summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl
diff options
context:
space:
mode:
authorjanekptacijarabaci <janekptacijarabaci@seznam.cz>2018-04-23 09:10:12 +0200
committerjanekptacijarabaci <janekptacijarabaci@seznam.cz>2018-04-23 09:10:12 +0200
commitc3ec00a15295120481e4b845e36ccf324dc6b669 (patch)
treedd0f4d6bf7ccaded789019870c4f81f4e1fd8d57 /security/manager/ssl
parentc30ebdac27c93b57e368c69e9c13055a17229992 (diff)
downloadUXP-c3ec00a15295120481e4b845e36ccf324dc6b669.tar
UXP-c3ec00a15295120481e4b845e36ccf324dc6b669.tar.gz
UXP-c3ec00a15295120481e4b845e36ccf324dc6b669.tar.lz
UXP-c3ec00a15295120481e4b845e36ccf324dc6b669.tar.xz
UXP-c3ec00a15295120481e4b845e36ccf324dc6b669.zip
moebius#119: (Windows) Security - Certificate Stores - NSSCertDBTrustDomain allows end-entities to be their own trust anchors
https://github.com/MoonchildProductions/moebius/pull/119
Diffstat (limited to 'security/manager/ssl')
-rw-r--r--security/manager/ssl/tests/unit/test_cert_trust.js28
1 files changed, 25 insertions, 3 deletions
diff --git a/security/manager/ssl/tests/unit/test_cert_trust.js b/security/manager/ssl/tests/unit/test_cert_trust.js
index 622678c7a..bf081f1bd 100644
--- a/security/manager/ssl/tests/unit/test_cert_trust.js
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@@ -208,9 +208,31 @@ function run_test() {
setCertTrust(ca_cert, ",,");
setCertTrust(int_cert, ",,");
- // It turns out that if an end-entity certificate is manually trusted, it can
- // be the root of its own verified chain. This will be removed in bug 1294580.
- setCertTrust(ee_cert, "C,,");
+ // If an end-entity certificate is manually trusted, it may not be the root of
+ // its own verified chain. In general this will cause "unknown issuer" errors
+ // unless a CA trust anchor can be found.
+ setCertTrust(ee_cert, "CTu,CTu,CTu");
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLClient);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageEmailSigner);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageEmailRecipient);
+ checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageObjectSigner);
+
+ // Now make a CA trust anchor available.
+ setCertTrust(ca_cert, "CTu,CTu,CTu");
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLServer);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageSSLClient);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageEmailSigner);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageEmailRecipient);
+ checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageObjectSigner);
}