wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Bug 1089305 - Switch EV tests to SQL DB and partially clean up scripts. r=keeler

Browse Source
This commit is contained in:
Cykesiopka 2014-11-17 21:12:00 +01:00
parent 87504c39b8
commit 509363556e
21 changed files with 78 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
security/manager/ssl/tests/unit/test_ev_certs.js
View File

@ -7,6 +7,10 @@
// XXX: The isDebugBuild tests you see are here because the test EV root is
// only enabled for EV in debug builds, as a security measure. An ugly hack.
//
// Bug 1008316: B2G doesn't have EV enabled, so EV is not expected even in debug
// builds.
const gEVExpected = isDebugBuild && !("@mozilla.org/b2g-process-global;1" in Cc);
do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
@ -84,9 +88,9 @@ function run_test() {
add_test(function () {
clearOCSPCache();
let ocspResponder = start_ocsp_responder(
isDebugBuild ? ["int-ev-valid", "ev-valid"]
: ["ev-valid"]);
check_ee_for_ev("ev-valid", isDebugBuild);
gEVExpected ? ["int-ev-valid", "ev-valid"]
: ["ev-valid"]);
check_ee_for_ev("ev-valid", gEVExpected);
ocspResponder.stop(run_next_test);
});
@ -95,9 +99,9 @@ function run_test() {
clearOCSPCache();
let ocspResponder = start_ocsp_responder(
isDebugBuild ? ["int-ev-valid-anypolicy-int", "ev-valid-anypolicy-int"]
: ["ev-valid-anypolicy-int"]);
check_ee_for_ev("ev-valid-anypolicy-int", isDebugBuild);
gEVExpected ? ["int-ev-valid-anypolicy-int", "ev-valid-anypolicy-int"]
: ["ev-valid-anypolicy-int"]);
check_ee_for_ev("ev-valid-anypolicy-int", gEVExpected);
ocspResponder.stop(run_next_test);
});
@ -110,10 +114,8 @@ function run_test() {
add_test(function() {
clearOCSPCache();
// libpkix will attempt to validate the intermediate, which does have an
// OCSP URL.
let ocspResponder = isDebugBuild ? start_ocsp_responder(["int-ev-valid"])
: failingOCSPResponder();
let ocspResponder = gEVExpected ? start_ocsp_responder(["int-ev-valid"])
: failingOCSPResponder();
check_ee_for_ev("no-ocsp-url-cert", false);
ocspResponder.stop(run_next_test);
});
@ -141,9 +143,9 @@ function run_test() {
clearOCSPCache();
let ocspResponder = start_ocsp_responder(
isDebugBuild ? ["int-ev-valid", "ev-valid"]
: ["ev-valid"]);
check_ee_for_ev("ev-valid", isDebugBuild);
gEVExpected ? ["int-ev-valid", "ev-valid"]
: ["ev-valid"]);
check_ee_for_ev("ev-valid", gEVExpected);
ocspResponder.stop(run_next_test);
});
@ -164,9 +166,9 @@ function run_test() {
add_test(function () {
clearOCSPCache();
let ocspResponder = start_ocsp_responder(
isDebugBuild ? ["int-ev-valid", "ev-valid"]
: ["ev-valid"]);
check_ee_for_ev("ev-valid", isDebugBuild);
gEVExpected ? ["int-ev-valid", "ev-valid"]
: ["ev-valid"]);
check_ee_for_ev("ev-valid", gEVExpected);
ocspResponder.stop(function () {
// without net it must be able to EV verify
let failingOcspResponder = failingOCSPResponder();
@ -178,9 +180,9 @@ function run_test() {
let error = certdb.verifyCertNow(cert, certificateUsageSSLServer,
flags, verifiedChain, hasEVPolicy);
do_check_eq(hasEVPolicy.value, isDebugBuild);
do_check_eq(hasEVPolicy.value, gEVExpected);
do_check_eq(error,
isDebugBuild ? 0 : SEC_ERROR_POLICY_VALIDATION_FAILED);
gEVExpected ? 0 : SEC_ERROR_POLICY_VALIDATION_FAILED);
failingOcspResponder.stop(run_next_test);
});
});
@ -190,12 +192,12 @@ function run_test() {
clearOCSPCache();
let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [],
"test_ev_certs",
isDebugBuild ? ["int-ev-valid", "ev-valid"]
: ["ev-valid"],
gEVExpected ? ["int-ev-valid", "ev-valid"]
: ["ev-valid"],
[], [],
isDebugBuild ? ["longvalidityalmostold", "good"]
: ["good"]);
check_ee_for_ev("ev-valid", isDebugBuild);
gEVExpected ? ["longvalidityalmostold", "good"]
: ["good"]);
check_ee_for_ev("ev-valid", gEVExpected);
ocspResponder.stop(run_next_test);
});
@ -212,10 +214,10 @@ function run_test() {
"longvalidityalmostold"];
let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [],
"test_ev_certs",
isDebugBuild ? debugCertNickArray : ["ev-valid"],
gEVExpected ? debugCertNickArray : ["ev-valid"],
[], [],
isDebugBuild ? debugResponseArray
: ["longvalidityalmostold"]);
gEVExpected ? debugResponseArray
: ["longvalidityalmostold"]);
check_ee_for_ev("ev-valid", false);
ocspResponder.stop(run_next_test);
});
@ -229,10 +231,10 @@ function run_test() {
"ancientstillvalid"];
let ocspResponder = startOCSPResponder(SERVER_PORT, "www.example.com", [],
"test_ev_certs",
isDebugBuild ? debugCertNickArray : ["ev-valid"],
gEVExpected ? debugCertNickArray : ["ev-valid"],
[], [],
isDebugBuild ? debugResponseArray
: ["ancientstillvalid"]);
gEVExpected ? debugResponseArray
: ["ancientstillvalid"]);
check_ee_for_ev("ev-valid", false);
ocspResponder.stop(run_next_test);
});

