Source code
Revision control
Copy as Markdown
Other Tools
Test Info: Warnings
- This test gets skipped with pattern: os == 'win' && msix
- Manifest: security/manager/ssl/tests/unit/xpcshell.toml
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// Tests that the extended key usage extension is properly processed by the
// platform when verifying certificates. There are already comprehensive tests
// in mozilla::pkix itself, but these tests serve as integration tests to ensure
// that the cases we're particularly concerned about are correctly handled.
"use strict";
do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
Ci.nsIX509CertDB
);
function certFromFile(certName) {
return constructCertFromFile(`test_cert_eku/${certName}.pem`);
}
function loadCertWithTrust(certName, trustString) {
addCertFromFile(certdb, `test_cert_eku/${certName}.pem`, trustString);
}
function checkEndEntity(cert, expectedResult) {
return checkCertErrorGeneric(
certdb,
cert,
expectedResult,
certificateUsageSSLServer
);
}
function checkCertOn25August2016(cert, expectedResult) {
// (new Date("2016-08-25T00:00:00Z")).getTime() / 1000
const VALIDATION_TIME = 1472083200;
return checkCertErrorGenericAtTime(
certdb,
cert,
expectedResult,
certificateUsageSSLServer,
VALIDATION_TIME
);
}
add_task(async function () {
registerCleanupFunction(() => {
Services.prefs.clearUserPref("privacy.reduceTimerPrecision");
});
Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false);
loadCertWithTrust("ca", "CTu,,");
// end-entity has id-kp-serverAuth => success
await checkEndEntity(certFromFile("ee-SA"), PRErrorCodeSuccess);
// end-entity has id-kp-serverAuth => success
await checkEndEntity(certFromFile("ee-SA-CA"), PRErrorCodeSuccess);
// end-entity has extended key usage, but id-kp-serverAuth is not present =>
// failure
await checkEndEntity(certFromFile("ee-CA"), SEC_ERROR_INADEQUATE_CERT_TYPE);
// end-entity has id-kp-serverAuth => success
await checkEndEntity(certFromFile("ee-SA-nsSGC"), PRErrorCodeSuccess);
// end-entity has extended key usage, but id-kp-serverAuth is not present =>
// failure (in particular, Netscape Server Gated Crypto (also known as
// Netscape Step Up) is not an acceptable substitute for end-entity
// certificates).
// Verify this for all Netscape Step Up policy configurations.
// 0 = "always accept nsSGC in place of serverAuth for CA certificates"
Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0);
await checkEndEntity(
certFromFile("ee-nsSGC"),
SEC_ERROR_INADEQUATE_CERT_TYPE
);
// 1 = "accept nsSGC before 23 August 2016"
Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1);
await checkEndEntity(
certFromFile("ee-nsSGC"),
SEC_ERROR_INADEQUATE_CERT_TYPE
);
// 2 = "accept nsSGC before 23 August 2015"
Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2);
await checkEndEntity(
certFromFile("ee-nsSGC"),
SEC_ERROR_INADEQUATE_CERT_TYPE
);
// 3 = "never accept nsSGC"
Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3);
await checkEndEntity(
certFromFile("ee-nsSGC"),
SEC_ERROR_INADEQUATE_CERT_TYPE
);
// end-entity has id-kp-OCSPSigning, which is not acceptable for end-entity
// certificates being verified as TLS server certificates => failure
await checkEndEntity(
certFromFile("ee-SA-OCSP"),
SEC_ERROR_INADEQUATE_CERT_TYPE
);
// intermediate has id-kp-serverAuth => success
loadCertWithTrust("int-SA", ",,");
await checkEndEntity(certFromFile("ee-int-SA"), PRErrorCodeSuccess);
// intermediate has id-kp-serverAuth => success
loadCertWithTrust("int-SA-CA", ",,");
await checkEndEntity(certFromFile("ee-int-SA-CA"), PRErrorCodeSuccess);
// intermediate has extended key usage, but id-kp-serverAuth is not present
// => failure
loadCertWithTrust("int-CA", ",,");
await checkEndEntity(
certFromFile("ee-int-CA"),
SEC_ERROR_INADEQUATE_CERT_TYPE
);
// intermediate has id-kp-serverAuth => success
loadCertWithTrust("int-SA-nsSGC", ",,");
await checkEndEntity(certFromFile("ee-int-SA-nsSGC"), PRErrorCodeSuccess);
// Intermediate has Netscape Server Gated Crypto. Success will depend on the
// Netscape Step Up policy configuration and the notBefore property of the
// intermediate.
loadCertWithTrust("int-nsSGC-recent", ",,");
loadCertWithTrust("int-nsSGC-old", ",,");
loadCertWithTrust("int-nsSGC-older", ",,");
// 0 = "always accept nsSGC in place of serverAuth for CA certificates"
Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0);
info("Netscape Step Up policy: always accept");
await checkCertOn25August2016(
certFromFile("ee-int-nsSGC-recent"),
PRErrorCodeSuccess
);
await checkCertOn25August2016(
certFromFile("ee-int-nsSGC-old"),
PRErrorCodeSuccess
);
await checkCertOn25August2016(
certFromFile("ee-int-nsSGC-older"),
PRErrorCodeSuccess
);
// 1 = "accept nsSGC before 23 August 2016"
info("Netscape Step Up policy: accept before 23 August 2016");
Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1);
await checkCertOn25August2016(
certFromFile("ee-int-nsSGC-recent"),
SEC_ERROR_INADEQUATE_CERT_TYPE
);
await checkCertOn25August2016(
certFromFile("ee-int-nsSGC-old"),
PRErrorCodeSuccess
);
await checkCertOn25August2016(
certFromFile("ee-int-nsSGC-older"),
PRErrorCodeSuccess
);
// 2 = "accept nsSGC before 23 August 2015"
info("Netscape Step Up policy: accept before 23 August 2015");
Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2);
await checkCertOn25August2016(
certFromFile("ee-int-nsSGC-recent"),
SEC_ERROR_INADEQUATE_CERT_TYPE
);
await checkCertOn25August2016(
certFromFile("ee-int-nsSGC-old"),
SEC_ERROR_INADEQUATE_CERT_TYPE
);
await checkCertOn25August2016(
certFromFile("ee-int-nsSGC-older"),
PRErrorCodeSuccess
);
// 3 = "never accept nsSGC"
info("Netscape Step Up policy: never accept");
Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3);
await checkCertOn25August2016(
certFromFile("ee-int-nsSGC-recent"),
SEC_ERROR_INADEQUATE_CERT_TYPE
);
await checkCertOn25August2016(
certFromFile("ee-int-nsSGC-old"),
SEC_ERROR_INADEQUATE_CERT_TYPE
);
await checkCertOn25August2016(
certFromFile("ee-int-nsSGC-older"),
SEC_ERROR_INADEQUATE_CERT_TYPE
);
// intermediate has id-kp-OCSPSigning, which is acceptable for CA
// certificates => success
loadCertWithTrust("int-SA-OCSP", ",,");
await checkEndEntity(certFromFile("ee-int-SA-OCSP"), PRErrorCodeSuccess);
});