bug 1171557 - make test_cert_trust.js certs a bit more realistic r=mgoodwin
According to the Baseline Requirements, root certificates MUST NOT have the extendedKeyUsage extension. The extension is optional for intermediates and required for end-entity certificates. This change modifies the test certificates so they're more in line with the BRs.
parent
25303078e1
commit
1bf24e0cc5
@ -65,9 +65,7 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
|
||||
certificateUsageObjectSigner);
|
||||
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
|
||||
certificateUsageVerifyCA);
|
||||
checkCertErrorGeneric(certdb, ee_cert,
|
||||
!isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER
|
||||
: SEC_ERROR_INADEQUATE_CERT_TYPE,
|
||||
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
|
||||
certificateUsageStatusResponder);
|
||||
|
||||
// Trust set to T - trusted CA to issue client certs, where client cert is
|
||||
@ -96,7 +94,9 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
|
||||
certificateUsageObjectSigner);
|
||||
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
|
||||
certificateUsageVerifyCA);
|
||||
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
|
||||
checkCertErrorGeneric(certdb, ee_cert,
|
||||
isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
|
||||
: SEC_ERROR_INADEQUATE_CERT_TYPE,
|
||||
certificateUsageStatusResponder);
|
||||
|
||||
|
||||
@ -118,9 +118,7 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
|
||||
certificateUsageObjectSigner);
|
||||
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
|
||||
certificateUsageVerifyCA);
|
||||
checkCertErrorGeneric(certdb, ee_cert,
|
||||
isRootCA ? SEC_ERROR_INADEQUATE_CERT_TYPE
|
||||
: SEC_ERROR_UNTRUSTED_ISSUER,
|
||||
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
|
||||
certificateUsageStatusResponder);
|
||||
|
||||
// Inherited trust SSL
|
||||
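Review bot: The certificateUsageStatusResponder expectation in the second hunk (`@ -96,7 +94,9`) of test_ca_distrust branches on `isRootCA` with no comment saying why, while the matching checks in the first and third hunks appear to have been flattened to a plain `SEC_ERROR_UNTRUSTED_ISSUER`. The +/- markers are lost on this page, so which side each line belongs to is inferred from the hunk line counts. A trust test that pins different error codes for the root and the intermediate should state which verification step is expected to fail in each case, otherwise a later change in error precedence cannot be told apart from a real trust regression. I would add a comment above that call along the lines of `// StatusResponder: isRootCA => SEC_ERROR_UNKNOWN_ISSUER, otherwise SEC_ERROR_INADEQUATE_CERT_TYPE, because <reason>`, with the reason supplied by the author. The body of test_ca_distrust starts and ends outside these hunks.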
|
@ -1,5 +1,4 @@
|
||||
issuer:ca
|
||||
subject:ca
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
|
||||
extension:extKeyUsage:serverAuth,clientAuth,emailProtection,codeSigning
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
||||
|
@ -1,2 +1,3 @@
|
||||
issuer:int
|
||||
subject:ee
|
||||
extension:extKeyUsage:serverAuth,clientAuth,emailProtection,codeSigning
|
||||
|
@ -1,5 +1,4 @@
|
||||
issuer:ca
|
||||
subject:int
|
||||
extension:basicConstraints:cA,
|
||||
extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
|
||||
extension:extKeyUsage:serverAuth,clientAuth,emailProtection,codeSigning
|
||||
extension:keyUsage:keyCertSign,cRLSign
|
||||
|