--- a/security/manager/ssl/tests/unit/test_keysize.js
+++ b/security/manager/ssl/tests/unit/test_keysize.js
@@ -12,52 +12,20 @@ do_get_profile(); // must be called befo
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
.getService(Ci.nsIX509CertDB);
function certFromFile(filename) {
let der = readFile(do_get_file("test_keysize/" + filename, false));
return certdb.constructX509(der, der.length);
}
-function load_cert(cert_name, trust_string) {
- let cert_filename = cert_name + ".der";
- addCertFromFile(certdb, "test_keysize/" + cert_filename, trust_string);
- return certFromFile(cert_filename);
-}
-
-function check_cert_err_generic(cert, expected_error, usage) {
- do_print("cert cn=" + cert.commonName);
- do_print("cert issuer cn=" + cert.issuerCommonName);
- let hasEVPolicy = {};
- let verifiedChain = {};
- let error = certdb.verifyCertNow(cert, usage,
- NO_FLAGS, verifiedChain, hasEVPolicy);
- equal(error, expected_error);
-}
-
-function check_cert_err(cert, expected_error) {
- check_cert_err_generic(cert, expected_error, certificateUsageSSLServer)
-}
-
-function check_ok(cert) {
- return check_cert_err(cert, 0);
-}
-
-function check_ok_ca(cert) {
- return check_cert_err_generic(cert, 0, certificateUsageSSLCA);
-}
-
-function check_fail(cert) {
- return check_cert_err(cert, MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
-}
-
-function check_fail_ca(cert) {
- return check_cert_err_generic(cert,
- MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE,
- certificateUsageSSLCA);
+function loadCert(certName, trustString) {
+ let certFilename = certName + ".der";
+ addCertFromFile(certdb, "test_keysize/" + certFilename, trustString);
+ return certFromFile(certFilename);
}
/**
* Tests a cert chain.
*
* @param {String} rootKeyType
* The key type of the root certificate, or the name of an elliptic
* curve, as output by the 'openssl ecparam -list_curves' command.
@@ -72,59 +40,58 @@ function checkChain(rootKeyType, rootKey
eeKeyType, eeKeySize, eeExpectedError) {
let rootName = "root_" + rootKeyType + "_" + rootKeySize;
let intName = "int_" + intKeyType + "_" + intKeySize;
let eeName = "ee_" + eeKeyType + "_" + eeKeySize;
let intFullName = intName + "-" + rootName;
let eeFullName = eeName + "-" + intName + "-" + rootName;
- load_cert(rootName, "CTu,CTu,CTu");
- load_cert(intFullName, ",,");
- let eeCert = certFromFile(eeFullName + ".der")
+ loadCert(rootName, "CTu,CTu,CTu");
+ loadCert(intFullName, ",,");
+ let eeCert = certFromFile(eeFullName + ".der");
do_print("cert cn=" + eeCert.commonName);
do_print("cert o=" + eeCert.organization);
do_print("cert issuer cn=" + eeCert.issuerCommonName);
do_print("cert issuer o=" + eeCert.issuerOrganization);
checkCertErrorGeneric(certdb, eeCert, eeExpectedError,
certificateUsageSSLServer);
}
-function checkForKeyType(keyType, inadequateKeySize, adequateKeySize) {
- let rootOKName = "root_" + keyType + "_" + adequateKeySize;
- let rootNotOKName = "root_" + keyType + "_" + inadequateKeySize;
- let intOKName = "int_" + keyType + "_" + adequateKeySize;
- let intNotOKName = "int_" + keyType + "_" + inadequateKeySize;
- let eeOKName = "ee_" + keyType + "_" + adequateKeySize;
- let eeNotOKName = "ee_" + keyType + "_" + inadequateKeySize;
-
+/**
+ * Tests various RSA chains.
