path: root/security/manager/ssl/tests/unit/test_startcom_wosign.js
blob: 4ba89ca733c919394c8ca823acc79900fb046327 (plain)
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// Any copyright is dedicated to the Public Domain.
// http://creativecommons.org/publicdomain/zero/1.0/
"use strict";

// Tests handling of certificates issued by StartCom and WoSign. If such
// certificates have a notBefore before 21 October 2016, they are handled
// normally. Otherwise, they are treated as revoked.

// The profile has to exist before nsIX509CertDB is requested, so this call
// must stay ahead of the getService() below.
do_get_profile();
const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);

/**
 * Imports one PEM fixture from test_startcom_wosign/ into the shared
 * certificate database with the given trust settings.
 *
 * @param {string} certName - fixture file name without the ".pem" suffix
 * @param {string} trustString - trust flags handed unchanged to
 *   addCertFromFile (e.g. "CTu,," or ",,")
 */
function loadCertWithTrust(certName, trustString) {
  const pemPath = "test_startcom_wosign/" + certName + ".pem";
  addCertFromFile(certdb, pemPath, trustString);
}

/**
 * Builds a certificate object from a PEM fixture in test_startcom_wosign/.
 * Unlike loadCertWithTrust, this function passes no certificate database and
 * no trust string.
 *
 * @param {string} certName - fixture file name without the ".pem" suffix
 * @returns whatever constructCertFromFile returns for that path
 */
function certFromFile(certName) {
  const pemPath = "test_startcom_wosign/" + certName + ".pem";
  return constructCertFromFile(pemPath);
}

/**
 * Verifies an end-entity certificate for TLS server usage at a fixed instant
 * and checks that the outcome equals expectedResult.
 *
 * @param cert - certificate to verify
 * @param expectedResult - expected verification result
 *   (e.g. PRErrorCodeSuccess or SEC_ERROR_REVOKED_CERTIFICATE)
 */
function checkEndEntity(cert, expectedResult) {
  // 2016-11-01T00:00:00Z as seconds since the epoch, i.e.
  // (new Date("2016-11-01")).getTime() / 1000. The instant lies after the
  // 21 October 2016 cutoff, and pinning it keeps the verdict independent of
  // the wall clock when the test runs.
  const validationTimeSeconds = 1477958400;
  checkCertErrorGenericAtTime(
    certdb, cert, expectedResult, certificateUsageSSLServer, validationTimeSeconds
  );
}

// "ca" is the only certificate loaded with trust flags ("CTu" in the first
// field of the trust string). The two CAs below are loaded with ",,", i.e.
// with no trust flags of their own.
loadCertWithTrust("ca", "CTu,,");

// Neither CA below is a real StartCom or WoSign CA. Each merely carries the
// same distinguished name as a real one, encoded with PrintableStrings:
//   StartComCA: "/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2"
//   WoSignCA:   "/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign"
// By checking for specific DNs, the date-based policy can be enforced in a way
// that is testable.
//
// For each CA, the end-entity certificate from before the cutoff must verify
// successfully and the one from after the cutoff must be reported as revoked.
for (const [caName, beforeCutoffName, afterCutoffName] of [
  ["StartComCA", "StartCom-before-cutoff", "StartCom-after-cutoff"],
  ["WoSignCA", "WoSign-before-cutoff", "WoSign-after-cutoff"],
]) {
  loadCertWithTrust(caName, ",,");
  checkEndEntity(certFromFile(beforeCutoffName), PRErrorCodeSuccess);
  checkEndEntity(certFromFile(afterCutoffName), SEC_ERROR_REVOKED_CERTIFICATE);
}