diff options
author | janekptacijarabaci <janekptacijarabaci@seznam.cz> | 2018-04-23 09:10:12 +0200 |
---|---|---|
committer | janekptacijarabaci <janekptacijarabaci@seznam.cz> | 2018-04-23 09:10:12 +0200 |
commit | c3ec00a15295120481e4b845e36ccf324dc6b669 (patch) | |
tree | dd0f4d6bf7ccaded789019870c4f81f4e1fd8d57 /security/manager | |
parent | c30ebdac27c93b57e368c69e9c13055a17229992 (diff) | |
download | UXP-c3ec00a15295120481e4b845e36ccf324dc6b669.tar UXP-c3ec00a15295120481e4b845e36ccf324dc6b669.tar.gz UXP-c3ec00a15295120481e4b845e36ccf324dc6b669.tar.lz UXP-c3ec00a15295120481e4b845e36ccf324dc6b669.tar.xz UXP-c3ec00a15295120481e4b845e36ccf324dc6b669.zip |
moebius#119: (Windows) Security - Certificate Stores - NSSCertDBTrustDomain allows end-entities to be their own trust anchors
https://github.com/MoonchildProductions/moebius/pull/119
Diffstat (limited to 'security/manager')
-rw-r--r-- | security/manager/ssl/tests/unit/test_cert_trust.js | 28 |
1 files changed, 25 insertions, 3 deletions
diff --git a/security/manager/ssl/tests/unit/test_cert_trust.js b/security/manager/ssl/tests/unit/test_cert_trust.js index 622678c7a..bf081f1bd 100644 --- a/security/manager/ssl/tests/unit/test_cert_trust.js +++ b/security/manager/ssl/tests/unit/test_cert_trust.js @@ -208,9 +208,31 @@ function run_test() { setCertTrust(ca_cert, ",,"); setCertTrust(int_cert, ",,"); - // It turns out that if an end-entity certificate is manually trusted, it can - // be the root of its own verified chain. This will be removed in bug 1294580. - setCertTrust(ee_cert, "C,,"); + // If an end-entity certificate is manually trusted, it may not be the root of + // its own verified chain. In general this will cause "unknown issuer" errors + // unless a CA trust anchor can be found. + setCertTrust(ee_cert, "CTu,CTu,CTu"); + checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageSSLServer); + checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageSSLClient); + checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageEmailSigner); + checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageEmailRecipient); + checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageObjectSigner); + + // Now make a CA trust anchor available. + setCertTrust(ca_cert, "CTu,CTu,CTu"); checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, certificateUsageSSLServer); + checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageSSLClient); + checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageEmailSigner); + checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageEmailRecipient); + checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageObjectSigner); } |