Diffstat (limited to 'security/manager/ssl/tests/unit/test_startcom_wosign.js')
-rw-r--r-- | security/manager/ssl/tests/unit/test_startcom_wosign.js | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/test_startcom_wosign.js b/security/manager/ssl/tests/unit/test_startcom_wosign.js
new file mode 100644
index 000000000..4ba89ca73
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign.js
@@ -0,0 +1,43 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests handling of certificates issued by StartCom and WoSign. If such
+// certificates have a notBefore before 21 October 2016, they are handled
+// normally. Otherwise, they are treated as revoked.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"]
+ .getService(Ci.nsIX509CertDB);
+
+function loadCertWithTrust(certName, trustString) {
+ addCertFromFile(certdb, "test_startcom_wosign/" + certName + ".pem", trustString);
+}
+
+function certFromFile(certName) {
+ return constructCertFromFile("test_startcom_wosign/" + certName + ".pem");
+}
+
+function checkEndEntity(cert, expectedResult) {
+ // (new Date("2016-11-01")).getTime() / 1000
+ const VALIDATION_TIME = 1477958400;
+ checkCertErrorGenericAtTime(certdb, cert, expectedResult,
+ certificateUsageSSLServer, VALIDATION_TIME);
+}
+
+loadCertWithTrust("ca", "CTu,,");
+// This is not a real StartCom CA - it merely has the same distinguished name as
+// one (namely "/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2",
+// encoded with PrintableStrings). By checking for specific DNs, we can enforce
+// the date-based policy in a way that is testable.
+loadCertWithTrust("StartComCA", ",,");
+checkEndEntity(certFromFile("StartCom-before-cutoff"), PRErrorCodeSuccess);
+checkEndEntity(certFromFile("StartCom-after-cutoff"), SEC_ERROR_REVOKED_CERTIFICATE);
+
+// Similarly, this is not a real WoSign CA. It has the same distinguished name
+// as "/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign", encoded
+// with PrintableStrings).
+loadCertWithTrust("WoSignCA", ",,");
+checkEndEntity(certFromFile("WoSign-before-cutoff"), PRErrorCodeSuccess);
+checkEndEntity(certFromFile("WoSign-after-cutoff"), SEC_ERROR_REVOKED_CERTIFICATE); |
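Review bot: The four `checkEndEntity` calls at the end of the file only exercise one certificate on each side of the cutoff per CA, so the boundary itself is untested. An inverted `<`/`<=` or a time-zone slip in the date comparison would still pass, unless the `-before-cutoff`/`-after-cutoff` fixtures happen to sit right at the boundary, which is not visible from this hunk. The header comment says "before 21 October 2016" without a time zone or stating whether the cutoff instant itself is accepted. I would add a fixture per CA whose notBefore is exactly the cutoff instant and pin the expected result, and extend the header comment with something like `// The cutoff is evaluated in UTC; a notBefore exactly at the cutoff is treated as <accepted|revoked> (confirm against the policy code).` A short comment on `VALIDATION_TIME` explaining that it is deliberately later than the cutoff, so that the after-cutoff certificates are already within their validity period, would also help the next reader.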