1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
"use strict";
// Checks that RSA certs with key sizes below 1024 bits are rejected.
// Checks that ECC certs using curves other than the NIST P-256, P-384 or P-521
// curves are rejected.
do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
.getService(Ci.nsIX509CertDB);
/**
* Tests a cert chain.
*
* @param {String} rootKeyType
* The key type of the root certificate, or the name of an elliptic
* curve, as output by the 'openssl ecparam -list_curves' command.
* @param {Number} rootKeySize
* @param {String} intKeyType
* @param {Number} intKeySize
* @param {String} eeKeyType
* @param {Number} eeKeySize
* @param {PRErrorCode} eeExpectedError
*/
function checkChain(rootKeyType, rootKeySize, intKeyType, intKeySize,
eeKeyType, eeKeySize, eeExpectedError) {
let rootName = "root_" + rootKeyType + "_" + rootKeySize;
let intName = "int_" + intKeyType + "_" + intKeySize;
let eeName = "ee_" + eeKeyType + "_" + eeKeySize;
let intFullName = intName + "-" + rootName;
let eeFullName = eeName + "-" + intName + "-" + rootName;
addCertFromFile(certdb, `test_keysize/${rootName}.pem`, "CTu,CTu,CTu");
addCertFromFile(certdb, `test_keysize/${intFullName}.pem`, ",,");
let eeCert = constructCertFromFile(`test_keysize/${eeFullName}.pem`);
do_print("cert o=" + eeCert.organization);
do_print("cert issuer o=" + eeCert.issuerOrganization);
checkCertErrorGeneric(certdb, eeCert, eeExpectedError,
certificateUsageSSLServer);
}
/**
* Tests various RSA chains.
*
* @param {Number} inadequateKeySize
* @param {Number} adequateKeySize
*/
function checkRSAChains(inadequateKeySize, adequateKeySize) {
// Chain with certs that have adequate sizes for DV
checkChain("rsa", adequateKeySize,
"rsa", adequateKeySize,
"rsa", adequateKeySize,
PRErrorCodeSuccess);
// Chain with a root cert that has an inadequate size for DV
checkChain("rsa", inadequateKeySize,
"rsa", adequateKeySize,
"rsa", adequateKeySize,
MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
// Chain with an intermediate cert that has an inadequate size for DV
checkChain("rsa", adequateKeySize,
"rsa", inadequateKeySize,
"rsa", adequateKeySize,
MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
// Chain with an end entity cert that has an inadequate size for DV
checkChain("rsa", adequateKeySize,
"rsa", adequateKeySize,
"rsa", inadequateKeySize,
MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
}
function checkECCChains() {
checkChain("secp256r1", 256,
"secp384r1", 384,
"secp521r1", 521,
PRErrorCodeSuccess);
checkChain("secp256r1", 256,
"secp224r1", 224,
"secp256r1", 256,
SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
checkChain("secp256r1", 256,
"secp256r1", 256,
"secp224r1", 224,
SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
checkChain("secp224r1", 224,
"secp256r1", 256,
"secp256r1", 256,
SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
checkChain("secp256r1", 256,
"secp256r1", 256,
"secp256k1", 256,
SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
checkChain("secp256k1", 256,
"secp256r1", 256,
"secp256r1", 256,
SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
}
function checkCombinationChains() {
checkChain("rsa", 2048,
"secp256r1", 256,
"secp384r1", 384,
PRErrorCodeSuccess);
checkChain("rsa", 2048,
"secp256r1", 256,
"secp224r1", 224,
SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
checkChain("secp256r1", 256,
"rsa", 1016,
"secp256r1", 256,
MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
}
function run_test() {
checkRSAChains(1016, 1024);
checkECCChains();
checkCombinationChains();
run_next_test();
}
|
