test_cert_version.js (10397B)
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

// Tests the interaction between the basic constraints extension and the
// certificate version field. In general, the testcases consist of verifying
// certificate chains of the form:
//
// end-entity (issued by) intermediate (issued by) trusted X509v3 root
//
// where the intermediate is one of X509 v1, v2, v3, or v4, and either does or
// does not have the basic constraints extension. If it has the extension, it
// either does or does not specify that it is a CA.
//
// To test cases where the trust anchor has a different version and/or does or
// does not have the basic constraints extension, there are testcases where the
// intermediate is trusted as an anchor and the verification is repeated.
// (Loading a certificate with trust "CTu,," means that it is a trust anchor
// for SSL. Loading a certificate with trust ",," means that it inherits its
// trust.)
//
// There are also testcases for end-entities issued by a trusted X509v3 root
// where the end-entities similarly cover the range of versions and basic
// constraints extensions.
//
// Finally, there are testcases for self-signed certificates that, again, cover
// the range of versions and basic constraints extensions.
"use strict";

do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
  Ci.nsIX509CertDB
);

/**
 * Builds a certificate object from a PEM file in this test's data directory.
 *
 * @param {string} certName - File name without the ".pem" suffix.
 * @returns The value produced by constructCertFromFile (a helper defined
 *   outside this file) for that path.
 */
function certFromFile(certName) {
  const pemPath = `test_cert_version/${certName}.pem`;
  return constructCertFromFile(pemPath);
}

/**
 * Adds a certificate from this test's data directory to the certificate
 * database with the given trust.
 *
 * @param {string} certName - File name without the ".pem" suffix.
 * @param {string} trustString - "CTu,," makes the certificate a trust anchor
 *   for SSL; ",," makes it inherit its trust.
 */
function loadCertWithTrust(certName, trustString) {
  const pemPath = `test_cert_version/${certName}.pem`;
  addCertFromFile(certdb, pemPath, trustString);
}

/**
 * Verifies `cert` for the TLS server (end-entity) usage and checks that the
 * outcome is `expectedResult`.
 *
 * @param cert - Certificate to verify.
 * @param expectedResult - Expected error code, or PRErrorCodeSuccess.
 * @returns The value returned by checkCertErrorGeneric (awaited by callers).
 */
function checkEndEntity(cert, expectedResult) {
  const usage = Ci.nsIX509CertDB.verifyUsageTLSServer;
  return checkCertErrorGeneric(certdb, cert, expectedResult, usage);
}

/**
 * Verifies `cert` for the TLS server CA usage and checks that the outcome is
 * `expectedResult`.
 *
 * @param cert - Certificate to verify.
 * @param expectedResult - Expected error code, or PRErrorCodeSuccess.
 * @returns The value returned by checkCertErrorGeneric (awaited by callers).
 */
function checkIntermediate(cert, expectedResult) {
  const usage = Ci.nsIX509CertDB.verifyUsageTLSServerCA;
  return checkCertErrorGeneric(certdb, cert, expectedResult, usage);
}

add_task(async function () {
  const VERSIONS = ["v1", "v2", "v3", "v4"];
  const INHERITED_TRUST = ",,";
  const TRUST_ANCHOR = "CTu,,";

  // Checks the intermediate "int-<label>_ca" as a CA and then the end-entity
  // "ee_int-<label>" that chains through it; both must give the same result.
  const checkIssuerAndLeaf = async (label, expectedResult) => {
    await checkIntermediate(certFromFile(`int-${label}_ca`), expectedResult);
    await checkEndEntity(certFromFile(`ee_int-${label}`), expectedResult);
  };

  // Runs one intermediate through both trust settings: first inheriting its
  // trust from the root, then re-loaded as a trust anchor in its own right.
  // The order matters because each load changes the trust that the following
  // verifications observe.
  const checkIntermediateCase = async (label, inheritedResult, anchorResult) => {
    loadCertWithTrust(`int-${label}_ca`, INHERITED_TRUST);
    await checkIssuerAndLeaf(label, inheritedResult);
    loadCertWithTrust(`int-${label}_ca`, TRUST_ANCHOR);
    await checkIssuerAndLeaf(label, anchorResult);
  };

  loadCertWithTrust("ca", TRUST_ANCHOR);

  // Section for CAs lacking the basicConstraints extension entirely:
  // A v1 certificate with no basicConstraints extension may issue certificates
  // if it is a trust anchor. As an intermediate that only inherits trust it
  // must be rejected with the dedicated v1 error.
  await checkIntermediateCase(
    "v1-noBC",
    MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA,
    PRErrorCodeSuccess
  );
  // v2, v3 and v4 certificates without basicConstraints get no such
  // exception: they are expected to fail as CAs even when loaded as anchors.
  for (const version of ["v2", "v3", "v4"]) {
    await checkIntermediateCase(
      `${version}-noBC`,
      SEC_ERROR_CA_CERT_INVALID,
      SEC_ERROR_CA_CERT_INVALID
    );
  }

  // Section for CAs with basicConstraints not specifying cA:
  // Expected to be rejected as an issuer in every version, whether the trust
  // is inherited or the certificate is itself a trust anchor.
  for (const version of VERSIONS) {
    await checkIntermediateCase(
      `${version}-BC-not-cA`,
      SEC_ERROR_CA_CERT_INVALID,
      SEC_ERROR_CA_CERT_INVALID
    );
  }

  // Section for CAs with basicConstraints specifying cA:
  // Expected to be accepted as an issuer in every version, v1 and v4 included.
  for (const version of VERSIONS) {
    await checkIntermediateCase(
      `${version}-BC-cA`,
      PRErrorCodeSuccess,
      PRErrorCodeSuccess
    );
  }

  // Section for end-entity certificates with various basicConstraints:
  // An end-entity with no basicConstraints, or with basicConstraints that do
  // not specify cA, is expected to verify; one that specifies cA is expected
  // to be refused for the TLS server usage.
  const endEntityCases = [
    ["noBC", PRErrorCodeSuccess],
    ["BC-not-cA", PRErrorCodeSuccess],
    ["BC-cA", MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY],
  ];
  for (const [constraint, expectedResult] of endEntityCases) {
    for (const version of VERSIONS) {
      await checkEndEntity(
        certFromFile(`ee-${version}-${constraint}_ca`),
        expectedResult
      );
    }
  }

  // Section for self-signed certificates:
  // This test never loads these with any trust, and each one is expected to
  // fail with an unknown-issuer error whatever its version or
  // basicConstraints.
  for (const constraint of ["noBC", "BC-not-cA", "BC-cA"]) {
    for (const version of VERSIONS) {
      await checkEndEntity(
        certFromFile(`ss-${version}-${constraint}`),
        SEC_ERROR_UNKNOWN_ISSUER
      );
    }
  }
});