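// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

"use strict";

// This test tests two specific items:
// 1. Are name constraints properly enforced across the entire constructed
//    certificate chain? This makes use of a certificate hierarchy like so:
//    - (trusted) root CA with permitted subtree dNSName example.com
//      - intermediate CA with permitted subtree dNSName example.org
//        a. end-entity with dNSNames example.com and example.org
//           (the first entry is allowed by the root but not by the intermediate,
//           and the second entry is allowed by the intermediate but not by the
//           root)
//        b. end-entity with dNSName example.com (not allowed by the intermediate)
//        c. end-entity with dNSName example.org (not allowed by the root)
//        d. end-entity with dNSName example.test (not allowed by either)
//    All of these cases should fail to verify with the error that the
//    end-entity is not in the name space permitted by the hierarchy. In other
//    words, the permitted subtrees of every CA in the chain are intersected:
//    satisfying only one CA's constraints is not enough.
//
// 2. Are externally-imposed name constraints properly enforced? This makes use
//    of a certificate hierarchy rooted by a certificate with the same DN as an
//    existing hierarchy that has externally-imposed name constraints (DCISS).

do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
  Ci.nsIX509CertDB
);

/**
 * Builds a certificate object from a PEM file under test_name_constraints/.
 * @param {string} name - file basename, without the ".pem" extension
 * @returns the certificate produced by constructCertFromFile
 */
function certFromFile(name) {
  return constructCertFromFile(`test_name_constraints/${name}.pem`);
}

/**
 * Imports a PEM certificate from test_name_constraints/ into certdb with the
 * given trust string.
 * @param {string} certName - file basename, without the ".pem" extension
 * @param {string} trustString - trust flags passed through to addCertFromFile
 */
function loadCertWithTrust(certName, trustString) {
  addCertFromFile(certdb, `test_name_constraints/${certName}.pem`, trustString);
}

/**
 * Verifies `cert` for the TLS server usage and checks that verification ends
 * with `expectedError`. Shared by the two name-space checks below so that the
 * usage and the database they verify against cannot drift apart.
 * @param cert - certificate to verify
 * @param {number} expectedError - expected PR error code
 * @returns whatever checkCertErrorGeneric returns (awaited by the callers)
 */
function checkCertVerifiesWith(cert, expectedError) {
  return checkCertErrorGeneric(
    certdb,
    cert,
    expectedError,
    Ci.nsIX509CertDB.verifyUsageTLSServer
  );
}

/**
 * Expects verification of `cert` to fail because its names fall outside the
 * name space permitted by the chain.
 * @param cert - certificate to verify
 */
function checkCertNotInNameSpace(cert) {
  return checkCertVerifiesWith(cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE);
}

/**
 * Expects verification of `cert` to succeed, i.e. every name it carries is
 * within the permitted name space.
 * @param cert - certificate to verify
 */
function checkCertInNameSpace(cert) {
  return checkCertVerifiesWith(cert, PRErrorCodeSuccess);
}

add_task(async function () {
  // Test that name constraints from the entire certificate chain are enforced.
  // The root is imported with explicit trust; the intermediate is imported
  // with no explicit trust, so it must chain to the root and both sets of
  // permitted subtrees apply to the end-entities.
  loadCertWithTrust("ca-example-com-permitted", "CTu,,");
  loadCertWithTrust("int-example-org-permitted", ",,");
  await checkCertNotInNameSpace(certFromFile("ee-example-com-and-org"));
  await checkCertNotInNameSpace(certFromFile("ee-example-com"));
  await checkCertNotInNameSpace(certFromFile("ee-example-org"));
  await checkCertNotInNameSpace(certFromFile("ee-example-test"));

  // Test that externally-imposed name constraints are enforced (DCISS tests).
  loadCertWithTrust("dciss", "CTu,,");
  await checkCertInNameSpace(certFromFile("NameConstraints.dcissallowed"));
  await checkCertNotInNameSpace(certFromFile("NameConstraints.dcissblocked"));
});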