test_intermediate_basic_usage_constraints.js (4785B)
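"use strict";

// Checks which usages a certificate verifies for, depending on the
// basicConstraints, keyUsage (KU) and extendedKeyUsage (EKU) extensions of the
// intermediate it is, or chains through. The security property under test is
// that only a certificate marked as a CA (and permitted to sign certificates)
// is accepted as an issuer: if an end-entity certificate were accepted as an
// issuer, any holder of a leaf certificate could issue certificates that
// chain to a trusted root.

do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
  Ci.nsIX509CertDB
);

/**
 * Adds one PEM fixture from this test's data directory to the cert DB.
 *
 * @param {string} name - Fixture base name, without the ".pem" suffix.
 * @param {string} trust - Trust string handed unchanged to addCertFromFile.
 */
function load_cert(name, trust) {
  const filename = `test_intermediate_basic_usage_constraints/${name}.pem`;
  addCertFromFile(certdb, filename, trust);
}

/**
 * Constructs every certificate named in certChainNicks and verifies the first
 * one against the expected usages.
 *
 * @param {string[]} certChainNicks - Fixture base names, certificate under
 *   test first, followed by the intermediates it should chain through.
 * @param {number[]} expected_usages - nsIX509CertDB.verifyUsage* values passed
 *   to asyncTestCertificateUsages. An empty list is used below for
 *   certificates that must not verify for any usage (presumably the helper
 *   asserts failure for usages that are not listed; confirm in the harness).
 * @returns {Promise} Whatever asyncTestCertificateUsages returns; callers
 *   await it.
 */
function test_cert_for_usages(certChainNicks, expected_usages) {
  const certs = [];
  // for...of, not for...in: for...in walks enumerable keys (including any
  // inherited ones) as strings, which is not the same as the array elements.
  for (const certNick of certChainNicks) {
    const certPEM = readFile(
      do_get_file(`test_intermediate_basic_usage_constraints/${certNick}.pem`),
      false
    );
    // Every cert in the list is constructed even though only the first is
    // verified. Presumably construction makes the intermediates available for
    // path building; keep this loop over the whole chain until confirmed.
    certs.push(certdb.constructX509FromBase64(pemToBase64(certPEM)));
  }

  const [cert] = certs;
  return asyncTestCertificateUsages(certdb, cert, expected_usages);
}

add_task(async function () {
  // Usages expected for a certificate that is treated as an end-entity (EE).
  const ee_usages = [
    Ci.nsIX509CertDB.verifyUsageTLSClient,
    Ci.nsIX509CertDB.verifyUsageTLSServer,
    Ci.nsIX509CertDB.verifyUsageEmailSigner,
    Ci.nsIX509CertDB.verifyUsageEmailRecipient,
  ];
  // Usages expected for a certificate that is accepted as a CA.
  const ca_usages = [Ci.nsIX509CertDB.verifyUsageTLSServerCA];
  // Usages expected for an EE issued by an intermediate whose EKU is
  // {id-kp-serverAuth, id-kp-clientAuth}: the email usages drop out.
  const eku_usages = [
    Ci.nsIX509CertDB.verifyUsageTLSClient,
    Ci.nsIX509CertDB.verifyUsageTLSServer,
  ];

  // Load the ca into mem. This is the only certificate given explicit trust;
  // everything else must earn its usages by chaining to it.
  const ca_name = "ca";
  load_cert(ca_name, "CTu,CTu,CTu");
  await test_cert_for_usages([ca_name], ca_usages);

  // A certificate with no basicConstraints extension is considered an EE.
  await test_cert_for_usages(["int-no-extensions"], ee_usages);

  // int-no-extensions is an EE (see previous case), so no certs can chain to
  // it.
  await test_cert_for_usages(["ee-int-no-extensions", "int-no-extensions"], []);

  // A certificate with basicConstraints.cA==false is considered an EE.
  await test_cert_for_usages(["int-not-a-ca"], ee_usages);

  // int-not-a-ca is an EE (see previous case), so no certs can chain to it.
  await test_cert_for_usages(["ee-int-not-a-ca", "int-not-a-ca"], []);

  // A certificate with basicConstraints.cA==false but with the keyCertSign
  // key usage may not act as a CA (it can act like an end-entity). The KU bit
  // alone must never be enough to make a certificate an issuer.
  await test_cert_for_usages(["int-cA-FALSE-asserts-keyCertSign"], ee_usages);
  await test_cert_for_usages(
    ["ee-int-cA-FALSE-asserts-keyCertSign", "int-cA-FALSE-asserts-keyCertSign"],
    []
  );

  // int-limited-depth has cA==true and a path length constraint of zero.
  await test_cert_for_usages(["int-limited-depth"], ca_usages);

  // Path length constraints do not affect the ability of a non-CA cert to
  // chain to the CA cert.
  await test_cert_for_usages(
    ["ee-int-limited-depth", "int-limited-depth"],
    ee_usages
  );

  // ca
  //   int-limited-depth (cA==true, pathLenConstraint==0)
  //     int-limited-depth-invalid (cA==true)
  //
  // pathLenConstraint==0 allows no further CA below int-limited-depth, so
  // neither int-limited-depth-invalid nor anything issued by it may verify.
  await test_cert_for_usages(
    ["int-limited-depth-invalid", "int-limited-depth"],
    []
  );
  await test_cert_for_usages(
    [
      "ee-int-limited-depth-invalid",
      "int-limited-depth-invalid",
      "int-limited-depth",
    ],
    []
  );

  // int-valid-ku-no-eku has keyCertSign
  await test_cert_for_usages(["int-valid-ku-no-eku"], ca_usages);
  await test_cert_for_usages(
    ["ee-int-valid-ku-no-eku", "int-valid-ku-no-eku"],
    ee_usages
  );

  // int-bad-ku-no-eku has basicConstraints.cA==true and has a KU extension
  // but the KU extension is missing keyCertSign. Note that mozilla::pkix
  // doesn't validate certificates with basicConstraints.cA==true for non-CA
  // uses.
  await test_cert_for_usages(["int-bad-ku-no-eku"], []);
  await test_cert_for_usages(["ee-int-bad-ku-no-eku", "int-bad-ku-no-eku"], []);

  // int-no-ku-no-eku has basicConstraints.cA==true and no KU extension.
  // We treat a missing KU as "any key usage is OK".
  await test_cert_for_usages(["int-no-ku-no-eku"], ca_usages);
  await test_cert_for_usages(
    ["ee-int-no-ku-no-eku", "int-no-ku-no-eku"],
    ee_usages
  );

  // int-valid-ku-server-eku has basicConstraints.cA==true, keyCertSign in KU,
  // and EKU=={id-kp-serverAuth,id-kp-clientAuth}.
  await test_cert_for_usages(["int-valid-ku-server-eku"], ca_usages);
  await test_cert_for_usages(
    ["ee-int-valid-ku-server-eku", "int-valid-ku-server-eku"],
    eku_usages
  );

  // int-bad-ku-server-eku has basicConstraints.cA==true, a KU without
  // keyCertSign, and EKU=={id-kp-serverAuth,id-kp-clientAuth}.
  await test_cert_for_usages(["int-bad-ku-server-eku"], []);
  await test_cert_for_usages(
    ["ee-int-bad-ku-server-eku", "int-bad-ku-server-eku"],
    []
  );

  // int-no-ku-server-eku has basicConstraints.cA==true, no KU, and
  // EKU=={id-kp-serverAuth,id-kp-clientAuth}.
  await test_cert_for_usages(["int-no-ku-server-eku"], ca_usages);
  await test_cert_for_usages(
    ["ee-int-no-ku-server-eku", "int-no-ku-server-eku"],
    eku_usages
  );
});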