summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/tests/unit/test_startcom_wosign.js
diff options
context:
space:
mode:
Diffstat (limited to 'security/manager/ssl/tests/unit/test_startcom_wosign.js')
-rw-r--r--security/manager/ssl/tests/unit/test_startcom_wosign.js43
1 files changed, 43 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/test_startcom_wosign.js b/security/manager/ssl/tests/unit/test_startcom_wosign.js
new file mode 100644
index 000000000..4ba89ca73
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign.js
@@ -0,0 +1,43 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests handling of certificates issued by StartCom and WoSign. If such
+// certificates have a notBefore before 21 October 2016, they are handled
+// normally. Otherwise, they are treated as revoked.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"]
+ .getService(Ci.nsIX509CertDB);
+
+function loadCertWithTrust(certName, trustString) {
+ addCertFromFile(certdb, "test_startcom_wosign/" + certName + ".pem", trustString);
+}
+
+function certFromFile(certName) {
+ return constructCertFromFile("test_startcom_wosign/" + certName + ".pem");
+}
+
+function checkEndEntity(cert, expectedResult) {
+ // (new Date("2016-11-01")).getTime() / 1000
+ const VALIDATION_TIME = 1477958400;
+ checkCertErrorGenericAtTime(certdb, cert, expectedResult,
+ certificateUsageSSLServer, VALIDATION_TIME);
+}
+
+loadCertWithTrust("ca", "CTu,,");
+// This is not a real StartCom CA - it merely has the same distinguished name as
+// one (namely "/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2",
+// encoded with PrintableStrings). By checking for specific DNs, we can enforce
+// the date-based policy in a way that is testable.
+loadCertWithTrust("StartComCA", ",,");
+checkEndEntity(certFromFile("StartCom-before-cutoff"), PRErrorCodeSuccess);
+checkEndEntity(certFromFile("StartCom-after-cutoff"), SEC_ERROR_REVOKED_CERTIFICATE);
+
+// Similarly, this is not a real WoSign CA. It has the same distinguished name
+// as "/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign", encoded
+// with PrintableStrings).
+loadCertWithTrust("WoSignCA", ",,");
+checkEndEntity(certFromFile("WoSign-before-cutoff"), PRErrorCodeSuccess);
+checkEndEntity(certFromFile("WoSign-after-cutoff"), SEC_ERROR_REVOKED_CERTIFICATE);