Please enter your Primary Password.",
+ "password prompt text should be as expected"
+ );
+ equal(checkMsg, null, "checkMsg should be null");
+ ok(this.passwordToTry, "passwordToTry should be non-null");
+ password.value = this.passwordToTry;
+ return true;
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+};
+
+// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt
+// to call promptPassword. We return the mock one, above.
+var gWindowWatcher = {
+ getNewPrompter: () => gMockPrompter,
+ QueryInterface: ChromeUtils.generateQI(["nsIWindowWatcher"]),
+};
+
+function run_test() {
+ do_get_profile();
+
+ let windowWatcherCID = MockRegistrar.register(
+ "@mozilla.org/embedcomp/window-watcher;1",
+ gWindowWatcher
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(windowWatcherCID);
+ });
+
+ // Set an initial password.
+ let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+ Ci.nsIPK11TokenDB
+ );
+ let token = tokenDB.getInternalKeyToken();
+ token.initPassword("hunter2");
+ token.logoutSimple();
+
+ // Try with the correct password.
+ gMockPrompter.passwordToTry = "hunter2";
+ // Using nsISecretDecoderRing will cause the password prompt to come up if the
+ // token has a password and is logged out.
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+ sdr.encryptString("poke");
+ equal(gMockPrompter.numPrompts, 1, "should have prompted for password once");
+
+ // Reset state.
+ gMockPrompter.numPrompts = 0;
+ token.logoutSimple();
+
+ // Try with an incorrect password.
+ gMockPrompter.passwordToTry = "*******";
+ throws(
+ () => sdr.encryptString("poke2"),
+ /NS_ERROR_FAILURE/,
+ "logging in with the wrong password should fail"
+ );
+ equal(gMockPrompter.numPrompts, 2, "should have prompted for password twice");
+}
diff --git a/security/manager/ssl/tests/unit/test_pinning.js b/security/manager/ssl/tests/unit/test_pinning.js
new file mode 100644
index 0000000000..fef2cd9358
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pinning.js
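Review bot: Neither password case in `run_test` asserts the token's login state; both infer the outcome from `sdr.encryptString` and the prompt count alone. After the `throws(...)` block, `ok(!token.isLoggedIn(), "token should stay logged out after a failed login");` would pin the property that matters for the incorrect-password path. After `sdr.encryptString("poke")`, the matching `ok(token.isLoggedIn(), "token should be logged in after the correct password");` would do the same for the success path. Without them, a regression that left the token unlocked after a failed prompt would go unnoticed as long as `encryptString` still threw.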
@@ -0,0 +1,311 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +// +// For all cases, the acceptable pinset includes only certificates pinned to +// Test End Entity Cert (signed by issuer testCA). Other certificates +// are issued by otherCA, which is never in the pinset but is a user-specified +// trust anchor. This test covers multiple cases: +// +// Pinned domain include-subdomains.pinning.example.com includes subdomains +// - PASS: include-subdomains.pinning.example.com serves a correct cert +// - PASS: good.include-subdomains.pinning.example.com serves a correct cert +// - FAIL (strict): bad.include-subdomains.pinning.example.com serves a cert +// not in the pinset +// - PASS (mitm): bad.include-subdomains.pinning.example.com serves a cert not +// in the pinset, but issued by a user-specified trust domain +// +// Pinned domain exclude-subdomains.pinning.example.com excludes subdomains +// - PASS: exclude-subdomains.pinning.example.com serves a correct cert +// - FAIL: exclude-subdomains.pinning.example.com serves an incorrect cert +// (TODO: test using verifyCertNow) +// - PASS: sub.exclude-subdomains.pinning.example.com serves an incorrect cert + +"use strict"; + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +function add_clear_override(host) { + add_test(function() { + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.clearValidityOverride(host, 8443, {}); + run_next_test(); + }); +} + +function test_strict() { + // In strict mode, we always evaluate pinning data, regardless of whether the + // issuer is a built-in trust anchor. 
We only enforce pins that are not in + // test mode. + add_test(function() { + Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2); + run_next_test(); + }); + + // Normally this is overridable. But, since we have pinning information for + // this host, we don't allow overrides. + add_prevented_cert_override_test( + "unknownissuer.include-subdomains.pinning.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_clear_override("unknownissuer.include-subdomains.pinning.example.com"); + + // Issued by otherCA, which is not in the pinset for pinning.example.com. + add_connection_test( + "bad.include-subdomains.pinning.example.com", + MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE + ); + + // Check that using a FQDN doesn't bypass pinning. + add_connection_test( + "bad.include-subdomains.pinning.example.com.", + MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE + ); + // For some reason this is also navigable (see bug 1118522). + add_connection_test( + "bad.include-subdomains.pinning.example.com..", + MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE + ); + + // These domains serve certs that match the pinset. + add_connection_test( + "include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "good.include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "exclude-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + + // This domain serves a cert that doesn't match the pinset, but subdomains + // are excluded. + add_connection_test( + "sub.exclude-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + + // This domain's pinset is exactly the same as + // include-subdomains.pinning.example.com, serves the same cert as + // bad.include-subdomains.pinning.example.com, but it should pass because + // it's in test_mode. + add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess); + // Similarly, this pin is in test-mode, so it should be overridable. 
+ add_cert_override_test( + "unknownissuer.test-mode.pinning.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_clear_override("unknownissuer.test-mode.pinning.example.com"); +} + +function test_mitm() { + // In MITM mode, we allow pinning to pass if the chain resolves to any + // user-specified trust anchor, even if it is not in the pinset. + add_test(function() { + Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 1); + run_next_test(); + }); + + add_connection_test( + "include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "good.include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + + // Normally this is overridable. But, since we have pinning information for + // this host, we don't allow overrides (since building a trusted chain fails, + // we have no reason to believe this was issued by a user-added trust + // anchor, so we can't allow overrides for it). + add_prevented_cert_override_test( + "unknownissuer.include-subdomains.pinning.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_clear_override("unknownissuer.include-subdomains.pinning.example.com"); + + // In this case, even though otherCA is not in the pinset, it is a + // user-specified trust anchor and the pinning check succeeds. + add_connection_test( + "bad.include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + + add_connection_test( + "exclude-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "sub.exclude-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess); + add_cert_override_test( + "unknownissuer.test-mode.pinning.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_clear_override("unknownissuer.test-mode.pinning.example.com"); +} + +function test_disabled() { + // Disable pinning. 
+ add_test(function() { + Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 0); + run_next_test(); + }); + + add_connection_test( + "include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "good.include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "bad.include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "exclude-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "sub.exclude-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess); + + add_cert_override_test( + "unknownissuer.include-subdomains.pinning.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_clear_override("unknownissuer.include-subdomains.pinning.example.com"); + add_cert_override_test( + "unknownissuer.test-mode.pinning.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_clear_override("unknownissuer.test-mode.pinning.example.com"); +} + +function test_enforce_test_mode() { + // In enforce test mode, we always enforce all pins, even test pins. + add_test(function() { + Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 3); + run_next_test(); + }); + + // Normally this is overridable. But, since we have pinning information for + // this host, we don't allow overrides. + add_prevented_cert_override_test( + "unknownissuer.include-subdomains.pinning.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_clear_override("unknownissuer.include-subdomains.pinning.example.com"); + + // Issued by otherCA, which is not in the pinset for pinning.example.com. + add_connection_test( + "bad.include-subdomains.pinning.example.com", + MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE + ); + + // These domains serve certs that match the pinset. 
+ add_connection_test( + "include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "good.include-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + add_connection_test( + "exclude-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + + // This domain serves a cert that doesn't match the pinset, but subdomains + // are excluded. + add_connection_test( + "sub.exclude-subdomains.pinning.example.com", + PRErrorCodeSuccess + ); + + // This domain's pinset is exactly the same as + // include-subdomains.pinning.example.com, serves the same cert as + // bad.include-subdomains.pinning.example.com, is in test-mode, but we are + // enforcing test mode pins. + add_connection_test( + "test-mode.pinning.example.com", + MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE + ); + // Normally this is overridable. But, since we have pinning information for + // this host (and since we're enforcing test mode), we don't allow overrides. + add_prevented_cert_override_test( + "unknownissuer.test-mode.pinning.example.com", + SEC_ERROR_UNKNOWN_ISSUER + ); + add_clear_override("unknownissuer.test-mode.pinning.example.com"); +} + +function check_pinning_telemetry() { + let prod_histogram = Services.telemetry + .getHistogramById("CERT_PINNING_RESULTS") + .snapshot(); + let test_histogram = Services.telemetry + .getHistogramById("CERT_PINNING_TEST_RESULTS") + .snapshot(); + // Because all of our test domains are pinned to user-specified trust + // anchors, effectively only strict mode and enforce test-mode get evaluated + equal( + prod_histogram.values[0], + 4, + "Actual and expected prod (non-Mozilla) failure count should match" + ); + equal( + prod_histogram.values[1], + 6, + "Actual and expected prod (non-Mozilla) success count should match" + ); + equal( + test_histogram.values[0], + 2, + "Actual and expected test (non-Mozilla) failure count should match" + ); + equal( + test_histogram.values[1] || 0, + 0, + "Actual and expected test (non-Mozilla) 
success count should match" + ); + + run_next_test(); +} + +function run_test() { + // Ensure that static pinning works when HPKP is disabled. + Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", false); + + add_tls_server_setup("BadCertAndPinningServer", "bad_certs"); + + // Add a user-specified trust anchor. + addCertFromFile(certdb, "bad_certs/other-test-ca.pem", "CTu,u,u"); + + test_strict(); + test_mitm(); + test_disabled(); + test_enforce_test_mode(); + + add_test(function() { + check_pinning_telemetry(); + }); + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_pkcs11_module.js b/security/manager/ssl/tests/unit/test_pkcs11_module.js new file mode 100644 index 0000000000..abad2dbb54 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_pkcs11_module.js 
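Review bot: The expected histogram values in check_pinning_telemetry of test_pinning.js (4, 6, 2 and 0) are bare totals that depend on how many add_connection_test calls test_strict and test_enforce_test_mode make against pinned hosts, so adding or removing a case in either function breaks this check with no indication of why. A comment that breaks each total down would make it maintainable, for example `// prod failures: 3 in test_strict (bad. host plus its one- and two-trailing-dot forms) + 1 in test_enforce_test_mode`; that breakdown is my reading of the calls above and should be confirmed before it is committed. The `|| 0` guard is also applied only to `test_histogram.values[1]`, so the other three comparisons would report `undefined` rather than 0 if a bucket were never recorded; applying the guard uniformly would give clearer failure messages.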
@@ -0,0 +1,58 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the methods and attributes for interfacing with a PKCS #11 module and
+// the module database.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+const gModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+);
+
+function run_test() {
+ // Check that if we have never added the test module, that we don't find it
+ // in the module list.
+ checkPKCS11ModuleNotPresent("PKCS11 Test Module", "pkcs11testmodule");
+
+ // Check that adding the test module makes it appear in the module list.
+ let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ libraryFile.append("pkcs11testmodule");
+ libraryFile.append(ctypes.libraryName("pkcs11testmodule"));
+ loadPKCS11Module(libraryFile, "PKCS11 Test Module", true);
+ let testModule = checkPKCS11ModuleExists(
+ "PKCS11 Test Module",
+ "pkcs11testmodule"
+ );
+
+ // Check that listing the slots for the test module works.
+ let testModuleSlotNames = Array.from(
+ testModule.listSlots(),
+ slot => slot.name
+ );
+ testModuleSlotNames.sort();
+ const expectedSlotNames = [
+ "Empty PKCS11 Slot",
+ "Test PKCS11 Slot",
+ "Test PKCS11 Slot 二",
+ ];
+ deepEqual(
+ testModuleSlotNames,
+ expectedSlotNames,
+ "Actual and expected slot names should be equal"
+ );
+
+ // Check that deleting the test module makes it disappear from the module list.
+ let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ pkcs11ModuleDB.deleteModule("PKCS11 Test Module");
+ checkPKCS11ModuleNotPresent("PKCS11 Test Module", "pkcs11testmodule");
+
+ // Check miscellaneous module DB methods and attributes.
+ ok(!gModuleDB.canToggleFIPS, "It should NOT be possible to toggle FIPS");
+ ok(!gModuleDB.isFIPSEnabled, "FIPS should not be enabled");
+}
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_moduleDB.js b/security/manager/ssl/tests/unit/test_pkcs11_moduleDB.js
new file mode 100644
index 0000000000..e8cbf17abf
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_moduleDB.js
@@ -0,0 +1,46 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that adding modules with invalid names are prevented.
+
+// Ensure that the appropriate initialization has happened.
+do_get_profile();
+
+function run_test() {
+ let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ libraryFile.append("pkcs11testmodule");
+ libraryFile.append(ctypes.libraryName("pkcs11testmodule"));
+ ok(libraryFile.exists(), "The pkcs11testmodule file should exist");
+
+ let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ throws(
+ () => moduleDB.addModule("Root Certs", libraryFile.path, 0, 0),
+ /NS_ERROR_ILLEGAL_VALUE/,
+ "Adding a module named 'Root Certs' should fail."
+ );
+ throws(
+ () => moduleDB.addModule("", libraryFile.path, 0, 0),
+ /NS_ERROR_ILLEGAL_VALUE/,
+ "Adding a module with an empty name should fail."
+ );
+
+ let bundle = Services.strings.createBundle(
+ "chrome://pipnss/locale/pipnss.properties"
+ );
+ let rootsModuleName = bundle.GetStringFromName("RootCertModuleName");
+ let foundRootsModule = false;
+ for (let module of moduleDB.listModules()) {
+ if (module.name == rootsModuleName) {
+ foundRootsModule = true;
+ break;
+ }
+ }
+ ok(
+ foundRootsModule,
+ "Should be able to find builtin roots module by localized name."
+ );
+}
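Review bot: In test_pkcs11_module.js, run_test fetches the `@mozilla.org/security/pkcs11moduledb;1` service a second time into `pkcs11ModuleDB` just to call deleteModule, although the file-level `gModuleDB` already holds the same service and is used a few lines later for the FIPS checks. Dropping the local and writing `gModuleDB.deleteModule("PKCS11 Test Module");` keeps a single handle and makes it obvious that the delete and the later attribute checks act on the same database.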
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js b/security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js
new file mode 100644
index 0000000000..e4e3467d79
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_safe_mode.js
@@ -0,0 +1,58 @@
+/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// In safe mode, PKCS#11 modules should not be loaded. This test tests this by
+// simulating starting in safe mode and then attempting to load a module.
+
+function run_test() {
+ do_get_profile();
+
+ // Simulate starting in safe mode.
+ let xulRuntime = {
+ inSafeMode: true,
+ logConsoleErrors: true,
+ OS: "XPCShell",
+ XPCOMABI: "noarch-spidermonkey",
+ invalidateCachesOnRestart: function invalidateCachesOnRestart() {
+ // Do nothing
+ },
+ QueryInterface: ChromeUtils.generateQI(["nsIXULRuntime"]),
+ };
+
+ let xulRuntimeFactory = {
+ createInstance(iid) {
+ return xulRuntime.QueryInterface(iid);
+ },
+ };
+
+ let registrar = Components.manager.QueryInterface(Ci.nsIComponentRegistrar);
+ const XULRUNTIME_CONTRACTID = "@mozilla.org/xre/runtime;1";
+ const XULRUNTIME_CID = Components.ID(
+ "{f0f0b230-5525-4127-98dc-7bca39059e70}"
+ );
+ registrar.registerFactory(
+ XULRUNTIME_CID,
+ "XULRuntime",
+ XULRUNTIME_CONTRACTID,
+ xulRuntimeFactory
+ );
+
+ // When starting in safe mode, the test module should fail to load.
+ let pkcs11ModuleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService(
+ Ci.nsIPKCS11ModuleDB
+ );
+ let libraryName = ctypes.libraryName("pkcs11testmodule");
+ let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ libraryFile.append("pkcs11testmodule");
+ libraryFile.append(libraryName);
+ ok(libraryFile.exists(), "The pkcs11testmodule file should exist");
+ throws(
+ () =>
+ pkcs11ModuleDB.addModule("PKCS11 Test Module", libraryFile.path, 0, 0),
+ /NS_ERROR_FAILURE/,
+ "addModule should throw when in safe mode"
+ );
+}
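Review bot: The only assertion in this test is that addModule throws NS_ERROR_FAILURE, which is a generic code, so the test would presumably also pass if loading failed for a reason unrelated to safe mode. Following the `throws(...)` with `checkPKCS11ModuleNotPresent("PKCS11 Test Module", "pkcs11testmodule");`, the helper the sibling module test calls, would at least confirm that nothing was registered in the module list. The mock nsIXULRuntime factory installed with `registrar.registerFactory(...)` is also never removed; a `registerCleanupFunction` that unregisters it would keep the mocked `inSafeMode: true` from outliving the test.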
diff --git a/security/manager/ssl/tests/unit/test_pkcs11_slot.js b/security/manager/ssl/tests/unit/test_pkcs11_slot.js
new file mode 100644
index 0000000000..dba2a4d3a1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_pkcs11_slot.js
@@ -0,0 +1,161 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests the methods and attributes for interfacing with a PKCS #11 slot. + +// Ensure that the appropriate initialization has happened. +do_get_profile(); + +function find_slot_by_name(module, name) { + for (let slot of module.listSlots()) { + if (slot.name == name) { + return slot; + } + } + return null; +} + +function find_module_by_name(moduleDB, name) { + for (let slot of moduleDB.listModules()) { + if (slot.name == name) { + return slot; + } + } + return null; +} + +var gPrompt = { + QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]), + + // This intentionally does not use arrow function syntax to avoid an issue + // where in the context of the arrow function, |this != gPrompt| due to + // how objects get wrapped when going across xpcom boundaries. + alert(title, text) { + equal( + text, + "Please authenticate to the token “Test PKCS11 Tokeñ 2 Labelâ€. " + + "How to do so depends on the token (for example, using a fingerprint " + + "reader or entering a code with a keypad)." 
+ ); + }, +}; + +const gPromptFactory = { + QueryInterface: ChromeUtils.generateQI(["nsIPromptFactory"]), + getPrompt: (aWindow, aIID) => gPrompt, +}; + +function run_test() { + MockRegistrar.register("@mozilla.org/prompter;1", gPromptFactory); + + let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile); + libraryFile.append("pkcs11testmodule"); + libraryFile.append(ctypes.libraryName("pkcs11testmodule")); + loadPKCS11Module(libraryFile, "PKCS11 Test Module", false); + + let moduleDB = Cc["@mozilla.org/security/pkcs11moduledb;1"].getService( + Ci.nsIPKCS11ModuleDB + ); + let testModule = find_module_by_name(moduleDB, "PKCS11 Test Module"); + notEqual(testModule, null, "should be able to find test module"); + let testSlot = find_slot_by_name(testModule, "Test PKCS11 Slot 二"); + notEqual(testSlot, null, "should be able to find 'Test PKCS11 Slot 二'"); + + equal( + testSlot.name, + "Test PKCS11 Slot 二", + "Actual and expected name should match" + ); + equal( + testSlot.desc, + "Test PKCS11 Slot 二", + "Actual and expected description should match" + ); + equal( + testSlot.manID, + "Test PKCS11 Manufacturer ID", + "Actual and expected manufacturer ID should match" + ); + equal( + testSlot.HWVersion, + "0.0", + "Actual and expected hardware version should match" + ); + equal( + testSlot.FWVersion, + "0.0", + "Actual and expected firmware version should match" + ); + equal( + testSlot.status, + Ci.nsIPKCS11Slot.SLOT_NOT_LOGGED_IN, + "Actual and expected status should match" + ); + equal( + testSlot.tokenName, + "Test PKCS11 Tokeñ 2 Label", + "Actual and expected token name should match" + ); + + let testToken = testSlot.getToken(); + notEqual(testToken, null, "getToken() should succeed"); + equal( + testToken.tokenName, + "Test PKCS11 Tokeñ 2 Label", + "Spot check: the actual and expected test token names should be equal" + ); + ok(!testToken.isInternalKeyToken, "This token is not the internal key token"); + + testToken.login(true); + ok(testToken.isLoggedIn(), 
"Should have 'logged in' successfully"); + + testSlot = find_slot_by_name(testModule, "Empty PKCS11 Slot"); + notEqual(testSlot, null, "should be able to find 'Empty PKCS11 Slot'"); + equal(testSlot.tokenName, null, "Empty slot is empty"); + equal( + testSlot.status, + Ci.nsIPKCS11Slot.SLOT_NOT_PRESENT, + "Actual and expected status should match" + ); + + let bundle = Services.strings.createBundle( + "chrome://pipnss/locale/pipnss.properties" + ); + let internalModule = find_module_by_name( + moduleDB, + "NSS Internal PKCS #11 Module" + ); + notEqual(internalModule, null, "should be able to find internal module"); + let cryptoSlot = find_slot_by_name( + internalModule, + bundle.GetStringFromName("TokenDescription") + ); + notEqual(cryptoSlot, "should be able to find internal crypto slot"); + equal( + cryptoSlot.desc, + bundle.GetStringFromName("SlotDescription"), + "crypto slot should have expected 'desc'" + ); + equal( + cryptoSlot.manID, + bundle.GetStringFromName("ManufacturerID"), + "crypto slot should have expected 'manID'" + ); + let keySlot = find_slot_by_name( + internalModule, + bundle.GetStringFromName("PrivateTokenDescription") + ); + notEqual(keySlot, "should be able to find internal key slot"); + equal( + keySlot.desc, + bundle.GetStringFromName("PrivateSlotDescription"), + "key slot should have expected 'desc'" + ); + equal( + keySlot.manID, + bundle.GetStringFromName("ManufacturerID"), + "key slot should have expected 'manID'" + ); +} diff --git a/security/manager/ssl/tests/unit/test_pkcs11_token.js b/security/manager/ssl/tests/unit/test_pkcs11_token.js new file mode 100644 index 0000000000..575fc26b88 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_pkcs11_token.js 
@@ -0,0 +1,149 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests the methods and attributes for interfacing with a PKCS #11 token, using +// the internal key token. +// We don't use either of the test tokens in the test PKCS #11 module because: +// 1. Test token 1 cyclically inserts and removes itself in a tight loop. +// Using token 1 would complicate the test and introduce intermittent +// failures. +// 2. Neither test token implements login or password related functionality. +// We want to test such functionality. +// 3. Using the internal token lets us actually test the internal token works +// as expected. + +// Ensure that the appropriate initialization has happened. +do_get_profile(); + +function checkBasicAttributes(token) { + let bundle = Services.strings.createBundle( + "chrome://pipnss/locale/pipnss.properties" + ); + + let expectedTokenName = bundle.GetStringFromName("PrivateTokenDescription"); + equal( + token.tokenName, + expectedTokenName, + "Actual and expected name should match" + ); + equal( + token.tokenManID, + bundle.GetStringFromName("ManufacturerID"), + "Actual and expected manufacturer ID should match" + ); + equal( + token.tokenHWVersion, + "0.0", + "Actual and expected hardware version should match" + ); + equal( + token.tokenFWVersion, + "0.0", + "Actual and expected firmware version should match" + ); + equal( + token.tokenSerialNumber, + "0000000000000000", + "Actual and expected serial number should match" + ); +} + +/** + * Checks the various password related features of the given token. + * The token should already have been init with a password and be logged into. + * The password of the token will be reset after calling this function. + * + * @param {nsIPK11Token} token + * The token to test. + * @param {string} initialPW + * The password that the token should have been init with. 
+ */ +function checkPasswordFeaturesAndResetPassword(token, initialPW) { + ok( + !token.needsUserInit, + "Token should not need user init after setting a password" + ); + ok( + token.hasPassword, + "Token should have a password after setting a password" + ); + + ok( + token.checkPassword(initialPW), + "checkPassword() should succeed if the correct initial password is given" + ); + token.changePassword(initialPW, "newPW ÿ 一二三"); + ok( + token.checkPassword("newPW ÿ 一二三"), + "checkPassword() should succeed if the correct new password is given" + ); + + ok( + !token.checkPassword("wrongPW"), + "checkPassword() should fail if an incorrect password is given" + ); + ok( + !token.isLoggedIn(), + "Token should be logged out after an incorrect password was given" + ); + ok( + !token.needsUserInit, + "Token should still be init with a password even if an incorrect " + + "password was given" + ); + + token.reset(); + ok(token.needsUserInit, "Token should need password init after reset"); + ok(!token.hasPassword, "Token should not have a password after reset"); + ok(!token.isLoggedIn(), "Token should be logged out of after reset"); +} + +function run_test() { + let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService( + Ci.nsIPK11TokenDB + ); + let token = tokenDB.getInternalKeyToken(); + notEqual(token, null, "The internal token should be present"); + ok( + token.isInternalKeyToken, + "The internal token should be represented as such" + ); + + checkBasicAttributes(token); + + ok(!token.isLoggedIn(), "Token should not be logged into yet"); + // Test that attempting to log out even when the token was not logged into + // does not result in an error. + token.logoutSimple(); + ok(!token.isLoggedIn(), "Token should still not be logged into"); + ok( + !token.hasPassword, + "Token should not have a password before it has been set" + ); + + let initialPW = "foo 1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/? 
一二三"; + token.initPassword(initialPW); + token.login(/* force */ false); + ok(token.isLoggedIn(), "Token should now be logged into"); + + checkPasswordFeaturesAndResetPassword(token, initialPW); + + // We reset the password previously, so we need to initialize again. + token.initPassword("arbitrary"); + ok( + token.isLoggedIn(), + "Token should be logged into after initializing password again" + ); + token.logoutSimple(); + ok( + !token.isLoggedIn(), + "Token should be logged out after calling logoutSimple()" + ); + + ok( + token.needsLogin(), + "The internal token should always need authentication" + ); +} diff --git a/security/manager/ssl/tests/unit/test_pkcs11_tokenDB.js b/security/manager/ssl/tests/unit/test_pkcs11_tokenDB.js new file mode 100644 index 0000000000..127c533439 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_pkcs11_tokenDB.js @@ -0,0 +1,20 @@ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests the methods for interfacing with the PKCS #11 token database. + +// Ensure that the appropriate initialization has happened. +do_get_profile(); + +function run_test() { + let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService( + Ci.nsIPK11TokenDB + ); + + notEqual( + tokenDB.getInternalKeyToken(), + null, + "The internal token should be non-null" + ); +} diff --git a/security/manager/ssl/tests/unit/test_sanctions/apple-ist-ca-8-g1-intermediate.pem b/security/manager/ssl/tests/unit/test_sanctions/apple-ist-ca-8-g1-intermediate.pem new file mode 100644 index 0000000000..8401bd3e87 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/apple-ist-ca-8-g1-intermediate.pem 
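Review bot: checkPasswordFeaturesAndResetPassword in test_pkcs11_token.js exercises `token.changePassword` only with the correct old password, so nothing here checks that a change is refused when the old password is wrong. A case placed after the existing changePassword call, along the lines of `throws(() => token.changePassword("wrongPW", "other"), /NS_ERROR_/, "changePassword() should fail with an incorrect old password");` followed by `ok(token.checkPassword("newPW ÿ 一二三"), ...)`, would cover it. Whether the call throws or fails some other way is not visible in this diff and needs confirming against the interface first. The new-password literal is also repeated, and a local constant would keep the two uses in step.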
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQDCCAsegAwIBAgIQDGdiB3elq8S6U12Nrc+a1zAKBggqhkjOPQQDAzBhMQsw +CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cu +ZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBHMzAe +Fw0xODEyMjExMjAwMDBaFw0zMTA2MDgxMjAwMDBaMGIxHDAaBgNVBAMME0FwcGxl +IElTVCBDQSA4IC0gRzExIDAeBgNVBAsMF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5 +MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABC1UjmiwEBPv9C3b2AmyQ+idZZluNLjUl8mOydaoIjcyyHFg +7rDx8sVk9rpHX/zmB3gyLfbKgCDJ/XD4cpMhiEWjggFeMIIBWjAdBgNVHQ4EFgQU +w8SkWAVj14MGupaN3LKPMva7t0EwHwYDVR0jBBgwFoAUs9tIpPmhxdiuNkHMEWNp +Yim8S8YwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF +BQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEF +BQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEIGA1UdHwQ7MDkwN6A1oDOG +MWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RHMy5j +cmwwWwYDVR0gBFQwUjAMBgoqhkiG92NkBQsEMAgGBmeBDAECAjA4BgpghkgBhv1s +AAIEMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMw +CgYIKoZIzj0EAwMDZwAwZAIwaMzTwP/37zR/ZM5T7OGnd9hYStUPL3QlqDXGhNUZ +cUZM7UmDZWvBS97XS9wKCtxPAjAeetP564whYQw4g3yLIEqpXNiHCW1Pf1e+uXMa +g1fK+AQr8p7TR2320C8NorVUcfM= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/cds-apple-com.pem b/security/manager/ssl/tests/unit/test_sanctions/cds-apple-com.pem new file mode 100644 index 0000000000..5e3054e80e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/cds-apple-com.pem 
@@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE----- +MIIGnzCCBkWgAwIBAgIQVwXojWDvTZtfUY6TR9QUTDAKBggqhkjOPQQDAjBiMRww +GgYDVQQDDBNBcHBsZSBJU1QgQ0EgOCAtIEcxMSAwHgYDVQQLDBdDZXJ0aWZpY2F0 +aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMw +HhcNMTkwMzExMjEzMjQxWhcNMjEwNDA5MjEzMjQxWjB2MRYwFAYDVQQDDA1jZHMu +YXBwbGUuY29tMSUwIwYDVQQLDBxtYW5hZ2VtZW50OmlkbXMuZ3JvdXAuNjY1MDM1 +MRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMQswCQYD +VQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJHADA5vqarO+Cj0Ha6T +uh/JhKmaIVuz0z7dVZUIBgVbxNOE3FW8zJTH20k4NBAnls3IXkJEiOWtt8GZbzlS +cXijggTHMIIEwzAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFMPEpFgFY9eDBrqW +jdyyjzL2u7dBMH4GCCsGAQUFBwEBBHIwcDA0BggrBgEFBQcwAoYoaHR0cDovL2Nl +cnRzLmFwcGxlLmNvbS9hcHBsZWlzdGNhOGcxLmRlcjA4BggrBgEFBQcwAYYsaHR0 +cDovL29jc3AuYXBwbGUuY29tL29jc3AwMy1hcHBsZWlzdGNhOGcxMDUwGAYDVR0R +BBEwD4INY2RzLmFwcGxlLmNvbTCB/gYDVR0gBIH2MIHzMIHwBgoqhkiG92NkBQsE +MIHhMIGkBggrBgEFBQcCAjCBlwyBlFJlbGlhbmNlIG9uIHRoaXMgY2VydGlmaWNh +dGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0YW5jZSBvZiBhbnkgYXBwbGlj +YWJsZSB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UgYW5kL29yIGNlcnRpZmlj +YXRpb24gcHJhY3RpY2Ugc3RhdGVtZW50cy4wOAYIKwYBBQUHAgIwLAwqaHR0cDov +L3d3dy5hcHBsZS5jb20vY2VydGlmaWNhdGVhdXRob3JpdHkvMB0GA1UdJQQWMBQG +CCsGAQUFBwMCBggrBgEFBQcDATA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js +LmFwcGxlLmNvbS9hcHBsZWlzdGNhOGcxLmNybDAdBgNVHQ4EFgQUtfKFXS+GsdSn +im90n/2GX/X47rgwDgYDVR0PAQH/BAQDAgOIMIICbgYKKwYBBAHWeQIEAgSCAl4E +ggJaAlgAdgC72d+8H4pxtZOUI5eqkntHOFeVCqtS6BqQlmQ2jh7RhQAAAWlutS/9 +AAAEAwBHMEUCIQC7JOfynh9ir4vZfE39sB2b7b9u6hwSo3i1A0WMCsB2kwIgHnqJ +dmGCaGHryIgFREBginRf879Km3zjdnCR4XjGTN4AdgDuS723dc5guuFCaR+r4Z5m +ow9+X7By2IMAxHuJeqj9ywAAAWlutS/9AAAEAwBHMEUCIQD+dYvPDT3PQ6T4eqqF +SSHsHU+ETeeMIhPWF1+5xxt0igIgbjEPNy+PV3wa0+dw4Umqvlp4padXYhF/zxKQ +UVSF5u0AdgBVgdTCFpA2AUrqC5tXPFPwwOQ4eHAlCBcvo6odBxPTDAAAAWlutTHE +AAAEAwBHMEUCIQCsggeANxAqJffU5L8inc3QZCQpC5f3ILhwSymugYaelQIgOKLJ +RmDt2rvI10G661L9MO0g4SHSbGZcTnkMVzUlSOUAdgBvU3asMfAxGdiZAKRRFf93 
+FRwR2QLBACkGjbIImjfZEwAAAWlutTH/AAAEAwBHMEUCIFA7S1eyu7kxhvnAmVyB +fJUi7cy2/bizaC0LLE0w35dNAiEA+aIKxhYy6VAAyGAmTiAOA/VU/pDtQp4uUIKF +azgRpscAdgBElGUusO7Or8RAB9io/ijA2uaCvtjLMbU/0zOWtbaBqAAAAWlutTA2 +AAAEAwBHMEUCIQDkm2/8xF0dSiyO/o8iwKPjEgYYhokUM03KLiSZWUSRzQIgMp5z +ryZTqIHFLgbE0y7L8CCDvgZRRyoKbnBcCaGJJ1gwCgYIKoZIzj0EAwIDSAAwRQIh +AKJgejWMoWWP42EQIPsvua2biHvRng0QcgA3+0GLzcjXAiBr2xfk0vGWinDLG3gz +m73X42sCFxyMZrLDbgyeBQNI8A== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.key b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key new file mode 100644 index 0000000000..09e044f5e0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem new file mode 100644 index 0000000000..5dc7cf4ef8 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDiTCCAnGgAwIBAgIUOYwND1zpte36abEsvdvudfnxjHgwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAiGA8yMDIxMTEyNzAwMDAwMFoYDzIwMjQw +MjA1MDAwMDAwWjAaMRgwFgYDVQQDDA9UZXN0IEVuZC1lbnRpdHkwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq0 +7PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D +/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuw +JJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyX +rZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWd +q5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjgcow +gccwgZAGA1UdEQSBiDCBhYIJbG9jYWxob3N0gg0qLmV4YW1wbGUuY29tghUqLnBp +bm5pbmcuZXhhbXBsZS5jb22CKCouaW5jbHVkZS1zdWJkb21haW5zLnBpbm5pbmcu +ZXhhbXBsZS5jb22CKCouZXhjbHVkZS1zdWJkb21haW5zLnBpbm5pbmcuZXhhbXBs +ZS5jb20wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxo +b3N0Ojg4ODgvMA0GCSqGSIb3DQEBCwUAA4IBAQBr5H7lb24bMQYGDFY5qeMDNcti +AI4rI7Nu0aMvZtDcxqHkIg/a7nr7WeQc3gCg8mUJ6xvreXxRswrudZzjjsGiTbym +qjEz7HYrbvdWh5bLtdL7aoP1KmFD722guwdXVYQ7tx65oHroH+UCU28VT/+WzsHc +5OjBqZvR928aWEXwIen9lhdk/5Rq2IrFqCTuUrNR5aiP6gJZoy4nIh3IFIxqWzsm +lOjqvzSQIuo+gLN7oduafrwetpp8ywSrDVTtp9yckIHuW8css+OZLfqbFPMSFRJo +Qee+FhxaGgDoRGk8oVGYyTJYUPIReZa5dtNPKs1JQvdqhIeUwA3GnJBTFCan +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec new file mode 100644 index 0000000000..554339ff52 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec 
@@ -0,0 +1,4 @@ +issuer:Test CA +subject:Test End-entity +extension:subjectAlternativeName:localhost,*.example.com,*.pinning.example.com,*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com +extension:authorityInformationAccess:http://localhost:8888/ diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem new file mode 100644 index 0000000000..95316b235e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDPjCCAiagAwIBAgIUN+Dcp+HeMvZhIJ3BD5af4bwrj4IwDQYJKoZIhvcNAQEL +BQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMT +HEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwIhgPMjAxNjA2MDEwMDAwMDBa +GA8yMDUwMDEwMTAwMDAwMFowKTEnMCUGA1UEAwweZWUtZnJvbS1hbGxvd2xpc3Qt +YWZ0ZXItY3V0b2ZmMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohR +qESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+Kv +WnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+ +rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPv +JxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5 +Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6 +clHEMdUDrNoYCjXtjQIDAQABozowODA2BgNVHREELzAtgitzeW1hbnRlYy1hbGxv +d2xpc3QtYWZ0ZXItY3V0b2ZmLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IB +AQB/2Pgyyje+T4uKkibYZ537NZB6OUvef4nrGtswjxKbUnHzrLK1kJd3mtyNpydK +fzW8WV1CR+nltFI5oaoOAf26FuQfaoCADmlmFlirgnm2fEH2xCokDCQHIgQxNwXr +Ok6JTHWeuaOsu+verDPjkuUATnONY+FRTBxfPh5B3OA+aBO62bAeNCAjIya1U60S +emAnleYtwhXs0Q9TLsR7O7aSYP3FgnqnWPuOkPF3wrUiE8Nrd3givz5OJW42IU63 +ijiojHtPpjAiudbzD8y1zuDcxTxiI4jEjTDS1kIqnvHd3f4bSxpgcQUPk44nu+wO +j5+as/TRu5dC+xHmWCVT10yd +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem.certspec
new file mode 100644
index 0000000000..c8a4249dfc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-after-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2
+subject:ee-from-allowlist-after-cutoff
+validity:20160601-20500101
+extension:subjectAlternativeName:symantec-allowlist-after-cutoff.example.com
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem
new file mode 100644
index 0000000000..0c8a52b8d6
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQDCCAiigAwIBAgIUVWP+EbM7hYQLOXoABvWpRwoPWJ0wDQYJKoZIhvcNAQEL +BQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMT +HEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwIhgPMjAxNDA2MDEwMDAwMDBa +GA8yMDUwMDEwMTAwMDAwMFowKjEoMCYGA1UEAwwfZWUtZnJvbS1hbGxvd2xpc3Qt +YmVmb3JlLWN1dG9mZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqI +UahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvi +r1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/x +fq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD +7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnv +uRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj ++nJRxDHVA6zaGAo17Y0CAwEAAaM7MDkwNwYDVR0RBDAwLoIsc3ltYW50ZWMtYWxs +b3dsaXN0LWJlZm9yZS1jdXRvZmYuZXhhbXBsZS5jb20wDQYJKoZIhvcNAQELBQAD +ggEBAFhn9xNv/Yp1Ua9OX7oXgbVgzxCIAm6/zDK7V4V37P5em/lI85OpbuuTO4ns +9VB2/nijkELhSkiyCjmCaxQhlUBzA/2wJeNIfaWu9Mq5MR6jWShhNXND66lTCDIQ +wGVQkBl8/3OqSD4IFI3pKAiPhCGsUnRIhGSARcrFMQpKssnN5XN1ump1YA7/u6Kv +apNbKccgKvLekO8/kUpFrpHt+uQaNS2IeVrmOnNh4GtyD3DG1ZDcZ1VgLAnzbVUg +xiUbs58mY0o1qumuzqJ0/ie5UPOjWnoXSNq6dd4jqsXcFeYXe106G6arV5BLN1Pa +gNxxfOfBcebE1OwxZpfQwNy3JxI= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem.certspec new file mode 100644 index 0000000000..51cecd1f8e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-allowlist-before-cutoff.pem.certspec @@ -0,0 +1,4 @@ +issuer:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2 +subject:ee-from-allowlist-before-cutoff +validity:20140601-20500101 +extension:subjectAlternativeName:symantec-allowlist-before-cutoff.example.com 
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem new file mode 100644 index 0000000000..65eab919b5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSzCCAjOgAwIBAgIUNWWgyC4I0/jmqdamoCRL0qhP3QQwDQYJKoZIhvcNAQEL +BQAwTzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0Fub3RoZXIgQ0EgSW5jLjEmMCQG +A1UEAxMdU29tZSBPdGhlciBDQSBUaGFuIFRoZSBPdGhlcnMwIhgPMjAxNjA2MDEw +MDAwMDBaGA8yMDUwMDEwMTAwMDAwMFowKjEoMCYGA1UEAwwfZWUtbm90LWFsbG93 +bGlzdGVkLWFmdGVyLWN1dG9mZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAab +bhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmts +Du0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhI +H6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8 +rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kX +Mbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaNAMD4wPAYDVR0RBDUwM4Ixc3ltYW50 +ZWMtbm90LWFsbG93bGlzdGVkLWFmdGVyLWN1dG9mZi5leGFtcGxlLmNvbTANBgkq +hkiG9w0BAQsFAAOCAQEARlQNYz+w2ekzdX8FKwlWoMX6Df5o4ZhXreRK9V4SuYJg +SvAucL35TuTKkBz9C5VPjAL/Qts4n5DKWaWQfsvoCJOGtTMEKd1MEL9RbMFOewI0 +tN9sV9aMNsmhNPL4PB3A7lKJb8gi/tyoN3BXjsaZBxmyi5A6Vt3lyybgMOSTdzR6 +u2XAPm+zNDrOzc2tavZEyhEKzptaJuCQrefcnAM9JTHtJhvJp30WWighJyclqmRX +bLDYaHRRuRI0jkgrrcUKolau8YKsSoIBoxP2aels8drZDH4UAC86GW2iF/tK+J65 ++JJ2Mk9erdcLoYGLxHZqQySpRaFtciSF+Uym1nmNxA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem.certspec new file mode 100644 index 0000000000..85edcf742d --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-after-cutoff.pem.certspec 
@@ -0,0 +1,4 @@ +issuer:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others +subject:ee-not-allowlisted-after-cutoff +validity:20160601-20500101 +extension:subjectAlternativeName:symantec-not-allowlisted-after-cutoff.example.com diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem new file mode 100644 index 0000000000..23d6fec107 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDTTCCAjWgAwIBAgIUaxGuzjOrA/2qScMaz5tKQTUrvAYwDQYJKoZIhvcNAQEL +BQAwTzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0Fub3RoZXIgQ0EgSW5jLjEmMCQG +A1UEAxMdU29tZSBPdGhlciBDQSBUaGFuIFRoZSBPdGhlcnMwIhgPMjAxNDA2MDEw +MDAwMDBaGA8yMDUwMDEwMTAwMDAwMFowKzEpMCcGA1UEAwwgZWUtbm90LWFsbG93 +bGlzdGVkLWJlZm9yZS1jdXRvZmYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC6iFGoRI4W1kH9braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwG +m24ahvJr4q9adWtqZHEIeqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJr +bA7tFYIP8X6taRqx0wI6iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4 +SB+oN9OIQ+8nFthVt2Zaqn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3 +/K0dJdMJ77kXDqdo4bN7LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+Z +FzG4s/5JI/pyUcQx1QOs2hgKNe2NAgMBAAGjQTA/MD0GA1UdEQQ2MDSCMnN5bWFu +dGVjLW5vdC1hbGxvd2xpc3RlZC1iZWZvcmUtY3V0b2ZmLmV4YW1wbGUuY29tMA0G +CSqGSIb3DQEBCwUAA4IBAQBCkIIEXnX/3rv0JuF0FZEpROnQw8zoa4vZjwG1NmvH ++PwnTL7FvBg9QBK0n8ZKfCMqJU98jR5+x6V9Eo2amXEYRAsxCU6kY/Xz43OxGLQz +5cbr9eDswWmt7h/LXl0tsprpgfBNaQ9512UbPMkDG4MSwLjkuTgdnM4dBsLURrAU +5lcukutuNYJ7x92/Ah7hffouB6QHyP80onxqqQTQs2j/0MvJxlUWrnKBzk+B475W +/1iMOCE3r2q6+TVp1sun9mcn7UvRHQRPvjSdjujjJ++5fqH5s4cF2Sv4lv+dEGJn +xrr/a9GA3bUE6Iq9PbAeX3l7RaP+q/znSDBtaLYZ1Xau +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem.certspec
new file mode 100644
index 0000000000..b736169a04
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-allowlisted-before-cutoff.pem.certspec
@@ -0,0 +1,4 @@
+issuer:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+subject:ee-not-allowlisted-before-cutoff
+validity:20140601-20500101
+extension:subjectAlternativeName:symantec-not-allowlisted-before-cutoff.example.com
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem
new file mode 100644
index 0000000000..70bfa802ce
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDjTCCAnWgAwIBAgIUHayrfZ5YGkWYRPXIsNuGSemGyk8wDQYJKoZIhvcNAQEL +BQAwgZQxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlv +bjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazFFMEMGA1UEAxM8U3lt +YW50ZWMgQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv +cml0eSAtIEc0MCIYDzIwMTAwMTAxMDAwMDAwWhgPMjA1MDAxMDEwMDAwMDBaMEkx +CzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpHb29nbGUgSW5jMSUwIwYDVQQDExxHb29n +bGUgSW50ZXJuZXQgQXV0aG9yaXR5IEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvBxyWo4Ngf +vbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmTqyDDSeTb +uUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5kLFXkD3S +O8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYSwHUxowyR +3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwkBCy/Fosv +5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8EBAMCAQYw +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAUMbnz3c2Evfehzm1LU+L +3UL3alL/C5jteDjrrNqkamAZF26klGAZ5AX2tW6yG4bOnmZMzqkW/NV8+ydE6HGW +oVwm+qekOyR4nSPHS5mZRdHD3uBrVJ0PR2rUyk/6oIVBYEcNHY/vuHMorQ0q2plq +Z+62i1SHuq5qxP9apKmhvmgwvna3ber9VH8DgiZLJRAuiDAXpanGZh37dm/e2ZVI +OgVctvRIb7ETcDrSbj4oOKo4WwFaZHlsN1ee0hstxDnIVXWzu5cCdqGALlw2N1av +RPUgDI0kshVojmvKFwnYptE1Ru+CYf403ZD7gt3ZvHueOTpEEKLRQp1QRELXIx/7 +XQ== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem.certspec new file mode 100644 index 0000000000..518527b741 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-allowlisted.pem.certspec 
@@ -0,0 +1,5 @@ +issuer:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4 +subject:printableString/C=US/O=Google Inc/CN=Google Internet Authority G2 +validity:20100101-20500101 +extension:keyUsage:keyCertSign,cRLSign +extension:basicConstraints:cA, diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem new file mode 100644 index 0000000000..819d8a30da --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDFzCCAf+gAwIBAgIUBy1RVPb6jMqyBSQwtlK+jZftnKIwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAwwOVW5rbm93biBJc3N1ZXIwIhgPMjAxMDAxMDEwMDAwMDBa +GA8yMDUwMDEwMTAwMDAwMFowTzELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0Fub3Ro +ZXIgQ0EgSW5jLjEmMCQGA1UEAxMdU29tZSBPdGhlciBDQSBUaGFuIFRoZSBPdGhl +cnMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braI +BjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVa +p0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB +7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4C +kC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJv +aeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgK +Ne2NAgMBAAGjHTAbMAsGA1UdDwQEAwIBBjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 +DQEBCwUAA4IBAQAs7dfRClCtgzMfYVRIciVqdjNR+jeFLmYFCDDqx5h6zve4VfxK +AEQPWNsIVdPlu+djILHHd9+RvLSHh5HqeXKppBevnux2SxwfXJQ3T+ysqGxH4tEQ +BCgXryt8v5q/DL9H2+T352NJCh7ZMkftEta3Hchtr4TSaT7udtib1uQ9JeLx97LJ +A6aI8SpfI/as1Ku1LAAV9rfhkJgMyeC0ppMfTVGj/gjgq8fL52/9Su9Id8l+SeYD +yLCXjPX0rhAjTeJyiOpAK9OPQgk7i3DRvdO/F+JCkTNE9V6PLX0J+30g+3YZND+a +R81zibhRfa6Ki5cqRflHYhAY4GCFk7mhHLsL +-----END CERTIFICATE----- 
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec
new file mode 100644
index 0000000000..fdcb287cd1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec
@@ -0,0 +1,5 @@
+issuer:Unknown Issuer
+subject:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem
new file mode 100644
index 0000000000..9057a0a0dc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDkzCCAnugAwIBAgIUSyQ/MON3PZLW/WEcsIuOIT0kUlQwDQYJKoZIhvcNAQEL +BQAwgZQxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlv +bjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazFFMEMGA1UEAxM8U3lt +YW50ZWMgQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv +cml0eSAtIEc0MCIYDzIwMTAwMTAxMDAwMDAwWhgPMjA1MDAxMDEwMDAwMDBaME8x +CzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9Bbm90aGVyIENBIEluYy4xJjAkBgNVBAMT +HVNvbWUgT3RoZXIgQ0EgVGhhbiBUaGUgT3RoZXJzMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzALBgNVHQ8E +BAMCAQYwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAfpCigqN5qPf/ +fD6N8a5taq4bsmggdNztYabFOFY8zIRNVYoVVAHd8a5FOlShKw1MTgRNEpzWcN4O +rX16HCaKCJA6mGbkoE/XVqo/shQR1P0U8N75oeWgxd10IsWpJoYYtF38GIM+HZM4 +8NZ/aM2ViKWexlpa7KhmIjCNsP4U+VFXPwLLuKbegQ6miTwdyG5Sq2PLsjQEn4Xq +/nHYyE3Nn+8H+dlyFuWn9XcJN9D9H3NqVGqAvnWWPR0Vz9Q5/iixw2Ym8NWNzlxa +RXLC9Bfg1BDSJLttopU6qGPotuQkhlm1AElcauI9FaWATsdM82tNMK3hrHnTqV28 +C/BiYIunmA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec new file mode 100644 index 0000000000..0c96819f94 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec 
@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4
+subject:printableString/C=US/O=Another CA Inc./CN=Some Other CA Than The Others
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem
new file mode 100644
index 0000000000..77f5a05963
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID2TCCAsGgAwIBAgIUd4MA0Hhfw36r5rkFHdHo5/oSbTYwDQYJKoZIhvcNAQEL +BQAwgZQxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlv +bjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazFFMEMGA1UEAxM8U3lt +YW50ZWMgQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv +cml0eSAtIEc0MCIYDzIwMTAwMTAxMDAwMDAwWhgPMjA1MDAxMDEwMDAwMDBaMIGU +MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd +BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxRTBDBgNVBAMTPFN5bWFudGVj +IENsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg +LSBHNDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1u +togGNhA9PBPZ6uQ1SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6 +pVqnRYf3HNUknAJ+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqL +KkHup3DgDw2N/WYLK7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3Zlqq +fgKQLzp7EIAGJMwcbJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3sv +Im9p47SKlWEd7ibWJZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6za +GAo17Y0CAwEAAaMdMBswCwYDVR0PBAQDAgEGMAwGA1UdEwQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAKAdvWVDbB3GxOooXgqNElLvjYwmNcWk12CvQnwxglCRytY5 +DX4UhcCJ6TW8pcezPDEdqrkf4iR+UpgDyBUbVa4m5O5MHGYy3nRHfwT/js9hh2PH +gcAmT0ivknTFlEcP4D0kp7HQr2kmlFuW64HOM+/3J7Zyvu3VNYAlqTlxgG7QyRaN +3W3jfDvc5Ol0O0vyFmhHv0k1yOqLJiOmmOOujfltl4Grbvss+wsHjmP+WOH/BYRn +ACDXdvGr9uu0Z2mymqP0Sy2ZKKrbA7dX5Q/RUr4p3EfyDuNgERx+pYXTUeQ3o9sL +ynQmBa+9aWijUN2USC69EDX9zObn7lO8WV19dQM= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec new file mode 100644 index 0000000000..f84697130c --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec 
@@ -0,0 +1,5 @@
+issuer:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4
+subject:printableString/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 1 Public Primary Certification Authority - G4
+validity:20100101-20500101
+extension:keyUsage:keyCertSign,cRLSign
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js b/security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js
new file mode 100644
index 0000000000..ce56714355
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js
@@ -0,0 +1,95 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+do_get_profile();
+
+const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+add_tls_server_setup(
+ "SanctionsTestServer",
+ "test_sanctions",
+ /* Don't try to load non-existent test-ca.pem */ false
+);
+
+addCertFromFile(certDB, "test_sanctions/symantec-test-ca.pem", "CTu,u,u");
+
+// Add the necessary intermediates. This is important because the test server,
+// though it will attempt to send along an intermediate, isn't able to reliably
+// pick between the intermediate-other-crossigned and intermediate-other.
+add_test(function() {
+ addCertFromFile(
+ certDB,
+ "test_sanctions/symantec-intermediate-allowlisted.pem",
+ ",,"
+ );
+ addCertFromFile(
+ certDB,
+ "test_sanctions/symantec-intermediate-other.pem",
+ ",,"
+ );
+ run_next_test();
+});
+
+add_connection_test(
+ "symantec-not-allowlisted-before-cutoff.example.com",
+ MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
+ null,
+ null
+);
+
+add_connection_test(
+ "symantec-not-allowlisted-after-cutoff.example.com",
+ MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
+ null,
+ null
+);
+
+// Add a cross-signed intermediate into the database, and ensure we still get
+// the expected error.
+add_test(function() {
+ addCertFromFile(
+ certDB,
+ "test_sanctions/symantec-intermediate-other-crossigned.pem",
+ ",,"
+ );
+ run_next_test();
+});
+
+add_connection_test(
+ "symantec-not-allowlisted-before-cutoff.example.com",
+ MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
+ null,
+ null
+);
+
+// Load the Apple EE cert and its intermediate, then verify
+// it at a reasonable time and make sure the allowlists work
+add_task(async function() {
+ addCertFromFile(
+ certDB,
+ "test_sanctions/apple-ist-ca-8-g1-intermediate.pem",
+ ",,"
+ );
+ let allowlistedCert = constructCertFromFile(
+ "test_sanctions/cds-apple-com.pem"
+ );
+
+ // Since we don't want to actually try to fetch OCSP for this certificate,
+ // (as an external fetch is bad in the tests), disable OCSP first.
+ Services.prefs.setIntPref("security.OCSP.enabled", 0);
+
+ // (new Date("2020-01-01")).getTime() / 1000
+ const VALIDATION_TIME = 1577836800;
+
+ await checkCertErrorGenericAtTime(
+ certDB,
+ allowlistedCert,
+ PRErrorCodeSuccess,
+ certificateUsageSSLServer,
+ VALIDATION_TIME
+ );
+});
diff --git a/security/manager/ssl/tests/unit/test_sdr.js b/security/manager/ssl/tests/unit/test_sdr.js
new file mode 100644
index 0000000000..e9e477efc5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sdr.js
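Review bot: After the cross-signed intermediate is imported, only `symantec-not-allowlisted-before-cutoff.example.com` is connected to again, so the comment's "ensure we still get the expected error" is checked for one of the two not-allowlisted hosts. An extra chain through a cross-signed intermediate is the case where a distrust policy is most likely to regress, so I would repeat the after-cutoff check too: `add_connection_test("symantec-not-allowlisted-after-cutoff.example.com", MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED, null, null);`. Separately, the final task sets `security.OCSP.enabled` to 0 and never restores it; `registerCleanupFunction(() => Services.prefs.clearUserPref("security.OCSP.enabled"));` beside the `setIntPref` call would keep that relaxation scoped to this test.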
@@ -0,0 +1,272 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests various aspects of the nsISecretDecoderRing implementation.
+
+do_get_profile();
+
+let gSetPasswordShownCount = 0;
+
+// Mock implementation of nsITokenPasswordDialogs.
+const gTokenPasswordDialogs = {
+ setPassword(ctx, tokenName) {
+ gSetPasswordShownCount++;
+ info(`setPassword() called; shown ${gSetPasswordShownCount} times`);
+ info(`tokenName: ${tokenName}`);
+ return false; // Returning false means "the user didn't cancel".
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsITokenPasswordDialogs"]),
+};
+
+let gMockPrompter = {
+ promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+ // Returning false simulates the user canceling the password prompt.
+ return false;
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+};
+
+// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt
+// to call promptPassword. We return the mock one, above.
+let gWindowWatcher = {
+ getNewPrompter: () => gMockPrompter,
+ QueryInterface: ChromeUtils.generateQI(["nsIWindowWatcher"]),
+};
+
+add_task(function setup() {
+ let windowWatcherCID = MockRegistrar.register(
+ "@mozilla.org/embedcomp/window-watcher;1",
+ gWindowWatcher
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(windowWatcherCID);
+ });
+});
+
+add_task(function testEncryptString() {
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ // Test valid inputs for encryptString() and decryptString().
+ let inputs = [
+ "",
+ " ", // First printable latin1 character (code point 32).
+ "foo",
+ "1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?",
+ "¡äöüÿ", // Misc + last printable latin1 character (code point 255).
+ "aaa 一二三", // Includes Unicode with code points outside [0, 255].
+ ];
+ for (let input of inputs) {
+ let converter = Cc[
+ "@mozilla.org/intl/scriptableunicodeconverter"
+ ].createInstance(Ci.nsIScriptableUnicodeConverter);
+ converter.charset = "UTF-8";
+
+ let convertedInput = converter.ConvertFromUnicode(input);
+ convertedInput += converter.Finish();
+
+ let encrypted = sdr.encryptString(convertedInput);
+
+ notEqual(
+ convertedInput,
+ encrypted,
+ "Encrypted input should not just be the input itself"
+ );
+
+ try {
+ atob(encrypted);
+ } catch (e) {
+ ok(false, `encryptString() should have returned Base64: ${e}`);
+ }
+
+ equal(
+ convertedInput,
+ sdr.decryptString(encrypted),
+ "decryptString(encryptString(input)) should return input"
+ );
+ }
+
+ // Test invalid inputs for decryptString().
+ throws(
+ () => sdr.decryptString("*"),
+ /NS_ERROR_ILLEGAL_VALUE/,
+ "decryptString() should throw if given non-Base64 input"
+ );
+
+ // Test calling changePassword() pops up the appropriate dialog.
+ // Note: On Android, nsITokenPasswordDialogs is apparently not implemented,
+ // which also seems to prevent us from mocking out the interface.
+ if (AppConstants.platform != "android") {
+ let tokenPasswordDialogsCID = MockRegistrar.register(
+ "@mozilla.org/nsTokenPasswordDialogs;1",
+ gTokenPasswordDialogs
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(tokenPasswordDialogsCID);
+ });
+
+ equal(
+ gSetPasswordShownCount,
+ 0,
+ "changePassword() dialog should have been shown zero times"
+ );
+ sdr.changePassword();
+ equal(
+ gSetPasswordShownCount,
+ 1,
+ "changePassword() dialog should have been shown exactly once"
+ );
+ }
+});
+
+add_task(async function testAsyncEncryptStrings() {
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ // Test valid inputs for encryptString() and decryptString().
+ let inputs = [
+ "",
+ " ", // First printable latin1 character (code point 32).
+ "foo",
+ "1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?",
+ "¡äöüÿ", // Misc + last printable latin1 character (code point 255).
+ "aaa 一二三", // Includes Unicode with code points outside [0, 255].
+ ];
+
+ let encrypteds = await sdr.asyncEncryptStrings(inputs);
+ for (let i = 0; i < inputs.length; i++) {
+ let encrypted = encrypteds[i];
+ let input = inputs[i];
+ let converter = Cc[
+ "@mozilla.org/intl/scriptableunicodeconverter"
+ ].createInstance(Ci.nsIScriptableUnicodeConverter);
+ converter.charset = "UTF-8";
+
+ let convertedInput = converter.ConvertFromUnicode(input);
+ convertedInput += converter.Finish();
+ notEqual(
+ convertedInput,
+ encrypted,
+ "Encrypted input should not just be the input itself"
+ );
+
+ try {
+ atob(encrypted);
+ } catch (e) {
+ ok(false, `encryptString() should have returned Base64: ${e}`);
+ }
+
+ equal(
+ convertedInput,
+ sdr.decryptString(encrypted),
+ "decryptString(encryptString(input)) should return input"
+ );
+ }
+});
+
+add_task(async function testAsyncDecryptStrings() {
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ // Test valid inputs for encryptString() and decryptString().
+ let testCases = [
+ "",
+ " ", // First printable latin1 character (code point 32).
+ "foo",
+ "1234567890`~!@#$%^&*()-_=+{[}]|\\:;'\",<.>/?",
+ "¡äöüÿ", // Misc + last printable latin1 character (code point 255).
+ "aaa 一二三", // Includes Unicode with code points outside [0, 255].
+ ];
+
+ let convertedTestCases = testCases.map(tc => {
+ let converter = Cc[
+ "@mozilla.org/intl/scriptableunicodeconverter"
+ ].createInstance(Ci.nsIScriptableUnicodeConverter);
+ converter.charset = "UTF-8";
+
+ let convertedInput = converter.ConvertFromUnicode(tc);
+ convertedInput += converter.Finish();
+ return convertedInput;
+ });
+
+ let encryptedStrings = convertedTestCases.map(tc => sdr.encryptString(tc));
+ let decrypteds = await sdr.asyncDecryptStrings(encryptedStrings);
+ for (let i = 0; i < encryptedStrings.length; i++) {
+ let decrypted = decrypteds[i];
+
+ equal(
+ decrypted,
+ testCases[i],
+ "decrypted string should match expected value"
+ );
+ equal(
+ sdr.decryptString(encryptedStrings[i]),
+ convertedTestCases[i],
+ "decryptString(encryptString(input)) should return the initial decrypted string value"
+ );
+ }
+});
+
+add_task(async function testAsyncDecryptInvalidStrings() {
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ // Test invalid inputs for sdr.asyncDecryptStrings
+ let testCases = [
+ "~bmV0cGxheQ==", // invalid base64 encoding
+ "bmV0cGxheQ==", // valid base64 characters but not encrypted
+ "https://www.example.com", // website address from erroneous migration
+ ];
+
+ let decrypteds = await sdr.asyncDecryptStrings(testCases);
+ equal(
+ decrypteds.length,
+ testCases.length,
+ "each testcase should still return a response"
+ );
+ for (let i = 0; i < decrypteds.length; i++) {
+ let decrypted = decrypteds[i];
+
+ equal(
+ decrypted,
+ "",
+ "decrypted string should be empty when trying to decrypt an invalid input with asyncDecryptStrings"
+ );
+
+ Assert.throws(
+ () => sdr.decryptString(testCases[i]),
+ /NS_ERROR_ILLEGAL_VALUE|NS_ERROR_FAILURE/,
+ `Check testcase would have thrown: ${testCases[i]}`
+ );
+ }
+});
+
+add_task(async function testAsyncDecryptLoggedOut() {
+ // Set a master password.
+ let token = Cc["@mozilla.org/security/pk11tokendb;1"]
+ .getService(Ci.nsIPK11TokenDB)
+ .getInternalKeyToken();
+ token.initPassword("password");
+ token.logoutSimple();
+
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ await Assert.rejects(
+ sdr.asyncDecryptStrings(["irrelevant"]),
+ /NS_ERROR_NOT_AVAILABLE/,
+ "Check error is thrown instead of returning empty strings"
+ );
+
+ token.reset();
+ token.initPassword("");
+});
diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting.js b/security/manager/ssl/tests/unit/test_sdr_preexisting.js
new file mode 100644
index 0000000000..69b5c194df
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sdr_preexisting.js
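Review bot: In `testAsyncDecryptLoggedOut` the restore steps `token.reset(); token.initPassword("");` are reached only when `Assert.rejects` passes, so a failing run would presumably leave the profile's internal key token password-protected and logged out for any cleanup or later task. I would put them in a `finally`: `try { await Assert.rejects(…); } finally { token.reset(); token.initPassword(""); }`. A smaller point: `testAsyncEncryptStrings` reuses the comment "Test valid inputs for encryptString() and decryptString()" and the message "encryptString() should have returned Base64" although it exercises `asyncEncryptStrings`, so a failure there is reported against the wrong method.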
@@ -0,0 +1,79 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that the SDR implementation is able to decrypt strings encrypted using
+// a preexisting NSS key database. Creating the database is straight-forward:
+// simply run Firefox (or xpcshell) and encrypt something using
+// nsISecretDecoderRing (e.g. by saving a password or directly using the
+// interface). The resulting key4.db file (in the profile directory) now
+// contains the private key used to encrypt the data.
+
+function run_test() {
+ const keyDBName = "key4.db";
+ let profile = do_get_profile();
+ let keyDBFile = do_get_file(`test_sdr_preexisting/${keyDBName}`);
+ keyDBFile.copyTo(profile, keyDBName);
+
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ let testcases = [
+ // a full padding block
+ {
+ ciphertext:
+ "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGeDHwVfyFqzBBAYvqMq/kDMsrARVNdC1C8d",
+ plaintext: "password",
+ },
+ // 7 bytes of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCAzLDVmYG2/BAh3IoIsMmT8dQ==",
+ plaintext: "a",
+ },
+ // 6 bytes of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPN8zlZzn8FdBAiu2acpT8UHsg==",
+ plaintext: "bb",
+ },
+ // 1 byte of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECD5px1eMKkJQBAgUPp35GlrDvQ==",
+ plaintext: "!seven!",
+ },
+ // 2 bytes of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECMh0hLtKDyUdBAixw9UZsMt+vA==",
+ plaintext: "sixsix",
+ },
+ // long plaintext requiring more than two blocks
+ {
+ ciphertext:
+ "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDATFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=",
+ plaintext: "thisismuchlongerandsotakesupmultipleblocks",
+ },
+ // this differs from the previous ciphertext by one bit and demonstrates
+ // that this implementation does not enforce message integrity
+ {
+ ciphertext:
+ "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDAbFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=",
+ plaintext: "nnLbuwLRkhlongerandsotakesupmultipleblocks",
+ },
+ ];
+
+ for (let testcase of testcases) {
+ let decrypted = sdr.decryptString(testcase.ciphertext);
+ equal(
+ decrypted,
+ testcase.plaintext,
+ "decrypted ciphertext should match expected plaintext"
+ );
+ }
+}
diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db b/security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db
new file mode 100644
index 0000000000..8f320dfdbd
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_sdr_preexisting/key4.db differ
diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js
new file mode 100644
index 0000000000..5c1b2bb653
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js
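Review bot: The comment on the last testcase of `run_test` records that a one-bit change to the ciphertext still decrypts without error, but it does not spell out the consequence for callers: a successful `decryptString()` is not evidence that the stored value is unmodified. The expected plaintext (first eight characters scrambled, one character changed in the following block) looks like ordinary CBC malleability, so I would say that in the comment. I would also mark the case as pinning existing behaviour rather than desired behaviour, e.g. `// NOTE: pins current unauthenticated behaviour; update this case if SDR gains integrity protection.`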
@@ -0,0 +1,135 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that the SDR implementation is able to decrypt strings encrypted using
+// a preexisting NSS key database that has a password.
+// To create such a database, run Firefox (or xpcshell), set a primary
+// password, and then encrypt something using nsISecretDecoderRing.
+
+var gMockPrompter = {
+ passwordToTry: "password",
+ numPrompts: 0,
+
+ // This intentionally does not use arrow function syntax to avoid an issue
+ // where in the context of the arrow function, |this != gMockPrompter| due to
+ // how objects get wrapped when going across xpcom boundaries.
+ promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+ this.numPrompts++;
+ if (this.numPrompts > 1) {
+ // don't keep retrying a bad password
+ return false;
+ }
+ equal(
+ text,
+ "Please enter your Primary Password.",
+ "password prompt text should be as expected"
+ );
+ equal(checkMsg, null, "checkMsg should be null");
+ ok(this.passwordToTry, "passwordToTry should be non-null");
+ password.value = this.passwordToTry;
+ return true;
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+};
+
+// Mock nsIWindowWatcher. PSM calls getNewPrompter on this to get an nsIPrompt
+// to call promptPassword. We return the mock one, above.
+var gWindowWatcher = {
+ getNewPrompter: () => gMockPrompter,
+ QueryInterface: ChromeUtils.generateQI(["nsIWindowWatcher"]),
+};
+
+function run_test() {
+ let windowWatcherCID = MockRegistrar.register(
+ "@mozilla.org/embedcomp/window-watcher;1",
+ gWindowWatcher
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(windowWatcherCID);
+ });
+
+ // Append a single quote and non-ASCII characters to the profile path.
+ let profd = Services.env.get("XPCSHELL_TEST_PROFILE_DIR");
+ let file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile);
+ file.initWithPath(profd);
+ file.append("'÷1");
+ Services.env.set("XPCSHELL_TEST_PROFILE_DIR", file.path);
+
+ let profile = do_get_profile(); // must be called before getting nsIX509CertDB
+ Assert.ok(
+ /[^\x20-\x7f]/.test(profile.path),
+ "the profile path should contain a non-ASCII character"
+ );
+
+ let key4DBFile = do_get_file("test_sdr_preexisting_with_password/key4.db");
+ key4DBFile.copyTo(profile, "key4.db");
+
+ let sdr = Cc["@mozilla.org/security/sdr;1"].getService(
+ Ci.nsISecretDecoderRing
+ );
+
+ let testcases = [
+ // a full padding block
+ {
+ ciphertext:
+ "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECGeDHwVfyFqzBBAYvqMq/kDMsrARVNdC1C8d",
+ plaintext: "password",
+ },
+ // 7 bytes of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCAzLDVmYG2/BAh3IoIsMmT8dQ==",
+ plaintext: "a",
+ },
+ // 6 bytes of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPN8zlZzn8FdBAiu2acpT8UHsg==",
+ plaintext: "bb",
+ },
+ // 1 byte of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECD5px1eMKkJQBAgUPp35GlrDvQ==",
+ plaintext: "!seven!",
+ },
+ // 2 bytes of padding
+ {
+ ciphertext:
+ "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECMh0hLtKDyUdBAixw9UZsMt+vA==",
+ plaintext: "sixsix",
+ },
+ // long plaintext requiring more than two blocks
+ {
+ ciphertext:
+ "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDATFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=",
+ plaintext: "thisismuchlongerandsotakesupmultipleblocks",
+ },
+ // this differs from the previous ciphertext by one bit and demonstrates
+ // that this implementation does not enforce message integrity
+ {
+ ciphertext:
+ "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDRX1qi+/FX1BDAbFIcIneQjvBuq3wdFxzllJt2VtUD69ACdOKAXH3eA87oHDvuHqOeCDwRy4UzoG5s=",
+ plaintext: "nnLbuwLRkhlongerandsotakesupmultipleblocks",
+ },
+ ];
+
+ for (let testcase of testcases) {
+ let decrypted = sdr.decryptString(testcase.ciphertext);
+ equal(
+ decrypted,
+ testcase.plaintext,
+ "decrypted ciphertext should match expected plaintext"
+ );
+ }
+ equal(
+ gMockPrompter.numPrompts,
+ 1,
+ "Should have been prompted for a password once"
+ );
+}
diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.db b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.db
new file mode 100644
index 0000000000..959718da34
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password/key4.db differ
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs.js b/security/manager/ssl/tests/unit/test_self_signed_certs.js
new file mode 100644
index 0000000000..662cd59714
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_self_signed_certs.js
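Review bot: Only the correct-password path is exercised here: `gMockPrompter.promptPassword` has a branch for `numPrompts > 1` ("don't keep retrying a bad password"), but `passwordToTry` is always `"password"`, so nothing checks what `decryptString()` does while the token stays locked. A case that runs before the successful login, with the mock supplying a wrong password, and asserts failure would pin that behaviour, something like `Assert.throws(() => sdr.decryptString(testcases[0].ciphertext), /NS_ERROR_/, "wrong password must not decrypt");`. The exact error code is not visible in this hunk, so the pattern needs confirming. Separately, `XPCSHELL_TEST_PROFILE_DIR` is overwritten in `run_test` and never restored; `registerCleanupFunction(() => Services.env.set("XPCSHELL_TEST_PROFILE_DIR", profd));` would undo it.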
@@ -0,0 +1,69 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// This test uses a specially-crafted NSS cert DB containing 12 self-signed certificates that all
+// have the same subject and issuer distinguished name. Since they all have different keys and none
+// of them are trust anchors, there are a large number of potential trust paths that could be
+// explored. If our trust domain were naive enough to allow mozilla::pkix to explore them all, it
+// would take a long time to perform (mozilla::pkix does have the concept of a path-building budget,
+// but even on a fast computer, it takes an unacceptable amount of time to exhaust). To prevent the
+// full exploration of this space, NSSCertDBTrustDomain skips searching through self-signed
+// certificates that aren't trust anchors, since those would never otherwise be essential to
+// complete a path (note that this is only true as long as the extensions we support are restrictive
+// rather than additive).
+// When we try to verify one of these certificates in this test, we should finish relatively
+// quickly, even on slow hardware.
+// Should these certificates ever need regenerating, they were produced with the following commands:
+// certutil -N -d . --empty-password
+// for num in 00 01 02 03 04 05 06 07 08 09 10 11; do
+// echo -ne "5\n6\n9\ny\ny\n\ny\n" | certutil -d . -S -s "CN=self-signed cert" -t ,, \
+// -q secp256r1 -x -k ec -z <(date +%s) -1 -2 -n cert$num; sleep 2;
+// done
+
+add_task(async function run_test_no_overlong_path_building() {
+ let profile = do_get_profile();
+ const CERT_DB_NAME = "cert9.db";
+ let srcCertDBFile = do_get_file(`test_self_signed_certs/${CERT_DB_NAME}`);
+ srcCertDBFile.copyTo(profile, CERT_DB_NAME);
+
+ let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+ );
+ let certToVerify = null;
+ for (let cert of certDB.getCerts()) {
+ if (cert.subjectName == "CN=self-signed cert") {
+ certToVerify = cert;
+ break;
+ }
+ }
+ notEqual(
+ certToVerify,
+ null,
+ "should have found one of the preloaded self-signed certs"
+ );
+ let timeBefore = Date.now();
+ // As mentioned above, mozilla::pkix limits how much it will search for a trusted path, even if a
+ // trust domain keeps providing potential issuers. So, if we only tried to verify a certificate
+ // once, this test could potentially pass on a fast computer even if we weren't properly skipping
+ // unnecessary paths. If we were to try and lower our time limit (the comparison with
+ // secondsElapsed, below), this test would intermittently fail on slow hardware. By trying to
+ // verify the certificate 10 times, we hopefully end up with a meaningful test (it should still
+ // fail on fast hardware if we don't properly skip unproductive paths) that won't intermittently
+ // time out on slow hardware.
+ for (let i = 0; i < 10; i++) {
+ let date = new Date("2019-05-15T00:00:00.000Z");
+ await checkCertErrorGenericAtTime(
+ certDB,
+ certToVerify,
+ SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLCA,
+ date.getTime() / 1000
+ );
+ }
+ let timeAfter = Date.now();
+ let secondsElapsed = (timeAfter - timeBefore) / 1000;
+ ok(secondsElapsed < 120, "verifications shouldn't take too long");
+});
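Review bot: The elapsed-time check at the end of `run_test_no_overlong_path_building` measures with `Date.now()`, which follows the wall clock, so a clock adjustment during the ten verifications can make the bound pass or fail for reasons unrelated to path building. A monotonic source is a better fit for a test that guards against a resource-exhaustion regression: `let timeBefore = Cu.now();` and `let timeAfter = Cu.now();` (both in milliseconds, so the `/ 1000` stays). I would also move the 120-second bound into a named constant with a one-line comment on how it was chosen, since the long comment explains the ten iterations but not the number.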
diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs/cert9.db b/security/manager/ssl/tests/unit/test_self_signed_certs/cert9.db
new file mode 100644
index 0000000000..5450fe82e5
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_self_signed_certs/cert9.db differ
diff --git a/security/manager/ssl/tests/unit/test_session_resumption.js b/security/manager/ssl/tests/unit/test_session_resumption.js
new file mode 100644
index 0000000000..26d30dad6a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_session_resumption.js
@@ -0,0 +1,291 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests that PSM makes the correct determination of the security status of +// loads involving session resumption (i.e. when a TLS handshake bypasses the +// AuthCertificate callback). + +do_get_profile(); +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +registerCleanupFunction(() => { + Services.prefs.clearUserPref("security.OCSP.enabled"); +}); + +Services.prefs.setIntPref("security.OCSP.enabled", 1); + +addCertFromFile(certdb, "bad_certs/evroot.pem", "CTu,,"); +addCertFromFile(certdb, "bad_certs/ev-test-intermediate.pem", ",,"); + +// For expired.example.com, the platform will make a connection that will fail. +// Using information gathered at that point, an override will be added and +// another connection will be made. This connection will succeed. At that point, +// as long as the session cache isn't cleared, subsequent new connections should +// use session resumption, thereby bypassing the AuthCertificate hook. We need +// to ensure that the correct security state is propagated to the new connection +// information object. +function add_resume_non_ev_with_override_test() { + // This adds the override and makes one successful connection. + add_cert_override_test("expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE); + + // This connects again, using session resumption. Note that we don't clear + // the TLS session cache between these operations (that would defeat the + // purpose). 
+ add_connection_test( + "expired.example.com", + PRErrorCodeSuccess, + null, + transportSecurityInfo => { + ok(transportSecurityInfo.resumed, "connection should be resumed"); + ok( + transportSecurityInfo.securityState & + Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN, + "expired.example.com should have STATE_CERT_USER_OVERRIDDEN flag" + ); + equal( + transportSecurityInfo.succeededCertChain.length, + 0, + "expired.example.com should not have succeededCertChain set" + ); + equal( + transportSecurityInfo.failedCertChain.length, + 2, + "expired.example.com should have failedCertChain set" + ); + equal( + transportSecurityInfo.overridableErrorCategory, + Ci.nsITransportSecurityInfo.ERROR_TIME, + "expired.example.com should have time overridable error category" + ); + ok( + !transportSecurityInfo.isExtendedValidation, + "expired.example.com should not have isExtendedValidation set" + ); + + let certOverrideService = Cc[ + "@mozilla.org/security/certoverride;1" + ].getService(Ci.nsICertOverrideService); + certOverrideService.clearValidityOverride( + "expired.example.com", + 8443, + {} + ); + } + ); +} + +// Helper function that adds a test that connects to ev-test.example.com and +// verifies that it validates as EV (or not, if we're running a non-debug +// build). This assumes that an appropriate OCSP responder is running or that +// good responses are cached. 
+function add_one_ev_test(resumed) { + add_connection_test( + "ev-test.example.com", + PRErrorCodeSuccess, + null, + transportSecurityInfo => { + equal( + transportSecurityInfo.resumed, + resumed, + "connection should be resumed or not resumed as expected" + ); + ok( + !( + transportSecurityInfo.securityState & + Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN + ), + "ev-test.example.com should not have STATE_CERT_USER_OVERRIDDEN flag" + ); + equal( + transportSecurityInfo.succeededCertChain.length, + 3, + "ev-test.example.com should have succeededCertChain set" + ); + equal( + transportSecurityInfo.failedCertChain.length, + 0, + "ev-test.example.com should not have failedCertChain set" + ); + equal( + transportSecurityInfo.overridableErrorCategory, + Ci.nsITransportSecurityInfo.ERROR_UNSET, + "ev-test.example.com should not have an overridable error category" + ); + ok( + !gEVExpected || transportSecurityInfo.isExtendedValidation, + "ev-test.example.com should have isExtendedValidation set " + + "(or this is a non-debug build)" + ); + } + ); +} + +// This test is similar, except with extended validation. We should connect +// successfully, and the certificate should be EV in debug builds. Without +// clearing the session cache, we should connect successfully again, this time +// with session resumption. The certificate should again be EV in debug builds. +function add_resume_ev_test() { + const SERVER_PORT = 8888; + let expectedRequestPaths = ["ev-test"]; + let responseTypes = ["good"]; + // Since we cache OCSP responses, we only ever actually serve one set. + let ocspResponder; + // If we don't wrap this in an `add_test`, the OCSP responder will be running + // while we are actually running unrelated testcases, which can disrupt them. 
+ add_test(() => { + ocspResponder = startOCSPResponder( + SERVER_PORT, + "localhost", + "bad_certs", + expectedRequestPaths, + expectedRequestPaths.slice(), + null, + responseTypes + ); + run_next_test(); + }); + // We should be able to connect and verify the certificate as EV (in debug + // builds). + add_one_ev_test(false); + // We should be able to connect again (using session resumption). In debug + // builds, the certificate should be noted as EV. Again, it's important that + // nothing clears the TLS cache in between these two operations. + add_one_ev_test(true); + + add_test(() => { + ocspResponder.stop(run_next_test); + }); +} + +const GOOD_DOMAIN = "good.include-subdomains.pinning.example.com"; + +// Helper function that adds a test that connects to a domain that should +// succeed (but isn't EV) and verifies that its succeededCertChain gets set +// appropriately. +function add_one_non_ev_test() { + add_connection_test( + GOOD_DOMAIN, + PRErrorCodeSuccess, + null, + transportSecurityInfo => { + ok( + !( + transportSecurityInfo.securityState & + Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN + ), + `${GOOD_DOMAIN} should not have STATE_CERT_USER_OVERRIDDEN flag` + ); + ok( + transportSecurityInfo.succeededCertChain, + `${GOOD_DOMAIN} should have succeededCertChain set` + ); + equal( + transportSecurityInfo.overridableErrorCategory, + 0, + `${GOOD_DOMAIN} should not have an overridable error category set` + ); + ok( + !transportSecurityInfo.isExtendedValidation, + `${GOOD_DOMAIN} should not have isExtendedValidation set` + ); + } + ); +} + +// This test is similar, except with non-extended validation. We should connect +// successfully, and the certificate should not be EV. Without clearing the +// session cache, we should connect successfully again, this time with session +// resumption. In this case, though, we want to ensure the succeededCertChain is +// set. 
+function add_resume_non_ev_test() { + add_one_non_ev_test(); + add_one_non_ev_test(); +} + +const statsPtr = getSSLStatistics(); +const toInt32 = ctypes.Int64.lo; + +// Connect to the same domain with two origin attributes and check if any ssl +// session is resumed. +function add_origin_attributes_test( + originAttributes1, + originAttributes2, + resumeExpected +) { + add_connection_test( + GOOD_DOMAIN, + PRErrorCodeSuccess, + clearSessionCache, + null, + null, + originAttributes1 + ); + + let hitsBeforeConnect; + let missesBeforeConnect; + let expectedHits = resumeExpected ? 1 : 0; + let expectedMisses = 1 - expectedHits; + + add_connection_test( + GOOD_DOMAIN, + PRErrorCodeSuccess, + function() { + // Add the hits and misses before connection. + let stats = statsPtr.contents; + hitsBeforeConnect = toInt32(stats.sch_sid_cache_hits); + missesBeforeConnect = toInt32(stats.sch_sid_cache_misses); + }, + function() { + let stats = statsPtr.contents; + equal( + toInt32(stats.sch_sid_cache_hits), + hitsBeforeConnect + expectedHits, + "Unexpected cache hits" + ); + equal( + toInt32(stats.sch_sid_cache_misses), + missesBeforeConnect + expectedMisses, + "Unexpected cache misses" + ); + }, + null, + originAttributes2 + ); +} + +function add_resumption_tests() { + add_resume_ev_test(); + add_resume_non_ev_test(); + add_resume_non_ev_with_override_test(); + add_origin_attributes_test({}, {}, true); + add_origin_attributes_test({ userContextId: 1 }, { userContextId: 2 }, false); + add_origin_attributes_test({ userContextId: 3 }, { userContextId: 3 }, true); + add_origin_attributes_test( + { firstPartyDomain: "foo.com" }, + { firstPartyDomain: "bar.com" }, + false + ); + add_origin_attributes_test( + { firstPartyDomain: "baz.com" }, + { firstPartyDomain: "baz.com" }, + true + ); +} + +function run_test() { + add_tls_server_setup("BadCertAndPinningServer", "bad_certs"); + add_resumption_tests(); + // Enable external session cache and reset the status. 
+ add_test(function() { + Services.prefs.setBoolPref("network.ssl_tokens_cache_enabled", true); + certdb.clearOCSPCache(); + run_next_test(); + }); + // Do tests again. + add_resumption_tests(); + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_signed_apps.js b/security/manager/ssl/tests/unit/test_signed_apps.js new file mode 100644 index 0000000000..f97edf350e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps.js 
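Review bot: In `add_one_non_ev_test`, `ok(transportSecurityInfo.succeededCertChain, ...)` only checks truthiness, so if the property is array-like (as the `.length` checks in `add_one_ev_test` suggest) an empty chain would still pass. The helper also never looks at `transportSecurityInfo.resumed`, so `add_resume_non_ev_test` does not confirm that its second connection was actually resumed. Since this file exists to verify the security state reported for resumed handshakes, I would assert on the length, e.g. `ok(transportSecurityInfo.succeededCertChain.length > 0, ...)`, and give the helper a `resumed` parameter checked with `equal(transportSecurityInfo.resumed, resumed, ...)` as `add_one_ev_test` does. Separately, `run_test` sets `network.ssl_tokens_cache_enabled` while the cleanup function only clears `security.OCSP.enabled`; adding `Services.prefs.clearUserPref("network.ssl_tokens_cache_enabled");` there would restore it.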
@@ -0,0 +1,1038 @@ +"use strict"; + +// Tests the API nsIX509CertDB.openSignedAppFileAsync, which backs add-on +// signature verification. Testcases include various ways of tampering with +// add-ons as well as different hash algorithms used in the various +// signature/metadata files. + +// from prio.h +const PR_RDWR = 0x04; +const PR_CREATE_FILE = 0x08; +const PR_TRUNCATE = 0x20; +const PR_USEC_PER_MSEC = 1000; + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +// Creates a new app package based in the inFilePath package, with a set of +// modifications (including possibly deletions) applied to the existing entries, +// and/or a set of new entries to be included. +function tamper(inFilePath, outFilePath, modifications, newEntries) { + let writer = Cc["@mozilla.org/zipwriter;1"].createInstance(Ci.nsIZipWriter); + writer.open(outFilePath, PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE); + try { + let reader = Cc["@mozilla.org/libjar/zip-reader;1"].createInstance( + Ci.nsIZipReader + ); + reader.open(inFilePath); + try { + for (let entryName of reader.findEntries("")) { + let inEntry = reader.getEntry(entryName); + let entryInput = reader.getInputStream(entryName); + try { + let f = modifications[entryName]; + let outEntry, outEntryInput; + if (f) { + [outEntry, outEntryInput] = f(inEntry, entryInput); + delete modifications[entryName]; + } else { + [outEntry, outEntryInput] = [inEntry, entryInput]; + } + // if f does not want the input entry to be copied to the output entry + // at all (i.e. it wants it to be deleted), it will return null. 
+ if (outEntryInput) { + try { + writer.addEntryStream( + entryName, + outEntry.lastModifiedTime, + outEntry.compression, + outEntryInput, + false + ); + } finally { + if (entryInput != outEntryInput) { + outEntryInput.close(); + } + } + } + } finally { + entryInput.close(); + } + } + } finally { + reader.close(); + } + + // Any leftover modification means that we were expecting to modify an entry + // in the input file that wasn't there. + for (let name in modifications) { + if (modifications.hasOwnProperty(name)) { + throw new Error("input file was missing expected entries: " + name); + } + } + + // Now, append any new entries to the end + newEntries.forEach(function(newEntry) { + let sis = Cc["@mozilla.org/io/string-input-stream;1"].createInstance( + Ci.nsIStringInputStream + ); + try { + sis.setData(newEntry.content, newEntry.content.length); + writer.addEntryStream( + newEntry.name, + new Date() * PR_USEC_PER_MSEC, + Ci.nsIZipWriter.COMPRESSION_BEST, + sis, + false + ); + } finally { + sis.close(); + } + }); + } finally { + writer.close(); + } +} + +function removeEntry(entry, entryInput) { + return [null, null]; +} + +function truncateEntry(entry, entryInput) { + if (entryInput.available() == 0) { + throw new Error( + "Truncating already-zero length entry will result in " + + "identical entry." 
+ ); + } + + let content = Cc["@mozilla.org/io/string-input-stream;1"].createInstance( + Ci.nsIStringInputStream + ); + content.data = ""; + + return [entry, content]; +} + +function check_open_result(name, expectedRv) { + return function openSignedAppFileCallback(rv, aZipReader, aSignerCert) { + info("openSignedAppFileCallback called for " + name); + equal(rv, expectedRv, "Actual and expected return value should match"); + equal( + aZipReader != null, + Components.isSuccessCode(expectedRv), + "ZIP reader should be null only if the return value denotes failure" + ); + equal( + aSignerCert != null, + Components.isSuccessCode(expectedRv), + "Signer cert should be null only if the return value denotes failure" + ); + run_next_test(); + }; +} + +function original_app_path(test_name) { + return do_get_file("test_signed_apps/" + test_name + ".zip", false); +} + +function tampered_app_path(test_name) { + return new FileUtils.File( + PathUtils.join( + Services.dirsvc.get("TmpD", Ci.nsIFile).path, + `test_signed_app-${test_name}.zip` + ) + ); +} + +var hashTestcases = [ + // SHA-256 in PKCS#7 + SHA-256 present elsewhere => OK + { name: "app_mf-1-256_sf-1-256_p7-1-256", expectedResult: Cr.NS_OK }, + { name: "app_mf-1-256_sf-1-256_p7-256", expectedResult: Cr.NS_OK }, + { name: "app_mf-1-256_sf-256_p7-1-256", expectedResult: Cr.NS_OK }, + { name: "app_mf-1-256_sf-256_p7-256", expectedResult: Cr.NS_OK }, + { name: "app_mf-256_sf-1-256_p7-1-256", expectedResult: Cr.NS_OK }, + { name: "app_mf-256_sf-1-256_p7-256", expectedResult: Cr.NS_OK }, + { name: "app_mf-256_sf-256_p7-1-256", expectedResult: Cr.NS_OK }, + { name: "app_mf-256_sf-256_p7-256", expectedResult: Cr.NS_OK }, + + // SHA-1 in PKCS#7 + SHA-1 present elsewhere => OK + { name: "app_mf-1-256_sf-1-256_p7-1", expectedResult: Cr.NS_OK }, + { name: "app_mf-1-256_sf-1_p7-1", expectedResult: Cr.NS_OK }, + { name: "app_mf-1_sf-1-256_p7-1", expectedResult: Cr.NS_OK }, + { name: "app_mf-1_sf-1_p7-1", expectedResult: Cr.NS_OK }, + 
+ // SHA-256 in PKCS#7 + SHA-256 not present elsewhere => INVALID + { + name: "app_mf-1-256_sf-1_p7-1-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-1-256_sf-1_p7-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-1_sf-1-256_p7-1-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-1_sf-1-256_p7-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-1_sf-1_p7-1-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-1_sf-1_p7-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-1_sf-256_p7-1-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-1_sf-256_p7-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-256_sf-1_p7-1-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-256_sf-1_p7-256", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + + // SHA-1 in PKCS#7 + SHA-1 not present elsewhere => INVALID + { + name: "app_mf-1-256_sf-256_p7-1", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-1_sf-256_p7-1", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-256_sf-1-256_p7-1", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-256_sf-1_p7-1", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, + { + name: "app_mf-256_sf-256_p7-1", + expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + }, +]; + +// Policy values for the preference "security.signed_app_signatures.policy" +const PKCS7WithSHA1OrSHA256 = 0b0; +const PKCS7WithSHA256 = 0b1; +const COSEAndPKCS7WithSHA1OrSHA256 = 0b10; +const COSEAndPKCS7WithSHA256 = 0b11; +const COSERequiredAndPKCS7WithSHA1OrSHA256 = 0b100; +const COSERequiredAndPKCS7WithSHA256 = 
0b101;
+const COSEOnly = 0b110;
+const COSEOnlyAgain = 0b111;
+
+function add_signature_test(policy, test) {
+ // First queue up a test to set the desired policy:
+ add_test(function() {
+ Services.prefs.setIntPref("security.signed_app_signatures.policy", policy);
+ run_next_test();
+ });
+ // Then queue up the test itself:
+ add_test(test);
+}
+
+for (let testcase of hashTestcases) {
+ add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path(testcase.name),
+ check_open_result(testcase.name, testcase.expectedResult)
+ );
+ });
+}
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("empty_signerInfos"),
+ check_open_result(
+ "the signerInfos in the PKCS#7 signature is empty",
+ Cr.NS_ERROR_CMS_VERIFY_NOT_SIGNED
+ )
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("unsigned_app"),
+ check_open_result("unsigned", Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("unknown_issuer_app"),
+ check_open_result(
+ "unknown_issuer",
+ getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)
+ )
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_signed_with_pkcs7"),
+ check_open_result("cose_signed_with_pkcs7", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-256_sf-256_p7-256"),
+ check_open_result("no COSE but correct PK#7", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-1_sf-256_p7-256"),
+ check_open_result(
+ "no COSE and wrong PK#7 hash",
+ Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+ )
+ );
+});
+
+add_signature_test(COSERequiredAndPKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-256_sf-256_p7-256"),
+ check_open_result(
+ "COSE signature missing (SHA1 or 256)",
+ Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+ )
+ );
+});
+
+add_signature_test(COSERequiredAndPKCS7WithSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-256_sf-256_p7-256"),
+ check_open_result(
+ "COSE signature missing (SHA256)",
+ Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+ )
+ );
+});
+
+add_signature_test(COSERequiredAndPKCS7WithSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("only_cose_signed"),
+ check_open_result(
+ "COSE signature only (PK#7 allowed, not present)",
+ Cr.NS_OK
+ )
+ );
+});
+
+add_signature_test(COSERequiredAndPKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("only_cose_signed"),
+ check_open_result(
+ "COSE signature only (PK#7 allowed, not present)",
+ Cr.NS_OK
+ )
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_multiple_signed_with_pkcs7"),
+ check_open_result("cose_multiple_signed_with_pkcs7", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_int_signed_with_pkcs7"),
+ check_open_result("COSE signed with an intermediate", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("only_cose_signed"),
+ check_open_result(
+ "PK7 signature missing",
+ Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_multiple_signed_with_pkcs7"),
+ check_open_result(
+ "Expected only COSE signature",
+ Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("only_cose_multiple_signed"),
+ check_open_result("only Multiple COSE signatures", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEOnly, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("only_cose_signed"),
+ check_open_result("only_cose_signed", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEOnlyAgain, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("only_cose_signed"),
+ check_open_result("only_cose_signed (again)", Cr.NS_OK)
+ );
+});
+
+add_signature_test(COSEOnly, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_signed_with_pkcs7"),
+ check_open_result(
+ "COSE only expected but also PK#7 signed",
+ Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY
+ )
+ );
+});
+
+// Sanity check to ensure a no-op tampering gives a valid result
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("identity_tampering");
+ tamper(original_app_path("app_mf-1_sf-1_p7-1"), tampered, {}, []);
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ check_open_result("identity_tampering", Cr.NS_OK)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("missing_rsa");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "META-INF/A.RSA": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("missing_rsa", Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("missing_sf");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "META-INF/A.SF": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("missing_sf", Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("missing_manifest_mf");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "META-INF/MANIFEST.MF": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "missing_manifest_mf",
+ Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+ )
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("missing_entry");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "manifest.json": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("missing_entry", Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("truncated_entry");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "manifest.json": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("truncated_entry", Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("truncated_manifestFile");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "META-INF/MANIFEST.MF": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "truncated_manifestFile",
+ Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+ )
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("truncated_signatureFile");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "META-INF/A.SF": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "truncated_signatureFile",
+ getXPCOMStatusFromNSS(SEC_ERROR_PKCS7_BAD_SIGNATURE)
+ )
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("truncated_pkcs7File");
+ tamper(
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ tampered,
+ { "META-INF/A.RSA": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("truncated_pkcs7File", Cr.NS_ERROR_CMS_VERIFY_NOT_SIGNED)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("unsigned_entry");
+ tamper(original_app_path("app_mf-1_sf-1_p7-1"), tampered, {}, [
+ { name: "unsigned.txt", content: "unsigned content!" },
+ ]);
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("unsigned_entry", Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY)
+ );
+});
+
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ let tampered = tampered_app_path("unsigned_metainf_entry");
+ tamper(original_app_path("app_mf-1_sf-1_p7-1"), tampered, {}, [
+ { name: "META-INF/unsigned.txt", content: "unsigned content!" },
+ ]);
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "unsigned_metainf_entry",
+ Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY
+ )
+ );
+});
+
+add_signature_test(PKCS7WithSHA256, function testSHA1Disabled() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-1_sf-1_p7-1"),
+ check_open_result(
+ "SHA-1 should not be accepted if disabled by policy",
+ Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+ )
+ );
+});
+
+add_signature_test(PKCS7WithSHA256, function testSHA256WorksWithSHA1Disabled() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-256_sf-256_p7-256"),
+ check_open_result(
+ "SHA-256 should work if SHA-1 is disabled by policy",
+ Cr.NS_OK
+ )
+ );
+});
+
+add_signature_test(
+ PKCS7WithSHA256,
+ function testMultipleSignaturesWorkWithSHA1Disabled() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("app_mf-1-256_sf-1-256_p7-1-256"),
+ check_open_result(
+ "Multiple signatures should work if SHA-1 is " +
+ "disabled by policy (if SHA-256 signature verifies)",
+ Cr.NS_OK
+ )
+ );
+ }
+);
+
+var cosePolicies = [
+ COSEAndPKCS7WithSHA1OrSHA256,
+ COSERequiredAndPKCS7WithSHA1OrSHA256,
+];
+
+// PS256 is not yet supported.
+var coseTestcasesStage = [
+ {
+ name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384",
+ expectedResult: Cr.NS_OK,
+ root: Ci.nsIX509CertDB.AddonsStageRoot,
+ },
+ {
+ name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ root: Ci.nsIX509CertDB.AddonsStageRoot,
+ },
+ {
+ name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256",
+ expectedResult: Cr.NS_OK,
+ root: Ci.nsIX509CertDB.AddonsStageRoot,
+ },
+ {
+ name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ root: Ci.nsIX509CertDB.AddonsStageRoot,
+ },
+];
+
+var coseTestcasesProd = [
+ {
+ name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384",
+ expectedResult: Cr.NS_OK,
+ root: Ci.nsIX509CertDB.AddonsPublicRoot,
+ },
+ {
+ name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ root: Ci.nsIX509CertDB.AddonsPublicRoot,
+ },
+ {
+ name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256",
+ expectedResult: Cr.NS_OK,
+ root: Ci.nsIX509CertDB.AddonsPublicRoot,
+ },
+ {
+ name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256",
+ expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID,
+ root: Ci.nsIX509CertDB.AddonsPublicRoot,
+ },
+];
+
+for (let policy of cosePolicies) {
+ for (let testcase of [...coseTestcasesStage, ...coseTestcasesProd]) {
+ add_signature_test(policy, function() {
+ certdb.openSignedAppFileAsync(
+ testcase.root,
+ original_app_path(testcase.name),
+ check_open_result(testcase.name, testcase.expectedResult)
+ );
+ });
+ }
+}
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSESigTampered() {
+ let tampered = tampered_app_path("cose_sig_tampered");
+ tamper(
+ original_app_path("cose_signed_with_pkcs7"),
+ tampered,
+ { "META-INF/cose.sig": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "cose_sig_tampered",
+ Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+ )
+ );
+});
+
+// PKCS7 is processed before COSE, so if a COSE signature file is removed or
+// tampered with, this appears as a PKCS7 signature verification failure.
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSESigRemoved() {
+ let tampered = tampered_app_path("cose_sig_removed");
+ tamper(
+ original_app_path("cose_signed_with_pkcs7"),
+ tampered,
+ { "META-INF/cose.sig": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("cose_sig_removed", Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEManifestTampered() {
+ let tampered = tampered_app_path("cose_manifest_tampered");
+ tamper(
+ original_app_path("cose_signed_with_pkcs7"),
+ tampered,
+ { "META-INF/cose.manifest": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "cose_manifest_tampered",
+ Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+ )
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEManifestRemoved() {
+ let tampered = tampered_app_path("cose_manifest_removed");
+ tamper(
+ original_app_path("cose_signed_with_pkcs7"),
+ tampered,
+ { "META-INF/cose.manifest": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "cose_manifest_removed",
+ Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING
+ )
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEFileAdded() {
+ let tampered = tampered_app_path("cose_file_added");
+ tamper(original_app_path("cose_signed_with_pkcs7"), tampered, {}, [
+ { name: "unsigned.txt", content: "unsigned content!" },
+ ]);
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("cose_file_added", Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEFileRemoved() {
+ let tampered = tampered_app_path("cose_file_removed");
+ tamper(
+ original_app_path("cose_signed_with_pkcs7"),
+ tampered,
+ { "manifest.json": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result("cose_file_removed", Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING)
+ );
+});
+
+add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEFileTampered() {
+ let tampered = tampered_app_path("cose_file_tampered");
+ tamper(
+ original_app_path("cose_signed_with_pkcs7"),
+ tampered,
+ { "manifest.json": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "cose_file_tampered",
+ Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSESigTampered() {
+ let tampered = tampered_app_path("only_cose_sig_tampered");
+ tamper(
+ original_app_path("only_cose_signed"),
+ tampered,
+ { "META-INF/cose.sig": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_sig_tampered",
+ Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSESigRemoved() {
+ let tampered = tampered_app_path("only_cose_sig_removed");
+ tamper(
+ original_app_path("only_cose_signed"),
+ tampered,
+ { "META-INF/cose.sig": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_sig_removed",
+ Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEManifestTampered() {
+ let tampered = tampered_app_path("only_cose_manifest_tampered");
+ tamper(
+ original_app_path("only_cose_signed"),
+ tampered,
+ { "META-INF/cose.manifest": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_manifest_tampered",
+ Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEManifestRemoved() {
+ let tampered = tampered_app_path("only_cose_manifest_removed");
+ tamper(
+ original_app_path("only_cose_signed"),
+ tampered,
+ { "META-INF/cose.manifest": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_manifest_removed",
+ Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEFileAdded() {
+ let tampered = tampered_app_path("only_cose_file_added");
+ tamper(original_app_path("only_cose_signed"), tampered, {}, [
+ { name: "unsigned.txt", content: "unsigned content!" },
+ ]);
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_file_added",
+ Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEFileRemoved() {
+ let tampered = tampered_app_path("only_cose_file_removed");
+ tamper(
+ original_app_path("only_cose_signed"),
+ tampered,
+ { "manifest.json": removeEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_file_removed",
+ Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function testOnlyCOSEFileTampered() {
+ let tampered = tampered_app_path("only_cose_file_tampered");
+ tamper(
+ original_app_path("only_cose_signed"),
+ tampered,
+ { "manifest.json": truncateEntry },
+ []
+ );
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ tampered,
+ check_open_result(
+ "only_cose_file_tampered",
+ Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+ )
+ );
+});
+
+// This was signed with only COSE first, and then the contents were tampered
+// with (making the signature invalid). Then, the file was signed with
+// PKCS7/SHA1. We need to ensure that if we're configured to process COSE, this
+// verification fails.
+add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_tampered_good_pkcs7"),
+ check_open_result(
+ "tampered COSE with good PKCS7 signature should fail " +
+ "when COSE and PKCS7 is processed",
+ Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+ )
+ );
+});
+
+add_signature_test(COSEOnly, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_tampered_good_pkcs7"),
+ check_open_result(
+ "tampered COSE with good PKCS7 signature should fail " +
+ "when only COSE is processed",
+ Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY
+ )
+ );
+});
+
+// If we're not processing COSE, this should verify successfully.
+add_signature_test(PKCS7WithSHA1OrSHA256, function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("cose_tampered_good_pkcs7"),
+ check_open_result(
+ "tampered COSE with good PKCS7 signature should succeed" +
+ "when COSE is not processed",
+ Cr.NS_OK
+ )
+ );
+});
+
+add_test(function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("bug_1411458"),
+ check_open_result("bug 1411458", Cr.NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO)
+ );
+});
+
+// This has a big manifest file (~2MB). It should verify correctly.
+add_test(function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("big_manifest"),
+ check_open_result("add-on with big manifest file", Cr.NS_OK)
+ );
+});
+
+// This has a huge manifest file (~10MB). Manifest files this large are not
+// supported (8MB is the limit). It should not verify correctly.
+add_test(function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("huge_manifest"),
+ check_open_result(
+ "add-on with huge manifest file",
+ Cr.NS_ERROR_SIGNED_JAR_ENTRY_INVALID
+ )
+ );
+});
+
+// Verification should pass despite a not-yet-valid EE certificate.
+// Regression test for bug 1713628
+add_test(function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("validity_not_yet_valid"),
+ check_open_result("validity_not_yet_valid", Cr.NS_OK)
+ );
+});
+
+// Verification should pass despite an expired EE certificate.
+// Regression test for bug 1267318 and bug 1548973
+add_test(function() {
+ certdb.openSignedAppFileAsync(
+ Ci.nsIX509CertDB.AppXPCShellRoot,
+ original_app_path("validity_expired"),
+ check_open_result("validity_expired", Cr.NS_OK)
+ );
+});
+
+// TODO: tampered MF, tampered SF
+// TODO: too-large MF, too-large RSA, too-large SF
+// TODO: MF and SF that end immediately after the last main header
+// (no CR nor LF)
+// TODO: broken headers to exercise the parser
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app/README b/security/manager/ssl/tests/unit/test_signed_apps/app/README
new file mode 100644
index 0000000000..4f4db4f73e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app/README
@@ -0,0 +1 @@
+This is the readme for the test extension.
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app/data/image.png b/security/manager/ssl/tests/unit/test_signed_apps/app/data/image.png
new file mode 100644
index 0000000000..f4a62faddf
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app/data/image.png differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app/manifest.json b/security/manager/ssl/tests/unit/test_signed_apps/app/manifest.json
new file mode 100644
index 0000000000..eacaedfa7a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app/manifest.json
@@ -0,0 +1,5 @@
+{
+ "manifest_version": 2,
+ "name": "Test Extension",
+ "version": "0.0.1"
+}
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.manifest b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.manifest
new file mode 100644
index 0000000000..be5069f57b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.manifest
@@ -0,0 +1,10 @@
+Manifest-Version: 1.0
+
+Name: README
+SHA256-Digest: bY0l9xqGJYCpqYeJ0K6q4DWUQqu0mNBFM4H4emhjiJg=
+
+Name: manifest.json
+SHA256-Digest: BTnCpT154N26RZm8bhdD43WXd0tj5bg6ofM19NLI0OE=
+
+Name: data/image.png
+SHA256-Digest: EPjkNZwya9X+pruLlxG+FACLwGC48XU4S9oZOA0lVVQ=
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.sig b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.sig
new file mode 100644
index 0000000000..ee9f3e2ce9
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/META-INF/cose.sig differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/README b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/README
new file mode 100644
index 0000000000..46217087d8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/README
@@ -0,0 +1,2 @@
+This is the readme for the test extension.
+This app was created by unzipping only_cose_signed.zip and adding this line (thus invalidating the COSE signature).
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/data/image.png b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/data/image.png
new file mode 100644
index 0000000000..f4a62faddf
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/data/image.png differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/manifest.json b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/manifest.json
new file mode 100644
index 0000000000..eacaedfa7a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/app_cose_tampered/manifest.json
@@ -0,0 +1,5 @@
+{
+ "manifest_version": 2,
+ "name": "Test Extension",
+ "version": "0.0.1"
+}
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zip
new file mode 100644
index 0000000000..e8643ae4a1
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1.zip
new file mode 100644
index 0000000000..c796b05d89
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-256.zip
new file mode 100644
index 0000000000..65b1e7be43
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1-256.zip
new file mode 100644
index 0000000000..eb6bbee0d4
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1-256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zip
new file mode 100644
index 0000000000..1efcaf4408
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-256.zip
new file mode 100644
index 0000000000..1554349f31
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1-256.zip
new file mode 100644
index 0000000000..3beaf11361
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1-256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zip
new file mode 100644
index 0000000000..7f2e5386bc
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-256.zip
new file mode 100644
index 0000000000..8bd0938986
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1-256.zip
new file mode 100644
index 0000000000..6021fd3aa9
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1-256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zip
new file mode 100644
index 0000000000..54211eb519
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-256.zip
new file mode 100644
index 0000000000..704504a448
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1-256.zip
new file mode 100644
index 0000000000..68941bf6e3
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1-256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip
new file mode 100644
index 0000000000..727b148130
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-256.zip
new file mode 100644
index 0000000000..2bed33dce4
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1-256.zip
new file mode 100644
index 0000000000..d57b44b6e2
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1-256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip
new file mode 100644
index 0000000000..6f17528f8b
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-256.zip
new file mode 100644
index 0000000000..243113b8a7
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1-256.zip
new file mode 100644
index 0000000000..6735f81499
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1-256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zip
new file mode 100644
index 0000000000..f213ac0990
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-256.zip
new file mode 100644
index 0000000000..7a0f561196
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1-256.zip
new file mode 100644
index 0000000000..ce8a55dfa4
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1-256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip
new file mode 100644
index 0000000000..0fc2f9368e
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-256.zip
new file mode 100644
index 0000000000..79bd0249c3
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1-256.zip
new file mode 100644
index 0000000000..c7c76f6a6c
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1-256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1.zip
new file mode 100644
index 0000000000..9ed61ff6a8
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-1.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zip b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zip
new file mode 100644
index 0000000000..75e6434188
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384.zip
new file mode 100644
index 0000000000..40b4fc7857
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256.zip
new file mode 100644
index 0000000000..d364e590e5
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256.zip
new file mode 100644
index 0000000000..a4353bba19
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256.zip
new file mode 100644
index 0000000000..51ae592ee9
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip
new file mode 100644
index 0000000000..b74e087620
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip
new file mode 100644
index 0000000000..772c42e494
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip
new file mode 100644
index 0000000000..b1d1999551
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip new file mode 100644 index 0000000000..0ce563680d Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip differ diff --git a/security/manager/ssl/tests/unit/test_signed_apps/big_manifest.zip b/security/manager/ssl/tests/unit/test_signed_apps/big_manifest.zip new file mode 100644 index 0000000000..1daed90236 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/big_manifest.zip differ diff --git a/security/manager/ssl/tests/unit/test_signed_apps/bug_1411458.zip b/security/manager/ssl/tests/unit/test_signed_apps/bug_1411458.zip new file mode 100644 index 0000000000..0b296945ab Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/bug_1411458.zip differ diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zip new file mode 100644 index 0000000000..bb70811185 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/cose_int_signed_with_pkcs7.zip differ diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip new file mode 100644 index 0000000000..105f2be712 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/cose_multiple_signed_with_pkcs7.zip differ 
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zip new file mode 100644 index 0000000000..8edd1bd7c0 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/cose_signed_with_pkcs7.zip differ diff --git a/security/manager/ssl/tests/unit/test_signed_apps/cose_tampered_good_pkcs7.zip b/security/manager/ssl/tests/unit/test_signed_apps/cose_tampered_good_pkcs7.zip new file mode 100644 index 0000000000..a1565eb9f7 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/cose_tampered_good_pkcs7.zip differ diff --git a/security/manager/ssl/tests/unit/test_signed_apps/empty_signerInfos.zip b/security/manager/ssl/tests/unit/test_signed_apps/empty_signerInfos.zip new file mode 100644 index 0000000000..53744b4a8e Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/empty_signerInfos.zip differ diff --git a/security/manager/ssl/tests/unit/test_signed_apps/huge_manifest.zip b/security/manager/ssl/tests/unit/test_signed_apps/huge_manifest.zip new file mode 100644 index 0000000000..845c39c8b8 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/huge_manifest.zip differ diff --git a/security/manager/ssl/tests/unit/test_signed_apps/moz.build b/security/manager/ssl/tests/unit/test_signed_apps/moz.build new file mode 100644 index 0000000000..8680c8d457 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_signed_apps/moz.build 
@@ -0,0 +1,78 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+@template
+def SignedAppFile(name, flags, app_directory="app/"):
+ if not CONFIG["COMPILE_ENVIRONMENT"]:
+ return
+
+ GENERATED_FILES += [name]
+ props = GENERATED_FILES[name]
+ props.script = "/security/manager/ssl/tests/unit/sign_app.py"
+ props.inputs = [app_directory]
+ props.flags = flags
+ # Turn RELATIVEDIR into list entry: like
+ # 'security/manager/ssl/tests/unit/test_signed_apps' ->
+ # TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_signed_apps.
+ files = TEST_HARNESS_FILES.xpcshell
+ for part in RELATIVEDIR.split("/"):
+ files = files[part]
+ files += ["!%s" % name]
+
+
+# Except for unusual testcases (unknown issuer, unsigned app, empty
+# signerInfos), the naming scheme is as follows:
+# app_mf{-1,-256}_sf{-1,-256}_p7{-1,-256}.zip, where:
+# "mf" refers to the manifest file, "sf" refers to the signature file,
+# and "p7" refers to the pkcs#7 file. The "{-1,-256}" indicates which
+# hash algorithms are present in the corresponding file (both may be
+# present).
+# For example, "app_mf-1_sf-1-256_p7-256.zip" means that the manifest
+# file has sha-1 hashes, the signature file has sha-1 hashes and sha-256
+# hashes, and the pkcs#7 file only has sha-256.
+#
+# Temporarily disabled. See bug 1256495.
+# signed_app_files = (
+# ['unknown_issuer_app.zip', '-i', 'unknown issuer', '-p', 'sha256'],
+# ['unsigned_app.zip'],
+# ['empty_signerInfos.zip', '-e'],
+# )
+#
+# for signed_app_file_params in signed_app_files:
+# SignedAppFile(signed_app_file_params[0], signed_app_file_params[1:])
+#
+# for mf_algs in [['1'], ['256'], ['1', '256']]:
+# for sf_algs in [['1'], ['256'], ['1', '256']]:
+# for p7_algs in [['1'], ['256'], ['1', '256']]:
+# filename = "app_mf-%s_sf-%s_p7-%s.zip" % ('-'.join(mf_algs), '-'.join(sf_algs), '-'.join(p7_algs))
+# args = []
+# for mf_alg in mf_algs:
+# args.append('-m')
+# args.append('sha%s' % mf_alg)
+# for sf_alg in sf_algs:
+# args.append('-s')
+# args.append('sha%s' % sf_alg)
+# for p7_alg in p7_algs:
+# args.append('-p')
+# args.append('sha%s' % p7_alg)
+# SignedAppFile(filename, args)
+#
+# COSE test-cases
+# SignedAppFile('cose_signed_with_pkcs7.zip', ['-c', 'ES256', '-p', 'sha256'])
+# SignedAppFile('cose_int_signed_with_pkcs7.zip', ['-c', 'ES256', '-r', 'xpcshell signed apps test root', '-p', 'sha256'])
+# SignedAppFile('cose_multiple_signed_with_pkcs7.zip', ['-c', 'ES256', '-c', 'ES384', '-p', 'sha256'])
+# SignedAppFile('only_cose_signed.zip', ['-c', 'ES256'])
+# SignedAppFile('only_cose_multiple_signed.zip', ['-c', 'ES384', '-c', 'ES256'])
+# SignedAppFile('cose_tampered_good_pkcs7.zip', ['-m', 'sha1', '-s', 'sha1', '-p', 'sha1'], 'app_cose_tampered/')
+# SignedAppFile('big_manifest.zip', ['-p', 'sha256', '--pad-headers', '2'])
+# SignedAppFile('huge_manifest.zip', ['-p', 'sha256', '--pad-headers', '10'])
+# SignedAppFile('validity_expired.zip', ['-c', 'ES256', '-p', 'sha256', '--cert-validity', '19700101-19701212'])
+# SignedAppFile('validity_not_yet_valid.zip', ['-c', 'ES256', '-p', 'sha256', '--cert-validity', '99990101-99991212'])
+
+# To generate a new entry, add SignedAppFile, run mach build and copy from
+# objdir/_tests/xpcshell/security/manager/ssl/tests/unit/test_signed_apps/
+# to this directory.
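Review bot: The commented-out `SignedAppFile` calls are the only record of the flags behind each checked-in archive, yet several fixtures added in this commit have no entry there: the `autograph-714ba248-*.zip` files and `bug_1411458.zip`. With generation disabled (the hunk cites bug 1256495), nothing in this file says how those archives were produced or what each one is meant to exercise, which makes the signature-verification fixtures hard to audit or rebuild. I would add a short comment after the COSE list, for example `# autograph-*.zip, bug_1411458.zip: produced outside this list; origin: <fill in source or bug>`, and give `SignedAppFile` a docstring describing `name`, `flags` and `app_directory`.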
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/only_cose_multiple_signed.zip b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_multiple_signed.zip
new file mode 100644
index 0000000000..4befbcd47f
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_multiple_signed.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zip b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zip
new file mode 100644
index 0000000000..70ec223475
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/only_cose_signed.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zip b/security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zip
new file mode 100644
index 0000000000..03f59a20bb
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zip b/security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zip
new file mode 100644
index 0000000000..162b1107fe
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/validity_expired.zip b/security/manager/ssl/tests/unit/test_signed_apps/validity_expired.zip
new file mode 100644
index 0000000000..4b160fe736
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/validity_expired.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/validity_not_yet_valid.zip b/security/manager/ssl/tests/unit/test_signed_apps/validity_not_yet_valid.zip
new file mode 100644
index 0000000000..82a8b4836a
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/validity_not_yet_valid.zip differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der
new file mode 100644
index 0000000000..3c1869b13b
Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der differ
diff --git a/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem.certspec b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem.certspec
new file mode 100644
index 0000000000..500c4185cd
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.pem.certspec
@@ -0,0 +1,6 @@
+issuer:xpcshell signed apps test root
+subject:xpcshell signed apps test root
+validity:20150101-20350101
+extension:basicConstraints:cA,
+extension:keyUsage:keyEncipherment,keyCertSign
+extension:extKeyUsage:codeSigning
diff --git a/security/manager/ssl/tests/unit/test_ssl_status.js b/security/manager/ssl/tests/unit/test_ssl_status.js
new file mode 100644
index 0000000000..8e9aad40e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ssl_status.js
@@ -0,0 +1,75 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +do_get_profile(); + +function run_test() { + Services.prefs.setIntPref("security.OCSP.enabled", 1); + add_tls_server_setup("BadCertAndPinningServer", "bad_certs"); + + let fakeOCSPResponder = new HttpServer(); + fakeOCSPResponder.registerPrefixHandler("/", function(request, response) { + response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); + }); + fakeOCSPResponder.start(8888); + + // Test successful connection (failedCertChain should be null, + // succeededCertChain should be set as expected) + add_connection_test( + "good.include-subdomains.pinning.example.com", + PRErrorCodeSuccess, + null, + function withSecurityInfo(aSecInfo) { + equal( + aSecInfo.failedCertChain.length, + 0, + "failedCertChain for a successful connection should be empty" + ); + ok( + areCertArraysEqual( + aSecInfo.succeededCertChain, + build_cert_chain(["default-ee", "test-ca"]) + ), + "succeededCertChain for a successful connection should be as expected" + ); + } + ); + + // Test failed connection (failedCertChain should be set as expected, + // succeededCertChain should be null) + add_connection_test( + "expired.example.com", + SEC_ERROR_EXPIRED_CERTIFICATE, + null, + function withSecurityInfo(aSecInfo) { + equal( + aSecInfo.succeededCertChain.length, + 0, + "succeededCertChain for a failed connection should be null" + ); + ok( + areCertArraysEqual( + aSecInfo.failedCertChain, + build_cert_chain(["expired-ee", "test-ca"]) + ), + "failedCertChain for a failed connection should be as expected" + ); + } + ); + + // Ensure the correct failed cert chain is set on cert override + let overrideStatus = { + failedCertChain: build_cert_chain(["expired-ee", "test-ca"]), + }; + 
add_cert_override_test( + "expired.example.com", + SEC_ERROR_EXPIRED_CERTIFICATE, + undefined, + overrideStatus + ); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_sss_enumerate.js b/security/manager/ssl/tests/unit/test_sss_enumerate.js new file mode 100644 index 0000000000..a785e31cdf --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sss_enumerate.js 
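Review bot: `fakeOCSPResponder` is started on port 8888 in `run_test` and never stopped; the hunk contains no `stop()` call or cleanup function, so the listener stays up for the rest of the run. Queue the shutdown after the last test, e.g. `add_test(() => fakeOCSPResponder.stop(run_next_test));` placed before `run_next_test();`. The same function sets `security.OCSP.enabled` without clearing it. The comments and the second assertion message say the unused chain "should be null", while both assertions compare `.length` with 0; wording them as "should be empty" would match what is checked.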
@@ -0,0 +1,79 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +do_get_profile(); // must be done before instantiating nsIX509CertDB + +const SECS_IN_A_WEEK = 7 * 24 * 60 * 60 * 1000; +const TESTCASES = [ + { + hostname: "a.pinning.example.com", + includeSubdomains: true, + expireTime: Date.now() + 12 * SECS_IN_A_WEEK * 1000, + }, + { + hostname: "b.pinning.example.com", + includeSubdomains: false, + expireTime: Date.now() + 13 * SECS_IN_A_WEEK * 1000, + }, +].sort((a, b) => a.expireTime - b.expireTime); + +let sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService); + +function getEntries() { + return Array.from(sss.enumerate()); +} + +function checkSiteSecurityStateAttrs(entries) { + entries.sort((a, b) => a.expireTime - b.expireTime); + equal( + entries.length, + TESTCASES.length, + "Should get correct number of entries" + ); + for (let i = 0; i < TESTCASES.length; i++) { + equal(entries[i].hostname, TESTCASES[i].hostname, "Hostnames should match"); + equal( + entries[i].securityPropertyState, + Ci.nsISiteSecurityState.SECURITY_PROPERTY_SET, + "Entries should have security property set" + ); + equal( + entries[i].includeSubdomains, + TESTCASES[i].includeSubdomains, + "IncludeSubdomains should match" + ); + // There's a delay from our "now" and the "now" that the implementation uses. + less( + Math.abs(entries[i].expireTime - TESTCASES[i].expireTime), + 60000, + "ExpireTime should be within 60-second error" + ); + } +} + +function run_test() { + sss.clearAll(); + + for (const testcase of TESTCASES) { + const uri = Services.io.newURI(`https://${testcase.hostname}`); + + // MaxAge is in seconds. 
+ let maxAge = Math.round((testcase.expireTime - Date.now()) / 1000); + let header = `max-age=${maxAge}`; + if (testcase.includeSubdomains) { + header += "; includeSubdomains"; + } + sss.processHeader(uri, header); + } + + let hstsEntries = getEntries(); + + checkSiteSecurityStateAttrs(hstsEntries); + + sss.clearAll(); + hstsEntries = getEntries(); + + equal(hstsEntries.length, 0, "Should clear all HSTS entries"); +} diff --git a/security/manager/ssl/tests/unit/test_sss_eviction.js b/security/manager/ssl/tests/unit/test_sss_eviction.js new file mode 100644 index 0000000000..eee9e00e22 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sss_eviction.js 
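Review bot: `SECS_IN_A_WEEK` is defined as `7 * 24 * 60 * 60 * 1000`, which is milliseconds per week, and `TESTCASES` multiplies it by 1000 again, so the expiry times land about 12,000 and 13,000 weeks ahead rather than 12 and 13. The test still passes because `run_test` derives `max-age` from the same `expireTime`, but the HSTS entries it exercises have lifetimes far outside anything a real header would carry. Define the constant in seconds, `const SECS_IN_A_WEEK = 7 * 24 * 60 * 60;`, and keep the `* 1000` at the two use sites.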
@@ -0,0 +1,88 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// The purpose of this test is to check that a frequently visited site +// will not be evicted over an infrequently visited site. + +var gSSService = null; +var gProfileDir = null; + +function do_state_written(aSubject, aTopic, aData) { + if (aData == CLIENT_AUTH_FILE_NAME) { + return; + } + + equal(aData, SSS_STATE_FILE_NAME); + + let stateFile = gProfileDir.clone(); + stateFile.append(SSS_STATE_FILE_NAME); + ok(stateFile.exists()); + let stateFileContents = readFile(stateFile); + // the last part is removed because it's the empty string after the final \n + let lines = stateFileContents.split("\n").slice(0, -1); + // We can receive multiple data-storage-written events. In particular, we + // may receive one where DataStorage wrote out data before we were done + // processing all of our headers. In this case, the data may not be + // as we expect. We only care about the final one being correct, however, + // so we return and wait for the next event if things aren't as we expect. + // There should be 1024 entries. 
+ if (lines.length != 1024) { + return; + } + + let foundLegitSite = false; + for (let line of lines) { + if (line.startsWith("frequentlyused.example.com:HSTS")) { + foundLegitSite = true; + break; + } + } + + ok(foundLegitSite); + do_test_finished(); +} + +function do_state_read(aSubject, aTopic, aData) { + if (aData == CLIENT_AUTH_FILE_NAME) { + return; + } + + equal(aData, SSS_STATE_FILE_NAME); + + ok( + gSSService.isSecureURI( + Services.io.newURI("https://frequentlyused.example.com") + ) + ); + for (let i = 0; i < 2000; i++) { + let uri = Services.io.newURI("http://bad" + i + ".example.com"); + gSSService.processHeader(uri, "max-age=1000"); + } + do_test_pending(); + Services.obs.addObserver(do_state_written, "data-storage-written"); + do_test_finished(); +} + +function run_test() { + Services.prefs.setIntPref("test.datastorage.write_timer_ms", 100); + gProfileDir = do_get_profile(); + let stateFile = gProfileDir.clone(); + stateFile.append(SSS_STATE_FILE_NAME); + // Assuming we're working with a clean slate, the file shouldn't exist + // until we create it. + ok(!stateFile.exists()); + let outputStream = FileUtils.openFileOutputStream(stateFile); + let now = new Date().getTime(); + let line = + "frequentlyused.example.com:HSTS\t4\t0\t" + (now + 100000) + ",1,0\n"; + outputStream.write(line, line.length); + outputStream.close(); + Services.obs.addObserver(do_state_read, "data-storage-ready"); + do_test_pending(); + gSSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + notEqual(gSSService, null); +} diff --git a/security/manager/ssl/tests/unit/test_sss_originAttributes.js b/security/manager/ssl/tests/unit/test_sss_originAttributes.js new file mode 100644 index 0000000000..280b0df5a6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sss_originAttributes.js 
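Review bot: `do_state_written` returns silently whenever the file does not hold exactly 1024 lines, so if the entry count settles at any other value the test never reaches `do_test_finished()` and ends only through the harness timeout, with no assertion pointing at the cause. The limit is a bare literal here and is relied on again in test_sss_readstate_huge.js (boundary hosts example1023 and example1024). A named constant with a comment, e.g. `const MAX_SSS_ENTRIES = 1024; // must match the storage cap this test relies on`, would make the dependency explicit. The `data-storage-written` observer is also never removed and `test.datastorage.write_timer_ms` is never cleared.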
@@ -0,0 +1,99 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- + * vim: sw=2 ts=2 sts=2 + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +"use strict"; + +// Ensures nsISiteSecurityService APIs respects origin attributes. + +const GOOD_MAX_AGE_SECONDS = 69403; +const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`; + +do_get_profile(); // must be done before instantiating nsIX509CertDB + +let sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService); +let host = "a.pinning.example.com"; +let uri = Services.io.newURI("https://" + host); + +// Check if originAttributes1 and originAttributes2 are isolated with respect +// to HSTS storage. +function doTest(originAttributes1, originAttributes2, shouldShare) { + sss.clearAll(); + let header = GOOD_MAX_AGE; + // Set HSTS for originAttributes1. + sss.processHeader(uri, header, originAttributes1); + ok( + sss.isSecureURI(uri, originAttributes1), + "URI should be secure given original origin attributes" + ); + equal( + sss.isSecureURI(uri, originAttributes2), + shouldShare, + "URI should be secure given different origin attributes if and " + + "only if shouldShare is true" + ); + + if (!shouldShare) { + // Remove originAttributes2 from the storage. + sss.resetState(uri, originAttributes2); + ok( + sss.isSecureURI(uri, originAttributes1), + "URI should still be secure given original origin attributes" + ); + } + + // Remove originAttributes1 from the storage. 
+ sss.resetState(uri, originAttributes1); + ok( + !sss.isSecureURI(uri, originAttributes1), + "URI should not be secure after removeState" + ); + + sss.clearAll(); +} + +function testInvalidOriginAttributes(originAttributes) { + let header = GOOD_MAX_AGE; + + let callbacks = [ + () => sss.processHeader(uri, header, originAttributes), + () => sss.isSecureURI(uri, originAttributes), + () => sss.resetState(uri, originAttributes), + ]; + + for (let callback of callbacks) { + throws( + callback, + /NS_ERROR_ILLEGAL_VALUE/, + "Should get an error with invalid origin attributes" + ); + } +} + +function run_test() { + sss.clearAll(); + + let originAttributesList = []; + for (let userContextId of [0, 1, 2]) { + for (let firstPartyDomain of ["", "foo.com", "bar.com"]) { + originAttributesList.push({ userContextId, firstPartyDomain }); + } + } + for (let attrs1 of originAttributesList) { + for (let attrs2 of originAttributesList) { + // SSS storage is not isolated by userContext + doTest( + attrs1, + attrs2, + attrs1.firstPartyDomain == attrs2.firstPartyDomain + ); + } + } + + testInvalidOriginAttributes(undefined); + testInvalidOriginAttributes(null); + testInvalidOriginAttributes(1); + testInvalidOriginAttributes("foo"); +} diff --git a/security/manager/ssl/tests/unit/test_sss_readstate.js b/security/manager/ssl/tests/unit/test_sss_readstate.js new file mode 100644 index 0000000000..689df13495 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sss_readstate.js 
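Review bot: The last assertion in `doTest` reads `"URI should not be secure after removeState"`, but the call above it is `sss.resetState(...)`; the message should name the API actually used, `"URI should not be secure after resetState"`. In `run_test` the comment `// SSS storage is not isolated by userContext` states only one half of the expectation, while the third argument encodes the other half; a line such as `// ...but it is isolated by firstPartyDomain` would state the property under test. Whether further origin attributes should be part of the matrix cannot be told from this hunk.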
@@ -0,0 +1,123 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// The purpose of this test is to create a site security service state file +// and see that the site security service reads it properly. + +var gSSService = null; + +function checkStateRead(aSubject, aTopic, aData) { + if (aData == CLIENT_AUTH_FILE_NAME) { + return; + } + + equal(aData, SSS_STATE_FILE_NAME); + + ok( + !gSSService.isSecureURI(Services.io.newURI("https://expired.example.com")) + ); + ok( + gSSService.isSecureURI(Services.io.newURI("https://notexpired.example.com")) + ); + ok( + gSSService.isSecureURI( + Services.io.newURI("https://includesubdomains.preloaded.test") + ) + ); + ok( + !gSSService.isSecureURI( + Services.io.newURI("https://sub.includesubdomains.preloaded.test") + ) + ); + ok( + gSSService.isSecureURI( + Services.io.newURI("https://incsubdomain.example.com") + ) + ); + ok( + gSSService.isSecureURI( + Services.io.newURI("https://sub.incsubdomain.example.com") + ) + ); + ok( + !gSSService.isSecureURI( + Services.io.newURI("https://includesubdomains2.preloaded.test") + ) + ); + ok( + !gSSService.isSecureURI( + Services.io.newURI("https://sub.includesubdomains2.preloaded.test") + ) + ); + + // Clearing the data should make everything go back to default. 
+ gSSService.clearAll(); + ok( + !gSSService.isSecureURI(Services.io.newURI("https://expired.example.com")) + ); + ok( + !gSSService.isSecureURI( + Services.io.newURI("https://notexpired.example.com") + ) + ); + ok( + gSSService.isSecureURI( + Services.io.newURI("https://includesubdomains.preloaded.test") + ) + ); + ok( + gSSService.isSecureURI( + Services.io.newURI("https://sub.includesubdomains.preloaded.test") + ) + ); + ok( + !gSSService.isSecureURI( + Services.io.newURI("https://incsubdomain.example.com") + ) + ); + ok( + !gSSService.isSecureURI( + Services.io.newURI("https://sub.incsubdomain.example.com") + ) + ); + ok( + gSSService.isSecureURI( + Services.io.newURI("https://includesubdomains2.preloaded.test") + ) + ); + ok( + gSSService.isSecureURI( + Services.io.newURI("https://sub.includesubdomains2.preloaded.test") + ) + ); + do_test_finished(); +} + +function run_test() { + let profileDir = do_get_profile(); + let stateFile = profileDir.clone(); + stateFile.append(SSS_STATE_FILE_NAME); + // Assuming we're working with a clean slate, the file shouldn't exist + // until we create it. + ok(!stateFile.exists()); + let outputStream = FileUtils.openFileOutputStream(stateFile); + let now = Date.now(); + let lines = [ + `expired.example.com:HSTS\t0\t0\t${now - 100000},1,0`, + `notexpired.example.com:HSTS\t0\t0\t${now + 100000},1,0`, + // This overrides an entry on the preload list. + `includesubdomains.preloaded.test:HSTS\t0\t0\t${now + 100000},1,0`, + `incsubdomain.example.com:HSTS\t0\t0\t${now + 100000},1,1`, + // This overrides an entry on the preload list. + "includesubdomains2.preloaded.test:HSTS\t0\t0\t0,2,0", + ]; + writeLinesAndClose(lines, outputStream); + Services.obs.addObserver(checkStateRead, "data-storage-ready"); + do_test_pending(); + gSSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + notEqual(gSSService, null); +} 
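Review bot: None of the sixteen `ok(...)` checks in `checkStateRead` carries a message, so a failure reports only a line number for a host whose expected HSTS state differs before and after `clearAll()`; the same applies to test_sss_readstate_empty.js and test_sss_readstate_huge.js. Passing the host and expectation, e.g. `"expired.example.com should not be HSTS"`, would make a regression in state-file parsing readable from the log. The hand-written records in `run_test` also rely on an undocumented layout: the entry for `includesubdomains2.preloaded.test` uses state `2` where the others use `1`, and the preceding comment only says it overrides the preload list. A one-line comment naming the tab- and comma-separated fields and what state `2` means would help; the field meanings are not derivable from this hunk.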
diff --git a/security/manager/ssl/tests/unit/test_sss_readstate_empty.js b/security/manager/ssl/tests/unit/test_sss_readstate_empty.js
new file mode 100644
index 0000000000..83d96f5245
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_empty.js
@@ -0,0 +1,50 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+"use strict";
+
+// The purpose of this test is to create an empty site security service state
+// file and see that the site security service doesn't fail when reading it.
+
+var gSSService = null;
+
+function checkStateRead(aSubject, aTopic, aData) {
+ // nonexistent.example.com should never be an HSTS host
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://nonexistent.example.com")
+ )
+ );
+ ok(
+ gSSService.isSecureURI(
+ Services.io.newURI("https://includesubdomains.preloaded.test")
+ )
+ );
+ // notexpired.example.com is an HSTS host in a different test - we
+ // want to make sure that test hasn't interfered with this one.
+ ok(
+ !gSSService.isSecureURI(
+ Services.io.newURI("https://notexpired.example.com")
+ )
+ );
+ do_test_finished();
+}
+
+function run_test() {
+ let profileDir = do_get_profile();
+ let stateFile = profileDir.clone();
+ stateFile.append(SSS_STATE_FILE_NAME);
+ // Assuming we're working with a clean slate, the file shouldn't exist
+ // until we create it.
+ ok(!stateFile.exists());
+ stateFile.create(Ci.nsIFile.NORMAL_FILE_TYPE, 0x1a4); // 0x1a4 == 0o644
+ ok(stateFile.exists());
+ // Initialize nsISiteSecurityService after do_get_profile() so it
+ // can read the state file.
+ Services.obs.addObserver(checkStateRead, "data-storage-ready");
+ do_test_pending();
+ gSSService = Cc["@mozilla.org/ssservice;1"].getService(
+ Ci.nsISiteSecurityService
+ );
+ notEqual(gSSService, null);
+}
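Review bot: `checkStateRead` here acts on every `data-storage-ready` notification, whereas the sibling tests in this commit (test_sss_readstate.js, test_sss_readstate_garbage.js, test_sss_readstate_huge.js, test_sss_eviction.js) first return on `aData == CLIENT_AUTH_FILE_NAME` and then assert `equal(aData, SSS_STATE_FILE_NAME)`. If the notification for another storage file arrives first, the assertions may run before the site security state has been read, and `do_test_finished()` may be reached more than once. Add the same guard at the top of the function: `if (aData == CLIENT_AUTH_FILE_NAME) { return; }` followed by `equal(aData, SSS_STATE_FILE_NAME);`. The file mode could also be written as `0o644` directly instead of `0x1a4` plus an explanatory comment.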
diff --git a/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js b/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js
new file mode 100644
index 0000000000..00c79756d9
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js
@@ -0,0 +1,95 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// The purpose of this test is to create a mostly bogus site security service +// state file and see that the site security service handles it properly. + +var gSSService = null; + +function checkStateRead(aSubject, aTopic, aData) { + if (aData == CLIENT_AUTH_FILE_NAME) { + return; + } + + equal(aData, SSS_STATE_FILE_NAME); + + const HSTS_HOSTS = [ + "https://example1.example.com", + "https://example2.example.com", + ]; + for (let host of HSTS_HOSTS) { + ok( + gSSService.isSecureURI(Services.io.newURI(host)), + `${host} should be HSTS enabled` + ); + } + + const NOT_HSTS_HOSTS = [ + "https://example.com", + "https://example3.example.com", + "https://extra.comma.example.com", + "https://empty.statestring.example.com", + "https://rubbish.statestring.example.com", + "https://spaces.statestring.example.com", + "https://invalid.expirytime.example.com", + "https://text.securitypropertystate.example.com", + "https://invalid.securitypropertystate.example.com", + "https://text.includesubdomains.example.com", + "https://invalid.includesubdomains.example.com", + ]; + for (let host of NOT_HSTS_HOSTS) { + ok( + !gSSService.isSecureURI(Services.io.newURI(host)), + `${host} should not be HSTS enabled` + ); + } + + do_test_finished(); +} + +function run_test() { + Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true); + let profileDir = do_get_profile(); + let stateFile = profileDir.clone(); + stateFile.append(SSS_STATE_FILE_NAME); + // Assuming we're working with a clean slate, the file shouldn't exist + // until we create it. + ok(!stateFile.exists()); + let outputStream = FileUtils.openFileOutputStream(stateFile); + let expiryTime = Date.now() + 100000; + let lines = [ + // General state file entry tests. 
+ `example1.example.com:HSTS\t0\t0\t${expiryTime},1,0`, + "I'm a lumberjack and I'm okay; I work all night and I sleep all day!", + "This is a totally bogus entry\t", + "0\t0\t0\t0\t", + "\t\t\t\t\t\t\t", + "example.com:HSTS\t\t\t\t\t\t\t", + "example3.example.com:HSTS\t0\t\t\t\t\t\t", + `example2.example.com:HSTS\t0\t0\t${expiryTime},1,0`, + // HSTS state string parsing tests + `extra.comma.example.com:HSTS\t0\t0\t${expiryTime},,1,0`, + "empty.statestring.example.com:HSTS\t0\t0\t", + "rubbish.statestring.example.com:HSTS\t0\t0\tfoobar", + `spaces.statestring.example.com:HSTS\t0\t0\t${expiryTime}, 1,0 `, + `invalid.expirytime.example.com:HSTS\t0\t0\t${expiryTime}foo123,1,0`, + `text.securitypropertystate.example.com:HSTS\t0\t0\t${expiryTime},1foo,0`, + `invalid.securitypropertystate.example.com:HSTS\t0\t0\t${expiryTime},999,0`, + `text.includesubdomains.example.com:HSTS\t0\t0\t${expiryTime},1,1foo`, + `invalid.includesubdomains.example.com:HSTS\t0\t0\t${expiryTime},1,0foo`, + ]; + writeLinesAndClose(lines, outputStream); + Services.obs.addObserver(checkStateRead, "data-storage-ready"); + do_test_pending(); + gSSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + notEqual(gSSService, null); + + Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2); + registerCleanupFunction(() => { + Services.prefs.clearUserPref("security.cert_pinning.enforcement_level"); + }); +} diff --git a/security/manager/ssl/tests/unit/test_sss_readstate_huge.js b/security/manager/ssl/tests/unit/test_sss_readstate_huge.js new file mode 100644 index 0000000000..079fd598b4 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sss_readstate_huge.js 
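Review bot: `run_test` sets `security.cert_pinning.hpkp.enabled` at the top with no matching cleanup, while `security.cert_pinning.enforcement_level` is cleared in `registerCleanupFunction`. Neither pref is referenced by the HSTS assertions in `checkStateRead`, and the enforcement level is set only after the service has been obtained, so it is unclear from the hunk what either contributes. Either drop them or add a comment saying why a state-file parsing test needs pinning enabled; if they stay, clear both in the cleanup function with `Services.prefs.clearUserPref("security.cert_pinning.hpkp.enabled");`.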
@@ -0,0 +1,80 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// The purpose of this test is to create a site security service state file +// that is too large and see that the site security service reads it properly +// (this means discarding all entries after the 1024th). + +var gSSService = null; + +function checkStateRead(aSubject, aTopic, aData) { + if (aData == CLIENT_AUTH_FILE_NAME) { + return; + } + + equal(aData, SSS_STATE_FILE_NAME); + + ok( + gSSService.isSecureURI(Services.io.newURI("https://example0.example.com")) + ); + ok( + gSSService.isSecureURI(Services.io.newURI("https://example423.example.com")) + ); + ok( + gSSService.isSecureURI( + Services.io.newURI("https://example1023.example.com") + ) + ); + ok( + !gSSService.isSecureURI( + Services.io.newURI("https://example1024.example.com") + ) + ); + ok( + !gSSService.isSecureURI( + Services.io.newURI("https://example1025.example.com") + ) + ); + ok( + !gSSService.isSecureURI( + Services.io.newURI("https://example9000.example.com") + ) + ); + ok( + !gSSService.isSecureURI( + Services.io.newURI("https://example99999.example.com") + ) + ); + do_test_finished(); +} + +function run_test() { + let profileDir = do_get_profile(); + let stateFile = profileDir.clone(); + stateFile.append(SSS_STATE_FILE_NAME); + // Assuming we're working with a clean slate, the file shouldn't exist + // until we create it. + ok(!stateFile.exists()); + let outputStream = FileUtils.openFileOutputStream(stateFile); + let expiryTime = Date.now() + 100000; + let lines = []; + for (let i = 0; i < 10000; i++) { + // The 0s will all get squashed down into one 0 when they are read. + // This is just to make the file size large (>2MB). 
+ lines.push( + `example${i}.example.com:HSTS\t` + + "0000000000000000000000000000000000000000000000000\t" + + "00000000000000000000000000000000000000\t" + + `${expiryTime},1,0000000000000000000000000000000000000000000000000000000000000000000000000` + ); + } + writeLinesAndClose(lines, outputStream); + Services.obs.addObserver(checkStateRead, "data-storage-ready"); + do_test_pending(); + gSSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + notEqual(gSSService, null); +} diff --git a/security/manager/ssl/tests/unit/test_sss_resetState.js b/security/manager/ssl/tests/unit/test_sss_resetState.js new file mode 100644 index 0000000000..4a667c05f0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sss_resetState.js 
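Review bot: The seven `ok(...)` calls in `checkStateRead` carry no message, so a failure at the 1024-entry cut-off is reported without naming the host that was checked. Entries past the limit silently lose their HSTS state, so the boundary is the part worth making readable. Consider iterating over pairs such as `[1023, true], [1024, false]` and asserting `equal(gSSService.isSecureURI(uri), expected, host + " HSTS state")`. The limit could also be a named constant next to the loop bound of 10000, with a comment tying it to the value in the header comment.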
@@ -0,0 +1,62 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// Tests that resetting HSTS state in the way the "forget about this site" +// functionality does works as expected for preloaded and non-preloaded sites. + +do_get_profile(); + +var gSSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService +); + +function test_removeState(originAttributes) { + info(`running test_removeState(originAttributes=${originAttributes})`); + // Simulate visiting a non-preloaded site by processing an HSTS header check + // that the HSTS bit gets set, simulate "forget about this site" (call + // removeState), and then check that the HSTS bit isn't set. + let notPreloadedURI = Services.io.newURI("https://not-preloaded.example.com"); + ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes)); + gSSService.processHeader(notPreloadedURI, "max-age=1000;", originAttributes); + ok(gSSService.isSecureURI(notPreloadedURI, originAttributes)); + gSSService.resetState(notPreloadedURI, originAttributes); + ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes)); + + // Simulate visiting a non-preloaded site that unsets HSTS by processing + // an HSTS header with "max-age=0", check that the HSTS bit isn't + // set, simulate "forget about this site" (call removeState), and then check + // that the HSTS bit isn't set. 
+ gSSService.processHeader(notPreloadedURI, "max-age=0;", originAttributes); + ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes)); + gSSService.resetState(notPreloadedURI, originAttributes); + ok(!gSSService.isSecureURI(notPreloadedURI, originAttributes)); + + // Simulate visiting a preloaded site by processing an HSTS header, check + // that the HSTS bit is still set, simulate "forget about this site" + // (call removeState), and then check that the HSTS bit is still set. + let preloadedHost = "includesubdomains.preloaded.test"; + let preloadedURI = Services.io.newURI(`https://${preloadedHost}`); + ok(gSSService.isSecureURI(preloadedURI, originAttributes)); + gSSService.processHeader(preloadedURI, "max-age=1000;", originAttributes); + ok(gSSService.isSecureURI(preloadedURI, originAttributes)); + gSSService.resetState(preloadedURI, originAttributes); + ok(gSSService.isSecureURI(preloadedURI, originAttributes)); + + // Simulate visiting a preloaded site that unsets HSTS by processing an + // HSTS header with "max-age=0", check that the HSTS bit is what we + // expect (see below), simulate "forget about this site" (call removeState), + // and then check that the HSTS bit is set. + gSSService.processHeader(preloadedURI, "max-age=0;", originAttributes); + ok(!gSSService.isSecureURI(preloadedURI, originAttributes)); + gSSService.resetState(preloadedURI, originAttributes); + ok(gSSService.isSecureURI(preloadedURI, originAttributes)); +} + +function run_test() { + test_removeState({}); + test_removeState({ privateBrowsingId: 1 }); +} diff --git a/security/manager/ssl/tests/unit/test_sss_sanitizeOnShutdown.js b/security/manager/ssl/tests/unit/test_sss_sanitizeOnShutdown.js new file mode 100644 index 0000000000..1c4d7d3ddc --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sss_sanitizeOnShutdown.js 
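Review bot: The `info(...)` line at the top of `test_removeState` interpolates the `originAttributes` object directly, so the log reads `[object Object]` for both the default and the private-browsing run. `JSON.stringify(originAttributes)` in the template would make the two runs distinguishable in the test log. The block comments and the function name also refer to `removeState`, while every call in the body is `gSSService.resetState(...)`; renaming them to match the method under test would avoid confusion. Separately, the two runs never check that state set under `{ privateBrowsingId: 1 }` is invisible when queried with `{}`; a cross-attribute assertion would pin that isolation if it is intended.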
@@ -0,0 +1,69 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// The purpose of this test is to ensure that Firefox sanitizes site security +// service data on shutdown if configured to do so. + +ChromeUtils.defineESModuleGetters(this, { + TestUtils: "resource://testing-common/TestUtils.sys.mjs", +}); + +XPCOMUtils.defineLazyModuleGetters(this, { + Sanitizer: "resource:///modules/Sanitizer.jsm", +}); + +Sanitizer.onStartup(); + +// This helps us away from test timed out. If service worker manager(swm) hasn't +// been initilaized before profile-change-teardown, this test would fail due to +// the shutdown blocker added by swm. Normally, swm should be initialized before +// that and the similar crash signatures are fixed. So, assume this cannot +// happen in the real world and initilaize swm here as a workaround. +Cc["@mozilla.org/serviceworkers/manager;1"].getService( + Ci.nsIServiceWorkerManager +); + +function getStateFileContents() { + let stateFile = do_get_profile(); + stateFile.append(SSS_STATE_FILE_NAME); + ok(stateFile.exists()); + return readFile(stateFile); +} + +add_task(async function run_test() { + Services.prefs.setIntPref("test.datastorage.write_timer_ms", 100); + do_get_profile(); + let SSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + let header = "max-age=50000"; + SSService.processHeader(Services.io.newURI("http://example.com"), header); + await TestUtils.topicObserved( + "data-storage-written", + (_, data) => data == SSS_STATE_FILE_NAME + ); + let stateFileContents = getStateFileContents(); + ok( + stateFileContents.includes("example.com"), + "should have written out state file" + ); + + // Configure Firefox to clear this data on shutdown. 
+ Services.prefs.setBoolPref( + Sanitizer.PREF_SHUTDOWN_BRANCH + "siteSettings", + true + ); + Services.prefs.setBoolPref(Sanitizer.PREF_SANITIZE_ON_SHUTDOWN, true); + + // Simulate shutdown. + Services.startup.advanceShutdownPhase( + Services.startup.SHUTDOWN_PHASE_APPSHUTDOWNTEARDOWN + ); + Services.startup.advanceShutdownPhase( + Services.startup.SHUTDOWN_PHASE_APPSHUTDOWN + ); + + equal(getStateFileContents(), "", "state file should be empty"); +}); diff --git a/security/manager/ssl/tests/unit/test_sss_savestate.js b/security/manager/ssl/tests/unit/test_sss_savestate.js new file mode 100644 index 0000000000..0e82abf2e3 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sss_savestate.js 
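Review bot: `run_test` feeds the HSTS header to `processHeader` with `Services.io.newURI("http://example.com")`, although a user agent honours Strict-Transport-Security only on responses received over secure transport. Using `https://example.com` would keep the fixture aligned with that context and with the `test_sts_*` files in this commit; presumably the scheme check lives in the caller, so the outcome would not change. The comment above the service worker manager workaround has typos ("initilaized" twice) and an unclear first sentence. Suggested wording: `// Avoid a test timeout: if the service worker manager (swm) has not been initialized before profile-change-teardown, its shutdown blocker makes this test fail.` The prefs set here (`test.datastorage.write_timer_ms` and the two sanitizer prefs) are not cleared afterwards.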
@@ -0,0 +1,126 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// The purpose of this test is to see that the site security service properly +// writes its state file. + +const EXPECTED_ENTRIES = 5; +const EXPECTED_HSTS_COLUMNS = 3; + +var gProfileDir = null; +var gExpectingWrites = true; + +// For reference, the format of the state file is a list of: +// ,, +// separated by newlines ('\n') + +function checkStateWritten(aSubject, aTopic, aData) { + if (aData == CLIENT_AUTH_FILE_NAME) { + return; + } + + equal(aData, SSS_STATE_FILE_NAME); + ok(gExpectingWrites); + + let stateFile = gProfileDir.clone(); + stateFile.append(SSS_STATE_FILE_NAME); + ok(stateFile.exists()); + let stateFileContents = readFile(stateFile); + // the last line is removed because it's just a trailing newline + let lines = stateFileContents.split("\n").slice(0, -1); + equal(lines.length, EXPECTED_ENTRIES); + let sites = {}; // a map of domain name -> [the entry in the state file] + for (let line of lines) { + let parts = line.split("\t"); + let host = parts[0]; + let entry = parts[3].split(","); + let expectedColumns = EXPECTED_HSTS_COLUMNS; + equal(entry.length, expectedColumns); + sites[host] = entry; + } + + // While we're still processing headers, multiple writes of the backing data + // can be scheduled, and thus we can receive multiple data-storage-written + // notifications. In these cases, the data may not be as we expect. We only + // care about the final one being correct, however, so we return and wait for + // the next event if things aren't as we expect. + // each sites[url][1] should be SecurityPropertySet (i.e. 1). + // sites[url][2] corresponds to includeSubdomains, so every other one should + // be set (i.e. 
1); + if (sites["includesubdomains.preloaded.test:HSTS"][1] != 1) { + return; + } + if (sites["includesubdomains.preloaded.test:HSTS"][2] != 0) { + return; + } + if (sites["a.example.com:HSTS"][1] != 1) { + return; + } + if (sites["a.example.com:HSTS"][2] != 1) { + return; + } + if (sites["b.example.com:HSTS"][1] != 1) { + return; + } + if (sites["b.example.com:HSTS"][2] != 0) { + return; + } + if (sites["c.c.example.com:HSTS"][1] != 1) { + return; + } + if (sites["c.c.example.com:HSTS"][2] != 1) { + return; + } + if (sites["d.example.com:HSTS"][1] != 1) { + return; + } + if (sites["d.example.com:HSTS"][2] != 0) { + return; + } + + // If we get here, the file was as expected and we no longer expect any + // data-storage-written notifications. + gExpectingWrites = false; + + // Process the headers again to test that seeing them again after such a + // short delay doesn't cause another write. + process_headers(); + + // Wait a bit before finishing the test, to see if another write happens. + do_timeout(2000, function() { + do_test_finished(); + }); +} + +function process_headers() { + let SSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + + let uris = [ + Services.io.newURI("http://includesubdomains.preloaded.test"), + Services.io.newURI("http://a.example.com"), + Services.io.newURI("http://b.example.com"), + Services.io.newURI("http://c.c.example.com"), + Services.io.newURI("http://d.example.com"), + ]; + + for (let i = 0; i < 1000; i++) { + let uriIndex = i % uris.length; + // vary max-age, but have it be within one day of one year + let maxAge = "max-age=" + (i + 31536000); + // have every other URI set includeSubdomains + let includeSubdomains = uriIndex % 2 == 1 ? 
"; includeSubdomains" : ""; + SSService.processHeader(uris[uriIndex], maxAge + includeSubdomains); + } +} + +function run_test() { + Services.prefs.setIntPref("test.datastorage.write_timer_ms", 100); + gProfileDir = do_get_profile(); + process_headers(); + do_test_pending(); + Services.obs.addObserver(checkStateWritten, "data-storage-written"); +} diff --git a/security/manager/ssl/tests/unit/test_sts_fqdn.js b/security/manager/ssl/tests/unit/test_sts_fqdn.js new file mode 100644 index 0000000000..3c136a9d99 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sts_fqdn.js @@ -0,0 +1,40 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + */ +"use strict"; + +function run_test() { + let SSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + let uri = Services.io.newURI("https://example.com"); + let uri1 = Services.io.newURI("https://example.com."); + let uri2 = Services.io.newURI("https://example.com.."); + ok(!SSService.isSecureURI(uri)); + ok(!SSService.isSecureURI(uri1)); + // These cases are only relevant as long as bug 1118522 hasn't been fixed. + ok(!SSService.isSecureURI(uri2)); + + SSService.processHeader(uri, "max-age=1000;includeSubdomains"); + ok(SSService.isSecureURI(uri)); + ok(SSService.isSecureURI(uri1)); + ok(SSService.isSecureURI(uri2)); + + SSService.resetState(uri); + ok(!SSService.isSecureURI(uri)); + ok(!SSService.isSecureURI(uri1)); + ok(!SSService.isSecureURI(uri2)); + + // Somehow creating this malformed URI succeeds - we need to handle it + // gracefully. + uri = Services.io.newURI("https://../foo"); + equal(uri.host, ".."); + throws( + () => { + SSService.isSecureURI(uri); + }, + /NS_ERROR_UNEXPECTED/, + "Malformed URI should be rejected" + ); +} 
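Review bot: The ten `if (sites[...][n] != x) { return; }` checks in `checkStateWritten` index straight into `sites[key]`, so an intermediate write that lacks one of the hosts throws a TypeError inside the observer instead of waiting for the next notification, as the comment above them intends. The hard `equal(lines.length, EXPECTED_ENTRIES)` earlier in the function has the same tension with that comment. A lookup table with a guard for a missing entry states the expected `includeSubdomains` pattern once and keeps the "return and wait" behaviour. The format comment near the top of the file reads `// ,,`, which looks as if its placeholders were lost and should be restored. The function starts and ends inside this hunk.

```javascript
  // … unchanged: read the state file and parse each line into `sites` …
  const EXPECTED_INCLUDE_SUBDOMAINS = {
    "includesubdomains.preloaded.test:HSTS": 0,
    "a.example.com:HSTS": 1,
    "b.example.com:HSTS": 0,
    "c.c.example.com:HSTS": 1,
    "d.example.com:HSTS": 0,
  };
  for (let [key, includeSubdomains] of Object.entries(
    EXPECTED_INCLUDE_SUBDOMAINS
  )) {
    let entry = sites[key];
    // Not the final write yet: wait for the next notification.
    if (!entry || entry[1] != 1 || entry[2] != includeSubdomains) {
      return;
    }
  }
  // … unchanged: gExpectingWrites = false, process_headers(), do_timeout …
```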
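Review bot: The malformed-host case at the end of `run_test` only exercises `isSecureURI` on `https://../foo`; nothing checks what `processHeader` or `resetState` do with the same URI. Those two are the calls that would write or delete state for a host of `..`. A second `throws(() => { SSService.processHeader(uri, "max-age=1000"); }, ...)` would cover the write path, with the expected error code taken from the implementation rather than assumed here. The comment about bug 1118522 sits above the first `uri2` assertion only, but the `uri2` checks after `processHeader` and `resetState` depend on the same behaviour and could be grouped under it.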
diff --git a/security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js b/security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js new file mode 100644 index 0000000000..4ffac59356 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sts_ipv4_ipv6.js @@ -0,0 +1,55 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +function check_ip(s, v, ip) { + let str = "https://"; + if (v == 6) { + str += "["; + } + str += ip; + if (v == 6) { + str += "]"; + } + str += "/"; + + let uri = Services.io.newURI(str); + ok(!s.isSecureURI(uri)); + + let parsedMaxAge = {}; + let parsedIncludeSubdomains = {}; + s.processHeader( + uri, + "max-age=1000;includeSubdomains", + {}, + parsedMaxAge, + parsedIncludeSubdomains + ); + ok( + !s.isSecureURI(uri), + "URI should not be secure if it contains an IP address" + ); + + /* Test that processHeader will ignore headers for an uri, if the uri + * contains an IP address not a hostname. + * If processHeader indeed ignore the header, then the output parameters will + * remain empty, and we shouldn't see the values passed as the header. + */ + notEqual(parsedMaxAge.value, 1000); + notEqual(parsedIncludeSubdomains.value, true); + notEqual(parsedMaxAge.value, undefined); + notEqual(parsedIncludeSubdomains.value, undefined); +} + +function run_test() { + let SSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + + check_ip(SSService, 4, "127.0.0.1"); + check_ip(SSService, 4, "10.0.0.1"); + check_ip(SSService, 6, "2001:db8::1"); + check_ip(SSService, 6, "1080::8:800:200C:417A"); +} diff --git a/security/manager/ssl/tests/unit/test_sts_parser.js b/security/manager/ssl/tests/unit/test_sts_parser.js new file mode 100644 index 0000000000..4d689fede5 --- /dev/null 
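Review bot: The block comment in `check_ip` says the output parameters "will remain empty" when the header is ignored, yet the last two assertions require `parsedMaxAge.value` and `parsedIncludeSubdomains.value` to be something other than `undefined`. Either the comment or the assertions misstate the contract. Presumably the out-params are filled with default values, in which case the comment should say so, e.g. `// The out-params are set to their defaults, never to the values from the header.` Asserting those defaults directly (to be confirmed against the interface) would also be tighter than four `notEqual` calls. Each `ok(!s.isSecureURI(uri))` before the header is processed would benefit from a message naming the IP literal.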
+++ b/security/manager/ssl/tests/unit/test_sts_parser.js 
@@ -0,0 +1,123 @@ +/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- + * vim: sw=2 ts=2 sts=2 + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +"use strict"; + +// STS parser tests + +let sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService); + +function testSuccess(header, expectedMaxAge, expectedIncludeSubdomains) { + let dummyUri = Services.io.newURI("https://foo.com/bar.html"); + let maxAge = {}; + let includeSubdomains = {}; + + sss.processHeader(dummyUri, header, {}, maxAge, includeSubdomains); + + equal(maxAge.value, expectedMaxAge, "Did not correctly parse maxAge"); + equal( + includeSubdomains.value, + expectedIncludeSubdomains, + "Did not correctly parse presence/absence of includeSubdomains" + ); +} + +function testFailure(header) { + let dummyUri = Services.io.newURI("https://foo.com/bar.html"); + let maxAge = {}; + let includeSubdomains = {}; + + throws( + () => { + sss.processHeader(dummyUri, header, {}, maxAge, includeSubdomains); + }, + /NS_ERROR_FAILURE/, + "Parsed invalid header: " + header + ); +} + +function run_test() { + // SHOULD SUCCEED: + testSuccess("max-age=100", 100, false); + testSuccess("max-age =100", 100, false); + testSuccess(" max-age=100", 100, false); + testSuccess("max-age = 100 ", 100, false); + testSuccess('max-age = "100" ', 100, false); + testSuccess('max-age="100"', 100, false); + testSuccess(' max-age ="100" ', 100, false); + testSuccess('\tmax-age\t=\t"100"\t', 100, false); + testSuccess("max-age = 100 ", 100, false); + + testSuccess("maX-aGe=100", 100, false); + testSuccess("MAX-age =100", 100, false); + testSuccess("max-AGE=100", 100, false); + testSuccess("Max-Age = 100 ", 100, false); + testSuccess("MAX-AGE = 100 ", 100, false); + + testSuccess("max-age=100;includeSubdomains", 100, true); + testSuccess("max-age=100\t; 
includeSubdomains", 100, true); + testSuccess(" max-age=100; includeSubdomains", 100, true); + testSuccess("max-age = 100 ; includeSubdomains", 100, true); + testSuccess( + "max-age = 100 ; includeSubdomains", + 100, + true + ); + + testSuccess("maX-aGe=100; includeSUBDOMAINS", 100, true); + testSuccess("MAX-age =100; includeSubDomains", 100, true); + testSuccess("max-AGE=100; iNcLuDeSuBdoMaInS", 100, true); + testSuccess("Max-Age = 100; includesubdomains ", 100, true); + testSuccess("INCLUDESUBDOMAINS;MaX-AgE = 100 ", 100, true); + // Turns out, the actual directive is entirely optional (hence the + // trailing semicolon) + testSuccess("max-age=100;includeSubdomains;", 100, true); + + // these are weird tests, but are testing that some extended syntax is + // still allowed (but it is ignored) + testSuccess("max-age=100 ; includesubdomainsSomeStuff", 100, false); + testSuccess( + "\r\n\t\t \tcompletelyUnrelated = foobar; max-age= 34520103" + + "\t \t; alsoUnrelated;asIsThis;\tincludeSubdomains\t\t \t", + 34520103, + true + ); + testSuccess('max-age=100; unrelated="quoted \\"thingy\\""', 100, false); + + // SHOULD FAIL: + // invalid max-ages + testFailure("max-age"); + testFailure("max-age "); + testFailure("max-age=p"); + testFailure("max-age=*1p2"); + testFailure("max-age=.20032"); + testFailure("max-age=!20032"); + testFailure("max-age==20032"); + + // invalid headers + testFailure("foobar"); + testFailure("maxage=100"); + testFailure("maxa-ge=100"); + testFailure("max-ag=100"); + testFailure("includesubdomains"); + testFailure(";"); + testFailure('max-age="100'); + // The max-age directive here doesn't conform to the spec, so it MUST + // be ignored. Consequently, the REQUIRED max-age directive is not + // present in this header, and so it is invalid. 
+ testFailure("max-age=100, max-age=200; includeSubdomains"); + testFailure("max-age=100 includesubdomains"); + testFailure("max-age=100 bar foo"); + testFailure("max-age=100randomstuffhere"); + // All directives MUST appear only once in an STS header field. + testFailure("max-age=100; max-age=200"); + testFailure("includeSubdomains; max-age=200; includeSubdomains"); + testFailure("max-age=200; includeSubdomains; includeSubdomains"); + // The includeSubdomains directive is valueless. + testFailure("max-age=100; includeSubdomains=unexpected"); + // LWS must have at least one space or horizontal tab + testFailure("\r\nmax-age=200"); +} diff --git a/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js b/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js new file mode 100644 index 0000000000..f52605059f --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js 
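Review bot: The "invalid max-ages" group in `run_test` has no signed or out-of-range numeric value; every rejected `max-age` there fails on a non-digit character or a missing value. Since `max-age` is parsed into an integer that controls how long the HSTS entry lives, a negative value and a digit string too long for the integer type are worth pinning. Proposed cases are `testFailure("max-age=-100");` plus a constructed value such as `"max-age=99999999999999999999"`, whose expected outcome (reject or clamp) needs confirming against the parser. `testSuccess` and `testFailure` also reuse `https://foo.com/bar.html`, so state from earlier calls stays in the service; a reserved name like `example.com` and a reset between cases would keep them independent.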
@@ -0,0 +1,266 @@ +"use strict"; + +var gSSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService +); + +function Observer() {} +Observer.prototype = { + observe(subject, topic, data) { + if (topic == "last-pb-context-exited") { + run_next_test(); + } + }, +}; + +var gObserver = new Observer(); + +function cleanup() { + Services.obs.removeObserver(gObserver, "last-pb-context-exited"); + gSSService.clearAll(); +} + +function run_test() { + do_get_profile(); + + registerCleanupFunction(cleanup); + Services.obs.addObserver(gObserver, "last-pb-context-exited"); + + add_test(test_part1); + add_test(test_private_browsing1); + add_test(test_private_browsing2); + + run_next_test(); +} + +function test_part1() { + // check that a host not in the list is not identified as an sts host + ok( + !gSSService.isSecureURI( + Services.io.newURI("https://nonexistent.example.com") + ) + ); + + // check that an ancestor domain is not identified as an sts host + ok(!gSSService.isSecureURI(Services.io.newURI("https://com"))); + + // check that the pref to toggle using the preload list works + Services.prefs.setBoolPref( + "network.stricttransportsecurity.preloadlist", + false + ); + ok( + !gSSService.isSecureURI( + Services.io.newURI("https://includesubdomains.preloaded.test") + ) + ); + Services.prefs.setBoolPref( + "network.stricttransportsecurity.preloadlist", + true + ); + ok( + gSSService.isSecureURI( + Services.io.newURI("https://includesubdomains.preloaded.test") + ) + ); + + // check that a subdomain is an sts host (includeSubdomains is set) + ok( + gSSService.isSecureURI( + Services.io.newURI("https://subdomain.includesubdomains.preloaded.test") + ) + ); + + // check that another subdomain is an sts host (includeSubdomains is set) + ok( + gSSService.isSecureURI( + Services.io.newURI("https://a.b.c.def.includesubdomains.preloaded.test") + ) + ); + + // check that a subdomain is not an sts host (includeSubdomains is not set) + ok( + 
!gSSService.isSecureURI( + Services.io.newURI("https://subdomain.noincludesubdomains.preloaded.test") + ) + ); + + // check that a host with a dot on the end won't break anything + ok( + !gSSService.isSecureURI( + Services.io.newURI("https://notsts.nonexistent.example.com.") + ) + ); + + // check that processing a header with max-age: 0 will remove a preloaded + // site from the list + let uri = Services.io.newURI("https://includesubdomains.preloaded.test"); + let subDomainUri = Services.io.newURI( + "https://subdomain.includesubdomains.preloaded.test" + ); + gSSService.processHeader(uri, "max-age=0"); + ok(!gSSService.isSecureURI(uri)); + ok(!gSSService.isSecureURI(subDomainUri)); + // check that processing another header (with max-age non-zero) will + // re-enable a site's sts status + gSSService.processHeader(uri, "max-age=1000"); + ok(gSSService.isSecureURI(uri)); + // but this time include subdomains was not set, so test for that + ok(!gSSService.isSecureURI(subDomainUri)); + gSSService.clearAll(); + + // check that processing a header with max-age: 0 from a subdomain of a site + // will not remove that (ancestor) site from the list + uri = Services.io.newURI( + "https://subdomain.noincludesubdomains.preloaded.test" + ); + gSSService.processHeader(uri, "max-age=0"); + ok( + gSSService.isSecureURI( + Services.io.newURI("https://noincludesubdomains.preloaded.test") + ) + ); + ok(!gSSService.isSecureURI(uri)); + + uri = Services.io.newURI( + "https://subdomain.includesubdomains.preloaded.test" + ); + gSSService.processHeader(uri, "max-age=0"); + // we received a header with "max-age=0", so we have "no information" + // regarding the sts state of subdomain.includesubdomains.preloaded.test specifically, + // but it is actually still an STS host, because of the preloaded + // includesubdomains.preloaded.test including subdomains. 
+ // Here's a drawing: + // |-- includesubdomains.preloaded.test (in preload list, includes subdomains) IS sts host + // |-- subdomain.includesubdomains.preloaded.test IS sts host + // | `-- another.subdomain.includesubdomains.preloaded.test IS sts host + // `-- sibling.includesubdomains.preloaded.test IS sts host + ok( + gSSService.isSecureURI( + Services.io.newURI("https://includesubdomains.preloaded.test") + ) + ); + ok( + gSSService.isSecureURI( + Services.io.newURI("https://subdomain.includesubdomains.preloaded.test") + ) + ); + ok( + gSSService.isSecureURI( + Services.io.newURI("https://sibling.includesubdomains.preloaded.test") + ) + ); + ok( + gSSService.isSecureURI( + Services.io.newURI( + "https://another.subdomain.includesubdomains.preloaded.test" + ) + ) + ); + + gSSService.processHeader(uri, "max-age=1000"); + // Here's what we have now: + // |-- includesubdomains.preloaded.test (in preload list, includes subdomains) IS sts host + // |-- subdomain.includesubdomains.preloaded.test (include subdomains is false) IS sts host + // | `-- another.subdomain.includesubdomains.preloaded.test IS NOT sts host + // `-- sibling.includesubdomains.preloaded.test IS sts host + ok( + gSSService.isSecureURI( + Services.io.newURI("https://subdomain.includesubdomains.preloaded.test") + ) + ); + ok( + gSSService.isSecureURI( + Services.io.newURI("https://sibling.includesubdomains.preloaded.test") + ) + ); + ok( + !gSSService.isSecureURI( + Services.io.newURI( + "https://another.subdomain.includesubdomains.preloaded.test" + ) + ) + ); + + // Test that an expired non-private browsing entry results in correctly + // identifying a host that is on the preload list as no longer sts. + // (This happens when we're in regular browsing mode, we get a header from + // a site on the preload list, and that header later expires. We need to + // then treat that host as no longer an sts host.) 
+ // (sanity check first - this should be in the preload list) + uri = Services.io.newURI("https://includesubdomains2.preloaded.test"); + ok(gSSService.isSecureURI(uri)); + gSSService.processHeader(uri, "max-age=1"); + do_timeout(1250, function() { + ok(!gSSService.isSecureURI(uri)); + run_next_test(); + }); +} + +const PRIVATE_ORIGIN_ATTRIBUTES = { privateBrowsingId: 1 }; + +function test_private_browsing1() { + gSSService.clearAll(); + let uri = Services.io.newURI("https://includesubdomains.preloaded.test"); + let subDomainUri = Services.io.newURI( + "https://a.b.c.subdomain.includesubdomains.preloaded.test" + ); + // sanity - includesubdomains.preloaded.test is preloaded, includeSubdomains set + ok(gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES)); + ok(gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES)); + + gSSService.processHeader(uri, "max-age=0", PRIVATE_ORIGIN_ATTRIBUTES); + ok(!gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES)); + ok(!gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES)); + + // check adding it back in + gSSService.processHeader(uri, "max-age=1000", PRIVATE_ORIGIN_ATTRIBUTES); + ok(gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES)); + // but no includeSubdomains this time + ok(!gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES)); + + // do the hokey-pokey... + gSSService.processHeader(uri, "max-age=0", PRIVATE_ORIGIN_ATTRIBUTES); + ok(!gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES)); + ok(!gSSService.isSecureURI(subDomainUri, PRIVATE_ORIGIN_ATTRIBUTES)); + + // Test that an expired private browsing entry results in correctly + // identifying a host that is on the preload list as no longer sts. + // (This happens when we're in private browsing mode, we get a header from + // a site on the preload list, and that header later expires. We need to + // then treat that host as no longer an sts host.) 
+ // (sanity check first - this should be in the preload list) + uri = Services.io.newURI("https://includesubdomains2.preloaded.test"); + ok(gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES)); + gSSService.processHeader(uri, "max-age=1", PRIVATE_ORIGIN_ATTRIBUTES); + do_timeout(1250, function() { + ok(!gSSService.isSecureURI(uri, PRIVATE_ORIGIN_ATTRIBUTES)); + // Simulate leaving private browsing mode + Services.obs.notifyObservers(null, "last-pb-context-exited"); + }); +} + +function test_private_browsing2() { + // if this test gets this far, it means there's a private browsing service + ok( + gSSService.isSecureURI( + Services.io.newURI("https://includesubdomains.preloaded.test") + ) + ); + // the includesubdomains.preloaded.test entry has includeSubdomains set + ok( + gSSService.isSecureURI( + Services.io.newURI("https://subdomain.includesubdomains.preloaded.test") + ) + ); + + // Now that we're out of private browsing mode, we need to make sure + // we've "forgotten" that we "forgot" this site's sts status. + ok( + gSSService.isSecureURI( + Services.io.newURI("https://includesubdomains2.preloaded.test") + ) + ); + + run_next_test(); +} diff --git a/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js b/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js new file mode 100644 index 0000000000..334fbf8a7b --- /dev/null +++ b/security/manager/ssl/tests/unit/test_sts_preloadlist_selfdestruct.js 
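Review bot: Every assertion in `test_private_browsing1` after the private `max-age=0` header passes `PRIVATE_ORIGIN_ATTRIBUTES`, so nothing verifies that the private override stays out of the normal-browsing view while the private context is still open. `test_private_browsing2` only looks after `last-pb-context-exited` has fired. Adding `ok(gSSService.isSecureURI(uri), "private max-age=0 must not affect non-private state");` right after the first private `processHeader` call would pin the isolation, assuming that is the intended behaviour. Both expiry checks also rely on a real 1250 ms `do_timeout` against `max-age=1`. If the `test.currentTimeOffsetSeconds` pref used in the selfdestruct test in this commit also applies to dynamic entries, it would remove that timing dependence.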
@@ -0,0 +1,22 @@ +"use strict"; + +function run_test() { + let SSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService + ); + let uri = Services.io.newURI("https://includesubdomains.preloaded.test"); + + // check that a host on the preload list is identified as an sts host + ok(SSService.isSecureURI(uri)); + + // now simulate that it's 19 weeks later than it actually is + let offsetSeconds = 19 * 7 * 24 * 60 * 60; + Services.prefs.setIntPref("test.currentTimeOffsetSeconds", offsetSeconds); + + // check that the preloaded host is no longer considered sts + ok(!SSService.isSecureURI(uri)); + + // just make sure we can get everything back to normal + Services.prefs.clearUserPref("test.currentTimeOffsetSeconds"); + ok(SSService.isSecureURI(uri)); +} diff --git a/security/manager/ssl/tests/unit/test_validity.js b/security/manager/ssl/tests/unit/test_validity.js new file mode 100644 index 0000000000..ebdc66f9c5 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity.js 
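Review bot: `run_test` restores `test.currentTimeOffsetSeconds` with an inline `clearUserPref` near the end, so the 19-week clock offset stays in place if anything before that line throws. Registering the reset up front avoids that: `registerCleanupFunction(() => Services.prefs.clearUserPref("test.currentTimeOffsetSeconds"));`. The `19 * 7 * 24 * 60 * 60` offset is also unexplained; a comment naming the preload-list lifetime it is meant to exceed would help. A second check with an offset just below that lifetime would pin the boundary rather than a single point beyond it.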
@@ -0,0 +1,106 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests that chains containing an end-entity cert with an overly long validity +// period are rejected. + +do_get_profile(); // Must be called before getting nsIX509CertDB +const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +const SERVER_PORT = 8888; + +function getOCSPResponder(expectedCertNames) { + let expectedPaths = expectedCertNames.slice(); + return startOCSPResponder( + SERVER_PORT, + "www.example.com", + "test_validity", + expectedCertNames, + expectedPaths + ); +} + +function certFromFile(filename) { + return constructCertFromFile(`test_validity/${filename}`); +} + +function loadCert(certFilename, trustString) { + addCertFromFile(certDB, `test_validity/${certFilename}`, trustString); +} + +/** + * Asynchronously runs a single EV test. + * + * @param {Array} expectedNamesForOCSP + * An array of nicknames of the certs to be responded to. + * @param {string} rootCertFileName + * The file name of the root cert. Can begin with ".." to reference + * certs in folders other than "test_validity/". + * @param {Array} intCertFileNames + * An array of file names of any intermediate certificates. + * @param {string} endEntityCertFileName + * The file name of the end entity cert. + * @param {boolean} expectedResult + * Whether the chain is expected to validate as EV. 
+ */ +async function doEVTest( + expectedNamesForOCSP, + rootCertFileName, + intCertFileNames, + endEntityCertFileName, + expectedResult +) { + clearOCSPCache(); + let ocspResponder = getOCSPResponder(expectedNamesForOCSP); + + loadCert(`${rootCertFileName}.pem`, "CTu,CTu,CTu"); + for (let intCertFileName of intCertFileNames) { + loadCert(`${intCertFileName}.pem`, ",,"); + } + await checkEVStatus( + certDB, + certFromFile(`${endEntityCertFileName}.pem`), + certificateUsageSSLServer, + expectedResult + ); + + await stopOCSPResponder(ocspResponder); +} + +async function checkEVChains() { + // Chain with an end entity cert with a validity period that is acceptable + // for EV. + const intFullName = "ev_int_60_months-evroot"; + let eeFullName = `ev_ee_27_months-${intFullName}`; + let expectedNamesForOCSP = [eeFullName]; + await doEVTest( + expectedNamesForOCSP, + "../test_ev_certs/evroot", + [intFullName], + eeFullName, + gEVExpected + ); + + // Chain with an end entity cert with a validity period that is too long + // for EV. + eeFullName = `ev_ee_28_months-${intFullName}`; + expectedNamesForOCSP = [eeFullName]; + await doEVTest( + expectedNamesForOCSP, + "../test_ev_certs/evroot", + [intFullName], + eeFullName, + false + ); +} + +add_task(async function() { + Services.prefs.setCharPref("network.dns.localDomains", "www.example.com"); + Services.prefs.setIntPref("security.OCSP.enabled", 1); + + await checkEVChains(); +}); diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem new file mode 100644 index 0000000000..cccff8d9eb --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem 
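Review bot: In doEVTest, `stopOCSPResponder` is reached only when `checkEVStatus` resolves, so a rejected verification leaves the responder bound to SERVER_PORT when the next chain is tested. Wrapping the check keeps teardown unconditional: `try { await checkEVStatus(...); } finally { await stopOCSPResponder(ocspResponder); }`. Separately, the two end-entity fixtures are 823 and 854 days long according to their certspecs. The test therefore shows that an over-long EV validity period is rejected but does not pin where the cutoff sits, and a short comment in checkEVChains saying so would help the next reader.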
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDbTCCAlWgAwIBAgIUL3u0qxcophiFgaiJ2owryQeh3uwwDQYJKoZIhvcNAQEL +BQAwIjEgMB4GA1UEAwwXZXZfaW50XzYwX21vbnRocy1ldnJvb3QwIhgPMjAyMTEx +MTUxMjAwMDBaGA8yMDI0MDIxNjEyMDAwMFowMjEwMC4GA1UEAwwnZXZfZWVfMjdf +bW9udGhzLWV2X2ludF82MF9tb250aHMtZXZyb290MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GGMIGDMGAGCCsG +AQUFBwEBBFQwUjBQBggrBgEFBQcwAYZEaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4 +ODg4L2V2X2VlXzI3X21vbnRocy1ldl9pbnRfNjBfbW9udGhzLWV2cm9vdC8wHwYD +VR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQELBQADggEB +ABZH5/BLYkqjaKryxtGq1Yc6CbguhJUg4LfYfIT2ir/ehmvSOUAv0S8ZrLNmNmVn +cDWDYehPoCuPlbuhgOpGM2+Oej+tWAA6k5SMZhOM0c/16x5Ljqc2ZtOL/JJwYV9z +3YqW4TPWqdcARu7Ijf4cqonlZ+Uc398/wMiRlDQxOobtR+qN1QgyFri8Qnz22rBd +JP+cRqjcyWAdhcHGT0c49dAk1fx7aO5zmithCJ6z+smrrruDms1aFb0kqi/TVkGv +xYtvnkgdi09Pk6vXpX5JPwLBKPDawMBvZmlJSNfjCvDpoHhY6FCjyXFRQj6R7Uiq +YP9z9sbvjS9D9lnYa3UjoGI= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec new file mode 100644 index 0000000000..d2c7fa1275 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_27_months-ev_int_60_months-evroot.pem.certspec @@ -0,0 +1,5 @@ +issuer:ev_int_60_months-evroot +subject:ev_ee_27_months-ev_int_60_months-evroot +validity:823 +extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_27_months-ev_int_60_months-evroot/ +extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1 
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem new file mode 100644 index 0000000000..5baed71ca9 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDbTCCAlWgAwIBAgIUZf3qHuuMLRALksijM8PX7b+F3DQwDQYJKoZIhvcNAQEL +BQAwIjEgMB4GA1UEAwwXZXZfaW50XzYwX21vbnRocy1ldnJvb3QwIhgPMjAyMTEw +MzEwMDAwMDBaGA8yMDI0MDMwMzAwMDAwMFowMjEwMC4GA1UEAwwnZXZfZWVfMjhf +bW9udGhzLWV2X2ludF82MF9tb250aHMtZXZyb290MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1aFdsJHvB +xyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/weadA4ICmT +qyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSSpH25iGF5 +kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62WYVu34pYS +wHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauRCE42yxwk +BCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABo4GGMIGDMGAGCCsG +AQUFBwEBBFQwUjBQBggrBgEFBQcwAYZEaHR0cDovL3d3dy5leGFtcGxlLmNvbTo4 +ODg4L2V2X2VlXzI4X21vbnRocy1ldl9pbnRfNjBfbW9udGhzLWV2cm9vdC8wHwYD +VR0gBBgwFjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwDQYJKoZIhvcNAQELBQADggEB +AGG25tskpdAYzSwgXWQ8hC8Z44pkYGVHpu7LfszA4WPM+17I8iczxqHa9vANvEfh +g95QEuBbXVkp+W1aXvgDcA0ZyKumBRMrFFMapOapsqYMCSbMMjMtIhUwvAiJgPav +nmyap+Q5Ds0PY1d+MCT3PZQBTfk6zfusUTWhgQIaNZxXG7b6pxZ8AvUuZoxG9AWh +GuysraUJbUyFRfiM+YybbyldVDouFzaqSYh2Z6+/5bwf96AksVeepPLitNYibmsg +qBQsFje/90X6FU+GcD1PV91cC2j7hdENgSkmAJilBMBl5LclXMSH/lN5lTpyYll4 +YPNbYKy+3n64n0+PfW/JTus= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec new file mode 100644 index 0000000000..2dcfb2e29c --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_validity/ev_ee_28_months-ev_int_60_months-evroot.pem.certspec
@@ -0,0 +1,5 @@
+issuer:ev_int_60_months-evroot
+subject:ev_ee_28_months-ev_int_60_months-evroot
+validity:854
+extension:authorityInformationAccess:http://www.example.com:8888/ev_ee_28_months-ev_int_60_months-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key
new file mode 100644
index 0000000000..09e044f5e0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6iFGoRI4W1kH9 +braIBjYQPTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEI +eqVap0WH9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6 +iypB7qdw4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Za +qn4CkC86exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7 +LyJvaeO0ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs +2hgKNe2NAgMBAAECggEBAJ7LzjhhpFTsseD+j4XdQ8kvWCXOLpl4hNDhqUnaosWs +VZskBFDlrJ/gw+McDu+mUlpl8MIhlABO4atGPd6e6CKHzJPnRqkZKcXmrD2IdT9s +JbpZeec+XY+yOREaPNq4pLDN9fnKsF8SM6ODNcZLVWBSXn47kq18dQTPHcfLAFeI +r8vh6Pld90AqFRUw1YCDRoZOs3CqeZVqWHhiy1M3kTB/cNkcltItABppAJuSPGgz +iMnzbLm16+ZDAgQceNkIIGuHAJy4yrrK09vbJ5L7kRss9NtmA1hb6a4Mo7jmQXqg +SwbkcOoaO1gcoDpngckxW2KzDmAR8iRyWUbuxXxtlEECgYEA3W4dT//r9o2InE0R +TNqqnKpjpZN0KGyKXCmnF7umA3VkTVyqZ0xLi8cyY1hkYiDkVQ12CKwn1Vttt0+N +gSfvj6CQmLaRR94GVXNEfhg9Iv59iFrOtRPZWB3V4HwakPXOCHneExNx7O/JznLp +xD3BJ9I4GQ3oEXc8pdGTAfSMdCsCgYEA16dz2evDgKdn0v7Ak0rU6LVmckB3Gs3r +ta15b0eP7E1FmF77yVMpaCicjYkQL63yHzTi3UlA66jAnW0fFtzClyl3TEMnXpJR +3b5JCeH9O/Hkvt9Go5uLODMo70rjuVuS8gcK8myefFybWH/t3gXo59hspXiG+xZY +EKd7mEW8MScCgYEAlkcrQaYQwK3hryJmwWAONnE1W6QtS1oOtOnX6zWBQAul3RMs +2xpekyjHu8C7sBVeoZKXLt+X0SdR2Pz2rlcqMLHqMJqHEt1OMyQdse5FX8CT9byb +WS11bmYhR08ywHryL7J100B5KzK6JZC7smGu+5WiWO6lN2VTFb6cJNGRmS0CgYAo +tFCnp1qFZBOyvab3pj49lk+57PUOOCPvbMjo+ibuQT+LnRIFVA8Su+egx2got7pl +rYPMpND+KiIBFOGzXQPVqFv+Jwa9UPzmz83VcbRspiG47UfWBbvnZbCqSgZlrCU2 +TaIBVAMuEgS4VZ0+NPtbF3yaVv+TUQpaSmKHwVHeLQKBgCgGe5NVgB0u9S36ltit +tYlnPPjuipxv9yruq+nva+WKT0q/BfeIlH3IUf2qNFQhR6caJGv7BU7naqNGq80m +ks/J5ExR5vBpxzXgc7oBn2pyFJYckbJoccrqv48GRBigJpDjmo1f8wZ7fNt/ULH1 +NBinA5ZsT8d0v3QCr2xDJH9D +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key.keyspec b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key.keyspec new file mode 100644 index 0000000000..4ad96d5159 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.key.keyspec @@ -0,0 +1 @@ +default diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem new file mode 100644 index 0000000000..e46a1bed99 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDVzCCAj+gAwIBAgIUEY63P4X1xogoyQ0ncUXjGGmc63YwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMjAwNzAyMTIwMDAwWhgPMjAyNTA3 +MDExMjAwMDBaMCIxIDAeBgNVBAMMF2V2X2ludF82MF9tb250aHMtZXZyb290MIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08 +E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc +1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAP +DY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQ +gAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqV +YR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQID +AQABo4GRMIGOMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMFAGCCsGAQUFBwEB +BEQwQjBABggrBgEFBQcwAYY0aHR0cDovL3d3dy5leGFtcGxlLmNvbTo4ODg4L2V2 +X2ludF82MF9tb250aHMtZXZyb290LzAfBgNVHSAEGDAWMBQGEisGAQQB60mFGoUa +hRoBg3QJATANBgkqhkiG9w0BAQsFAAOCAQEAKiVH+FgOqh/HTMCPjgftKQ8icRJF ++TysMrjJTCZ+whi1uMtXNHZmWtckAd8xEjor4qhO3K8gaZv3wm56t6FPZp9zWNO2 +QYbNeWwex6Dd9uIl0h2/uCTnUAjBGjPcNZngYMVh5NANQ1vRcnZ4CalBew9oPQwG +EEd2uerN+ikXUTAQD4Z1MuSZSoRaWw6vAB5sooFWc8TqDfWdAVtv+R7pKezIV76f +3Pas+Tci+CeUkwSRCTKPAy3aqygtaD4ZGq9d6n9pBoxEHg8iJs7iMUaJCy7HTYUj +t1Xou5AMJwEHm2OA+J9/okPxI1acDjTIxgkvLkmAYT6ieQsOXw5lpd2WxA== +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem.certspec new file mode 100644 index 0000000000..e169514ffa --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_validity/ev_int_60_months-evroot.pem.certspec
@@ -0,0 +1,8 @@
+issuer:evroot
+subject:ev_int_60_months-evroot
+issuerKey:ev
+validity:1825
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign
+extension:authorityInformationAccess:http://www.example.com:8888/ev_int_60_months-evroot/
+extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.key b/security/manager/ssl/tests/unit/test_validity/evroot.key
new file mode 100644
index 0000000000..1d88a930d5
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity/evroot.key
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQC1SYlcnQAQjRGh ++Z+HqePRpdtd+uzxiNpXv2QTaI8s5HIs/xCQOMF0Ask6Kkc9vShq7T/c02PPWikU +dwG92BjXYVv5NWvV08gzaqqMCXE2igbDzURhuT5RQk4XRLsuqtRqqzjOGWghlh+H +cUoWY2k/CXYc301roSXqzse+Jw04j3ifbN94rjFE7SjEXnkpOGOnoipImAo2pA5y +1XnJuSXf+MeTNi/9aJenwXVMXpfJZ8Pq3RquiqLMzjSKAWm4Diii1wwalgxvM18t +oJubZD9av7pJ6Kqpgelg4n2HSAvdVd2UF/oYUJ+7VUzPgaQ5fouoEoo0vfJ4ZcGJ +5XNPsikFAgMBAAECggEBAJg9VPlNb0x26yPW+T14UjUwz3Ow0WJUxueBdo1F9VaB +0dAvsr0qrGq8HDiYYJNcUqDY9BSCAQOUd4MUHYZL/zCANjilwBUlcK6dGPPYyhY+ ++0dbDd3zLn4W7HVl5rteAlxBxcZuV6A87eVUIh+DBFNHosTEUcPc5Ha3h84MBXJE +vp4E7xMRjbuz1eCmzIcCnq/Upp7ZsUdZsV452KmITlb1TS+asBPw0V8xipq2svc9 +HsPJ/idK6JQxoQZAvniZsAEcXlCToYNHCGid4QBjTaveYPvWqu+joz3zSh829gwE +MDa3SNHJ7pjEAxoK/sYO/aCpkL5ST1YU6sT9s0pS+VECgYEA6twssz5f8co3a72V +vWoXd9LPT6xHVF6S0RpiCbnV5N7UeDRYHBabPIhHQqCeoYdQXBylVBTY0ltJdjLV +7CqqBSM0MPrUmJJ3en1o4Dj1YaO4lp5gsKJj3vv9pIqbD/OdlbyIsVJnyK3pe1EH +lI5B5DMknYf32xCdXXRYTYa8wdcCgYEAxZrldqIWRwJI2USlW56b+TKZ2jQexW5V +jrqCGrzhv1e3nPQR0pBMd0+duh8VGF9gewV0oIIF1uwotmo21jQjLqry/qN1Yauv +nWRLaNs4yZZMuMluwKxh66ZNBbRGVC9COXb1rN5OzJVTbS31eJVPk/DP2cWPt4ui +p23VrChNyIMCgYEAwdLvOQYzHFKspkgR+f5CW+somDIvs9tRAyzo1+n8MiQL6SAZ +zySA/NXjKYNxJxGLKlmhv+BsiD46REfz8DHNmuvQuNNo/Hl0DSzOjq2zJN9/CR6v +4VZDYdVJILAbBHEjDl5H2T+O0zljxRe8T8ePbYsfnrqFvM7bcDMCZQjbYoUCgYEA +hSG421aU376ASjFfnvybZSdcVJCs8qNFbWXm5hC/n2R/xnUB1PV3LyMqxwzN75/C +pt+kFcfEG2r8evnQfDygP37ZPAnwuZ8sMEQ0Mi8QcXCbvBuqTJFXX6apWeB9SZaV +bZXiK1eTi25HyNUf/t/Jv4iM4NGj5CtlqJvtS5HT5fUCgYEA3El7BrkgyL4LAHe3 +mOl37vdEqQ7Cxdfmy7IkSPrHLagaMxgODYoC6DFGDH/H/TphL3uZMLYbeZ+OkI5j +LpugQJtqpwsDo7p4dCYmO1vVhD34R27bXRT2qGE+uvW5zVykL1+9KALgjk5J5XCf +UVFRDKpassHG6z7+kpXRbowlyRY= +-----END PRIVATE KEY----- diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.key.keyspec b/security/manager/ssl/tests/unit/test_validity/evroot.key.keyspec new file mode 100644 index 0000000000..1a3d76a550 --- /dev/null 
+++ b/security/manager/ssl/tests/unit/test_validity/evroot.key.keyspec @@ -0,0 +1 @@ +ev diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.pem b/security/manager/ssl/tests/unit/test_validity/evroot.pem new file mode 100644 index 0000000000..13c3031905 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity/evroot.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0TCCAbmgAwIBAgIUIZSHsVgzcvhPgdfrgdMGlpSfMegwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGZXZyb290MCIYDzIwMTUwMTAxMDAwMDAwWhgPMjAzNTAx +MDEwMDAwMDBaMBExDzANBgNVBAMMBmV2cm9vdDCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBALVJiVydABCNEaH5n4ep49Gl21367PGI2le/ZBNojyzkciz/ +EJA4wXQCyToqRz29KGrtP9zTY89aKRR3Ab3YGNdhW/k1a9XTyDNqqowJcTaKBsPN +RGG5PlFCThdEuy6q1GqrOM4ZaCGWH4dxShZjaT8JdhzfTWuhJerOx74nDTiPeJ9s +33iuMUTtKMReeSk4Y6eiKkiYCjakDnLVecm5Jd/4x5M2L/1ol6fBdUxel8lnw+rd +Gq6KoszONIoBabgOKKLXDBqWDG8zXy2gm5tkP1q/uknoqqmB6WDifYdIC91V3ZQX ++hhQn7tVTM+BpDl+i6gSijS98nhlwYnlc0+yKQUCAwEAAaMdMBswDAYDVR0TBAUw +AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBABTOHA9XbfLv/C7+ +5KycYXToOIBRSjQ0j2nsiqFda4Jx+aKsvdpdrrbLHvhrpfsA3ZgB2+eKHunVc4fo +UHNqZllAs2nx+AEinq4GX8iya5BpiyTIxXWu8v06siGgz1GxlJw1cJ/ZnFEQ9IBf +cCAr5fCoZ4RC+2OVhiSTnYPCKM+zCyw3YpISjNOg1VVkp46Htp+831Eh12YfwvdY +Fgh1fc5ohYC5GCLRuXKc9PGTsr3gp7Y0liYbK7v0RBjd+GivNQ3dS3W+lB3Ow0LH +z/fc3qvrhsd58jHpb1QZQzd9bQjuIIM6Gij7TNdNNarEVZfSJjPYLfXosNdYh5fH +HmbOwao= +-----END CERTIFICATE----- diff --git a/security/manager/ssl/tests/unit/test_validity/evroot.pem.certspec b/security/manager/ssl/tests/unit/test_validity/evroot.pem.certspec new file mode 100644 index 0000000000..3121f3486e --- /dev/null +++ b/security/manager/ssl/tests/unit/test_validity/evroot.pem.certspec @@ -0,0 +1,7 @@ +issuer:evroot +subject:evroot +subjectKey:ev +issuerKey:ev +validity:20150101-20350101 +extension:basicConstraints:cA, +extension:keyUsage:keyCertSign,cRLSign 
diff --git a/security/manager/ssl/tests/unit/test_x509.js b/security/manager/ssl/tests/unit/test_x509.js
new file mode 100644
index 0000000000..73eb4ed97a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_x509.js
@@ -0,0 +1,142 @@ +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ */ + +"use strict"; + +// Tests X509.jsm functionality. + +function stringToArray(s) { + let b = []; + for (let i = 0; i < s.length; i++) { + b.push(s.charCodeAt(i)); + } + return b; +} + +function readPEMToBytes(filename) { + return stringToArray(atob(pemToBase64(readFile(do_get_file(filename))))); +} + +function run_test() { + let certificate = new X509.Certificate(); + // We use this certificate because it has a set validity period, which means that when + // the test certificates get regenerated each year, the values in this test won't change. + certificate.parse(readPEMToBytes("bad_certs/expired-ee.pem")); + + equal( + certificate.tbsCertificate.version, + 3, + "expired-ee.pem should be x509v3" + ); + + // serialNumber + deepEqual( + certificate.tbsCertificate.serialNumber, + [ + 0x63, + 0xd1, + 0x11, + 0x00, + 0x82, + 0xa3, + 0xd2, + 0x3b, + 0x3f, + 0x61, + 0xb8, + 0x49, + 0xa0, + 0xca, + 0xdc, + 0x2e, + 0x78, + 0xfe, + 0xfa, + 0xea, + ], + "expired-ee.pem should have expected serialNumber" + ); + + deepEqual( + certificate.tbsCertificate.signature.algorithm._values, + [1, 2, 840, 113549, 1, 1, 11], // sha256WithRSAEncryption + "expired-ee.pem should have sha256WithRSAEncryption signature" + ); + deepEqual( + certificate.tbsCertificate.signature.parameters._contents, + [], + "expired-ee.pem should have NULL parameters for signature" + ); + + equal( + certificate.tbsCertificate.issuer.rdns.length, + 1, + "expired-ee.pem should have one RDN in issuer" + ); + equal( + certificate.tbsCertificate.issuer.rdns[0].avas.length, + 1, + "expired-ee.pem should have one AVA in RDN in issuer" + ); + deepEqual( + certificate.tbsCertificate.issuer.rdns[0].avas[0].value.value, + stringToArray("Test CA"), + "expired-ee.pem should have issuer 'Test CA'" + ); + + equal( + certificate.tbsCertificate.validity.notBefore.time.getTime(), + 
Date.parse("2013-01-01T00:00:00.000Z"), + "expired-ee.pem should have the correct value for notBefore" + ); + equal( + certificate.tbsCertificate.validity.notAfter.time.getTime(), + Date.parse("2014-01-01T00:00:00.000Z"), + "expired-ee.pem should have the correct value for notAfter" + ); + + equal( + certificate.tbsCertificate.subject.rdns.length, + 1, + "expired-ee.pem should have one RDN in subject" + ); + equal( + certificate.tbsCertificate.subject.rdns[0].avas.length, + 1, + "expired-ee.pem should have one AVA in RDN in subject" + ); + deepEqual( + certificate.tbsCertificate.subject.rdns[0].avas[0].value.value, + stringToArray("Expired Test End-entity"), + "expired-ee.pem should have subject 'Expired Test End-entity'" + ); + + deepEqual( + certificate.tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm._values, + [1, 2, 840, 113549, 1, 1, 1], // rsaEncryption + "expired-ee.pem should have a spki algorithm of rsaEncryption" + ); + + equal( + certificate.tbsCertificate.extensions.length, + 2, + "expired-ee.pem should have two extensions" + ); + + deepEqual( + certificate.signatureAlgorithm.algorithm._values, + [1, 2, 840, 113549, 1, 1, 11], // sha256WithRSAEncryption + "expired-ee.pem should have sha256WithRSAEncryption signatureAlgorithm" + ); + deepEqual( + certificate.signatureAlgorithm.parameters._contents, + [], + "expired-ee.pem should have NULL parameters for signatureAlgorithm" + ); + + equal( + certificate.signatureValue.length, + 2048 / 8, + "length of signature on expired-ee.pem should be 2048 bits" + ); +} diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp new file mode 100644 index 0000000000..1ccd5e876b --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp 
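Review bot: run_test exercises `X509.Certificate.parse()` with a single well-formed certificate, so nothing here covers how the parser behaves on malformed input. That is the case that matters most for code that decodes certificates received from an untrusted peer. A second check that feeds a truncated byte array and expects rejection would cover it, for example `throws(() => new X509.Certificate().parse(readPEMToBytes("bad_certs/expired-ee.pem").slice(0, 10)), /<expected error>/, "truncated DER should be rejected");`. The error X509.jsm raises is not visible in this hunk, so the pattern is a placeholder to confirm. The extensions are also checked only by count, and asserting the two extension OIDs would make that check meaningful.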
@@ -0,0 +1,141 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// This is a standalone server that uses various bad certificates. +// The client is expected to connect, initiate an SSL handshake (with SNI +// to indicate which "server" to connect to), and verify the certificate. +// If all is good, the client then sends one encrypted byte and receives that +// same byte back. +// This server also has the ability to "call back" another process waiting on +// it. That is, when the server is all set up and ready to receive connections, +// it will connect to a specified port and issue a simple HTTP request. + +#include + +#include "TLSServer.h" + +using namespace mozilla; +using namespace mozilla::test; + +struct BadCertAndPinningHost { + const char* mHostName; + const char* mCertName; +}; + +// Hostname, cert nickname pairs. +const BadCertAndPinningHost sBadCertAndPinningHosts[] = { + {"expired.example.com", "expired-ee"}, + {"notyetvalid.example.com", "notYetValid"}, + {"before-epoch.example.com", "beforeEpoch"}, + {"before-epoch-self-signed.example.com", "beforeEpochSelfSigned"}, + {"selfsigned.example.com", "selfsigned"}, + {"unknownissuer.example.com", "unknownissuer"}, + {"mismatch.example.com", "mismatch"}, + {"mismatch-CN.example.com", "mismatchCN"}, + {"mitm.example.com", "mitm"}, + {"expiredissuer.example.com", "expiredissuer"}, + {"notyetvalidissuer.example.com", "notYetValidIssuer"}, + {"before-epoch-issuer.example.com", "beforeEpochIssuer"}, + {"md5signature.example.com", "md5signature"}, + {"untrusted.example.com", "default-ee"}, + {"untrustedissuer.example.com", "untrustedissuer"}, + {"mismatch-expired.example.com", "mismatch-expired"}, + {"mismatch-notYetValid.example.com", "mismatch-notYetValid"}, + {"mismatch-untrusted.example.com", "mismatch-untrusted"}, + 
{"untrusted-expired.example.com", "untrusted-expired"}, + {"md5signature-expired.example.com", "md5signature-expired"}, + {"mismatch-untrusted-expired.example.com", "mismatch-untrusted-expired"}, + {"inadequatekeyusage.example.com", "inadequatekeyusage-ee"}, + {"selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU"}, + {"self-signed-end-entity-with-cA-true.example.com", + "self-signed-EE-with-cA-true"}, + {"ca-used-as-end-entity.example.com", "ca-used-as-end-entity"}, + {"ca-used-as-end-entity-name-mismatch.example.com", + "ca-used-as-end-entity"}, + // All of include-subdomains.pinning.example.com is pinned to End Entity + // Test Cert with nick default-ee. Any other nick will only + // pass pinning when security.cert_pinning.enforcement.level != strict and + // otherCA is added as a user-specified trust anchor. See StaticHPKPins.h. + {"include-subdomains.pinning.example.com", "default-ee"}, + {"good.include-subdomains.pinning.example.com", "default-ee"}, + {"bad.include-subdomains.pinning.example.com", "other-issuer-ee"}, + {"bad.include-subdomains.pinning.example.com.", "other-issuer-ee"}, + {"bad.include-subdomains.pinning.example.com..", "other-issuer-ee"}, + {"exclude-subdomains.pinning.example.com", "default-ee"}, + {"sub.exclude-subdomains.pinning.example.com", "other-issuer-ee"}, + {"test-mode.pinning.example.com", "other-issuer-ee"}, + {"unknownissuer.include-subdomains.pinning.example.com", "unknownissuer"}, + {"unknownissuer.test-mode.pinning.example.com", "unknownissuer"}, + {"nsCertTypeNotCritical.example.com", "nsCertTypeNotCritical"}, + {"nsCertTypeCriticalWithExtKeyUsage.example.com", + "nsCertTypeCriticalWithExtKeyUsage"}, + {"nsCertTypeCritical.example.com", "nsCertTypeCritical"}, + {"end-entity-issued-by-v1-cert.example.com", "eeIssuedByV1Cert"}, + {"end-entity-issued-by-non-CA.example.com", "eeIssuedByNonCA"}, + {"inadequate-key-size-ee.example.com", "inadequateKeySizeEE"}, + {"badSubjectAltNames.example.com", "badSubjectAltNames"}, 
+ {"ipAddressAsDNSNameInSAN.example.com", "ipAddressAsDNSNameInSAN"}, + {"noValidNames.example.com", "noValidNames"}, + {"bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", "idn-certificate"}, + {"emptyissuername.example.com", "emptyIssuerName"}, + {"ev-test.example.com", "ev-test"}, + {"ee-from-missing-intermediate.example.com", + "ee-from-missing-intermediate"}, + {"imminently-distrusted.example.com", "ee-imminently-distrusted"}, + {"localhost", "unknownissuer"}, + {"a.pinning.example.com", "default-ee"}, + {"b.pinning.example.com", "default-ee"}, + {"not-preloaded.example.com", "default-ee"}, + {"ee.example.com", "default-ee"}, + {nullptr, nullptr}}; + +int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd, + const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize) { + for (uint32_t i = 0; i < aSrvNameArrSize; i++) { + UniquePORTString name( + static_cast(PORT_ZAlloc(aSrvNameArr[i].len + 1))); + if (name) { + PORT_Memcpy(name.get(), aSrvNameArr[i].data, aSrvNameArr[i].len); + if (ConfigSecureServerWithNamedCert(aFd, name.get(), nullptr, nullptr, + nullptr) == SECSuccess) { + return 0; + } + } + } + + return SSL_SNI_SEND_ALERT; +} + +int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize, void* aArg) { + const BadCertAndPinningHost* host = + GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sBadCertAndPinningHosts); + if (!host) { + // No static cert <-> hostname mapping found. This happens when we use a + // collection of certificates in a given directory and build a cert DB at + // runtime, rather than using an NSS cert DB populated at build time. + // (This will be the default in the future.) + // For all given server names, check if the runtime-built cert DB contains + // a certificate with a matching subject CN. 
+ return DoSNISocketConfigBySubjectCN(aFd, aSrvNameArr, aSrvNameArrSize); + } + + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName); + } + + UniqueCERTCertificate cert; + SSLKEAType certKEA; + if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert, + &certKEA, nullptr)) { + return SSL_SNI_SEND_ALERT; + } + + return 0; +} + +int main(int argc, char* argv[]) { + return StartServer(argc, argv, DoSNISocketConfig, nullptr); +} diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/DelegatedCredentialsServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/DelegatedCredentialsServer.cpp new file mode 100644 index 0000000000..5f12756425 --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/DelegatedCredentialsServer.cpp 
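Review bot: DoSNISocketConfigBySubjectCN takes the server name straight from the ClientHello and uses it as an NSS certificate nickname, and the copy into a NUL-terminated buffer means a name with an embedded zero byte would be looked up by its prefix only. A comment above the loop such as `// SNI bytes are client-controlled; used as a nickname only because this is a test server`, plus `if (memchr(aSrvNameArr[i].data, 0, aSrvNameArr[i].len)) continue;` before the copy, would make the intent explicit. NSS may already reject such names before the callback runs, which is not visible here. In DoSNISocketConfig the `cert` and `certKEA` out-parameters are filled and never read, so `nullptr` could be passed there as the fallback path already does.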
@@ -0,0 +1,142 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// This is a standalone server used to test Delegated Credentials +// (see: https://tools.ietf.org/html/draft-ietf-tls-subcerts-03). +// +// The client is expected to connect, initiate an SSL handshake (with SNI +// to indicate which "server" to connect to), and verify the certificate. +// If all is good, the client then sends one encrypted byte and receives that +// same byte back. +// This server also has the ability to "call back" another process waiting on +// it. That is, when the server is all set up and ready to receive connections, +// it will connect to a specified port and issue a simple HTTP request. + +#include + +#include "TLSServer.h" + +#include "sslexp.h" + +using namespace mozilla; +using namespace mozilla::test; + +struct DelegatedCertHost { + const char* mHostName; + const char* mCertName; + const char* mDCKeyNick; + bool mEnableDelegatedCredentials; +}; + +const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */; + +// {host, eeCert, dcCert, enableDC} +const DelegatedCertHost sDelegatedCertHosts[] = { + {"delegated-enabled.example.com", "delegated-ee", "delegated.key", true}, + {"standard-enabled.example.com", "default-ee", "delegated.key", true}, + {"delegated-disabled.example.com", "delegated-ee", + /* anything non-null */ "delegated.key", false}, + {nullptr, nullptr, nullptr, false}}; + +int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize, void* aArg) { + const DelegatedCertHost* host = + GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sDelegatedCertHosts); + if (!host) { + return SSL_SNI_SEND_ALERT; + } + + if (gDebugLevel >= DEBUG_VERBOSE) { + std::cerr << "Identified host " << host->mHostName << std::endl; + } + + UniqueCERTCertificate delegatorCert( + 
PK11_FindCertFromNickname(host->mCertName, nullptr)); + if (!delegatorCert) { + PrintPRError("PK11_FindCertFromNickname failed"); + return SSL_SNI_SEND_ALERT; + } + + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { + PrintPRError("PK11_GetInternalKeySlot failed"); + return SSL_SNI_SEND_ALERT; + } + + SSLExtraServerCertData extra_data = {ssl_auth_null, + /* Filled in by callee */ nullptr, + nullptr, + nullptr, + /* DC */ nullptr, + /* DC PrivKey */ nullptr}; + + UniqueSECKEYPrivateKey delegatorPriv( + PK11_FindKeyByDERCert(slot.get(), delegatorCert.get(), nullptr)); + if (!delegatorPriv) { + PrintPRError("PK11_FindKeyByDERCert failed"); + return SSL_SNI_SEND_ALERT; + } + + // Find the DC keypair by the file (nick) name. + ScopedAutoSECItem dc; + UniqueSECKEYPrivateKey dcPriv; + if (host->mEnableDelegatedCredentials) { + if (gDebugLevel >= DEBUG_VERBOSE) { + std::cerr << "Enabling a delegated credential for host " + << host->mHostName << std::endl; + } + + if (PK11_NeedLogin(slot.get())) { + SECStatus rv = PK11_Authenticate(slot.get(), PR_TRUE, nullptr); + if (rv != SECSuccess) { + PrintPRError("PK11_Authenticate failed"); + return SSL_SNI_SEND_ALERT; + } + } + UniqueSECKEYPrivateKeyList list(PK11_ListPrivKeysInSlot( + slot.get(), const_cast(host->mDCKeyNick), nullptr)); + if (!list) { + PrintPRError("PK11_ListPrivKeysInSlot failed"); + return SSL_SNI_SEND_ALERT; + } + SECKEYPrivateKeyListNode* node = PRIVKEY_LIST_HEAD(list); + + dcPriv.reset(SECKEY_CopyPrivateKey(node->key)); + if (!dcPriv) { + PrintPRError("PK11_ListPrivKeysInSlot could not find dcPriv"); + return SSL_SNI_SEND_ALERT; + } + + UniqueSECKEYPublicKey dcPub(SECKEY_ConvertToPublicKey(dcPriv.get())); + if (!dcPub) { + PrintPRError("SECKEY_ConvertToPublicKey failed"); + return SSL_SNI_SEND_ALERT; + } + + // Create and set the DC. 
+ if (SSL_DelegateCredential(delegatorCert.get(), delegatorPriv.get(), + dcPub.get(), ssl_sig_ecdsa_secp384r1_sha384, + kDCValidFor, PR_Now(), &dc) != SECSuccess) { + PrintPRError("SSL_DelegateCredential failed"); + return SSL_SNI_SEND_ALERT; + } + extra_data.delegCred = &dc; + extra_data.delegCredPrivKey = dcPriv.get(); + + // The list should only have a single key. + PORT_Assert(PRIVKEY_LIST_END(PRIVKEY_LIST_NEXT(node), list)); + } + + if (ConfigSecureServerWithNamedCert(aFd, host->mCertName, nullptr, nullptr, + &extra_data) != SECSuccess) { + PrintPRError("ConfigSecureServerWithNamedCert failed"); + return SSL_SNI_SEND_ALERT; + } + + return 0; +} + +int main(int argc, char* argv[]) { + return StartServer(argc, argv, DoSNISocketConfig, nullptr); +} diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/EncryptedClientHelloServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/EncryptedClientHelloServer.cpp new file mode 100644 index 0000000000..fd284874b3 --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/EncryptedClientHelloServer.cpp 
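Review bot: In the delegated-credential branch of DoSNISocketConfig, `PRIVKEY_LIST_HEAD(list)` is dereferenced without checking that the list holds an entry. The single-key expectation is enforced only by a `PORT_Assert` that runs after the key has been copied and used, and that assert compiles out of non-debug builds. Checking up front, `if (PRIVKEY_LIST_END(node, list)) { PrintPRError("no private key for DC nickname"); return SSL_SNI_SEND_ALERT; }`, would fail cleanly when the nickname matches nothing. Whether PK11_ListPrivKeysInSlot can return an empty non-null list is not visible here. The message on the `SECKEY_CopyPrivateKey` failure path names PK11_ListPrivKeysInSlot, which will mislead whoever reads the log, so it should name the call that failed.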
@@ -0,0 +1,178 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// This is a standalone server that offers TLS 1.3 Encrypted +// Client Hello support. + +#include + +#include "nspr.h" +#include "ScopedNSSTypes.h" +#include "ssl.h" +#include "sslexp.h" +#include "TLSServer.h" +#include +#include + +using namespace mozilla; +using namespace mozilla::test; + +struct EchHost { + const char* mHostName; + const char* mCertName; +}; + +const std::vector kSuiteChaCha = { + (static_cast(HpkeKdfHkdfSha256) << 16) | + HpkeAeadChaCha20Poly1305}; + +// Hostname, cert nickname pairs. +const EchHost sEchHosts[] = {{"ech-public.example.com", "default-ee"}, + {"ech-private.example.com", "private-ee"}, + {"selfsigned.example.com", "selfsigned"}, + {nullptr, nullptr}}; + +int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd, + const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize) { + for (uint32_t i = 0; i < aSrvNameArrSize; i++) { + UniquePORTString name( + static_cast(PORT_ZAlloc(aSrvNameArr[i].len + 1))); + if (name) { + PORT_Memcpy(name.get(), aSrvNameArr[i].data, aSrvNameArr[i].len); + if (ConfigSecureServerWithNamedCert(aFd, name.get(), nullptr, nullptr, + nullptr) == SECSuccess) { + return 0; + } + } + } + + return SSL_SNI_SEND_ALERT; +} + +int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize, void* aArg) { + const EchHost* host = GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sEchHosts); + if (!host) { + PrintPRError("No cert found for hostname"); + return SSL_SNI_SEND_ALERT; + } + + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName); + } + + UniqueCERTCertificate cert; + SSLKEAType certKEA; + if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert, + &certKEA, nullptr)) { + return 
SSL_SNI_SEND_ALERT; + } + + return 0; +} + +int32_t SetAlpnOptions(PRFileDesc* aFd, uint8_t flags) { + const std::vector http1 = {0x08, 0x68, 0x74, 0x74, 0x70, + 0x2f, 0x31, 0x2e, 0x31}; + const std::vector http2 = {0x02, 0x68, 0x32}; + const std::vector http3 = {0x02, 0x68, 0x33}; + std::vector alpnVec = {}; + if (flags & 0b001) { + alpnVec.insert(alpnVec.end(), http1.begin(), http1.end()); + } + if (flags & 0b010) { + alpnVec.insert(alpnVec.end(), http2.begin(), http2.end()); + } + if (flags & 0b100) { + alpnVec.insert(alpnVec.end(), http3.begin(), http3.end()); + } + fprintf(stderr, "ALPN Flags: %u\n", flags); + fprintf(stderr, "ALPN length: %zu\n", alpnVec.size()); + if (SSL_SetNextProtoNego(aFd, alpnVec.data(), alpnVec.size()) != SECSuccess) { + fprintf(stderr, "Setting ALPN failed!\n"); + return 1; + } + + return 0; +} + +SECStatus ConfigureServer(PRFileDesc* aFd) { + const char* alpnFlag = PR_GetEnv("MOZ_TLS_ECH_ALPN_FLAG"); + if (alpnFlag) { + uint8_t flag = atoi(alpnFlag); + SetAlpnOptions(aFd, flag); + } + + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { + PrintPRError("PK11_GetInternalKeySlot failed"); + return SECFailure; + } + + UniqueSECKEYPublicKey pubKey; + UniqueSECKEYPrivateKey privKey; + SECKEYPublicKey* tmpPubKey = nullptr; + SECKEYPrivateKey* tmpPrivKey = nullptr; + + static const std::vector pkcs8{ + 0x30, 0x67, 0x02, 0x01, 0x00, 0x30, 0x14, 0x06, 0x07, 0x2a, 0x86, 0x48, + 0xce, 0x3d, 0x02, 0x01, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xda, + 0x47, 0x0f, 0x01, 0x04, 0x4c, 0x30, 0x4a, 0x02, 0x01, 0x01, 0x04, 0x20, + 0x8c, 0x49, 0x0e, 0x5b, 0x0c, 0x7d, 0xbe, 0x0c, 0x6d, 0x21, 0x92, 0x48, + 0x4d, 0x2b, 0x7a, 0x04, 0x23, 0xb3, 0xb4, 0x54, 0x4f, 0x24, 0x81, 0x09, + 0x5a, 0x99, 0xdb, 0xf2, 0x38, 0xfb, 0x35, 0x0f, 0xa1, 0x23, 0x03, 0x21, + 0x00, 0x8a, 0x07, 0x56, 0x39, 0x49, 0xfa, 0xc6, 0x23, 0x29, 0x36, 0xed, + 0x6f, 0x36, 0xc4, 0xfa, 0x73, 0x59, 0x30, 0xec, 0xde, 0xae, 0xf6, 0x73, + 0x4e, 0x31, 0x4a, 0xea, 0xc3, 0x5a, 0x56, 
0xfd, 0x0a}; + + SECItem pkcs8Item = {siBuffer, const_cast(pkcs8.data()), + static_cast(pkcs8.size())}; + SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey( + slot.get(), &pkcs8Item, nullptr, nullptr, false, false, KU_ALL, + &tmpPrivKey, nullptr); + + if (rv != SECSuccess) { + PrintPRError("PK11_ImportDERPrivateKeyInfoAndReturnKey failed"); + return SECFailure; + } + privKey.reset(tmpPrivKey); + tmpPubKey = SECKEY_ConvertToPublicKey(privKey.get()); + pubKey.reset(tmpPubKey); + + if (!privKey || !pubKey) { + PrintPRError("ECH/HPKE Public or Private key is null!"); + return SECFailure; + } + + std::vector echConfig(1000, 0); + unsigned int len = 0; + const PRUint8 configId = 77; + const HpkeSymmetricSuite echCipherSuite = {HpkeKdfHkdfSha256, + HpkeAeadChaCha20Poly1305}; + rv = SSL_EncodeEchConfigId(configId, "ech-public.example.com", 100, + HpkeDhKemX25519Sha256, pubKey.get(), + &echCipherSuite, 1, echConfig.data(), &len, + echConfig.size()); + if (rv != SECSuccess) { + PrintPRError("SSL_EncodeEchConfig failed"); + return rv; + } + + rv = SSL_SetServerEchConfigs(aFd, pubKey.get(), privKey.get(), + echConfig.data(), len); + if (rv != SECSuccess) { + PrintPRError("SSL_SetServerEchConfigs failed"); + return rv; + } + + return SECSuccess; +} + +int main(int argc, char* argv[]) { + int rv = StartServer(argc, argv, DoSNISocketConfig, nullptr, ConfigureServer); + if (rv < 0) { + return rv; + } +} diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp new file mode 100644 index 0000000000..4d30f8a87a --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp 
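Review bot: In `ConfigureServer`, the result of `SetAlpnOptions` is discarded and the `MOZ_TLS_ECH_ALPN_FLAG` value is narrowed from `atoi` to `uint8_t` without a range check, so a failed or mistyped ALPN setup leaves the server running with a different protocol list than the test requested. I would fail configuration instead: `if (SetAlpnOptions(aFd, flag) != 0) { return SECFailure; }`. Separately, `main` returns `rv` only when it is negative and otherwise falls off the end with exit status 0, whereas DelegatedCredentialsServer's `main` returns `StartServer(...)` directly. If StartServer reports errors with a positive value (not visible in this hunk), the failure is hidden, and `return rv;` would be the consistent form. The embedded PKCS#8 private key also deserves a one-line comment such as `// Fixed test key for the ECH config; test fixture only, never reuse elsewhere.`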
@@ -0,0 +1,206 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include + +#include "nspr.h" +#include "ScopedNSSTypes.h" +#include "ssl.h" +#include "ssl3prot.h" +#include "sslexp.h" +#include "sslimpl.h" +#include "TLSServer.h" + +#include "mozilla/Sprintf.h" + +using namespace mozilla; +using namespace mozilla::test; + +enum FaultType { + None = 0, + ZeroRtt, + UnknownSNI, +}; + +struct FaultyServerHost { + const char* mHostName; + const char* mCertName; + FaultType mFaultType; +}; + +const char* kHostOk = "ok.example.com"; +const char* kHostUnknown = "unknown.example.com"; +const char* kHostZeroRttAlertBadMac = "0rtt-alert-bad-mac.example.com"; +const char* kHostZeroRttAlertVersion = + "0rtt-alert-protocol-version.example.com"; +const char* kHostZeroRttAlertUnexpected = "0rtt-alert-unexpected.example.com"; +const char* kHostZeroRttAlertDowngrade = "0rtt-alert-downgrade.example.com"; + +const char* kCertWildcard = "default-ee"; + +/* Each type of failure gets a different SNI. + * the "default-ee" cert has a SAN for *.example.com + * the "no-san-ee" cert is signed by the test-ca, but it doesn't have any SANs. 
+ */ +const FaultyServerHost sFaultyServerHosts[]{ + {kHostOk, kCertWildcard, None}, + {kHostUnknown, kCertWildcard, UnknownSNI}, + {kHostZeroRttAlertBadMac, kCertWildcard, ZeroRtt}, + {kHostZeroRttAlertVersion, kCertWildcard, ZeroRtt}, + {kHostZeroRttAlertUnexpected, kCertWildcard, ZeroRtt}, + {kHostZeroRttAlertDowngrade, kCertWildcard, ZeroRtt}, + {nullptr, nullptr}, +}; + +nsresult SendAll(PRFileDesc* aSocket, const char* aData, size_t aDataLen) { + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "sending '%s'\n", aData); + } + + int32_t len = static_cast(aDataLen); + while (len > 0) { + int32_t bytesSent = PR_Send(aSocket, aData, len, 0, PR_INTERVAL_NO_TIMEOUT); + if (bytesSent == -1) { + PrintPRError("PR_Send failed"); + return NS_ERROR_FAILURE; + } + + len -= bytesSent; + aData += bytesSent; + } + + return NS_OK; +} + +// returns 0 on success, non-zero on error +int DoCallback(const char* path) { + UniquePRFileDesc socket(PR_NewTCPSocket()); + if (!socket) { + PrintPRError("PR_NewTCPSocket failed"); + return 1; + } + + uint32_t port = 0; + const char* callbackPort = PR_GetEnv("FAULTY_SERVER_CALLBACK_PORT"); + if (callbackPort) { + port = atoi(callbackPort); + } + if (!port) { + return 0; + } + + PRNetAddr addr; + PR_InitializeNetAddr(PR_IpAddrLoopback, port, &addr); + if (PR_Connect(socket.get(), &addr, PR_INTERVAL_NO_TIMEOUT) != PR_SUCCESS) { + PrintPRError("PR_Connect failed"); + return 1; + } + + char request[512]; + SprintfLiteral(request, "GET %s HTTP/1.0\r\n\r\n", path); + SendAll(socket.get(), request, strlen(request)); + char buf[4096]; + memset(buf, 0, sizeof(buf)); + int32_t bytesRead = + PR_Recv(socket.get(), buf, sizeof(buf) - 1, 0, PR_INTERVAL_NO_TIMEOUT); + if (bytesRead < 0) { + PrintPRError("PR_Recv failed 1"); + return 1; + } + if (bytesRead == 0) { + fprintf(stderr, "PR_Recv eof 1\n"); + return 1; + } + // fprintf(stderr, "%s\n", buf); + return 0; +} + +/* These are very rough examples. 
In practice the `arg` parameter to a callback + * might need to be an object that holds some state, like the various traffic + * secrets. */ + +/* An SSLSecretCallback is called after every key derivation step in the TLS + * 1.3 key schedule. + * + * Epoch 1 is for the early traffic secret. + * Epoch 2 is for the handshake traffic secrets. + * Epoch 3 is for the application traffic secrets. + */ +void SecretCallbackFailZeroRtt(PRFileDesc* fd, PRUint16 epoch, + SSLSecretDirection dir, PK11SymKey* secret, + void* arg) { + fprintf(stderr, "0RTT handler epoch=%d dir=%d\n", epoch, (uint32_t)dir); + FaultyServerHost* host = static_cast(arg); + + if (epoch == 1 && dir == ssl_secret_read) { + sslSocket* ss = ssl_FindSocket(fd); + if (!ss) { + fprintf(stderr, "0RTT handler, no ss!\n"); + return; + } + + char path[256]; + SprintfLiteral(path, "/callback/%d", epoch); + DoCallback(path); + + fprintf(stderr, "0RTT handler, configuring alert\n"); + if (!strcmp(host->mHostName, kHostZeroRttAlertBadMac)) { + SSL3_SendAlert(ss, alert_fatal, bad_record_mac); + } else if (!strcmp(host->mHostName, kHostZeroRttAlertVersion)) { + SSL3_SendAlert(ss, alert_fatal, protocol_version); + } else if (!strcmp(host->mHostName, kHostZeroRttAlertUnexpected)) { + SSL3_SendAlert(ss, alert_fatal, no_alert); + } + } +} + +/* An SSLRecordWriteCallback can replace the TLS record layer. 
*/ +SECStatus WriteCallbackExample(PRFileDesc* fd, PRUint16 epoch, + SSLContentType contentType, const PRUint8* data, + unsigned int len, void* arg) { + /* do something */ + return SECSuccess; +} + +int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize, void* aArg) { + const FaultyServerHost* host = + GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sFaultyServerHosts); + if (!host || host->mFaultType == UnknownSNI) { + PrintPRError("No cert found for hostname"); + return SSL_SNI_SEND_ALERT; + } + + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName); + } + + switch (host->mFaultType) { + case ZeroRtt: + SSL_SecretCallback(aFd, &SecretCallbackFailZeroRtt, (void*)host); + break; + case None: + break; + default: + break; + } + + UniqueCERTCertificate cert; + SSLKEAType certKEA; + if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert, + &certKEA, nullptr)) { + return SSL_SNI_SEND_ALERT; + } + + return 0; +} + +SECStatus ConfigureServer(PRFileDesc* aFd) { return SECSuccess; } + +int main(int argc, char* argv[]) { + int rv = StartServer(argc, argv, DoSNISocketConfig, nullptr, ConfigureServer); + if (rv < 0) { + return rv; + } +} diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp new file mode 100644 index 0000000000..113e668f89 --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp 
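Review bot: `SecretCallbackFailZeroRtt` has no branch for `kHostZeroRttAlertDowngrade`, although `sFaultyServerHosts` registers that host with `ZeroRtt`: the handler prints "configuring alert" and then sends nothing. If that is intentional (the downgrade case may be driven elsewhere, which is not visible in this hunk), it needs a comment. Otherwise close the chain with `} else { fprintf(stderr, "0RTT handler, no alert for '%s'\n", host->mHostName); }` so the gap shows up in test logs. The callback also stores `arg` in a non-const `FaultyServerHost*` while `DoSNISocketConfig` passes an entry of the `const` table through `(void*)host`; declaring it `const FaultyServerHost* host` keeps the qualifier. `DoCallback` ignores the result of `SendAll`, and `main` drops any non-negative `rv` by falling off the end instead of `return rv;`.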
@@ -0,0 +1,168 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 sw=2 tw=80 et: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* This simple program takes a database directory, and one or more tuples like + * + * to generate (one or more) ocsp responses. + */ + +#include +#include +#include + +#include "mozilla/ArrayUtils.h" + +#include "cert.h" +#include "nspr.h" +#include "nss.h" +#include "plarenas.h" +#include "prerror.h" +#include "ssl.h" +#include "secerr.h" + +#include "OCSPCommon.h" +#include "ScopedNSSTypes.h" +#include "TLSServer.h" + +using namespace mozilla; +using namespace mozilla::test; + +struct OCSPResponseName { + const char* mTypeString; + const OCSPResponseType mORT; +}; + +const static OCSPResponseName kOCSPResponseNameList[] = { + {"good", ORTGood}, // the certificate is good + {"good-delegated", ORTDelegatedIncluded}, // the certificate is good, using + // a delegated signer + {"revoked", ORTRevoked}, // the certificate has been revoked + {"unknown", ORTUnknown}, // the responder doesn't know if the + // cert is good + {"goodotherca", ORTGoodOtherCA}, // the wrong CA has signed the + // response + {"expiredresponse", ORTExpired}, // the signature on the response has + // expired + {"oldvalidperiod", ORTExpiredFreshCA}, // fresh signature, but old validity + // period + {"empty", ORTEmpty}, // an empty stapled response + + {"malformed", ORTMalformed}, // the response from the responder + // was malformed + {"serverr", ORTSrverr}, // the response indicates there was a + // server error + {"trylater", ORTTryLater}, // the responder replied with + // "try again later" + {"resp-unsigned", ORTNeedsSig}, // the response needs a signature + {"unauthorized", ORTUnauthorized}, // the responder does not know about + // the cert + 
{"bad-signature", ORTBadSignature}, // the response has a bad signature + {"longvalidityalmostold", + ORTLongValidityAlmostExpired}, // the response is + // still valid, but the generation + // is almost a year old + {"ancientstillvalid", ORTAncientAlmostExpired}, // The response is still + // valid but the generation + // is almost two years old +}; + +bool StringToOCSPResponseType(const char* respText, + /*out*/ OCSPResponseType* OCSPType) { + if (!OCSPType) { + return false; + } + for (auto ocspResponseName : kOCSPResponseNameList) { + if (strcmp(respText, ocspResponseName.mTypeString) == 0) { + *OCSPType = ocspResponseName.mORT; + return true; + } + } + return false; +} + +bool WriteResponse(const char* filename, const SECItem* item) { + if (!filename || !item || !item->data) { + PR_fprintf(PR_STDERR, "invalid parameters to WriteResponse"); + return false; + } + + UniquePRFileDesc outFile( + PR_Open(filename, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 0644)); + if (!outFile) { + PrintPRError("cannot open file for writing"); + return false; + } + int32_t rv = PR_Write(outFile.get(), item->data, item->len); + if (rv < 0 || (uint32_t)rv != item->len) { + PrintPRError("File write failure"); + return false; + } + + return true; +} + +int main(int argc, char* argv[]) { + if (argc < 7 || (argc - 7) % 5 != 0) { + PR_fprintf( + PR_STDERR, + "usage: %s " + " [ " + " ]* \n", + argv[0]); + exit(EXIT_FAILURE); + } + SECStatus rv = InitializeNSS(argv[1]); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed to initialize NSS\n"); + exit(EXIT_FAILURE); + } + UniquePLArenaPool arena(PORT_NewArena(256 * argc)); + if (!arena) { + PrintPRError("PORT_NewArena failed"); + exit(EXIT_FAILURE); + } + + for (int i = 2; i + 3 < argc; i += 5) { + const char* ocspTypeText = argv[i]; + const char* certNick = argv[i + 1]; + const char* extraCertname = argv[i + 2]; + const char* skewChars = argv[i + 3]; + const char* filename = argv[i + 4]; + + OCSPResponseType ORT; + if 
(!StringToOCSPResponseType(ocspTypeText, &ORT)) { + PR_fprintf(PR_STDERR, "Cannot generate OCSP response of type %s\n", + ocspTypeText); + exit(EXIT_FAILURE); + } + + UniqueCERTCertificate cert(PK11_FindCertFromNickname(certNick, nullptr)); + if (!cert) { + PrintPRError("PK11_FindCertFromNickname failed"); + PR_fprintf(PR_STDERR, "Failed to find certificate with nick '%s'\n", + certNick); + exit(EXIT_FAILURE); + } + + time_t skew = static_cast(atoll(skewChars)); + + SECItemArray* response = + GetOCSPResponseForType(ORT, cert, arena, extraCertname, skew); + if (!response) { + PR_fprintf(PR_STDERR, + "Failed to generate OCSP response of type %s " + "for %s\n", + ocspTypeText, certNick); + exit(EXIT_FAILURE); + } + + if (!WriteResponse(filename, &response->items[0])) { + PR_fprintf(PR_STDERR, "Failed to write file %s\n", filename); + exit(EXIT_FAILURE); + } + } + return 0; +} diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp new file mode 100644 index 0000000000..b35484572f --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp 
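Review bot: `WriteResponse` rejects any item whose `data` is null, yet `kOCSPResponseNameList` accepts `"empty"` (ORTEmpty), and the ORTEmpty branch of `GetOCSPResponseForType` in OCSPCommon.cpp (later in this patch) returns an item with `data = nullptr` and `len = 0`. As written, requesting an `empty` response therefore appears to end in "invalid parameters to WriteResponse" and `exit(EXIT_FAILURE)`. If a zero-length file is the intended output, relax the guard to `if (!filename || !item || (!item->data && item->len != 0)) {`; that error message also lacks a trailing `\n`. In `main`, the loop guard `i + 3 < argc` is weaker than the `argv[i + 4]` read and is safe only because of the earlier `(argc - 7) % 5` check; `i + 4 < argc` states the bound directly.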
@@ -0,0 +1,153 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// This is a standalone server that delivers various stapled OCSP responses. +// The client is expected to connect, initiate an SSL handshake (with SNI +// to indicate which "server" to connect to), and verify the OCSP response. +// If all is good, the client then sends one encrypted byte and receives that +// same byte back. +// This server also has the ability to "call back" another process waiting on +// it. That is, when the server is all set up and ready to receive connections, +// it will connect to a specified port and issue a simple HTTP request. + +#include + +#include "OCSPCommon.h" +#include "TLSServer.h" + +using namespace mozilla; +using namespace mozilla::test; + +const OCSPHost sOCSPHosts[] = { + {"ocsp-stapling-good.example.com", ORTGood, nullptr, nullptr}, + {"ocsp-stapling-revoked.example.com", ORTRevoked, nullptr, nullptr}, + {"ocsp-stapling-revoked-old.example.com", ORTRevokedOld, nullptr, nullptr}, + {"ocsp-stapling-unknown.example.com", ORTUnknown, nullptr, nullptr}, + {"ocsp-stapling-unknown-old.example.com", ORTUnknownOld, nullptr, nullptr}, + {"ocsp-stapling-good-other.example.com", ORTGoodOtherCert, + "ocspOtherEndEntity", nullptr}, + {"ocsp-stapling-good-other-ca.example.com", ORTGoodOtherCA, "other-test-ca", + nullptr}, + {"ocsp-stapling-expired.example.com", ORTExpired, nullptr, nullptr}, + {"ocsp-stapling-expired-fresh-ca.example.com", ORTExpiredFreshCA, nullptr, + nullptr}, + {"ocsp-stapling-none.example.com", ORTNone, nullptr, nullptr}, + {"ocsp-stapling-empty.example.com", ORTEmpty, nullptr, nullptr}, + {"ocsp-stapling-malformed.example.com", ORTMalformed, nullptr, nullptr}, + {"ocsp-stapling-srverr.example.com", ORTSrverr, nullptr, nullptr}, + {"ocsp-stapling-trylater.example.com", ORTTryLater, nullptr, 
nullptr}, + {"ocsp-stapling-needssig.example.com", ORTNeedsSig, nullptr, nullptr}, + {"ocsp-stapling-unauthorized.example.com", ORTUnauthorized, nullptr, + nullptr}, + {"ocsp-stapling-with-intermediate.example.com", ORTGood, nullptr, + "ocspEEWithIntermediate"}, + {"ocsp-stapling-bad-signature.example.com", ORTBadSignature, nullptr, + nullptr}, + {"ocsp-stapling-skip-responseBytes.example.com", ORTSkipResponseBytes, + nullptr, nullptr}, + {"ocsp-stapling-critical-extension.example.com", ORTCriticalExtension, + nullptr, nullptr}, + {"ocsp-stapling-noncritical-extension.example.com", ORTNoncriticalExtension, + nullptr, nullptr}, + {"ocsp-stapling-empty-extensions.example.com", ORTEmptyExtensions, nullptr, + nullptr}, + {"ocsp-stapling-delegated-included.example.com", ORTDelegatedIncluded, + "delegatedSigner", nullptr}, + {"ocsp-stapling-delegated-included-last.example.com", + ORTDelegatedIncludedLast, "delegatedSigner", nullptr}, + {"ocsp-stapling-delegated-missing.example.com", ORTDelegatedMissing, + "delegatedSigner", nullptr}, + {"ocsp-stapling-delegated-missing-multiple.example.com", + ORTDelegatedMissingMultiple, "delegatedSigner", nullptr}, + {"ocsp-stapling-delegated-no-extKeyUsage.example.com", ORTDelegatedIncluded, + "invalidDelegatedSignerNoExtKeyUsage", nullptr}, + {"ocsp-stapling-delegated-from-intermediate.example.com", + ORTDelegatedIncluded, "invalidDelegatedSignerFromIntermediate", nullptr}, + {"ocsp-stapling-delegated-keyUsage-crlSigning.example.com", + ORTDelegatedIncluded, "invalidDelegatedSignerKeyUsageCrlSigning", nullptr}, + {"ocsp-stapling-delegated-wrong-extKeyUsage.example.com", + ORTDelegatedIncluded, "invalidDelegatedSignerWrongExtKeyUsage", nullptr}, + {"ocsp-stapling-ancient-valid.example.com", ORTAncientAlmostExpired, + nullptr, nullptr}, + {"keysize-ocsp-delegated.example.com", ORTDelegatedIncluded, + "rsa-1016-keysizeDelegatedSigner", nullptr}, + {"revoked-ca-cert-used-as-end-entity.example.com", ORTRevoked, + "ca-used-as-end-entity", 
nullptr}, + {"ocsp-stapling-must-staple.example.com", ORTGood, nullptr, + "must-staple-ee"}, + {"ocsp-stapling-must-staple-revoked.example.com", ORTRevoked, nullptr, + "must-staple-ee"}, + {"ocsp-stapling-must-staple-missing.example.com", ORTNone, nullptr, + "must-staple-ee"}, + {"ocsp-stapling-must-staple-empty.example.com", ORTEmpty, nullptr, + "must-staple-ee"}, + {"ocsp-stapling-must-staple-ee-with-must-staple-int.example.com", ORTGood, + nullptr, "must-staple-ee-with-must-staple-int"}, + {"ocsp-stapling-plain-ee-with-must-staple-int.example.com", ORTGood, + nullptr, "must-staple-missing-ee"}, + {"ocsp-stapling-must-staple-expired.example.com", ORTExpired, nullptr, + "must-staple-ee"}, + {"ocsp-stapling-must-staple-try-later.example.com", ORTTryLater, nullptr, + "must-staple-ee"}, + {"ocsp-stapling-must-staple-invalid-signer.example.com", ORTGoodOtherCA, + "other-test-ca", "must-staple-ee"}, + {"multi-tls-feature-good.example.com", ORTNone, nullptr, + "multi-tls-feature-good-ee"}, + {"multi-tls-feature-bad.example.com", ORTNone, nullptr, + "multi-tls-feature-bad-ee"}, + {nullptr, ORTNull, nullptr, nullptr}}; + +int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize, void* aArg) { + const OCSPHost* host = + GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sOCSPHosts); + if (!host) { + return SSL_SNI_SEND_ALERT; + } + + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName); + } + + const char* certNickname = + host->mServerCertName ? host->mServerCertName : DEFAULT_CERT_NICKNAME; + + UniqueCERTCertificate cert; + SSLKEAType certKEA; + if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, certNickname, &cert, + &certKEA, nullptr)) { + return SSL_SNI_SEND_ALERT; + } + + // If the OCSP response type is "none", don't staple a response. 
+ if (host->mORT == ORTNone) { + return 0; + } + + UniquePLArenaPool arena(PORT_NewArena(1024)); + if (!arena) { + PrintPRError("PORT_NewArena failed"); + return SSL_SNI_SEND_ALERT; + } + + // response is contained by the arena - freeing the arena will free it + SECItemArray* response = GetOCSPResponseForType(host->mORT, cert, arena, + host->mAdditionalCertName, 0); + if (!response) { + return SSL_SNI_SEND_ALERT; + } + + // SSL_SetStapledOCSPResponses makes a deep copy of response + SECStatus st = SSL_SetStapledOCSPResponses(aFd, response, certKEA); + if (st != SECSuccess) { + PrintPRError("SSL_SetStapledOCSPResponses failed"); + return SSL_SNI_SEND_ALERT; + } + + return 0; +} + +int main(int argc, char* argv[]) { + return StartServer(argc, argv, DoSNISocketConfig, nullptr); +} diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp new file mode 100644 index 0000000000..9371617305 --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp 
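Review bot: `sOCSPHosts` has no comment naming its four positional fields, unlike the host tables in the sibling servers ("Hostname, cert nickname pairs"), and with this many rows it is easy to put a nickname in the wrong slot. From how `DoSNISocketConfig` reads the entries, the columns look like host name, response type, `mAdditionalCertName` and `mServerCertName`, though the struct itself is declared outside this hunk. I would add above the table: `// Hostname, OCSP response type, additional cert nickname (other EE / signer), server cert nickname (nullptr = DEFAULT_CERT_NICKNAME).` `DoSNISocketConfig` also returns `SSL_SNI_SEND_ALERT` without any log line when no host matches or when `GetOCSPResponseForType` returns null; a short stderr message, as the other servers print, would make a failing stapling test easier to trace.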
@@ -0,0 +1,87 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// This is a standalone server that uses various bad certificates. +// The client is expected to connect, initiate an SSL handshake (with SNI +// to indicate which "server" to connect to), and verify the certificate. +// If all is good, the client then sends one encrypted byte and receives that +// same byte back. +// This server also has the ability to "call back" another process waiting on +// it. That is, when the server is all set up and ready to receive connections, +// it will connect to a specified port and issue a simple HTTP request. + +#include + +#include "TLSServer.h" + +using namespace mozilla; +using namespace mozilla::test; + +struct SanctionsCertHost { + const char* mHostName; + const char* mCertName; +}; + +// Hostname, cert nickname pairs. +const SanctionsCertHost sSanctionsCertHosts[] = { + {"symantec-allowlist-after-cutoff.example.com", + "symantec-ee-from-allowlist-after-cutoff"}, + {"symantec-allowlist-before-cutoff.example.com", + "symantec-ee-from-allowlist-before-cutoff"}, + {"symantec-not-allowlisted-after-cutoff.example.com", + "symantec-ee-not-allowlisted-after-cutoff"}, + {"symantec-not-allowlisted-before-cutoff.example.com", + "symantec-ee-not-allowlisted-before-cutoff"}, + {"symantec-unaffected.example.com", "symantec-ee-unaffected"}, + {nullptr, nullptr}}; + +int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd, + const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize) { + for (uint32_t i = 0; i < aSrvNameArrSize; i++) { + UniquePORTString name( + static_cast(PORT_ZAlloc(aSrvNameArr[i].len + 1))); + if (name) { + PORT_Memcpy(name.get(), aSrvNameArr[i].data, aSrvNameArr[i].len); + if (ConfigSecureServerWithNamedCert(aFd, name.get(), nullptr, nullptr, + nullptr) == SECSuccess) { + return 0; + } + } + } + + 
return SSL_SNI_SEND_ALERT; +} + +int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize, void* aArg) { + const SanctionsCertHost* host = + GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sSanctionsCertHosts); + if (!host) { + // No static cert <-> hostname mapping found. This happens when we use a + // collection of certificates in a given directory and build a cert DB at + // runtime, rather than using an NSS cert DB populated at build time. + // (This will be the default in the future.) + // For all given server names, check if the runtime-built cert DB contains + // a certificate with a matching subject CN. + return DoSNISocketConfigBySubjectCN(aFd, aSrvNameArr, aSrvNameArrSize); + } + + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName); + } + + UniqueCERTCertificate cert; + SSLKEAType certKEA; + if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert, + &certKEA, nullptr)) { + return SSL_SNI_SEND_ALERT; + } + + return 0; +} + +int main(int argc, char* argv[]) { + return StartServer(argc, argv, DoSNISocketConfig, nullptr); +} diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build b/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build new file mode 100644 index 0000000000..ebf8f8e3e7 --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/moz.build 
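Review bot: `DoSNISocketConfigBySubjectCN` is undocumented and its name does not match what the visible code does. It copies each client-supplied SNI value and passes it to `ConfigSecureServerWithNamedCert`, the same call that receives `host->mCertName` nicknames below, so the match seems to be on certificate name rather than on a parsed subject CN (the callee is outside this hunk). The certificate served on this path is thus chosen by the name the client sends, which is acceptable only against a test DB. A comment should say so, e.g. `// Fallback: treat the SNI value as a cert name in the runtime-built test DB. Test-only: the client's SNI picks the cert.` The file header still describes a server "that uses various bad certificates", which does not describe the Symantec allowlist/cutoff cases listed in `sSanctionsCertHosts`.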
@@ -0,0 +1,45 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+GeckoSimplePrograms(
+ [
+ "BadCertAndPinningServer",
+ "DelegatedCredentialsServer",
+ "EncryptedClientHelloServer",
+ "GenerateOCSPResponse",
+ "OCSPStaplingServer",
+ "SanctionsTestServer",
+ ],
+ linkage=None,
+)
+
+if not CONFIG["MOZ_SYSTEM_NSS"]:
+ # Bug 1805371. See comment in ../lib/moz.build
+ GeckoSimplePrograms(
+ [
+ "FaultyServer",
+ ],
+ linkage=None,
+ )
+
+ DEFINES["NSS_USE_STATIC_LIBS"] = True
+
+ LOCAL_INCLUDES += [
+ "../../../../../../nss/lib/ssl",
+ "../lib",
+ ]
+ USE_LIBS += [
+ "tlsserver",
+ ]
+else:
+ LOCAL_INCLUDES += [
+ "../lib",
+ ]
+ USE_LIBS += ["mozpkix", "nspr", "nss", "tlsserver"]
+
+
+if CONFIG["MOZ_WIDGET_TOOLKIT"] == "gtk":
+ CXXFLAGS += CONFIG["MOZ_GTK3_CFLAGS"]
diff --git a/security/manager/ssl/tests/unit/tlsserver/default-ee.der b/security/manager/ssl/tests/unit/tlsserver/default-ee.der
new file mode 100644
index 0000000000..3a9b8fa9bc
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/default-ee.der
@@ -0,0 +1,3 @@
+This is now an unused file. It exists to ease the coordination between gecko
+development trees and the automation infrastructure that runs periodic updates.
+See bug 1203312 and bug 1205406.
diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
new file mode 100644
index 0000000000..be9a9af9b1
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
@@ -0,0 +1,204 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "OCSPCommon.h" + +#include + +#include "mozpkix/test/pkixtestutil.h" +#include "mozpkix/test/pkixtestnss.h" +#include "TLSServer.h" +#include "secder.h" +#include "secerr.h" + +using namespace mozilla; +using namespace mozilla::pkix; +using namespace mozilla::pkix::test; +using namespace mozilla::test; + +static TestKeyPair* CreateTestKeyPairFromCert( + const UniqueCERTCertificate& cert) { + ScopedSECKEYPrivateKey privateKey(PK11_FindKeyByAnyCert(cert.get(), nullptr)); + if (!privateKey) { + return nullptr; + } + ScopedSECKEYPublicKey publicKey(CERT_ExtractPublicKey(cert.get())); + if (!publicKey) { + return nullptr; + } + return CreateTestKeyPair(RSA_PKCS1(), publicKey, privateKey); +} + +SECItemArray* GetOCSPResponseForType(OCSPResponseType aORT, + const UniqueCERTCertificate& aCert, + const UniquePLArenaPool& aArena, + const char* aAdditionalCertName, + time_t aThisUpdateSkew) { + MOZ_ASSERT(aArena); + MOZ_ASSERT(aCert); + // Note: |aAdditionalCertName| may or may not need to be non-null depending + // on the |aORT| value given. 
+ + if (aORT == ORTNone) { + if (gDebugLevel >= DEBUG_WARNINGS) { + fprintf(stderr, + "GetOCSPResponseForType called with type ORTNone, " + "which makes no sense.\n"); + } + return nullptr; + } + + if (aORT == ORTEmpty) { + SECItemArray* arr = SECITEM_AllocArray(aArena.get(), nullptr, 1); + arr->items[0].data = nullptr; + arr->items[0].len = 0; + return arr; + } + + time_t now = time(nullptr) + aThisUpdateSkew; + time_t oldNow = now - (8 * Time::ONE_DAY_IN_SECONDS); + + mozilla::UniqueCERTCertificate cert(CERT_DupCertificate(aCert.get())); + + if (aORT == ORTGoodOtherCert) { + cert.reset(PK11_FindCertFromNickname(aAdditionalCertName, nullptr)); + if (!cert) { + PrintPRError("PK11_FindCertFromNickname failed"); + return nullptr; + } + } + // XXX CERT_FindCertIssuer uses the old, deprecated path-building logic + mozilla::UniqueCERTCertificate issuerCert( + CERT_FindCertIssuer(aCert.get(), PR_Now(), certUsageSSLCA)); + if (!issuerCert) { + PrintPRError("CERT_FindCertIssuer failed"); + return nullptr; + } + Input issuer; + if (issuer.Init(cert->derIssuer.data, cert->derIssuer.len) != Success) { + return nullptr; + } + Input issuerPublicKey; + if (issuerPublicKey.Init(issuerCert->derPublicKey.data, + issuerCert->derPublicKey.len) != Success) { + return nullptr; + } + Input serialNumber; + if (serialNumber.Init(cert->serialNumber.data, cert->serialNumber.len) != + Success) { + return nullptr; + } + CertID certID(issuer, issuerPublicKey, serialNumber); + OCSPResponseContext context(certID, now); + + mozilla::UniqueCERTCertificate signerCert; + if (aORT == ORTGoodOtherCA || aORT == ORTDelegatedIncluded || + aORT == ORTDelegatedIncludedLast || aORT == ORTDelegatedMissing || + aORT == ORTDelegatedMissingMultiple) { + signerCert.reset(PK11_FindCertFromNickname(aAdditionalCertName, nullptr)); + if (!signerCert) { + PrintPRError("PK11_FindCertFromNickname failed"); + return nullptr; + } + } + + ByteString certs[5]; + + if (aORT == ORTDelegatedIncluded) { + 
certs[0].assign(signerCert->derCert.data, signerCert->derCert.len); + context.certs = certs; + } + if (aORT == ORTDelegatedIncludedLast || aORT == ORTDelegatedMissingMultiple) { + certs[0].assign(issuerCert->derCert.data, issuerCert->derCert.len); + certs[1].assign(cert->derCert.data, cert->derCert.len); + certs[2].assign(issuerCert->derCert.data, issuerCert->derCert.len); + if (aORT != ORTDelegatedMissingMultiple) { + certs[3].assign(signerCert->derCert.data, signerCert->derCert.len); + } + context.certs = certs; + } + + switch (aORT) { + case ORTMalformed: + context.responseStatus = 1; + break; + case ORTSrverr: + context.responseStatus = 2; + break; + case ORTTryLater: + context.responseStatus = 3; + break; + case ORTNeedsSig: + context.responseStatus = 5; + break; + case ORTUnauthorized: + context.responseStatus = 6; + break; + default: + // context.responseStatus is 0 in all other cases, and it has + // already been initialized in the constructor. + break; + } + if (aORT == ORTSkipResponseBytes) { + context.skipResponseBytes = true; + } + if (aORT == ORTExpired || aORT == ORTExpiredFreshCA || + aORT == ORTRevokedOld || aORT == ORTUnknownOld) { + context.thisUpdate = oldNow; + context.nextUpdate = oldNow + Time::ONE_DAY_IN_SECONDS; + } + if (aORT == ORTLongValidityAlmostExpired) { + context.thisUpdate = now - (320 * Time::ONE_DAY_IN_SECONDS); + } + if (aORT == ORTAncientAlmostExpired) { + context.thisUpdate = now - (640 * Time::ONE_DAY_IN_SECONDS); + } + if (aORT == ORTRevoked || aORT == ORTRevokedOld) { + context.certStatus = 1; + } + if (aORT == ORTUnknown || aORT == ORTUnknownOld) { + context.certStatus = 2; + } + if (aORT == ORTBadSignature) { + context.badSignature = true; + } + OCSPResponseExtension extension; + if (aORT == ORTCriticalExtension || aORT == ORTNoncriticalExtension) { + // python DottedOIDToCode.py --tlv + // some-Mozilla-OID 1.3.6.1.4.1.13769.666.666.666.1.500.9.2 + static const uint8_t tlv_some_Mozilla_OID[] = { + 0x06, 0x12, 0x2b, 0x06, 
0x01, 0x04, 0x01, 0xeb, 0x49, 0x85, + 0x1a, 0x85, 0x1a, 0x85, 0x1a, 0x01, 0x83, 0x74, 0x09, 0x02}; + + extension.id.assign(tlv_some_Mozilla_OID, sizeof(tlv_some_Mozilla_OID)); + extension.critical = (aORT == ORTCriticalExtension); + extension.value.push_back(0x05); // tag: NULL + extension.value.push_back(0x00); // length: 0 + extension.next = nullptr; + context.responseExtensions = &extension; + } + if (aORT == ORTEmptyExtensions) { + context.includeEmptyExtensions = true; + } + + if (!signerCert) { + signerCert.reset(CERT_DupCertificate(issuerCert.get())); + } + context.signerKeyPair.reset(CreateTestKeyPairFromCert(signerCert)); + if (!context.signerKeyPair) { + PrintPRError("PK11_FindKeyByAnyCert failed"); + return nullptr; + } + + ByteString response(CreateEncodedOCSPResponse(context)); + if (ENCODING_FAILED(response)) { + PrintPRError("CreateEncodedOCSPResponse failed"); + return nullptr; + } + + SECItem item = {siBuffer, const_cast(response.data()), + static_cast(response.length())}; + SECItemArray arr = {&item, 1}; + return SECITEM_DupArray(aArena.get(), &arr); +} diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h new file mode 100644 index 0000000000..c72eae6a8e --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h 
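Review bot: In the `ORTEmpty` branch of GetOCSPResponseForType the result of `SECITEM_AllocArray(aArena.get(), nullptr, 1)` is dereferenced without a null check, so an allocation failure becomes a null-pointer write instead of the `nullptr` return that the other failure paths in this function use. Adding `if (!arr) { PrintPRError("SECITEM_AllocArray failed"); return nullptr; }` before `arr->items[0].data = nullptr;` keeps the error handling consistent. Separately, the message `"PK11_FindKeyByAnyCert failed"` near the end is also printed when `CERT_ExtractPublicKey` fails inside CreateTestKeyPairFromCert, which can mislead whoever debugs a failing OCSP test; a neutral `"CreateTestKeyPairFromCert failed"` would be accurate for both causes.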
@@ -0,0 +1,66 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// Implements generating OCSP responses of various types. Used by the +// programs in tlsserver/cmd. + +#ifndef OCSPCommon_h +#define OCSPCommon_h + +#include "ScopedNSSTypes.h" +#include "certt.h" +#include "seccomon.h" + +enum OCSPResponseType { + ORTNull = 0, + ORTGood, // the certificate is good + ORTRevoked, // the certificate has been revoked + ORTRevokedOld, // same, but the response is old + ORTUnknown, // the responder doesn't know if the cert is good + ORTUnknownOld, // same, but the response is old + ORTGoodOtherCert, // the response references a different certificate + ORTGoodOtherCA, // the wrong CA has signed the response + ORTExpired, // the signature on the response has expired + ORTExpiredFreshCA, // fresh signature, but old validity period + ORTNone, // no stapled response + ORTEmpty, // an empty stapled response + ORTMalformed, // the response from the responder was malformed + ORTSrverr, // the response indicates there was a server error + ORTTryLater, // the responder replied with "try again later" + ORTNeedsSig, // the response needs a signature + ORTUnauthorized, // the responder is not authorized for this certificate + ORTBadSignature, // the response has a signature that does not verify + ORTSkipResponseBytes, // the response does not include responseBytes + ORTCriticalExtension, // the response includes a critical extension + ORTNoncriticalExtension, // the response includes an extension that is not + // critical + ORTEmptyExtensions, // the response includes a SEQUENCE OF Extension that is + // empty + ORTDelegatedIncluded, // the response is signed by an included delegated + // responder + ORTDelegatedIncludedLast, // same, but multiple other certificates are + // included + ORTDelegatedMissing, // the response is 
signed by a not included delegated + // responder + ORTDelegatedMissingMultiple, // same, but multiple other certificates are + // included + ORTLongValidityAlmostExpired, // a good response, but that was generated a + // almost a year ago + ORTAncientAlmostExpired, // a good response, with a validity of almost two + // years almost expiring +}; + +struct OCSPHost { + const char* mHostName; + OCSPResponseType mORT; + const char* mAdditionalCertName; // useful for ORTGoodOtherCert, etc. + const char* mServerCertName; +}; + +SECItemArray* GetOCSPResponseForType( + OCSPResponseType aORT, const mozilla::UniqueCERTCertificate& aCert, + const mozilla::UniquePLArenaPool& aArena, const char* aAdditionalCertName, + time_t aThisUpdateSkew); + +#endif // OCSPCommon_h diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp new file mode 100644 index 0000000000..8eca895525 --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp 
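Review bot: The declaration of GetOCSPResponseForType at the end of this header carries no comment describing its contract. From the implementation in OCSPCommon.cpp, the returned array is allocated from `aArena` and every failure path returns `nullptr`, so I would add `// Returns an array allocated from aArena (do not free it separately), or nullptr on failure.` and `// aThisUpdateSkew is added to time(nullptr) before the response context is built.` above the declaration. `ORTNull` is the only enumerator without a trailing comment; a short one saying what it stands for would complete the list.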
@@ -0,0 +1,694 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "TLSServer.h" + +#include +#include +#include +#include +#include +#include +#ifdef XP_WIN +# include +#else +# include +#endif + +#include + +#include "base64.h" +#include "mozilla/Sprintf.h" +#include "nspr.h" +#include "nss.h" +#include "plarenas.h" +#include "prenv.h" +#include "prerror.h" +#include "prnetdb.h" +#include "prtime.h" +#include "ssl.h" +#include "sslexp.h" +#include "sslproto.h" + +namespace mozilla { +namespace test { + +static const uint16_t LISTEN_PORT = 8443; + +SSLAntiReplayContext* antiReplay = nullptr; + +DebugLevel gDebugLevel = DEBUG_ERRORS; +uint16_t gCallbackPort = 0; + +const std::string kPEMBegin = "-----BEGIN "; +const std::string kPEMEnd = "-----END "; +const char DEFAULT_CERT_NICKNAME[] = "default-ee"; + +struct Connection { + PRFileDesc* mSocket; + char mByte; + + explicit Connection(PRFileDesc* aSocket); + ~Connection(); +}; + +Connection::Connection(PRFileDesc* aSocket) : mSocket(aSocket), mByte(0) {} + +Connection::~Connection() { + if (mSocket) { + PR_Close(mSocket); + } +} + +void PrintPRError(const char* aPrefix) { + const char* err = PR_ErrorToName(PR_GetError()); + if (err) { + if (gDebugLevel >= DEBUG_ERRORS) { + fprintf(stderr, "%s: %s\n", aPrefix, err); + } + } else { + if (gDebugLevel >= DEBUG_ERRORS) { + fprintf(stderr, "%s\n", aPrefix); + } + } +} + +// This decodes a PEM file into `item`. The line endings need to be +// UNIX-style, or there will be cross-platform issues. 
+static bool DecodePEMFile(const std::string& filename, SECItem* item) { + std::ifstream in(filename); + if (in.bad()) { + return false; + } + + char buf[1024]; + in.getline(buf, sizeof(buf)); + if (in.bad()) { + return false; + } + + if (strncmp(buf, kPEMBegin.c_str(), kPEMBegin.size()) != 0) { + return false; + } + + std::string value; + for (;;) { + in.getline(buf, sizeof(buf)); + if (in.bad()) { + return false; + } + + if (strncmp(buf, kPEMEnd.c_str(), kPEMEnd.size()) == 0) { + break; + } + + value += buf; + } + + unsigned int binLength; + UniquePORTString bin(BitwiseCast( + ATOB_AsciiToData(value.c_str(), &binLength))); + if (!bin || binLength == 0) { + PrintPRError("ATOB_AsciiToData failed"); + return false; + } + + if (SECITEM_AllocItem(nullptr, item, binLength) == nullptr) { + return false; + } + + PORT_Memcpy(item->data, bin.get(), binLength); + return true; +} + +static SECStatus AddKeyFromFile(const std::string& path, + const std::string& filename) { + ScopedAutoSECItem item; + + std::string file = path + "/" + filename; + if (!DecodePEMFile(file, &item)) { + return SECFailure; + } + + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { + PrintPRError("PK11_GetInternalKeySlot failed"); + return SECFailure; + } + + if (PK11_NeedUserInit(slot.get())) { + if (PK11_InitPin(slot.get(), nullptr, nullptr) != SECSuccess) { + PrintPRError("PK11_InitPin failed"); + return SECFailure; + } + } + + SECKEYPrivateKey* privateKey = nullptr; + SECItem nick = {siBuffer, + BitwiseCast(filename.data()), + static_cast(filename.size())}; + if (PK11_ImportDERPrivateKeyInfoAndReturnKey( + slot.get(), &item, &nick, nullptr, true, false, KU_ALL, &privateKey, + nullptr) != SECSuccess) { + PrintPRError("PK11_ImportDERPrivateKeyInfoAndReturnKey failed"); + return SECFailure; + } + + SECKEY_DestroyPrivateKey(privateKey); + return SECSuccess; +} + +static SECStatus AddCertificateFromFile(const std::string& path, + const std::string& filename) { + ScopedAutoSECItem item; 
+ + std::string file = path + "/" + filename; + if (!DecodePEMFile(file, &item)) { + return SECFailure; + } + + UniqueCERTCertificate cert(CERT_NewTempCertificate( + CERT_GetDefaultCertDB(), &item, nullptr, false, true)); + if (!cert) { + PrintPRError("CERT_NewTempCertificate failed"); + return SECFailure; + } + + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { + PrintPRError("PK11_GetInternalKeySlot failed"); + return SECFailure; + } + // The nickname is the filename without '.pem'. + std::string nickname = filename.substr(0, filename.length() - 4); + SECStatus rv = PK11_ImportCert(slot.get(), cert.get(), CK_INVALID_HANDLE, + nickname.c_str(), false); + if (rv != SECSuccess) { + PrintPRError("PK11_ImportCert failed"); + return rv; + } + + return SECSuccess; +} + +SECStatus LoadCertificatesAndKeys(const char* basePath) { + // The NSS cert DB path could have been specified as "sql:path". Trim off + // the leading "sql:" if so. + if (strncmp(basePath, "sql:", 4) == 0) { + basePath = basePath + 4; + } + + UniquePRDir fdDir(PR_OpenDir(basePath)); + if (!fdDir) { + PrintPRError("PR_OpenDir failed"); + return SECFailure; + } + // On the B2G ICS emulator, operations taken in AddCertificateFromFile + // appear to interact poorly with readdir (more specifically, something is + // causing readdir to never return null - it indefinitely loops through every + // file in the directory, which causes timeouts). Rather than waste more time + // chasing this down, loading certificates and keys happens in two phases: + // filename collection and then loading. (This is probably a good + // idea anyway because readdir isn't reentrant. Something could change later + // such that it gets called as a result of calling AddCertificateFromFile or + // AddKeyFromFile.) 
+ std::vector certificates; + std::vector keys; + for (PRDirEntry* dirEntry = PR_ReadDir(fdDir.get(), PR_SKIP_BOTH); dirEntry; + dirEntry = PR_ReadDir(fdDir.get(), PR_SKIP_BOTH)) { + size_t nameLength = strlen(dirEntry->name); + if (nameLength > 4) { + if (strncmp(dirEntry->name + nameLength - 4, ".pem", 4) == 0) { + certificates.push_back(dirEntry->name); + } else if (strncmp(dirEntry->name + nameLength - 4, ".key", 4) == 0) { + keys.push_back(dirEntry->name); + } + } + } + SECStatus rv; + for (std::string& certificate : certificates) { + rv = AddCertificateFromFile(basePath, certificate.c_str()); + if (rv != SECSuccess) { + return rv; + } + } + for (std::string& key : keys) { + rv = AddKeyFromFile(basePath, key.c_str()); + if (rv != SECSuccess) { + return rv; + } + } + return SECSuccess; +} + +SECStatus InitializeNSS(const char* nssCertDBDir) { + // Try initializing an existing DB. + if (NSS_Init(nssCertDBDir) == SECSuccess) { + return SECSuccess; + } + + // Create a new DB if there is none... + SECStatus rv = NSS_Initialize(nssCertDBDir, nullptr, nullptr, nullptr, 0); + if (rv != SECSuccess) { + return rv; + } + + // ...and load all certificates into it. + return LoadCertificatesAndKeys(nssCertDBDir); +} + +nsresult SendAll(PRFileDesc* aSocket, const char* aData, size_t aDataLen) { + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "sending '%s'\n", aData); + } + + while (aDataLen > 0) { + int32_t bytesSent = + PR_Send(aSocket, aData, aDataLen, 0, PR_INTERVAL_NO_TIMEOUT); + if (bytesSent == -1) { + PrintPRError("PR_Send failed"); + return NS_ERROR_FAILURE; + } + + aDataLen -= bytesSent; + aData += bytesSent; + } + + return NS_OK; +} + +nsresult ReplyToRequest(Connection* aConn) { + // For debugging purposes, SendAll can print out what it's sending. + // So, any strings we give to it to send need to be null-terminated. 
+ char buf[2] = {aConn->mByte, 0}; + return SendAll(aConn->mSocket, buf, 1); +} + +nsresult SetupTLS(Connection* aConn, PRFileDesc* aModelSocket) { + PRFileDesc* sslSocket = SSL_ImportFD(aModelSocket, aConn->mSocket); + if (!sslSocket) { + PrintPRError("SSL_ImportFD failed"); + return NS_ERROR_FAILURE; + } + aConn->mSocket = sslSocket; + + /* anti-replay must be configured to accept 0RTT */ + if (antiReplay) { + SECStatus rv = SSL_SetAntiReplayContext(sslSocket, antiReplay); + if (rv != SECSuccess) { + PrintPRError("error configuring anti-replay "); + return NS_ERROR_FAILURE; + } + } + + SSL_OptionSet(sslSocket, SSL_SECURITY, true); + SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_CLIENT, false); + SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_SERVER, true); + // Unconditionally enabling 0RTT makes test_session_resumption.js fail + SSL_OptionSet(sslSocket, SSL_ENABLE_0RTT_DATA, + !!PR_GetEnv("MOZ_TLS_SERVER_0RTT")); + + SSL_ResetHandshake(sslSocket, /* asServer */ 1); + + return NS_OK; +} + +nsresult ReadRequest(Connection* aConn) { + int32_t bytesRead = + PR_Recv(aConn->mSocket, &aConn->mByte, 1, 0, PR_INTERVAL_NO_TIMEOUT); + if (bytesRead < 0) { + PrintPRError("PR_Recv failed"); + return NS_ERROR_FAILURE; + } else if (bytesRead == 0) { + PR_SetError(PR_IO_ERROR, 0); + PrintPRError("PR_Recv EOF in ReadRequest"); + return NS_ERROR_FAILURE; + } else { + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "read '0x%hhx'\n", aConn->mByte); + } + } + return NS_OK; +} + +void HandleConnection(PRFileDesc* aSocket, + const UniquePRFileDesc& aModelSocket) { + Connection conn(aSocket); + nsresult rv = SetupTLS(&conn, aModelSocket.get()); + if (NS_FAILED(rv)) { + PR_SetError(PR_INVALID_STATE_ERROR, 0); + PrintPRError("PR_Recv failed"); + exit(1); + } + + // TODO: On tests that are expected to fail (e.g. due to a revoked + // certificate), the client will close the connection wtihout sending us the + // request byte. In those cases, we should keep going. 
But, in the cases + // where the connection is supposed to suceed, we should verify that we + // successfully receive the request and send the response. + rv = ReadRequest(&conn); + if (NS_SUCCEEDED(rv)) { + rv = ReplyToRequest(&conn); + } +} + +// returns 0 on success, non-zero on error +int DoCallback() { + UniquePRFileDesc socket(PR_NewTCPSocket()); + if (!socket) { + PrintPRError("PR_NewTCPSocket failed"); + return 1; + } + + PRNetAddr addr; + PR_InitializeNetAddr(PR_IpAddrLoopback, gCallbackPort, &addr); + if (PR_Connect(socket.get(), &addr, PR_INTERVAL_NO_TIMEOUT) != PR_SUCCESS) { + PrintPRError("PR_Connect failed"); + return 1; + } + + const char* request = "GET / HTTP/1.0\r\n\r\n"; + SendAll(socket.get(), request, strlen(request)); + char buf[4096]; + memset(buf, 0, sizeof(buf)); + int32_t bytesRead = + PR_Recv(socket.get(), buf, sizeof(buf) - 1, 0, PR_INTERVAL_NO_TIMEOUT); + if (bytesRead < 0) { + PrintPRError("PR_Recv failed 1"); + return 1; + } + if (bytesRead == 0) { + fprintf(stderr, "PR_Recv eof 1\n"); + return 1; + } + fprintf(stderr, "%s\n", buf); + return 0; +} + +SECStatus ConfigSecureServerWithNamedCert( + PRFileDesc* fd, const char* certName, + /*optional*/ UniqueCERTCertificate* certOut, + /*optional*/ SSLKEAType* keaOut, + /*optional*/ SSLExtraServerCertData* extraData) { + UniqueCERTCertificate cert(PK11_FindCertFromNickname(certName, nullptr)); + if (!cert) { + PrintPRError("PK11_FindCertFromNickname failed"); + return SECFailure; + } + // If an intermediate certificate issued the server certificate (rather than + // directly by a trust anchor), we want to send it along in the handshake so + // we don't encounter unknown issuer errors when that's not what we're + // testing. + UniqueCERTCertificateList certList; + UniqueCERTCertificate issuerCert( + CERT_FindCertByName(CERT_GetDefaultCertDB(), &cert->derIssuer)); + // If we can't find the issuer cert, continue without it. 
+ if (issuerCert) { + // Sadly, CERTCertificateList does not have a CERT_NewCertificateList + // utility function, so we must create it ourselves. This consists + // of creating an arena, allocating space for the CERTCertificateList, + // and then transferring ownership of the arena to that list. + UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); + if (!arena) { + PrintPRError("PORT_NewArena failed"); + return SECFailure; + } + certList.reset(static_cast( + PORT_ArenaAlloc(arena.get(), sizeof(CERTCertificateList)))); + if (!certList) { + PrintPRError("PORT_ArenaAlloc failed"); + return SECFailure; + } + certList->arena = arena.release(); + // We also have to manually copy the certificates we care about to the + // list, because there aren't any utility functions for that either. + certList->certs = static_cast( + PORT_ArenaAlloc(certList->arena, 2 * sizeof(SECItem))); + if (SECITEM_CopyItem(certList->arena, certList->certs, &cert->derCert) != + SECSuccess) { + PrintPRError("SECITEM_CopyItem failed"); + return SECFailure; + } + if (SECITEM_CopyItem(certList->arena, certList->certs + 1, + &issuerCert->derCert) != SECSuccess) { + PrintPRError("SECITEM_CopyItem failed"); + return SECFailure; + } + certList->len = 2; + } + + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { + PrintPRError("PK11_GetInternalKeySlot failed"); + return SECFailure; + } + UniqueSECKEYPrivateKey key( + PK11_FindKeyByDERCert(slot.get(), cert.get(), nullptr)); + if (!key) { + PrintPRError("PK11_FindKeyByDERCert failed"); + return SECFailure; + } + + if (extraData) { + SSLExtraServerCertData dataCopy = {ssl_auth_null, nullptr, nullptr, + nullptr, nullptr, nullptr}; + memcpy(&dataCopy, extraData, sizeof(dataCopy)); + dataCopy.certChain = certList.get(); + + if (SSL_ConfigServerCert(fd, cert.get(), key.get(), &dataCopy, + sizeof(dataCopy)) != SECSuccess) { + PrintPRError("SSL_ConfigServerCert failed"); + return SECFailure; + } + + } else { + // This is the deprecated 
setup mechanism, to be cleaned up in Bug 1569222 + SSLKEAType certKEA = NSS_FindCertKEAType(cert.get()); + if (SSL_ConfigSecureServerWithCertChain(fd, cert.get(), certList.get(), + key.get(), certKEA) != SECSuccess) { + PrintPRError("SSL_ConfigSecureServer failed"); + return SECFailure; + } + + if (keaOut) { + *keaOut = certKEA; + } + } + + if (certOut) { + *certOut = std::move(cert); + } + + SSL_OptionSet(fd, SSL_NO_CACHE, false); + SSL_OptionSet(fd, SSL_ENABLE_SESSION_TICKETS, true); + // Unconditionally enabling 0RTT makes test_session_resumption.js fail + SSL_OptionSet(fd, SSL_ENABLE_0RTT_DATA, !!PR_GetEnv("MOZ_TLS_SERVER_0RTT")); + + return SECSuccess; +} + +#ifdef XP_WIN +using PidType = DWORD; +constexpr bool IsValidPid(long long pid) { + // Excluding `(DWORD)-1` because it is not a valid process ID. + // See https://devblogs.microsoft.com/oldnewthing/20040223-00/?p=40503 + return pid > 0 && pid < std::numeric_limits::max(); +} +#else +using PidType = pid_t; +constexpr bool IsValidPid(long long pid) { + return pid > 0 && pid <= std::numeric_limits::max(); +} +#endif + +PidType ConvertPid(const char* pidStr) { + long long pid = strtoll(pidStr, nullptr, 10); + if (!IsValidPid(pid)) { + return 0; + } + return static_cast(pid); +} + +int StartServer(int argc, char* argv[], SSLSNISocketConfig sniSocketConfig, + void* sniSocketConfigArg, ServerConfigFunc configFunc) { + if (argc != 3) { + fprintf(stderr, "usage: %s \n", argv[0]); + return 1; + } + const char* nssCertDBDir = argv[1]; + PidType ppid = ConvertPid(argv[2]); + + const char* debugLevel = PR_GetEnv("MOZ_TLS_SERVER_DEBUG_LEVEL"); + if (debugLevel) { + int level = atoi(debugLevel); + switch (level) { + case DEBUG_ERRORS: + gDebugLevel = DEBUG_ERRORS; + break; + case DEBUG_WARNINGS: + gDebugLevel = DEBUG_WARNINGS; + break; + case DEBUG_VERBOSE: + gDebugLevel = DEBUG_VERBOSE; + break; + default: + PrintPRError("invalid MOZ_TLS_SERVER_DEBUG_LEVEL"); + return 1; + } + } + + const char* callbackPort = 
PR_GetEnv("MOZ_TLS_SERVER_CALLBACK_PORT"); + if (callbackPort) { + gCallbackPort = atoi(callbackPort); + } + + if (InitializeNSS(nssCertDBDir) != SECSuccess) { + PR_fprintf(PR_STDERR, "InitializeNSS failed"); + return 1; + } + + if (NSS_SetDomesticPolicy() != SECSuccess) { + PrintPRError("NSS_SetDomesticPolicy failed"); + return 1; + } + + if (SSL_ConfigServerSessionIDCache(0, 0, 0, nullptr) != SECSuccess) { + PrintPRError("SSL_ConfigServerSessionIDCache failed"); + return 1; + } + + UniquePRFileDesc serverSocket(PR_NewTCPSocket()); + if (!serverSocket) { + PrintPRError("PR_NewTCPSocket failed"); + return 1; + } + + PRSocketOptionData socketOption; + socketOption.option = PR_SockOpt_Reuseaddr; + socketOption.value.reuse_addr = true; + PR_SetSocketOption(serverSocket.get(), &socketOption); + + PRNetAddr serverAddr; + PR_InitializeNetAddr(PR_IpAddrLoopback, LISTEN_PORT, &serverAddr); + if (PR_Bind(serverSocket.get(), &serverAddr) != PR_SUCCESS) { + PrintPRError("PR_Bind failed"); + return 1; + } + + if (PR_Listen(serverSocket.get(), 1) != PR_SUCCESS) { + PrintPRError("PR_Listen failed"); + return 1; + } + + UniquePRFileDesc rawModelSocket(PR_NewTCPSocket()); + if (!rawModelSocket) { + PrintPRError("PR_NewTCPSocket failed for rawModelSocket"); + return 1; + } + + UniquePRFileDesc modelSocket(SSL_ImportFD(nullptr, rawModelSocket.release())); + if (!modelSocket) { + PrintPRError("SSL_ImportFD of rawModelSocket failed"); + return 1; + } + + SSLVersionRange range = {0, 0}; + if (SSL_VersionRangeGet(modelSocket.get(), &range) != SECSuccess) { + PrintPRError("SSL_VersionRangeGet failed"); + return 1; + } + + if (range.max < SSL_LIBRARY_VERSION_TLS_1_3) { + range.max = SSL_LIBRARY_VERSION_TLS_1_3; + if (SSL_VersionRangeSet(modelSocket.get(), &range) != SECSuccess) { + PrintPRError("SSL_VersionRangeSet failed"); + return 1; + } + } + + if (PR_GetEnv("MOZ_TLS_SERVER_0RTT")) { + if (SSL_CreateAntiReplayContext(PR_Now(), 1L * PR_USEC_PER_SEC, 7, 14, + &antiReplay) != SECSuccess) 
{ + PrintPRError("Unable to create anti-replay context for 0-RTT."); + return 1; + } + } + + if (SSL_SNISocketConfigHook(modelSocket.get(), sniSocketConfig, + sniSocketConfigArg) != SECSuccess) { + PrintPRError("SSL_SNISocketConfigHook failed"); + return 1; + } + + // We have to configure the server with a certificate, but it's not one + // we're actually going to end up using. In the SNI callback, we pick + // the right certificate for the connection. + // + // Provide an empty |extra_data| to force config via SSL_ConfigServerCert. + // This is a temporary mechanism to work around inconsistent setting of + // |authType| in the deprecated API (preventing the default cert from + // being removed in favor of the SNI-selected cert). This may be removed + // after Bug 1569222 removes the deprecated mechanism. + SSLExtraServerCertData extra_data = {ssl_auth_null, nullptr, nullptr, + nullptr, nullptr, nullptr}; + if (ConfigSecureServerWithNamedCert(modelSocket.get(), DEFAULT_CERT_NICKNAME, + nullptr, nullptr, + &extra_data) != SECSuccess) { + return 1; + } + + // Call back to implementation-defined configuration func, if provided. 
+ if (configFunc) { + if (((configFunc)(modelSocket.get())) != SECSuccess) { + PrintPRError("configFunc failed"); + return 1; + } + } + + if (gCallbackPort != 0) { + if (DoCallback()) { + return 1; + } + } + + std::thread([ppid] { + if (!ppid) { + if (gDebugLevel >= DEBUG_ERRORS) { + fprintf(stderr, "invalid ppid\n"); + } + return; + } +#ifdef XP_WIN + HANDLE parent = OpenProcess(SYNCHRONIZE, false, ppid); + if (!parent) { + if (gDebugLevel >= DEBUG_ERRORS) { + fprintf(stderr, "OpenProcess failed\n"); + } + return; + } + WaitForSingleObject(parent, INFINITE); + CloseHandle(parent); +#else + while (getppid() == ppid) { + sleep(1); + } +#endif + if (gDebugLevel >= DEBUG_ERRORS) { + fprintf(stderr, "Parent process crashed\n"); + } + exit(1); + }).detach(); + + while (true) { + PRNetAddr clientAddr; + PRFileDesc* clientSocket = + PR_Accept(serverSocket.get(), &clientAddr, PR_INTERVAL_NO_TIMEOUT); + HandleConnection(clientSocket, modelSocket); + } + + return 0; +} + +} // namespace test +} // namespace mozilla diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h new file mode 100644 index 0000000000..3927b3e541 --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.h 
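Review bot: DecodePEMFile checks the stream with `in.bad()`, which is not set when `getline` fails at end of file or on a line longer than the 1024-byte buffer, so a `.pem` or `.key` file that lacks its `-----END ` line keeps the `for (;;)` loop spinning and the test server never reaches `PR_Listen`. Testing the extraction itself covers both reads: `if (!in.getline(buf, sizeof(buf))) { return false; }`. In the same file, StartServer passes the result of `PR_Accept` to HandleConnection without checking it for null, and HandleConnection reports a SetupTLS failure as `"PR_Recv failed"` before `exit(1)`; a null check with `continue` and an accurate message would make a failed accept or handshake setup easier to diagnose.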
@@ -0,0 +1,93 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef TLSServer_h +#define TLSServer_h + +// This is a standalone server for testing SSL features of Gecko. +// The client is expected to connect and initiate an SSL handshake (with SNI +// to indicate which "server" to connect to). If all is good, the client then +// sends one encrypted byte and receives that same byte back. +// This server also has the ability to "call back" another process waiting on +// it. That is, when the server is all set up and ready to receive connections, +// it will connect to a specified port and issue a simple HTTP request. + +#include + +#include "ScopedNSSTypes.h" +#include "mozilla/Casting.h" +#include "prio.h" +#include "secerr.h" +#include "ssl.h" + +namespace mozilla { + +MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePRDir, PRDir, PR_CloseDir); + +} // namespace mozilla + +namespace mozilla { +namespace test { + +typedef SECStatus (*ServerConfigFunc)(PRFileDesc* fd); + +enum DebugLevel { DEBUG_ERRORS = 1, DEBUG_WARNINGS = 2, DEBUG_VERBOSE = 3 }; + +extern DebugLevel gDebugLevel; + +void PrintPRError(const char* aPrefix); + +// The default certificate is trusted for localhost and *.example.com +extern const char DEFAULT_CERT_NICKNAME[]; + +// ConfigSecureServerWithNamedCert sets up the hostname name provided. If the +// extraData parameter is presented, extraData->certChain will be automatically +// filled in using database information. +// Pass DEFAULT_CERT_NICKNAME as certName unless you need a specific +// certificate. 
+SECStatus ConfigSecureServerWithNamedCert( + PRFileDesc* fd, const char* certName, + /*optional*/ UniqueCERTCertificate* cert, + /*optional*/ SSLKEAType* kea, + /*optional*/ SSLExtraServerCertData* extraData); + +SECStatus InitializeNSS(const char* nssCertDBDir); + +// StartServer initializes NSS, sockets, the SNI callback, and a default +// certificate. configFunc (optional) is a pointer to an implementation- +// defined configuration function, which is called on the model socket +// prior to handling any connections. +int StartServer(int argc, char* argv[], SSLSNISocketConfig sniSocketConfig, + void* sniSocketConfigArg, + ServerConfigFunc configFunc = nullptr); + +template +inline const Host* GetHostForSNI(const SECItem* aSrvNameArr, + uint32_t aSrvNameArrSize, const Host* hosts) { + for (uint32_t i = 0; i < aSrvNameArrSize; i++) { + for (const Host* host = hosts; host->mHostName; ++host) { + SECItem hostName; + hostName.data = BitwiseCast(host->mHostName); + hostName.len = strlen(host->mHostName); + if (SECITEM_ItemsAreEqual(&hostName, &aSrvNameArr[i])) { + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName); + } + return host; + } + } + } + + if (gDebugLevel >= DEBUG_VERBOSE) { + fprintf(stderr, "could not find host info from SNI\n"); + } + + PR_SetError(SEC_ERROR_INVALID_ARGS, 0); + return nullptr; +} + +} // namespace test +} // namespace mozilla + +#endif // TLSServer_h diff --git a/security/manager/ssl/tests/unit/tlsserver/lib/moz.build b/security/manager/ssl/tests/unit/tlsserver/lib/moz.build new file mode 100644 index 0000000000..8420cbd87f --- /dev/null +++ b/security/manager/ssl/tests/unit/tlsserver/lib/moz.build 
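Review bot: The comment above ConfigSecureServerWithNamedCert does not describe the two optional out-parameters, and the definition in TLSServer.cpp writes the KEA type only on the path where `extraData` is null. A caller that passes both `kea` and `extraData` would read a value that was never set, so the comment should state it, e.g. `// |kea| is only written when |extraData| is null; |cert| receives the server certificate on success.` The parameter names in this declaration (`cert`, `kea`) also differ from the definition (`certOut`, `keaOut`); using the `Out` names here makes the direction clear at the call site. The first sentence ("sets up the hostname name provided") would read better as "configures the socket with the certificate named by certName".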
@@ -0,0 +1,50 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+UNIFIED_SOURCES += [
+ "OCSPCommon.cpp",
+ "TLSServer.cpp",
+]
+
+USE_LIBS += [
+ "mozpkix-testlib",
+]
+
+if not CONFIG["MOZ_SYSTEM_NSS"]:
+ # Bug 1805371: The FaultyServer binary added in Bug 1754746 needs to
+ # be statically linked against NSS, but the configuration here breaks
+ # builds with system NSS. A complete solution involves some changes
+ # to the NSS build system. For now we're disabling FaultyServer when
+ # using system NSS and linking the rest of the tests dynamically.
+ DEFINES["NSS_USE_STATIC_LIBS"] = True
+
+ USE_LIBS += [
+ "certdb",
+ "certhi",
+ "cryptohi",
+ "freebl",
+ "mozpkix",
+ "mozpkix-testlib",
+ "nspr",
+ "nss_static",
+ "nssb",
+ "nssdev",
+ "nsspki",
+ "pk11wrap",
+ "smime",
+ "softokn3",
+ "sqlite",
+ "ssl",
+ ]
+
+ if CONFIG["MOZ_FOLD_LIBS"]:
+ USE_LIBS += ["nssutil"]
+ else:
+ USE_LIBS += ["nssutil3"]
+
+Library("tlsserver")
+
+REQUIRES_UNIFIED_BUILD = True
diff --git a/security/manager/ssl/tests/unit/tlsserver/moz.build b/security/manager/ssl/tests/unit/tlsserver/moz.build
new file mode 100644
index 0000000000..1488352914
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/moz.build
@@ -0,0 +1,8 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# lib must be first, because cmd depends on its output
+DIRS += ["lib", "cmd"]
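Review bot: `"mozpkix-testlib"` is listed twice in lib/moz.build, once in the unconditional `USE_LIBS += [...]` and again in the static list under `if not CONFIG["MOZ_SYSTEM_NSS"]:`. Unless the second entry is there for static link ordering, which nothing in the hunk says, it can be dropped from the conditional list. The Bug 1805371 comment also describes FaultyServer being disabled with system NSS, but this file only sets `NSS_USE_STATIC_LIBS` and the library list; a short pointer such as `# FaultyServer itself is gated in ../cmd/moz.build` would help, assuming that is where the gate lives.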
diff --git a/security/manager/ssl/tests/unit/xpcshell-smartcards.ini b/security/manager/ssl/tests/unit/xpcshell-smartcards.ini
new file mode 100644
index 0000000000..0a240f3e59
--- /dev/null
+++ b/security/manager/ssl/tests/unit/xpcshell-smartcards.ini
@@ -0,0 +1,17 @@
+[DEFAULT]
+head = head_psm.js
+tail =
+tags = psm
+skip-if = toolkit == 'android'
+support-files =
+
+[test_osclientcerts_module.js]
+skip-if =
+ os == "linux"
+ os == "android"
+[test_pkcs11_module.js]
+[test_pkcs11_moduleDB.js]
+[test_pkcs11_safe_mode.js]
+[test_pkcs11_slot.js]
+[test_pkcs11_token.js]
+[test_pkcs11_tokenDB.js]
diff --git a/security/manager/ssl/tests/unit/xpcshell.ini b/security/manager/ssl/tests/unit/xpcshell.ini
new file mode 100644
index 0000000000..1bf149cf35
--- /dev/null
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -0,0 +1,242 @@
+[DEFAULT]
+head = head_psm.js
+tags = psm condprof
+firefox-appdir = browser
+skip-if = os == 'win' && msix # https://bugzilla.mozilla.org/show_bug.cgi?id=1809477
+support-files =
+ corrupted_crlite_helper.js
+ bad_certs/**
+ ocsp_certs/**
+ test_baseline_requirements/**
+ test_broken_fips/**
+ test_cert_eku/**
+ test_cert_embedded_null/**
+ test_cert_isBuiltInRoot_reload/**
+ test_cert_keyUsage/**
+ test_cert_overrides_read_only/**
+ test_cert_sha1/**
+ test_cert_signatures/**
+ test_cert_storage_direct/**
+ test_cert_storage_preexisting/**
+ test_cert_storage_preexisting_crlite/**
+ test_cert_trust/**
+ test_cert_utf8/**
+ test_cert_version/**
+ test_certDB_import/**
+ test_content_signing/**
+ test_crlite_filters/**
+ test_crlite_preexisting/**
+ test_crlite_corrupted/**
+ test_ct/**
+ test_delegated_credentials/**
+ test_encrypted_client_hello/**
+ test_ev_certs/**
+ test_faulty_server/**
+ test_intermediate_basic_usage_constraints/**
+ test_intermediate_preloads/**
+ test_keysize/**
+ test_keysize_ev/**
+ test_missing_intermediate/**
+ test_name_constraints/**
+ test_ocsp_url/**
+ test_onecrl/**
+ test_sanctions/**
+ test_sdr_preexisting/**
+ test_sdr_preexisting_with_password/**
+ test_self_signed_certs/**
+ test_signed_apps/**
+ test_validity/**
+ tlsserver/**
+
+[test_add_preexisting_cert.js]
+[test_baseline_requirements_subject_common_name.js]
+[test_blocklist_onecrl.js]
+# Skip signature tests for Thunderbird (Bug 1341983).
+skip-if = appname == "thunderbird"
+tags = remote-settings blocklist psm
+[test_broken_fips.js]
+# FIPS has never been a thing on Android, so the workaround doesn't
+# exist on that platform.
+# FIPS still works on Linux, so this test doesn't make any sense there.
+# FIPS still works on Windows, but running the test to ensure that it does not
+# break with a non-ASCII profile path.
+skip-if = toolkit == 'android' || os == 'linux'
+[test_cert_storage.js]
+tags = addons psm blocklist
+[test_cert_storage_broken_db.js]
+[test_cert_storage_direct.js]
+[test_cert_storage_preexisting.js]
+[test_cert_storage_preexisting_crlite.js]
+# This test cannot succeed on 32-bit platforms. See bugs 1546361 and 1548956.
+skip-if = bits != 64
+[test_cert_chains.js]
+run-sequentially = hardcoded ports
+[test_cert_dbKey.js]
+[test_cert_eku.js]
+[test_cert_embedded_null.js]
+[test_cert_expiration_canary.js]
+run-if = nightly_build
+[test_cert_keyUsage.js]
+[test_cert_isBuiltInRoot.js]
+[test_cert_isBuiltInRoot_reload.js]
+[test_cert_overrides.js]
+run-sequentially = hardcoded ports
+[test_cert_overrides_read_only.js]
+run-sequentially = hardcoded ports
+[test_cert_override_read.js]
+[test_cert_sha1.js]
+[test_cert_signatures.js]
+[test_cert_trust.js]
+[test_cert_version.js]
+[test_cert_utf8.js]
+[test_certDB_export_pkcs12.js]
+[test_certDB_export_pkcs12_with_primary_password.js]
+[test_certDB_import.js]
+# nsCertificateDialogs not available in geckoview, bug 1554276
+skip-if = toolkit == 'android' && processor == 'x86_64'
+[test_certDB_import_pkcs12.js]
+[test_certDB_import_with_primary_password.js]
+# nsCertificateDialogs not available in geckoview, bug 1554276
+skip-if = toolkit == 'android' && processor == 'x86_64'
+[test_constructX509FromBase64.js]
+[test_content_signing.js]
+[test_crlite_filters.js]
+tags = remote-settings psm
+[test_crlite_preexisting.js]
+[test_crlite_filter_corrupted.js]
+[test_crlite_stash_corrupted.js]
+[test_crlite_enrollment_version.js]
+[test_crlite_enrollment_trunc1.js]
+[test_crlite_coverage_version.js]
+[test_crlite_coverage_trunc1.js]
+[test_crlite_coverage_trunc2.js]
+[test_crlite_coverage_trunc3.js]
+[test_crlite_coverage_missing.js]
+[test_ct.js]
+# Requires hard-coded debug-only data
+skip-if = !debug
+run-sequentially = hardcoded ports
+[test_db_format_pref_new.js]
+# Android always has and always will use the new format, so
+# this test doesn't apply.
+skip-if = toolkit == 'android'
+ condprof # Bug 1769154 - as designed
+[test_delegated_credentials.js]
+run-sequentially = hardcoded ports
+[test_encrypted_client_hello.js]
+run-sequentially = hardcoded ports
+[test_encrypted_client_hello_client_only.js]
+run-sequentially = hardcoded ports
+[test_der.js]
+[test_enterprise_roots.js]
+# This feature is implemented for Windows and OS X. However, we don't currently
+# have a way to test it on OS X.
+skip-if = os != 'win'
+[test_ev_certs.js]
+tags = blocklist psm
+run-sequentially = hardcoded ports
+[test_forget_about_site_security_headers.js]
+[test_hash_algorithms.js]
+[test_hash_algorithms_wrap.js]
+# bug 1124289 - run_test_in_child violates the sandbox on android
+skip-if = toolkit == 'android'
+[test_intermediate_basic_usage_constraints.js]
+[test_intermediate_preloads.js]
+run-sequentially = hardcoded ports
+tags = blocklist psm remote-settings
+[test_allow_all_cert_errors.js]
+run-sequentially = hardcoded ports
+[test_keysize.js]
+[test_keysize_ev.js]
+run-sequentially = hardcoded ports
+[test_logoutAndTeardown.js]
+skip-if = socketprocess_networking && os == "linux" && debug
+run-sequentially = hardcoded ports
+[test_missing_intermediate.js]
+run-sequentially = hardcoded ports
+[test_name_constraints.js]
+[test_nonascii_path.js]
+[test_nsCertType.js]
+run-sequentially = hardcoded ports
+[test_nsIX509Cert_utf8.js]
+[test_nsIX509CertValidity.js]
+[test_ocsp_caching.js]
+run-sequentially = hardcoded ports
+[test_ocsp_enabled_pref.js]
+run-sequentially = hardcoded ports
+[test_ocsp_must_staple.js]
+run-sequentially = hardcoded ports
+[test_ocsp_private_caching.js]
+run-sequentially = hardcoded ports
+skip-if = condprof # Bug 1769154 - should look into this
+[test_ocsp_no_hsts_upgrade.js]
+run-sequentially = hardcoded ports
+[test_ocsp_required.js]
+run-sequentially = hardcoded ports
+[test_ocsp_stapling.js]
+run-sequentially = hardcoded ports
+[test_ocsp_stapling_expired.js]
+run-sequentially = hardcoded ports
+[test_ocsp_stapling_with_intermediate.js]
+run-sequentially = hardcoded ports
+[test_ocsp_timeout.js]
+skip-if = (os == "win" && socketprocess_networking)
+run-sequentially = hardcoded ports
+[test_ocsp_url.js]
+run-sequentially = hardcoded ports
+[test_oskeystore.js]
+skip-if = apple_silicon # bug 1729538
+[test_osreauthenticator.js]
+# Reauthentication has been implemented on Windows and MacOS, so running this
+# test results in the OS popping up a dialog, which means we can't run it in
+# automation.
+skip-if = os == 'win' || os == 'mac'
+[test_password_prompt.js]
+[test_pinning.js]
+run-sequentially = hardcoded ports
+[test_sdr.js]
+[test_sdr_preexisting.js]
+# Not relevant to Android. See the comment in the test.
+skip-if = toolkit == 'android'
+[test_sdr_preexisting_with_password.js]
+# Not relevant to Android. See the comment in the test.
+skip-if = toolkit == 'android'
+[test_self_signed_certs.js]
+[test_session_resumption.js]
+skip-if =
+ os == "win" # Bug 1585916
+run-sequentially = hardcoded ports
+[test_signed_apps.js]
+skip-if = true # Bug 1815090 - permanent failure after test certificates expired, disable temporarily
+[test_ssl_status.js]
+run-sequentially = hardcoded ports
+[test_sss_enumerate.js]
+[test_sss_eviction.js]
+skip-if = condprof # Bug 1769154 - as designed
+[test_sss_originAttributes.js]
+[test_sss_readstate.js]
+skip-if = condprof # Bug 1769154 - as designed
+[test_sss_readstate_empty.js]
+skip-if = condprof # Bug 1769154 - as designed
+[test_sss_readstate_garbage.js]
+skip-if = condprof # Bug 1769154 - as designed
+[test_sss_readstate_huge.js]
+skip-if = condprof # Bug 1769154 - as designed
+[test_sss_resetState.js]
+[test_sss_savestate.js]
+skip-if = condprof # Bug 1769154 - as designed
+[test_sss_sanitizeOnShutdown.js]
+firefox-appdir = browser
+# Sanitization works differently on Android - this doesn't apply.
+# browser/modules/Sanitizer.jsm used by the test isn't available in Thunderbird.
+skip-if = toolkit == 'android' || appname == 'thunderbird'
+[test_sts_fqdn.js]
+[test_sts_ipv4_ipv6.js]
+[test_sts_parser.js]
+[test_sts_preloadlist_perwindowpb.js]
+[test_sts_preloadlist_selfdestruct.js]
+[test_sanctions_symantec_apple_google.js]
+run-sequentially = hardcoded ports
+[test_validity.js]
+run-sequentially = hardcoded ports
+[test_x509.js]
diff --git a/security/manager/tools/.eslintrc.js b/security/manager/tools/.eslintrc.js
new file mode 100644
index 0000000000..44c1d9cba6
--- /dev/null
+++ b/security/manager/tools/.eslintrc.js
@@ -0,0 +1,13 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+"use strict";
+
+module.exports = {
+ globals: {
+ // JS files in this folder are commonly xpcshell scripts where |arguments|
+ // is defined in the global scope.
+ arguments: false,
+ },
+};
diff --git a/security/manager/tools/KnownRootHashes.json b/security/manager/tools/KnownRootHashes.json
new file mode 100644
index 0000000000..e939b39ca7
--- /dev/null
+++ b/security/manager/tools/KnownRootHashes.json
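Review bot: `[test_signed_apps.js]` in xpcshell.ini is switched off everywhere with `skip-if = true`, and "disable temporarily" gives no condition for turning it back on. Judging by its name and the `test_signed_apps/**` support files, this is the suite for signed-app verification, so while the skip stands a regression there would not be caught by this manifest. I would put the condition on its own line above the skip, `# Re-enable once the test certificates are regenerated (Bug 1815090); this test runs nowhere while the skip is set.` The manifest already carries `[test_cert_expiration_canary.js]` with `run-if = nightly_build`; if that canary is meant to warn about expiring test certificates, it is worth checking why it did not cover this case.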
@@ -0,0 +1,1263 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +// +//*************************************************************************** +// This is an automatically generated file. It's used to maintain state for +// runs of genRootCAHashes.js; you should never need to manually edit it +//*************************************************************************** + +// Notes: +// binNumber 1 used to be for "GTE_CyberTrust_Global_Root", but that root was +// removed from the built-in roots module, so now it is used to indicate that +// the certificate is not a built-in and was found in the softoken (cert9.db). + +// binNumber 2 used to be for "Thawte_Server_CA", but that root was removed from +// the built-in roots module, so now it is used to indicate that the certificate +// is not a built-in and was found on an external PKCS#11 token. + +// binNumber 3 used to be for "Thawte_Premium_Server_CA", but that root was +// removed from the built-in roots module, so now it is used to indicate that +// the certificate is not a built-in and was temporarily imported from the OS as +// part of the "Enterprise Roots" feature. 
+ +{ + "roots": [ + { + "label": "OU_Equifax_Secure_Certificate_Authority_O_Equifax_C_US", + "binNumber": 4, + "sha256Fingerprint": "CCl6QEfbojaAxzHbbjF2U8p4SOG+vToLAXmnB/ks8Xg=" + }, + { + "label": "OU_VeriSign_Trust_Network_OU___c__1998_VeriSign__Inc____For_authorized_use_only__OU_Class_3_Public_Primary_Certification_Authority___G2_O__VeriSign__Inc___C_US", + "binNumber": 5, + "sha256Fingerprint": "g848Eiloilk9SF+BlzwPkZVDHto3zF42Qw55x6iIY4s=" + }, + { + "label": "GlobalSign_Root_CA", + "binNumber": 6, + "sha256Fingerprint": "69QQQOS7PsdCyeOB0x7ypBpItmhclufO88HfbNQzHJk=" + }, + { + "label": "GlobalSign", + "binNumber": 7, + "sha256Fingerprint": "ykLdQXRf0LgeuQI2LPnYv3Gdob0bHvyUb1tMmfQsG54=" + }, + { + "label": "VeriSign_Class_3_Public_Primary_Certification_Authority___G3", + "binNumber": 8, + "sha256Fingerprint": "6wTPXrHzmvp2LyuxIPKWy6Ugwbl9sViVZbgcuaF7ckQ=" + }, + { + "label": "VeriSign_Class_4_Public_Primary_Certification_Authority___G3", + "binNumber": 9, + "sha256Fingerprint": "44k2DQ/brrPSUFhLRzAxTiIvOcFWoCAUTo2WBWF5FQY=" + }, + { + "label": "Entrust_net_Certification_Authority__2048_", + "binNumber": 10, + "sha256Fingerprint": "bcRxcuAcvLC/YlgNiV/iuKya1PhzgB4MELnIN9IesXc=" + }, + { + "label": "Baltimore_CyberTrust_Root", + "binNumber": 11, + "sha256Fingerprint": "Fq9XqfZ2sKsSYJWqXrre8iqzERnWRKyVzUuT2/Pyaus=" + }, + { + "label": "Equifax_Secure_Global_eBusiness_CA_1", + "binNumber": 12, + "sha256Fingerprint": "Xwti6rXjU+plIWUWWPu2U1n0QygKSvvRBNd9EPnwTAc=" + }, + { + "label": "Equifax_Secure_eBusiness_CA_1", + "binNumber": 13, + "sha256Fingerprint": "z1b/RqShhhCd2WWEte61ilEMQnWw5flPQLuuhl4Z9nM=" + }, + { + "label": "AddTrust_Class_1_CA_Root", + "binNumber": 14, + "sha256Fingerprint": "jHIJJ5rATideFtB/07d16AFUtZaARuMfUt0ldmMk6ac=" + }, + { + "label": "AddTrust_External_CA_Root", + "binNumber": 15, + "sha256Fingerprint": "aH+kUTgieP/wyLEfjUPVdmccbrK86rQT+4PZZdBtL/I=" + }, + { + "label": "AddTrust_Public_CA_Root", + "binNumber": 16, + "sha256Fingerprint": 
"B5HKB0myB4Kq08fXvQzfyUhYNYQ+steZYAnOQ6tsaSc=" + }, + { + "label": "AddTrust_Qualified_CA_Root", + "binNumber": 17, + "sha256Fingerprint": "gJUhCAXbS7w1XkQo2P1uws3jq1+5eplCmI649NzQYBY=" + }, + { + "label": "Entrust_Root_Certification_Authority", + "binNumber": 18, + "sha256Fingerprint": "c8F2Q08bxtWt9FsOducnKHyN5XYWwebmFBorLLx9jkw=" + }, + { + "label": "OU_RSA_Security_2048_V3_O_RSA_Security_Inc", + "binNumber": 19, + "sha256Fingerprint": "r4tnYqHlKCKBYaldXFWe4mYnj3XXnoMBiaUDUGq9a0w=" + }, + { + "label": "GeoTrust_Global_CA", + "binNumber": 20, + "sha256Fingerprint": "/4VqLSUdzYjTZlb0UBJnmM+rqt5AeZxyLeTStds2pzo=" + }, + { + "label": "GeoTrust_Global_CA_2", + "binNumber": 21, + "sha256Fingerprint": "yi2CoIZ3By+KtnZP8DVnbP4+XjJeASFy3z+SCW23m4U=" + }, + { + "label": "GeoTrust_Universal_CA", + "binNumber": 22, + "sha256Fingerprint": "oEWbn2OyJVn1+l1MbbP59y/xk0IDNXjwc78dG0bLuRI=" + }, + { + "label": "GeoTrust_Universal_CA_2", + "binNumber": 23, + "sha256Fingerprint": "oCNPO8hSfKVijuyBrV1piV2laA3JHRy4R38z+Hi5Wws=" + }, + { + "label": "America_Online_Root_Certification_Authority_1", + "binNumber": 24, + "sha256Fingerprint": "d0BzEsY6FT1bwAtOUXWc39rCN9wqM7Z5RumOm/poCuM=" + }, + { + "label": "America_Online_Root_Certification_Authority_2", + "binNumber": 25, + "sha256Fingerprint": "fTtGWmAU5SbAr/zuISfSMRcnrYEcJoQtAGrzcwbMgL0=" + }, + { + "label": "Visa_eCommerce_Root", + "binNumber": 26, + "sha256Fingerprint": "afrJvVX7CseNU7vuXPHVl5if0KqrIKJRUb3xcz7n0SI=" + }, + { + "label": "Certum_CA", + "binNumber": 27, + "sha256Fingerprint": "2OD+vB2y440AlA830n1BNE2ZPnNLmdVlbZd41NgUNiQ=" + }, + { + "label": "AAA_Certificate_Services", + "binNumber": 28, + "sha256Fingerprint": "16eg+11+JzHXcelITrze9x1fDD4KKUh4K8g+4OppnvQ=" + }, + { + "label": "Secure_Certificate_Services", + "binNumber": 29, + "sha256Fingerprint": "vYHOO09lkdEaZ7X8ekf97yVSG/mqThi5498uNKeAO+g=" + }, + { + "label": "Trusted_Certificate_Services", + "binNumber": 30, + "sha256Fingerprint": 
"PwblVoHUlvW+Fp61OJ+fK4/2HhcI32iBckhJzV0ny2k=" + }, + { + "label": "QuoVadis_Root_Certification_Authority", + "binNumber": 31, + "sha256Fingerprint": "pF7eO7vwnIrhXHLvwHJo1pOiHJlv1R5nygeUYP1tiHM=" + }, + { + "label": "QuoVadis_Root_CA_2", + "binNumber": 32, + "sha256Fingerprint": "haDdfdcgrbf/Bfg9VCsgncf/RSj31nexg4n+peXEnoY=" + }, + { + "label": "QuoVadis_Root_CA_3", + "binNumber": 33, + "sha256Fingerprint": "GPH8fyBd+K3d63/gB91X4683WpxNjXNUa/Tx/tHhjTU=" + }, + { + "label": "OU_Security_Communication_RootCA1_O_SECOM_Trust_net_C_JP", + "binNumber": 34, + "sha256Fingerprint": "515y7Z9WDuxutIAAc6Q/w60ZGVo5IoIBeJWXSpkCa2w=" + }, + { + "label": "Sonera_Class2_CA", + "binNumber": 35, + "sha256Fingerprint": "eQi0AxTBOBALUY0HNYB/+/z4UYoAlTNxBbo4axU92Sc=" + }, + { + "label": "Staat_der_Nederlanden_Root_CA", + "binNumber": 36, + "sha256Fingerprint": "1B2CnowWWYIq+T/OYr/83iZPyE6LlQxf8nXQUjVGlaM=" + }, + { + "label": "UTN___DATACorp_SGC", + "binNumber": 37, + "sha256Fingerprint": "hfsvkd0SJ1oBRbY2U0+EAkrWi2m47ohoT/cRN1gFs0g=" + }, + { + "label": "UTN_USERFirst_Hardware", + "binNumber": 38, + "sha256Fingerprint": "bqVHQdAEZn7tG0gWY0qjp55uS5aVD4J52vyNm9iBITc=" + }, + { + "label": "Chambers_of_Commerce_Root", + "binNumber": 39, + "sha256Fingerprint": "DCWKEqVnSu8l8oun3Prs7qNI5UHm9cxO5jtxs2FgasM=" + }, + { + "label": "Global_Chambersign_Root", + "binNumber": 40, + "sha256Fingerprint": "7zy0F/yOv2+Xh2yeTs453h6l/mSRQdECi30RwLIpjO0=" + }, + { + "label": "NetLock_Kozjegyzoi__Class_A__Tanusitvanykiado", + "binNumber": 41, + "sha256Fingerprint": "fxLNX35eKQ7H2FF51bcsIKW+dQj/21v4GrloSn/J9mc=" + }, + { + "label": "XRamp_Global_Certification_Authority", + "binNumber": 42, + "sha256Fingerprint": "zs3ckFCZ2NrfxbHSCbc3y+LBjPssEMD/C88NMob8GqI=" + }, + { + "label": "OU_Go_Daddy_Class_2_Certification_Authority_O__The_Go_Daddy_Group__Inc___C_US", + "binNumber": 43, + "sha256Fingerprint": "w4Rr8kuek8pkJ0wOxnwezF4CT/ys0tdAGTUOgf5UauQ=" + }, + { + "label": 
"OU_Starfield_Class_2_Certification_Authority_O__Starfield_Technologies__Inc___C_US", + "binNumber": 44, + "sha256Fingerprint": "FGX6IFOXuHb6pvCplY5VkOQPzH+qT7fCyGd1Iftftlg=" + }, + { + "label": "StartCom_Certification_Authority", + "binNumber": 45, + "sha256Fingerprint": "x2apvvLUBxyGOjGqSSDoE7LRmGCMt7fP4hFDuDbfCeo=" + }, + { + "label": "O_Government_Root_Certification_Authority_C_TW", + "binNumber": 46, + "sha256Fingerprint": "dgApXu/oW54f1iTbdgYqqq5ZgYpU0ndM1MCywBEx4bM=" + }, + { + "label": "Swisscom_Root_CA_1", + "binNumber": 47, + "sha256Fingerprint": "IdsgEjZguy7UGCBdoR7nqFpl4rxuVbWvfniZyKJm2S4=" + }, + { + "label": "DigiCert_Assured_ID_Root_CA", + "binNumber": 48, + "sha256Fingerprint": "PpCZtQFej0hsALzqnREe5yH6ujVaibzx32lWHj3GMlw=" + }, + { + "label": "DigiCert_Global_Root_CA", + "binNumber": 49, + "sha256Fingerprint": "Q0ig6URMeMsmXgWNXolEtNhPlmK9Jtslf4k0pEPHAWE=" + }, + { + "label": "DigiCert_High_Assurance_EV_Root_CA", + "binNumber": 50, + "sha256Fingerprint": "dDHl9MPBzkaQd08LYeBUQIg7qaAe0Aumq9eAbtOxGM8=" + }, + { + "label": "Class_2_Primary_CA", + "binNumber": 51, + "sha256Fingerprint": "D5k8iu+Xuq9WhxQO1ZrRghu0r6zwqppYtdV6M4o6+8s=" + }, + { + "label": "DST_Root_CA_X3", + "binNumber": 52, + "sha256Fingerprint": "BocmAzGnJAPZCfEF5pvPDTLhvSST/8bZIG0RvNZ3Bzk=" + }, + { + "label": "DST_ACES_CA_X6", + "binNumber": 53, + "sha256Fingerprint": "dnyVWnZBLImvaI6QoccPVWz9a2Al2+oQQW1+toMfjEA=" + }, + { + "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_", + "binNumber": 54, + "sha256Fingerprint": "RATjO14UDc+ZgFH9/IAox8gWFcXuc3sRG1iCM6m1NaA=" + }, + { + "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_", + "binNumber": 55, + "sha256Fingerprint": "xHDPVH4jArl3+yndcaiae2wfYHd7Ayn1YBfzKL9Pa+Y=" + }, + { + "label": "SwissSign_Gold_CA___G2", + "binNumber": 56, + "sha256Fingerprint": "Yt0L6bn1ChY+oPjnXAU7HspX6lXIaI9kfGiB8sg1e5U=" + }, + { + "label": "SwissSign_Silver_CA___G2", + "binNumber": 57, + "sha256Fingerprint": 
"vmxNoru5ulm285OXaDdCRsPABZk/qY8CDR3tvtSKgdU=" + }, + { + "label": "GeoTrust_Primary_Certification_Authority", + "binNumber": 58, + "sha256Fingerprint": "N9UQBsUS6qtiZCHx7IySAT/F+CrpjuUz60YZuN600Gw=" + }, + { + "label": "thawte_Primary_Root_CA", + "binNumber": 59, + "sha256Fingerprint": "jXIvganBE8B5HfE2opZtsmyVCpcdtGtBmfTqVLeL+58=" + }, + { + "label": "VeriSign_Class_3_Public_Primary_Certification_Authority___G5", + "binNumber": 60, + "sha256Fingerprint": "ms+rfkPI2IDQayYqlN7u5LRlmYnD0Mrxm69kBeQat98=" + }, + { + "label": "SecureTrust_CA", + "binNumber": 61, + "sha256Fingerprint": "8cG1CuWiDdgDDsn2vCSCPdNntSVXWbTnG2H86fc3XXM=" + }, + { + "label": "Secure_Global_CA", + "binNumber": 62, + "sha256Fingerprint": "QgD1BDrIWQ67Un0gntFQMCn7y9QcobUG7CfxWt59rGk=" + }, + { + "label": "COMODO_Certification_Authority", + "binNumber": 63, + "sha256Fingerprint": "DCzWPfeAb6OZ7egJEWtXW/h5ifBlGPmAjIYFAxeLr2Y=" + }, + { + "label": "Network_Solutions_Certificate_Authority", + "binNumber": 64, + "sha256Fingerprint": "FfC6AKOsevOsiEwHKxARoHe9d8CX9AFksvhZir2Dhgw=" + }, + { + "label": "WellsSecure_Public_Root_Certificate_Authority", + "binNumber": 65, + "sha256Fingerprint": "pxJyrqqjz+hyf3+znw+z0eVCbpBgsG7m8T6aPFgzzUM=" + }, + { + "label": "COMODO_ECC_Certification_Authority", + "binNumber": 66, + "sha256Fingerprint": "F5OSegYUVJeJrc4vjzT38LZtDzrjo7hNIewV27pPrcc=" + }, + { + "label": "IGC_A", + "binNumber": 67, + "sha256Fingerprint": "ub6nhgqWLqNhHauXq22j4hwQaLl9VVde0OESecEciTI=" + }, + { + "label": "OU_Security_Communication_EV_RootCA1_O__SECOM_Trust_Systems_CO__LTD___C_JP", + "binNumber": 68, + "sha256Fingerprint": "oi26aB6XN24tOX1yiq46m2KWuf26YLwuEfZH8sZ1+zc=" + }, + { + "label": "OISTE_WISeKey_Global_Root_GA_CA", + "binNumber": 69, + "sha256Fingerprint": "Qckjhmq0yta3rVeAgVguAgeXpsvfT/94zoOWs4k31/U=" + }, + { + "label": "Microsec_e_Szigno_Root_CA", + "binNumber": 70, + "sha256Fingerprint": "Mno9dhq63qA065mEBidcsaR3bv2uL99tAWjqHE9VZ9A=" + }, + { + "label": "Certigna", + "binNumber": 
71, + "sha256Fingerprint": "47ai2y7XzkiEL3rFMkHHtx1UFEv7QMEfPx0LQvXuoS0=" + }, + { + "label": "TC_TrustCenter_Class_2_CA_II", + "binNumber": 72, + "sha256Fingerprint": "5rj4dmSF+Aeuf42sFnBGHwfAoT7vOh/3F1ONerrTkbQ=" + }, + { + "label": "TC_TrustCenter_Class_3_CA_II", + "binNumber": 73, + "sha256Fingerprint": "jaCE/Pmc4Hci+JsyBZOYBvpcuBHhyBP2oQjH0zazQI4=" + }, + { + "label": "TC_TrustCenter_Universal_CA_I", + "binNumber": 74, + "sha256Fingerprint": "6/PAKoeJsft9URmV1mO3KQbZE84NXhBWiop34lhhZ+c=" + }, + { + "label": "Deutsche_Telekom_Root_CA_2", + "binNumber": 75, + "sha256Fingerprint": "thkaUNDDl399qZvNqshqIn2uuWeexwujsMnZInHBcNM=" + }, + { + "label": "ComSign_Secured_CA", + "binNumber": 76, + "sha256Fingerprint": "UHlBx0RgoLRwhiINTpkyVyq10bW7y4mAqxyxdlGoRNI=" + }, + { + "label": "Cybertrust_Global_Root", + "binNumber": 77, + "sha256Fingerprint": "lgrfAGPpY1Z1DCll3QoIZ9oLnL1ud3FK6vsjSas5PaM=" + }, + { + "label": "OU_ePKI_Root_Certification_Authority_O__Chunghwa_Telecom_Co___Ltd___C_TW", + "binNumber": 78, + "sha256Fingerprint": "wKb03GOiS/3PVO8qaggqCnLeNYA+L/X/Unrl2HIG39U=" + }, + { + "label": "T_B_TAK_UEKAE_K_k_Sertifika_Hizmet_Sa_lay_c_s____S_r_m_3", + "binNumber": 79, + "sha256Fingerprint": "5Mc0MNeltQkl30M3Cg0hbpp5udbbg3Ogxp6xzDHHxSo=" + }, + { + "label": "Buypass_Class_2_CA_1", + "binNumber": 80, + "sha256Fingerprint": "D06c3SZLAlVQ0XCAY0AhT+lENMmwL2l+xxD8X+r7Xjg=" + }, + { + "label": "Buypass_Class_3_CA_1", + "binNumber": 81, + "sha256Fingerprint": "t7ErFx+CHaqZDND+UIexKESLqOUYT4TFHgK1yPuWKyQ=" + }, + { + "label": "EBG_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_", + "binNumber": 82, + "sha256Fingerprint": "Na5b3dj3rmNc/7pWgqjwC5X0hGLHEI7poOUpKwdKr7I=" + }, + { + "label": "OU_certSIGN_ROOT_CA_O_certSIGN_C_RO", + "binNumber": 83, + "sha256Fingerprint": "6qlixPpKa6/r5BUZbTUczYiNT1Pz+orm18RmqU5gQrs=" + }, + { + "label": "CNNIC_ROOT", + "binNumber": 84, + "sha256Fingerprint": "4oOTdz2oRaZ58ggMx/tEo7ehw3kst+t3Kf3Lao2Zrqc=" + }, + { + "label": 
"OU_ApplicationCA_O_Japanese_Government_C_JP", + "binNumber": 85, + "sha256Fingerprint": "LUdDfeF5USFaEvPFjlHHKaWAJu8fzApfs9ncAS9gDRk=" + }, + { + "label": "GeoTrust_Primary_Certification_Authority___G3", + "binNumber": 86, + "sha256Fingerprint": "tHi4EiUN+HhjXCqn7H0VXqpiXugpFuLNKUNhiGzR+9Q=" + }, + { + "label": "thawte_Primary_Root_CA___G2", + "binNumber": 87, + "sha256Fingerprint": "pDENUK8YpkRxkDcqhq+vi5Uf+0Mdg38eVoi0WXHtFVc=" + }, + { + "label": "thawte_Primary_Root_CA___G3", + "binNumber": 88, + "sha256Fingerprint": "SwP0WAetcPIb/Cyuccn95GBMBkz1/7aGuuXbqtf900w=" + }, + { + "label": "GeoTrust_Primary_Certification_Authority___G2", + "binNumber": 89, + "sha256Fingerprint": "Xtt6xDuCoGqHYejXvkl56/JhH33Xm/kcHGtWaiGe12Y=" + }, + { + "label": "VeriSign_Universal_Root_Certification_Authority", + "binNumber": 90, + "sha256Fingerprint": "I5lWESelcSXejO/qYQ3fL6B4tcgGf06CgpC/uGDoSzw=" + }, + { + "label": "VeriSign_Class_3_Public_Primary_Certification_Authority___G4", + "binNumber": 91, + "sha256Fingerprint": "ad3X6pC7V8k+E13IXqb81UgLYDI5vcRU/HWLKibPf3k=" + }, + { + "label": "NetLock_Arany__Class_Gold__F_tan_s_tv_ny", + "binNumber": 92, + "sha256Fingerprint": "bGHaw6Le8DFQa+A20qb+QBmU+9E9+cjUZlmSdMRG7Jg=" + }, + { + "label": "Staat_der_Nederlanden_Root_CA___G2", + "binNumber": 93, + "sha256Fingerprint": "ZoyDlH2mO3JL7OF0PDGg5q7Q247Fsxvjd7t4T5G2cW8=" + }, + { + "label": "CA_Disig", + "binNumber": 94, + "sha256Fingerprint": "kr9RGavsytCxMy3E4dBfunW1Z5BE7gyibpMfdE8vM88=" + }, + { + "label": "Juur_SK", + "binNumber": 95, + "sha256Fingerprint": "7MPpw0B1A77gkaqVL0E0j/iLqoY7ImS++sgHkBV06Tk=" + }, + { + "label": "Hongkong_Post_Root_CA_1", + "binNumber": 96, + "sha256Fingerprint": "+eZ9M2xRACrAVMYyAi1m3aLn4//xCtBh7THYu7QQz7I=" + }, + { + "label": "SecureSign_RootCA11", + "binNumber": 97, + "sha256Fingerprint": "vw/u+546WBrV+enbdYmYV0PSYQhcTTFPb11yWapCFhI=" + }, + { + "label": "ACEDICOM_Root", + "binNumber": 98, + "sha256Fingerprint": "A5UPtJpTHz4ZkZQjmN+p4Ooy17oc3ZvIXbV+2UALQ0o=" 
+ }, + { + "label": "Microsec_e_Szigno_Root_CA_2009", + "binNumber": 99, + "sha256Fingerprint": "PF+B/qX6uCxkv6Lq7K/N6OB3/IYgp8rlNxY9827b83g=" + }, + { + "label": "e_Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi", + "binNumber": 100, + "sha256Fingerprint": "5gkHhGWkGXgMtqxMHAv7RlPZ2cxus5Rut/PWmZe61Zg=" + }, + { + "label": "GlobalSign", + "binNumber": 101, + "sha256Fingerprint": "y7Ui17fxJ61qAROGW98c1BAufQdZr2NafPRyDcljxTs=" + }, + { + "label": "Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068", + "binNumber": 102, + "sha256Fingerprint": "BASAKL8fKGTUj5rU2DKUNmqCiFZVPzsUMD+QFH9dQO8=" + }, + { + "label": "Izenpe_com", + "binNumber": 103, + "sha256Fingerprint": "JTDMjpgyFQK62W+bH7obCZ4tKZ4PRUi7kU82O8DUUx8=" + }, + { + "label": "Chambers_of_Commerce_Root___2008", + "binNumber": 104, + "sha256Fingerprint": "Bj5K+sSR39My8wibhULpRhfYk9f+lE4Qp5N+4p2Wk8A=" + }, + { + "label": "Global_Chambersign_Root___2008", + "binNumber": 105, + "sha256Fingerprint": "E2M1Q5M0p2mAFqDTJN5yKE4HnXtSILuPvXR4Fu6+uso=" + }, + { + "label": "Go_Daddy_Root_Certificate_Authority___G2", + "binNumber": 106, + "sha256Fingerprint": "RRQLMkfrnMjFtPDXtTCR9zKSCJ5uWmPidJ3TrKkZjto=" + }, + { + "label": "Starfield_Root_Certificate_Authority___G2", + "binNumber": 107, + "sha256Fingerprint": "LOHLC/nS+eECmT++IVFSw7LdDKveHGjlMZuDkVTbt/U=" + }, + { + "label": "Starfield_Services_Root_Certificate_Authority___G2", + "binNumber": 108, + "sha256Fingerprint": "Vo1pBaLIhwikswJRkO3P7bGXSmBqE8blKQ/LKuY+2rU=" + }, + { + "label": "AffirmTrust_Commercial", + "binNumber": 109, + "sha256Fingerprint": "A3arHVTF+YA85LLiAaDufu97V7Y26Kk8m41IYMlvX6c=" + }, + { + "label": "AffirmTrust_Networking", + "binNumber": 110, + "sha256Fingerprint": "CoHsWpKXd/FFkErzjV1Qn2a14sWPzbUxBYsOF/PwtBs=" + }, + { + "label": "AffirmTrust_Premium", + "binNumber": 111, + "sha256Fingerprint": "cKc/fzdrYAdCSJBFNLEUgtW/DmmOzEmN9SV36/LpO5o=" + }, + { + "label": "AffirmTrust_Premium_ECC", + "binNumber": 112, + "sha256Fingerprint": 
"vXH99tqX5M9i0WR63SWBsH15rfg5frTsupxehIiCFCM=" + }, + { + "label": "Certum_Trusted_Network_CA", + "binNumber": 113, + "sha256Fingerprint": "XFhGjVX1jkl+dDmC0rUAELbRZTdKz4On1KMtt2jEQI4=" + }, + { + "label": "Certinomis___Autorit__Racine", + "binNumber": 114, + "sha256Fingerprint": "/L/iiGIG9ysnWTyLBwKX4S12ntEO15MHBagJjv/BTRc=" + }, + { + "label": "Root_CA_Generalitat_Valenciana", + "binNumber": 115, + "sha256Fingerprint": "jE7f0ENI8yKWnn4ppM1NygBGVQYcFuGwdkIu80KtYw4=" + }, + { + "label": "A_Trust_nQual_03", + "binNumber": 116, + "sha256Fingerprint": "eTy/RVm5/eOKsi3xaGn2mIGuFMSwE5rHiKeKGvzKAvs=" + }, + { + "label": "TWCA_Root_Certification_Authority", + "binNumber": 117, + "sha256Fingerprint": "v9iP4RAcQa4+gBv4vlY1Dum60aa5vVFe3FxtW4cRrEQ=" + }, + { + "label": "OU_Security_Communication_RootCA2_O__SECOM_Trust_Systems_CO__LTD___C_JP", + "binNumber": 118, + "sha256Fingerprint": "UTss7LgQ1M3l3YU5Gt/Gwt1g2Hu3NtK1IUhKpHoOvvY=" + }, + { + "label": "EC_ACC", + "binNumber": 119, + "sha256Fingerprint": "iEl/AWAvMVQkauKMTVrvEPHYfrt2Ym9K4Lf5W6eWh5k=" + }, + { + "label": "Hellenic_Academic_and_Research_Institutions_RootCA_2011", + "binNumber": 120, + "sha256Fingerprint": "vBBPFaSL5wncpUKn4dS5328FRSfoAuqpLVlURCWK/nE=" + }, + { + "label": "Actalis_Authentication_Root_CA", + "binNumber": 121, + "sha256Fingerprint": "VZJghOyWOmS5biq+Ac4LqGpk+/68x6q1r8FVs3/XYGY=" + }, + { + "label": "OU_Trustis_FPS_Root_CA_O_Trustis_Limited_C_GB", + "binNumber": 122, + "sha256Fingerprint": "wbSCmaulII/pYwrOVcpooD7aWlGciAKg06Zzvo+OVX0=" + }, + { + "label": "StartCom_Certification_Authority", + "binNumber": 123, + "sha256Fingerprint": "4XiQ7gmj+/T0i5xBShfWN7elBkfpvHUjInJ/zBdCqRE=" + }, + { + "label": "StartCom_Certification_Authority_G2", + "binNumber": 124, + "sha256Fingerprint": "x7plZ96Tp5iuH6p5HnEtN4+uH5PEOX/qRBu3y+b9WZU=" + }, + { + "label": "Buypass_Class_2_Root_CA", + "binNumber": 125, + "sha256Fingerprint": "mhFAJRl8W7ldlOY9Vc1DeQhHtkayPN8RraSgDv8V+0g=" + }, + { + "label": 
"Buypass_Class_3_Root_CA", + "binNumber": 126, + "sha256Fingerprint": "7ffrvKJ6KjhNOHt9QBDGZuLttIQ+TCm0rh1bkzLmsk0=" + }, + { + "label": "T_TeleSec_GlobalRoot_Class_3", + "binNumber": 127, + "sha256Fingerprint": "/XPa0xxkT/G0O+8MzdqWcQuc2Ydeyn4xcHrz6W1SK70=" + }, + { + "label": "EE_Certification_Centre_Root_CA", + "binNumber": 128, + "sha256Fingerprint": "PoS6Q0KQhRbndXPAmS8JecoITkaFaB/xlcy6iiKbinY=" + }, + { + "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_", + "binNumber": 129, + "sha256Fingerprint": "l4zZZvL6oHunqpUA2cAunXfyza2mrWunSvS5HGZZPFA=" + }, + { + "label": "D_TRUST_Root_Class_3_CA_2_2009", + "binNumber": 130, + "sha256Fingerprint": "SeekQqzw6mKHBQBUtSVktlDk9J5C40jWqjjgOelXscE=" + }, + { + "label": "D_TRUST_Root_Class_3_CA_2_EV_2009", + "binNumber": 131, + "sha256Fingerprint": "7sVJa5iM6YYluTQJLuwpCL7QsPMWwtRzDITq8fPTSIE=" + }, + { + "label": "PSCProcert", + "binNumber": 132, + "sha256Fingerprint": "PPw8FNH2hP8X44xDykQMALln7JM+i/4GTKHXLJDyrbA=" + }, + { + "label": "China_Internet_Network_Information_Center_EV_Certificates_Root", + "binNumber": 133, + "sha256Fingerprint": "HAHG9Nuy/vwiVYsryjJWP0mESs/DK3vksP9Zn56Mevc=" + }, + { + "label": "Swisscom_Root_CA_2", + "binNumber": 134, + "sha256Fingerprint": "8JsSLHEU9KCb1OpPSpnVWLRuTCXNgRQNKcBWE5FMOEE=" + }, + { + "label": "Swisscom_Root_EV_CA_2", + "binNumber": 135, + "sha256Fingerprint": "2V/qPKTu3OdM1251/G0f9ixEHw+ovHfwNLGeXbJYAV0=" + }, + { + "label": "CA_Disig_Root_R1", + "binNumber": 136, + "sha256Fingerprint": "+W8j9MPnnAd6RpiNWvWQBnag8DnLZF3RdUmyFsgkQM4=" + }, + { + "label": "CA_Disig_Root_R2", + "binNumber": 137, + "sha256Fingerprint": "4j1KA217cOn1lbFCIHnSuR7fux+2UaBjPqqKncX4BwM=" + }, + { + "label": "ACCVRAIZ1", + "binNumber": 138, + "sha256Fingerprint": "mm7AEuGn2p2+NBlNR4rXwNsYIvsHHfEpgUlu0QQ4QRM=" + }, + { + "label": "TWCA_Global_Root_CA", + "binNumber": 139, + "sha256Fingerprint": "WXaQB/doXQ/NUIcvn5XVdVpbK0V9gfNpK2EKmGcvDhs=" + }, + { + "label": "TeliaSonera_Root_CA_v1", + 
"binNumber": 140, + "sha256Fingerprint": "3Wk2/iH48HfBI6GlIcEiJPciVbc+A6cmBpPooksPo4k=" + }, + { + "label": "E_Tugra_Certification_Authority", + "binNumber": 141, + "sha256Fingerprint": "sL/VK7DX2b2Sv11NwT2iVcAsVC83g2XqiTkR9V5V8jw=" + }, + { + "label": "T_TeleSec_GlobalRoot_Class_2", + "binNumber": 142, + "sha256Fingerprint": "keL1eI1YEOunulhzfeFUio7KzQFFmLwLFD4EGxcFJVI=" + }, + { + "label": "Atos_TrustedRoot_2011", + "binNumber": 143, + "sha256Fingerprint": "81a+okS3qR6zXVPKmteGSs4Bji011fj5bd9opvQapHQ=" + }, + { + "label": "QuoVadis_Root_CA_1_G3", + "binNumber": 144, + "sha256Fingerprint": "ioZv0bJ2tX5XjpIcZYKKK+1Y6fLyiAVBNLfx9L/JzHQ=" + }, + { + "label": "QuoVadis_Root_CA_2_G3", + "binNumber": 145, + "sha256Fingerprint": "j+T7Cvk6TQ1n2wvrsj43xxvzJdy83SQOoE2vWLR+GEA=" + }, + { + "label": "QuoVadis_Root_CA_3_G3", + "binNumber": 146, + "sha256Fingerprint": "iO+B3iAusBhFLkP4ZHJc6l+9H8LZ0gVzBwnF2LhpD0Y=" + }, + { + "label": "DigiCert_Assured_ID_Root_G2", + "binNumber": 147, + "sha256Fingerprint": "fQXrtoIzn4yUUe4JTuv++nlToRTtsvRJSUUvq30vwYU=" + }, + { + "label": "DigiCert_Assured_ID_Root_G3", + "binNumber": 148, + "sha256Fingerprint": "fjfLi0xHCQyrNlUbpvRduEBoD7oWapUtsQBxf0MFP8I=" + }, + { + "label": "DigiCert_Global_Root_G2", + "binNumber": 149, + "sha256Fingerprint": "yzzLt2Ax5eATj43TmiP53kf/w15DwRRM6ifUalqxy18=" + }, + { + "label": "DigiCert_Global_Root_G3", + "binNumber": 150, + "sha256Fingerprint": "Ma1mSPgQQTjHOPOepDIBMzk+OhjMAilu+Xwqye9nMdA=" + }, + { + "label": "DigiCert_Trusted_Root_G4", + "binNumber": 151, + "sha256Fingerprint": "VS973PGnr55s5nIBf08Sq/dyQMeOdhrCA9HZ0grImYg=" + }, + { + "label": "Certification_Authority_of_WoSign", + "binNumber": 152, + "sha256Fingerprint": "SyLVpq7JnzzbeapewGg4R5zV7LpxZPfyLcHWX2PYVwg=" + }, + { + "label": "CA______", + "binNumber": 153, + "sha256Fingerprint": "1vA0vZSqIz8Cl+ykJFsoOXPkR6pZDzEMd/SP34MRIlQ=" + }, + { + "label": "COMODO_RSA_Certification_Authority", + "binNumber": 154, + "sha256Fingerprint": 
"UvDhxOWOxikpG2AxfwdGcbhdfqgNWwcnNGNTSzK0AjQ=" + }, + { + "label": "USERTrust_RSA_Certification_Authority", + "binNumber": 155, + "sha256Fingerprint": "55PJsC/YqhPiHDEiisywgRlkO3SciYlksXRtRsPUy9I=" + }, + { + "label": "USERTrust_ECC_Certification_Authority", + "binNumber": 156, + "sha256Fingerprint": "T/Rg1Uuchtq/vPxXEuBADSvtP7xNT72qhuBq3NKprXo=" + }, + { + "label": "GlobalSign", + "binNumber": 157, + "sha256Fingerprint": "vslJEcKVVnbbbApVCYbXbjugBWZ8RCyXYrT7t3PeIow=" + }, + { + "label": "GlobalSign", + "binNumber": 158, + "sha256Fingerprint": "F5+8FIo90A/STqE0WMxDv6f1nIGC14OlE/br7BAMiSQ=" + }, + { + "label": "Staat_der_Nederlanden_Root_CA___G3", + "binNumber": 159, + "sha256Fingerprint": "PE+wuVq4swAy9DK4b1Nf4XLBhdD9OYZYN882GH+m9Cg=" + }, + { + "label": "Staat_der_Nederlanden_EV_Root_CA", + "binNumber": 160, + "sha256Fingerprint": "TSSRQUz+lWdG7Ezvps9vcuKKEylDL52KkHrEy12twVo=" + }, + { + "label": "IdenTrust_Commercial_Root_CA_1", + "binNumber": 161, + "sha256Fingerprint": "XVZJm+TS4IvPytCKPjhyPVBQO95waUjkL1VgMBnlKK4=" + }, + { + "label": "IdenTrust_Public_Sector_Root_CA_1", + "binNumber": 162, + "sha256Fingerprint": "MNCJWppEiiYgkWNVItH1IBC1hnrK4Sx475WP1PQ4ny8=" + }, + { + "label": "Entrust_Root_Certification_Authority___G2", + "binNumber": 163, + "sha256Fingerprint": "Q99XdLA+f+9f5A2TGnvt8bsua0JzjE5tOEEQPTqn8zk=" + }, + { + "label": "Entrust_Root_Certification_Authority___EC1", + "binNumber": 164, + "sha256Fingerprint": "Au0OsowU2kUWXFZnkXANZFHX+1bwsqsdO46wcOVu3/U=" + }, + { + "label": "CFCA_EV_ROOT", + "binNumber": 165, + "sha256Fingerprint": "XMPXjk4dXkVUegTmhz5k+Qz5U20czC74APNVxMX9cP0=" + }, + { + "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s__H5", + "binNumber": 166, + "sha256Fingerprint": "STUbkDREwYXM3FxpPSTYVVyyCNaoFBMHaZ9K8GMZnXg=" + }, + { + "label": "T_RKTRUST_Elektronik_Sertifika_Hizmet_Sa_lay_c_s__H6", + "binNumber": 167, + "sha256Fingerprint": "jeeGVeG+f3hHgAuT9pTSHTaMwG4DPn+rBLteuZ2mtwA=" + }, + { + "label": "Certinomis___Root_CA", + 
"binNumber": 168, + "sha256Fingerprint": "Kpn1vBF0tzy7HWIIhOAcNOUcyzl42hJfDjMmiIO/QVg=" + }, + { + "label": "OISTE_WISeKey_Global_Root_GB_CA", + "binNumber": 169, + "sha256Fingerprint": "a5wI6G6w92fPrWXNmLYhSeVJSmf1hF570e0Bnye4a9Y=" + }, + { + "label": "Certification_Authority_of_WoSign_G2", + "binNumber": 170, + "sha256Fingerprint": "1Ielb4OwdILoXpYzlMHswsnlHQkD7pRrAsMBWB7ZnhY=" + }, + { + "label": "CA_WoSign_ECC_Root", + "binNumber": 171, + "sha256Fingerprint": "i0XaHAb3kesMq/Jr5Yj1+yMWXC5hS/iFVi0NzlCymwI=" + }, + { + "label": "SZAFIR_ROOT_CA2", + "binNumber": 172, + "sha256Fingerprint": "oTOdMygaC1blV9PTKxzn+TZ+sJS9X6cqflAEyN7Xyv4=" + }, + { + "label": "Certum_Trusted_Network_CA_2", + "binNumber": 173, + "sha256Fingerprint": "tnby7drod1zTbLD2PNHUYDlh9J5iZboBOi8DB7bQuAQ=" + }, + { + "label": "Hellenic_Academic_and_Research_Institutions_RootCA_2015", + "binNumber": 174, + "sha256Fingerprint": "oECSmgLOU7Ss9PL/xpgc5ElvdV5tRf4LKmkrzVJSPzY=" + }, + { + "label": "Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015", + "binNumber": 175, + "sha256Fingerprint": "RLVFqool5lpzyhXcJ/w20kwcuZU6BmU5sRWC3Eh7SDM=" + }, + { + "label": "Certplus_Root_CA_G1", + "binNumber": 176, + "sha256Fingerprint": "FSpAK/zfLNVIBU0idbOcf8o+wJeAeLDw6nblYabHQz4=" + }, + { + "label": "Certplus_Root_CA_G2", + "binNumber": 177, + "sha256Fingerprint": "bMBQQeZEXnRpbEz7yfgPVDt+q7tEtM5veHxqmXHELxc=" + }, + { + "label": "OpenTrust_Root_CA_G1", + "binNumber": 178, + "sha256Fingerprint": "VsdxKNmMGNkbTP3/vCXukQPUdY6iq62CapDzRX1GDrQ=" + }, + { + "label": "OpenTrust_Root_CA_G2", + "binNumber": 179, + "sha256Fingerprint": "J5lYKf5qdRXBv+hI+cR2HbFsIlkpJXv0DQiU8p6ouvI=" + }, + { + "label": "OpenTrust_Root_CA_G3", + "binNumber": 180, + "sha256Fingerprint": "t8NiMXBugQeMNny4lhmPHjII3ZJpSd2PVwmkEPdbYpI=" + }, + { + "label": "ISRG_Root_X1", + "binNumber": 181, + "sha256Fingerprint": "lrzsBiZJdvN0YHeazyjFp8/oo8Cq4RqP/O4FwL3fCMY=" + }, + { + "label": "OU_AC_RAIZ_FNMT_RCM_O_FNMT_RCM_C_ES", + "binNumber": 182, 
+ "sha256Fingerprint": "68VXDCkBjE1nsaoSe68S9wO0YR68F7fatVc4lBebk/o=" + }, + { + "label": "Amazon_Root_CA_1", + "binNumber": 183, + "sha256Fingerprint": "js3miE89h7ESW6Maw/yxPXAW3n9XzJBP4cuXxq6YGW4=" + }, + { + "label": "Amazon_Root_CA_2", + "binNumber": 184, + "sha256Fingerprint": "G6WyqoxlQBqClgEY+AvsT2IwTYPOxHE6GcOcAR6kbbQ=" + }, + { + "label": "Amazon_Root_CA_3", + "binNumber": 185, + "sha256Fingerprint": "GM5s/nvxTmCy40e43+hoyzHQLrs62icVafUDQ7Rts6Q=" + }, + { + "label": "Amazon_Root_CA_4", + "binNumber": 186, + "sha256Fingerprint": "410oQZ7QICXPppA4zWI5YkWNpcaV+96jwisL+yWJcJI=" + }, + { + "label": "LuxTrust_Global_Root_2", + "binNumber": 187, + "sha256Fingerprint": "VEVfcSnCCxRHxBj5lxaPJMWPxQI79dpb4utuHdiQLtU=" + }, + { + "label": "TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi___Surum_1", + "binNumber": 188, + "sha256Fingerprint": "Ru3DaJBG1TpFP7MQSrgNyuxliyZg6hYp3X6GeZBkhxY=" + }, + { + "label": "GDCA_TrustAUTH_R5_ROOT", + "binNumber": 189, + "sha256Fingerprint": "v/+P0EQzSH1qiqYMGil2ep/Cu7BeQg9xOhO5kokdOJM=" + }, + { + "label": "TrustCor_RootCert_CA_1", + "binNumber": 190, + "sha256Fingerprint": "1A6chs2P5GjBd2lZ9J6ndPpUhoS2xAbzkJJh9NziV1w=" + }, + { + "label": "TrustCor_RootCert_CA_2", + "binNumber": 191, + "sha256Fingerprint": "B1PpQDeMG9Xjg245Xa6ly4OeUEbxvQ6uGVHPEP7HyWU=" + }, + { + "label": "TrustCor_ECA_1", + "binNumber": 192, + "sha256Fingerprint": "WohdsZwB2RLFdZOIk4yvu98DGrLUjpHuFVibQpcdA5w=" + }, + { + "label": "SSL_com_Root_Certification_Authority_RSA", + "binNumber": 193, + "sha256Fingerprint": "hWZqVi7gvlzpJcHYiQpvdqh+wW1NfV8p6nQZzyASO2k=" + }, + { + "label": "SSL_com_Root_Certification_Authority_ECC", + "binNumber": 194, + "sha256Fingerprint": "NBe7BsxgB9oblhySC4q0zj+tgg5Kowuay8SnTr3OvGU=" + }, + { + "label": "SSL_com_EV_Root_Certification_Authority_RSA_R2", + "binNumber": 195, + "sha256Fingerprint": "LnvxbMIkhae74qqGlnUHYbCuOb47L+nQzG1O9zSRQlw=" + }, + { + "label": "SSL_com_EV_Root_Certification_Authority_ECC", + "binNumber": 196, + "sha256Fingerprint": 
"IqLB973tcEzB5wG19AjDEIgP6Va13ipKRPmchzolp8g=" + }, + { + "label": "GlobalSign", + "binNumber": 197, + "sha256Fingerprint": "LKvq/jfQbKIqunORwAM9JZgpUsRTZHNJdjo6ta1sz2k=" + }, + { + "label": "OISTE_WISeKey_Global_Root_GC_CA", + "binNumber": 198, + "sha256Fingerprint": "hWD5HDYk2rqVcLX+oNvjb/EagyO+lIaFT7PzSlVxGY0=" + }, + { + "label": "GTS_Root_R1", + "binNumber": 199, + "sha256Fingerprint": "KldUceMTQLwhWBy9LPE+FYRjID7OlLz508wZa/CaVHI=" + }, + { + "label": "GTS_Root_R2", + "binNumber": 200, + "sha256Fingerprint": "xF17sI5tZ+YuQjURC1ZOX3j9ku8FjIQK6k5kVddYXGA=" + }, + { + "label": "GTS_Root_R3", + "binNumber": 201, + "sha256Fingerprint": "FdW4d0YZ6n1Uzhym0LDEA+A3qRfxMeigTh5renG6vOU=" + }, + { + "label": "GTS_Root_R4", + "binNumber": 202, + "sha256Fingerprint": "ccylOR+eeUsEgCUws2PhIdqKMEO7JmYv6k3Kf8lRpL0=" + }, + { + "label": "UCA_Global_G2_Root", + "binNumber": 203, + "sha256Fingerprint": "m+oRyXb+AUdkwb5WpvkUtaVgMXq9mYg5M4LlFhqgSTw=" + }, + { + "label": "UCA_Extended_Validation_Root", + "binNumber": 204, + "sha256Fingerprint": "1Dr5s1RzdVyWhPwG19jLcO5cKOdz+ylOtB7nFyKSTSQ=" + }, + { + "label": "Certigna_Root_CA", + "binNumber": 205, + "sha256Fingerprint": "1I09I+7bUKRZ5VGXYBwnd0udexjJTVoFlRGhAlC5MWg=" + }, + { + "label": "emSign_Root_CA___G1", + "binNumber": 206, + "sha256Fingerprint": "QPavA0apmqHNHVVaTpzOYsf5Y0YD7kBmFYM9yMjQA2c=" + }, + { + "label": "emSign_ECC_Root_CA___G3", + "binNumber": 207, + "sha256Fingerprint": "hqHsugicSo07vic0xhK6NB2BPgQ8+eioYs1cV6Nrvms=" + }, + { + "label": "emSign_Root_CA___C1", + "binNumber": 208, + "sha256Fingerprint": "ElYJqjAdoKJJuXqCOctqNCFvRNysnzlUsUKS8ujIYI8=" + }, + { + "label": "emSign_ECC_Root_CA___C3", + "binNumber": 209, + "sha256Fingerprint": "vE2AmxUYnXjbPh2M9PlyanldoWQ8pfE1jh3bDtwNfrM=" + }, + { + "label": "Hongkong_Post_Root_CA_3", + "binNumber": 210, + "sha256Fingerprint": "Wi/APwyDsJC7+kBgSwmIRGx2Nhg9+YRuFxAaRH+479Y=" + }, + { + "label": "Entrust_Root_Certification_Authority___G4", + "binNumber": 211, + 
"sha256Fingerprint": "2zUX0fZzKi1auXxTPscHee4ycKYvtKxCODckYObwHog=" + }, + { + "label": "Microsoft_ECC_Root_Certificate_Authority_2017", + "binNumber": 212, + "sha256Fingerprint": "NY3znXZK+eG3ZunJct81LuFc+sInr2rR1w6OSm7cugI=" + }, + { + "label": "Microsoft_RSA_Root_Certificate_Authority_2017", + "binNumber": 213, + "sha256Fingerprint": "x0H3D0sqjYi/LnHBQSLvU+8Q66DPpeZM+iD0GIUwc+A=" + }, + { + "label": "e_Szigno_Root_CA_2017", + "binNumber": 214, + "sha256Fingerprint": "vrALMIObm8MsMuREeQWVBkHyZCGxXtCJGYtRiuLqG5k=" + }, + { + "label": "OU_certSIGN_ROOT_CA_G2_O_CERTSIGN_SA_C_RO", + "binNumber": 215, + "sha256Fingerprint": "ZXz+L6c/qjhGJXHzMqI2Okb85wIJUXEHAs37tu7aMwU=" + }, + { + "label": "Trustwave_Global_Certification_Authority", + "binNumber": 216, + "sha256Fingerprint": "l1UgFfXd/DyHiMAGlEVVQIiURQCE8QCGcIa8Giu1jcg=" + }, + { + "label": "Trustwave_Global_ECC_P256_Certification_Authority", + "binNumber": 217, + "sha256Fingerprint": "lFu8gl6lVPSJ0f1Rpz3fLqYkrHAZoFIFIlwip4zPqLQ=" + }, + { + "label": "Trustwave_Global_ECC_P384_Certification_Authority", + "binNumber": 218, + "sha256Fingerprint": "VZA4WcjAw+u4dZ7OTiVXIl/1dYu9OOvUgnZgHhvVgJc=" + }, + { + "label": "NAVER_Global_Root_Certification_Authority", + "binNumber": 219, + "sha256Fingerprint": "iPQ43Pj/0fqPQpEV/+X4KuHgbgxww3X6rXF7NKSecmU=" + }, + { + "label": "AC_RAIZ_FNMT_RCM_SERVIDORES_SEGUROS", + "binNumber": 220, + "sha256Fingerprint": "VUFTsT0s+d23U7++Gk4K4I0KpBhwWP5gorhisuS4e8s=" + }, + { + "label": "GlobalSign_Root_R46", + "binNumber": 221, + "sha256Fingerprint": "T6MSbY06EdHEhVpPgHy61s+RnTpaiLA76ixjctk8QMk=" + }, + { + "label": "GlobalSign_Root_E46", + "binNumber": 222, + "sha256Fingerprint": "y7nETYS4BD4QUOoxpp9RSVXXv9LixrSTAQGa1h2fUFg=" + }, + { + "label": "GLOBALTRUST_2020", + "binNumber": 223, + "sha256Fingerprint": "milqUYLR1FGi439Dm3Tar6JnUjMp+Q+aDSAHwzTiPJo=" + }, + { + "label": "ANF_Secure_Server_Root_CA", + "binNumber": 224, + "sha256Fingerprint": "+4/sdZFpuRBrHlEWRMYYxRMENz9sBkMIjYvv/RuZdZk=" + }, 
+ { + "label": "Certum_EC_384_CA", + "binNumber": 225, + "sha256Fingerprint": "azKAhWJTGKpQ0XPJjYvaCdV+J0E9EUz3h6D10GwDDPY=" + }, + { + "label": "Certum_Trusted_Root_CA", + "binNumber": 226, + "sha256Fingerprint": "/naWVzhVdz43qV561NnMlsMBV8FdMXZbqbFXBOGueP0=" + }, + { + "label": "TunTrust_Root_CA", + "binNumber": 227, + "sha256Fingerprint": "LkQQKrWMuFQZRRyOGdms82Ysr7xhS2pTlgow99Di60E=" + }, + { + "label": "HARICA_TLS_RSA_Root_CA_2021", + "binNumber": 228, + "sha256Fingerprint": "2V0Ojtp5Ulv5vrEbFNIQDTKUmF8MYtn6vZzZmezLex0=" + }, + { + "label": "HARICA_TLS_ECC_Root_CA_2021", + "binNumber": 229, + "sha256Fingerprint": "P5nMR0rPzk3+1YeUZl5HjRVHc58ueA8btMqbEzCX1AE=" + }, + { + "label": "Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068", + "binNumber": 230, + "sha256Fingerprint": "V94Fg+/Ssm4DYdqZ2p30ZI3vfuhEHDtyivqbzeD5smo=" + }, + { + "label": "vTrus_ECC_Root_CA", + "binNumber": 231, + "sha256Fingerprint": "MPu6LDIjjiqYVHr5eTHlUEKLmz8cjutmM9z6hsWyfdM=" + }, + { + "label": "vTrus_Root_CA", + "binNumber": 232, + "sha256Fingerprint": "inHeZVkzb0JsJuU4gNANiKGNpMapHw3LYZTiBsXJY4c=" + }, + { + "label": "ISRG_Root_X2", + "binNumber": 233, + "sha256Fingerprint": "aXKbjhWobvwXelevtxcd/GSt0owvyozxUH40RTzLFHA=" + }, + { + "label": "HiPKI_Root_CA___G1", + "binNumber": 234, + "sha256Fingerprint": "8BXOPMI5v+8GS+nx0sQX4aAmSgqUvh8MjRIYZOtpScw=" + }, + { + "label": "GlobalSign", + "binNumber": 235, + "sha256Fingerprint": "sIXXC5ZPGRpz5K8NVK56Dgeq/a+bcd0IYhOKtzJaJKI=" + }, + { + "label": "GTS_Root_R1", + "binNumber": 236, + "sha256Fingerprint": "2UdDKr3nt/qQ/C5rWRAbEoDg4cfk5A+jxoh//1en9M8=" + }, + { + "label": "GTS_Root_R2", + "binNumber": 237, + "sha256Fingerprint": "jSXNlyKdv3A1a9pOs8xzQDHiTPAPr8/TLcdutYQcfqg=" + }, + { + "label": "GTS_Root_R3", + "binNumber": 238, + "sha256Fingerprint": "NNinPuII2bzbDZVlIJNLTkDmlIJZbotvc8hCawEKb0g=" + }, + { + "label": "GTS_Root_R4", + "binNumber": 239, + "sha256Fingerprint": "NJ36QFjF4mMSOzmK55VXPE4TE8g/5o+TVWzV6AMbPH0=" + }, + { + 
"label": "Telia_Root_CA_v2", + "binNumber": 240, + "sha256Fingerprint": "JCtpdC/LHlsqv5iJi5RXIYdUTltNmRF4ZXNiH2p0uCw=" + }, + { + "label": "D_TRUST_BR_Root_CA_1_2020", + "binNumber": 241, + "sha256Fingerprint": "5ZqqgWAJwiv/WyW6033zBvBJeXwfgdhasInmV72PAEQ=" + }, + { + "label": "D_TRUST_EV_Root_CA_1_2020", + "binNumber": 242, + "sha256Fingerprint": "CBcNGqNkU5AaL5WSReNH2wyNN6uqvFa4GqEA3JWJcNs=" + }, + { + "label": "DigiCert_TLS_ECC_P384_Root_G5", + "binNumber": 243, + "sha256Fingerprint": "AY4T8HclMs+Am9GxcoGGcoP8SMbhO+nGmBKFSkkMGwU=" + }, + { + "label": "DigiCert_TLS_RSA4096_Root_G5", + "binNumber": 244, + "sha256Fingerprint": "NxoA3AUzs3IafutA6EGecHmdKwoPLB2AaTFl987ErXU=" + }, + { + "label": "Certainly_Root_R1", + "binNumber": 245, + "sha256Fingerprint": "d7gs2GRMQwX3rMXLFWtFZ1AEAz1RxgxiAqjgwzRn06A=" + }, + { + "label": "Certainly_Root_E1", + "binNumber": 246, + "sha256Fingerprint": "tFhfIuSsdWpOhhKhNhxdnQMak/2E/rt3j6MGiw/ELcI=" + }, + { + "label": "E_Tugra_Global_Root_CA_RSA_v3", + "binNumber": 247, + "sha256Fingerprint": "72awsQo8258uNkjHa9KvGOrSv+bxF2VeKMQGDaGj9MI=" + }, + { + "label": "E_Tugra_Global_Root_CA_ECC_v3", + "binNumber": 248, + "sha256Fingerprint": "hz9Ghfp/VjYlJS5tNrzX8W/CSVHyZOR+G5VPSQjNyhM=" + }, + { + "label": "Security_Communication_RootCA3", + "binNumber": 249, + "sha256Fingerprint": "JKVcKrBRRC0GF3ZlQSOaStAy18VRdao0/94vvE9cUpQ=" + }, + { + "label": "Security_Communication_ECC_RootCA1", + "binNumber": 250, + "sha256Fingerprint": "50+9pVvVZMRzo2tEGqeZyKaOB3RA6CiLn6HlDku6yhE=" + } + ], + "maxBin": 250 +} \ No newline at end of file diff --git a/security/manager/tools/PreloadedHPKPins.json b/security/manager/tools/PreloadedHPKPins.json new file mode 100644 index 0000000000..2436258526 --- /dev/null +++ b/security/manager/tools/PreloadedHPKPins.json 
@@ -0,0 +1,214 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// The top-level element is a dictionary with two keys: "pinsets" maps details
+// of certificate pinning to a name and "entries" contains the HPKP details for
+// each host.
+//
+// "pinsets" is a list of objects. Each object has the following members:
+// name: (string) the name of the pinset
+// sha256_hashes: (list of strings) the set of allowed SPKIs hashes
+//
+// For a given pinset, a certificate is accepted if at least one of the
+// Subject Public Key Infos (SPKIs) is found in the chain. SPKIs are specified
+// as names, which must match up with the name given in the Mozilla root store.
+//
+// "entries" is a list of objects. Each object has the following members:
+// name: (string) the DNS name of the host in question
+// include_subdomains: (optional bool) whether subdomains of |name| are also covered
+// pins: (string) the |name| member of an object in |pinsets|
+//
+// "extra_certificates" is a list of base64-encoded certificates. These are used in
+// pinsets that reference certificates not in our root program (for example,
+// Facebook or intermediate CA certs).
+
+{
+ "chromium_data" : {
+ "cert_file_url": "https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/http/transport_security_state_static.pins?format=TEXT",
+ "json_file_url": "https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/http/transport_security_state_static_pins.json?format=TEXT",
+ "substitute_pinsets": {
+ // Use the larger google_root_pems pinset instead of google
+ "google": "google_root_pems"
+ },
+ "production_pinsets": [
+ "google_root_pems",
+ "facebook",
+ "ncsccs"
+ ],
+ "production_domains": [
+ // Chrome's test domains.
+ "pinningtest.appspot.com",
+ "pinning-test.badssl.com",
+ // Dropbox
+ "dropbox.com",
+ "www.dropbox.com",
+ // Twitter
+ "api.twitter.com",
+ "business.twitter.com",
+ "dev.twitter.com",
+ "mobile.twitter.com",
+ "oauth.twitter.com",
+ "platform.twitter.com",
+ "twimg.com",
+ "www.twitter.com",
+ // Tor
+ "torproject.org",
+ "blog.torproject.org",
+ "check.torproject.org",
+ "dist.torproject.org",
+ "www.torproject.org",
+ // SpiderOak
+ "spideroak.com"
+ ],
+ "exclude_domains" : [
+ // Chrome's entry for twitter.com doesn't include subdomains, so replace
+ // it with our own entry below which also uses an expanded pinset.
+ "twitter.com"
+ ]
+ },
+ "pinsets": [
+ {
+ "name": "mozilla_services",
+ "sha256_hashes": [
+ "DigiCert Global Root CA",
+ "DigiCert High Assurance EV Root CA",
+ "ISRG Root X1"
+ ]
+ },
+ // For pinning tests on pinning.example.com, the certificate must be 'End
+ // Entity Test Cert'
+ {
+ "name": "mozilla_test",
+ "sha256_hashes": [
+ "End Entity Test Cert"
+ ]
+ },
+ // Google's root PEMs. Chrome pins only to their intermediate certs, but
+ // they'd like us to be more liberal. For the initial list, we are using
+ // the certs from https://pki.google.com/roots.pem.
+ // We have no built-in for commented out CAs.
+ // This list should be updated via the dumpGoogleRoots.js script.
+ {
+ "name": "google_root_pems",
+ "sha256_hashes": [
+ "AffirmTrust Commercial",
+ "AffirmTrust Networking",
+ "AffirmTrust Premium",
+ "AffirmTrust Premium ECC",
+ "Baltimore CyberTrust Root",
+ "Comodo AAA Services root",
+ "COMODO Certification Authority",
+ "COMODO ECC Certification Authority",
+ "COMODO RSA Certification Authority",
+ "DigiCert Assured ID Root CA",
+ "DigiCert Assured ID Root G2",
+ "DigiCert Assured ID Root G3",
+ "DigiCert Global Root CA",
+ "DigiCert Global Root G2",
+ "DigiCert Global Root G3",
+ "DigiCert High Assurance EV Root CA",
+ "DigiCert Trusted Root G4",
+ "Entrust Root Certification Authority",
+ "Entrust Root Certification Authority - EC1",
+ "Entrust Root Certification Authority - G2",
+ "Entrust.net Premium 2048 Secure Server CA",
+ // "GlobalSign",
+ "GlobalSign ECC Root CA - R5",
+ "GlobalSign Root CA",
+ "GlobalSign Root CA - R3",
+ "GlobalSign Root CA - R6",
+ "Go Daddy Class 2 CA",
+ "Go Daddy Root Certificate Authority - G2",
+ // "GTS Root R1",
+ // "GTS Root R2",
+ // "GTS Root R3",
+ // "GTS Root R4",
+ "Starfield Class 2 CA",
+ "Starfield Root Certificate Authority - G2",
+ "USERTrust ECC Certification Authority",
+ "USERTrust RSA Certification Authority"
+ ]
+ }
+ // The list above should be updated via the dumpGoogleRoots.js script.
+ ],
+
+ "entries": [
+ // Only domains that are operationally crucial to Firefox can have per-host
+ // telemetry reporting (the "id") field
+ { "name": "addons.mozilla.org", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": false, "id": 1 },
+ { "name": "addons.mozilla.net", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": false, "id": 2 },
+ // AUS servers MUST remain in test mode
+ // see: https://bugzilla.mozilla.org/show_bug.cgi?id=1301956#c23
+ { "name": "aus4.mozilla.org", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": true, "id": 3 },
+ { "name": "aus5.mozilla.org", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": true, "id": 7 },
+ // Catchall for applications hosted under firefox.com
+ // see https://bugzilla.mozilla.org/show_bug.cgi?id=1494431
+ { "name": "firefox.com", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": true, "id": 15 },
+ // Firefox Accounts & sync
+ // superseded by catchall for firefox.com, but leaving for tracking
+ { "name": "accounts.firefox.com", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": false, "id": 4 },
+ { "name": "api.accounts.firefox.com", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": false, "id": 5 },
+ { "name": "sync.services.mozilla.com", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": false, "id": 13 },
+ // Catch-all for all CDN resources, including product delivery
+ // Telemetry IDs added in bug 1521983.
+ { "name": "cdn.mozilla.net", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": false, "id": 16 },
+ { "name": "cdn.mozilla.org", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": false, "id": 17 },
+ { "name": "download.mozilla.org", "include_subdomains": false,
+ "pins": "mozilla_services", "test_mode": false, "id": 14 },
+ // Catch-all for everything hosted under services.mozilla.com
+ { "name": "services.mozilla.com", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": false, "id": 6 },
+ // Catch-all for everything hosted under telemetry.mozilla.org
+ // MUST remain in test mode in order to receive telemetry on broken pins
+ { "name": "telemetry.mozilla.org", "include_subdomains": true,
+ "pins": "mozilla_services", "test_mode": true, "id": 8 },
+ // Test Pilot
+ // superseded by catchall for firefox.com, but leaving for tracking
+ { "name": "testpilot.firefox.com", "include_subdomains": false,
+ "pins": "mozilla_services", "test_mode": false, "id": 9 },
+ // Crash report sites
+ { "name": "crash-reports.mozilla.com", "include_subdomains": false,
+ "pins": "mozilla_services", "test_mode": false, "id": 10 },
+ { "name": "crash-reports-xpsp2.mozilla.com", "include_subdomains": false,
+ "pins": "mozilla_services", "test_mode": false, "id": 11 },
+ { "name": "crash-stats.mozilla.org", "include_subdomains": false,
+ "pins": "mozilla_services", "test_mode": false, "id": 12 },
+ { "name": "include-subdomains.pinning.example.com",
+ "include_subdomains": true, "pins": "mozilla_test",
+ "test_mode": false },
+ // Example domain to collect per-host stats for telemetry tests.
+ { "name": "exclude-subdomains.pinning.example.com",
+ "include_subdomains": false, "pins": "mozilla_test",
+ "test_mode": false },
+ { "name": "test-mode.pinning.example.com", "include_subdomains": true,
+ "pins": "mozilla_test", "test_mode": true },
+ // Expand twitter's pinset to include all of *.twitter.com and use
+ // twitterCDN.
More specific rules take precedence because we search for + // exact domain name first. + { "name": "twitter.com", "include_subdomains": true, + "pins": "twitterCDN", "test_mode": false } + ], + // When pinning to non-root certs, like intermediates, + // place the PEM of the pinned certificate in this array + // so Firefox can find the subject DN and public key + "extra_certificates": [ + // Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 + // Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1 + "MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAwTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrXNSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHlNpi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7DcGu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgzuEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMBAAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEFBQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsGAQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYDVR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIBABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGxA/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRMUM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqC
Xl1eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOuOsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vwp7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKRPB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5brUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt", + // Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X4 + // Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1 + "MIIFjTCCA3WgAwIBAgIRAJObmZ6kjhYNW0JZtD0gE9owDQYJKoZIhvcNAQELBQAwTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0NDM0WhcNMjExMDA2MTU0NDM0WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhJHRCe7eRMdlz/ziq2M5EXLc5CtxErg29RbmXN2evvVBPX9MQVGv3QdqOY+ZtW8DoQKmMQfzRA4n/YmEJYNYHBXiakL0aZD5P3M93L4lry2evQU3FjQDAa/6NhNy18pUxqOj2kKBDSpN0XLM+Q2lLiSJHdFE+mWTDzSQB+YQvKHcXIqfdw2wITGYvN3TFb5OOsEY3FmHRUJjIsA9PWFN8rPbaLZZhUK1D3AqmT561Urmcju9O30azMdwg/GnCoyB1Puw4GzZOZmbS3/VmpJMve6YOlD5gPUpLHG+6tE0cPJFYbi9NxNpw2+0BOXbASefpNbUUBpDB5ZLiEP1rubSFAgMBAAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBTFsatOTLHNZDCTfsGEmQWr5gPiJTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEFBQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsGAQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYDVR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIBAF4tI1yGjZgld9lP01+zftU3aSV0un0d2GKUMO7GxvwTLWAKQz/eT+u3J4+GvpD+BMfopIxkJcDCzMChjjZtZZwJpIY7BatVrO6OkEmaRNITtbZ/hCwNkUnbk3C7EG3OGJZlo9b2wzA8v9WBsPzHpTvLfOr+dS57LLPZBhp3ArHaLbdk33lIONRPt9sseDEkmdHnVmGmBRf4+J0Wy
67mddOvz5rHH8uzY94raOayf20gzzcmqmot4hPXtDG4Y49MoFMMT2kcWck3EOTAH6QiGWkGJ7cxMfSL3S0niA6wgFJtfETETOZu8AVDgENgCJ3DS0bz/dhVKvs3WRkaKuuR/W0nnC2VDdaFj4+CRF8LGtn/8ERaH48TktH5BDyDVcF9zfJ75Scxcy23jAL2N6w3n/t3nnqoXt9Im4FprDr+mP1g2Z6Lf2YA0jE3kZalgZ6lNHu4CmvJYoOTSJw9X2qlGl1K+B4U327rG1tRxgjM76pN6lIS02PMECoyKJigpOSBu4V8+LVaUMezCJH9Qf4EKeZTHddQ1t96zvNd2s9ewSKx/DblXbKsBDzIdHJ+qi6+F9DIVM5/ICdtDdulOO+dr/BXB+pBZ3uVxjRANvJKKpdxkePyluITSNZHbanWRN07gMvwBWOL060i4VrL9er1sBQrRjU9iNpZQGTnLVAxQVFu" + ] +} diff --git a/security/manager/tools/crtshToIdentifyingStruct/crtshToIdentifyingStruct.py b/security/manager/tools/crtshToIdentifyingStruct/crtshToIdentifyingStruct.py new file mode 100644 index 0000000000..05e0842e2a --- /dev/null +++ b/security/manager/tools/crtshToIdentifyingStruct/crtshToIdentifyingStruct.py 
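Review bot: The header comment at the top of this hunk lists only `name`, `include_subdomains` and `pins` for "entries", although every entry also carries `test_mode` and most carry `id`, and it says the top level has two keys while the object has four (`chromium_data`, `pinsets`, `entries`, `extra_certificates`). Because the inline comments say the AUS and telemetry hosts MUST stay in test mode, that field should be documented beside the others, for example `// test_mode: (bool) pin failures are reported but not enforced (confirm against the pinning code)` and `// id: (optional int) per-host telemetry id`. The last entry pins `twitter.com` to `twitterCDN`, which is defined neither in this file's "pinsets" nor in "production_pinsets"; presumably it comes from the downloaded Chromium data, and a one-line comment saying so, plus a generator that fails when a referenced pinset is missing, would make that dependency explicit. The two Let's Encrypt Authority X3/X4 blobs in "extra_certificates" do not appear to be referenced by any pinset visible here and look like leftovers worth removing or annotating.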
@@ -0,0 +1,156 @@ +#!/usr/bin/env python3 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +""" +This utility takes a series of https://crt.sh/ identifiers and writes to +stdout all of those certs' distinguished name or SPKI fields in hex, with an +array of all those. You'll need to post-process this list to handle any +duplicates. + +Requires Python 3. +""" +import argparse +import io +import re +import sys + +import requests +from cryptography import x509 +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives import hashes +from cryptography.x509.oid import NameOID +from pyasn1.codec.der import decoder, encoder +from pyasn1_modules import pem, rfc5280 + +assert sys.version_info >= (3, 2), "Requires Python 3.2 or later" + + +def hex_string_for_struct(bytes): + return ["0x{:02X}".format(x) for x in bytes] + + +def hex_string_human_readable(bytes): + return ["{:02X}".format(x) for x in bytes] + + +def nameOIDtoString(oid): + if oid == NameOID.COUNTRY_NAME: + return "C" + if oid == NameOID.COMMON_NAME: + return "CN" + if oid == NameOID.LOCALITY_NAME: + return "L" + if oid == NameOID.ORGANIZATION_NAME: + return "O" + if oid == NameOID.ORGANIZATIONAL_UNIT_NAME: + return "OU" + raise Exception("Unknown OID: {}".format(oid)) + + +def print_block(pemData, identifierType="DN", crtshId=None): + substrate = pem.readPemFromFile(io.StringIO(pemData.decode("utf-8"))) + cert, _ = decoder.decode(substrate, asn1Spec=rfc5280.Certificate()) + octets = None + + if identifierType == "DN": + der_subject = encoder.encode(cert["tbsCertificate"]["subject"]) + octets = hex_string_for_struct(der_subject) + elif identifierType == "SPKI": + der_spki = encoder.encode(cert["tbsCertificate"]["subjectPublicKeyInfo"]) + octets = hex_string_for_struct(der_spki) + else: + raise Exception("Unknown 
identifier type: " + identifierType) + + cert = x509.load_pem_x509_certificate(pemData, default_backend()) + common_name = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0] + block_name = "CA{}{}".format( + re.sub(r"[-:=_. ]", "", common_name.value), identifierType + ) + + fingerprint = hex_string_human_readable(cert.fingerprint(hashes.SHA256())) + + dn_parts = [ + "/{id}={value}".format(id=nameOIDtoString(part.oid), value=part.value) + for part in cert.subject + ] + distinguished_name = "".join(dn_parts) + + print("// {dn}".format(dn=distinguished_name)) + print("// SHA256 Fingerprint: " + ":".join(fingerprint[:16])) + print("// " + ":".join(fingerprint[16:])) + if crtshId: + print("// https://crt.sh/?id={crtsh} (crt.sh ID={crtsh})".format(crtsh=crtshId)) + print("static const uint8_t {}[{}] = ".format(block_name, len(octets)) + "{") + + while len(octets) > 0: + print(" " + ", ".join(octets[:13]) + ",") + octets = octets[13:] + + print("};") + print() + + return block_name + + +if __name__ == "__main__": + parser = argparse.ArgumentParser() + parser.add_argument( + "-spki", + action="store_true", + help="Create a list of subject public key info fields", + ) + parser.add_argument( + "-dn", + action="store_true", + help="Create a list of subject distinguished name fields", + ) + parser.add_argument("-listname", help="Name of the final DataAndLength block") + parser.add_argument( + "certId", nargs="+", help="A list of PEM files on disk or crt.sh IDs" + ) + args = parser.parse_args() + + if not args.dn and not args.spki: + parser.print_help() + raise Exception("You must select either DN or SPKI matching") + + blocks = [] + + print( + "// Script from security/manager/tools/crtshToIdentifyingStruct/" + + "crtshToIdentifyingStruct.py" + ) + print("// Invocation: {}".format(" ".join(sys.argv))) + print() + + identifierType = None + if args.dn: + identifierType = "DN" + else: + identifierType = "SPKI" + + for certId in args.certId: + # Try a local file first, 
then crt.sh + try: + with open(certId, "rb") as pemFile: + blocks.append( + print_block(pemFile.read(), identifierType=identifierType) + ) + except OSError: + r = requests.get("https://crt.sh/?d={}".format(certId)) + r.raise_for_status() + blocks.append( + print_block(r.content, crtshId=certId, identifierType=identifierType) + ) + + print("static const DataAndLength " + args.listname + "[]= {") + for structName in blocks: + if len(structName) < 33: + print(" { " + "{name}, sizeof({name}) ".format(name=structName) + "},") + else: + print(" { " + "{},".format(structName)) + print(" sizeof({})".format(structName) + " },") + print("};") diff --git a/security/manager/tools/crtshToIdentifyingStruct/requirements.txt b/security/manager/tools/crtshToIdentifyingStruct/requirements.txt new file mode 100644 index 0000000000..c5c04ec1cc --- /dev/null +++ b/security/manager/tools/crtshToIdentifyingStruct/requirements.txt @@ -0,0 +1,4 @@ +cryptography >= 1.8 +requests >= 2.0 +pyasn1 >= 0.3 +pyasn1_modules >= 0.1 \ No newline at end of file diff --git a/security/manager/tools/dumpGoogleRoots.js b/security/manager/tools/dumpGoogleRoots.js new file mode 100644 index 0000000000..e744061312 --- /dev/null +++ b/security/manager/tools/dumpGoogleRoots.js 
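Review bot: In the `except OSError:` branch of the main loop, any argument that cannot be opened as a file is formatted into `https://crt.sh/?d={}` and fetched without a timeout, so a mistyped PEM path silently becomes a network lookup and a stalled server hangs the run; check it first with `if not certId.isdigit(): raise Exception("Not a file or crt.sh ID: " + certId)` and call `requests.get(url, timeout=30)`. In `print_block` the certificate's common name becomes a C identifier through `re.sub(r"[-:=_. ]", "", common_name.value)`, which removes only that fixed set of characters, and the subject is printed after `// `; an allow-list such as `re.sub(r"[^A-Za-z0-9]", "", common_name.value)` keeps unexpected characters from a fetched certificate out of the generated source. `-listname` is optional but is concatenated unconditionally in the final `print`, so omitting it fails with a TypeError only after every certificate has been processed; `required=True` on that argument reports the mistake up front.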
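Review bot: All four requirements are lower bounds only (`cryptography >= 1.8`, `requests >= 2.0`, `pyasn1 >= 0.3`, `pyasn1_modules >= 0.1`), so an install takes whatever is newest at that moment and equally accepts very old releases. For a tool whose output is C arrays identifying certificates, exact pins with hashes make the run reproducible and reviewable, e.g. `cryptography==<version> --hash=sha256:<hash>` (placeholders), installed with `pip install --require-hashes -r requirements.txt`.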
@@ -0,0 +1,96 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// This file is a helper script that generates the list of certificates that +// make up the preloaded pinset for Google properties. +// +// How to run this file: +// 1. [obtain firefox source code] +// 2. [build/obtain firefox binaries] +// 3. run `[path to]/run-mozilla.sh [path to]/xpcshell dumpGoogleRoots.js' +// 4. [paste the output into the appropriate section in +// security/manager/tools/PreloadedHPKPins.json] + +Services.prefs.setBoolPref("network.process.enabled", false); + +function downloadRoots() { + let req = new XMLHttpRequest(); + req.open("GET", "https://pki.google.com/roots.pem", false); + try { + req.send(); + } catch (e) { + throw new Error("ERROR: problem downloading Google Root PEMs: " + e); + } + + if (req.status != 200) { + throw new Error( + "ERROR: problem downloading Google Root PEMs. Status: " + req.status + ); + } + + let pem = req.responseText; + let roots = []; + let currentPEM = ""; + let readingRoot = false; + let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB + ); + for (let line of pem.split(/[\r\n]/)) { + if (line == "-----END CERTIFICATE-----") { + if (currentPEM) { + roots.push(certDB.constructX509FromBase64(currentPEM)); + } + currentPEM = ""; + readingRoot = false; + continue; + } + if (readingRoot) { + currentPEM += line; + } + if (line == "-----BEGIN CERTIFICATE-----") { + readingRoot = true; + } + } + return roots; +} + +function makeFormattedNickname(cert) { + if (cert.isBuiltInRoot) { + return `"${cert.displayName}"`; + } + // Otherwise, this isn't a built-in and we have to comment it out. 
+ return `// "${cert.displayName}"`; +} + +var roots = downloadRoots(); +var rootNicknames = []; +for (var root of roots) { + rootNicknames.push(makeFormattedNickname(root)); +} +rootNicknames.sort(function(rootA, rootB) { + let rootALowercase = rootA.toLowerCase().replace(/(^[^"]*")|"/g, ""); + let rootBLowercase = rootB.toLowerCase().replace(/(^[^"]*")|"/g, ""); + if (rootALowercase < rootBLowercase) { + return -1; + } + if (rootALowercase > rootBLowercase) { + return 1; + } + return 0; +}); +dump(" {\n"); +dump(' "name": "google_root_pems",\n'); +dump(' "sha256_hashes": [\n'); +var first = true; +for (var nickname of rootNicknames) { + if (!first) { + dump(",\n"); + } + first = false; + dump(" " + nickname); +} +dump("\n"); +dump(" ]\n"); +dump(" }\n"); diff --git a/security/manager/tools/genRootCAHashes.js b/security/manager/tools/genRootCAHashes.js new file mode 100644 index 0000000000..ea5794a2aa --- /dev/null +++ b/security/manager/tools/genRootCAHashes.js 
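Review bot: `downloadRoots()` returns an empty array without error when a 200 response has no lines that exactly equal `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----`, for example an HTML interstitial. The script then dumps a `google_root_pems` entry with an empty `sha256_hashes` list, which the header comment says to paste into PreloadedHPKPins.json. I would fail closed after the loop with `if (!roots.length) { throw new Error("ERROR: no certificates parsed from Google Root PEMs"); }`. Trimming each line before the marker comparisons (`line = line.trim();` at the top of the loop body) would also stop trailing whitespace on a marker from silently dropping or corrupting a root.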
@@ -0,0 +1,274 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +"use strict"; + +// How to run this file: +// 1. [obtain firefox source code] +// 2. [build/obtain firefox binaries] +// 3. run `[path to]/run-mozilla.sh [path to]/xpcshell genRootCAHashes.js \ +// [absolute path to]/RootHashes.inc' + +const nsX509CertDB = "@mozilla.org/security/x509certdb;1"; +const CertDb = Cc[nsX509CertDB].getService(Ci.nsIX509CertDB); + +const { FileUtils } = ChromeUtils.importESModule( + "resource://gre/modules/FileUtils.sys.mjs" +); +const { NetUtil } = ChromeUtils.import("resource://gre/modules/NetUtil.jsm"); +const { CommonUtils } = ChromeUtils.import( + "resource://services-common/utils.js" +); + +const FILENAME_OUTPUT = "RootHashes.inc"; +const FILENAME_TRUST_ANCHORS = "KnownRootHashes.json"; +const ROOT_NOT_ASSIGNED = -1; + +const JSON_HEADER = `// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +// +//*************************************************************************** +// This is an automatically generated file. It's used to maintain state for +// runs of genRootCAHashes.js; you should never need to manually edit it +//*************************************************************************** + +// Notes: +// binNumber 1 used to be for "GTE_CyberTrust_Global_Root", but that root was +// removed from the built-in roots module, so now it is used to indicate that +// the certificate is not a built-in and was found in the softoken (cert9.db). 
+ +// binNumber 2 used to be for "Thawte_Server_CA", but that root was removed from +// the built-in roots module, so now it is used to indicate that the certificate +// is not a built-in and was found on an external PKCS#11 token. + +// binNumber 3 used to be for "Thawte_Premium_Server_CA", but that root was +// removed from the built-in roots module, so now it is used to indicate that +// the certificate is not a built-in and was temporarily imported from the OS as +// part of the "Enterprise Roots" feature. + +`; + +const FILE_HEADER = + "/* This Source Code Form is subject to the terms of the Mozilla Public\n" + + " * License, v. 2.0. If a copy of the MPL was not distributed with this\n" + + " * file, You can obtain one at http://mozilla.org/MPL/2.0/. */\n" + + "\n" + + "/*****************************************************************************/\n" + + "/* This is an automatically generated file. If you're not */\n" + + "/* RootCertificateTelemetryUtils.cpp, you shouldn't be #including it. 
*/\n" + + "/*****************************************************************************/\n" + + "\n" + + "#define HASH_LEN 32\n"; + +const FP_PREAMBLE = + "struct CertAuthorityHash {\n" + + " // See bug 1338873 about making these fields const.\n" + + " uint8_t hash[HASH_LEN];\n" + + " int32_t binNumber;\n" + + "};\n\n" + + "static const struct CertAuthorityHash ROOT_TABLE[] = {\n"; + +const FP_POSTAMBLE = "};\n"; + +// Helper +function writeString(fos, string) { + fos.write(string, string.length); +} + +// Remove all colons from a string +function stripColons(hexString) { + return hexString.replace(/:/g, ""); +} + +// Expect an array of bytes and make it C-formatted +function hexSlice(bytes, start, end) { + let ret = ""; + for (let i = start; i < end; i++) { + let hex = (0 + bytes.charCodeAt(i).toString(16)).slice(-2).toUpperCase(); + ret += "0x" + hex; + if (i < end - 1) { + ret += ", "; + } + } + return ret; +} + +function stripComments(buf) { + let lines = buf.split("\n"); + let entryRegex = /^\s*\/\//; + let data = ""; + for (let i = 0; i < lines.length; i++) { + let match = entryRegex.exec(lines[i]); + if (!match) { + data = data + lines[i]; + } + } + return data; +} + +// Load the trust anchors JSON object from disk +function loadTrustAnchors(file) { + if (file.exists()) { + let stream = Cc["@mozilla.org/network/file-input-stream;1"].createInstance( + Ci.nsIFileInputStream + ); + stream.init(file, -1, 0, 0); + let buf = NetUtil.readInputStreamToString(stream, stream.available()); + return JSON.parse(stripComments(buf)); + } + // If there's no input file, bootstrap. + return { roots: [], maxBin: 0 }; +} + +// Saves our persistence file so that we don't lose track of the mapping +// between bin numbers and the CA-hashes, even as CAs come and go. 
+function writeTrustAnchors(file) { + let fos = FileUtils.openSafeFileOutputStream(file); + + let serializedData = JSON.stringify(gTrustAnchors, null, " "); + fos.write(JSON_HEADER, JSON_HEADER.length); + fos.write(serializedData, serializedData.length); + + FileUtils.closeSafeFileOutputStream(fos); +} + +// Write the C++ header file +function writeRootHashes(fos) { + try { + writeString(fos, FILE_HEADER); + + // Output the sorted gTrustAnchors + writeString(fos, FP_PREAMBLE); + gTrustAnchors.roots.forEach(function(fp) { + let fpBytes = atob(fp.sha256Fingerprint); + + writeString(fos, " {\n"); + writeString(fos, " /* " + fp.label + " */\n"); + writeString(fos, " { " + hexSlice(fpBytes, 0, 16) + ",\n"); + writeString(fos, " " + hexSlice(fpBytes, 16, 32) + " },\n"); + writeString(fos, " " + fp.binNumber + " /* Bin Number */\n"); + + writeString(fos, " },\n"); + }); + writeString(fos, FP_POSTAMBLE); + + writeString(fos, "\n"); + } catch (e) { + dump("ERROR: problem writing output: " + e + "\n"); + } +} + +// Scan our list (linearly) for the given fingerprint string +function findTrustAnchorByFingerprint(sha256Fingerprint) { + for (let i = 0; i < gTrustAnchors.roots.length; i++) { + if (sha256Fingerprint == gTrustAnchors.roots[i].sha256Fingerprint) { + return i; + } + } + return ROOT_NOT_ASSIGNED; +} + +// Get a clean label for a given certificate; usually the common name. +function getLabelForCert(cert) { + let label = cert.commonName; + + if (label.length < 5) { + label = cert.subjectName; + } + + // replace non-ascii characters + label = label.replace(/[^[:ascii:]]/g, "_"); + // replace non-word characters + label = label.replace(/[^A-Za-z0-9]/g, "_"); + return label; +} + +// Fill in the gTrustAnchors list with trust anchors from the database. 
+function insertTrustAnchorsFromDatabase() { + // We only want CA certs for SSL + const CERT_TYPE = Ci.nsIX509Cert.CA_CERT; + const TRUST_TYPE = Ci.nsIX509CertDB.TRUSTED_SSL; + + // Iterate through the whole Cert DB + for (let cert of CertDb.getCerts()) { + // Find the certificate in our existing list. Do it here because we need to check if + // it's untrusted too. + + // If this is a trusted cert + if (CertDb.isCertTrusted(cert, CERT_TYPE, TRUST_TYPE)) { + // Base64 encode the hex string + let binaryFingerprint = CommonUtils.hexToBytes( + stripColons(cert.sha256Fingerprint) + ); + let encodedFingerprint = btoa(binaryFingerprint); + + // Scan to see if this is already in the database. + if ( + findTrustAnchorByFingerprint(encodedFingerprint) == ROOT_NOT_ASSIGNED + ) { + // Let's get a usable name; some old certs do not have CN= filled out + let label = getLabelForCert(cert); + + // Add to list + gTrustAnchors.maxBin += 1; + gTrustAnchors.roots.push({ + label, + binNumber: gTrustAnchors.maxBin, + sha256Fingerprint: encodedFingerprint, + }); + } + } + } +} + +// +// PRIMARY LOGIC +// + +if (arguments.length != 1) { + throw new Error( + "Usage: genRootCAHashes.js " + ); +} + +var trustAnchorsFile = new FileUtils.File( + PathUtils.join( + Services.dirsvc.get("CurWorkD", Ci.nsIFile).path, + FILENAME_TRUST_ANCHORS + ) +); +var rootHashesFile = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile); +rootHashesFile.initWithPath(arguments[0]); + +// Open the known hashes file; this is to ensure stable bin numbers. +var gTrustAnchors = loadTrustAnchors(trustAnchorsFile); + +// Collect all certificate entries +insertTrustAnchorsFromDatabase(); + +// Update known hashes before we sort +writeTrustAnchors(trustAnchorsFile); + +// Sort all trust anchors before writing, as AccumulateRootCA.cpp +// will perform binary searches +gTrustAnchors.roots.sort(function(a, b) { + // We need to work from the binary values, not the base64 values. 
+ let aBin = atob(a.sha256Fingerprint); + let bBin = atob(b.sha256Fingerprint); + + if (aBin < bBin) { + return -1; + } + if (aBin > bBin) { + return 1; + } + return 0; +}); + +// Write the output file. +var rootHashesFileOutputStream = FileUtils.openSafeFileOutputStream( + rootHashesFile +); +writeRootHashes(rootHashesFileOutputStream); +FileUtils.closeSafeFileOutputStream(rootHashesFileOutputStream); diff --git a/security/manager/tools/getCTKnownLogs.py b/security/manager/tools/getCTKnownLogs.py new file mode 100755 index 0000000000..a121283a6a --- /dev/null +++ b/security/manager/tools/getCTKnownLogs.py 
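Review bot: `writeRootHashes()` catches every exception and only `dump()`s it, so a failure part-way through the table (for example `atob()` throwing on a malformed `sha256Fingerprint` loaded from KnownRootHashes.json) is not seen by the caller. The top level then still calls `FileUtils.closeSafeFileOutputStream(rootHashesFileOutputStream)`, which presumably commits the truncated RootHashes.inc over the previous good file. Let the error propagate so the safe stream is never finished, either by dropping the try/catch or by adding `throw e;` after the `dump`. Separately, in `getLabelForCert()` the pattern `/[^[:ascii:]]/g` is not a POSIX class in JavaScript; it parses as a negated set of `[:asci` followed by a literal `]`, so the line does not do what its comment says. `/[^\x00-\x7F]/g` is the usual spelling, although the following `[^A-Za-z0-9]` replacement already covers the case.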
@@ -0,0 +1,333 @@ +#!/usr/bin/env python +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +""" +Parses a JSON file listing the known Certificate Transparency logs +(log_list.json) and generates a C++ header file to be included in Firefox. + +The current log_list.json file available under security/manager/tools +was originally downloaded from +https://www.certificate-transparency.org/known-logs +and edited to include the disqualification time for the disqualified logs using +https://cs.chromium.org/chromium/src/net/cert/ct_known_logs_static-inc.h +""" + +import argparse +import base64 +import datetime +import json +import os.path +import sys +import textwrap +from string import Template + +import six +import urllib2 + + +def decodebytes(s): + if six.PY3: + return base64.decodebytes(six.ensure_binary(s)) + return base64.decodestring(s) + + +OUTPUT_TEMPLATE = """\ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* This file was automatically generated by $prog. */ + +#ifndef $include_guard +#define $include_guard + +#include "CTLog.h" + +#include + +struct CTLogInfo +{ + // See bug 1338873 about making these fields const. + const char* name; + // Index within kCTLogOperatorList. + mozilla::ct::CTLogStatus status; + // 0 for qualified logs, disqualification time for disqualified logs + // (in milliseconds, measured since the epoch, ignoring leap seconds). + uint64_t disqualificationTime; + size_t operatorIndex; + const char* key; + size_t keyLength; +}; + +struct CTLogOperatorInfo +{ + // See bug 1338873 about making these fields const. 
+ const char* name; + mozilla::ct::CTLogOperatorId id; +}; + +const CTLogInfo kCTLogList[] = { +$logs +}; + +const CTLogOperatorInfo kCTLogOperatorList[] = { +$operators +}; + +#endif // $include_guard +""" + + +def get_disqualification_time(time_str): + """ + Convert a time string such as "2017-01-01T00:00:00Z" to an integer + representing milliseconds since the epoch. + Timezones in the string are not supported and will result in an exception. + """ + t = datetime.datetime.strptime(time_str, "%Y-%m-%dT%H:%M:%SZ") + epoch = datetime.datetime.utcfromtimestamp(0) + seconds_since_epoch = (t - epoch).total_seconds() + return int(seconds_since_epoch * 1000) + + +def get_hex_lines(blob, width): + """Convert a binary string to a multiline text of C escape sequences.""" + text = "".join(["\\x{:02x}".format(ord(c)) for c in blob]) + # When escaped, a single byte takes 4 chars (e.g. "\x00"). + # Make sure we don't break an escaped byte between the lines. + return textwrap.wrap(text, width - width % 4) + + +def get_operator_and_index(json_data, operator_id): + """Return operator's entry from the JSON along with its array index.""" + matches = [ + (operator, index) + for (index, operator) in enumerate(json_data["operators"]) + if operator["id"] == operator_id + ] + assert len(matches) != 0, "No operators with id {0} defined.".format(operator_id) + assert len(matches) == 1, "Found multiple operators with id {0}.".format( + operator_id + ) + return matches[0] + + +def get_log_info_structs(json_data): + """Return array of CTLogInfo initializers for the known logs.""" + tmpl = Template( + textwrap.dedent( + """\ + { $description, + $status, + $disqualification_time, // $disqualification_time_comment + $operator_index, // $operator_comment + $indented_log_key, + $log_key_len }""" + ) + ) + initializers = [] + for log in json_data["logs"]: + log_key = decodebytes(log["key"]) + # "operated_by" is a list, we assume here it always contains one item. 
+ operated_by = log["operated_by"] + assert len(operated_by) == 1, "operated_by must contain one item." + operator, operator_index = get_operator_and_index(json_data, operated_by[0]) + if "disqualification_time" in log: + status = "mozilla::ct::CTLogStatus::Disqualified" + disqualification_time = get_disqualification_time( + log["disqualification_time"] + ) + disqualification_time_comment = 'Date.parse("{0}")'.format( + log["disqualification_time"] + ) + else: + status = "mozilla::ct::CTLogStatus::Included" + disqualification_time = 0 + disqualification_time_comment = "no disqualification time" + is_test_log = "test_only" in operator and operator["test_only"] + prefix = "" + suffix = "," + if is_test_log: + prefix = "#ifdef DEBUG\n" + suffix = ",\n#endif // DEBUG" + toappend = tmpl.substitute( + # Use json.dumps for C-escaping strings. + # Not perfect but close enough. + description=json.dumps(log["description"]), + operator_index=operator_index, + operator_comment="operated by {0}". + # The comment must not contain "/". + format(operator["name"]).replace("/", "|"), + status=status, + disqualification_time=disqualification_time, + disqualification_time_comment=disqualification_time_comment, + # Maximum line width is 80. 
+ indented_log_key="\n".join( + [' "{0}"'.format(l) for l in get_hex_lines(log_key, 74)] + ), + log_key_len=len(log_key), + ) + initializers.append(prefix + toappend + suffix) + return initializers + + +def get_log_operator_structs(json_data): + """Return array of CTLogOperatorInfo initializers.""" + tmpl = Template(" { $name, $id }") + initializers = [] + for operator in json_data["operators"]: + prefix = "" + suffix = "," + is_test_log = "test_only" in operator and operator["test_only"] + if is_test_log: + prefix = "#ifdef DEBUG\n" + suffix = ",\n#endif // DEBUG" + toappend = tmpl.substitute(name=json.dumps(operator["name"]), id=operator["id"]) + initializers.append(prefix + toappend + suffix) + return initializers + + +def generate_cpp_header_file(json_data, out_file): + """Generate the C++ header file for the known logs.""" + filename = os.path.basename(out_file.name) + include_guard = filename.replace(".", "_").replace("/", "_") + log_info_initializers = get_log_info_structs(json_data) + operator_info_initializers = get_log_operator_structs(json_data) + out_file.write( + Template(OUTPUT_TEMPLATE).substitute( + prog=os.path.basename(sys.argv[0]), + include_guard=include_guard, + logs="\n".join(log_info_initializers), + operators="\n".join(operator_info_initializers), + ) + ) + + +def patch_in_test_logs(json_data): + """Insert Mozilla-specific test log data.""" + max_id = 0 + for operator in json_data["operators"]: + if operator["id"] > max_id: + max_id = operator["id"] + mozilla_test_operator_1 = { + "name": "Mozilla Test Org 1", + "id": max_id + 1, + "test_only": True, + } + mozilla_test_operator_2 = { + "name": "Mozilla Test Org 2", + "id": max_id + 2, + "test_only": True, + } + json_data["operators"].append(mozilla_test_operator_1) + json_data["operators"].append(mozilla_test_operator_2) + # The easiest way to get this is + # `openssl x509 -noout -pubkey -in ` + mozilla_rsa_log_1 = { + "description": "Mozilla Test RSA Log 1", + "key": """ + 
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2 + ED08E9nq5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdF + h/cc1SScAn7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6n + cOAPDY39ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAv + OnsQgAYkzBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2nj + tIqVYR3uJtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXt + jQIDAQAB + """, + "operated_by": [max_id + 1], + } + # Similarly, + # `openssl x509 -noout -pubkey -in ` + mozilla_rsa_log_2 = { + "description": "Mozilla Test RSA Log 2", + "key": """ + MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2 + w39c5TiwbErNIrHL1G+mWtoq3UHIwkmKxKOzwfYUh/QbaYlBvYClHDwSAkTFhKTE + SDMF5ROMAQbPCL6ahidguuai6PNvI8XZgxO53683g0XazlHU1tzSpss8xwbrzTBw + 7JjM5AqlkdcpWn9xxb5maR0rLf7ISURZC8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1C + aQiICBFCIGmYikP+5Izmh4HdIramnNKDdRMfkysSjOKG+n0lHAYq0n7wFvGHzdVO + gys1uJMPdLqQqovHYWckKrH9bWIUDRjEwLjGj8N0hFcyStfehuZVLx0eGR1xIWjT + uwIDAQAB + """, + "operated_by": [max_id + 2], + } + # `openssl x509 -noout -pubkey -in +subject: +[version:{1,2,3,4}] +[validity:] +[issuerKey:] +[subjectKey:] +[signature:{sha256WithRSAEncryption,sha1WithRSAEncryption, + md5WithRSAEncryption,ecdsaWithSHA256,ecdsaWithSHA384, + ecdsaWithSHA512}] +[serialNumber:] +[extension:>] +[...] + +Known extensions are: +basicConstraints:[cA],[pathLenConstraint] +keyUsage:[digitalSignature,nonRepudiation,keyEncipherment, + dataEncipherment,keyAgreement,keyCertSign,cRLSign] +extKeyUsage:[serverAuth,clientAuth,codeSigning,emailProtection + nsSGC, # Netscape Server Gated Crypto + OCSPSigning,timeStamping] +subjectAlternativeName:[,...] +authorityInformationAccess: +certificatePolicies:[,...] +nameConstraints:{permitted,excluded}:[,...] +nsCertType:sslServer +TLSFeature:[,...] +embeddedSCTList:[:,...] 
+delegationUsage: + +Where: + [] indicates an optional field or component of a field + <> indicates a required component of a field + {} indicates a choice of exactly one value among a set of values + [a,b,c] indicates a list of potential values, of which zero or more + may be used + +For instance, the version field is optional. However, if it is +specified, it must have exactly one value from the set {1,2,3,4}. + +Most fields have reasonable default values. By default one shared RSA +key is used for all signatures and subject public key information +fields. Using "issuerKey:" or +"subjectKey:" causes a different key be used for +signing or as the subject public key information field, respectively. +See pykey.py for the list of available specifications. +The signature algorithm is sha256WithRSAEncryption by default. + +The validity period may be specified as either concrete notBefore and +notAfter values or as a validity period centered around 'now'. For the +latter, this will result in a notBefore of 'now' - duration/2 and a +notAfter of 'now' + duration/2. + +Issuer and subject distinguished name specifications are of the form +'[stringEncoding]/C=XX/O=Example/CN=example.com'. C (country name), ST +(state or province name), L (locality name), O (organization name), OU +(organizational unit name), CN (common name) and emailAddress (email +address) are currently supported. The optional stringEncoding field may +be 'utf8String' or 'printableString'. If the given string does not +contain a '/', it is assumed to represent a common name. If an empty +string is provided, then an empty distinguished name is returned. +DirectoryNames also use this format. When specifying a directoryName in +a nameConstraints extension, the implicit form may not be used. + +If an extension name has '[critical]' after it, it will be marked as +critical. Otherwise (by default), it will not be marked as critical. 
+ +TLSFeature values can either consist of a named value (currently only +'OCSPMustStaple' which corresponds to status_request) or a numeric TLS +feature value (see rfc7633 for more information). + +If a serial number is not explicitly specified, it is automatically +generated based on the contents of the certificate. +""" + +import base64 +import datetime +import hashlib +import re +import socket +import sys +from struct import pack + +import pyct +import pykey +import six +from pyasn1.codec.der import decoder, encoder +from pyasn1.type import constraint, tag, univ, useful +from pyasn1_modules import rfc2459 + + +class Error(Exception): + """Base class for exceptions in this module.""" + + pass + + +class UnknownBaseError(Error): + """Base class for handling unexpected input in this module.""" + + def __init__(self, value): + super(UnknownBaseError, self).__init__() + self.value = value + self.category = "input" + + def __str__(self): + return 'Unknown %s type "%s"' % (self.category, repr(self.value)) + + +class UnknownAlgorithmTypeError(UnknownBaseError): + """Helper exception type to handle unknown algorithm types.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "algorithm" + + +class UnknownParameterTypeError(UnknownBaseError): + """Helper exception type to handle unknown input parameters.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "parameter" + + +class UnknownExtensionTypeError(UnknownBaseError): + """Helper exception type to handle unknown input extensions.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "extension" + + +class UnknownKeyPurposeTypeError(UnknownBaseError): + """Helper exception type to handle unknown key purposes.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "keyPurpose" + + +class UnknownKeyTargetError(UnknownBaseError): + """Helper exception type to handle 
unknown key targets.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "key target" + + +class UnknownVersionError(UnknownBaseError): + """Helper exception type to handle unknown specified versions.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "version" + + +class UnknownNameConstraintsSpecificationError(UnknownBaseError): + """Helper exception type to handle unknown specified + nameConstraints.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "nameConstraints specification" + + +class UnknownDNTypeError(UnknownBaseError): + """Helper exception type to handle unknown DN types.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "DN" + + +class UnknownNSCertTypeError(UnknownBaseError): + """Helper exception type to handle unknown nsCertType types.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "nsCertType" + + +class UnknownTLSFeature(UnknownBaseError): + """Helper exception type to handle unknown TLS Features.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "TLSFeature" + + +class UnknownDelegatedCredentialError(UnknownBaseError): + """Helper exception type to handle unknown Delegated Credential args.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "delegatedCredential" + + +class InvalidSCTSpecification(Error): + """Helper exception type to handle invalid SCT specifications.""" + + def __init__(self, value): + super(InvalidSCTSpecification, self).__init__() + self.value = value + + def __str__(self): + return repr('invalid SCT specification "{}"' % self.value) + + +class InvalidSerialNumber(Error): + """Exception type to handle invalid serial numbers.""" + + def __init__(self, value): + super(InvalidSerialNumber, self).__init__() + self.value = value + + def 
__str__(self): + return repr(self.value) + + +def getASN1Tag(asn1Type): + """Helper function for returning the base tag value of a given + type from the pyasn1 package""" + return asn1Type.tagSet.baseTag.tagId + + +def stringToAccessDescription(string): + """Helper function that takes a string representing a URI + presumably identifying an OCSP authority information access + location. Returns an AccessDescription usable by pyasn1.""" + accessMethod = rfc2459.id_ad_ocsp + accessLocation = rfc2459.GeneralName() + accessLocation["uniformResourceIdentifier"] = string + sequence = univ.Sequence() + sequence.setComponentByPosition(0, accessMethod) + sequence.setComponentByPosition(1, accessLocation) + return sequence + + +def stringToDN(string, tag=None): + """Takes a string representing a distinguished name or directory + name and returns a Name for use by pyasn1. See the documentation + for the issuer and subject fields for more details. Takes an + optional implicit tag in cases where the Name needs to be tagged + differently.""" + if string and "/" not in string: + string = "/CN=%s" % string + rdns = rfc2459.RDNSequence() + pattern = "/(C|ST|L|O|OU|CN|emailAddress)=" + split = re.split(pattern, string) + # split should now be [[encoding], , , , , ...] 
+ if split[0]: + encoding = split[0] + else: + encoding = "utf8String" + for pos, (nameType, value) in enumerate(zip(split[1::2], split[2::2])): + ava = rfc2459.AttributeTypeAndValue() + if nameType == "C": + ava["type"] = rfc2459.id_at_countryName + nameComponent = rfc2459.X520countryName(value) + elif nameType == "ST": + ava["type"] = rfc2459.id_at_stateOrProvinceName + nameComponent = rfc2459.X520StateOrProvinceName() + elif nameType == "L": + ava["type"] = rfc2459.id_at_localityName + nameComponent = rfc2459.X520LocalityName() + elif nameType == "O": + ava["type"] = rfc2459.id_at_organizationName + nameComponent = rfc2459.X520OrganizationName() + elif nameType == "OU": + ava["type"] = rfc2459.id_at_organizationalUnitName + nameComponent = rfc2459.X520OrganizationalUnitName() + elif nameType == "CN": + ava["type"] = rfc2459.id_at_commonName + nameComponent = rfc2459.X520CommonName() + elif nameType == "emailAddress": + ava["type"] = rfc2459.emailAddress + nameComponent = rfc2459.Pkcs9email(value) + else: + raise UnknownDNTypeError(nameType) + if not nameType == "C" and not nameType == "emailAddress": + # The value may have things like '\0' (i.e. a slash followed by + # the number zero) that have to be decoded into the resulting + # '\x00' (i.e. a byte with value zero). 
+ nameComponent[encoding] = six.ensure_binary(value).decode( + encoding="unicode_escape" + ) + ava["value"] = nameComponent + rdn = rfc2459.RelativeDistinguishedName() + rdn.setComponentByPosition(0, ava) + rdns.setComponentByPosition(pos, rdn) + if tag: + name = rfc2459.Name().subtype(implicitTag=tag) + else: + name = rfc2459.Name() + name.setComponentByPosition(0, rdns) + return name + + +def stringToAlgorithmIdentifiers(string): + """Helper function that converts a description of an algorithm + to a representation usable by the pyasn1 package and a hash + algorithm constant for use by pykey.""" + algorithmIdentifier = rfc2459.AlgorithmIdentifier() + algorithmType = None + algorithm = None + # We add Null parameters for RSA only + addParameters = False + if string == "sha1WithRSAEncryption": + algorithmType = pykey.HASH_SHA1 + algorithm = rfc2459.sha1WithRSAEncryption + addParameters = True + elif string == "sha256WithRSAEncryption": + algorithmType = pykey.HASH_SHA256 + algorithm = univ.ObjectIdentifier("1.2.840.113549.1.1.11") + addParameters = True + elif string == "md5WithRSAEncryption": + algorithmType = pykey.HASH_MD5 + algorithm = rfc2459.md5WithRSAEncryption + addParameters = True + elif string == "ecdsaWithSHA256": + algorithmType = pykey.HASH_SHA256 + algorithm = univ.ObjectIdentifier("1.2.840.10045.4.3.2") + elif string == "ecdsaWithSHA384": + algorithmType = pykey.HASH_SHA384 + algorithm = univ.ObjectIdentifier("1.2.840.10045.4.3.3") + elif string == "ecdsaWithSHA512": + algorithmType = pykey.HASH_SHA512 + algorithm = univ.ObjectIdentifier("1.2.840.10045.4.3.4") + else: + raise UnknownAlgorithmTypeError(string) + algorithmIdentifier["algorithm"] = algorithm + if addParameters: + # Directly setting parameters to univ.Null doesn't currently work. 
+ nullEncapsulated = encoder.encode(univ.Null()) + algorithmIdentifier["parameters"] = univ.Any(nullEncapsulated) + return (algorithmIdentifier, algorithmType) + + +def datetimeToTime(dt): + """Takes a datetime object and returns an rfc2459.Time object with + that time as its value as a GeneralizedTime""" + time = rfc2459.Time() + time["generalTime"] = useful.GeneralizedTime(dt.strftime("%Y%m%d%H%M%SZ")) + return time + + +def serialBytesToString(serialBytes): + """Takes a list of integers in the interval [0, 255] and returns + the corresponding serial number string.""" + serialBytesLen = len(serialBytes) + if serialBytesLen > 127: + raise InvalidSerialNumber("{} bytes is too long".format(serialBytesLen)) + # Prepend the ASN.1 INTEGER tag and length bytes. + stringBytes = [getASN1Tag(univ.Integer), serialBytesLen] + serialBytes + return bytes(stringBytes) + + +class Certificate(object): + """Utility class for reading a certificate specification and + generating a signed x509 certificate""" + + def __init__(self, paramStream): + self.versionValue = 2 # a value of 2 is X509v3 + self.signature = "sha256WithRSAEncryption" + self.issuer = "Default Issuer" + actualNow = datetime.datetime.utcnow() + self.now = datetime.datetime.strptime(str(actualNow.year), "%Y") + aYearAndAWhile = datetime.timedelta(days=400) + self.notBefore = self.now - aYearAndAWhile + self.notAfter = self.now + aYearAndAWhile + self.subject = "Default Subject" + self.extensions = None + # The serial number can be automatically generated from the + # certificate specification. We need this value to depend in + # part of what extensions are present. self.extensions are + # pyasn1 objects. Depending on the string representation of + # these objects can cause the resulting serial number to change + # unexpectedly, so instead we depend on the original string + # representation of the extensions as specified. 
+ self.extensionLines = None + self.savedEmbeddedSCTListData = None + self.subjectKey = pykey.keyFromSpecification("default") + self.issuerKey = pykey.keyFromSpecification("default") + self.serialNumber = None + self.decodeParams(paramStream) + # If a serial number wasn't specified, generate one based on + # the certificate contents. + if not self.serialNumber: + self.serialNumber = self.generateSerialNumber() + # This has to be last because the SCT signature depends on the + # contents of the certificate. + if self.savedEmbeddedSCTListData: + self.addEmbeddedSCTListData() + + def generateSerialNumber(self): + """Generates a serial number for this certificate based on its + contents. Intended to be reproducible for compatibility with + the build system on OS X (see the comment above main, later in + this file).""" + hasher = hashlib.sha256() + hasher.update(six.ensure_binary(str(self.versionValue))) + hasher.update(six.ensure_binary(self.signature)) + hasher.update(six.ensure_binary(self.issuer)) + hasher.update(six.ensure_binary(str(self.notBefore))) + hasher.update(six.ensure_binary(str(self.notAfter))) + hasher.update(six.ensure_binary(self.subject)) + if self.extensionLines: + for extensionLine in self.extensionLines: + hasher.update(six.ensure_binary(extensionLine)) + if self.savedEmbeddedSCTListData: + # savedEmbeddedSCTListData is + # (embeddedSCTListSpecification, critical), where |critical| + # may be None + hasher.update(six.ensure_binary(self.savedEmbeddedSCTListData[0])) + if self.savedEmbeddedSCTListData[1]: + hasher.update(six.ensure_binary(self.savedEmbeddedSCTListData[1])) + serialBytes = [c for c in hasher.digest()[:20]] + # Ensure that the most significant bit isn't set (which would + # indicate a negative number, which isn't valid for serial + # numbers). + serialBytes[0] &= 0x7F + # Also ensure that the least significant bit on the most + # significant byte is set (to prevent a leading zero byte, + # which also wouldn't be valid). 
+ serialBytes[0] |= 0x01 + return serialBytesToString(serialBytes) + + def decodeParams(self, paramStream): + for line in paramStream.readlines(): + self.decodeParam(line.strip()) + + def decodeParam(self, line): + param = line.split(":")[0] + value = ":".join(line.split(":")[1:]) + if param == "version": + self.setVersion(value) + elif param == "subject": + self.subject = value + elif param == "issuer": + self.issuer = value + elif param == "validity": + self.decodeValidity(value) + elif param == "extension": + self.decodeExtension(value) + elif param == "issuerKey": + self.setupKey("issuer", value) + elif param == "subjectKey": + self.setupKey("subject", value) + elif param == "signature": + self.signature = value + elif param == "serialNumber": + serialNumber = int(value) + # Ensure only serial numbers that conform to the rules listed in + # generateSerialNumber() are permitted. + if serialNumber < 1 or serialNumber > 127: + raise InvalidSerialNumber(value) + self.serialNumber = serialBytesToString([serialNumber]) + else: + raise UnknownParameterTypeError(param) + + def setVersion(self, version): + intVersion = int(version) + if intVersion >= 1 and intVersion <= 4: + self.versionValue = intVersion - 1 + else: + raise UnknownVersionError(version) + + def decodeValidity(self, duration): + match = re.search("([0-9]{8})-([0-9]{8})", duration) + if match: + self.notBefore = datetime.datetime.strptime(match.group(1), "%Y%m%d") + self.notAfter = datetime.datetime.strptime(match.group(2), "%Y%m%d") + else: + delta = datetime.timedelta(days=(int(duration) / 2)) + self.notBefore = self.now - delta + self.notAfter = self.now + delta + + def decodeExtension(self, extension): + match = re.search(r"([a-zA-Z]+)(\[critical\])?:(.*)", extension) + if not match: + raise UnknownExtensionTypeError(extension) + extensionType = match.group(1) + critical = match.group(2) + value = match.group(3) + if extensionType == "basicConstraints": + self.addBasicConstraints(value, critical) + 
elif extensionType == "keyUsage": + self.addKeyUsage(value, critical) + elif extensionType == "extKeyUsage": + self.addExtKeyUsage(value, critical) + elif extensionType == "subjectAlternativeName": + self.addSubjectAlternativeName(value, critical) + elif extensionType == "authorityInformationAccess": + self.addAuthorityInformationAccess(value, critical) + elif extensionType == "certificatePolicies": + self.addCertificatePolicies(value, critical) + elif extensionType == "nameConstraints": + self.addNameConstraints(value, critical) + elif extensionType == "nsCertType": + self.addNSCertType(value, critical) + elif extensionType == "TLSFeature": + self.addTLSFeature(value, critical) + elif extensionType == "embeddedSCTList": + self.savedEmbeddedSCTListData = (value, critical) + elif extensionType == "delegationUsage": + self.addDelegationUsage(critical) + else: + raise UnknownExtensionTypeError(extensionType) + + if extensionType != "embeddedSCTList": + if not self.extensionLines: + self.extensionLines = [] + self.extensionLines.append(extension) + + def setupKey(self, subjectOrIssuer, value): + if subjectOrIssuer == "subject": + self.subjectKey = pykey.keyFromSpecification(value) + elif subjectOrIssuer == "issuer": + self.issuerKey = pykey.keyFromSpecification(value) + else: + raise UnknownKeyTargetError(subjectOrIssuer) + + def addExtension(self, extensionType, extensionValue, critical): + if not self.extensions: + self.extensions = [] + encapsulated = univ.OctetString(encoder.encode(extensionValue)) + extension = rfc2459.Extension() + extension["extnID"] = extensionType + # critical is either the string '[critical]' or None. + # We only care whether or not it is truthy. 
+ if critical: + extension["critical"] = True + extension["extnValue"] = encapsulated + self.extensions.append(extension) + + def addBasicConstraints(self, basicConstraints, critical): + cA = basicConstraints.split(",")[0] + pathLenConstraint = basicConstraints.split(",")[1] + basicConstraintsExtension = rfc2459.BasicConstraints() + basicConstraintsExtension["cA"] = cA == "cA" + if pathLenConstraint: + pathLenConstraintValue = univ.Integer(int(pathLenConstraint)).subtype( + subtypeSpec=constraint.ValueRangeConstraint(0, float("inf")) + ) + basicConstraintsExtension["pathLenConstraint"] = pathLenConstraintValue + self.addExtension( + rfc2459.id_ce_basicConstraints, basicConstraintsExtension, critical + ) + + def addKeyUsage(self, keyUsage, critical): + keyUsageExtension = rfc2459.KeyUsage(keyUsage) + self.addExtension(rfc2459.id_ce_keyUsage, keyUsageExtension, critical) + + def keyPurposeToOID(self, keyPurpose): + if keyPurpose == "serverAuth": + return rfc2459.id_kp_serverAuth + if keyPurpose == "clientAuth": + return rfc2459.id_kp_clientAuth + if keyPurpose == "codeSigning": + return rfc2459.id_kp_codeSigning + if keyPurpose == "emailProtection": + return rfc2459.id_kp_emailProtection + if keyPurpose == "nsSGC": + return univ.ObjectIdentifier("2.16.840.1.113730.4.1") + if keyPurpose == "OCSPSigning": + return univ.ObjectIdentifier("1.3.6.1.5.5.7.3.9") + if keyPurpose == "timeStamping": + return rfc2459.id_kp_timeStamping + raise UnknownKeyPurposeTypeError(keyPurpose) + + def addExtKeyUsage(self, extKeyUsage, critical): + extKeyUsageExtension = rfc2459.ExtKeyUsageSyntax() + for count, keyPurpose in enumerate(extKeyUsage.split(",")): + extKeyUsageExtension.setComponentByPosition( + count, self.keyPurposeToOID(keyPurpose) + ) + self.addExtension(rfc2459.id_ce_extKeyUsage, extKeyUsageExtension, critical) + + def addSubjectAlternativeName(self, names, critical): + IPV4_PREFIX = "ip4:" + + subjectAlternativeName = rfc2459.SubjectAltName() + for count, name in 
enumerate(names.split(",")): + generalName = rfc2459.GeneralName() + if "/" in name: + directoryName = stringToDN( + name, tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4) + ) + generalName["directoryName"] = directoryName + elif "@" in name: + generalName["rfc822Name"] = name + elif name.startswith(IPV4_PREFIX): + generalName["iPAddress"] = socket.inet_pton( + socket.AF_INET, name[len(IPV4_PREFIX) :] + ) + else: + # The string may have things like '\0' (i.e. a slash + # followed by the number zero) that have to be decoded into + # the resulting '\x00' (i.e. a byte with value zero). + generalName["dNSName"] = six.ensure_binary(name).decode( + "unicode_escape" + ) + subjectAlternativeName.setComponentByPosition(count, generalName) + self.addExtension( + rfc2459.id_ce_subjectAltName, subjectAlternativeName, critical + ) + + def addAuthorityInformationAccess(self, ocspURI, critical): + sequence = univ.Sequence() + accessDescription = stringToAccessDescription(ocspURI) + sequence.setComponentByPosition(0, accessDescription) + self.addExtension(rfc2459.id_pe_authorityInfoAccess, sequence, critical) + + def addCertificatePolicies(self, policyOIDs, critical): + policies = rfc2459.CertificatePolicies() + for pos, policyOID in enumerate(policyOIDs.split(",")): + if policyOID == "any": + policyOID = "2.5.29.32.0" + policy = rfc2459.PolicyInformation() + policyIdentifier = rfc2459.CertPolicyId(policyOID) + policy["policyIdentifier"] = policyIdentifier + policies.setComponentByPosition(pos, policy) + self.addExtension(rfc2459.id_ce_certificatePolicies, policies, critical) + + def addNameConstraints(self, constraints, critical): + nameConstraints = rfc2459.NameConstraints() + if constraints.startswith("permitted:"): + (subtreesType, subtreesTag) = ("permittedSubtrees", 0) + elif constraints.startswith("excluded:"): + (subtreesType, subtreesTag) = ("excludedSubtrees", 1) + else: + raise UnknownNameConstraintsSpecificationError(constraints) + generalSubtrees = 
rfc2459.GeneralSubtrees().subtype( + implicitTag=tag.Tag( + tag.tagClassContext, tag.tagFormatConstructed, subtreesTag + ) + ) + subtrees = constraints[(constraints.find(":") + 1) :] + for pos, name in enumerate(subtrees.split(",")): + generalName = rfc2459.GeneralName() + if "/" in name: + directoryName = stringToDN( + name, tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4) + ) + generalName["directoryName"] = directoryName + else: + generalName["dNSName"] = name + generalSubtree = rfc2459.GeneralSubtree() + generalSubtree["base"] = generalName + generalSubtrees.setComponentByPosition(pos, generalSubtree) + nameConstraints[subtreesType] = generalSubtrees + self.addExtension(rfc2459.id_ce_nameConstraints, nameConstraints, critical) + + def addNSCertType(self, certType, critical): + if certType != "sslServer": + raise UnknownNSCertTypeError(certType) + self.addExtension( + univ.ObjectIdentifier("2.16.840.1.113730.1.1"), + univ.BitString("'01'B"), + critical, + ) + + def addDelegationUsage(self, critical): + if critical: + raise UnknownDelegatedCredentialError(critical) + self.addExtension( + univ.ObjectIdentifier("1.3.6.1.4.1.44363.44"), univ.Null(), critical + ) + + def addTLSFeature(self, features, critical): + namedFeatures = {"OCSPMustStaple": 5} + featureList = [f.strip() for f in features.split(",")] + sequence = univ.Sequence() + for pos, feature in enumerate(featureList): + featureValue = 0 + try: + featureValue = int(feature) + except ValueError: + try: + featureValue = namedFeatures[feature] + except Exception: + raise UnknownTLSFeature(feature) + sequence.setComponentByPosition(pos, univ.Integer(featureValue)) + self.addExtension( + univ.ObjectIdentifier("1.3.6.1.5.5.7.1.24"), sequence, critical + ) + + def addEmbeddedSCTListData(self): + (scts, critical) = self.savedEmbeddedSCTListData + encodedSCTs = [] + for sctSpec in scts.split(","): + match = re.search(r"(\w+):(\d{8})", sctSpec) + if not match: + raise InvalidSCTSpecification(sctSpec) + keySpec = 
match.group(1) + key = pykey.keyFromSpecification(keySpec) + time = datetime.datetime.strptime(match.group(2), "%Y%m%d") + tbsCertificate = self.getTBSCertificate() + tbsDER = encoder.encode(tbsCertificate) + sct = pyct.SCT(key, time, tbsDER, self.issuerKey) + signed = sct.signAndEncode() + lengthPrefix = pack("!H", len(signed)) + encodedSCTs.append(lengthPrefix + signed) + encodedSCTBytes = b"".join(encodedSCTs) + lengthPrefix = pack("!H", len(encodedSCTBytes)) + extensionBytes = lengthPrefix + encodedSCTBytes + self.addExtension( + univ.ObjectIdentifier("1.3.6.1.4.1.11129.2.4.2"), + univ.OctetString(extensionBytes), + critical, + ) + + def getVersion(self): + return rfc2459.Version(self.versionValue).subtype( + explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0) + ) + + def getSerialNumber(self): + return decoder.decode(self.serialNumber)[0] + + def getIssuer(self): + return stringToDN(self.issuer) + + def getValidity(self): + validity = rfc2459.Validity() + validity["notBefore"] = self.getNotBefore() + validity["notAfter"] = self.getNotAfter() + return validity + + def getNotBefore(self): + return datetimeToTime(self.notBefore) + + def getNotAfter(self): + return datetimeToTime(self.notAfter) + + def getSubject(self): + return stringToDN(self.subject) + + def getTBSCertificate(self): + (signatureOID, _) = stringToAlgorithmIdentifiers(self.signature) + tbsCertificate = rfc2459.TBSCertificate() + tbsCertificate["version"] = self.getVersion() + tbsCertificate["serialNumber"] = self.getSerialNumber() + tbsCertificate["signature"] = signatureOID + tbsCertificate["issuer"] = self.getIssuer() + tbsCertificate["validity"] = self.getValidity() + tbsCertificate["subject"] = self.getSubject() + tbsCertificate[ + "subjectPublicKeyInfo" + ] = self.subjectKey.asSubjectPublicKeyInfo() + if self.extensions: + extensions = rfc2459.Extensions().subtype( + explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3) + ) + for count, extension in 
enumerate(self.extensions): + extensions.setComponentByPosition(count, extension) + tbsCertificate["extensions"] = extensions + return tbsCertificate + + def toDER(self): + (signatureOID, hashAlgorithm) = stringToAlgorithmIdentifiers(self.signature) + certificate = rfc2459.Certificate() + tbsCertificate = self.getTBSCertificate() + certificate["tbsCertificate"] = tbsCertificate + certificate["signatureAlgorithm"] = signatureOID + tbsDER = encoder.encode(tbsCertificate) + certificate["signatureValue"] = self.issuerKey.sign(tbsDER, hashAlgorithm) + return encoder.encode(certificate) + + def toPEM(self): + output = "-----BEGIN CERTIFICATE-----" + der = self.toDER() + b64 = six.ensure_text(base64.b64encode(der)) + while b64: + output += "\n" + b64[:64] + b64 = b64[64:] + output += "\n-----END CERTIFICATE-----" + return output + + +# The build harness will call this function with an output +# file-like object and a path to a file containing a +# specification. This will read the specification and output +# the certificate as PEM. +# This utility tries as hard as possible to ensure that two +# runs with the same input will have the same output. This is +# particularly important when building on OS X, where we +# generate everything twice for unified builds. During the +# unification step, if any pair of input files differ, the build +# system throws an error. +# The one concrete failure mode is if one run happens before +# midnight on New Year's Eve and the next run happens after +# midnight. +def main(output, inputPath): + with open(inputPath) as configStream: + output.write(Certificate(configStream).toPEM() + "\n") + + +# When run as a standalone program, this will read a specification from +# stdin and output the certificate as PEM to stdout. +if __name__ == "__main__": + print(Certificate(sys.stdin).toPEM()) diff --git a/security/manager/tools/pycms.py b/security/manager/tools/pycms.py new file mode 100755 index 0000000000..1717513fdf --- /dev/null 
+++ b/security/manager/tools/pycms.py 
@@ -0,0 +1,219 @@ +#!/usr/bin/env python +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +""" +Reads a specification from stdin and outputs a PKCS7 (CMS) message with +the desired properties. + +The specification format is as follows: + +sha1: +sha256: +signer: + + +Eith or both of sha1 and sha256 may be specified. The value of +each hash directive is what will be put in the messageDigest +attribute of the SignerInfo that corresponds to the signature +algorithm defined by the hash algorithm and key type of the +default key. Together, these comprise the signerInfos field of +the SignedData. If neither hash is specified, the signerInfos +will be an empty SET (i.e. there will be no actual signature +information). +The certificate specification must come last. +""" + +import base64 +import sys +from io import StringIO + +import pycert +import pykey +from pyasn1.codec.der import decoder, encoder +from pyasn1.type import tag, univ +from pyasn1_modules import rfc2315, rfc2459 + + +class Error(Exception): + """Base class for exceptions in this module.""" + + pass + + +class UnknownDirectiveError(Error): + """Helper exception type to handle unknown specification + directives.""" + + def __init__(self, directive): + super(UnknownDirectiveError, self).__init__() + self.directive = directive + + def __str__(self): + return "Unknown directive %s" % repr(self.directive) + + +class CMS(object): + """Utility class for reading a CMS specification and + generating a CMS message""" + + def __init__(self, paramStream): + self.sha1 = "" + self.sha256 = "" + signerSpecification = StringIO() + readingSignerSpecification = False + for line in paramStream.readlines(): + if readingSignerSpecification: + print(line.strip(), file=signerSpecification) + elif line.strip() == "signer:": + readingSignerSpecification = True + elif 
line.startswith("sha1:"): + self.sha1 = line.strip()[len("sha1:") :] + elif line.startswith("sha256:"): + self.sha256 = line.strip()[len("sha256:") :] + else: + raise UnknownDirectiveError(line.strip()) + signerSpecification.seek(0) + self.signer = pycert.Certificate(signerSpecification) + self.signingKey = pykey.keyFromSpecification("default") + + def buildAuthenticatedAttributes(self, value, implicitTag=None): + """Utility function to build a pyasn1 AuthenticatedAttributes + object. Useful because when building a SignerInfo, the + authenticatedAttributes needs to be tagged implicitly, but when + signing an AuthenticatedAttributes, it needs the explicit SET + tag.""" + if implicitTag: + authenticatedAttributes = rfc2315.Attributes().subtype( + implicitTag=implicitTag + ) + else: + authenticatedAttributes = rfc2315.Attributes() + contentTypeAttribute = rfc2315.Attribute() + # PKCS#9 contentType + contentTypeAttribute["type"] = univ.ObjectIdentifier("1.2.840.113549.1.9.3") + contentTypeAttribute["values"] = univ.SetOf(rfc2459.AttributeValue()) + # PKCS#7 data + contentTypeAttribute["values"][0] = univ.ObjectIdentifier( + "1.2.840.113549.1.7.1" + ) + authenticatedAttributes[0] = contentTypeAttribute + hashAttribute = rfc2315.Attribute() + # PKCS#9 messageDigest + hashAttribute["type"] = univ.ObjectIdentifier("1.2.840.113549.1.9.4") + hashAttribute["values"] = univ.SetOf(rfc2459.AttributeValue()) + hashAttribute["values"][0] = univ.OctetString(hexValue=value) + authenticatedAttributes[1] = hashAttribute + return authenticatedAttributes + + def pykeyHashToDigestAlgorithm(self, pykeyHash): + """Given a pykey hash algorithm identifier, builds an + AlgorithmIdentifier for use with pyasn1.""" + if pykeyHash == pykey.HASH_SHA1: + oidString = "1.3.14.3.2.26" + elif pykeyHash == pykey.HASH_SHA256: + oidString = "2.16.840.1.101.3.4.2.1" + else: + raise pykey.UnknownHashAlgorithmError(pykeyHash) + algorithmIdentifier = rfc2459.AlgorithmIdentifier() + 
algorithmIdentifier["algorithm"] = univ.ObjectIdentifier(oidString) + # Directly setting parameters to univ.Null doesn't currently work. + nullEncapsulated = encoder.encode(univ.Null()) + algorithmIdentifier["parameters"] = univ.Any(nullEncapsulated) + return algorithmIdentifier + + def buildSignerInfo(self, certificate, pykeyHash, digestValue): + """Given a pyasn1 certificate, a pykey hash identifier + and a hash value, creates a SignerInfo with the + appropriate values.""" + signerInfo = rfc2315.SignerInfo() + signerInfo["version"] = 1 + issuerAndSerialNumber = rfc2315.IssuerAndSerialNumber() + issuerAndSerialNumber["issuer"] = self.signer.getIssuer() + issuerAndSerialNumber["serialNumber"] = certificate["tbsCertificate"][ + "serialNumber" + ] + signerInfo["issuerAndSerialNumber"] = issuerAndSerialNumber + signerInfo["digestAlgorithm"] = self.pykeyHashToDigestAlgorithm(pykeyHash) + rsa = rfc2459.AlgorithmIdentifier() + rsa["algorithm"] = rfc2459.rsaEncryption + rsa["parameters"] = univ.Null() + authenticatedAttributes = self.buildAuthenticatedAttributes( + digestValue, + implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0), + ) + authenticatedAttributesTBS = self.buildAuthenticatedAttributes(digestValue) + signerInfo["authenticatedAttributes"] = authenticatedAttributes + signerInfo["digestEncryptionAlgorithm"] = rsa + authenticatedAttributesEncoded = encoder.encode(authenticatedAttributesTBS) + signature = self.signingKey.sign(authenticatedAttributesEncoded, pykeyHash) + # signature will be a hexified bit string of the form + # "''H". For some reason that's what BitString wants, + # but since this is an OCTET STRING, we have to strip off the + # quotation marks and trailing "H". 
+ signerInfo["encryptedDigest"] = univ.OctetString(hexValue=signature[1:-2]) + return signerInfo + + def toDER(self): + contentInfo = rfc2315.ContentInfo() + contentInfo["contentType"] = rfc2315.signedData + + signedData = rfc2315.SignedData() + signedData["version"] = rfc2315.Version(1) + + digestAlgorithms = rfc2315.DigestAlgorithmIdentifiers() + digestAlgorithms[0] = self.pykeyHashToDigestAlgorithm(pykey.HASH_SHA1) + signedData["digestAlgorithms"] = digestAlgorithms + + dataContentInfo = rfc2315.ContentInfo() + dataContentInfo["contentType"] = rfc2315.data + signedData["contentInfo"] = dataContentInfo + + certificates = rfc2315.ExtendedCertificatesAndCertificates().subtype( + implicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0) + ) + extendedCertificateOrCertificate = rfc2315.ExtendedCertificateOrCertificate() + certificate = decoder.decode( + self.signer.toDER(), asn1Spec=rfc2459.Certificate() + )[0] + extendedCertificateOrCertificate["certificate"] = certificate + certificates[0] = extendedCertificateOrCertificate + signedData["certificates"] = certificates + + signerInfos = rfc2315.SignerInfos() + + if len(self.sha1) > 0: + signerInfos[len(signerInfos)] = self.buildSignerInfo( + certificate, pykey.HASH_SHA1, self.sha1 + ) + if len(self.sha256) > 0: + signerInfos[len(signerInfos)] = self.buildSignerInfo( + certificate, pykey.HASH_SHA256, self.sha256 + ) + signedData["signerInfos"] = signerInfos + + encoded = encoder.encode(signedData) + anyTag = univ.Any(encoded).subtype( + explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0) + ) + + contentInfo["content"] = anyTag + return encoder.encode(contentInfo) + + def toPEM(self): + output = "-----BEGIN PKCS7-----" + der = self.toDER() + b64 = base64.b64encode(der) + while b64: + output += "\n" + b64[:64] + b64 = b64[64:] + output += "\n-----END PKCS7-----\n" + return output + + +# When run as a standalone program, this will read a specification from +# stdin and output the certificate 
as PEM to stdout.
+if __name__ == "__main__":
+ print(CMS(sys.stdin).toPEM())
diff --git a/security/manager/tools/pyct.py b/security/manager/tools/pyct.py
new file mode 100644
index 0000000000..8f9d61b72b
--- /dev/null
+++ b/security/manager/tools/pyct.py
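Review bot: `CMS.toPEM` concatenates `str` with `bytes`: `base64.b64encode(der)` returns bytes, so `output += "\n" + b64[:64]` raises TypeError on Python 3, which this file otherwise requires (`print(..., file=signerSpecification)`, `io.StringIO`). Decode before the loop, as `Certificate.toPEM` in pycert.py does with `six.ensure_text`: `b64 = base64.b64encode(der).decode("ascii")`. Separately, `toDER` always lists only SHA-1 in `digestAlgorithms`, even when a `sha256:` SignerInfo is added; if that mismatch is deliberate for the tests, a comment saying so would help. The module docstring's "Eith or both" should read "Either or both".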
@@ -0,0 +1,103 @@ +#!/usr/bin/env python +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +""" +Helper library for creating a Signed Certificate Timestamp given the +details of a signing key, when to sign, and the certificate data to +sign. Currently only supports precert_entry types. See RFC 6962. +""" + +import binascii +import calendar +import hashlib +from struct import pack + +import pykey +from pyasn1.codec.der import encoder + + +class InvalidKeyError(Exception): + """Helper exception to handle unknown key types.""" + + def __init__(self, key): + self.key = key + + def __str__(self): + return 'Invalid key: "%s"' % str(self.key) + + +class SCT(object): + """SCT represents a Signed Certificate Timestamp.""" + + def __init__(self, key, date, tbsCertificate, issuerKey): + self.key = key + self.timestamp = calendar.timegm(date.timetuple()) * 1000 + self.tbsCertificate = tbsCertificate + self.issuerKey = issuerKey + + def signAndEncode(self): + """Returns a signed and encoded representation of the SCT as a + string.""" + # The signature is over the following data: + # sct_version (one 0 byte) + # signature_type (one 0 byte) + # timestamp (8 bytes, milliseconds since the epoch) + # entry_type (two bytes [0, 1] - currently only precert_entry is + # supported) + # signed_entry (bytes of PreCert) + # extensions (2-byte-length-prefixed, currently empty (so two 0 + # bytes)) + # A PreCert is: + # issuer_key_hash (32 bytes of SHA-256 hash of the issuing + # public key, as DER-encoded SPKI) + # tbs_certificate (3-byte-length-prefixed data) + timestamp = pack("!Q", self.timestamp) + hasher = hashlib.sha256() + hasher.update(encoder.encode(self.issuerKey.asSubjectPublicKeyInfo())) + issuer_key_hash = hasher.digest() + len_prefix = pack("!L", len(self.tbsCertificate))[1:] + data = ( + b"\0\0" + + timestamp + + b"\0\1" + 
+ issuer_key_hash + + len_prefix + + self.tbsCertificate + + b"\0\0" + ) + if isinstance(self.key, pykey.ECCKey): + signatureByte = b"\3" + elif isinstance(self.key, pykey.RSAKey): + signatureByte = b"\1" + else: + raise InvalidKeyError(self.key) + # sign returns a hex string like "''H", but we want + # bytes here + hexSignature = self.key.sign(data, pykey.HASH_SHA256) + signature = binascii.unhexlify(hexSignature[1:-2]) + # The actual data returned is the following: + # sct_version (one 0 byte) + # id (32 bytes of SHA-256 hash of the signing key, as + # DER-encoded SPKI) + # timestamp (8 bytes, milliseconds since the epoch) + # extensions (2-byte-length-prefixed data, currently + # empty) + # hash (one 4 byte representing sha256) + # signature (one byte - 1 for RSA and 3 for ECDSA) + # signature (2-byte-length-prefixed data) + hasher = hashlib.sha256() + hasher.update(encoder.encode(self.key.asSubjectPublicKeyInfo())) + key_id = hasher.digest() + signature_len_prefix = pack("!H", len(signature)) + return ( + b"\0" + + key_id + + timestamp + + b"\0\0\4" + + signatureByte + + signature_len_prefix + + signature + ) diff --git a/security/manager/tools/pykey.py b/security/manager/tools/pykey.py new file mode 100755 index 0000000000..3f08c341de --- /dev/null +++ b/security/manager/tools/pykey.py 
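Review bot: In `SCT.signAndEncode`, `len_prefix = pack("!L", len(self.tbsCertificate))[1:]` silently drops the top byte of the length, so a `tbsCertificate` of 2^24 bytes or more would be signed with a wrong 3-byte length prefix instead of failing. A guard just before that line keeps the framing honest: `if len(self.tbsCertificate) >= 1 << 24: raise ValueError("tbsCertificate too long for a 3-byte length prefix")`. The docstring also says the method returns "a string", but the value is assembled from `b"..."` literals, `pack` and `unhexlify` output, so it should say `bytes`.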
@@ -0,0 +1,959 @@ +#!/usr/bin/env python +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +""" +Reads a key specification from stdin or a file and outputs a +PKCS #8 file representing the (private) key. Also provides +methods for signing data and representing the key as a subject +public key info for use with pyasn1. + +The key specification format is as follows: + +default: a 2048-bit RSA key +alternate: a different 2048-bit RSA key +ev: a 2048-bit RSA key that, when combined with the right pycert + specification, results in a certificate that is enabled for + extended validation in debug Firefox (see ExtendedValidation.cpp). +evRSA2040: a 2040-bit RSA key that, when combined with the right pycert + specification, results in a certificate that is enabled for + extended validation in debug Firefox. +rsa2040: a 2040-bit RSA key +rsa1024: a 1024-bit RSA key +rsa1016: a 1016-bit RSA key +secp256k1: an ECC key on the curve secp256k1 +secp244r1: an ECC key on the curve secp244r1 +secp256r1: an ECC key on the curve secp256r1 +secp384r1: an ECC key on the curve secp384r1 +secp521r1: an ECC key on the curve secp521r1 +""" + +import base64 +import binascii +import hashlib +import math +import sys + +import ecdsa +import rsa +import six +from pyasn1.codec.der import encoder +from pyasn1.type import namedtype, tag, univ +from pyasn1_modules import rfc2459 + +# "constants" to make it easier for consumers to specify hash algorithms +HASH_MD5 = "hash:md5" +HASH_SHA1 = "hash:sha1" +HASH_SHA256 = "hash:sha256" +HASH_SHA384 = "hash:sha384" +HASH_SHA512 = "hash:sha512" + + +# NOTE: With bug 1621441 we migrated from one library for ecdsa to another. +# These libraries differ somewhat in terms of functionality and interface. 
In +# order to ensure there are no diffs and that the generated signatures are +# exactly the same between the two libraries, we need to patch some stuff in. + + +def _gen_k(curve): + # This calculation is arbitrary, but it matches what we were doing pre- + # bug 1621441 (see the above NOTE). Crucially, this generation of k is + # non-random; the ecdsa library exposes an option to deterministically + # generate a value of k for us, but it doesn't match up to what we were + # doing before so we have to inject a custom value. + num_bytes = int(math.log(curve.order - 1, 2) + 1) // 8 + 8 + entropy = int.from_bytes(b"\04" * num_bytes, byteorder="big") + p = curve.curve.p() + return (entropy % (p - 1)) + 1 + + +# As above, the library has built-in logic for truncating digests that are too +# large, but they use a slightly different technique than our previous library. +# Re-implement that logic here. +def _truncate_digest(digest, curve): + i = int.from_bytes(digest, byteorder="big") + p = curve.curve.p() + while i > p: + i >>= 1 + return i.to_bytes(math.ceil(i.bit_length() / 8), byteorder="big") + + +def byteStringToHexifiedBitString(string): + """Takes a string of bytes and returns a hex string representing + those bytes for use with pyasn1.type.univ.BitString. 
It must be of + the form "''H", where the trailing 'H' indicates to + pyasn1 that the input is a hex string.""" + return "'%s'H" % six.ensure_binary(string).hex() + + +class UnknownBaseError(Exception): + """Base class for handling unexpected input in this module.""" + + def __init__(self, value): + super(UnknownBaseError, self).__init__() + self.value = value + self.category = "input" + + def __str__(self): + return 'Unknown %s type "%s"' % (self.category, repr(self.value)) + + +class UnknownKeySpecificationError(UnknownBaseError): + """Helper exception type to handle unknown key specifications.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "key specification" + + +class UnknownHashAlgorithmError(UnknownBaseError): + """Helper exception type to handle unknown key specifications.""" + + def __init__(self, value): + UnknownBaseError.__init__(self, value) + self.category = "hash algorithm" + + +class UnsupportedHashAlgorithmError(Exception): + """Helper exception type for unsupported hash algorithms.""" + + def __init__(self, value): + super(UnsupportedHashAlgorithmError, self).__init__() + self.value = value + + def __str__(self): + return 'Unsupported hash algorithm "%s"' % repr(self.value) + + +class RSAPublicKey(univ.Sequence): + """Helper type for encoding an RSA public key""" + + componentType = namedtype.NamedTypes( + namedtype.NamedType("N", univ.Integer()), + namedtype.NamedType("E", univ.Integer()), + ) + + +class RSAPrivateKey(univ.Sequence): + """Helper type for encoding an RSA private key""" + + componentType = namedtype.NamedTypes( + namedtype.NamedType("version", univ.Integer()), + namedtype.NamedType("modulus", univ.Integer()), + namedtype.NamedType("publicExponent", univ.Integer()), + namedtype.NamedType("privateExponent", univ.Integer()), + namedtype.NamedType("prime1", univ.Integer()), + namedtype.NamedType("prime2", univ.Integer()), + namedtype.NamedType("exponent1", univ.Integer()), + 
namedtype.NamedType("exponent2", univ.Integer()), + namedtype.NamedType("coefficient", univ.Integer()), + ) + + +class ECPrivateKey(univ.Sequence): + """Helper type for encoding an EC private key + ECPrivateKey ::= SEQUENCE { + version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), + privateKey OCTET STRING, + parameters [0] ECParameters {{ NamedCurve }} OPTIONAL, + (NOTE: parameters field is not supported) + publicKey [1] BIT STRING OPTIONAL + }""" + + componentType = namedtype.NamedTypes( + namedtype.NamedType("version", univ.Integer()), + namedtype.NamedType("privateKey", univ.OctetString()), + namedtype.OptionalNamedType( + "publicKey", + univ.BitString().subtype( + explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1) + ), + ), + ) + + +class ECPoint(univ.Sequence): + """Helper type for encoding a EC point""" + + componentType = namedtype.NamedTypes( + namedtype.NamedType("x", univ.Integer()), + namedtype.NamedType("y", univ.Integer()), + ) + + +class PrivateKeyInfo(univ.Sequence): + """Helper type for encoding a PKCS #8 private key info""" + + componentType = namedtype.NamedTypes( + namedtype.NamedType("version", univ.Integer()), + namedtype.NamedType("privateKeyAlgorithm", rfc2459.AlgorithmIdentifier()), + namedtype.NamedType("privateKey", univ.OctetString()), + ) + + +class RSAKey(object): + # For reference, when encoded as a subject public key info, the + # base64-encoded sha-256 hash of this key is + # VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8= + sharedRSA_N = int( + "00ba8851a8448e16d641fd6eb6880636103d3c13d9eae4354ab4ecf56857" + "6c247bc1c725a8e0d81fbdb19c069b6e1a86f26be2af5a756b6a6471087a" + "a55aa74587f71cd5249c027ecd43fc1e69d038202993ab20c349e4dbb94c" + "c26b6c0eed15820ff17ead691ab1d3023a8b2a41eea770e00f0d8dfd660b" + "2bb02492a47db988617990b157903dd23bc5e0b8481fa837d38843ef2716" + "d855b7665aaa7e02902f3a7b10800624cc1c6c97ad96615bb7e29612c075" + "31a30c91ddb4caf7fcad1d25d309efb9170ea768e1b37b2f226f69e3b48a" + 
"95611dee26d6259dab91084e36cb1c24042cbf168b2fe5f18f991731b8b3" + "fe4923fa7251c431d503acda180a35ed8d", + 16, + ) + sharedRSA_E = 65537 + sharedRSA_D = int( + "009ecbce3861a454ecb1e0fe8f85dd43c92f5825ce2e997884d0e1a949da" + "a2c5ac559b240450e5ac9fe0c3e31c0eefa6525a65f0c22194004ee1ab46" + "3dde9ee82287cc93e746a91929c5e6ac3d88753f6c25ba5979e73e5d8fb2" + "39111a3cdab8a4b0cdf5f9cab05f1233a38335c64b5560525e7e3b92ad7c" + "7504cf1dc7cb005788afcbe1e8f95df7402a151530d5808346864eb370aa" + "79956a587862cb533791307f70d91c96d22d001a69009b923c683388c9f3" + "6cb9b5ebe64302041c78d908206b87009cb8cabacad3dbdb2792fb911b2c" + "f4db6603585be9ae0ca3b8e6417aa04b06e470ea1a3b581ca03a6781c931" + "5b62b30e6011f224725946eec57c6d9441", + 16, + ) + sharedRSA_P = int( + "00dd6e1d4fffebf68d889c4d114cdaaa9caa63a59374286c8a5c29a717bb" + "a60375644d5caa674c4b8bc7326358646220e4550d7608ac27d55b6db74f" + "8d8127ef8fa09098b69147de065573447e183d22fe7d885aceb513d9581d" + "d5e07c1a90f5ce0879de131371ecefc9ce72e9c43dc127d238190de81177" + "3ca5d19301f48c742b", + 16, + ) + sharedRSA_Q = int( + "00d7a773d9ebc380a767d2fec0934ad4e8b5667240771acdebb5ad796f47" + "8fec4d45985efbc9532968289c8d89102fadf21f34e2dd4940eba8c09d6d" + "1f16dcc29729774c43275e9251ddbe4909e1fd3bf1e4bedf46a39b8b3833" + "28ef4ae3b95b92f2070af26c9e7c5c9b587fedde05e8e7d86ca57886fb16" + "5810a77b9845bc3127", + 16, + ) + sharedRSA_exp1 = int( + "0096472b41a610c0ade1af2266c1600e3671355ba42d4b5a0eb4e9d7eb35" + "81400ba5dd132cdb1a5e9328c7bbc0bbb0155ea192972edf97d12751d8fc" + "f6ae572a30b1ea309a8712dd4e33241db1ee455fc093f5bc9b592d756e66" + "21474f32c07af22fb275d340792b32ba2590bbb261aefb95a258eea53765" + "5315be9c24d191992d", + 16, + ) + sharedRSA_exp2 = int( + "28b450a7a75a856413b2bda6f7a63e3d964fb9ecf50e3823ef6cc8e8fa26" + "ee413f8b9d1205540f12bbe7a0c76828b7ba65ad83cca4d0fe2a220114e1" + "b35d03d5a85bfe2706bd50fce6cfcdd571b46ca621b8ed47d605bbe765b0" + "aa4a0665ac25364da20154032e1204b8559d3e34fb5b177c9a56ff93510a" + "5a4a6287c151de2d", + 16, + ) + 
sharedRSA_coef = int( + "28067b9355801d2ef52dfa96d8adb589673cf8ee8a9c6ff72aeeabe9ef6b" + "e58a4f4abf05f788947dc851fdaa34542147a71a246bfb054ee76aa346ab" + "cd2692cfc9e44c51e6f069c735e073ba019f6a7214961c91b26871caeabf" + "8f064418a02690e39a8d5ff3067b7cdb7f50b1f53418a703966c4fc774bf" + "7402af6c43247f43", + 16, + ) + + # For reference, when encoded as a subject public key info, the + # base64-encoded sha-256 hash of this key is + # MQj2tt1yGAfwFpWETYUCVrZxk2CD2705NKBQUlAaKJI= + alternateRSA_N = int( + "00c175c65266099f77082a6791f1b876c37f5ce538b06c4acd22b1cbd46f" + "a65ada2add41c8c2498ac4a3b3c1f61487f41b698941bd80a51c3c120244" + "c584a4c4483305e5138c0106cf08be9a862760bae6a2e8f36f23c5d98313" + "b9dfaf378345dace51d4d6dcd2a6cb3cc706ebcd3070ec98cce40aa591d7" + "295a7f71c5be66691d2b2dfec84944590bc5a3ea49fd93b1d753405f1773" + "7699958666254797ed426908880811422069988a43fee48ce68781dd22b6" + "a69cd28375131f932b128ce286fa7d251c062ad27ef016f187cdd54e832b" + "35b8930f74ba90aa8bc76167242ab1fd6d62140d18c4c0b8c68fc3748457" + "324ad7de86e6552f1d1e191d712168d3bb", + 16, + ) + alternateRSA_E = 65537 + alternateRSA_D = int( + "7e3f6d7cb839ef66ae5d7dd92ff5410bb341dc14728d39034570e1a37079" + "0f30f0681355fff41e2ad4e9a9d9fcebfbd127bdfab8c00affb1f3cea732" + "7ead47aa1621f2ac1ee14ca02f04b3b2786017980b181a449d03b03e69d1" + "12b83571e55434f012056575d2832ed6731dce799e37c83f6d51c55ab71e" + "b58015af05e1af15c747603ef7f27d03a6ff049d96bbf854c1e4e50ef5b0" + "58d0fb08180e0ac7f7be8f2ff1673d97fc9e55dba838077bbf8a7cff2962" + "857785269cd9d5bad2b57469e4afcd33c4ca2d2f699f11e7c8fbdcd484f0" + "8d8efb8a3cb8a972eb24bed972efaae4bb712093e48fe94a46eb629a8750" + "78c4021a9a2c93c9a70390e9d0a54401", + 16, + ) + alternateRSA_P = int( + "00e63fc725a6ba76925a7ff8cb59c4f56dd7ec83fe85bf1f53e11cac9a81" + "258bcfc0ae819077b0f2d1477aaf868de6a8ecbeaf7bb22b196f2a9ad82d" + "3286f0d0cc29de719e5f2be8e509b7284d5963edd362f927887a4c4a8979" + "9d340d51b301ac7601ab27179024fcaadd38bf6522af63eb16461ec02a7f" + "27b06fe09ddda7c0a1", + 
16, + ) + alternateRSA_Q = int( + "00d718b1fe9f8f99f00e832ae1fbdc6fe2ab27f34e049c498010fa0eb708" + "4852182346083b5c96c3eee5592c014a410c6b930b165c13b5c26aa32eac" + "6e7c925a8551c25134f2f4a72c6421f19a73148a0edfaba5d3a6888b35cb" + "a18c00fd38ee5aaf0b545731d720761bbccdee744a52ca415e98e4de01cd" + "fe764c1967b3e8cadb", + 16, + ) + alternateRSA_exp1 = int( + "01e5aca266c94a88d22e13c2b92ea247116c657a076817bdfd30db4b3a9d" + "3095b9a4b6749647e2f84e7a784fc7838b08c85971cf7a036fa30e3b91c3" + "c4d0df278f80c1b6e859d8456adb137defaa9f1f0ac5bac9a9184fd4ea27" + "9d722ea626f160d78aad7bc83845ccb29df115c83f61b7622b99bd439c60" + "9b5790a63c595181", + 16, + ) + alternateRSA_exp2 = int( + "0080cc45d10d2484ee0d1297fc07bf80b3beff461ea27e1f38f371789c3a" + "f66b4a0edd2192c227791db4f1c77ae246bf342f31856b0f56581b58a95b" + "1131c0c5396db2a8c3c6f39ea2e336bc205ae6a2a0b36869fca98cbba733" + "cf01319a6f9bb26b7ca23d3017fc551cd8da8afdd17f6fa2e30d34868798" + "1cd6234d571e90b7df", + 16, + ) + alternateRSA_coef = int( + "6f77c0c1f2ae7ac169561cca499c52bdfbe04cddccdbdc12aec5a85691e8" + "594b7ee29908f30e7b96aa6254b80ed4aeec9b993782bdfc79b69d8d58c6" + "8870fa4be1bc0c3527288c5c82bb4aebaf15edff110403fc78e6ace6a828" + "27bf42f0cfa751e507651c5638db9393dd23dd1f6b295151de44b77fe55a" + "7b0df271e19a65c0", + 16, + ) + + evRSA_N = int( + "00b549895c9d00108d11a1f99f87a9e3d1a5db5dfaecf188da57bf641368" + "8f2ce4722cff109038c17402c93a2a473dbd286aed3fdcd363cf5a291477" + "01bdd818d7615bf9356bd5d3c8336aaa8c0971368a06c3cd4461b93e5142" + "4e1744bb2eaad46aab38ce196821961f87714a1663693f09761cdf4d6ba1" + "25eacec7be270d388f789f6cdf78ae3144ed28c45e79293863a7a22a4898" + "0a36a40e72d579c9b925dff8c793362ffd6897a7c1754c5e97c967c3eadd" + "1aae8aa2ccce348a0169b80e28a2d70c1a960c6f335f2da09b9b643f5abf" + "ba49e8aaa981e960e27d87480bdd55dd9417fa18509fbb554ccf81a4397e" + "8ba8128a34bdf27865c189e5734fb22905", + 16, + ) + evRSA_E = 65537 + evRSA_D = int( + "00983d54f94d6f4c76eb23d6f93d78523530cf73b0d16254c6e781768d45" + 
"f55681d1d02fb2bd2aac6abc1c389860935c52a0d8f41482010394778314" + "1d864bff30803638a5c0152570ae9d18f3d8ca163efb475b0dddf32e7e16" + "ec7565e6bb5e025c41c5c66e57a03cede554221f83045347a2c4c451c3dc" + "e476b787ce0c057244be9e04ef13118dbbb3d5e0a6cc87029eafd4a69ed9" + "b14759b15e39d8a9884e56f54d2f9ab013f0d15f318a9ab6b2f73d1ec3c9" + "fe274ae89431a10640be7899b0011c5e5093a1834708689de100634dabde" + "60fbd6aaefa3a33df34a1f36f60c043036b748d1c9ee98c4031a0afec60e" + "fda0a990be524f5614eac4fdb34a52f951", + 16, + ) + evRSA_P = int( + "00eadc2cb33e5ff1ca376bbd95bd6a1777d2cf4fac47545e92d11a6209b9" + "d5e4ded47834581c169b3c884742a09ea187505c1ca55414d8d25b497632" + "d5ec2aaa05233430fad49892777a7d68e038f561a3b8969e60b0a263defb" + "fda48a9b0ff39d95bc88b15267c8ade97b5107948e41e433249d87f7db10" + "9d5d74584d86bcc1d7", + 16, + ) + evRSA_Q = int( + "00c59ae576a216470248d944a55b9e9bf93299da341ec56e558eba821abc" + "e1bf57b79cf411d2904c774f9dba1f15185f607b0574a08205d6ec28b66a" + "36d634232eaaf2fea37561abaf9d644b68db38c9964cb8c96ec0ac61eba6" + "4d05b446542f423976f5acde4ecc95536d2df578954f93f0cfd9c58fb78b" + "a2a76dd5ac284dc883", + 16, + ) + evRSA_exp1 = int( + "00c1d2ef3906331c52aca64811f9fe425beb2898322fb3db51032ce8d7e9" + "fc32240be92019cf2480fcd5e329837127118b2a59a1bfe06c883e3a4447" + "f3f031cd9aebd0b8d368fc79740d2cce8eadb324df7f091eafe1564361d5" + "4920b01b0471230e5e47d93f8ed33963c517bc4fc78f6d8b1f9eba85bcce" + "db7033026508db6285", + 16, + ) + evRSA_exp2 = int( + "008521b8db5694dfbe804a315f9efc9b65275c5490acf2a3456d65e6e610" + "bf9f647fc67501d4f5772f232ac70ccdef9fc2a6dfa415c7c41b6afc7af9" + "d07c3ca03f7ed93c09f0b99f2c304434322f1071709bbc1baa4c91575fa6" + "a959e07d4996956d95e22b57938b6e47c8d51ffedfc9bf888ce0d1a3e42b" + "65a89bed4b91d3e5f5", + 16, + ) + evRSA_coef = int( + "00dc497b06b920c8be0b0077b798e977eef744a90ec2c5d7e6cbb22448fa" + "c72da81a33180e0d8a02e831460c7fc7fd3a612f7b9930b61b799f8e908e" + "632e9ba0409b6aa70b03a3ba787426263b5bd5843df8476edb5d14f6a861" + 
"3ebaf5b9cd5ca42f5fbd2802e08e4e49e5709f5151510caa5ab2c1c6eb3e" + "fe9295d16e8c25c916", + 16, + ) + + evRSA2040_N = int( + "00ca7020dc215f57914d343fae4a015111697af997a5ece91866499fc23f" + "1b88a118cbd30b10d91c7b9a0d4ee8972fcae56caf57f25fc1275a2a4dbc" + "b982428c32ef587bf2387410330a0ffb16b8029bd783969ef675f6de38c1" + "8f67193cb6c072f8b23d0b3374112627a57b90055771d9e62603f53788d7" + "f63afa724f5d108096df31f89f26b1eb5f7c4357980e008fcd55d827dd26" + "2395ca2f526a07897cc40c593b38716ebc0caa596719c6f29ac9b73a7a94" + "4748a3aa3e09e9eb4d461ea0027e540926614728b9d243975cf9a0541bef" + "d25e76b51f951110b0e7644fc7e38441791b6d2227384cb8004e23342372" + "b1cf5cc3e73e31b7bbefa160e6862ebb", + 16, + ) + evRSA2040_E = 65537 + evRSA2040_D = int( + "00b2db74bce92362abf72955a638ae8720ba3033bb7f971caf39188d7542" + "eaa1c1abb5d205b1e2111f4791c08911a2e141e8cfd7054702d23100b564" + "2c06e1a31b118afd1f9a2f396cced425c501d91435ca8656766ced2b93bb" + "b8669fce9bacd727d1dacb3dafabc3293e35389eef8ea0b58e1aeb1a20e6" + "a61f9fcd453f7567fe31d123b616a26fef4df1d6c9f7490111d028eefd1d" + "972045b1a242273dd7a67ebf111db2741a5a93c7b2289cc4a236f5a99a6e" + "c7a8206fdae1c1d04bdbb1980d4a298c5a17dae4186474a5f7835d882bce" + "f24aef4ed6f149f94d96c9f7d78e647fc778a9017ff208d3b4a1768b1821" + "62102cdab032fabbab38d5200a324649", + 16, + ) + evRSA2040_P = int( + "0f3844d0d4d4d6a21acd76a6fc370b8550e1d7ec5a6234172e790f0029ae" + "651f6d5c59330ab19802b9d7a207de7a1fb778e3774fdbdc411750633d8d" + "1b3fe075006ffcfd1d10e763c7a9227d2d5f0c2dade1c9e659c350a159d3" + "6bb986f12636d4f9942b288bc0fe21da8799477173144249ca2e389e6c5c" + "25aa78c8cad7d4df", + 16, + ) + evRSA2040_Q = int( + "0d4d0bedd1962f07a1ead6b23a4ed67aeaf1270f052a6d29ba074945c636" + "1a5c4f8f07bf859e067aed3f4e6e323ef2aa8a6acd340b0bdc7cfe4fd329" + "e3c97f870c7f7735792c6aa9d0f7e7542a28ed6f01b0e55a2b8d9c24a65c" + "6da314c95484f5c7c3954a81bb016b07ed17ee9b06039695bca059a79f8d" + "c2423d328d5265a5", + 16, + ) + evRSA2040_exp1 = int( + 
"09f29a2ff05be8a96d614ba31b08935420a86c6bc42b99a6692ea0da5763" + "f01e596959b7ddce73ef9c2e4f6e5b40710887500d44ba0c3cd3132cba27" + "475f39c2df7552e2d123a2497a4f97064028769a48a3624657f72bf539f3" + "d0de234feccd3be8a0aa90c6bf6e9b0bed43070a24d061ff3ed1751a3ef2" + "ff7f6b90b9dbd5fb", + 16, + ) + evRSA2040_exp2 = int( + "01a659e170cac120a03be1cf8f9df1caa353b03593bd7476e5853bd874c2" + "87388601c6c341ce9d1d284a5eef1a3a669d32b816a5eaecd8b7844fe070" + "64b9bca0c2b318d540277b3f7f1510d386bb36e03b04771e5d229e88893e" + "13b753bfb94518bb638e2404bd6e6a993c1668d93fc0b82ff08aaf34347d" + "3fe8397108c87ca5", + 16, + ) + evRSA2040_coef = int( + "040257c0d4a21c0b9843297c65652db66304fb263773d728b6abfa06d37a" + "c0ca62c628023e09e37dc0a901e4ce1224180e2582a3aa4b6a1a7b98e2bd" + "70077aec14ac8ab66a755c71e0fc102471f9bbc1b46a95aa0b645f2c38e7" + "6450289619ea3f5e8ae61037bffcf8249f22aa4e76e2a01909f3feb290ce" + "93edf57b10ebe796", + 16, + ) + + rsa2040_N = int( + "00bac0652fdfbc0055882ffbaeaceec88fa2d083c297dd5d40664dd3d90f" + "52f9aa02bd8a50fba16e0fd991878ef475f9b350d9f8e3eb2abd717ce327" + "b09788531f13df8e3e4e3b9d616bb8a41e5306eed2472163161051180127" + "6a4eb66f07331b5cbc8bcae7016a8f9b3d4f2ac4553c624cf5263bcb348e" + "8840de6612870960a792191b138fb217f765cec7bff8e94f16b39419bf75" + "04c59a7e4f79bd6d173e9c7bf3d9d2a4e73cc180b0590a73d584fb7fc9b5" + "4fa544607e53fc685c7a55fd44a81d4142b6af51ea6fa6cea52965a2e8c5" + "d84f3ca024d6fbb9b005b9651ce5d9f2ecf40ed404981a9ffc02636e311b" + "095c6332a0c87dc39271b5551481774b", + 16, + ) + rsa2040_E = 65537 + rsa2040_D = int( + "603db267df97555cbed86b8df355034af28f1eb7f3e7829d239bcc273a7c" + "7a69a10be8f21f1b6c4b02c6bae3731c3158b5bbff4605f57ab7b7b2a0cb" + "a2ec005a2db5b1ea6e0aceea5bc745dcd2d0e9d6b80d7eb0ea2bc08127bc" + "e35fa50c42cc411871ba591e23ba6a38484a33eff1347f907ee9a5a92a23" + "11bb0b435510020f78e3bb00099db4d1182928096505fcba84f3ca1238fd" + "1eba5eea1f391bbbcc5424b168063fc17e1ca6e1912ccba44f9d0292308a" + 
"1fedb80612529b39f59d0a3f8180b5ba201132197f93a5815ded938df8e7" + "d93c9b15766588f339bb59100afda494a7e452d7dd4c9a19ce2ec3a33a18" + "b20f0b4dade172bee19f26f0dcbe41", + 16, + ) + rsa2040_P = int( + "0ec3869cb92d406caddf7a319ab29448bc505a05913707873361fc5b986a" + "499fb65eeb815a7e37687d19f128087289d9bb8818e7bcca502c4900ad9a" + "ece1179be12ff3e467d606fc820ea8f07ac9ebffe2236e38168412028822" + "3e42dbe68dfd972a85a6447e51695f234da7911c67c9ab9531f33df3b994" + "32d4ee88c9a4efbb", + 16, + ) + rsa2040_Q = int( + "0ca63934549e85feac8e0f5604303fd1849fe88af4b7f7e1213283bbc7a2" + "c2a509f9273c428c68de3db93e6145f1b400bd6d4a262614e9043ad362d4" + "eba4a6b995399c8934a399912199e841d8e8dbff0489f69e663796730b29" + "80530b31cb70695a21625ea2adccc09d930516fa872211a91e22dd89fd9e" + "b7da8574b72235b1", + 16, + ) + rsa2040_exp1 = int( + "0d7d3a75e17f65f8a658a485c4095c10a4f66979e2b73bca9cf8ef21253e" + "1facac6d4791f58392ce8656f88f1240cc90c29653e3100c6d7a38ed44b1" + "63b339e5f3b6e38912126c69b3ceff2e5192426d9649b6ffca1abb75d2ba" + "2ed6d9a26aa383c5973d56216ff2edb90ccf887742a0f183ac92c94cf187" + "657645c7772d9ad7", + 16, + ) + rsa2040_exp2 = int( + "03f550194c117f24bea285b209058032f42985ff55acebe88b16df9a3752" + "7b4e61dc91a68dbc9a645134528ce5f248bda2893c96cb7be79ee73996c7" + "c22577f6c2f790406f3472adb3b211b7e94494f32c5c6fcc0978839fe472" + "4c31b06318a2489567b4fca0337acb1b841227aaa5f6c74800a2306929f0" + "2ce038bad943df41", + 16, + ) + rsa2040_coef = int( + "080a7dbfa8c2584814c71664c56eb62ce4caf16afe88d4499159d674774a" + "3a3ecddf1256c02fc91525c527692422d0aba94e5c41ee12dc71bb66f867" + "9fa17e096f28080851ba046eb31885c1414e8985ade599d907af17453d1c" + "caea2c0d06443f8367a6be154b125e390ee0d90f746f08801dd3f5367f59" + "fba2e5a67c05f375", + 16, + ) + + rsa1024_N = int( + "00d3a97440101eba8c5df9503e6f935eb52ffeb3ebe9d0dc5cace26f973c" + "a94cbc0d9c31d66c0c013bce9c82d0d480328df05fb6bcd7990a5312ddae" + "6152ad6ee61c8c1bdd8663c68bd36224a9882ae78e89f556dfdbe6f51da6" + 
"112cbfc27c8a49336b41afdb75321b52b24a7344d1348e646351a551c757" + "1ccda0b8fe35f61a75", + 16, + ) + rsa1024_E = 65537 + rsa1024_D = int( + "5b6708e185548fc07ff062dba3792363e106ff9177d60ee3227162391024" + "1813f958a318f26db8b6a801646863ebbc69190d6c2f5e7723433e99666d" + "76b3987892cd568f1f18451e8dc05477c0607ee348380ebb7f4c98d0c036" + "a0260bc67b2dab46cbaa4ce87636d839d8fddcbae2da3e02e8009a21225d" + "d7e47aff2f82699d", + 16, + ) + rsa1024_P = int( + "00fcdee570323e8fc399dbfc63d8c1569546fb3cd6886c628668ab1e1d0f" + "ca71058febdf76d702970ad6579d80ac2f9521075e40ef8f3f39983bd819" + "07e898bad3", + 16, + ) + rsa1024_Q = int( + "00d64801c955b4eb75fbae230faa8b28c9cc5e258be63747ff5ac8d2af25" + "3e9f6d6ce03ea2eb13ae0eb32572feb848c32ca00743635374338fedacd8" + "c5885f7897", + 16, + ) + rsa1024_exp1 = int( + "76c0526d5b1b28368a75d5d42a01b9a086e20b9310241e2cd2d0b166a278" + "c694ff1e9d25d9193d47789b52bb0fa194de1af0b77c09007f12afdfeef9" + "58d108c3", + 16, + ) + rsa1024_exp2 = int( + "008a41898d8b14217c4d782cbd15ef95d0a660f45ed09a4884f4e170367b" + "946d2f20398b907896890e88fe17b54bd7febe133ebc7720c86fe0649cca" + "7ca121e05f", + 16, + ) + rsa1024_coef = int( + "22db133445f7442ea2a0f582031ee214ff5f661972986f172651d8d6b4ec" + "3163e99bff1c82fe58ec3d075c6d8f26f277020edb77c3ba821b9ba3ae18" + "ff8cb2cb", + 16, + ) + + rsa1016_N = int( + "00d29bb12fb84fddcd29b3a519cb66c43b8d8f8be545ba79384ce663ed03" + "df75991600eb920790d2530cece544db99a71f05896a3ed207165534aa99" + "057e47c47e3bc81ada6fa1e12e37268b5046a55268f9dad7ccb485d81a2e" + "19d50d4f0b6854acaf6d7be69d9a083136e15afa8f53c1c8c84fc6077279" + "dd0e55d7369a5bdd", + 16, + ) + rsa1016_E = 65537 + rsa1016_D = int( + "3c4965070bf390c251d5a2c5277c5b5fd0bdee85cad7fe2b27982bb28511" + "4a507004036ae1cf8ae54b25e4db39215abd7e903f618c2d8b2f08cc6cd1" + "2dbccd72205e4945b6b3df389e5e43de0a148bb2c84e2431fdbe5920b044" + "bb272f45ecff0721b7dfb60397fc613a9ea35c22300530cae8f9159c534d" + "f3bf0910951901", + 16, + ) + rsa1016_P = int( + 
"0f9f17597c85b8051b9c69afb55ef576c996dbd09047d0ccde5b9d60ea5c" + "67fe4fac67be803f4b6ac5a3f050f76b966fb14f5cf105761e5ade6dd960" + "b183ba55", + 16, + ) + rsa1016_Q = int( + "0d7b637112ce61a55168c0f9c9386fb279ab40cba0d549336bba65277263" + "aac782611a2c81d9b635cf78c40018859e018c5e9006d12e3d2ee6f346e7" + "9fa43369", + 16, + ) + rsa1016_exp1 = int( + "09fd6c9a3ea6e91ae32070f9fc1c210ff9352f97be5d1eeb951bb39681e9" + "dc5b672a532221b3d8900c9a9d99b9d0a4e102dc450ca1b87b0b1389de65" + "16c0ae0d", + 16, + ) + rsa1016_exp2 = int( + "0141b832491b7dd4a83308920024c79cae64bd447df883bb4c5672a96bab" + "48b7123b34f26324452cdceb17f21e570e347cbe2fd4c2d8f9910eac2cb6" + "d895b8c9", + 16, + ) + rsa1016_coef = int( + "0458dd6aee18c88b2f9b81f1bc3075ae20dc1f9973d20724f20b06043d61" + "47c8789d4a07ae88bc82c8438c893e017b13947f62e0b18958a31eb664b1" + "9e64d3e0", + 16, + ) + + def __init__(self, specification): + if specification == "default": + self.RSA_N = self.sharedRSA_N + self.RSA_E = self.sharedRSA_E + self.RSA_D = self.sharedRSA_D + self.RSA_P = self.sharedRSA_P + self.RSA_Q = self.sharedRSA_Q + self.RSA_exp1 = self.sharedRSA_exp1 + self.RSA_exp2 = self.sharedRSA_exp2 + self.RSA_coef = self.sharedRSA_coef + elif specification == "alternate": + self.RSA_N = self.alternateRSA_N + self.RSA_E = self.alternateRSA_E + self.RSA_D = self.alternateRSA_D + self.RSA_P = self.alternateRSA_P + self.RSA_Q = self.alternateRSA_Q + self.RSA_exp1 = self.alternateRSA_exp1 + self.RSA_exp2 = self.alternateRSA_exp2 + self.RSA_coef = self.alternateRSA_coef + elif specification == "ev": + self.RSA_N = self.evRSA_N + self.RSA_E = self.evRSA_E + self.RSA_D = self.evRSA_D + self.RSA_P = self.evRSA_P + self.RSA_Q = self.evRSA_Q + self.RSA_exp1 = self.evRSA_exp1 + self.RSA_exp2 = self.evRSA_exp2 + self.RSA_coef = self.evRSA_coef + elif specification == "evRSA2040": + self.RSA_N = self.evRSA2040_N + self.RSA_E = self.evRSA2040_E + self.RSA_D = self.evRSA2040_D + self.RSA_P = self.evRSA2040_P + self.RSA_Q = 
self.evRSA2040_Q + self.RSA_exp1 = self.evRSA2040_exp1 + self.RSA_exp2 = self.evRSA2040_exp2 + self.RSA_coef = self.evRSA2040_coef + elif specification == "rsa2040": + self.RSA_N = self.rsa2040_N + self.RSA_E = self.rsa2040_E + self.RSA_D = self.rsa2040_D + self.RSA_P = self.rsa2040_P + self.RSA_Q = self.rsa2040_Q + self.RSA_exp1 = self.rsa2040_exp1 + self.RSA_exp2 = self.rsa2040_exp2 + self.RSA_coef = self.rsa2040_coef + elif specification == "rsa1024": + self.RSA_N = self.rsa1024_N + self.RSA_E = self.rsa1024_E + self.RSA_D = self.rsa1024_D + self.RSA_P = self.rsa1024_P + self.RSA_Q = self.rsa1024_Q + self.RSA_exp1 = self.rsa1024_exp1 + self.RSA_exp2 = self.rsa1024_exp2 + self.RSA_coef = self.rsa1024_coef + elif specification == "rsa1016": + self.RSA_N = self.rsa1016_N + self.RSA_E = self.rsa1016_E + self.RSA_D = self.rsa1016_D + self.RSA_P = self.rsa1016_P + self.RSA_Q = self.rsa1016_Q + self.RSA_exp1 = self.rsa1016_exp1 + self.RSA_exp2 = self.rsa1016_exp2 + self.RSA_coef = self.rsa1016_coef + else: + raise UnknownKeySpecificationError(specification) + + def toDER(self): + privateKeyInfo = PrivateKeyInfo() + privateKeyInfo["version"] = 0 + algorithmIdentifier = rfc2459.AlgorithmIdentifier() + algorithmIdentifier["algorithm"] = rfc2459.rsaEncryption + # Directly setting parameters to univ.Null doesn't currently work. 
+ nullEncapsulated = encoder.encode(univ.Null()) + algorithmIdentifier["parameters"] = univ.Any(nullEncapsulated) + privateKeyInfo["privateKeyAlgorithm"] = algorithmIdentifier + rsaPrivateKey = RSAPrivateKey() + rsaPrivateKey["version"] = 0 + rsaPrivateKey["modulus"] = self.RSA_N + rsaPrivateKey["publicExponent"] = self.RSA_E + rsaPrivateKey["privateExponent"] = self.RSA_D + rsaPrivateKey["prime1"] = self.RSA_P + rsaPrivateKey["prime2"] = self.RSA_Q + rsaPrivateKey["exponent1"] = self.RSA_exp1 + rsaPrivateKey["exponent2"] = self.RSA_exp2 + rsaPrivateKey["coefficient"] = self.RSA_coef + rsaPrivateKeyEncoded = encoder.encode(rsaPrivateKey) + privateKeyInfo["privateKey"] = univ.OctetString(rsaPrivateKeyEncoded) + return encoder.encode(privateKeyInfo) + + def toPEM(self): + output = "-----BEGIN PRIVATE KEY-----" + der = self.toDER() + b64 = six.ensure_text(base64.b64encode(der)) + while b64: + output += "\n" + b64[:64] + b64 = b64[64:] + output += "\n-----END PRIVATE KEY-----" + return output + + def asSubjectPublicKeyInfo(self): + """Returns a subject public key info representing + this key for use by pyasn1.""" + algorithmIdentifier = rfc2459.AlgorithmIdentifier() + algorithmIdentifier["algorithm"] = rfc2459.rsaEncryption + # Directly setting parameters to univ.Null doesn't currently work. + nullEncapsulated = encoder.encode(univ.Null()) + algorithmIdentifier["parameters"] = univ.Any(nullEncapsulated) + spki = rfc2459.SubjectPublicKeyInfo() + spki["algorithm"] = algorithmIdentifier + rsaKey = RSAPublicKey() + rsaKey["N"] = univ.Integer(self.RSA_N) + rsaKey["E"] = univ.Integer(self.RSA_E) + subjectPublicKey = univ.BitString( + byteStringToHexifiedBitString(encoder.encode(rsaKey)) + ) + spki["subjectPublicKey"] = subjectPublicKey + return spki + + def sign(self, data, hashAlgorithm): + """Returns a hexified bit string representing a + signature by this key over the specified data. 
+ Intended for use with pyasn1.type.univ.BitString""" + hashAlgorithmName = None + if hashAlgorithm == HASH_MD5: + hashAlgorithmName = "MD5" + elif hashAlgorithm == HASH_SHA1: + hashAlgorithmName = "SHA-1" + elif hashAlgorithm == HASH_SHA256: + hashAlgorithmName = "SHA-256" + elif hashAlgorithm == HASH_SHA384: + hashAlgorithmName = "SHA-384" + elif hashAlgorithm == HASH_SHA512: + hashAlgorithmName = "SHA-512" + else: + raise UnknownHashAlgorithmError(hashAlgorithm) + rsaPrivateKey = rsa.PrivateKey( + self.RSA_N, self.RSA_E, self.RSA_D, self.RSA_P, self.RSA_Q + ) + signature = rsa.sign(data, rsaPrivateKey, hashAlgorithmName) + return byteStringToHexifiedBitString(signature) + + +ecPublicKey = univ.ObjectIdentifier("1.2.840.10045.2.1") +secp256k1 = univ.ObjectIdentifier("1.3.132.0.10") +secp224r1 = univ.ObjectIdentifier("1.3.132.0.33") +secp256r1 = univ.ObjectIdentifier("1.2.840.10045.3.1.7") +secp384r1 = univ.ObjectIdentifier("1.3.132.0.34") +secp521r1 = univ.ObjectIdentifier("1.3.132.0.35") + + +def longToEvenLengthHexString(val): + h = format(val, "x") + if not len(h) % 2 == 0: + h = "0" + h + return h + + +class ECCKey(object): + secp256k1KeyPair = ( + "35ee7c7289d8fef7a86afe5da66d8bc2ebb6a8543fd2fead089f45ce7acd0fa6" + + "4382a9500c41dad770ffd4b511bf4b492eb1238800c32c4f76c73a3f3294e7c5", + "67cebc208a5fa3df16ec2bb34acc59a42ab4abb0538575ca99b92b6a2149a04f", + ) + + secp224r1KeyPair = ( + "668d72cca6fd6a1b3557b5366104d84408ecb637f08e8c86bbff82cc" + + "00e88f0066d7af63c3298ba377348a1202b03b37fd6b1ff415aa311e", + "04389459926c3296c242b83e10a6cd2011c8fe2dae1b772ea5b21067", + ) + + secp256r1KeyPair = ( + "4fbfbbbb61e0f8f9b1a60a59ac8704e2ec050b423e3cf72e923f2c4f794b455c" + + "2a69d233456c36c4119d0706e00eedc8d19390d7991b7b2d07a304eaa04aa6c0", + "2191403d5710bf15a265818cd42ed6fedf09add92d78b18e7a1e9feb95524702", + ) + + secp384r1KeyPair = ( + "a1687243362b5c7b1889f379154615a1c73fb48dee863e022915db608e252de4b71" + + 
"32da8ce98e831534e6a9c0c0b09c8d639ade83206e5ba813473a11fa330e05da8c9"
+ + "6e4383fe27873da97103be2888cff002f05af71a1fddcc8374aa6ea9ce",
+ "035c7a1b10d9fafe837b64ad92f22f5ced0789186538669b5c6d872cec3d926122b"
+ + "393772b57602ff31365efe1393246",
+ )
+
+ secp521r1KeyPair = (
+ "014cdc9cacc47941096bc9cc66752ec27f597734fa66c62b792f88c519d6d37f0d1"
+ + "6ea1c483a1827a010b9128e3a08070ca33ef5f57835b7c1ba251f6cc3521dc42b01"
+ + "0653451981b445d343eed3782a35d6cff0ff484f5a883d209f1b9042b726703568b"
+ + "2f326e18b833bdd8aa0734392bcd19501e10d698a79f53e11e0a22bdd2aad90",
+ "014f3284fa698dd9fe1118dd331851cdfaac5a3829278eb8994839de9471c940b85"
+ + "8c69d2d05e8c01788a7d0b6e235aa5e783fc1bee807dcc3865f920e12cf8f2d29",
+ )
+
+ def __init__(self, specification):
+ if specification == "secp256k1":
+ key_pair = self.secp256k1KeyPair
+ self.keyOID = secp256k1
+ self.curve = ecdsa.SECP256k1
+ elif specification == "secp224r1":
+ key_pair = self.secp224r1KeyPair
+ self.keyOID = secp224r1
+ self.curve = ecdsa.NIST224p
+ elif specification == "secp256r1":
+ key_pair = self.secp256r1KeyPair
+ self.keyOID = secp256r1
+ self.curve = ecdsa.NIST256p
+ elif specification == "secp384r1":
+ key_pair = self.secp384r1KeyPair
+ self.keyOID = secp384r1
+ self.curve = ecdsa.NIST384p
+ elif specification == "secp521r1":
+ key_pair = self.secp521r1KeyPair
+ self.keyOID = secp521r1
+ self.curve = ecdsa.NIST521p
+ else:
+ raise UnknownKeySpecificationError(specification)
+
+ self.public_key, self.private_key = (
+ binascii.unhexlify(key_pair[0]),
+ binascii.unhexlify(key_pair[1]),
+ )
+ self.key = ecdsa.SigningKey.from_string(self.private_key, curve=self.curve)
+
+ def getPublicKeyHexifiedString(self):
+ """Returns the EC public key as a hex string using the uncompressed
+ point representation. This is intended to be used in the encoder
+ functions, as it surrounds the value with ''H to indicate its type."""
+ p1, p2 = (
+ self.public_key[: len(self.public_key) // 2],
+ self.public_key[len(self.public_key) // 2 :],
+ )
+ # We don't want leading zeroes.
+ p1, p2 = (p1.lstrip(b"\0"), p2.lstrip(b"\0"))
+ # '04' indicates that the points are in uncompressed form.
+ return byteStringToHexifiedBitString(b"\04" + p1 + p2)
+
+ def toPEM(self):
+ """Return the EC private key in PEM-encoded form."""
+ output = "-----BEGIN EC PRIVATE KEY-----"
+ der = self.toDER()
+ b64 = six.ensure_text(base64.b64encode(der))
+ while b64:
+ output += "\n" + b64[:64]
+ b64 = b64[64:]
+ output += "\n-----END EC PRIVATE KEY-----"
+ return output
+
+ def toDER(self):
+ """Return the EC private key in DER-encoded form, encoded per SEC 1
+ section C.4 format."""
+ privateKeyInfo = PrivateKeyInfo()
+ privateKeyInfo["version"] = 0
+ algorithmIdentifier = rfc2459.AlgorithmIdentifier()
+ algorithmIdentifier["algorithm"] = ecPublicKey
+ algorithmIdentifier["parameters"] = self.keyOID
+ privateKeyInfo["privateKeyAlgorithm"] = algorithmIdentifier
+ ecPrivateKey = ECPrivateKey()
+ ecPrivateKey["version"] = 1
+ ecPrivateKey["privateKey"] = self.private_key
+ ecPrivateKey["publicKey"] = univ.BitString(
+ self.getPublicKeyHexifiedString()
+ ).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))
+ ecPrivateKeyEncoded = encoder.encode(ecPrivateKey)
+ privateKeyInfo["privateKey"] = univ.OctetString(ecPrivateKeyEncoded)
+ return encoder.encode(privateKeyInfo)
+
+ def asSubjectPublicKeyInfo(self):
+ """Returns a subject public key info representing
+ this key for use by pyasn1."""
+ algorithmIdentifier = rfc2459.AlgorithmIdentifier()
+ algorithmIdentifier["algorithm"] = ecPublicKey
+ algorithmIdentifier["parameters"] = self.keyOID
+ spki = rfc2459.SubjectPublicKeyInfo()
+ spki["algorithm"] = algorithmIdentifier
+ spki["subjectPublicKey"] = univ.BitString(self.getPublicKeyHexifiedString())
+ return spki
+
+ def signRaw(self, data, hashAlgorithm):
+ """Performs the ECDSA signature algorithm over the given data.
+ The returned value is a string representing the bytes of the
+ resulting point when encoded by left-padding each of (r, s) to
+ the key size and concatenating them.
+ """
+ assert hashAlgorithm.startswith("hash:")
+ hashAlgorithm = hashAlgorithm[len("hash:") :]
+ k = _gen_k(self.curve)
+ digest = hashlib.new(hashAlgorithm, six.ensure_binary(data)).digest()
+ digest = _truncate_digest(digest, self.curve)
+ # NOTE: Under normal circumstances it's advisable to use
+ # sign_digest_deterministic. In this case we don't want the library's
+ # default generation of k, so we call the normal "sign" method and
+ # inject it here.
+ return self.key.sign_digest(digest, sigencode=ecdsa.util.sigencode_string, k=k)
+
+ def sign(self, data, hashAlgorithm):
+ """Returns a hexified bit string representing a
+ signature by this key over the specified data.
+ Intended for use with pyasn1.type.univ.BitString"""
+ # signRaw returns an encoded point, which is useful in some situations.
+ # However, for signatures on X509 certificates, we need to decode it so
+ # we can encode it as a BITSTRING consisting of a SEQUENCE of two
+ # INTEGERs.
+ raw = self.signRaw(data, hashAlgorithm)
+ point = ECPoint()
+ point["x"] = int.from_bytes(raw[: len(raw) // 2], byteorder="big")
+ point["y"] = int.from_bytes(raw[len(raw) // 2 :], byteorder="big")
+ return byteStringToHexifiedBitString(encoder.encode(point))
+
+
+def keyFromSpecification(specification):
+ """Pass in a specification, get the appropriate key back."""
+ if specification.startswith("secp"):
+ return ECCKey(specification)
+ return RSAKey(specification)
+
+
+# The build harness will call this function with an output file-like
+# object and a path to a file containing a specification. This will
+# read the specification and output the key as ASCII-encoded PKCS #8.
+
+
+def main(output, inputPath):
+ with open(inputPath) as configStream:
+ output.write(keyFromSpecification(configStream.read().strip()).toPEM() + "\n")
+
+
+# When run as a standalone program, this will read a specification from
+# stdin and output the certificate as PEM to stdout.
+if __name__ == "__main__":
+ print(keyFromSpecification(sys.stdin.read().strip()).toPEM())
-- cgit v1.2.3