1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
2 // This Source Code Form is subject to the terms of the Mozilla Public
3 // License, v. 2.0. If a copy of the MPL was not distributed with this
4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
6 // Tests the interaction between the basic constraints extension and the
7 // certificate version field. In general, the testcases consist of verifying
8 // certificate chains of the form:
9 //
10 // end-entity (issued by) intermediate (issued by) trusted X509v3 root
// where the intermediate is one of X509 v1, v2, v3, or v4 (v4 is not a defined
// X.509 version; those fixtures exercise an out-of-range version field), and
// either does or does not have the basic constraints extension. If it has the
// extension, it either does or does not specify that it is a CA.
// To test cases where the trust anchor itself has a different version and/or
// does or does not have the basic constraints extension, there are testcases
// where the intermediate is re-imported as a trust anchor and the same
// verifications are repeated.
19 // (Loading a certificate with trust "CTu,," means that it is a trust anchor
20 // for SSL. Loading a certificate with trust ",," means that it inherits its
21 // trust.)
23 // There are also testcases for end-entities issued by a trusted X509v3 root
24 // where the end-entities similarly cover the range of versions and basic
25 // constraint extensions.
27 // Finally, there are testcases for self-signed certificates that, again, cover
28 // the range of versions and basic constraint extensions.
"use strict";

// A profile directory has to exist before the certificate database service
// can be obtained, so this runs before anything touches nsIX509CertDB.
do_get_profile();

const CERTDB_CONTRACT_ID = "@mozilla.org/security/x509certdb;1";
// Shared certificate database used both to import fixtures with a chosen
// trust setting and to run the verifications below.
const certdb = Cc[CERTDB_CONTRACT_ID].getService(Ci.nsIX509CertDB);
/**
 * Builds a certificate object from one of this test's PEM fixtures without
 * importing it into the database.
 *
 * @param {string} certName
 *        Fixture base name, i.e. the file name without the
 *        "test_cert_version/" directory or the ".pem" suffix.
 * @returns whatever constructCertFromFile builds for that file (a certificate
 *          the check* helpers below can verify).
 */
function certFromFile(certName) {
  const fixturePath = "test_cert_version/" + certName + ".pem";
  return constructCertFromFile(fixturePath);
}
/**
 * Imports a PEM fixture into `certdb` with the given NSS trust string.
 *
 * The test imports the same intermediate twice, first with ",," (no explicit
 * trust; it is only usable through a chain to another anchor) and then with
 * "CTu,," (trusted anchor for SSL), to observe how the verification result
 * changes once the certificate is itself the trust anchor.
 *
 * @param {string} certName    Fixture base name (no directory, no ".pem").
 * @param {string} trustString NSS trust flags, e.g. "CTu,," or ",,".
 */
function loadCertWithTrust(certName, trustString) {
  const fixturePath = "test_cert_version/" + certName + ".pem";
  addCertFromFile(certdb, fixturePath, trustString);
}
/**
 * Verifies `cert` for the TLS server (end-entity) usage and checks that the
 * outcome is `expectedResult`.
 *
 * @param cert            Certificate to verify (see certFromFile).
 * @param expectedResult  PRErrorCodeSuccess or the NSS / mozilla::pkix error
 *                        code verification is expected to fail with.
 * @returns the value of checkCertErrorGeneric, which callers await.
 */
function checkEndEntity(cert, expectedResult) {
  const usage = certificateUsageSSLServer;
  return checkCertErrorGeneric(certdb, cert, expectedResult, usage);
}
/**
 * Verifies `cert` for the SSL CA usage, i.e. asks whether it is acceptable as
 * an issuer of TLS server certificates, and checks that the outcome is
 * `expectedResult`.
 *
 * @param cert            Certificate to verify (see certFromFile).
 * @param expectedResult  PRErrorCodeSuccess or the NSS / mozilla::pkix error
 *                        code verification is expected to fail with.
 * @returns the value of checkCertErrorGeneric, which callers await.
 */
function checkIntermediate(cert, expectedResult) {
  const usage = certificateUsageSSLCA;
  return checkCertErrorGeneric(certdb, cert, expectedResult, usage);
}
add_task(async function () {
  // The only certificate trusted up front is the X509v3 root that issued every
  // "int-*" and "ee-*" fixture.
  loadCertWithTrust("ca", "CTu,,");

  const VERSIONS = ["v1", "v2", "v3", "v4"];