+ *
+ * @param {Number} inadequateKeySize
+ * @param {Number} adequateKeySize
+ */
+function checkRSAChains(inadequateKeySize, adequateKeySize) {
// Chain with certs that have adequate sizes for DV
- let intFullName = intOKName + "-" + rootOKName;
- let eeFullName = eeOKName + "-" + intOKName + "-" + rootOKName;
- check_ok_ca(load_cert(rootOKName, "CTu,CTu,CTu"));
- check_ok_ca(load_cert(intFullName, ",,"));
- check_ok(certFromFile(eeFullName + ".der"));
+ checkChain("rsa", adequateKeySize,
+ "rsa", adequateKeySize,
+ "rsa", adequateKeySize,
+ 0);
// Chain with a root cert that has an inadequate size for DV
- intFullName = intOKName + "-" + rootNotOKName;
- eeFullName = eeOKName + "-" + intOKName + "-" + rootNotOKName;
- check_fail_ca(load_cert(rootNotOKName, "CTu,CTu,CTu"));
- check_fail_ca(load_cert(intFullName, ",,"));
- check_fail(certFromFile(eeFullName + ".der"));
+ checkChain("rsa", inadequateKeySize,
+ "rsa", adequateKeySize,
+ "rsa", adequateKeySize,
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
// Chain with an intermediate cert that has an inadequate size for DV
- intFullName = intNotOKName + "-" + rootOKName;
- eeFullName = eeOKName + "-" + intNotOKName + "-" + rootOKName;
- check_fail_ca(load_cert(intFullName, ",,"));
- check_fail(certFromFile(eeFullName + ".der"));
+ checkChain("rsa", adequateKeySize,
+ "rsa", inadequateKeySize,
+ "rsa", adequateKeySize,
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
// Chain with an end entity cert that has an inadequate size for DV
- eeFullName = eeNotOKName + "-" + intOKName + "-" + rootOKName;
- check_fail(certFromFile(eeFullName + ".der"));
+ checkChain("rsa", adequateKeySize,
+ "rsa", adequateKeySize,
+ "rsa", inadequateKeySize,
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
}
function checkECCChains() {
checkChain("prime256v1", 256,
"secp384r1", 384,
"secp521r1", 521,
0);
checkChain("prime256v1", 256,
@@ -160,14 +127,14 @@ function checkCombinationChains() {
SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
checkChain("prime256v1", 256,
"rsa", 1016,
"prime256v1", 256,
MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
}
function run_test() {
- checkForKeyType("rsa", 1016, 1024);
+ checkRSAChains(1016, 1024);
checkECCChains();
checkCombinationChains();
run_next_test();
}
--- a/security/manager/ssl/tests/unit/test_keysize/generate.py
+++ b/security/manager/ssl/tests/unit/test_keysize/generate.py
@@ -81,17 +81,17 @@ def generate_and_maybe_import_cert(key_t
subject_string += '/O=' + cert_name
# Reuse the existing RSA EV root
if (generate_ev and key_type == 'rsa' and signer_key_filename == ''
and signer_cert_filename == '' and key_size == '2048'):
cert_name = 'evroot'
key_filename = '../test_ev_certs/evroot.key'
cert_filename = '../test_ev_certs/evroot.der'
- CertUtils.import_cert_and_pkcs12(srcdir, key_filename,
+ CertUtils.import_cert_and_pkcs12(srcdir, cert_filename,
'../test_ev_certs/evroot.p12',
cert_name, ',,')
return [cert_name, key_filename, cert_filename]
# Don't regenerate a previously generated cert
for cert in generated_certs:
if cert_name == cert[0]:
return cert
@@ -161,131 +161,51 @@ def generate_cert_chain(root_key_type, r
'ee',
int_nick,
ee_ext_text,
int_key_file,
int_cert_file,
ee_key_size,
generate_ev)
-def generate_certs(key_type, inadequate_key_size, adequate_key_size, generate_ev):
+def generate_rsa_chains(inadequate_key_size, adequate_key_size, generate_ev):
"""
- Generates the various certificates used by the key size tests.
+ Generates various RSA chains with different combinations of adequately and
+ inadequately sized certs.
