From 10ea8d764d45ab5916a82f39e8621570259a8fc9 Mon Sep 17 00:00:00 2001
From: Cykesiopka <cykesiopka.bmo@gmail.com>
Date: Sun, 7 Dec 2014 20:23:00 +0100
Subject: [PATCH] Bug 1085074 - Part 1 - Use adequate/OK and inadequate/notOK
 to refer to sizes for key size tests. r=briansmith

---
 .../manager/ssl/tests/unit/test_keysize.js    |  8 +--
 .../ssl/tests/unit/test_keysize/generate.py   | 58 ++++++++++---------
 .../manager/ssl/tests/unit/test_keysize_ev.js | 16 +++--
 3 files changed, 44 insertions(+), 38 deletions(-)

diff --git a/security/manager/ssl/tests/unit/test_keysize.js b/security/manager/ssl/tests/unit/test_keysize.js
index 0006d9fcf3f..0d7569d2b32 100644
--- a/security/manager/ssl/tests/unit/test_keysize.js
+++ b/security/manager/ssl/tests/unit/test_keysize.js
@@ -54,21 +54,21 @@ function check_fail_ca(cert) {
 }
 
 function check_for_key_type(key_type) {
-  // OK CA -> OK INT -> OK EE
+  // Chain with certs that have adequate sizes for DV
   check_ok_ca(load_cert(key_type + "-caOK", "CTu,CTu,CTu"));
   check_ok_ca(load_cert(key_type + "-intOK-caOK", ",,"));
   check_ok(certFromFile(key_type + "-eeOK-intOK-caOK.der"));
 
-  // Bad CA -> OK INT -> OK EE
+  // Chain with a root cert that has an inadequate size for DV
   check_fail_ca(load_cert(key_type + "-caBad", "CTu,CTu,CTu"));
   check_fail_ca(load_cert(key_type + "-intOK-caBad", ",,"));
   check_fail(certFromFile(key_type + "-eeOK-intOK-caBad.der"));
 
-  // OK CA -> Bad INT -> OK EE
+  // Chain with an intermediate cert that has an inadequate size for DV
   check_fail_ca(load_cert(key_type + "-intBad-caOK", ",,"));
   check_fail(certFromFile(key_type + "-eeOK-intBad-caOK.der"));
 
-  // OK CA -> OK INT -> Bad EE
+  // Chain with an end entity cert that has an inadequate size for DV
   check_fail(certFromFile(key_type + "-eeBad-intOK-caOK.der"));
 }
 
diff --git a/security/manager/ssl/tests/unit/test_keysize/generate.py b/security/manager/ssl/tests/unit/test_keysize/generate.py
index dc858f7425c..22d1de91226 100644
--- a/security/manager/ssl/tests/unit/test_keysize/generate.py
+++ b/security/manager/ssl/tests/unit/test_keysize/generate.py
@@ -15,7 +15,7 @@ import CertUtils
 
 srcdir = os.getcwd()
 db_dir = tempfile.mkdtemp()
-dsaBad_param_filename = 'dsaBad_param.pem'
+dsaNotOK_param_filename = 'dsaNotOK_param.pem'
 dsaOK_param_filename = 'dsaOK_param.pem'
 
 ca_ext_text = ('basicConstraints = critical, CA:TRUE\n' +
@@ -101,22 +101,24 @@ def generate_and_maybe_import_cert(key_type, cert_name_suffix, base_ext_text,
 
     return [key_filename, cert_filename]
 
-def generate_certs(key_type, bad_key_size, ok_key_size, generate_ev):
+def generate_certs(key_type, inadequate_key_size, adequate_key_size, generate_ev):
     """
     Generates the various certificates used by the key size tests.
 
     Arguments:
       key_type -- the type of key generated: potential values: 'rsa', 'dsa',
                   or any of the curves found by 'openssl ecparam -list_curves'
-      bad_key_size -- the public key size bad certs should have
-      ok_key_size -- the public key size OK certs should have
+      inadequate_key_size -- a string defining the inadequate public key size
+                             for the generated certs
+      adequate_key_size -- a string defining the adequate public key size for
+                           the generated certs
       generate_ev -- whether an EV cert should be generated
     """
     if key_type == 'dsa':
-        CertUtils.init_dsa(db_dir, dsaBad_param_filename, bad_key_size)
-        CertUtils.init_dsa(db_dir, dsaOK_param_filename, ok_key_size)
+        CertUtils.init_dsa(db_dir, dsaNotOK_param_filename, inadequate_key_size)
+        CertUtils.init_dsa(db_dir, dsaOK_param_filename, adequate_key_size)
 
-    # OK Chain
+    # Generate chain with certs that have adequate sizes
     if generate_ev and key_type == 'rsa':
         # Reuse the existing RSA EV root
         caOK_cert_name = 'evroot'
@@ -133,7 +135,7 @@ def generate_certs(key_type, bad_key_size, ok_key_size, generate_ev):
             '',
             '',
             dsaOK_param_filename,
-            ok_key_size,
+            adequate_key_size,
             generate_ev)
 
     [intOK_key, intOK_cert] = generate_and_maybe_import_cert(
@@ -143,7 +145,7 @@ def generate_certs(key_type, bad_key_size, ok_key_size, generate_ev):
         caOK_key,
         caOK_cert,
         dsaOK_param_filename,
-        ok_key_size,
+        adequate_key_size,
         generate_ev)
 
     generate_and_maybe_import_cert(
@@ -153,28 +155,28 @@ def generate_certs(key_type, bad_key_size, ok_key_size, generate_ev):
         intOK_key,
         intOK_cert,
         dsaOK_param_filename,
-        ok_key_size,
+        adequate_key_size,
         generate_ev)
 
