tor-browser

The Tor Browser

test_cert_trust.js (8072B)


      1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
      2 // This Source Code Form is subject to the terms of the Mozilla Public
      3 // License, v. 2.0. If a copy of the MPL was not distributed with this
      4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
      5 
      6 "use strict";
      7 
      // do_get_profile() has to run before the nsIX509CertDB service is requested,
      // so the order of these two statements matters.
      do_get_profile();
      const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
     12 
     /**
      * Imports test_cert_trust/<cert_name>.pem into the shared certificate DB.
      *
      * @param {string} cert_name  base name of the PEM file, without extension
      * @param {string} trust_string  trust string handed to addCertFromFile
      * @returns whatever addCertFromFile returns for the imported certificate
      */
     function load_cert(cert_name, trust_string) {
       const pemPath = `test_cert_trust/${cert_name}.pem`;
       return addCertFromFile(certdb, pemPath, trust_string);
     }
     21 
     /**
      * Puts the chain back into its baseline state: the root is trusted for TLS
      * and e-mail, and the intermediate has all of its trust bits cleared.
      *
      * @param ca_cert  root certificate that becomes the trust anchor
      * @param int_cert  intermediate certificate whose trust is set to 0
      */
     function setup_basic_trusts(ca_cert, int_cert) {
       const { CA_CERT } = Ci.nsIX509Cert;
       const { TRUSTED_SSL, TRUSTED_EMAIL } = Ci.nsIX509CertDB;

       certdb.setCertTrust(ca_cert, CA_CERT, TRUSTED_SSL | TRUSTED_EMAIL);
       // 0 = no trust bits set; the intermediate then presumably relies on the
       // root for its trust (confirm against nsIX509CertDB).
       certdb.setCertTrust(int_cert, CA_CERT, 0);
     }
     31 
     /**
      * Walks one CA certificate of the chain through a series of trust settings
      * and, after every change, verifies the end-entity certificate for each of
      * the five usages, always in the same order.
      *
      * Trust strings have three comma-separated fields. Going by the phase
      * comments and the expectations below, the first field decides TLS server
      * verification and the second decides e-mail; the third (object signing in
      * NSS notation) never decides an outcome here. Within a field, "p" is
      * active distrust, "C" a trusted CA, "T" a CA trusted to issue client
      * certificates, and an empty field means inherited trust.
      *
      * Two things the expectations encode and a reader should not miss:
      *  - verifyUsageTLSServerCA always fails with SEC_ERROR_CA_CERT_INVALID,
      *    because the certificate being verified is an end-entity, not a CA.
      *  - verifyUsageTLSClient follows the e-mail field, not the TLS field: it
      *    still succeeds under "p,C,C" and fails under "C,p,C". The original test
      *    marks those checks with XXX(Bug 982340).
      *
      * @param ee_cert  end-entity certificate that gets verified
      * @param cert_to_modify_trust  CA certificate whose trust is changed
      * @param {boolean} isRootCA  true when cert_to_modify_trust is the root; in
      *   that case phases that leave it without the needed CA trust expect
      *   SEC_ERROR_UNKNOWN_ISSUER instead of success (presumably because no other
      *   anchor remains, whereas an intermediate still chains to the trusted root)
      */
     async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
       const usages = Ci.nsIX509CertDB;
       const ok = PRErrorCodeSuccess;
       const distrusted = SEC_ERROR_UNTRUSTED_ISSUER;
       const withoutAnchor = isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : ok;

       // One row per phase. trust === null means "leave the trust as the caller
       // set it up"; every other row applies its trust string first.
       const phases = [
         // On reset most usages are successful
         { trust: null, tlsServer: ok, tlsClient: ok, email: ok },
         // Test of active distrust. No usage should pass.
         {
           trust: "p,p,p",
           tlsServer: distrusted,
           tlsClient: distrusted,
           email: distrusted,
         },
         // Trust set to T  -  trusted CA to issue client certs, where client cert
         // is usageSSLClient. TLS client expectation: XXX(Bug 982340)
         {
           trust: "T,T,T",
           tlsServer: withoutAnchor,
           tlsClient: withoutAnchor,
           email: withoutAnchor,
         },
         // Now tests on the SSL trust bit. TLS client expectation: XXX(Bug 982340)
         { trust: "p,C,C", tlsServer: distrusted, tlsClient: ok, email: ok },
         // Inherited trust SSL. TLS client expectation: XXX(Bug 982340)
         { trust: ",C,C", tlsServer: withoutAnchor, tlsClient: ok, email: ok },
         // Now tests on the EMAIL trust bit
         {
           trust: "C,p,C",
           tlsServer: ok,
           tlsClient: distrusted,
           email: distrusted,
         },
         // inherited EMAIL Trust
         {
           trust: "C,,C",
           tlsServer: ok,
           tlsClient: withoutAnchor,
           email: withoutAnchor,
         },
       ];

       for (const { trust, tlsServer, tlsClient, email } of phases) {
         if (trust !== null) {
           setCertTrust(cert_to_modify_trust, trust);
         }

         const expectations = [
           [tlsServer, usages.verifyUsageTLSServer],
           [tlsClient, usages.verifyUsageTLSClient],
           [SEC_ERROR_CA_CERT_INVALID, usages.verifyUsageTLSServerCA],
           [email, usages.verifyUsageEmailSigner],
           [email, usages.verifyUsageEmailRecipient],
         ];
         // Checks run strictly one after another, as in a hand-written sequence.
         for (const [expectedError, usage] of expectations) {
           await checkCertErrorGeneric(certdb, ee_cert, expectedError, usage);
         }
       }
     }
    271 
    // Loads the ca -> int -> ee chain with empty trust, runs the distrust matrix
    // once against the root and once against the intermediate, and finally checks
    // that a directly trusted end-entity verifies without any trusted CA.
    add_task(async function () {
      const [ca_cert, int_cert, ee_cert] = ["ca", "int", "ee"].map(certName =>
        load_cert(certName, ",,")
      );
      notEqual(ca_cert, null, "CA cert should have successfully loaded");
      notEqual(int_cert, null, "Intermediate cert should have successfully loaded");
      notEqual(ee_cert, null, "EE cert should have successfully loaded");

      // Each run starts from the same baseline, because test_ca_distrust leaves
      // the certificate it modified with its last trust string.
      const runs = [
        [ca_cert, true],
        [int_cert, false],
      ];
      for (const [certUnderTest, isRootCA] of runs) {
        setup_basic_trusts(ca_cert, int_cert);
        await test_ca_distrust(ee_cert, certUnderTest, isRootCA);
      }

      // Reset trust to default ("inherit trust")
      setCertTrust(ca_cert, ",,");
      setCertTrust(int_cert, ",,");

      // End-entities can be trust anchors for interoperability with users who
      // prefer not to build a hierarchy and instead directly trust a particular
      // server certificate. With both CAs reset above, the end-entity's own trust
      // string is the only explicit trust left when these checks run.
      setCertTrust(ee_cert, "CTu,CTu,CTu");
      const directTrustUsages = [
        Ci.nsIX509CertDB.verifyUsageTLSServer,
        Ci.nsIX509CertDB.verifyUsageTLSClient,
        Ci.nsIX509CertDB.verifyUsageEmailSigner,
        Ci.nsIX509CertDB.verifyUsageEmailRecipient,
      ];
      for (const usage of directTrustUsages) {
        await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, usage);
      }
    });