Bug 971178, Part 3: Expand test_certificate_usages.js test insanity::pkix, r=cviecco

--HG-- extra : rebase_source : 3810925d18767d1b04f8a47004a0ab7a631e5b4b
2024-09-13 09:24:08 -07:00 · 2014-02-11 01:42:41 -08:00 · 2014-02-11 01:42:41 -08:00 · c5f75b4ab3
commit c5f75b4ab3
parent 5380137967
1 changed files with 92 additions and 75 deletions
--- a/security/manager/ssl/tests/unit/test_certificate_usages.js
+++ b/security/manager/ssl/tests/unit/test_certificate_usages.js
@ -19,89 +19,108 @@
 do_get_profile(); // must be called before getting nsIX509CertDB
 const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);

-var ca_usages = ['Client,Server,Sign,Encrypt,SSL CA,Status Responder',
-                 'SSL CA',
-                 'Client,Server,Sign,Encrypt,SSL CA,Status Responder',
-
-/* XXX
-  When using PKIX the usage for the fourth CA (key usage= all but certsigning) the
-  usage returned is 'Status Responder' only. (no SSL CA)
-  Thus (self-consistently) the ee_usages are all empty.
-
-  Reading rfc 5280 the combination of basic contraints+usages is not clear:
-   - Asserted key usage keyCertSign MUST have CA basic contraints.
-   - CA NOT asserted => keyCertSignt MUST NOT be asserted.
-
-  But the tests include -> basic CA asserted and Keyusage NOT asserted.
-  In this case, the 'classic' mode uses the 'union' of the capabilites ->
-  the cert is considered a CA. libpkix uses the 'intersection' of
-  capabilites, the cert is NOT considered a CA.
-
-  I think the intersection is a better way to interpret this as the extension
-  is marked as critical.
-
-  This should be: 'Status Responder'
-
-*/
-                 'Client,Server,Sign,Encrypt,Status Responder'];
-
-var ee_usages = [
-                  ['Client,Server,Sign,Encrypt',
-                   'Client,Server,Sign,Encrypt',
-                   'Client,Server,Sign,Encrypt',
-                   '',
-                   'Client,Server,Sign,Encrypt,Object Signer,Status Responder',
-                   'Client,Server',
-                   'Sign,Encrypt,Object Signer',
-                   'Server,Status Responder'
-                   ],
-                  ['Client,Server,Sign,Encrypt',
-                   'Client,Server,Sign,Encrypt',
-                   'Client,Server,Sign,Encrypt',
-                   '',
-                   'Client,Server,Sign,Encrypt,Object Signer,Status Responder',
-                   'Client,Server',
-                   'Sign,Encrypt,Object Signer',
-                   'Server,Status Responder'
-                   ],
-                  ['Client,Server,Sign,Encrypt',
-                   'Client,Server,Sign,Encrypt',
-                   'Client,Server,Sign,Encrypt',
-                   '',
-                   'Client,Server,Sign,Encrypt,Object Signer,Status Responder',
-                   'Client,Server',
-                   'Sign,Encrypt,Object Signer',
-                   'Server,Status Responder'
-                  ],
-
-/* XXX
-  The values for the following block of tests should all be empty
-  */
-
-                  ['Client,Server,Sign,Encrypt',
-                   'Client,Server,Sign,Encrypt',
-                   'Client,Server,Sign,Encrypt',
-                   '',
-                   'Client,Server,Sign,Encrypt,Object Signer,Status Responder',
-                   'Client,Server',
-                   'Sign,Encrypt,Object Signer',
-                   'Server,Status Responder'
-                  ]
-                ];
-
+const gNumCAs = 4;

 function run_test() {
  //ca's are one based!
-  for (var i = 0; i < ca_usages.length; i++) {
+  for (var i = 0; i < gNumCAs; i++) {
    var ca_name = "ca-" + (i + 1);
    var ca_filename = ca_name + ".der";
    addCertFromFile(certdb, "test_certificate_usages/" + ca_filename, "CTu,CTu,CTu");
    do_print("ca_name=" + ca_name);
-    var cert;
-    cert = certdb.findCertByNickname(null, ca_name);
+    var cert = certdb.findCertByNickname(null, ca_name);
+  }