-    # Bad CA
-    [caBad_key, caBad_cert] = generate_and_maybe_import_cert(
+    # Generate chain with a root cert that has an inadequate size
+    [rootNotOK_key, rootNotOK_cert] = generate_and_maybe_import_cert(
         key_type,
         '-caBad',
         ca_ext_text,
         '',
         '',
-        dsaBad_param_filename,
-        bad_key_size,
+        dsaNotOK_param_filename,
+        inadequate_key_size,
         generate_ev)
 
     [int_key, int_cert] = generate_and_maybe_import_cert(
         key_type,
         '-intOK-caBad',
         ca_ext_text,
-        caBad_key,
-        caBad_cert,
+        rootNotOK_key,
+        rootNotOK_cert,
         dsaOK_param_filename,
-        ok_key_size,
+        adequate_key_size,
         generate_ev)
 
     generate_and_maybe_import_cert(
@@ -184,39 +186,39 @@ def generate_certs(key_type, bad_key_size, ok_key_size, generate_ev):
         int_key,
         int_cert,
         dsaOK_param_filename,
-        ok_key_size,
+        adequate_key_size,
         generate_ev)
 
-    # Bad Intermediate
-    [intBad_key, intBad_cert] = generate_and_maybe_import_cert(
+    # Generate chain with an intermediate cert that has an inadequate size
+    [intNotOK_key, intNotOK_cert] = generate_and_maybe_import_cert(
         key_type,
         '-intBad-caOK',
         ca_ext_text,
         caOK_key,
         caOK_cert,
-        dsaBad_param_filename,
-        bad_key_size,
+        dsaNotOK_param_filename,
+        inadequate_key_size,
         generate_ev)
 
     generate_and_maybe_import_cert(
         key_type,
         '-eeOK-intBad-caOK',
         ee_ext_text,
-        intBad_key,
-        intBad_cert,
+        intNotOK_key,
+        intNotOK_cert,
         dsaOK_param_filename,
-        ok_key_size,
+        adequate_key_size,
         generate_ev)
 
-    # Bad End Entity
+    # Generate chain with an end entity cert that has an inadequate size
     generate_and_maybe_import_cert(
         key_type,
         '-eeBad-intOK-caOK',
         ee_ext_text,
         intOK_key,
         intOK_cert,
-        dsaBad_param_filename,
-        bad_key_size,
+        dsaNotOK_param_filename,
+        inadequate_key_size,
         generate_ev)
 
 # Create a NSS DB for use by the OCSP responder.
diff --git a/security/manager/ssl/tests/unit/test_keysize_ev.js b/security/manager/ssl/tests/unit/test_keysize_ev.js
index b3eee2197c3..9e87cb285ae 100644
--- a/security/manager/ssl/tests/unit/test_keysize_ev.js
+++ b/security/manager/ssl/tests/unit/test_keysize_ev.js
@@ -86,8 +86,9 @@ function addKeySizeTestForEV(expectedNamesForOCSP, certNamePrefix,
 
 /**
  * For debug builds which have the test EV roots compiled in, checks for the
- * given key type that good chains validate as EV, while bad chains fail EV and
- * validate as DV.
+ * given key type that chains that contain certs with key sizes adequate for EV
+ * are validated as such, while chains that contain any cert with an inadequate
+ * key size fail EV and validate as DV.
  * For opt builds which don't have the test EV roots compiled in, checks that
  * none of the chains validate as EV.
  *
@@ -104,7 +105,7 @@ function checkForKeyType(keyType) {
   let rootCAOKCertFileName = keyType == "rsa" ? "../test_ev_certs/evroot"
                                               : "-caOK";
 
-  // OK CA -> OK INT -> OK EE
+  // Chain with certs that have adequate sizes for EV and DV
   // In opt builds, this chain is only validated for DV. Hence, an OCSP fetch
   // will not be done for the "-intOK-caOK" intermediate in such a build.
   let expectedNamesForOCSP = isDebugBuild
@@ -117,7 +118,8 @@ function checkForKeyType(keyType) {
                       "-eeOK-intOK-caOK",
                       isDebugBuild);
 
-  // Bad CA -> OK INT -> OK EE
+  // Chain with a root cert that has an inadequate size for EV, but
+  // adequate size for DV
   expectedNamesForOCSP = [ certNamePrefix + "-eeOK-intOK-caBad" ];
   addKeySizeTestForEV(expectedNamesForOCSP, certNamePrefix,
                       "-caBad",
@@ -125,7 +127,8 @@ function checkForKeyType(keyType) {
                       "-eeOK-intOK-caBad",
                       false);
 
-  // OK CA -> Bad INT -> OK EE
+  // Chain with an intermediate cert that has an inadequate size for EV, but
+  // adequate size for DV
   expectedNamesForOCSP = isDebugBuild
                        ? [ certNamePrefix + "-intBad-caOK" ]
                        : [ certNamePrefix + "-eeOK-intBad-caOK" ];
@@ -135,7 +138,8 @@ function checkForKeyType(keyType) {
                       "-eeOK-intBad-caOK",
                       false);
 
-  // OK CA -> OK INT -> Bad EE
+  // Chain with an end entity cert that has an inadequate size for EV, but
+  // adequate size for DV
   expectedNamesForOCSP = [ certNamePrefix + "-eeBad-intOK-caOK" ];
   addKeySizeTestForEV(expectedNamesForOCSP, certNamePrefix,
                       rootCAOKCertFileName,