| blob | 07c808aed63c4b01e63bc535773bf0a8c25d6382 |
1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
2 // This Source Code Form is subject to the terms of the Mozilla Public
3 // License, v. 2.0. If a copy of the MPL was not distributed with this
4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
6 "use strict";
8 do_get_profile(); // must be called before getting nsIX509CertDB
9 const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
10 Ci.nsIX509CertDB
11 );
13 function load_cert(cert_name, trust_string) {
14 let cert_filename = cert_name + ".pem";
15 return addCertFromFile(
16 certdb,
17 "test_cert_trust/" + cert_filename,
18 trust_string
19 );
20 }
22 function setup_basic_trusts(ca_cert, int_cert) {
23 certdb.setCertTrust(
24 ca_cert,
25 Ci.nsIX509Cert.CA_CERT,
26 Ci.nsIX509CertDB.TRUSTED_SSL | Ci.nsIX509CertDB.TRUSTED_EMAIL
27 );
29 certdb.setCertTrust(int_cert, Ci.nsIX509Cert.CA_CERT, 0);
30 }
32 async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
33 // On reset most usages are successful
34 await checkCertErrorGeneric(
35 certdb,
36 ee_cert,
37 PRErrorCodeSuccess,
38 certificateUsageSSLServer
39 );
40 await checkCertErrorGeneric(
41 certdb,
42 ee_cert,
43 PRErrorCodeSuccess,
44 certificateUsageSSLClient
45 );
46 await checkCertErrorGeneric(
47 certdb,
48 ee_cert,
49 SEC_ERROR_CA_CERT_INVALID,
50 certificateUsageSSLCA
51 );
52 await checkCertErrorGeneric(
53 certdb,
54 ee_cert,
55 PRErrorCodeSuccess,
56 certificateUsageEmailSigner
57 );
58 await checkCertErrorGeneric(
59 certdb,
60 ee_cert,
61 PRErrorCodeSuccess,
62 certificateUsageEmailRecipient
63 );
65 // Test of active distrust. No usage should pass.
66 setCertTrust(cert_to_modify_trust, "p,p,p");
67 await checkCertErrorGeneric(
68 certdb,
69 ee_cert,
70 SEC_ERROR_UNTRUSTED_ISSUER,
71 certificateUsageSSLServer
72 );
73 await checkCertErrorGeneric(
74 certdb,
75 ee_cert,
76 SEC_ERROR_UNTRUSTED_ISSUER,
77 certificateUsageSSLClient
78 );
79 await checkCertErrorGeneric(
80 certdb,
81 ee_cert,
82 SEC_ERROR_CA_CERT_INVALID,
83 certificateUsageSSLCA
84 );
85 await checkCertErrorGeneric(
86 certdb,
87 ee_cert,
88 SEC_ERROR_UNTRUSTED_ISSUER,
89 certificateUsageEmailSigner
90 );
91 await checkCertErrorGeneric(
92 certdb,
93 ee_cert,
94 SEC_ERROR_UNTRUSTED_ISSUER,
95 certificateUsageEmailRecipient
96 );
98 // Trust set to T - trusted CA to issue client certs, where client cert is
99 // usageSSLClient.
100 setCertTrust(cert_to_modify_trust, "T,T,T");
101 await checkCertErrorGeneric(
102 certdb,
103 ee_cert,
104 isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
105 certificateUsageSSLServer
106 );
108 // XXX(Bug 982340)
109 await checkCertErrorGeneric(
110 certdb,
111 ee_cert,
112 isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
113 certificateUsageSSLClient
114 );
116 await checkCertErrorGeneric(
117 certdb,
118 ee_cert,
119 SEC_ERROR_CA_CERT_INVALID,
120 certificateUsageSSLCA
121 );
123 await checkCertErrorGeneric(
124 certdb,
125 ee_cert,
126 isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
127 certificateUsageEmailSigner
128 );
129 await checkCertErrorGeneric(
130 certdb,
131 ee_cert,
132 isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
133 certificateUsageEmailRecipient
134 );
136 // Now tests on the SSL trust bit
137 setCertTrust(cert_to_modify_trust, "p,C,C");
138 await checkCertErrorGeneric(
139 certdb,
140 ee_cert,
141 SEC_ERROR_UNTRUSTED_ISSUER,
142 certificateUsageSSLServer
143 );
145 // XXX(Bug 982340)
146 await checkCertErrorGeneric(
147 certdb,
148 ee_cert,
149 PRErrorCodeSuccess,
150 certificateUsageSSLClient
151 );
152 await checkCertErrorGeneric(
153 certdb,
154 ee_cert,
155 SEC_ERROR_CA_CERT_INVALID,
156 certificateUsageSSLCA
157 );
158 await checkCertErrorGeneric(
159 certdb,
160 ee_cert,
161 PRErrorCodeSuccess,
162 certificateUsageEmailSigner
163 );
164 await checkCertErrorGeneric(
165 certdb,
166 ee_cert,
167 PRErrorCodeSuccess,
168 certificateUsageEmailRecipient
169 );
171 // Inherited trust SSL
172 setCertTrust(cert_to_modify_trust, ",C,C");
