bug 1171557 - make test_cert_trust.js certs a bit more realistic r=mgoodwin

According to the Baseline Requirements, root certificates MUST NOT have the extendedKeyUsage extension. The extension is optional for intermediates and required for end-entity certificates. This change modifies the test certificates so they're more in line with the BRs.
2024-09-13 09:24:08 -07:00 · 2015-06-03 15:37:38 -07:00 · 2015-06-03 15:37:38 -07:00 · 1bf24e0cc5
commit 1bf24e0cc5
parent 25303078e1
4 changed files with 8 additions and 11 deletions
--- a/security/manager/ssl/tests/unit/test_cert_trust.js
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@ -65,9 +65,7 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
                        certificateUsageObjectSigner);
  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
                        certificateUsageVerifyCA);
-  checkCertErrorGeneric(certdb, ee_cert,
-                        !isRootCA ? SEC_ERROR_UNTRUSTED_ISSUER
-                                  : SEC_ERROR_INADEQUATE_CERT_TYPE,
+  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                        certificateUsageStatusResponder);

  // Trust set to T  -  trusted CA to issue client certs, where client cert is
@ -96,7 +94,9 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
                        certificateUsageObjectSigner);
  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
                        certificateUsageVerifyCA);
-  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
+  checkCertErrorGeneric(certdb, ee_cert,
+                        isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+                                 : SEC_ERROR_INADEQUATE_CERT_TYPE,
                        certificateUsageStatusResponder);


@ -118,9 +118,7 @@ function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
                        certificateUsageObjectSigner);
  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
                        certificateUsageVerifyCA);
-  checkCertErrorGeneric(certdb, ee_cert,
-                        isRootCA ? SEC_ERROR_INADEQUATE_CERT_TYPE
-                                 : SEC_ERROR_UNTRUSTED_ISSUER,
+  checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
                        certificateUsageStatusResponder);

  // Inherited trust SSL
--- a/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ca.pem.certspec
@ -1,5 +1,4 @@
 issuer:ca
 subject:ca
 extension:basicConstraints:cA,
-extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
-extension:extKeyUsage:serverAuth,clientAuth,emailProtection,codeSigning
+extension:keyUsage:keyCertSign,cRLSign
--- a/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_cert_trust/ee.pem.certspec
@ -1,2 +1,3 @@
 issuer:int
 subject:ee
+extension:extKeyUsage:serverAuth,clientAuth,emailProtection,codeSigning
--- a/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec
+++ b/security/manager/ssl/tests/unit/test_cert_trust/int.pem.certspec
@ -1,5 +1,4 @@
 issuer:ca
 subject:int
 extension:basicConstraints:cA,
-extension:keyUsage:digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
-extension:extKeyUsage:serverAuth,clientAuth,emailProtection,codeSigning
+extension:keyUsage:keyCertSign,cRLSign