Bug 1085074 - Part 1 - Use adequate/OK and inadequate/notOK to refer to sizes for key size tests. r=briansmith

2024-09-13 09:24:08 -07:00 · 2014-12-07 20:23:00 +01:00 · 2014-12-07 20:23:00 +01:00 · 10ea8d764d
commit 10ea8d764d
parent 7012fe8c1a
3 changed files with 44 additions and 38 deletions
--- a/security/manager/ssl/tests/unit/test_keysize.js
+++ b/security/manager/ssl/tests/unit/test_keysize.js
@ -54,21 +54,21 @@ function check_fail_ca(cert) {
 }

 function check_for_key_type(key_type) {
-  // OK CA -> OK INT -> OK EE
+  // Chain with certs that have adequate sizes for DV
  check_ok_ca(load_cert(key_type + "-caOK", "CTu,CTu,CTu"));
  check_ok_ca(load_cert(key_type + "-intOK-caOK", ",,"));
  check_ok(certFromFile(key_type + "-eeOK-intOK-caOK.der"));

-  // Bad CA -> OK INT -> OK EE
+  // Chain with a root cert that has an inadequate size for DV
  check_fail_ca(load_cert(key_type + "-caBad", "CTu,CTu,CTu"));
  check_fail_ca(load_cert(key_type + "-intOK-caBad", ",,"));
  check_fail(certFromFile(key_type + "-eeOK-intOK-caBad.der"));

-  // OK CA -> Bad INT -> OK EE
+  // Chain with an intermediate cert that has an inadequate size for DV
  check_fail_ca(load_cert(key_type + "-intBad-caOK", ",,"));
  check_fail(certFromFile(key_type + "-eeOK-intBad-caOK.der"));

-  // OK CA -> OK INT -> Bad EE
+  // Chain with an end entity cert that has an inadequate size for DV
  check_fail(certFromFile(key_type + "-eeBad-intOK-caOK.der"));
 }

--- a/security/manager/ssl/tests/unit/test_keysize/generate.py
+++ b/security/manager/ssl/tests/unit/test_keysize/generate.py
@ -15,7 +15,7 @@ import CertUtils

 srcdir = os.getcwd()
 db_dir = tempfile.mkdtemp()
-dsaBad_param_filename = 'dsaBad_param.pem'
+dsaNotOK_param_filename = 'dsaNotOK_param.pem'
 dsaOK_param_filename = 'dsaOK_param.pem'

 ca_ext_text = ('basicConstraints = critical, CA:TRUE\n' +
@ -101,22 +101,24 @@ def generate_and_maybe_import_cert(key_type, cert_name_suffix, base_ext_text,

    return [key_filename, cert_filename]

-def generate_certs(key_type, bad_key_size, ok_key_size, generate_ev):
+def generate_certs(key_type, inadequate_key_size, adequate_key_size, generate_ev):
    """
    Generates the various certificates used by the key size tests.

    Arguments:
      key_type -- the type of key generated: potential values: 'rsa', 'dsa',
                  or any of the curves found by 'openssl ecparam -list_curves'
-      bad_key_size -- the public key size bad certs should have
-      ok_key_size -- the public key size OK certs should have
+      inadequate_key_size -- a string defining the inadequate public key size
+                             for the generated certs
+      adequate_key_size -- a string defining the adequate public key size for
+                           the generated certs
      generate_ev -- whether an EV cert should be generated
    """
    if key_type == 'dsa':
-        CertUtils.init_dsa(db_dir, dsaBad_param_filename, bad_key_size)
-        CertUtils.init_dsa(db_dir, dsaOK_param_filename, ok_key_size)
+        CertUtils.init_dsa(db_dir, dsaNotOK_param_filename, inadequate_key_size)
+        CertUtils.init_dsa(db_dir, dsaOK_param_filename, adequate_key_size)

-    # OK Chain
+    # Generate chain with certs that have adequate sizes
    if generate_ev and key_type == 'rsa':
        # Reuse the existing RSA EV root
        caOK_cert_name = 'evroot'
@ -133,7 +135,7 @@ def generate_certs(key_type, bad_key_size, ok_key_size, generate_ev):
            '',
            '',
            dsaOK_param_filename,
-            ok_key_size,
+            adequate_key_size,
            generate_ev)

    [intOK_key, intOK_cert] = generate_and_maybe_import_cert(
@ -143,7 +145,7 @@ def generate_certs(key_type, bad_key_size, ok_key_size, generate_ev):
        caOK_key,
        caOK_cert,
        dsaOK_param_filename,
-        ok_key_size,
+        adequate_key_size,
        generate_ev)

    generate_and_maybe_import_cert(
@ -153,28 +155,28 @@ def generate_certs(key_type, bad_key_size, ok_key_size, generate_ev):
        intOK_key,
        intOK_cert,
        dsaOK_param_filename,
-        ok_key_size,
+        adequate_key_size,
        generate_ev)

