Bug 986156 - Test anypolicyoid (no inhibit policy) for EV . r=dkeeler

--HG-- extra : rebase_source : 004dbe5fc1b168c43f62c5bed8e71d4d67b04754
2024-09-13 09:24:08 -07:00 · 2014-03-28 10:00:45 -07:00 · 2014-03-28 10:00:45 -07:00 · 02ccbcd3d6
commit 02ccbcd3d6
parent 402a7a9293
15 changed files with 47 additions and 0 deletions
--- a/security/manager/ssl/tests/unit/test_ev_certs.js
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@ -21,6 +21,8 @@ let certList = [
  // Test for successful EV validation
  'int-ev-valid',
  'ev-valid',
+  'ev-valid-anypolicy-int',
+  'int-ev-valid-anypolicy-int',
  'no-ocsp-url-cert', // a cert signed by the EV auth that has no OCSP url
                      // but that contains a valid CRLDP.

@ -136,6 +138,17 @@ function add_tests_in_mode(useMozillaPKIX)
    ocspResponder.stop(run_next_test);
  });

+
+  add_test(function () {
+    clearOCSPCache();
+
+    let ocspResponder = start_ocsp_responder(
+                          isDebugBuild ? ["int-ev-valid-anypolicy-int", "ev-valid-anypolicy-int"]
+                                       : ["ev-valid-anypolicy-int"]);
+    check_ee_for_ev("ev-valid-anypolicy-int", isDebugBuild);
+    ocspResponder.stop(run_next_test);
+  });
+
  add_test(function() {
    clearOCSPCache();
    let ocspResponder = start_ocsp_responder(["non-ev-root"]);
@ -205,6 +218,7 @@ function add_tests_in_mode(useMozillaPKIX)
                                     : SEC_ERROR_EXTENSION_NOT_FOUND));
  });

+
  // Test the EV continues to work with flags after successful EV verification
  add_test(function () {
    clearOCSPCache();
@ -231,6 +245,7 @@ function add_tests_in_mode(useMozillaPKIX)
      failingOcspResponder.stop(run_next_test);
    });
  });
+
 }

 // bug 950240: add FLAG_MUST_BE_EV to CertVerifier::VerifyCert
@ -258,3 +273,4 @@ function check_no_ocsp_requests(cert_name, expected_error) {
  do_check_eq(identityInfo.isExtendedValidation, false);
  ocspResponder.stop(run_next_test);
 }
+
--- a/security/manager/ssl/tests/unit/test_ev_certs/cert8.db
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cert8.db
--- a/security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.der
+++ b/security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.der
--- a/security/manager/ssl/tests/unit/test_ev_certs/ev-valid.der
+++ b/security/manager/ssl/tests/unit/test_ev_certs/ev-valid.der
--- a/security/manager/ssl/tests/unit/test_ev_certs/generate.py
+++ b/security/manager/ssl/tests/unit/test_ev_certs/generate.py
@ -40,6 +40,13 @@ mozilla_testing_ev_policy = ("certificatePolicies = @v3_ca_ev_cp\n\n" +
                               "1.3.6.1.4.1.13769.666.666.666.1.500.9.1\n\n" +
                             "CPS.1 = \"http://mytestdomain.local/cps\"")

+anypolicy_policy = ("certificatePolicies = @v3_ca_ev_cp\n\n" +
+                    "[ v3_ca_ev_cp ]\n" +
+                    "policyIdentifier = " +
+                    "2.5.29.32.0\n\n" +
+                    "CPS.1 = \"http://mytestdomain.local/cps\"")
+
+
 def import_untrusted_cert(certfile, nickname):
    os.system("certutil -A -d . -n " + nickname + " -i " + certfile +
              " -t ',,'")
@ -108,6 +115,30 @@ def generate_certs():
                                      int_key, int_cert);
    import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert');

+    # add an ev cert whose intermediate has a anypolicy oid
+    prefix = "ev-valid-anypolicy-int"
+    ee_ext_text = (EE_basic_constraints + EE_full_ku + Server_eku +
+                   authority_key_ident + aia_prefix + prefix + aia_suffix +
+                   endentity_crl + mozilla_testing_ev_policy)
+    int_ext_text = (CA_basic_constraints + EE_full_ku + CA_eku +
+                    authority_key_ident + subject_key_ident +
+                    aia_prefix + "int-" + prefix + aia_suffix +
+                    intermediate_crl + anypolicy_policy)
+
+    [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
+                                             srcdir,
+                                             ca_key,
+                                             ca_cert,
+                                             prefix,
+                                             int_ext_text,
+                                             ee_ext_text,
+                                             key_type)
+    pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
+                                         "int-" + prefix)
+    import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
+    import_untrusted_cert(ee_cert, prefix)
+
+
    [bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db,
                                      srcdir,
                                      1,
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.der
+++ b/security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.der
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.der
+++ b/security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.der
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.p12
+++ b/security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.p12
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.der
+++ b/security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.der
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.p12
+++ b/security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.p12
--- a/security/manager/ssl/tests/unit/test_ev_certs/key3.db
+++ b/security/manager/ssl/tests/unit/test_ev_certs/key3.db
--- a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.der
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.der
--- a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.der
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.der
--- a/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.der
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.der
--- a/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.p12
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.p12