Arguments:
- key_type -- the type of key generated: potential values: 'rsa',
- or any of the curves found by 'openssl ecparam -list_curves'
inadequate_key_size -- a string defining the inadequate public key size
for the generated certs
adequate_key_size -- a string defining the adequate public key size for
the generated certs
- generate_ev -- whether an EV cert should be generated
+ generate_ev -- whether EV certs should be generated
"""
# Generate chain with certs that have adequate sizes
- if generate_ev and key_type == 'rsa':
- # Reuse the existing RSA EV root
- rootOK_nick = 'evroot'
- caOK_key = '../test_ev_certs/evroot.key'
- caOK_cert = '../test_ev_certs/evroot.der'
- caOK_pkcs12_filename = '../test_ev_certs/evroot.p12'
- CertUtils.import_cert_and_pkcs12(srcdir, caOK_cert, caOK_pkcs12_filename,
- rootOK_nick, ',,')
- else:
- [rootOK_nick, caOK_key, caOK_cert] = generate_and_maybe_import_cert(
- key_type,
- 'root',
- '',
- ca_ext_text,
- '',
- '',
- adequate_key_size,
- generate_ev)
-
- [intOK_nick, intOK_key, intOK_cert] = generate_and_maybe_import_cert(
- key_type,
- 'int',
- rootOK_nick,
- ca_ext_text,
- caOK_key,
- caOK_cert,
- adequate_key_size,
- generate_ev)
-
- generate_and_maybe_import_cert(
- key_type,
- 'ee',
- intOK_nick,
- ee_ext_text,
- intOK_key,
- intOK_cert,
- adequate_key_size,
- generate_ev)
+ generate_cert_chain('rsa', adequate_key_size,
+ 'rsa', adequate_key_size,
+ 'rsa', adequate_key_size,
+ generate_ev)
# Generate chain with a root cert that has an inadequate size
- [rootNotOK_nick, rootNotOK_key, rootNotOK_cert] = generate_and_maybe_import_cert(
- key_type,
- 'root',
- '',
- ca_ext_text,
- '',
- '',
- inadequate_key_size,
- generate_ev)
-
- [int_nick, int_key, int_cert] = generate_and_maybe_import_cert(
- key_type,
- 'int',
- rootNotOK_nick,
- ca_ext_text,
- rootNotOK_key,
- rootNotOK_cert,
- adequate_key_size,
- generate_ev)
-
- generate_and_maybe_import_cert(
- key_type,
- 'ee',
- int_nick,
- ee_ext_text,
- int_key,
- int_cert,
- adequate_key_size,
- generate_ev)
+ generate_cert_chain('rsa', inadequate_key_size,
+ 'rsa', adequate_key_size,
+ 'rsa', adequate_key_size,
+ generate_ev)
# Generate chain with an intermediate cert that has an inadequate size
- [intNotOK_nick, intNotOK_key, intNotOK_cert] = generate_and_maybe_import_cert(
- key_type,
- 'int',
- rootOK_nick,
- ca_ext_text,
- caOK_key,
- caOK_cert,
- inadequate_key_size,
- generate_ev)
-
- generate_and_maybe_import_cert(
- key_type,
- 'ee',
- intNotOK_nick,
- ee_ext_text,
- intNotOK_key,
- intNotOK_cert,
- adequate_key_size,
- generate_ev)
+ generate_cert_chain('rsa', adequate_key_size,
+ 'rsa', inadequate_key_size,
+ 'rsa', adequate_key_size,
+ generate_ev)
# Generate chain with an end entity cert that has an inadequate size
- generate_and_maybe_import_cert(
- key_type,
- 'ee',
- intOK_nick,
- ee_ext_text,
- intOK_key,
- intOK_cert,
- inadequate_key_size,
- generate_ev)
+ generate_cert_chain('rsa', adequate_key_size,
+ 'rsa', adequate_key_size,
+ 'rsa', inadequate_key_size,
+ generate_ev)
def generate_ecc_chains():
generate_cert_chain('prime256v1', '256',
'secp384r1', '384',
'secp521r1', '521',
False)
generate_cert_chain('prime256v1', '256',
'secp224r1', '224',
@@ -323,18 +243,18 @@ def generate_combination_chains():
False)
# Create a NSS DB for use by the OCSP responder.
CertUtils.init_nss_db(srcdir)
# TODO(bug 636807): SECKEY_PublicKeyStrengthInBits() rounds up the number of
# bits to the next multiple of 8 - therefore the highest key size less than 1024
# that can be tested is 1016, less than 2048 is 2040 and so on.
-generate_certs('rsa', '1016', '1024', False)
-generate_certs('rsa', '2040', '2048', True)
+generate_rsa_chains('1016', '1024', False)
+generate_rsa_chains('2040', '2048', True)
generate_ecc_chains()
generate_combination_chains()
# Print a blank line and the information needed to enable EV for any roots
# generated by this script.
print
for cert_filename in generated_ev_root_filenames:
CertUtils.print_cert_info(cert_filename)
--- a/security/manager/ssl/tests/unit/test_keysize_ev.js
+++ b/security/manager/ssl/tests/unit/test_keysize_ev.js
@@ -42,76 +42,70 @@ function checkEVStatus(cert, usage, isEV
equal(0, error);
}
/**
* Adds a single EV key size test.
*
* @param {Array} expectedNamesForOCSP
* An array of nicknames of the certs to be responded to.
- * @param {String} rootCACertFileName
- * The file name of the root CA cert. Can begin with ".." to reference
+ * @param {String} rootCertFileName
+ * The file name of the root cert. Can begin with ".." to reference
* certs in folders other than "test_keysize/".
