| author | David Keeler <dkeeler@mozilla.com> |
| Wed, 11 Apr 2018 16:23:48 -0700 | |
| changeset 413924 | c76fdea6986887d84c1d252634f2a68228e375f6 |
| parent 413923 | 9a18481b44cdc5e2762631a4acc760dd54eb6a6a |
| child 413925 | 00a9881a5ceb8e1d345a39c4c425f5fd88b4aa76 |
| push id | 33853 |
| push user | cbrindusan@mozilla.com |
| push date | Tue, 17 Apr 2018 09:51:13 +0000 |
| treeherder | mozilla-central@8b0ba3f7d099 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | fkiefer, jcj |
| bugs | 1453741 |
| milestone | 61.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/security/manager/ssl/nsIX509CertDB.idl +++ b/security/manager/ssl/nsIX509CertDB.idl @@ -295,64 +295,38 @@ interface nsIX509CertDB : nsISupports { * effectively ignored by gecko, but they still must be specified * (at least by a final trailing comma) because this argument is * passed to CERT_DecodeTrustString. * @return nsIX509Cert the resulting certificate */ [must_use] nsIX509Cert addCert(in ACString certDER, in ACString trust); - // Flags for verifyCertNow (these must match the values in CertVerifier.cpp): - // Prevent network traffic. Doesn't work with classic verification. + // Flags for asyncVerifyCertAtTime (these must match the values in + // CertVerifier.cpp): + // Prevent network traffic. const uint32_t FLAG_LOCAL_ONLY = 1 << 0; // Do not fall back to DV verification after attempting EV validation. - // Actually does prevent network traffic, but can cause a valid EV - // certificate to not be considered valid. const uint32_t FLAG_MUST_BE_EV = 1 << 1; - /** Warning: This interface is inteded to use only for testing only as: - * 1. It can create IO on the main thread. - * 2. It is in constant change, so in/out can change at any release. - * - * Obtain the verification result for a cert given a particular usage. - * On success, the call returns 0, the chain built during verification, - * and whether the cert is good for EV usage. - * On failure, the call returns the PRErrorCode for the verification failure + /* + * Asynchronously verify a certificate given a set of parameters. Calls the + * `verifyCertFinished` function on the provided `nsICertVerificationCallback` + * with the results of the verification operation. + * See the documentation for nsICertVerificationCallback. * - * @param aCert Obtain the stored trust of this certificate - * @param aUsage a integer representing the usage from NSS - * @param aFlags flags as described above - * @param aHostname the (optional) hostname to verify for - * @param aTime the time at which to verify, in seconds since the epoch - * @param aVerifiedChain chain of verification up to the root if success - * @param aHasEVPolicy bool that signified that the cert was an EV cert - * @return 0 if success or the value or the error code for the verification - * failure - */ - [must_use] - int32_t /*PRErrorCode*/ - verifyCertAtTime(in nsIX509Cert aCert, - in int64_t /*SECCertificateUsage*/ aUsage, - in uint32_t aFlags, - in ACString aHostname, - in uint64_t aTime, - out nsIX509CertList aVerifiedChain, - out bool aHasEVPolicy); - [must_use] - int32_t /*PRErrorCode*/ - verifyCertNow(in nsIX509Cert aCert, - in int64_t /*SECCertificateUsage*/ aUsage, - in uint32_t aFlags, - in ACString aHostname, - out nsIX509CertList aVerifiedChain, - out bool aHasEVPolicy); - - /** - * Similar to the above, but asynchronous. As a result, use of this API is not - * limited to tests. + * @param aCert the certificate to verify + * @param aUsage an integer representing the usage to verify for (see + * SECCertificateUsage in certt.h from NSS) + * @param aFlags flags as described above + * @param aHostname the (optional) hostname to verify for + * @param aTime the time at which to verify, in seconds since the epoch + * @param aCallback the nsICertVerificationCallback that will receive the + results of this verification + * @return a succeeding nsresult if the job was dispatched successfully */ [must_use] void asyncVerifyCertAtTime(in nsIX509Cert aCert, in int64_t /*SECCertificateUsage*/ aUsage, in uint32_t aFlags, in ACString aHostname, in uint64_t aTime, in nsICertVerificationCallback aCallback);
--- a/security/manager/ssl/nsNSSCertificateDB.cpp +++ b/security/manager/ssl/nsNSSCertificateDB.cpp @@ -1301,45 +1301,16 @@ VerifyCertAtTime(nsIX509Cert* aCert, if (result == mozilla::pkix::Success && evOidPolicy != SEC_OID_UNKNOWN) { *aHasEVPolicy = true; } nssCertList.forget(aVerifiedChain); return NS_OK; } -NS_IMETHODIMP -nsNSSCertificateDB::VerifyCertNow(nsIX509Cert* aCert, - int64_t /*SECCertificateUsage*/ aUsage, - uint32_t aFlags, - const nsACString& aHostname, - nsIX509CertList** aVerifiedChain, - bool* aHasEVPolicy, - int32_t* /*PRErrorCode*/ _retval) -{ - return ::VerifyCertAtTime(aCert, aUsage, aFlags, aHostname, - mozilla::pkix::Now(), - aVerifiedChain, aHasEVPolicy, _retval); -} - -NS_IMETHODIMP -nsNSSCertificateDB::VerifyCertAtTime(nsIX509Cert* aCert, - int64_t /*SECCertificateUsage*/ aUsage, - uint32_t aFlags, - const nsACString& aHostname, - uint64_t aTime, - nsIX509CertList** aVerifiedChain, - bool* aHasEVPolicy, - int32_t* /*PRErrorCode*/ _retval) -{ - return ::VerifyCertAtTime(aCert, aUsage, aFlags, aHostname, - mozilla::pkix::TimeFromEpochInSeconds(aTime), - aVerifiedChain, aHasEVPolicy, _retval); -} - class VerifyCertAtTimeTask final : public CryptoTask { public: VerifyCertAtTimeTask(nsIX509Cert* aCert, int64_t aUsage, uint32_t aFlags, const nsACString& aHostname, uint64_t aTime, nsICertVerificationCallback* aCallback) : mCert(aCert) , mUsage(aUsage) @@ -1356,19 +1327,20 @@ public: private: virtual nsresult CalculateResult() override { nsCOMPtr<nsIX509CertDB> certDB = do_GetService(NS_X509CERTDB_CONTRACTID); if (!certDB) { return NS_ERROR_FAILURE; } - return certDB->VerifyCertAtTime(mCert, mUsage, mFlags, mHostname, mTime, - getter_AddRefs(mVerifiedCertList), - &mHasEVPolicy, &mPRErrorCode); + return VerifyCertAtTime(mCert, mUsage, mFlags, mHostname, + mozilla::pkix::TimeFromEpochInSeconds(mTime), + getter_AddRefs(mVerifiedCertList), + &mHasEVPolicy, &mPRErrorCode); } virtual void CallCallback(nsresult rv) override { if (NS_FAILED(rv)) { Unused << mCallback->VerifyCertFinished(SEC_ERROR_LIBRARY_FAILURE, nullptr, false); } else {
--- a/security/manager/ssl/tests/unit/head_psm.js +++ b/security/manager/ssl/tests/unit/head_psm.js @@ -171,49 +171,63 @@ function setCertTrust(cert, trustString) } function getXPCOMStatusFromNSS(statusNSS) { let nssErrorsService = Cc["@mozilla.org/nss_errors_service;1"] .getService(Ci.nsINSSErrorsService); return nssErrorsService.getXPCOMFromNSSError(statusNSS); } +// Helper for checkCertErrorGenericAtTime +class CertVerificationExpectedErrorResult { + constructor(certName, expectedError, expectedEVStatus, resolve) { + this.certName = certName; + this.expectedError = expectedError; + this.expectedEVStatus = expectedEVStatus; + this.resolve = resolve; + } + + verifyCertFinished(aPRErrorCode, aVerifiedChain, aHasEVPolicy) { + equal(aPRErrorCode, this.expectedError, + `verifying ${this.certName}: should get error ${this.expectedError}`); + if (this.expectedEVStatus != undefined) { + equal(aHasEVPolicy, this.expectedEVStatus, + `verifying ${this.certName}: ` + + `should ${this.expectedEVStatus ? "be" : "not be"} EV`); + } + this.resolve(); + } +} + // certdb implements nsIX509CertDB. See nsIX509CertDB.idl for documentation. // In particular, hostname is optional. function checkCertErrorGenericAtTime(certdb, cert, expectedError, usage, time, - /* optional */ hasEVPolicy, + /* optional */ isEVExpected, /* optional */ hostname) { - info(`cert cn=${cert.commonName}`); - info(`cert issuer cn=${cert.issuerCommonName}`); - let verifiedChain = {}; - let error = certdb.verifyCertAtTime(cert, usage, NO_FLAGS, hostname, time, - verifiedChain, hasEVPolicy || {}); - Assert.equal(error, expectedError, - "Actual and expected error should match"); + return new Promise((resolve, reject) => { + let result = new CertVerificationExpectedErrorResult( + cert.commonName, expectedError, isEVExpected, resolve); + certdb.asyncVerifyCertAtTime(cert, usage, NO_FLAGS, hostname, time, + result); + }); } // certdb implements nsIX509CertDB. See nsIX509CertDB.idl for documentation. // In particular, hostname is optional. function checkCertErrorGeneric(certdb, cert, expectedError, usage, - /* optional */ hasEVPolicy, - /* optional */ hostname) { - info(`cert cn=${cert.commonName}`); - info(`cert issuer cn=${cert.issuerCommonName}`); - let verifiedChain = {}; - let error = certdb.verifyCertNow(cert, usage, NO_FLAGS, hostname, - verifiedChain, hasEVPolicy || {}); - Assert.equal(error, expectedError, - "Actual and expected error should match"); + /* optional */ isEVExpected, + /* optional */ hostname) { + let now = (new Date()).getTime() / 1000; + return checkCertErrorGenericAtTime(certdb, cert, expectedError, usage, now, + isEVExpected, hostname); } function checkEVStatus(certDB, cert, usage, isEVExpected) { - let hasEVPolicy = {}; - checkCertErrorGeneric(certDB, cert, PRErrorCodeSuccess, usage, hasEVPolicy); - Assert.equal(hasEVPolicy.value, isEVExpected, - "Actual and expected EV status should match"); + return checkCertErrorGeneric(certDB, cert, PRErrorCodeSuccess, usage, + isEVExpected); } function _getLibraryFunctionWithNoArguments(functionName, libraryName, returnType) { // Open the NSS library. copied from services/crypto/modules/WeaveCrypto.js let path = ctypes.libraryName(libraryName); // XXX really want to be able to pass specific dlopen flags here. @@ -668,16 +682,25 @@ function startOCSPResponder(serverPort, Assert.equal(expectedResponseTypes.length, 0, "Should have 0 remaining expected response types"); } httpServer.stop(callback); } }; } +// Given an OCSP responder (see startOCSPResponder), returns a promise that +// resolves when the responder has successfully stopped. +function stopOCSPResponder(responder) { + return new Promise((resolve, reject) => { + responder.stop(resolve); + }); +} + + // A prototype for a fake, error-free sslstatus var FakeSSLStatus = function(certificate) { this.serverCert = certificate; }; FakeSSLStatus.prototype = { serverCert: null, cipherName: null,
--- a/security/manager/ssl/tests/unit/test_add_preexisting_cert.js +++ b/security/manager/ssl/tests/unit/test_add_preexisting_cert.js @@ -20,25 +20,25 @@ function load_cert(cert, trust) { function getDERString(cert) { let derString = ""; for (let rawByte of cert.getRawDER({})) { derString += String.fromCharCode(rawByte); } return derString; } -function run_test() { +add_task(async function() { load_cert("ca", "CTu,CTu,CTu"); let int_cert = load_cert("int-limited-depth", "CTu,CTu,CTu"); let file = "test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem"; let cert_pem = readFile(do_get_file(file)); let ee = certDB.constructX509FromBase64(pemToBase64(cert_pem)); - checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess, - certificateUsageSSLServer); + await checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess, + certificateUsageSSLServer); // Change the already existing intermediate certificate's trust using // addCertFromBase64(). notEqual(int_cert, null, "Intermediate cert should be in the cert DB"); let base64_cert = btoa(getDERString(int_cert)); let returnedEE = certDB.addCertFromBase64(base64_cert, "p,p,p"); notEqual(returnedEE, null, "addCertFromBase64 should return a certificate"); - checkCertErrorGeneric(certDB, ee, SEC_ERROR_UNTRUSTED_ISSUER, - certificateUsageSSLServer); -} + await checkCertErrorGeneric(certDB, ee, SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageSSLServer); +});
--- a/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js +++ b/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js @@ -26,22 +26,22 @@ function certFromFile(certName) { function loadCertWithTrust(certName, trustString) { addCertFromFile(gCertDB, `test_baseline_requirements/${certName}.pem`, trustString); } function checkCertOn25August2016(cert, expectedResult) { // (new Date("2016-08-25T00:00:00Z")).getTime() / 1000 const VALIDATION_TIME = 1472083200; - checkCertErrorGenericAtTime(gCertDB, cert, expectedResult, - certificateUsageSSLServer, VALIDATION_TIME, {}, - "example.com"); + return checkCertErrorGenericAtTime(gCertDB, cert, expectedResult, + certificateUsageSSLServer, VALIDATION_TIME, + false, "example.com"); } -function run_test() { +add_task(async function() { registerCleanupFunction(() => { Services.prefs.clearUserPref("security.pki.name_matching_mode"); Services.prefs.clearUserPref("security.test.built_in_root_hash"); Services.prefs.clearUserPref("privacy.reduceTimerPrecision"); }); Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false); @@ -50,142 +50,142 @@ function run_test() { // When verifying a certificate, if the trust anchor is not a built-in root, // name matching will fall back to using the subject common name if necessary // (i.e. if there is no subject alternative name extension or it does not // contain any dNSName or iPAddress entries). Thus, since imported roots are // not in general treated as built-ins, these should all successfully verify // regardless of the value of the pref. Services.prefs.setIntPref("security.pki.name_matching_mode", 0); info("current mode: always fall back, root not built-in"); - checkCertOn25August2016(certFromFile("no-san-recent"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("no-san-old"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("no-san-older"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"), - PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("no-san-recent"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("no-san-old"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("no-san-older"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"), + PRErrorCodeSuccess); Services.prefs.setIntPref("security.pki.name_matching_mode", 1); info("current mode: fall back for notBefore < August 23, 2016, root " + "not built-in"); - checkCertOn25August2016(certFromFile("no-san-recent"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("no-san-old"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("no-san-older"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"), - PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("no-san-recent"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("no-san-old"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("no-san-older"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"), + PRErrorCodeSuccess); Services.prefs.setIntPref("security.pki.name_matching_mode", 2); info("current mode: fall back for notBefore < August 23, 2015, root " + "not