summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/tests/unit/test_name_constraints.js
blob: e04eb93b0cd2f0b711c0e3229e6b4556bf64d33c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

"use strict";

// This test tests two specific items:
// 1. Are name constraints properly enforced across the entire constructed
// certificate chain? This makes use of a certificate hierarchy like so:
//  - (trusted) root CA with permitted subtree dNSName example.com
//  - intermediate CA with permitted subtree dNSName example.org
//    a. end-entity with dNSNames example.com and example.org
//       (the first entry is allowed by the root but not by the intermediate,
//        and the second entry is allowed by the intermediate but not by the
//        root)
//    b. end-entity with dNSName example.com (not allowed by the intermediate)
//    c. end-entity with dNSName examle.org (not allowed by the root)
//    d. end-entity with dNSName example.test (not allowed by either)
//  All of these cases should fail to verify with the error that the
//  end-entity is not in the name space permitted by the hierarchy.
//
// 2. Are externally-imposed name constraints properly enforced? This makes use
// of a certificate hierarchy rooted by a certificate with the same DN as an
// existing hierarchy that has externally-imposed name constraints (DCISS).

do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
  Ci.nsIX509CertDB
);

function certFromFile(name) {
  return constructCertFromFile(`test_name_constraints/${name}.pem`);
}

function loadCertWithTrust(certName, trustString) {
  addCertFromFile(certdb, `test_name_constraints/${certName}.pem`, trustString);
}

function checkCertNotInNameSpace(cert) {
  return checkCertErrorGeneric(
    certdb,
    cert,
    SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
    certificateUsageSSLServer
  );
}

function checkCertInNameSpace(cert) {
  return checkCertErrorGeneric(
    certdb,
    cert,
    PRErrorCodeSuccess,
    certificateUsageSSLServer
  );
}

add_task(async function() {
  // Test that name constraints from the entire certificate chain are enforced.
  loadCertWithTrust("ca-example-com-permitted", "CTu,,");
  loadCertWithTrust("int-example-org-permitted", ",,");
  await checkCertNotInNameSpace(certFromFile("ee-example-com-and-org"));
  await checkCertNotInNameSpace(certFromFile("ee-example-com"));
  await checkCertNotInNameSpace(certFromFile("ee-example-org"));
  await checkCertNotInNameSpace(certFromFile("ee-example-test"));

  // Test that externally-imposed name constraints are enforced (DCISS tests).
  loadCertWithTrust("dciss", "CTu,,");
  await checkCertInNameSpace(certFromFile("NameConstraints.dcissallowed"));
  await checkCertNotInNameSpace(certFromFile("NameConstraints.dcissblocked"));
});