-    # Bad CA
-    [caBad_key, caBad_cert] = generate_and_maybe_import_cert(
+    # Generate chain with a root cert that has an inadequate size
+    [rootNotOK_key, rootNotOK_cert] = generate_and_maybe_import_cert(
        key_type,
        '-caBad',
        ca_ext_text,
        '',
        '',
-        dsaBad_param_filename,
-        bad_key_size,
+        dsaNotOK_param_filename,
+        inadequate_key_size,
        generate_ev)

    [int_key, int_cert] = generate_and_maybe_import_cert(
        key_type,
        '-intOK-caBad',
        ca_ext_text,
-        caBad_key,
-        caBad_cert,
+        rootNotOK_key,
+        rootNotOK_cert,
        dsaOK_param_filename,
-        ok_key_size,
+        adequate_key_size,
        generate_ev)

    generate_and_maybe_import_cert(
@ -184,39 +186,39 @@ def generate_certs(key_type, bad_key_size, ok_key_size, generate_ev):
        int_key,
        int_cert,
        dsaOK_param_filename,
-        ok_key_size,
+        adequate_key_size,
        generate_ev)

-    # Bad Intermediate
-    [intBad_key, intBad_cert] = generate_and_maybe_import_cert(
+    # Generate chain with an intermediate cert that has an inadequate size
+    [intNotOK_key, intNotOK_cert] = generate_and_maybe_import_cert(
        key_type,
        '-intBad-caOK',
        ca_ext_text,
        caOK_key,
        caOK_cert,
-        dsaBad_param_filename,
-        bad_key_size,
+        dsaNotOK_param_filename,
+        inadequate_key_size,
        generate_ev)

    generate_and_maybe_import_cert(
        key_type,
        '-eeOK-intBad-caOK',
        ee_ext_text,
-        intBad_key,
-        intBad_cert,
+        intNotOK_key,
+        intNotOK_cert,
        dsaOK_param_filename,
-        ok_key_size,
+        adequate_key_size,
        generate_ev)

-    # Bad End Entity
+    # Generate chain with an end entity cert that has an inadequate size
    generate_and_maybe_import_cert(
        key_type,
        '-eeBad-intOK-caOK',
        ee_ext_text,
        intOK_key,
        intOK_cert,
-        dsaBad_param_filename,
-        bad_key_size,
+        dsaNotOK_param_filename,
+        inadequate_key_size,
        generate_ev)

 # Create a NSS DB for use by the OCSP responder.
--- a/security/manager/ssl/tests/unit/test_keysize_ev.js
+++ b/security/manager/ssl/tests/unit/test_keysize_ev.js
@ -86,8 +86,9 @@ function addKeySizeTestForEV(expectedNamesForOCSP, certNamePrefix,

 /**
 * For debug builds which have the test EV roots compiled in, checks for the
- * given key type that good chains validate as EV, while bad chains fail EV and
- * validate as DV.
+ * given key type that chains that contain certs with key sizes adequate for EV
+ * are validated as such, while chains that contain any cert with an inadequate
+ * key size fail EV and validate as DV.
 * For opt builds which don't have the test EV roots compiled in, checks that
 * none of the chains validate as EV.
 *
@ -104,7 +105,7 @@ function checkForKeyType(keyType) {
  let rootCAOKCertFileName = keyType == "rsa" ? "../test_ev_certs/evroot"
                                              : "-caOK";

-  // OK CA -> OK INT -> OK EE
+  // Chain with certs that have adequate sizes for EV and DV
  // In opt builds, this chain is only validated for DV. Hence, an OCSP fetch
  // will not be done for the "-intOK-caOK" intermediate in such a build.
  let expectedNamesForOCSP = isDebugBuild
@ -117,7 +118,8 @@ function checkForKeyType(keyType) {
                      "-eeOK-intOK-caOK",
                      isDebugBuild);

-  // Bad CA -> OK INT -> OK EE
+  // Chain with a root cert that has an inadequate size for EV, but
+  // adequate size for DV
  expectedNamesForOCSP = [ certNamePrefix + "-eeOK-intOK-caBad" ];
  addKeySizeTestForEV(expectedNamesForOCSP, certNamePrefix,
                      "-caBad",
@ -125,7 +127,8 @@ function checkForKeyType(keyType) {
                      "-eeOK-intOK-caBad",
                      false);

-  // OK CA -> Bad INT -> OK EE
+  // Chain with an intermediate cert that has an inadequate size for EV, but
+  // adequate size for DV
  expectedNamesForOCSP = isDebugBuild
                       ? [ certNamePrefix + "-intBad-caOK" ]
                       : [ certNamePrefix + "-eeOK-intBad-caOK" ];
@ -135,7 +138,8 @@ function checkForKeyType(keyType) {
                      "-eeOK-intBad-caOK",
                      false);

-  // OK CA -> OK INT -> Bad EE
+  // Chain with an end entity cert that has an inadequate size for EV, but
+  // adequate size for DV
  expectedNamesForOCSP = [ certNamePrefix + "-eeBad-intOK-caOK" ];
  addKeySizeTestForEV(expectedNamesForOCSP, certNamePrefix,
                      rootCAOKCertFileName,