built-in"); - checkCertOn25August2016(certFromFile("no-san-recent"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("no-san-old"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("no-san-older"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"), - PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("no-san-recent"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("no-san-old"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("no-san-older"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"), + PRErrorCodeSuccess); Services.prefs.setIntPref("security.pki.name_matching_mode", 3); info("current mode: never fall back, root not built-in"); - checkCertOn25August2016(certFromFile("no-san-recent"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("no-san-old"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("no-san-older"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"), - PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("no-san-recent"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("no-san-old"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("no-san-older"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"), + PRErrorCodeSuccess); // In debug builds, we can treat an imported root as a built-in, and thus we // can actually test the different values of the pref. if (isDebugBuild) { let root = certFromFile("ca"); Services.prefs.setCharPref("security.test.built_in_root_hash", root.sha256Fingerprint); // Always fall back if necessary. Services.prefs.setIntPref("security.pki.name_matching_mode", 0); info("current mode: always fall back, root built-in"); - checkCertOn25August2016(certFromFile("no-san-recent"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("no-san-old"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("no-san-older"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"), - PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("no-san-recent"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("no-san-old"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("no-san-older"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"), + PRErrorCodeSuccess); // Only fall back if notBefore < 23 August 2016 Services.prefs.setIntPref("security.pki.name_matching_mode", 1); info("current mode: fall back for notBefore < August 23, 2016, root " + "built-in"); - checkCertOn25August2016(certFromFile("no-san-recent"), - SSL_ERROR_BAD_CERT_DOMAIN); - checkCertOn25August2016(certFromFile("no-san-old"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("no-san-older"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"), - SSL_ERROR_BAD_CERT_DOMAIN); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"), - PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("no-san-recent"), + SSL_ERROR_BAD_CERT_DOMAIN); + await checkCertOn25August2016(certFromFile("no-san-old"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("no-san-older"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"), + SSL_ERROR_BAD_CERT_DOMAIN); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"), + PRErrorCodeSuccess); // Only fall back if notBefore < 23 August 2015 Services.prefs.setIntPref("security.pki.name_matching_mode", 2); info("current mode: fall back for notBefore < August 23, 2015, root " + "built-in"); - checkCertOn25August2016(certFromFile("no-san-recent"), - SSL_ERROR_BAD_CERT_DOMAIN); - checkCertOn25August2016(certFromFile("no-san-old"), - SSL_ERROR_BAD_CERT_DOMAIN); - checkCertOn25August2016(certFromFile("no-san-older"), - PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"), - SSL_ERROR_BAD_CERT_DOMAIN); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"), - SSL_ERROR_BAD_CERT_DOMAIN); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"), - PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("no-san-recent"), + SSL_ERROR_BAD_CERT_DOMAIN); + await checkCertOn25August2016(certFromFile("no-san-old"), + SSL_ERROR_BAD_CERT_DOMAIN); + await checkCertOn25August2016(certFromFile("no-san-older"), + PRErrorCodeSuccess); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"), + SSL_ERROR_BAD_CERT_DOMAIN); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"), + SSL_ERROR_BAD_CERT_DOMAIN); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"), + PRErrorCodeSuccess); // Never fall back. Services.prefs.setIntPref("security.pki.name_matching_mode", 3); info("current mode: never fall back, root built-in"); - checkCertOn25August2016(certFromFile("no-san-recent"), - SSL_ERROR_BAD_CERT_DOMAIN); - checkCertOn25August2016(certFromFile("no-san-old"), - SSL_ERROR_BAD_CERT_DOMAIN); - checkCertOn25August2016(certFromFile("no-san-older"), - SSL_ERROR_BAD_CERT_DOMAIN); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"), - SSL_ERROR_BAD_CERT_DOMAIN); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"), - SSL_ERROR_BAD_CERT_DOMAIN); - checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"), - SSL_ERROR_BAD_CERT_DOMAIN); + await checkCertOn25August2016(certFromFile("no-san-recent"), + SSL_ERROR_BAD_CERT_DOMAIN); + await checkCertOn25August2016(certFromFile("no-san-old"), + SSL_ERROR_BAD_CERT_DOMAIN); + await checkCertOn25August2016(certFromFile("no-san-older"), + SSL_ERROR_BAD_CERT_DOMAIN); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"), + SSL_ERROR_BAD_CERT_DOMAIN); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"), + SSL_ERROR_BAD_CERT_DOMAIN); + await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"), + SSL_ERROR_BAD_CERT_DOMAIN); } -} +});
--- a/security/manager/ssl/tests/unit/test_cert_blocklist.js +++ b/security/manager/ssl/tests/unit/test_cert_blocklist.js @@ -161,28 +161,29 @@ var addonManager = Cc["@mozilla.org/addo addonManager.observe(null, "addons-startup", null); var converter = Cc["@mozilla.org/intl/scriptableunicodeconverter"] .createInstance(Ci.nsIScriptableUnicodeConverter); converter.charset = "UTF-8"; function verify_cert(file, expectedError) { let ee = constructCertFromFile(file); - checkCertErrorGeneric(certDB, ee, expectedError, certificateUsageSSLServer); + return checkCertErrorGeneric(certDB, ee, expectedError, + certificateUsageSSLServer); } // The certificate blocklist currently only applies to TLS server certificates. -function verify_non_tls_usage_succeeds(file) { +async function verify_non_tls_usage_succeeds(file) { let ee = constructCertFromFile(file); - checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess, - certificateUsageSSLClient); - checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess, - certificateUsageEmailSigner); - checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess, - certificateUsageEmailRecipient); + await checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess, + certificateUsageSSLClient); + await checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess, + certificateUsageEmailSigner); + await checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess, + certificateUsageEmailRecipient); } function load_cert(cert, trust) { let file = "bad_certs/" + cert + ".pem"; addCertFromFile(certDB, file, trust); } function test_is_revoked(certList, issuerString, serialString, subjectString, @@ -304,17 +305,17 @@ function run_test() { { " Rym6o+VN9xgZXT/QLrvN/nv1ZN4=": true}, "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=": { " a0X7/7DlTaedpgrIJg25iBPOkIM=": true}, "YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy": { " YW5vdGhlciBzZXJpYWwu": true, " c2VyaWFsMi4=": true } }; - add_test(function () { + add_task(async function() { // check some existing items in revocations.txt are blocked. Since the // CertBlocklistItems don't know about the data they contain, we can use // arbitrary data (not necessarily DER) to test if items are revoked or not. // This test corresponds to: // issuer: c29tZSBpbWFnaW5hcnkgaXNzdWVy // serial: c2VyaWFsLg== ok(test_is_revoked(certList, "some imaginary issuer", "serial."), "issuer / serial pair should be blocked"); @@ -331,35 +332,33 @@ function run_test() { // (we test this issuer twice to ensure we can read multiple serials) ok(test_is_revoked(certList, "another imaginary issuer", "serial2."), "issuer / serial pair should be blocked"); // Soon we'll load a blocklist which revokes test-int.pem, which issued // test-int-ee.pem. // Check the cert validates before we load the blocklist let file = "test_onecrl/test-int-ee.pem"; - verify_cert(file, PRErrorCodeSuccess); + await verify_cert(file, PRErrorCodeSuccess); // The blocklist also revokes other-test-ca.pem, which issued // other-ca-ee.pem. Check the cert validates before we load the blocklist file = "bad_certs/other-issuer-ee.pem"; - verify_cert(file, PRErrorCodeSuccess); + await verify_cert(file, PRErrorCodeSuccess); // The blocklist will revoke same-issuer-ee.pem via subject / pubKeyHash. // Check the cert validates before we load the blocklist file = "test_onecrl/same-issuer-ee.pem"; - verify_cert(file, PRErrorCodeSuccess); - - run_next_test(); + await verify_cert(file, PRErrorCodeSuccess); }); // blocklist load is async so we must use add_test from here add_task(fetch_blocklist); - add_test(function() { + add_task(async function() { // The blocklist will be loaded now. Let's check the data is sane. // In particular, we should still have the revoked issuer / serial pair // that was in both revocations.txt and the blocklist. ok(test_is_revoked(certList, "another imaginary issuer", "serial2."), "issuer / serial pair should be blocked"); // Check that both serials in the certItem with multiple serials were read // properly @@ -374,48 +373,46 @@ function run_test() { "issuer / serial pair should be blocked"); // Check the blocklist entry has been persisted properly to the backing // file check_revocations_txt_contents(expected); // Check the blocklisted intermediate now causes a failure let file = "test_onecrl/test-int-ee.pem"; - verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); - verify_non_tls_usage_succeeds(file); + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + await verify_non_tls_usage_succeeds(file); // Check the ee with the blocklisted root also causes a failure file = "bad_certs/other-issuer-ee.pem"; - verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); - verify_non_tls_usage_succeeds(file); + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + await verify_non_tls_usage_succeeds(file); // Check the ee blocked by subject / pubKey causes a failure file = "test_onecrl/same-issuer-ee.pem"; - verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); - verify_non_tls_usage_succeeds(file); + await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE); + await verify_non_tls_usage_succeeds(file); // Check a non-blocklisted chain still validates OK file = "bad_certs/default-ee.pem"; - verify_cert(file, PRErrorCodeSuccess); + await verify_cert(file, PRErrorCodeSuccess); // Check a bad cert is still bad (unknown issuer) file = "bad_certs/unknownissuer.pem"; - verify_cert(file, SEC_ERROR_UNKNOWN_ISSUER); + await verify_cert(file, SEC_ERROR_UNKNOWN_ISSUER); // check that save with no further update is a no-op let lastModified = gRevocations.lastModifiedTime; // add an already existing entry certList.revokeCertByIssuerAndSerial("YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy", "c2VyaWFsMi4="); certList.saveEntries(); let newModified = gRevocations.lastModifiedTime; equal(lastModified, newModified, "saveEntries with no modifications should not update the backing file"); - - run_next_test(); }); add_test(function() { // Check the blocklist entry has not changed check_revocations_txt_contents(expected); run_next_test(); });
--- a/security/manager/ssl/tests/unit/test_cert_eku.js +++ b/security/manager/ssl/tests/unit/test_cert_eku.js @@ -18,120 +18,122 @@ function certFromFile(certName) { return constructCertFromFile(`test_cert_eku/${certName}.pem`); } function loadCertWithTrust(certName, trustString) { addCertFromFile(certdb, `test_cert_eku/${certName}.pem`, trustString); } function checkEndEntity(cert, expectedResult) { - checkCertErrorGeneric(certdb, cert, expectedResult, certificateUsageSSLServer); + return checkCertErrorGeneric(certdb, cert, expectedResult, + certificateUsageSSLServer); } function checkCertOn25August2016(cert, expectedResult) { // (new Date("2016-08-25T00:00:00Z")).getTime() / 1000 const VALIDATION_TIME = 1472083200; - checkCertErrorGenericAtTime(certdb, cert, expectedResult, - certificateUsageSSLServer, VALIDATION_TIME); + return checkCertErrorGenericAtTime(certdb, cert, expectedResult, + certificateUsageSSLServer, + VALIDATION_TIME); } -function run_test() { +add_task(async function() { registerCleanupFunction(() => { Services.prefs.clearUserPref("privacy.reduceTimerPrecision"); }); Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false); loadCertWithTrust("ca", "CTu,,"); // end-entity has id-kp-serverAuth => success - checkEndEntity(certFromFile("ee-SA"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-SA"), PRErrorCodeSuccess); // end-entity has id-kp-serverAuth => success - checkEndEntity(certFromFile("ee-SA-CA"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-SA-CA"), PRErrorCodeSuccess); // end-entity has extended key usage, but id-kp-serverAuth is not present => // failure - checkEndEntity(certFromFile("ee-CA"), SEC_ERROR_INADEQUATE_CERT_TYPE); + await checkEndEntity(certFromFile("ee-CA"), SEC_ERROR_INADEQUATE_CERT_TYPE); // end-entity has id-kp-serverAuth => success - checkEndEntity(certFromFile("ee-SA-nsSGC"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-SA-nsSGC"), PRErrorCodeSuccess); // end-entity has extended key usage, but id-kp-serverAuth is not present => // failure (in particular, Netscape Server Gated Crypto (also known as // Netscape Step Up) is not an acceptable substitute for end-entity // certificates). // Verify this for all Netscape Step Up policy configurations. // 0 = "always accept nsSGC in place of serverAuth for CA certificates" Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0); - checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE); + await checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE); // 1 = "accept nsSGC before 23 August 2016" Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1); - checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE); + await checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE); // 2 = "accept nsSGC before 23 August 2015" Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2); - checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE); + await checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE); // 3 = "never accept nsSGC" Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3); - checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE); + await checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE); // end-entity has id-kp-OCSPSigning, which is not acceptable for end-entity // certificates being verified as TLS server certificates => failure - checkEndEntity(certFromFile("ee-SA-OCSP"), SEC_ERROR_INADEQUATE_CERT_TYPE); + await checkEndEntity(certFromFile("ee-SA-OCSP"), SEC_ERROR_INADEQUATE_CERT_TYPE); // intermediate has id-kp-serverAuth => success loadCertWithTrust("int-SA", ",,"); - checkEndEntity(certFromFile("ee-int-SA"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-int-SA"), PRErrorCodeSuccess); // intermediate has id-kp-serverAuth => success loadCertWithTrust("int-SA-CA", ",,"); - checkEndEntity(certFromFile("ee-int-SA-CA"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-int-SA-CA"), PRErrorCodeSuccess); // intermediate has extended key usage, but id-kp-serverAuth is not present // => failure loadCertWithTrust("int-CA", ",,"); - checkEndEntity(certFromFile("ee-int-CA"), SEC_ERROR_INADEQUATE_CERT_TYPE); + await checkEndEntity(certFromFile("ee-int-CA"), SEC_ERROR_INADEQUATE_CERT_TYPE); // intermediate has id-kp-serverAuth => success loadCertWithTrust("int-SA-nsSGC", ",,"); - checkEndEntity(certFromFile("ee-int-SA-nsSGC"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-int-SA-nsSGC"), PRErrorCodeSuccess); // Intermediate has Netscape Server Gated Crypto. Success will depend on the // Netscape Step Up policy configuration and the notBefore property of the // intermediate. loadCertWithTrust("int-nsSGC-recent", ",,"); loadCertWithTrust("int-nsSGC-old", ",,"); loadCertWithTrust("int-nsSGC-older", ",,"); // 0 = "always accept nsSGC in place of serverAuth for CA certificates" Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0); info("Netscape Step Up policy: always accept"); - checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"), + await checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"), PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"), + await checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"), PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"), + await checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"), PRErrorCodeSuccess); // 1 = "accept nsSGC before 23 August 2016" info("Netscape Step Up policy: accept before 23 August 2016"); Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1); - checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"), + await checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"), SEC_ERROR_INADEQUATE_CERT_TYPE); - checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"), + await checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"), PRErrorCodeSuccess); - checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"), + await checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"), PRErrorCodeSuccess); // 2 = "accept nsSGC before 23 August 2015" info("Netscape Step Up policy: accept before 23 August 2015"); Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2); - checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"), + await checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"), SEC_ERROR_INADEQUATE_CERT_TYPE); - checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"), + await checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"), SEC_ERROR_INADEQUATE_CERT_TYPE); - checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"), + await checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"), PRErrorCodeSuccess); // 3 = "never accept nsSGC" info("Netscape Step Up policy: never accept"); Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3); - checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"), + await checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"), SEC_ERROR_INADEQUATE_CERT_TYPE); - checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"), + await checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"), SEC_ERROR_INADEQUATE_CERT_TYPE); - checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"), + await checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"), SEC_ERROR_INADEQUATE_CERT_TYPE); // intermediate has id-kp-OCSPSigning, which is acceptable for CA // certificates => success loadCertWithTrust("int-SA-OCSP", ",,"); - checkEndEntity(certFromFile("ee-int-SA-OCSP"), PRErrorCodeSuccess); -} + await checkEndEntity(certFromFile("ee-int-SA-OCSP"), PRErrorCodeSuccess); +});
--- a/security/manager/ssl/tests/unit/test_cert_embedded_null.js +++ b/security/manager/ssl/tests/unit/test_cert_embedded_null.js @@ -9,30 +9,32 @@ // Includes a similar test case but for the subject alternative name extension. "use strict"; do_get_profile(); // must be called before getting nsIX509CertDB const certdb = Cc["@mozilla.org/security/x509certdb;1"] .getService(Ci.nsIX509CertDB); -function do_testcase(certname, checkCommonName) { +async function do_testcase(certname, checkCommonName) { let cert = constructCertFromFile(`test_cert_embedded_null/${certname}.pem`); // Where applicable, check that the testcase is meaningful (i.e. that the // certificate's subject common name has an embedded NUL in it). if (checkCommonName) { equal(cert.commonName, "www.bank1.com\\00www.bad-guy.com", "certificate subject common name should have an embedded NUL byte"); } - checkCertErrorGeneric(certdb, cert, SSL_ERROR_BAD_CERT_DOMAIN, - certificateUsageSSLServer, {}, "www.bank1.com"); - checkCertErrorGeneric(certdb, cert, SSL_ERROR_BAD_CERT_DOMAIN, - certificateUsageSSLServer, {}, "www.bad-guy.com"); + await checkCertErrorGeneric(certdb, cert, SSL_ERROR_BAD_CERT_DOMAIN, + certificateUsageSSLServer, undefined, + "www.bank1.com"); + await checkCertErrorGeneric(certdb, cert, SSL_ERROR_BAD_CERT_DOMAIN, + certificateUsageSSLServer, undefined, + "www.bad-guy.com"); } -function run_test() { +add_task(async function() { addCertFromFile(certdb, "test_cert_embedded_null/ca.pem", "CTu,,"); - do_testcase("embeddedNull", true); - do_testcase("embeddedNullSAN", false); - do_testcase("embeddedNullCNAndSAN", true); - do_testcase("embeddedNullSAN2", false); -} + await do_testcase("embeddedNull", true); + await do_testcase("embeddedNullSAN", false); + await do_testcase("embeddedNullCNAndSAN", true); + await do_testcase("embeddedNullSAN2", false); +});
--- a/security/manager/ssl/tests/unit/test_cert_sha1.js +++ b/security/manager/ssl/tests/unit/test_cert_sha1.js @@ -22,21 +22,22 @@ function certFromFile(certName) { return constructCertFromFile("test_cert_sha1/" + certName + ".pem"); } function loadCertWithTrust(certName, trustString) { addCertFromFile(certdb, "test_cert_sha1/" + certName + ".pem", trustString); } function checkEndEntity(cert, expectedResult) { - checkCertErrorGenericAtTime(certdb, cert, expectedResult, - certificateUsageSSLServer, VALIDATION_TIME); + return checkCertErrorGenericAtTime(certdb, cert, expectedResult, + certificateUsageSSLServer, + VALIDATION_TIME); } -function run_test() { +add_task(async function() { loadCertWithTrust("ca", "CTu,,"); loadCertWithTrust("int-pre", ",,"); loadCertWithTrust("int-post", ",,"); // Test cases per pref setting // // root intermed. end entity // =========================== @@ -82,61 +83,61 @@ function run_test() { // verifier does not take into account the currently configured SHA-1 policy. // This is in part due to implementation complexity and because this isn't // actually how TLS web server certificates are verified in the TLS handshake // (which makes a full implementation that supports heeding the SHA-1 policy // unnecessary). // SHA-1 allowed Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 0); - checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee-post_int-pre"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee-post_int-post"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-post_int-pre"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-post_int-post"), PRErrorCodeSuccess); // SHA-1 forbidden Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 1); - checkEndEntity(certFromFile("ee-pre_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); - checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); - checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); + await checkEndEntity(certFromFile("ee-pre_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); + await checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); + await checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); // SHA-1 forbidden (test the case where the pref has been set to 2) Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 2); - checkEndEntity(certFromFile("ee-pre_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); - checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); - checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); + await checkEndEntity(certFromFile("ee-pre_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); + await checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); + await checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); // SHA-1 allowed only when issued by an imported root. First test with the // test root considered a built-in (on debug only - this functionality is // disabled on non-debug builds). Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 3); if (isDebugBuild) { let root = certFromFile("ca"); Services.prefs.setCharPref("security.test.built_in_root_hash", root.sha256Fingerprint); - checkEndEntity(certFromFile("ee-pre_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); - checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); - checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); + await checkEndEntity(certFromFile("ee-pre_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); + await checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); + await checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); Services.prefs.clearUserPref("security.test.built_in_root_hash"); } // SHA-1 still allowed only when issued by an imported root. // Now test with the test root considered a non-built-in. - checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee-post_int-pre"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee-post_int-post"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-post_int-pre"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-post_int-post"), PRErrorCodeSuccess); // SHA-1 allowed before 2016 or when issued by an imported root. First test // with the test root considered a built-in. Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 4); if (isDebugBuild) { let root = certFromFile("ca"); Services.prefs.setCharPref("security.test.built_in_root_hash", root.sha256Fingerprint); - checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); - checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); + await checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); + await checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); Services.prefs.clearUserPref("security.test.built_in_root_hash"); } // SHA-1 still only allowed before 2016 or when issued by an imported root. // Now test with the test root considered a non-built-in. - checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee-post_int-pre"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee-post_int-post"), PRErrorCodeSuccess); -} + await checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-post_int-pre"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-post_int-post"), PRErrorCodeSuccess); +});
--- a/security/manager/ssl/tests/unit/test_cert_signatures.js +++ b/security/manager/ssl/tests/unit/test_cert_signatures.js @@ -39,25 +39,25 @@ function readAndTamperWithNthByte(certif const BYTE_IN_SIGNATURE = -8; function addSignatureTamperedCertificate(certificatePath) { let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SIGNATURE); certdb.addCertFromBase64(base64, ",,"); } function ensureSignatureVerificationFailure(certificatePath) { let cert = constructCertFromFile(certificatePath); - checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE, - certificateUsageSSLServer); + return checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE, + certificateUsageSSLServer); } function tamperWithSignatureAndEnsureVerificationFailure(certificatePath) { let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SIGNATURE); let cert = certdb.constructX509FromBase64(base64); - checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE, - certificateUsageSSLServer); + return checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE, + certificateUsageSSLServer); } // The beginning of a certificate looks like this (in hex, using DER): // 30 XX XX XX [the XX encode length - there are probably 3 bytes here] // 30 XX XX XX [length again] // A0 03 // 02 01 // 02 @@ -76,46 +76,46 @@ function addSerialNumberTamperedCertific BYTE_IN_SERIAL_NUMBER); certdb.addCertFromBase64(base64, ",,"); } function tamperWithSerialNumberAndEnsureVerificationFailure(certificatePath) { let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SERIAL_NUMBER); let cert = certdb.constructX509FromBase64(base64); - checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE, - certificateUsageSSLServer); + return checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE, + certificateUsageSSLServer); } -function run_test() { +add_task(async function() { addCertFromFile(certdb, "test_cert_signatures/ca-rsa.pem", "CTu,,"); addCertFromFile(certdb, "test_cert_signatures/ca-secp384r1.pem", "CTu,,"); // Tamper with the signatures on intermediate certificates and ensure that // end-entity certificates issued by those intermediates do not validate // successfully. addSignatureTamperedCertificate("test_cert_signatures/int-rsa.pem"); addSignatureTamperedCertificate("test_cert_signatures/int-secp384r1.pem"); - ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem"); - ensureSignatureVerificationFailure("test_cert_signatures/ee-secp384r1.pem"); + await ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem"); + await ensureSignatureVerificationFailure("test_cert_signatures/ee-secp384r1.pem"); // Tamper with the signatures on end-entity certificates and ensure that they // do not validate successfully. - tamperWithSignatureAndEnsureVerificationFailure( + await tamperWithSignatureAndEnsureVerificationFailure( "test_cert_signatures/ee-rsa-direct.pem"); - tamperWithSignatureAndEnsureVerificationFailure( + await tamperWithSignatureAndEnsureVerificationFailure( "test_cert_signatures/ee-secp384r1-direct.pem"); // Tamper with the serial numbers of intermediate certificates and ensure // that end-entity certificates issued by those intermediates do not validate // successfully. addSerialNumberTamperedCertificate("test_cert_signatures/int-rsa.pem"); addSerialNumberTamperedCertificate("test_cert_signatures/int-secp384r1.pem"); - ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem"); - ensureSignatureVerificationFailure("test_cert_signatures/ee-secp384r1.pem"); + await ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem"); + await ensureSignatureVerificationFailure("test_cert_signatures/ee-secp384r1.pem"); // Tamper with the serial numbers of end-entity certificates and ensure that // they do not validate successfully. - tamperWithSerialNumberAndEnsureVerificationFailure( + await tamperWithSerialNumberAndEnsureVerificationFailure( "test_cert_signatures/ee-rsa-direct.pem"); - tamperWithSerialNumberAndEnsureVerificationFailure( + await tamperWithSerialNumberAndEnsureVerificationFailure( "test_cert_signatures/ee-secp384r1-direct.pem"); -} +});