- * @param {Array} subCACertFileNames
- * An array of file names of any sub CA certificates.
+ * @param {Array} intCertFileNames
+ * An array of file names of any intermediate certificates.
* @param {String} endEntityCertFileName
* The file name of the end entity cert.
* @param {Boolean} expectedResult
* Whether the chain is expected to validate as EV.
*/
function addKeySizeTestForEV(expectedNamesForOCSP,
- rootCACertFileName, subCACertFileNames,
+ rootCertFileName, intCertFileNames,
endEntityCertFileName, expectedResult)
{
add_test(function() {
clearOCSPCache();
let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
- loadCert(rootCACertFileName, "CTu,CTu,CTu");
- for (let subCACertFileName of subCACertFileNames) {
- loadCert(subCACertFileName, ",,");
+ loadCert(rootCertFileName, "CTu,CTu,CTu");
+ for (let intCertFileName of intCertFileNames) {
+ loadCert(intCertFileName, ",,");
}
checkEVStatus(certFromFile(endEntityCertFileName + ".der"),
certificateUsageSSLServer, expectedResult);
ocspResponder.stop(run_next_test);
});
}
/**
- * For debug builds which have the test EV roots compiled in, checks for the
- * given key type that chains that contain certs with key sizes adequate for EV
- * are validated as such, while chains that contain any cert with an inadequate
- * key size fail EV and validate as DV.
+ * For debug builds which have the test EV roots compiled in, checks RSA chains
+ * which contain certs with key sizes adequate for EV are validated as such,
+ * while chains that contain any cert with an inadequate key size fail EV and
+ * validate as DV.
* For opt builds which don't have the test EV roots compiled in, checks that
* none of the chains validate as EV.
*
* Note: This function assumes that the key size requirements for EV are greater
* than or equal to the requirements for DV.
*
- * @param {String} keyType
- * The key type to check (e.g. "rsa").
* @param {Number} inadequateKeySize
* The inadequate key size of the generated certs.
* @param {Number} adequateKeySize
* The adequate key size of the generated certs.
*/
-function checkForKeyType(keyType, inadequateKeySize, adequateKeySize) {
+function checkRSAChains(inadequateKeySize, adequateKeySize) {
// Reuse the existing test RSA EV root
- let rootOKCertFileName = keyType == "rsa"
- ? "../test_ev_certs/evroot"
- : "ev_root_" + keyType + "_" + adequateKeySize;
- let rootOKName = keyType == "rsa"
- ? "evroot"
- : "ev_root_" + keyType + "_" + adequateKeySize;
- let rootNotOKName = "ev_root_" + keyType + "_" + inadequateKeySize;
- let intOKName = "ev_int_" + keyType + "_" + adequateKeySize;
- let intNotOKName = "ev_int_" + keyType + "_" + inadequateKeySize;
- let eeOKName = "ev_ee_" + keyType + "_" + adequateKeySize;
- let eeNotOKName = "ev_ee_" + keyType + "_" + inadequateKeySize;
+ let rootOKCertFileName = "../test_ev_certs/evroot";
+ let rootOKName = "evroot";
+ let rootNotOKName = "ev_root_rsa_" + inadequateKeySize;
+ let intOKName = "ev_int_rsa_" + adequateKeySize;
+ let intNotOKName = "ev_int_rsa_" + inadequateKeySize;
+ let eeOKName = "ev_ee_rsa_" + adequateKeySize;
+ let eeNotOKName = "ev_ee_rsa_" + inadequateKeySize;
// Chain with certs that have adequate sizes for EV and DV
// In opt builds, this chain is only validated for DV. Hence, an OCSP fetch
// will for example not be done for the "ev_int_rsa_2048-evroot" intermediate
// in such a build.
let intFullName = intOKName + "-" + rootOKName;
let eeFullName = eeOKName + "-" + intOKName + "-" + rootOKName;
let expectedNamesForOCSP = gEVExpected
@@ -144,15 +138,14 @@ function checkForKeyType(keyType, inadeq
intFullName = intOKName + "-" + rootOKName;
eeFullName = eeNotOKName + "-" + intOKName + "-" + rootOKName;
expectedNamesForOCSP = [ eeFullName ];
addKeySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName,
[ intFullName ], eeFullName, false);
}
function run_test() {
- // Setup OCSP responder
Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
- checkForKeyType("rsa", 2040, 2048);
+ checkRSAChains(2040, 2048);
run_next_test();
}