BIN
security/manager/ssl/tests/unit/test_ev_certs/cert8.db
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_ev_certs/cert9.db Normal file
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.der
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_ev_certs/ev-valid.der
View File

Binary file not shown.

62
security/manager/ssl/tests/unit/test_ev_certs/ev_root_generate.py
View File

@ -1,13 +1,7 @@
#!/usr/bin/python
# after runing this file you MUST modify nsIdentityinfo.cpp to change the
# fingerprint of the evroot
import tempfile, os, sys
import random
import pexpect
import subprocess
import shutil
libpath = os.path.abspath('../psm_common_py')
sys.path.append(libpath)
@ -21,39 +15,29 @@ CA_basic_constraints = "basicConstraints = critical, CA:TRUE\n"
CA_min_ku = "keyUsage = critical, digitalSignature, keyCertSign, cRLSign\n"
subject_key_ident = "subjectKeyIdentifier = hash\n"
def generate_root_cert(db_dir, dest_dir, prefix, ext_text):
serial_num = 12343299546
name = prefix
key_name = dest_dir + "/" + name + ".key"
os.system ("openssl genpkey -algorithm RSA -out " + key_name +
" -pkeyopt rsa_keygen_bits:2048")
cert_name = 'evroot'
ext_text = CA_basic_constraints + CA_min_ku + subject_key_ident
subject_string = ('/C=US/ST=CA/L=Mountain View' +
'/O=Mozilla - EV debug test CA/OU=Security Engineering' +
'/CN=XPCShell EV Testing (untrustworthy) CA')
csr_name = dest_dir + "/" + name + ".csr"
os.system ("openssl req -new -key " + key_name + " -days 3650" +
" -extensions v3_ca -batch -out " + csr_name +
" -utf8 -subj '/C=US/ST=CA/L=Mountain View" +
"/O=Mozilla - EV debug test CA/OU=Security Engineering" +
"/CN=XPCShell EV Testing (untrustworthy) CA'")
# The db_dir argument of generate_cert_generic() is also set to dest_dir as
# the .key file generated is needed by other certs.
[ca_key, ca_cert] = CertUtils.generate_cert_generic(
dest_dir,
dest_dir,
random.randint(100, 40000000),
'rsa',
cert_name,
ext_text,
subject_string = subject_string)
extensions_filename = db_dir + "/openssl-exts"
f = open(extensions_filename, 'w')
f.write(ext_text)
f.close()
CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, cert_name)
cert_name = dest_dir + "/" + name + ".der"
signer_key_filename = key_name
os.system ("openssl x509 -req -sha256 -days 3650 -in " + csr_name +
" -signkey " + signer_key_filename +
" -set_serial " + str(serial_num) +
" -extfile " + extensions_filename +
" -outform DER -out " + cert_name)
return key_name, cert_name
prefix = "evroot"
[ca_key, ca_cert] = generate_root_cert(db, dest_dir, prefix,
CA_basic_constraints +
CA_min_ku + subject_key_ident)
CertUtils.generate_pkcs12(db, dest_dir, ca_cert, ca_key, prefix)
print ("You now MUST modify nsIdentityinfo.cpp to ensure the xpchell debug " +
"certificate there matches this newly generated one\n")
# Print a blank line and the information needed to enable EV for the root
# generated by this script.
print
CertUtils.print_cert_info_for_ev(ca_cert)
print ('You now MUST update the compiled test EV root information to match ' +
'the EV root information printed above. In addition, certs that chain ' +
'up to this root in other folders will also need to be regenerated.' )

