no bug - Import translations from android-l10n r=release a=l10n CLOSED TREE

[gecko.git] / security / manager / ssl / tests / unit / test_intermediate_basic_usage_constraints.js

"use strict";

do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
  Ci.nsIX509CertDB
);

function load_cert(name, trust) {
  let filename = "test_intermediate_basic_usage_constraints/" + name + ".pem";
  addCertFromFile(certdb, filename, trust);
}

function test_cert_for_usages(certChainNicks, expected_usages) {
  let certs = [];
  for (let i in certChainNicks) {
    let certNick = certChainNicks[i];
    let certPEM = readFile(
      do_get_file(
        "test_intermediate_basic_usage_constraints/" + certNick + ".pem"
      ),
      false
    );
    certs.push(certdb.constructX509FromBase64(pemToBase64(certPEM)));
  }

  let cert = certs[0];
  return asyncTestCertificateUsages(certdb, cert, expected_usages);
}

add_task(async function () {
  let ee_usages = [
    certificateUsageSSLClient,
    certificateUsageSSLServer,
    certificateUsageEmailSigner,
    certificateUsageEmailRecipient,
  ];
  let ca_usages = [certificateUsageSSLCA];
  let eku_usages = [certificateUsageSSLClient, certificateUsageSSLServer];

  // Load the ca into mem
  let ca_name = "ca";
  load_cert(ca_name, "CTu,CTu,CTu");
  await test_cert_for_usages([ca_name], ca_usages);

  // A certificate with no basicConstraints extension is considered an EE.
  await test_cert_for_usages(["int-no-extensions"], ee_usages);

  // int-no-extensions is an EE (see previous case), so no certs can chain to
  // it.
  await test_cert_for_usages(["ee-int-no-extensions", "int-no-extensions"], []);

  // a certificate with basicConstraints.cA==false is considered an EE.
  await test_cert_for_usages(["int-not-a-ca"], ee_usages);

  // int-not-a-ca is an EE (see previous case), so no certs can chain to it.
  await test_cert_for_usages(["ee-int-not-a-ca", "int-not-a-ca"], []);

  // a certificate with basicConstraints.cA==false but with the keyCertSign
  // key usage may not act as a CA (it can act like an end-entity).
  await test_cert_for_usages(["int-cA-FALSE-asserts-keyCertSign"], ee_usages);
  await test_cert_for_usages(
    ["ee-int-cA-FALSE-asserts-keyCertSign", "int-cA-FALSE-asserts-keyCertSign"],
    []
  );

  // int-limited-depth has cA==true and a path length constraint of zero.
  await test_cert_for_usages(["int-limited-depth"], ca_usages);

  // path length constraints do not affect the ability of a non-CA cert to
  // chain to to the CA cert.
  await test_cert_for_usages(
    ["ee-int-limited-depth", "int-limited-depth"],
    ee_usages
  );

  // ca
  //   int-limited-depth (cA==true, pathLenConstraint==0)
  //      int-limited-depth-invalid (cA==true)
  //
  await test_cert_for_usages(
    ["int-limited-depth-invalid", "int-limited-depth"],
    []
  );
  await test_cert_for_usages(
    [
      "ee-int-limited-depth-invalid",
      "int-limited-depth-invalid",
      "int-limited-depth",
    ],
    []
  );

  // int-valid-ku-no-eku has keyCertSign
  await test_cert_for_usages(["int-valid-ku-no-eku"], ca_usages);
  await test_cert_for_usages(
    ["ee-int-valid-ku-no-eku", "int-valid-ku-no-eku"],
    ee_usages
  );

  // int-bad-ku-no-eku has basicConstraints.cA==true and has a KU extension
  // but the KU extension is missing keyCertSign. Note that mozilla::pkix
  // doesn't validate certificates with basicConstraints.Ca==true for non-CA
  // uses.
  await test_cert_for_usages(["int-bad-ku-no-eku"], []);
  await test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], []);

  // int-no-ku-no-eku has basicConstraints.cA==true and no KU extension.
  // We treat a missing KU as "any key usage is OK".
  await test_cert_for_usages(["int-no-ku-no-eku"], ca_usages);
  await test_cert_for_usages(
    ["ee-int-no-ku-no-eku", "int-no-ku-no-eku"],
    ee_usages
  );

  // int-valid-ku-server-eku has basicConstraints.cA==true, keyCertSign in KU,
  // and EKU=={id-kp-serverAuth,id-kp-clientAuth}.
  await test_cert_for_usages(["int-valid-ku-server-eku"], ca_usages);
  await test_cert_for_usages(
    ["ee-int-valid-ku-server-eku", "int-valid-ku-server-eku"],
    eku_usages
  );

  // int-bad-ku-server-eku has basicConstraints.cA==true, a KU without
  // keyCertSign, and EKU=={id-kp-serverAuth,id-kp-clientAuth}.
  await test_cert_for_usages(["int-bad-ku-server-eku"], []);
  await test_cert_for_usages(
    ["ee-int-bad-ku-server-eku", "int-bad-ku-server-eku"],
    []
  );

  // int-bad-ku-server-eku has basicConstraints.cA==true, no KU, and
  // EKU=={id-kp-serverAuth,id-kp-clientAuth}.
  await test_cert_for_usages(["int-no-ku-server-eku"], ca_usages);
  await test_cert_for_usages(
    ["ee-int-no-ku-server-eku", "int-no-ku-server-eku"],
    eku_usages
  );
});