--- a/security/manager/ssl/tests/unit/test_cert_trust.js +++ b/security/manager/ssl/tests/unit/test_cert_trust.js @@ -18,129 +18,129 @@ function load_cert(cert_name, trust_stri function setup_basic_trusts(ca_cert, int_cert) { certdb.setCertTrust(ca_cert, Ci.nsIX509Cert.CA_CERT, Ci.nsIX509CertDB.TRUSTED_SSL | Ci.nsIX509CertDB.TRUSTED_EMAIL); certdb.setCertTrust(int_cert, Ci.nsIX509Cert.CA_CERT, 0); } -function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) { +async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) { // On reset most usages are successful - checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, - certificateUsageSSLServer); - checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, - certificateUsageSSLClient); - checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID, - certificateUsageSSLCA); - checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, - certificateUsageEmailSigner); - checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, - certificateUsageEmailRecipient); + await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageSSLServer); + await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageSSLClient); + await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA); + await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageEmailSigner); + await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageEmailRecipient); // Test of active distrust. No usage should pass. setCertTrust(cert_to_modify_trust, "p,p,p"); - checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, - certificateUsageSSLServer); - checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, - certificateUsageSSLClient); - checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID, - certificateUsageSSLCA); - checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, - certificateUsageEmailSigner); - checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, - certificateUsageEmailRecipient); + await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageSSLServer); + await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageSSLClient); + await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA); + await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageEmailSigner); + await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageEmailRecipient); // Trust set to T - trusted CA to issue client certs, where client cert is // usageSSLClient. setCertTrust(cert_to_modify_trust, "T,T,T"); - checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER - : PRErrorCodeSuccess, - certificateUsageSSLServer); + await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER + : PRErrorCodeSuccess, + certificateUsageSSLServer); // XXX(Bug 982340) - checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER - : PRErrorCodeSuccess, - certificateUsageSSLClient); + await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER + : PRErrorCodeSuccess, + certificateUsageSSLClient); - checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID, - certificateUsageSSLCA); + await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA); - checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER - : PRErrorCodeSuccess, - certificateUsageEmailSigner); - checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER - : PRErrorCodeSuccess, - certificateUsageEmailRecipient); + await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER + : PRErrorCodeSuccess, + certificateUsageEmailSigner); + await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER + : PRErrorCodeSuccess, + certificateUsageEmailRecipient); // Now tests on the SSL trust bit setCertTrust(cert_to_modify_trust, "p,C,C"); - checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, - certificateUsageSSLServer); + await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageSSLServer); // XXX(Bug 982340) - checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, - certificateUsageSSLClient); - checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID, - certificateUsageSSLCA); - checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, - certificateUsageEmailSigner); - checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, - certificateUsageEmailRecipient); + await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageSSLClient); + await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA); + await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageEmailSigner); + await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageEmailRecipient); // Inherited trust SSL setCertTrust(cert_to_modify_trust, ",C,C"); - checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER - : PRErrorCodeSuccess, - certificateUsageSSLServer); + await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER + : PRErrorCodeSuccess, + certificateUsageSSLServer); // XXX(Bug 982340) - checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, - certificateUsageSSLClient); - checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID, - certificateUsageSSLCA); - checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, - certificateUsageEmailSigner); - checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, - certificateUsageEmailRecipient); + await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageSSLClient); + await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA); + await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageEmailSigner); + await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageEmailRecipient); // Now tests on the EMAIL trust bit setCertTrust(cert_to_modify_trust, "C,p,C"); - checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, - certificateUsageSSLServer); - checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, - certificateUsageSSLClient); - checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID, - certificateUsageSSLCA); - checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, - certificateUsageEmailSigner); - checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, - certificateUsageEmailRecipient); + await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageSSLServer); + await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageSSLClient); + await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA); + await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageEmailSigner); + await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER, + certificateUsageEmailRecipient); // inherited EMAIL Trust setCertTrust(cert_to_modify_trust, "C,,C"); - checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, - certificateUsageSSLServer); - checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER - : PRErrorCodeSuccess, - certificateUsageSSLClient); - checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID, - certificateUsageSSLCA); - checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER - : PRErrorCodeSuccess, - certificateUsageEmailSigner); - checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER - : PRErrorCodeSuccess, - certificateUsageEmailRecipient); + await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageSSLServer); + await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER + : PRErrorCodeSuccess, + certificateUsageSSLClient); + await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID, + certificateUsageSSLCA); + await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER + : PRErrorCodeSuccess, + certificateUsageEmailSigner); + await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER + : PRErrorCodeSuccess, + certificateUsageEmailRecipient); } -function run_test() { +add_task(async function() { let certList = [ "ca", "int", "ee", ]; let loadedCerts = []; for (let certName of certList) { loadedCerts.push(load_cert(certName, ",,")); @@ -149,41 +149,41 @@ function run_test() { let ca_cert = loadedCerts[0]; notEqual(ca_cert, null, "CA cert should have successfully loaded"); let int_cert = loadedCerts[1]; notEqual(int_cert, null, "Intermediate cert should have successfully loaded"); let ee_cert = loadedCerts[2]; notEqual(ee_cert, null, "EE cert should have successfully loaded"); setup_basic_trusts(ca_cert, int_cert); - test_ca_distrust(ee_cert, ca_cert, true); + await test_ca_distrust(ee_cert, ca_cert, true); setup_basic_trusts(ca_cert, int_cert); - test_ca_distrust(ee_cert, int_cert, false); + await test_ca_distrust(ee_cert, int_cert, false); // Reset trust to default ("inherit trust") setCertTrust(ca_cert, ",,"); setCertTrust(int_cert, ",,"); // If an end-entity certificate is manually trusted, it may not be the root of // its own verified chain. In general this will cause "unknown issuer" errors // unless a CA trust anchor can be found. setCertTrust(ee_cert, "CTu,CTu,CTu"); - checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER, - certificateUsageSSLServer); - checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER, - certificateUsageSSLClient); - checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER, - certificateUsageEmailSigner); - checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER, - certificateUsageEmailRecipient); + await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageSSLServer); + await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageSSLClient); + await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageEmailSigner); + await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER, + certificateUsageEmailRecipient); // Now make a CA trust anchor available. setCertTrust(ca_cert, "CTu,CTu,CTu"); - checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, - certificateUsageSSLServer); - checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, - certificateUsageSSLClient); - checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, - certificateUsageEmailSigner); - checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, - certificateUsageEmailRecipient); -} + await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageSSLServer); + await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageSSLClient); + await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageEmailSigner); + await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess, + certificateUsageEmailRecipient); +});
--- a/security/manager/ssl/tests/unit/test_cert_version.js +++ b/security/manager/ssl/tests/unit/test_cert_version.js @@ -37,154 +37,156 @@ function certFromFile(certName) { return constructCertFromFile("test_cert_version/" + certName + ".pem"); } function loadCertWithTrust(certName, trustString) { addCertFromFile(certdb, "test_cert_version/" + certName + ".pem", trustString); } function checkEndEntity(cert, expectedResult) { - checkCertErrorGeneric(certdb, cert, expectedResult, certificateUsageSSLServer); + return checkCertErrorGeneric(certdb, cert, expectedResult, + certificateUsageSSLServer); } function checkIntermediate(cert, expectedResult) { - checkCertErrorGeneric(certdb, cert, expectedResult, certificateUsageSSLCA); + return checkCertErrorGeneric(certdb, cert, expectedResult, + certificateUsageSSLCA); } // Test that the code that decodes certificates to display them in the // certificate manager correctly handles the version field. function checkCertVersion(cert, expectedVersionString) { let asn1 = cert.ASN1Structure.QueryInterface(Ci.nsIASN1Sequence); let tbsCertificate = asn1.ASN1Objects.queryElementAt(0, Ci.nsIASN1Sequence); let version = tbsCertificate.ASN1Objects.queryElementAt(0, Ci.nsIASN1Object); equal(version.displayValue, expectedVersionString, "Actual and expected version strings should match"); } -function run_test() { +add_task(async function() { loadCertWithTrust("ca", "CTu,,"); // Section for CAs lacking the basicConstraints extension entirely: loadCertWithTrust("int-v1-noBC_ca", ",,"); - checkIntermediate(certFromFile("int-v1-noBC_ca"), MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA); - checkEndEntity(certFromFile("ee_int-v1-noBC"), MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA); + await checkIntermediate(certFromFile("int-v1-noBC_ca"), MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA); + await checkEndEntity(certFromFile("ee_int-v1-noBC"), MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA); // A v1 certificate with no basicConstraints extension may issue certificates // if it is a trust anchor. loadCertWithTrust("int-v1-noBC_ca", "CTu,,"); - checkIntermediate(certFromFile("int-v1-noBC_ca"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee_int-v1-noBC"), PRErrorCodeSuccess); + await checkIntermediate(certFromFile("int-v1-noBC_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v1-noBC"), PRErrorCodeSuccess); loadCertWithTrust("int-v2-noBC_ca", ",,"); - checkIntermediate(certFromFile("int-v2-noBC_ca"), SEC_ERROR_CA_CERT_INVALID); - checkEndEntity(certFromFile("ee_int-v2-noBC"), SEC_ERROR_CA_CERT_INVALID); + await checkIntermediate(certFromFile("int-v2-noBC_ca"), SEC_ERROR_CA_CERT_INVALID); + await checkEndEntity(certFromFile("ee_int-v2-noBC"), SEC_ERROR_CA_CERT_INVALID); loadCertWithTrust("int-v2-noBC_ca", "CTu,,"); - checkIntermediate(certFromFile("int-v2-noBC_ca"), SEC_ERROR_CA_CERT_INVALID); - checkEndEntity(certFromFile("ee_int-v2-noBC"), SEC_ERROR_CA_CERT_INVALID); + await checkIntermediate(certFromFile("int-v2-noBC_ca"), SEC_ERROR_CA_CERT_INVALID); + await checkEndEntity(certFromFile("ee_int-v2-noBC"), SEC_ERROR_CA_CERT_INVALID); loadCertWithTrust("int-v3-noBC_ca", ",,"); - checkIntermediate(certFromFile("int-v3-noBC_ca"), SEC_ERROR_CA_CERT_INVALID); - checkEndEntity(certFromFile("ee_int-v3-noBC"), SEC_ERROR_CA_CERT_INVALID); + await checkIntermediate(certFromFile("int-v3-noBC_ca"), SEC_ERROR_CA_CERT_INVALID); + await checkEndEntity(certFromFile("ee_int-v3-noBC"), SEC_ERROR_CA_CERT_INVALID); loadCertWithTrust("int-v3-noBC_ca", "CTu,,"); - checkIntermediate(certFromFile("int-v3-noBC_ca"), SEC_ERROR_CA_CERT_INVALID); - checkEndEntity(certFromFile("ee_int-v3-noBC"), SEC_ERROR_CA_CERT_INVALID); + await checkIntermediate(certFromFile("int-v3-noBC_ca"), SEC_ERROR_CA_CERT_INVALID); + await