173 await checkCertErrorGeneric(
174 certdb,
175 ee_cert,
176 isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
177 certificateUsageSSLServer
178 );
179 // XXX(Bug 982340)
180 await checkCertErrorGeneric(
181 certdb,
182 ee_cert,
183 PRErrorCodeSuccess,
184 certificateUsageSSLClient
185 );
186 await checkCertErrorGeneric(
187 certdb,
188 ee_cert,
189 SEC_ERROR_CA_CERT_INVALID,
190 certificateUsageSSLCA
191 );
192 await checkCertErrorGeneric(
193 certdb,
194 ee_cert,
195 PRErrorCodeSuccess,
196 certificateUsageEmailSigner
197 );
198 await checkCertErrorGeneric(
199 certdb,
200 ee_cert,
201 PRErrorCodeSuccess,
202 certificateUsageEmailRecipient
203 );
205 // Now tests on the EMAIL trust bit
206 setCertTrust(cert_to_modify_trust, "C,p,C");
207 await checkCertErrorGeneric(
208 certdb,
209 ee_cert,
210 PRErrorCodeSuccess,
211 certificateUsageSSLServer
212 );
213 await checkCertErrorGeneric(
214 certdb,
215 ee_cert,
216 SEC_ERROR_UNTRUSTED_ISSUER,
217 certificateUsageSSLClient
218 );
219 await checkCertErrorGeneric(
220 certdb,
221 ee_cert,
222 SEC_ERROR_CA_CERT_INVALID,
223 certificateUsageSSLCA
224 );
225 await checkCertErrorGeneric(
226 certdb,
227 ee_cert,
228 SEC_ERROR_UNTRUSTED_ISSUER,
229 certificateUsageEmailSigner
230 );
231 await checkCertErrorGeneric(
232 certdb,
233 ee_cert,
234 SEC_ERROR_UNTRUSTED_ISSUER,
235 certificateUsageEmailRecipient
236 );
238 // inherited EMAIL Trust
239 setCertTrust(cert_to_modify_trust, "C,,C");
240 await checkCertErrorGeneric(
241 certdb,
242 ee_cert,
243 PRErrorCodeSuccess,
244 certificateUsageSSLServer
245 );
246 await checkCertErrorGeneric(
247 certdb,
248 ee_cert,
249 isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
250 certificateUsageSSLClient
251 );
252 await checkCertErrorGeneric(
253 certdb,
254 ee_cert,
255 SEC_ERROR_CA_CERT_INVALID,
256 certificateUsageSSLCA
257 );
258 await checkCertErrorGeneric(
259 certdb,
260 ee_cert,
261 isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
262 certificateUsageEmailSigner
263 );
264 await checkCertErrorGeneric(
265 certdb,
266 ee_cert,
267 isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
268 certificateUsageEmailRecipient
269 );
270 }
272 add_task(async function () {
273 let certList = ["ca", "int", "ee"];
274 let loadedCerts = [];
275 for (let certName of certList) {
276 loadedCerts.push(load_cert(certName, ",,"));
277 }
279 let ca_cert = loadedCerts[0];
280 notEqual(ca_cert, null, "CA cert should have successfully loaded");
281 let int_cert = loadedCerts[1];
282 notEqual(int_cert, null, "Intermediate cert should have successfully loaded");
283 let ee_cert = loadedCerts[2];
284 notEqual(ee_cert, null, "EE cert should have successfully loaded");
286 let init_num_trustObj = certdb.countTrustObjects();
287 setup_basic_trusts(ca_cert, int_cert);
288 await test_ca_distrust(ee_cert, ca_cert, true);
290 // testing countTrustObjects(), loaded 2 certs from above code
291 let num_trustObj = certdb.countTrustObjects();
292 equal(
293 num_trustObj,
294 init_num_trustObj + 2,
295 "Number of trust objects should be 2"
296 );
298 setup_basic_trusts(ca_cert, int_cert);
299 await test_ca_distrust(ee_cert, int_cert, false);
301 // Reset trust to default ("inherit trust")
302 setCertTrust(ca_cert, ",,");
303 setCertTrust(int_cert, ",,");
305 // End-entities can be trust anchors for interoperability with users who
306 // prefer not to build a hierarchy and instead directly trust a particular
307 // server certificate.
308 setCertTrust(ee_cert, "CTu,CTu,CTu");
309 await checkCertErrorGeneric(
310 certdb,
311 ee_cert,
312 PRErrorCodeSuccess,
313 certificateUsageSSLServer
314 );
315 await checkCertErrorGeneric(
316 certdb,
317 ee_cert,
318 PRErrorCodeSuccess,
319 certificateUsageSSLClient
320 );
321 await checkCertErrorGeneric(
322 certdb,
323 ee_cert,
324 PRErrorCodeSuccess,
325 certificateUsageEmailSigner
326 );
327 await checkCertErrorGeneric(
328 certdb,
329 ee_cert,
330 PRErrorCodeSuccess,
331 certificateUsageEmailRecipient
332 );
333 });