  // Intermediate expectations, in the order the fixtures are exercised:
  //   [basicConstraints variant, version,
  //    result while the intermediate merely inherits trust from "ca",
  //    result once the intermediate is itself imported as a trust anchor]
  // Each expectation applies both to verifying the intermediate for the CA
  // usage and to verifying the end-entity it issued.
  const intermediateExpectations = [
    // noBC: a v1 certificate has no extensions field, so nothing in it can
    // assert cA=true. mozilla::pkix refuses to let it issue certificates and
    // reports the dedicated v1-as-CA error -- unless the user explicitly
    // trusts it as an anchor, at which point the trust decision is theirs.
    // v2-v4 without basicConstraints are invalid CAs regardless of trust.
    ["noBC", "v1", MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA, PRErrorCodeSuccess],
    ["noBC", "v2", SEC_ERROR_CA_CERT_INVALID, SEC_ERROR_CA_CERT_INVALID],
    ["noBC", "v3", SEC_ERROR_CA_CERT_INVALID, SEC_ERROR_CA_CERT_INVALID],
    ["noBC", "v4", SEC_ERROR_CA_CERT_INVALID, SEC_ERROR_CA_CERT_INVALID],
    // BC-not-cA: basicConstraints is present but says cA=false. Such a
    // certificate must never issue, not even when it is a trust anchor.
    ["BC-not-cA", "v1", SEC_ERROR_CA_CERT_INVALID, SEC_ERROR_CA_CERT_INVALID],
    ["BC-not-cA", "v2", SEC_ERROR_CA_CERT_INVALID, SEC_ERROR_CA_CERT_INVALID],
    ["BC-not-cA", "v3", SEC_ERROR_CA_CERT_INVALID, SEC_ERROR_CA_CERT_INVALID],
    ["BC-not-cA", "v4", SEC_ERROR_CA_CERT_INVALID, SEC_ERROR_CA_CERT_INVALID],
    // BC-cA: basicConstraints with cA=true is accepted for every version,
    // whether trust is inherited or explicit.
    ["BC-cA", "v1", PRErrorCodeSuccess, PRErrorCodeSuccess],
    ["BC-cA", "v2", PRErrorCodeSuccess, PRErrorCodeSuccess],
    ["BC-cA", "v3", PRErrorCodeSuccess, PRErrorCodeSuccess],
    ["BC-cA", "v4", PRErrorCodeSuccess, PRErrorCodeSuccess],
  ];
  for (const [bc, version, inherited, asAnchor] of intermediateExpectations) {
    const intermediate = `int-${version}-${bc}_ca`;
    const endEntity = `ee_int-${version}-${bc}`;

    // First with inherited trust only (",,")...
    loadCertWithTrust(intermediate, ",,");
    await checkIntermediate(certFromFile(intermediate), inherited);
    await checkEndEntity(certFromFile(endEntity), inherited);

    // ...then re-imported as an SSL trust anchor ("CTu,,"). The anchor trust
    // persists for the rest of the task, matching the original sequence.
    loadCertWithTrust(intermediate, "CTu,,");
    await checkIntermediate(certFromFile(intermediate), asAnchor);
    await checkEndEntity(certFromFile(endEntity), asAnchor);
  }

  // End-entities issued directly by the trusted root. The version field makes
  // no difference here; what matters is that a certificate asserting cA=true
  // is refused as a TLS server certificate.
  const endEntityExpectations = [
    ["noBC", PRErrorCodeSuccess],
    ["BC-not-cA", PRErrorCodeSuccess],
    ["BC-cA", MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY],
  ];
  for (const [bc, expected] of endEntityExpectations) {
    for (const version of VERSIONS) {
      await checkEndEntity(certFromFile(`ee-${version}-${bc}_ca`), expected);
    }
  }

  // Self-signed certificates: none of them has been imported with trust, so
  // every one fails with an unknown issuer irrespective of its version or
  // basicConstraints content.
  for (const bc of ["noBC", "BC-not-cA", "BC-cA"]) {
    for (const version of VERSIONS) {
      await checkEndEntity(
        certFromFile(`ss-${version}-${bc}`),
        SEC_ERROR_UNKNOWN_ISSUER
      );
    }
  }
});