checkEndEntity(certFromFile("ee_int-v3-noBC"), SEC_ERROR_CA_CERT_INVALID); loadCertWithTrust("int-v4-noBC_ca", ",,"); - checkIntermediate(certFromFile("int-v4-noBC_ca"), SEC_ERROR_CA_CERT_INVALID); - checkEndEntity(certFromFile("ee_int-v4-noBC"), SEC_ERROR_CA_CERT_INVALID); + await checkIntermediate(certFromFile("int-v4-noBC_ca"), SEC_ERROR_CA_CERT_INVALID); + await checkEndEntity(certFromFile("ee_int-v4-noBC"), SEC_ERROR_CA_CERT_INVALID); loadCertWithTrust("int-v4-noBC_ca", "CTu,,"); - checkIntermediate(certFromFile("int-v4-noBC_ca"), SEC_ERROR_CA_CERT_INVALID); - checkEndEntity(certFromFile("ee_int-v4-noBC"), SEC_ERROR_CA_CERT_INVALID); + await checkIntermediate(certFromFile("int-v4-noBC_ca"), SEC_ERROR_CA_CERT_INVALID); + await checkEndEntity(certFromFile("ee_int-v4-noBC"), SEC_ERROR_CA_CERT_INVALID); // Section for CAs with basicConstraints not specifying cA: loadCertWithTrust("int-v1-BC-not-cA_ca", ",,"); - checkIntermediate(certFromFile("int-v1-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID); - checkEndEntity(certFromFile("ee_int-v1-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID); + await checkIntermediate(certFromFile("int-v1-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID); + await checkEndEntity(certFromFile("ee_int-v1-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID); loadCertWithTrust("int-v1-BC-not-cA_ca", "CTu,,"); - checkIntermediate(certFromFile("int-v1-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID); - checkEndEntity(certFromFile("ee_int-v1-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID); + await checkIntermediate(certFromFile("int-v1-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID); + await checkEndEntity(certFromFile("ee_int-v1-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID); loadCertWithTrust("int-v2-BC-not-cA_ca", ",,"); - checkIntermediate(certFromFile("int-v2-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID); - checkEndEntity(certFromFile("ee_int-v2-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID); + await checkIntermediate(certFromFile("int-v2-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID); + await checkEndEntity(certFromFile("ee_int-v2-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID); loadCertWithTrust("int-v2-BC-not-cA_ca", "CTu,,"); - checkIntermediate(certFromFile("int-v2-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID); - checkEndEntity(certFromFile("ee_int-v2-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID); + await checkIntermediate(certFromFile("int-v2-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID); + await checkEndEntity(certFromFile("ee_int-v2-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID); loadCertWithTrust("int-v3-BC-not-cA_ca", ",,"); - checkIntermediate(certFromFile("int-v3-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID); - checkEndEntity(certFromFile("ee_int-v3-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID); + await checkIntermediate(certFromFile("int-v3-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID); + await checkEndEntity(certFromFile("ee_int-v3-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID); loadCertWithTrust("int-v3-BC-not-cA_ca", "CTu,,"); - checkIntermediate(certFromFile("int-v3-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID); - checkEndEntity(certFromFile("ee_int-v3-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID); + await checkIntermediate(certFromFile("int-v3-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID); + await checkEndEntity(certFromFile("ee_int-v3-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID); loadCertWithTrust("int-v4-BC-not-cA_ca", ",,"); - checkIntermediate(certFromFile("int-v4-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID); - checkEndEntity(certFromFile("ee_int-v4-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID); + await checkIntermediate(certFromFile("int-v4-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID); + await checkEndEntity(certFromFile("ee_int-v4-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID); loadCertWithTrust("int-v4-BC-not-cA_ca", "CTu,,"); - checkIntermediate(certFromFile("int-v4-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID); - checkEndEntity(certFromFile("ee_int-v4-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID); + await checkIntermediate(certFromFile("int-v4-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID); + await checkEndEntity(certFromFile("ee_int-v4-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID); // Section for CAs with basicConstraints specifying cA: loadCertWithTrust("int-v1-BC-cA_ca", ",,"); - checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess); + await checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess); loadCertWithTrust("int-v1-BC-cA_ca", "CTu,,"); - checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess); + await checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess); loadCertWithTrust("int-v2-BC-cA_ca", ",,"); - checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess); + await checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess); loadCertWithTrust("int-v2-BC-cA_ca", "CTu,,"); - checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess); + await checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess); loadCertWithTrust("int-v3-BC-cA_ca", ",,"); - checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess); + await checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess); loadCertWithTrust("int-v3-BC-cA_ca", "CTu,,"); - checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess); + await checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess); loadCertWithTrust("int-v4-BC-cA_ca", ",,"); - checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess); + await checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess); loadCertWithTrust("int-v4-BC-cA_ca", "CTu,,"); - checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess); + await checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess); // Section for end-entity certificates with various basicConstraints: - checkEndEntity(certFromFile("ee-v1-noBC_ca"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee-v2-noBC_ca"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee-v3-noBC_ca"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee-v4-noBC_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-v1-noBC_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-v2-noBC_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-v3-noBC_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-v4-noBC_ca"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee-v1-BC-not-cA_ca"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee-v2-BC-not-cA_ca"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee-v3-BC-not-cA_ca"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee-v4-BC-not-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-v1-BC-not-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-v2-BC-not-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-v3-BC-not-cA_ca"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("ee-v4-BC-not-cA_ca"), PRErrorCodeSuccess); - checkEndEntity(certFromFile("ee-v1-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY); - checkEndEntity(certFromFile("ee-v2-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY); - checkEndEntity(certFromFile("ee-v3-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY); - checkEndEntity(certFromFile("ee-v4-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY); + await checkEndEntity(certFromFile("ee-v1-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY); + await checkEndEntity(certFromFile("ee-v2-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY); + await checkEndEntity(certFromFile("ee-v3-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY); + await checkEndEntity(certFromFile("ee-v4-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY); // Section for self-signed certificates: - checkEndEntity(certFromFile("ss-v1-noBC"), SEC_ERROR_UNKNOWN_ISSUER); - checkEndEntity(certFromFile("ss-v2-noBC"), SEC_ERROR_UNKNOWN_ISSUER); - checkEndEntity(certFromFile("ss-v3-noBC"), SEC_ERROR_UNKNOWN_ISSUER); - checkEndEntity(certFromFile("ss-v4-noBC"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v1-noBC"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v2-noBC"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v3-noBC"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v4-noBC"), SEC_ERROR_UNKNOWN_ISSUER); - checkEndEntity(certFromFile("ss-v1-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER); - checkEndEntity(certFromFile("ss-v2-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER); - checkEndEntity(certFromFile("ss-v3-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER); - checkEndEntity(certFromFile("ss-v4-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v1-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v2-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v3-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v4-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER); - checkEndEntity(certFromFile("ss-v1-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER); - checkEndEntity(certFromFile("ss-v2-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER); - checkEndEntity(certFromFile("ss-v3-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER); - checkEndEntity(certFromFile("ss-v4-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v1-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v2-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v3-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER); + await checkEndEntity(certFromFile("ss-v4-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER); checkCertVersion(certFromFile("ss-v1-noBC"), "Version 1"); checkCertVersion(certFromFile("int-v2-BC-cA_ca"), "Version 2"); checkCertVersion(certFromFile("ee-v3-BC-not-cA_ca"), "Version 3"); checkCertVersion(certFromFile("int-v4-BC-not-cA_ca"), "Version 4"); -} +});
--- a/security/manager/ssl/tests/unit/test_keysize.js +++ b/security/manager/ssl/tests/unit/test_keysize.js @@ -19,109 +19,109 @@ const certdb = Cc["@mozilla.org/security * The key type of the root certificate, or the name of an elliptic * curve, as output by the 'openssl ecparam -list_curves' command. * @param {Number} rootKeySize * @param {String} intKeyType * @param {Number} intKeySize * @param {String} eeKeyType * @param {Number} eeKeySize * @param {PRErrorCode} eeExpectedError + * @return {Promise} a promise that will resolve when the verification has + * completed */ function checkChain(rootKeyType, rootKeySize, intKeyType, intKeySize, eeKeyType, eeKeySize, eeExpectedError) { let rootName = "root_" + rootKeyType + "_" + rootKeySize; let intName = "int_" + intKeyType + "_" + intKeySize; let eeName = "ee_" + eeKeyType + "_" + eeKeySize; let intFullName = intName + "-" + rootName; let eeFullName = eeName + "-" + intName + "-" + rootName; addCertFromFile(certdb, `test_keysize/${rootName}.pem`, "CTu,CTu,CTu"); addCertFromFile(certdb, `test_keysize/${intFullName}.pem`, ",,"); let eeCert = constructCertFromFile(`test_keysize/${eeFullName}.pem`); info("cert o=" + eeCert.organization); info("cert issuer o=" + eeCert.issuerOrganization); - checkCertErrorGeneric(certdb, eeCert, eeExpectedError, - certificateUsageSSLServer); + return checkCertErrorGeneric(certdb, eeCert, eeExpectedError, + certificateUsageSSLServer); } /** * Tests various RSA chains. * * @param {Number} inadequateKeySize * @param {Number} adequateKeySize */ -function checkRSAChains(inadequateKeySize, adequateKeySize) { +async function checkRSAChains(inadequateKeySize, adequateKeySize) { // Chain with certs that have adequate sizes for DV - checkChain("rsa", adequateKeySize, - "rsa", adequateKeySize, - "rsa", adequateKeySize, - PRErrorCodeSuccess); + await checkChain("rsa", adequateKeySize, + "rsa", adequateKeySize, + "rsa", adequateKeySize, + PRErrorCodeSuccess); // Chain with a root cert that has an inadequate size for DV - checkChain("rsa", inadequateKeySize, - "rsa", adequateKeySize, - "rsa", adequateKeySize, - MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE); + await checkChain("rsa", inadequateKeySize, + "rsa", adequateKeySize, + "rsa", adequateKeySize, + MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE); // Chain with an intermediate cert that has an inadequate size for DV - checkChain("rsa", adequateKeySize, - "rsa", inadequateKeySize, - "rsa", adequateKeySize, - MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE); + await checkChain("rsa", adequateKeySize, + "rsa", inadequateKeySize, + "rsa", adequateKeySize, + MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE); // Chain with an end entity cert that has an inadequate size for DV - checkChain("rsa", adequateKeySize, - "rsa", adequateKeySize, - "rsa", inadequateKeySize, - MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE); + await checkChain("rsa", adequateKeySize, + "rsa", adequateKeySize, + "rsa", inadequateKeySize, + MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE); } -function checkECCChains() { - checkChain("secp256r1", 256, - "secp384r1", 384, - "secp521r1", 521, - PRErrorCodeSuccess); - checkChain("secp256r1", 256, - "secp224r1", 224, - "secp256r1", 256, - SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); - checkChain("secp256r1", 256, - "secp256r1", 256, - "secp224r1", 224, - SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); - checkChain("secp224r1", 224, - "secp256r1", 256, - "secp256r1", 256, - SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); - checkChain("secp256r1", 256, - "secp256r1", 256, - "secp256k1", 256, - SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); - checkChain("secp256k1", 256, - "secp256r1", 256, - "secp256r1", 256, - SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); +async function checkECCChains() { + await checkChain("secp256r1", 256, + "secp384r1", 384, + "secp521r1", 521, + PRErrorCodeSuccess); + await checkChain("secp256r1", 256, + "secp224r1", 224, + "secp256r1", 256, + SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); + await checkChain("secp256r1", 256, + "secp256r1", 256, + "secp224r1", 224, + SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); + await checkChain("secp224r1", 224, + "secp256r1", 256, + "secp256r1", 256, + SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); + await checkChain("secp256r1", 256, + "secp256r1", 256, + "secp256k1", 256, + SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); + await checkChain("secp256k1", 256, + "secp256r1", 256, + "secp256r1", 256, + SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); } -function checkCombinationChains() { - checkChain("rsa", 2048, - "secp256r1", 256, - "secp384r1", 384, - PRErrorCodeSuccess); - checkChain("rsa", 2048, - "secp256r1", 256, - "secp224r1", 224, - SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); - checkChain("secp256r1", 256, - "rsa", 1016, - "secp256r1", 256, - MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE); +async function checkCombinationChains() { + await checkChain("rsa", 2048, + "secp256r1", 256, + "secp384r1", 384, + PRErrorCodeSuccess); + await checkChain("rsa", 2048, + "secp256r1", 256, + "secp224r1", 224, + SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); + await checkChain("secp256r1", 256, + "rsa", 1016, + "secp256r1", 256, + MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE); } -function run_test() { - checkRSAChains(1016, 1024); - checkECCChains(); - checkCombinationChains(); - - run_next_test(); -} +add_task(async function() { + await checkRSAChains(1016, 1024); + await checkECCChains(); + await checkCombinationChains(); +});
