diff options
Diffstat (limited to 'security/manager/ssl/tests/unit/test_name_constraints.js')
-rw-r--r-- | security/manager/ssl/tests/unit/test_name_constraints.js | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/test_name_constraints.js b/security/manager/ssl/tests/unit/test_name_constraints.js new file mode 100644 index 000000000..e75c89740 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_name_constraints.js @@ -0,0 +1,63 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// This test tests two specific items: +// 1. Are name constraints properly enforced across the entire constructed +// certificate chain? This makes use of a certificate hierarchy like so: +// - (trusted) root CA with permitted subtree dNSName example.com +// - intermediate CA with permitted subtree dNSName example.org +// a. end-entity with dNSNames example.com and example.org +// (the first entry is allowed by the root but not by the intermediate, +// and the second entry is allowed by the intermediate but not by the +// root) +// b. end-entity with dNSName example.com (not allowed by the intermediate) +// c. end-entity with dNSName examle.org (not allowed by the root) +// d. end-entity with dNSName example.test (not allowed by either) +// All of these cases should fail to verify with the error that the +// end-entity is not in the name space permitted by the hierarchy. +// +// 2. Are externally-imposed name constraints properly enforced? This makes use +// of a certificate hierarchy rooted by a certificate with the same DN as an +// existing hierarchy that has externally-imposed name constraints (DCISS). + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"] + .getService(Ci.nsIX509CertDB); + +function certFromFile(name) { + return constructCertFromFile(`test_name_constraints/${name}.pem`); +} + +function loadCertWithTrust(certName, trustString) { + addCertFromFile(certdb, `test_name_constraints/${certName}.pem`, + trustString); +} + +function checkCertNotInNameSpace(cert) { + checkCertErrorGeneric(certdb, cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, + certificateUsageSSLServer); +} + +function checkCertInNameSpace(cert) { + checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess, + certificateUsageSSLServer); +} + +function run_test() { + // Test that name constraints from the entire certificate chain are enforced. + loadCertWithTrust("ca-example-com-permitted", "CTu,,"); + loadCertWithTrust("int-example-org-permitted", ",,"); + checkCertNotInNameSpace(certFromFile("ee-example-com-and-org")); + checkCertNotInNameSpace(certFromFile("ee-example-com")); + checkCertNotInNameSpace(certFromFile("ee-example-org")); + checkCertNotInNameSpace(certFromFile("ee-example-test")); + + // Test that externally-imposed name constraints are enforced (DCISS tests). + loadCertWithTrust("dciss", "CTu,,"); + checkCertInNameSpace(certFromFile("NameConstraints.dcissallowed")); + checkCertNotInNameSpace(certFromFile("NameConstraints.dcissblocked")); +} |