+  run_test_in_mode(true);
+  run_test_in_mode(false);
+}
+
+function run_test_in_mode(useInsanity) {
+  Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+  clearOCSPCache();
+  clearSessionCache();
+
+  // insanity::pkix does not allow CA certs to be validated for non-CA usages.
+  var allCAUsages = useInsanity
+                  ? 'SSL CA'
+                  : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
+
+  // insanity::pkix doesn't allow CA certificates to have the Status Responder
+  // EKU.
+  var ca_usages = [allCAUsages,
+                   'SSL CA',
+                   allCAUsages,
+                   useInsanity ? ''
+                               : 'Client,Server,Sign,Encrypt,Status Responder'];
+
+  // insanity::pkix doesn't implement the Netscape Object Signer restriction.
+  var basicEndEntityUsages = useInsanity
+                           ? 'Client,Server,Sign,Encrypt,Object Signer'
+                           : 'Client,Server,Sign,Encrypt';
+  var basicEndEntityUsagesWithObjectSigner = basicEndEntityUsages + ",Object Signer"
+
+  // insanity::pkix won't let a certificate with the "Status Responder" EKU get
+  // validated for any other usage.
+  var statusResponderUsages = (useInsanity ? "" : "Server,") + "Status Responder";
+  var statusResponderUsagesFull
+      = useInsanity ? statusResponderUsages
+                    : basicEndEntityUsages + ',Object Signer,Status Responder';
+
+  var ee_usages = [
+    [ basicEndEntityUsages,
+      basicEndEntityUsages,
+      basicEndEntityUsages,
+      '',
+      statusResponderUsagesFull,
+      'Client,Server',
+      'Sign,Encrypt,Object Signer',
+      statusResponderUsages
+    ],
+
+    [ basicEndEntityUsages,
+      basicEndEntityUsages,
+      basicEndEntityUsages,
+      '',
+      statusResponderUsagesFull,
+      'Client,Server',
+      'Sign,Encrypt,Object Signer',
+      statusResponderUsages
+    ],
+
+    [ basicEndEntityUsages,
+      basicEndEntityUsages,
+      basicEndEntityUsages,
+      '',
+      statusResponderUsagesFull,
+      'Client,Server',
+      'Sign,Encrypt,Object Signer',
+      statusResponderUsages
+    ],
+
+    // The CA has isCA=true without keyCertSign.
+    //
+    // The 'classic' NSS mode uses the 'union' of the
+    // capabilites so the cert is considered a CA.
+    // insanity::pkix and libpkix use the intersection of
+    // capabilites, so the cert is NOT considered a CA.
+    [ useInsanity ? '' : basicEndEntityUsages,
+      useInsanity ? '' : basicEndEntityUsages,
+      useInsanity ? '' : basicEndEntityUsages,
+      '',
+      useInsanity ? '' : statusResponderUsagesFull,
+      useInsanity ? '' : 'Client,Server',
+      useInsanity ? '' : 'Sign,Encrypt,Object Signer',
+      useInsanity ? '' : 'Server,Status Responder'
+     ]
+  ];
+
+  do_check_eq(gNumCAs, ca_usages.length);
+
+  for (var i = 0; i < gNumCAs; i++) {
+    var ca_name = "ca-" + (i + 1);
    var verified = {};
    var usages = {};
+    var cert = certdb.findCertByNickname(null, ca_name);
    cert.getUsagesString(true, verified, usages);
    do_print("usages.value=" + usages.value);
    do_check_eq(ca_usages[i], usages.value);
@ -120,7 +139,5 @@ function run_test() {
      do_print("cert usages.value=" + usages.value);
      do_check_eq(ee_usages[i][j], usages.value);
    }
-
  }
-
 }