--- a/security/manager/ssl/tests/unit/test_keysize_ev.js +++ b/security/manager/ssl/tests/unit/test_keysize_ev.js @@ -20,49 +20,47 @@ function getOCSPResponder(expectedCertNa function loadCert(certName, trustString) { let certFilename = "test_keysize_ev/" + certName + ".pem"; addCertFromFile(certDB, certFilename, trustString); return constructCertFromFile(certFilename); } /** - * Adds a single EV key size test. + * Asynchronously runs a single EV key size test. * * @param {Array} expectedNamesForOCSP * An array of nicknames of the certs to be responded to. * @param {String} rootCertFileName * The file name of the root cert. Can begin with ".." to reference * certs in folders other than "test_keysize_ev/". * @param {Array} intCertFileNames * An array of file names of any intermediate certificates. * @param {String} endEntityCertFileName * The file name of the end entity cert. * @param {Boolean} expectedResult * Whether the chain is expected to validate as EV. */ -function addKeySizeTestForEV(expectedNamesForOCSP, - rootCertFileName, intCertFileNames, - endEntityCertFileName, expectedResult) { - add_test(function() { - clearOCSPCache(); - let ocspResponder = getOCSPResponder(expectedNamesForOCSP); +async function keySizeTestForEV(expectedNamesForOCSP, + rootCertFileName, intCertFileNames, + endEntityCertFileName, expectedResult) { + clearOCSPCache(); + let ocspResponder = getOCSPResponder(expectedNamesForOCSP); - loadCert(rootCertFileName, "CTu,CTu,CTu"); - for (let intCertFileName of intCertFileNames) { - loadCert(intCertFileName, ",,"); - } - checkEVStatus( - certDB, - constructCertFromFile(`test_keysize_ev/${endEntityCertFileName}.pem`), - certificateUsageSSLServer, - expectedResult); + loadCert(rootCertFileName, "CTu,CTu,CTu"); + for (let intCertFileName of intCertFileNames) { + loadCert(intCertFileName, ",,"); + } + await checkEVStatus( + certDB, + constructCertFromFile(`test_keysize_ev/${endEntityCertFileName}.pem`), + certificateUsageSSLServer, + expectedResult); - ocspResponder.stop(run_next_test); - }); + await stopOCSPResponder(ocspResponder); } /** * For debug builds which have the test EV roots compiled in, checks RSA chains * which contain certs with key sizes adequate for EV are validated as such, * while chains that contain any cert with an inadequate key size fail EV and * validate as DV. * For opt builds which don't have the test EV roots compiled in, checks that @@ -71,17 +69,17 @@ function addKeySizeTestForEV(expectedNam * Note: This function assumes that the key size requirements for EV are greater * than the requirements for DV. * * @param {Number} inadequateKeySize * The inadequate key size of the generated certs. * @param {Number} adequateKeySize * The adequate key size of the generated certs. */ -function checkRSAChains(inadequateKeySize, adequateKeySize) { +async function checkRSAChains(inadequateKeySize, adequateKeySize) { // Reuse the existing test RSA EV root let rootOKCertFileName = "../test_ev_certs/evroot"; let rootOKName = "evroot"; let rootNotOKName = "ev_root_rsa_" + inadequateKeySize; let intOKName = "ev_int_rsa_" + adequateKeySize; let intNotOKName = "ev_int_rsa_" + inadequateKeySize; let eeOKName = "ev_ee_rsa_" + adequateKeySize; let eeNotOKName = "ev_ee_rsa_" + inadequateKeySize; @@ -91,55 +89,53 @@ function checkRSAChains(inadequateKeySiz // will for example not be done for the "ev_int_rsa_2048-evroot" intermediate // in such a build. let intFullName = intOKName + "-" + rootOKName; let eeFullName = eeOKName + "-" + intOKName + "-" + rootOKName; let expectedNamesForOCSP = gEVExpected ? [ intFullName, eeFullName ] : [ eeFullName ]; - addKeySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName, - [ intFullName ], eeFullName, gEVExpected); + await keySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName, + [ intFullName ], eeFullName, gEVExpected); // Chain with a root cert that has an inadequate size for EV, but // adequate size for DV intFullName = intOKName + "-" + rootNotOKName; eeFullName = eeOKName + "-" + intOKName + "-" + rootNotOKName; expectedNamesForOCSP = [ eeFullName ]; - addKeySizeTestForEV(expectedNamesForOCSP, rootNotOKName, - [ intFullName ], eeFullName, false); + await keySizeTestForEV(expectedNamesForOCSP, rootNotOKName, + [ intFullName ], eeFullName, false); // Chain with an intermediate cert that has an inadequate size for EV, but // adequate size for DV intFullName = intNotOKName + "-" + rootOKName; eeFullName = eeOKName + "-" + intNotOKName + "-" + rootOKName; expectedNamesForOCSP = [ eeFullName ]; - addKeySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName, - [ intFullName ], eeFullName, false); + await keySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName, + [ intFullName ], eeFullName, false); // Chain with an end entity cert that has an inadequate size for EV, but // adequate size for DV intFullName = intOKName + "-" + rootOKName; eeFullName = eeNotOKName + "-" + intOKName + "-" + rootOKName; expectedNamesForOCSP = gEVExpected ? [ intFullName, eeFullName ] : [ eeFullName ]; - addKeySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName, - [ intFullName ], eeFullName, false); + await keySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName, + [ intFullName ], eeFullName, false); } -function run_test() { +add_task(async function() { Services.prefs.setCharPref("network.dns.localDomains", "www.example.com"); Services.prefs.setIntPref("security.OCSP.enabled", 1); let smallKeyEVRoot = constructCertFromFile("test_keysize_ev/ev_root_rsa_2040.pem"); equal(smallKeyEVRoot.sha256Fingerprint, "40:AB:5D:A5:89:15:A9:4B:82:87:B8:A6:9A:84:B1:DB:" + "7A:9D:DB:B8:4E:E1:23:E3:C6:64:E7:50:DC:35:8C:68", "test sanity check: the small-key EV root must have the same " + "fingerprint as the corresponding entry in ExtendedValidation.cpp"); - checkRSAChains(2040, 2048); - - run_next_test(); -} + await checkRSAChains(2040, 2048); +});
--- a/security/manager/ssl/tests/unit/test_name_constraints.js +++ b/security/manager/ssl/tests/unit/test_name_constraints.js @@ -33,31 +33,31 @@ function certFromFile(name) { } function loadCertWithTrust(certName, trustString) { addCertFromFile(certdb, `test_name_constraints/${certName}.pem`, trustString); } function checkCertNotInNameSpace(cert) { - checkCertErrorGeneric(certdb, cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, - certificateUsageSSLServer); + return checkCertErrorGeneric(certdb, cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE, + certificateUsageSSLServer); } function checkCertInNameSpace(cert) { - checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess, - certificateUsageSSLServer); + return checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess, + certificateUsageSSLServer); } -function run_test() { +add_task(async function() { // Test that name constraints from the entire certificate chain are enforced. loadCertWithTrust("ca-example-com-permitted", "CTu,,"); loadCertWithTrust("int-example-org-permitted", ",,"); - checkCertNotInNameSpace(certFromFile("ee-example-com-and-org")); - checkCertNotInNameSpace(certFromFile("ee-example-com")); - checkCertNotInNameSpace(certFromFile("ee-example-org")); - checkCertNotInNameSpace(certFromFile("ee-example-test")); + await checkCertNotInNameSpace(certFromFile("ee-example-com-and-org")); + await checkCertNotInNameSpace(certFromFile("ee-example-com")); + await checkCertNotInNameSpace(certFromFile("ee-example-org")); + await checkCertNotInNameSpace(certFromFile("ee-example-test")); // Test that externally-imposed name constraints are enforced (DCISS tests). loadCertWithTrust("dciss", "CTu,,"); - checkCertInNameSpace(certFromFile("NameConstraints.dcissallowed")); - checkCertNotInNameSpace(certFromFile("NameConstraints.dcissblocked")); -} + await checkCertInNameSpace(certFromFile("NameConstraints.dcissallowed")); + await checkCertNotInNameSpace(certFromFile("NameConstraints.dcissblocked")); +});
--- a/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js +++ b/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js @@ -25,117 +25,94 @@ function getFailingOCSPResponder() { } function getOCSPResponder(expectedCertNames) { return startOCSPResponder(SERVER_PORT, "www.example.com", "test_ev_certs", expectedCertNames, []); } // Tests that in ocspOff mode, OCSP fetches are never done. -function testOff() { - add_test(() => { - Services.prefs.setIntPref("security.OCSP.enabled", 0); - info("Setting security.OCSP.enabled to 0"); - run_next_test(); - }); +async function testOff() { + Services.prefs.setIntPref("security.OCSP.enabled", 0); + info("Setting security.OCSP.enabled to 0"); // EV chains should verify successfully but never get EV status. - add_test(() => { - clearOCSPCache(); - let ocspResponder = getFailingOCSPResponder(); - checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer, - false); - ocspResponder.stop(run_next_test); - }); + clearOCSPCache(); + let ocspResponder = getFailingOCSPResponder(); + await checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), + certificateUsageSSLServer, false); + await stopOCSPResponder(ocspResponder); // A DV chain should verify successfully. - add_test(() => { - clearOCSPCache(); - let ocspResponder = getFailingOCSPResponder(); - checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"), - PRErrorCodeSuccess, certificateUsageSSLServer); - ocspResponder.stop(run_next_test); - }); + clearOCSPCache(); + ocspResponder = getFailingOCSPResponder(); + await checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"), + PRErrorCodeSuccess, certificateUsageSSLServer); + await stopOCSPResponder(ocspResponder); } // Tests that in ocspOn mode, OCSP fetches are done for both EV and DV certs. -function testOn() { - add_test(() => { - Services.prefs.setIntPref("security.OCSP.enabled", 1); - info("Setting security.OCSP.enabled to 1"); - run_next_test(); - }); +async function testOn() { + Services.prefs.setIntPref("security.OCSP.enabled", 1); + info("Setting security.OCSP.enabled to 1"); // If a successful OCSP response is fetched, then an EV chain should verify // successfully and get EV status as well. - add_test(() => { - clearOCSPCache(); - let ocspResponder = + clearOCSPCache(); + let ocspResponder = getOCSPResponder(gEVExpected ? ["test-oid-path-int", "test-oid-path-ee"] : ["test-oid-path-ee"]); - checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer, - gEVExpected); - ocspResponder.stop(run_next_test); - }); + await checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), + certificateUsageSSLServer, gEVExpected); + await stopOCSPResponder(ocspResponder); // If a successful OCSP response is fetched, then a DV chain should verify // successfully. - add_test(() => { - clearOCSPCache(); - let ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]); - checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"), - PRErrorCodeSuccess, certificateUsageSSLServer); - ocspResponder.stop(run_next_test); - }); + clearOCSPCache(); + ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]); + await checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"), + PRErrorCodeSuccess, certificateUsageSSLServer); + await stopOCSPResponder(ocspResponder); } // Tests that in ocspEVOnly mode, OCSP fetches are done for EV certs only. -function testEVOnly() { - add_test(() => { - Services.prefs.setIntPref("security.OCSP.enabled", 2); - info("Setting security.OCSP.enabled to 2"); - run_next_test(); - }); +async function testEVOnly() { + Services.prefs.setIntPref("security.OCSP.enabled", 2); + info("Setting security.OCSP.enabled to 2"); // If a successful OCSP response is fetched, then an EV chain should verify // successfully and get EV status as well. - add_test(() => { - clearOCSPCache(); - let ocspResponder = gEVExpected - ? getOCSPResponder(["test-oid-path-int", "test-oid-path-ee"]) - : getFailingOCSPResponder(); - checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer, - gEVExpected); - ocspResponder.stop(run_next_test); - }); + clearOCSPCache(); + let ocspResponder = gEVExpected + ? getOCSPResponder(["test-oid-path-int", "test-oid-path-ee"]) + : getFailingOCSPResponder(); + await checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), + certificateUsageSSLServer, gEVExpected); + await stopOCSPResponder(ocspResponder); // A DV chain should verify successfully even without doing OCSP fetches. - add_test(() => { - clearOCSPCache(); - let ocspResponder = getFailingOCSPResponder(); - checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"), - PRErrorCodeSuccess, certificateUsageSSLServer); - ocspResponder.stop(run_next_test); - }); + clearOCSPCache(); + ocspResponder = getFailingOCSPResponder(); + await checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"), + PRErrorCodeSuccess, certificateUsageSSLServer); + await stopOCSPResponder(ocspResponder); } -function run_test() { +add_task(async function() { registerCleanupFunction(() => { Services.prefs.clearUserPref("network.dns.localDomains"); Services.prefs.clearUserPref("security.OCSP.enabled"); Services.prefs.clearUserPref("security.OCSP.require"); }); Services.prefs.setCharPref("network.dns.localDomains", "www.example.com"); // Enable hard fail to ensure chains that should only succeed because they get // a good OCSP response do not succeed due to soft fail leniency. Services.prefs.setBoolPref("security.OCSP.require", true); loadCert("evroot", "CTu,,"); loadCert("test-oid-path-int", ",,"); loadCert("non-evroot-ca", "CTu,,"); loadCert("non-ev-root-path-int", ",,"); - testOff(); - testOn(); - testEVOnly(); - - run_next_test(); -} + await testOff(); + await testOn(); + await testEVOnly(); +});