58
security/manager/ssl/tests/unit/test_ev_certs/generate.py
View File

@ -2,9 +2,6 @@
import tempfile, os, sys
import random
import pexpect
import subprocess
import shutil
libpath = os.path.abspath('../psm_common_py')
@ -39,34 +36,10 @@ anypolicy_policy = ("certificatePolicies = @v3_ca_ev_cp\n\n" +
def import_untrusted_cert(certfile, nickname):
os.system("certutil -A -d . -n " + nickname + " -i " + certfile +
" -t ',,'")
def import_cert_and_pkcs12(certfile, pkcs12file, nickname, trustflags):
os.system(" certutil -A -d . -n " + nickname + " -i " + certfile + " -t '" +
trustflags + "'")
child = pexpect.spawn("pk12util -i " + pkcs12file + " -d .")
child.expect('Enter password for PKCS12 file:')
child.sendline('')
child.expect(pexpect.EOF)
def init_nss_db():
nss_db_files = [ "cert8.db", "key3.db", "secmod.db" ]
for file in nss_db_files:
if os.path.isfile(file):
os.remove(file)
#now create DB
child = pexpect.spawn("certutil -N -d .")
child.expect("Enter new password:")
child.sendline('')
child.expect('Re-enter password:')
child.sendline('')
child.expect(pexpect.EOF)
import_cert_and_pkcs12("evroot.der", "evroot.p12", "evroot", "C,C,C")
os.system('certutil -A -d sql:%s -n %s -i %s -t ",,"' %
(srcdir, nickname, certfile))
def generate_certs():
init_nss_db()
ca_cert = 'evroot.der'
ca_key = 'evroot.key'
prefix = "ev-valid"
@ -75,6 +48,11 @@ def generate_certs():
endentity_crl + mozilla_testing_ev_policy)
int_ext_text = (CA_extensions + aia_prefix + "int-" + prefix + aia_suffix +
intermediate_crl + mozilla_testing_ev_policy)
CertUtils.init_nss_db(srcdir)
CertUtils.import_cert_and_pkcs12(srcdir, ca_cert, 'evroot.p12', 'evroot',
'C,C,C')
[int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
srcdir,
ca_key,
@ -83,9 +61,10 @@ def generate_certs():
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
"int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
'int-' + prefix, ',,')
import_untrusted_cert(ee_cert, prefix)
# now we generate an end entity cert with an AIA with no OCSP URL
@ -116,9 +95,10 @@ def generate_certs():
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
"int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
'int-' + prefix, ',,')
import_untrusted_cert(ee_cert, prefix)
@ -128,9 +108,10 @@ def generate_certs():
'rsa',
'non-evroot-ca',
CA_extensions)
pk12file = CertUtils.generate_pkcs12(db, srcdir, bad_ca_cert, bad_ca_key,
pk12file = CertUtils.generate_pkcs12(db, db, bad_ca_cert, bad_ca_key,
"non-evroot-ca")
import_cert_and_pkcs12(bad_ca_cert, pk12file, "non-evroot-ca", "C,C,C")
CertUtils.import_cert_and_pkcs12(srcdir, bad_ca_cert, pk12file,
'non-evroot-ca', 'C,C,C')
prefix = "non-ev-root"
ee_ext_text = (aia_prefix + prefix + aia_suffix +
endentity_crl + mozilla_testing_ev_policy)
@ -144,11 +125,10 @@ def generate_certs():
int_ext_text,
ee_ext_text,
key_type)
pk12file = CertUtils.generate_pkcs12(db, srcdir, int_cert, int_key,
pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
"int-" + prefix)
import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
'int-' + prefix, ',,')
import_untrusted_cert(ee_cert, prefix)
generate_certs()

BIN
security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.der
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.der
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.p12
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.der
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.p12
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_ev_certs/key3.db
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_ev_certs/key4.db Normal file
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.der
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.der
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.der
View File

Binary file not shown.

BIN
security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.p12
View File

Binary file not shown.

5
security/manager/ssl/tests/unit/test_ev_certs/pkcs11.txt Normal file
View File

@ -0,0 +1,5 @@
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/m-c_drive/mozilla-inbound/security/manager/ssl/tests/unit/test_ev_certs' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})

BIN
security/manager/ssl/tests/unit/test_ev_certs/secmod.db
View File

Binary file not shown.

3
security/manager/ssl/tests/unit/xpcshell.ini
View File

@ -70,9 +70,6 @@ skip-if = os == "android" || os == "win"
[test_cert_signatures.js]
[test_ev_certs.js]
run-sequentially = hardcoded ports
# Bug 1009158: this test times out on Android
# Bug 1008316: Test needs modification to work on B2G
fail-if = os == "android" || buildapp == "b2g"
[test_getchain.js]
[test_cert_overrides.js]
run-sequentially = hardcoded ports