1 files changed, 106 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/test_validity.js b/security/manager/ssl/tests/unit/test_validity.js
new file mode 100644
index 0000000000..e1ee44b060
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_validity.js
@@ -0,0 +1,106 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that chains containing an end-entity cert with an overly long validity
+// period are rejected.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+const SERVER_PORT = 8888;
+
+function getOCSPResponder(expectedCertNames) {
+  let expectedPaths = expectedCertNames.slice();
+  return startOCSPResponder(
+    SERVER_PORT,
+    "www.example.com",
+    "test_validity",
+    expectedCertNames,
+    expectedPaths
+  );
+}
+
+function certFromFile(filename) {
+  return constructCertFromFile(`test_validity/${filename}`);
+}
+
+function loadCert(certFilename, trustString) {
+  addCertFromFile(certDB, `test_validity/${certFilename}`, trustString);
+}
+
+/**
+ * Asynchronously runs a single EV test.
+ *
+ * @param {Array} expectedNamesForOCSP
+ *        An array of nicknames of the certs to be responded to.
+ * @param {string} rootCertFileName
+ *        The file name of the root cert. Can begin with ".." to reference
+ *        certs in folders other than "test_validity/".
+ * @param {Array} intCertFileNames
+ *        An array of file names of any intermediate certificates.
+ * @param {string} endEntityCertFileName
+ *        The file name of the end entity cert.
+ * @param {boolean} expectedResult
+ *        Whether the chain is expected to validate as EV.
+ */
+async function doEVTest(
+  expectedNamesForOCSP,
+  rootCertFileName,
+  intCertFileNames,
+  endEntityCertFileName,
+  expectedResult
+) {
+  clearOCSPCache();
+  let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
+
+  loadCert(`${rootCertFileName}.pem`, "CTu,CTu,CTu");
+  for (let intCertFileName of intCertFileNames) {
+    loadCert(`${intCertFileName}.pem`, ",,");
+  }
+  await checkEVStatus(
+    certDB,
+    certFromFile(`${endEntityCertFileName}.pem`),
+    certificateUsageSSLServer,
+    expectedResult
+  );
+
+  await stopOCSPResponder(ocspResponder);
+}
+
+async function checkEVChains() {
+  // Chain with an end entity cert with a validity period that is acceptable
+  // for EV.
+  const intFullName = "ev_int_60_months-evroot";
+  let eeFullName = `ev_ee_27_months-${intFullName}`;
+  let expectedNamesForOCSP = [eeFullName];
+  await doEVTest(
+    expectedNamesForOCSP,
+    "../test_ev_certs/evroot",
+    [intFullName],
+    eeFullName,
+    gEVExpected
+  );
+
+  // Chain with an end entity cert with a validity period that is too long
+  // for EV.
+  eeFullName = `ev_ee_28_months-${intFullName}`;
+  expectedNamesForOCSP = [eeFullName];
+  await doEVTest(
+    expectedNamesForOCSP,
+    "../test_ev_certs/evroot",
+    [intFullName],
+    eeFullName,
+    false
+  );
+}
+
+add_task(async function () {
+  Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+  await checkEVChains();
+});