--- a/security/manager/ssl/tests/unit/test_ocsp_fetch_method.js +++ b/security/manager/ssl/tests/unit/test_ocsp_fetch_method.js @@ -23,37 +23,31 @@ function start_ocsp_responder(expectedCe } function check_cert_err(cert_name, expected_error) { let cert = constructCertFromFile("test_ocsp_fetch_method/" + cert_name + ".pem"); return checkCertErrorGeneric(certdb, cert, expected_error, certificateUsageSSLServer); } -function run_test() { +add_task(async function() { addCertFromFile(certdb, "test_ocsp_fetch_method/ca.pem", "CTu,CTu,CTu"); addCertFromFile(certdb, "test_ocsp_fetch_method/int.pem", ",,"); // Enabled so that we can force ocsp failure responses. Services.prefs.setBoolPref("security.OCSP.require", true); Services.prefs.setCharPref("network.dns.localDomains", "www.example.com"); Services.prefs.setIntPref("security.OCSP.enabled", 1); - add_test(function() { - clearOCSPCache(); - Services.prefs.setBoolPref("security.OCSP.GET.enabled", false); - let ocspResponder = start_ocsp_responder(["a"], [], ["POST"]); - check_cert_err("a", PRErrorCodeSuccess); - ocspResponder.stop(run_next_test); - }); + clearOCSPCache(); + Services.prefs.setBoolPref("security.OCSP.GET.enabled", false); + let ocspResponder = start_ocsp_responder(["a"], [], ["POST"]); + await check_cert_err("a", PRErrorCodeSuccess); + await stopOCSPResponder(ocspResponder); - add_test(function() { - clearOCSPCache(); - Services.prefs.setBoolPref("security.OCSP.GET.enabled", true); - let ocspResponder = start_ocsp_responder(["a"], [], ["GET"]); - check_cert_err("a", PRErrorCodeSuccess); - ocspResponder.stop(run_next_test); - }); - - run_next_test(); -} + clearOCSPCache(); + Services.prefs.setBoolPref("security.OCSP.GET.enabled", true); + ocspResponder = start_ocsp_responder(["a"], [], ["GET"]); + await check_cert_err("a", PRErrorCodeSuccess); + await stopOCSPResponder(ocspResponder); +});
--- a/security/manager/ssl/tests/unit/test_ocsp_private_caching.js +++ b/security/manager/ssl/tests/unit/test_ocsp_private_caching.js @@ -18,22 +18,16 @@ const SERVER_PORT = 8888; function start_ocsp_responder(expectedCertNames, expectedPaths, expectedMethods) { return startOCSPResponder(SERVER_PORT, "www.example.com", "test_ocsp_fetch_method", expectedCertNames, expectedPaths, expectedMethods); } -function check_cert_err(cert_name, expected_error) { - let cert = constructCertFromFile("test_ocsp_fetch_method/" + cert_name + ".pem"); - return checkCertErrorGeneric(certdb, cert, expected_error, - certificateUsageSSLServer); -} - function add_flush_cache() { add_test(() => { // This appears to either fire multiple times or fire once for every // observer that has ever been passed to flush. To prevent multiple calls to // run_next_test, keep track of if this observer has already called it. let observed = false; let observer = { observe: () => { if (!observed) {
--- a/security/manager/ssl/tests/unit/test_ocsp_url.js +++ b/security/manager/ssl/tests/unit/test_ocsp_url.js @@ -25,113 +25,87 @@ function start_ocsp_responder(expectedCe } function check_cert_err(cert_name, expected_error) { let cert = constructCertFromFile("test_ocsp_url/" + cert_name + ".pem"); return checkCertErrorGeneric(certdb, cert, expected_error, certificateUsageSSLServer); } -function run_test() { +add_task(async function() { addCertFromFile(certdb, "test_ocsp_url/ca.pem", "CTu,CTu,CTu"); addCertFromFile(certdb, "test_ocsp_url/int.pem", ",,"); // Enabled so that we can force ocsp failure responses. Services.prefs.setBoolPref("security.OCSP.require", true); Services.prefs.setCharPref("network.dns.localDomains", "www.example.com"); Services.prefs.setIntPref("security.OCSP.enabled", 1); // Note: We don't test the case of a well-formed HTTP URL with an empty port // because the OCSP code would then send a request to port 80, which we // can't use in tests. - add_test(function() { - clearOCSPCache(); - let ocspResponder = failingOCSPResponder(); - check_cert_err("bad-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); - ocspResponder.stop(run_next_test); - }); + clearOCSPCache(); + let ocspResponder = failingOCSPResponder(); + await check_cert_err("bad-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + await stopOCSPResponder(ocspResponder); - add_test(function() { - clearOCSPCache(); - let ocspResponder = failingOCSPResponder(); - check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); - ocspResponder.stop(run_next_test); - }); + clearOCSPCache(); + ocspResponder = failingOCSPResponder(); + await check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + await stopOCSPResponder(ocspResponder); - add_test(() => { - clearOCSPCache(); - let ocspResponder = failingOCSPResponder(); - check_cert_err("ftp-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); - ocspResponder.stop(run_next_test); - }); + clearOCSPCache(); + ocspResponder = failingOCSPResponder(); + await check_cert_err("ftp-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + await stopOCSPResponder(ocspResponder); - add_test(function() { - clearOCSPCache(); - let ocspResponder = failingOCSPResponder(); - check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); - ocspResponder.stop(run_next_test); - }); + clearOCSPCache(); + ocspResponder = failingOCSPResponder(); + await check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + await stopOCSPResponder(ocspResponder); - add_test(function() { - clearOCSPCache(); - let ocspResponder = start_ocsp_responder(["hTTp-url"], ["hTTp-url"]); - check_cert_err("hTTp-url", PRErrorCodeSuccess); - ocspResponder.stop(run_next_test); - }); + clearOCSPCache(); + ocspResponder = start_ocsp_responder(["hTTp-url"], ["hTTp-url"]); + await check_cert_err("hTTp-url", PRErrorCodeSuccess); + await stopOCSPResponder(ocspResponder); - add_test(function() { - clearOCSPCache(); - let ocspResponder = failingOCSPResponder(); - check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); - ocspResponder.stop(run_next_test); - }); + clearOCSPCache(); + ocspResponder = failingOCSPResponder(); + await check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + await stopOCSPResponder(ocspResponder); - add_test(function() { - clearOCSPCache(); - let ocspResponder = failingOCSPResponder(); - // XXX Bug 1013615 parser accepts ":8888" as hostname - check_cert_err("no-host-url", SEC_ERROR_OCSP_SERVER_ERROR); - ocspResponder.stop(run_next_test); - }); + clearOCSPCache(); + ocspResponder = failingOCSPResponder(); + // XXX Bug 1013615 parser accepts ":8888" as hostname + await check_cert_err("no-host-url", SEC_ERROR_OCSP_SERVER_ERROR); + await stopOCSPResponder(ocspResponder); - add_test(function() { - clearOCSPCache(); - let ocspResponder = start_ocsp_responder(["no-path-url"], [""]); - check_cert_err("no-path-url", PRErrorCodeSuccess); - ocspResponder.stop(run_next_test); - }); + clearOCSPCache(); + ocspResponder = start_ocsp_responder(["no-path-url"], [""]); + await check_cert_err("no-path-url", PRErrorCodeSuccess); + await stopOCSPResponder(ocspResponder); - add_test(function() { - clearOCSPCache(); - let ocspResponder = failingOCSPResponder(); - check_cert_err("no-scheme-host-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); - ocspResponder.stop(run_next_test); - }); + clearOCSPCache(); + ocspResponder = failingOCSPResponder(); + await check_cert_err("no-scheme-host-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + await stopOCSPResponder(ocspResponder); - add_test(function() { - clearOCSPCache(); - let ocspResponder = failingOCSPResponder(); - check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); - ocspResponder.stop(run_next_test); - }); + clearOCSPCache(); + ocspResponder = failingOCSPResponder(); + await check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + await stopOCSPResponder(ocspResponder); - add_test(function() { - clearOCSPCache(); - let ocspResponder = failingOCSPResponder(); - check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); - ocspResponder.stop(run_next_test); - }); + clearOCSPCache(); + ocspResponder = failingOCSPResponder(); + await check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + await stopOCSPResponder(ocspResponder); // Note: We currently don't have anything that ensures user:pass sections // weren't sent. The following test simply checks that such sections // don't cause failures. - add_test(() => { - clearOCSPCache(); - let ocspResponder = start_ocsp_responder(["user-pass"], [""]); - check_cert_err("user-pass", PRErrorCodeSuccess); - ocspResponder.stop(run_next_test); - }); - - run_next_test(); -} + clearOCSPCache(); + ocspResponder = start_ocsp_responder(["user-pass"], [""]); + await check_cert_err("user-pass", PRErrorCodeSuccess); + await stopOCSPResponder(ocspResponder); +});
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic.js +++ b/security/manager/ssl/tests/unit/test_pinning_dynamic.js @@ -20,22 +20,22 @@ function certFromFile(cert_name) { function loadCert(cert_name, trust_string) { let cert_filename = "test_pinning_dynamic/" + cert_name + ".pem"; addCertFromFile(certdb, cert_filename, trust_string); return constructCertFromFile(cert_filename); } function checkOK(cert, hostname) { return checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess, - certificateUsageSSLServer, {}, hostname); + certificateUsageSSLServer, false, hostname); } function checkFail(cert, hostname) { return checkCertErrorGeneric(certdb, cert, MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE, - certificateUsageSSLServer, {}, hostname); + certificateUsageSSLServer, false, hostname); } const NON_ISSUED_KEY_HASH = "KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN="; const PINNING_ROOT_KEY_HASH = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8="; function run_test() { Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2); @@ -101,129 +101,141 @@ function checkStateRead(aSubject, aTopic throw new Error("Observed data should either be the Site Security " + "Service state file name or the preload file name"); } if (!gSSSStateSeen || !gPreloadStateSeen) { return; } + async_check_pins() + .then(function() { + return new Promise((resolve, reject) => { + do_timeout(1250, resolve); + }); + }) + .then(checkExpiredState) + .then(checkPreloadClear) + .then(do_test_finished); +} + +async function async_check_pins() { notEqual(gSSService, null, "SiteSecurityService should be initialized"); // Initializing the certificate DB will cause NSS-initialization, which in // turn initializes the site security service. Since we're in part testing // that the site security service correctly reads its state file, we have to // make sure it doesn't start up before we've populated the file certdb = Cc["@mozilla.org/security/x509certdb;1"] .getService(Ci.nsIX509CertDB); loadCert("pinningroot", "CTu,CTu,CTu"); loadCert("badca", "CTu,CTu,CTu"); // the written entry is for a.pinning2.example.com without subdomains // and b.pinning2.example.com with subdomains - checkFail(certFromFile("a.pinning2.example.com-badca"), - "a.pinning2.example.com"); - checkOK(certFromFile("a.pinning2.example.com-pinningroot"), - "a.pinning2.example.com"); - checkOK(certFromFile("x.a.pinning2.example.com-badca"), - "x.a.pinning2.example.com"); - checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"), - "x.a.pinning2.example.com"); + await checkFail(certFromFile("a.pinning2.example.com-badca"), + "a.pinning2.example.com"); + await checkOK(certFromFile("a.pinning2.example.com-pinningroot"), + "a.pinning2.example.com"); + await checkOK(certFromFile("x.a.pinning2.example.com-badca"), + "x.a.pinning2.example.com"); + await checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"), + "x.a.pinning2.example.com"); - checkFail(certFromFile("b.pinning2.example.com-badca"), - "b.pinning2.example.com"); - checkOK(certFromFile("b.pinning2.example.com-pinningroot"), - "b.pinning2.example.com"); - checkFail(certFromFile("x.b.pinning2.example.com-badca"), - "x.b.pinning2.example.com"); - checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"), - "x.b.pinning2.example.com"); + await checkFail(certFromFile("b.pinning2.example.com-badca"), + "b.pinning2.example.com"); + await checkOK(certFromFile("b.pinning2.example.com-pinningroot"), + "b.pinning2.example.com"); + await checkFail(certFromFile("x.b.pinning2.example.com-badca"), + "x.b.pinning2.example.com"); + await checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"), + "x.b.pinning2.example.com"); checkDefaultSiteHPKPStatus(); // add includeSubdomains to a.pinning2.example.com gSSService.setKeyPins("a.pinning2.example.com", true, new Date().getTime() + 1000000, 2, [NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH]); - checkFail(certFromFile("a.pinning2.example.com-badca"), - "a.pinning2.example.com"); - checkOK(certFromFile("a.pinning2.example.com-pinningroot"), - "a.pinning2.example.com"); - checkFail(certFromFile("x.a.pinning2.example.com-badca"), - "x.a.pinning2.example.com"); - checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"), - "x.a.pinning2.example.com"); - checkFail(certFromFile("b.pinning2.example.com-badca"), - "b.pinning2.example.com"); - checkOK(certFromFile("b.pinning2.example.com-pinningroot"), - "b.pinning2.example.com"); - checkFail(certFromFile("x.b.pinning2.example.com-badca"), - "x.b.pinning2.example.com"); - checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"), - "x.b.pinning2.example.com"); + await checkFail(certFromFile("a.pinning2.example.com-badca"), + "a.pinning2.example.com"); + await checkOK(certFromFile("a.pinning2.example.com-pinningroot"), + "a.pinning2.example.com"); + await checkFail(certFromFile("x.a.pinning2.example.com-badca"), + "x.a.pinning2.example.com"); + await checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"), + "x.a.pinning2.example.com"); + await checkFail(certFromFile("b.pinning2.example.com-badca"), + "b.pinning2.example.com"); + await checkOK(certFromFile("b.pinning2.example.com-pinningroot"), + "b.pinning2.example.com"); + await checkFail(certFromFile("x.b.pinning2.example.com-badca"), + "x.b.pinning2.example.com"); + await checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"), + "x.b.pinning2.example.com"); ok(gSSService.isSecureURI( Ci.nsISiteSecurityService.HEADER_HPKP, Services.io.newURI("https://a.pinning2.example.com"), 0), "a.pinning2.example.com should still have HPKP status after adding" + " includeSubdomains to a.pinning2.example.com"); ok(gSSService.isSecureURI( Ci.nsISiteSecurityService.HEADER_HPKP, Services.io.newURI("https://x.a.pinning2.example.com"), 0), "x.a.pinning2.example.com should now have HPKP status after adding" + " includeSubdomains to a.pinning2.example.com"); // Now setpins without subdomains gSSService.setKeyPins("a.pinning2.example.com", false, new Date().getTime() + 1000000, 