summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/tests/unit/test_cert_trust.js
diff options
context:
space:
mode:
Diffstat (limited to 'security/manager/ssl/tests/unit/test_cert_trust.js')
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust.js216
1 files changed, 216 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/test_cert_trust.js b/security/manager/ssl/tests/unit/test_cert_trust.js
new file mode 100644
index 000000000..622678c7a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@@ -0,0 +1,216 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"]
+ .getService(Ci.nsIX509CertDB);
+
+var certList = [
+ 'ee',
+ 'int',
+ 'ca',
+];
+
+function load_cert(cert_name, trust_string) {
+ let cert_filename = cert_name + ".pem";
+ addCertFromFile(certdb, "test_cert_trust/" + cert_filename, trust_string);
+}
+
+function setup_basic_trusts(ca_cert, int_cert) {
+ certdb.setCertTrust(ca_cert, Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_SSL |
+ Ci.nsIX509CertDB.TRUSTED_EMAIL |
+ Ci.nsIX509CertDB.TRUSTED_OBJSIGN);
+
+ certdb.setCertTrust(int_cert, Ci.nsIX509Cert.CA_CERT, 0);
+}
+
+function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
+ // On reset most usages are successful
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageSSLServer);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageSSLClient);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageEmailSigner);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageEmailRecipient);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageObjectSigner);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageVerifyCA);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
+ certificateUsageStatusResponder);
+
+
+ // Test of active distrust. No usage should pass.
+ setCertTrust(cert_to_modify_trust, 'p,p,p');
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLServer);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLClient);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailSigner);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailRecipient);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageObjectSigner);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageVerifyCA);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageStatusResponder);
+
+ // Trust set to T - trusted CA to issue client certs, where client cert is
+ // usageSSLClient.
+ setCertTrust(cert_to_modify_trust, 'T,T,T');
+ checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+ : PRErrorCodeSuccess,
+ certificateUsageSSLServer);
+
+ // XXX(Bug 982340)
+ checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+ : PRErrorCodeSuccess,
+ certificateUsageSSLClient);
+
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA);
+
+ checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+ : PRErrorCodeSuccess,
+ certificateUsageEmailSigner);
+ checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+ : PRErrorCodeSuccess,
+ certificateUsageEmailRecipient);
+ checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+ : PRErrorCodeSuccess,
+ certificateUsageObjectSigner);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageVerifyCA);
+ checkCertErrorGeneric(certdb, ee_cert,
+ isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+ : SEC_ERROR_INADEQUATE_CERT_TYPE,
+ certificateUsageStatusResponder);
+
+
+ // Now tests on the SSL trust bit
+ setCertTrust(cert_to_modify_trust, 'p,C,C');
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLServer);
+
+ //XXX(Bug 982340)
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageSSLClient);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageEmailSigner);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageEmailRecipient);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageObjectSigner);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageVerifyCA);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageStatusResponder);
+
+ // Inherited trust SSL
+ setCertTrust(cert_to_modify_trust, ',C,C');
+ checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+ : PRErrorCodeSuccess,
+ certificateUsageSSLServer);
+ // XXX(Bug 982340)
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageSSLClient);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageEmailSigner);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageEmailRecipient);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageObjectSigner);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageVerifyCA);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
+ certificateUsageStatusResponder);
+
+ // Now tests on the EMAIL trust bit
+ setCertTrust(cert_to_modify_trust, 'C,p,C');
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageSSLServer);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLClient);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailSigner);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailRecipient);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageObjectSigner);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageVerifyCA);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
+ certificateUsageStatusResponder);
+
+
+ //inherited EMAIL Trust
+ setCertTrust(cert_to_modify_trust, 'C,,C');
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageSSLServer);
+ checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+ : PRErrorCodeSuccess,
+ certificateUsageSSLClient);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA);
+ checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+ : PRErrorCodeSuccess,
+ certificateUsageEmailSigner);
+ checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+ : PRErrorCodeSuccess,
+ certificateUsageEmailRecipient);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageObjectSigner);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageVerifyCA);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
+ certificateUsageStatusResponder);
+}
+
+
+function run_test() {
+ for (let i = 0 ; i < certList.length; i++) {
+ load_cert(certList[i], ',,');
+ }
+
+ let ca_cert = certdb.findCertByNickname('ca');
+ notEqual(ca_cert, null, "CA cert should be in the cert DB");
+ let int_cert = certdb.findCertByNickname('int');
+ notEqual(int_cert, null, "Intermediate cert should be in the cert DB");
+ let ee_cert = certdb.findCertByNickname('ee');
+ notEqual(ee_cert, null, "EE cert should be in the cert DB");
+
+ setup_basic_trusts(ca_cert, int_cert);
+ test_ca_distrust(ee_cert, ca_cert, true);
+
+ setup_basic_trusts(ca_cert, int_cert);
+ test_ca_distrust(ee_cert, int_cert, false);
+
+ // Reset trust to default ("inherit trust")
+ setCertTrust(ca_cert, ",,");
+ setCertTrust(int_cert, ",,");
+
+ // It turns out that if an end-entity certificate is manually trusted, it can
+ // be the root of its own verified chain. This will be removed in bug 1294580.
+ setCertTrust(ee_cert, "C,,");
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageSSLServer);
+}