2, [NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH]); - checkFail(certFromFile("a.pinning2.example.com-badca"), - "a.pinning2.example.com"); - checkOK(certFromFile("a.pinning2.example.com-pinningroot"), - "a.pinning2.example.com"); - checkOK(certFromFile("x.a.pinning2.example.com-badca"), - "x.a.pinning2.example.com"); - checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"), - "x.a.pinning2.example.com"); + await checkFail(certFromFile("a.pinning2.example.com-badca"), + "a.pinning2.example.com"); + await checkOK(certFromFile("a.pinning2.example.com-pinningroot"), + "a.pinning2.example.com"); + await checkOK(certFromFile("x.a.pinning2.example.com-badca"), + "x.a.pinning2.example.com"); + await checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"), + "x.a.pinning2.example.com"); - checkFail(certFromFile("b.pinning2.example.com-badca"), - "b.pinning2.example.com"); - checkOK(certFromFile("b.pinning2.example.com-pinningroot"), - "b.pinning2.example.com"); - checkFail(certFromFile("x.b.pinning2.example.com-badca"), - "x.b.pinning2.example.com"); - checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"), - "x.b.pinning2.example.com"); + await checkFail(certFromFile("b.pinning2.example.com-badca"), + "b.pinning2.example.com"); + await checkOK(certFromFile("b.pinning2.example.com-pinningroot"), + "b.pinning2.example.com"); + await checkFail(certFromFile("x.b.pinning2.example.com-badca"), + "x.b.pinning2.example.com"); + await checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"), + "x.b.pinning2.example.com"); checkDefaultSiteHPKPStatus(); // failure to insert new pin entry leaves previous pin behavior throws(() => { gSSService.setKeyPins("a.pinning2.example.com", true, new Date().getTime() + 1000000, 1, ["not a hash"]); }, /NS_ERROR_ILLEGAL_VALUE/, "Attempting to set an invalid pin should fail"); - checkFail(certFromFile("a.pinning2.example.com-badca"), - "a.pinning2.example.com"); - checkOK(certFromFile("a.pinning2.example.com-pinningroot"), - "a.pinning2.example.com"); - checkOK(certFromFile("x.a.pinning2.example.com-badca"), - "x.a.pinning2.example.com"); - checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"), - "x.a.pinning2.example.com"); + await checkFail(certFromFile("a.pinning2.example.com-badca"), + "a.pinning2.example.com"); + await checkOK(certFromFile("a.pinning2.example.com-pinningroot"), + "a.pinning2.example.com"); + await checkOK(certFromFile("x.a.pinning2.example.com-badca"), + "x.a.pinning2.example.com"); + await checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"), + "x.a.pinning2.example.com"); - checkFail(certFromFile("b.pinning2.example.com-badca"), - "b.pinning2.example.com"); - checkOK(certFromFile("b.pinning2.example.com-pinningroot"), - "b.pinning2.example.com"); - checkFail(certFromFile("x.b.pinning2.example.com-badca"), - "x.b.pinning2.example.com"); - checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"), - "x.b.pinning2.example.com"); + await checkFail(certFromFile("b.pinning2.example.com-badca"), + "b.pinning2.example.com"); + await checkOK(certFromFile("b.pinning2.example.com-pinningroot"), + "b.pinning2.example.com"); + await checkFail(certFromFile("x.b.pinning2.example.com-badca"), + "x.b.pinning2.example.com"); + await checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"), + "x.b.pinning2.example.com"); checkDefaultSiteHPKPStatus(); // Incorrect size results in failure throws(() => { gSSService.setKeyPins("a.pinning2.example.com", true, new Date().getTime() + 1000000, 2, ["not a hash"]); }, /NS_ERROR_XPC_NOT_ENOUGH_ELEMENTS_IN_ARRAY/, @@ -238,56 +250,51 @@ function checkStateRead(aSubject, aTopic Ci.nsISiteSecurityService.HEADER_HPKP, Services.io.newURI("https://include-subdomains.pinning.example.com"), 0), "Built-in include-subdomains.pinning.example.com should have HPKP status"); gSSService.setKeyPins("a.pinning2.example.com", false, new Date().getTime(), 1, [NON_ISSUED_KEY_HASH]); // Check that a preload pin loaded from file works as expected - checkFail(certFromFile("a.preload.example.com-badca"), "a.preload.example.com"); - checkOK(certFromFile("a.preload.example.com-pinningroot"), "a.preload.example.com"); + await checkFail(certFromFile("a.preload.example.com-badca"), "a.preload.example.com"); + await checkOK(certFromFile("a.preload.example.com-pinningroot"), "a.preload.example.com"); // Check a dynamic addition works as expected // first, it should succeed with the badCA - because there's no pin - checkOK(certFromFile("b.preload.example.com-badca"), "b.preload.example.com"); + await checkOK(certFromFile("b.preload.example.com-badca"), "b.preload.example.com"); // then we add a pin, and we should get a failure (ensuring the expiry is // after the test timeout) gSSService.setKeyPins("b.preload.example.com", false, new Date().getTime() + 1000000, 2, [NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH], true); - checkFail(certFromFile("b.preload.example.com-badca"), "b.preload.example.com"); - - do_timeout(1250, checkExpiredState); + await checkFail(certFromFile("b.preload.example.com-badca"), "b.preload.example.com"); } -function checkExpiredState() { - checkOK(certFromFile("a.pinning2.example.com-badca"), - "a.pinning2.example.com"); - checkOK(certFromFile("a.pinning2.example.com-pinningroot"), - "a.pinning2.example.com"); - checkOK(certFromFile("x.a.pinning2.example.com-badca"), - "x.a.pinning2.example.com"); - checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"), - "x.a.pinning2.example.com"); +async function checkExpiredState() { + await checkOK(certFromFile("a.pinning2.example.com-badca"), + "a.pinning2.example.com"); + await checkOK(certFromFile("a.pinning2.example.com-pinningroot"), + "a.pinning2.example.com"); + await checkOK(certFromFile("x.a.pinning2.example.com-badca"), + "x.a.pinning2.example.com"); + await checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"), + "x.a.pinning2.example.com"); - checkFail(certFromFile("b.pinning2.example.com-badca"), - "b.pinning2.example.com"); - checkOK(certFromFile("b.pinning2.example.com-pinningroot"), - "b.pinning2.example.com"); - checkFail(certFromFile("x.b.pinning2.example.com-badca"), - "x.b.pinning2.example.com"); - checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"), - "x.b.pinning2.example.com"); - checkPreloadClear(); + await checkFail(certFromFile("b.pinning2.example.com-badca"), + "b.pinning2.example.com"); + await checkOK(certFromFile("b.pinning2.example.com-pinningroot"), + "b.pinning2.example.com"); + await checkFail(certFromFile("x.b.pinning2.example.com-badca"), + "x.b.pinning2.example.com"); + await checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"), + "x.b.pinning2.example.com"); } -function checkPreloadClear() { +async function checkPreloadClear() { // Check that the preloaded pins still work after private data is cleared gSSService.clearAll(); - checkFail(certFromFile("b.preload.example.com-badca"), "b.preload.example.com"); + await checkFail(certFromFile("b.preload.example.com-badca"), "b.preload.example.com"); // Check that the preloaded pins are cleared when we clear preloads gSSService.clearPreloads(); - checkOK(certFromFile("b.preload.example.com-badca"), "b.preload.example.com"); - - do_test_finished(); + await checkOK(certFromFile("b.preload.example.com-badca"), "b.preload.example.com"); }
--- a/security/manager/ssl/tests/unit/test_startcom_wosign.js +++ b/security/manager/ssl/tests/unit/test_startcom_wosign.js @@ -7,37 +7,41 @@ // certificates have a notBefore before 21 October 2016, they are handled // normally. Otherwise, they are treated as revoked. do_get_profile(); // must be called before getting nsIX509CertDB const certdb = Cc["@mozilla.org/security/x509certdb;1"] .getService(Ci.nsIX509CertDB); function loadCertWithTrust(certName, trustString) { - addCertFromFile(certdb, "test_startcom_wosign/" + certName + ".pem", trustString); + addCertFromFile(certdb, "test_startcom_wosign/" + certName + ".pem", + trustString); } function certFromFile(certName) { return constructCertFromFile("test_startcom_wosign/" + certName + ".pem"); } function checkEndEntity(cert, expectedResult) { // (new Date("2016-11-01")).getTime() / 1000 const VALIDATION_TIME = 1477958400; - checkCertErrorGenericAtTime(certdb, cert, expectedResult, - certificateUsageSSLServer, VALIDATION_TIME); + return checkCertErrorGenericAtTime(certdb, cert, expectedResult, + certificateUsageSSLServer, + VALIDATION_TIME); } -loadCertWithTrust("ca", "CTu,,"); -// This is not a real StartCom CA - it merely has the same distinguished name as -// one (namely "/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2", -// encoded with PrintableStrings). By checking for specific DNs, we can enforce -// the date-based policy in a way that is testable. -loadCertWithTrust("StartComCA", ",,"); -checkEndEntity(certFromFile("StartCom-before-cutoff"), PRErrorCodeSuccess); -checkEndEntity(certFromFile("StartCom-after-cutoff"), SEC_ERROR_REVOKED_CERTIFICATE); +add_task(async function() { + loadCertWithTrust("ca", "CTu,,"); + // This is not a real StartCom CA - it merely has the same distinguished name + // as one (namely "/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority + // G2", encoded with PrintableStrings). By checking for specific DNs, we can + // enforce the date-based policy in a way that is testable. + loadCertWithTrust("StartComCA", ",,"); + await checkEndEntity(certFromFile("StartCom-before-cutoff"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("StartCom-after-cutoff"), SEC_ERROR_REVOKED_CERTIFICATE); -// Similarly, this is not a real WoSign CA. It has the same distinguished name -// as "/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign", encoded -// with PrintableStrings). -loadCertWithTrust("WoSignCA", ",,"); -checkEndEntity(certFromFile("WoSign-before-cutoff"), PRErrorCodeSuccess); -checkEndEntity(certFromFile("WoSign-after-cutoff"), SEC_ERROR_REVOKED_CERTIFICATE); + // Similarly, this is not a real WoSign CA. It has the same distinguished name + // as "/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign", + // encoded with PrintableStrings). + loadCertWithTrust("WoSignCA", ",,"); + await checkEndEntity(certFromFile("WoSign-before-cutoff"), PRErrorCodeSuccess); + await checkEndEntity(certFromFile("WoSign-after-cutoff"), SEC_ERROR_REVOKED_CERTIFICATE); +});
--- a/security/manager/ssl/tests/unit/test_symantec_apple_google.js +++ b/security/manager/ssl/tests/unit/test_symantec_apple_google.js @@ -64,27 +64,25 @@ add_test(function() { }); add_connection_test("symantec-not-whitelisted-before-cutoff.example.com", MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED, null, null); // Load the wildcard *.google.com cert and its intermediate, then verify // it at a reasonable time and make sure the whitelists work -function run_test() { +add_task(async function() { addCertFromFile(certDB, "test_symantec_apple_google/real-google-g2-intermediate.pem", ",,"); let whitelistedCert = constructCertFromFile("test_symantec_apple_google/real-googlecom.pem"); // Since we don't want to actually try to fetch OCSP for this certificate, // (as an external fetch is bad in the tests), disable OCSP first. Services.prefs.setIntPref("security.OCSP.enabled", 0); Services.prefs.setIntPref("security.pki.distrust_ca_policy", /* DistrustedCAPolicy::DistrustSymantecRoots */ 1); // (new Date("2018-02-16")).getTime() / 1000 const VALIDATION_TIME = 1518739200; - checkCertErrorGenericAtTime(certDB, whitelistedCert, PRErrorCodeSuccess, - certificateUsageSSLServer, VALIDATION_TIME); - - run_next_test(); -} + await checkCertErrorGenericAtTime(certDB, whitelistedCert, PRErrorCodeSuccess, + certificateUsageSSLServer, VALIDATION_TIME); +});
--- a/security/manager/ssl/tests/unit/test_validity.js +++ b/security/manager/ssl/tests/unit/test_validity.js @@ -22,70 +22,66 @@ function certFromFile(filename) { return constructCertFromFile(`test_validity/${filename}`); } function loadCert(certFilename, trustString) { addCertFromFile(certDB, `test_validity/${certFilename}`, trustString); } /** - * Adds a single EV test. + * Asynchronously runs a single EV test. * * @param {Array} expectedNamesForOCSP * An array of nicknames of the certs to be responded to. * @param {String} rootCertFileName * The file name of the root cert. Can begin with ".." to reference * certs in folders other than "test_validity/". * @param {Array} intCertFileNames * An array of file names of any intermediate certificates. * @param {String} endEntityCertFileName * The file name of the end entity cert. * @param {Boolean} expectedResult * Whether the chain is expected to validate as EV. */ -function addEVTest(expectedNamesForOCSP, rootCertFileName, intCertFileNames, - endEntityCertFileName, expectedResult) { - add_test(function() { - clearOCSPCache(); - let ocspResponder = getOCSPResponder(expectedNamesForOCSP); +async function doEVTest(expectedNamesForOCSP, rootCertFileName, intCertFileNames, + endEntityCertFileName, expectedResult) { + clearOCSPCache(); + let ocspResponder = getOCSPResponder(expectedNamesForOCSP); - loadCert(`${rootCertFileName}.pem`, "CTu,CTu,CTu"); - for (let intCertFileName of intCertFileNames) { - loadCert(`${intCertFileName}.pem`, ",,"); - } - checkEVStatus(certDB, certFromFile(`${endEntityCertFileName}.pem`), - certificateUsageSSLServer, expectedResult); + loadCert(`${rootCertFileName}.pem`, "CTu,CTu,CTu"); + for (let intCertFileName of intCertFileNames) { + loadCert(`${intCertFileName}.pem`, ",,"); + } + await checkEVStatus(certDB, certFromFile(`${endEntityCertFileName}.pem`), + certificateUsageSSLServer, expectedResult); - ocspResponder.stop(run_next_test); - }); + await stopOCSPResponder(ocspResponder); } -function checkEVChains() { +async function checkEVChains() { // Chain with an end entity cert with a validity period that is acceptable // for EV. const intFullName = "ev_int_60_months-evroot"; let eeFullName = `ev_ee_27_months-${intFullName}`; let expectedNamesForOCSP = gEVExpected ? [ intFullName, eeFullName ] : [ eeFullName ]; - addEVTest(expectedNamesForOCSP, "../test_ev_certs/evroot", [ intFullName ], - eeFullName, gEVExpected); + await doEVTest(expectedNamesForOCSP, "../test_ev_certs/evroot", + [ intFullName ], eeFullName, gEVExpected); // Chain with an end entity cert with a validity period that is too long // for EV. eeFullName = `ev_ee_28_months-${intFullName}`; expectedNamesForOCSP = gEVExpected ? [ intFullName, eeFullName ] : [ eeFullName ]; - addEVTest(expectedNamesForOCSP, "../test_ev_certs/evroot", [ intFullName ], - eeFullName, false); + await doEVTest(expectedNamesForOCSP, "../test_ev_certs/evroot", + [ intFullName ], eeFullName, false); } -function run_test() { +add_task(async function () { Services.prefs.setCharPref("network.dns.localDomains", "www.example.com"); Services.prefs.setIntPref("security.OCSP.enabled", 1); - checkEVChains(); - - run_next_test(); -} + await checkEVChains(); +});