Bug 1125478 - Refactor and clean up key size test files. r=keeler
authorCykesiopka <cykesiopka.bmo@gmail.com>
Tue, 27 Jan 2015 22:11:00 +0100
changeset 239595 2af584e18fdb0788c1dc564650d2919b91ced287
parent 239594 8d063686d243f74077828c4ffe6721d62f8e0811
child 239596 ca80c9cad1844dc0cbee551635122fe7fb0bb6da
push id500
push userjoshua.m.grant@gmail.com
push dateThu, 29 Jan 2015 01:48:36 +0000
reviewerskeeler
bugs1125478
milestone38.0a1
Bug 1125478 - Refactor and clean up key size test files. r=keeler
security/manager/ssl/tests/unit/test_keysize.js
security/manager/ssl/tests/unit/test_keysize/generate.py
security/manager/ssl/tests/unit/test_keysize_ev.js
--- a/security/manager/ssl/tests/unit/test_keysize.js
+++ b/security/manager/ssl/tests/unit/test_keysize.js
@@ -12,52 +12,20 @@ do_get_profile(); // must be called befo
 const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);
 
 function certFromFile(filename) {
   let der = readFile(do_get_file("test_keysize/" + filename, false));
   return certdb.constructX509(der, der.length);
 }
 
-function load_cert(cert_name, trust_string) {
-  let cert_filename = cert_name + ".der";
-  addCertFromFile(certdb, "test_keysize/" + cert_filename, trust_string);
-  return certFromFile(cert_filename);
-}
-
-function check_cert_err_generic(cert, expected_error, usage) {
-  do_print("cert cn=" + cert.commonName);
-  do_print("cert issuer cn=" + cert.issuerCommonName);
-  let hasEVPolicy = {};
-  let verifiedChain = {};
-  let error = certdb.verifyCertNow(cert, usage,
-                                   NO_FLAGS, verifiedChain, hasEVPolicy);
-  equal(error, expected_error);
-}
-
-function check_cert_err(cert, expected_error) {
-  check_cert_err_generic(cert, expected_error, certificateUsageSSLServer)
-}
-
-function check_ok(cert) {
-  return check_cert_err(cert, 0);
-}
-
-function check_ok_ca(cert) {
-  return check_cert_err_generic(cert, 0, certificateUsageSSLCA);
-}
-
-function check_fail(cert) {
-  return check_cert_err(cert, MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
-}
-
-function check_fail_ca(cert) {
-  return check_cert_err_generic(cert,
-                                MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE,
-                                certificateUsageSSLCA);
+function loadCert(certName, trustString) {
+  let certFilename = certName + ".der";
+  addCertFromFile(certdb, "test_keysize/" + certFilename, trustString);
+  return certFromFile(certFilename);
 }
 
 /**
  * Tests a cert chain.
  *
  * @param {String} rootKeyType
  *        The key type of the root certificate, or the name of an elliptic
  *        curve, as output by the 'openssl ecparam -list_curves' command.
@@ -72,59 +40,58 @@ function checkChain(rootKeyType, rootKey
                     eeKeyType, eeKeySize, eeExpectedError) {
   let rootName = "root_" + rootKeyType + "_" + rootKeySize;
   let intName = "int_" + intKeyType + "_" + intKeySize;
   let eeName = "ee_" + eeKeyType + "_" + eeKeySize;
 
   let intFullName = intName + "-" + rootName;
   let eeFullName = eeName + "-" + intName + "-" + rootName;
 
-  load_cert(rootName, "CTu,CTu,CTu");
-  load_cert(intFullName, ",,");
-  let eeCert = certFromFile(eeFullName + ".der")
+  loadCert(rootName, "CTu,CTu,CTu");
+  loadCert(intFullName, ",,");
+  let eeCert = certFromFile(eeFullName + ".der");
 
   do_print("cert cn=" + eeCert.commonName);
   do_print("cert o=" + eeCert.organization);
   do_print("cert issuer cn=" + eeCert.issuerCommonName);
   do_print("cert issuer o=" + eeCert.issuerOrganization);
   checkCertErrorGeneric(certdb, eeCert, eeExpectedError,
                         certificateUsageSSLServer);
 }
 
-function checkForKeyType(keyType, inadequateKeySize, adequateKeySize) {
-  let rootOKName = "root_" + keyType + "_" + adequateKeySize;
-  let rootNotOKName = "root_" + keyType + "_" + inadequateKeySize;
-  let intOKName = "int_" + keyType + "_" + adequateKeySize;
-  let intNotOKName = "int_" + keyType + "_" + inadequateKeySize;
-  let eeOKName = "ee_" + keyType + "_" + adequateKeySize;
-  let eeNotOKName = "ee_" + keyType + "_" + inadequateKeySize;
-
+/**
+ * Tests various RSA chains.
+ *
+ * @param {Number} inadequateKeySize
+ * @param {Number} adequateKeySize
+ */
+function checkRSAChains(inadequateKeySize, adequateKeySize) {
   // Chain with certs that have adequate sizes for DV
-  let intFullName = intOKName + "-" + rootOKName;
-  let eeFullName = eeOKName + "-" + intOKName + "-" + rootOKName;
-  check_ok_ca(load_cert(rootOKName, "CTu,CTu,CTu"));
-  check_ok_ca(load_cert(intFullName, ",,"));
-  check_ok(certFromFile(eeFullName + ".der"));
+  checkChain("rsa", adequateKeySize,
+             "rsa", adequateKeySize,
+             "rsa", adequateKeySize,
+             0);
 
   // Chain with a root cert that has an inadequate size for DV
-  intFullName = intOKName + "-" + rootNotOKName;
-  eeFullName = eeOKName + "-" + intOKName + "-" + rootNotOKName;
-  check_fail_ca(load_cert(rootNotOKName, "CTu,CTu,CTu"));
-  check_fail_ca(load_cert(intFullName, ",,"));
-  check_fail(certFromFile(eeFullName + ".der"));
+  checkChain("rsa", inadequateKeySize,
+             "rsa", adequateKeySize,
+             "rsa", adequateKeySize,
+             MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
 
   // Chain with an intermediate cert that has an inadequate size for DV
-  intFullName = intNotOKName + "-" + rootOKName;
-  eeFullName = eeOKName + "-" + intNotOKName + "-" + rootOKName;
-  check_fail_ca(load_cert(intFullName, ",,"));
-  check_fail(certFromFile(eeFullName + ".der"));
+  checkChain("rsa", adequateKeySize,
+             "rsa", inadequateKeySize,
+             "rsa", adequateKeySize,
+             MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
 
   // Chain with an end entity cert that has an inadequate size for DV
-  eeFullName = eeNotOKName + "-" + intOKName + "-" + rootOKName;
-  check_fail(certFromFile(eeFullName + ".der"));
+  checkChain("rsa", adequateKeySize,
+             "rsa", adequateKeySize,
+             "rsa", inadequateKeySize,
+             MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
 }
 
 function checkECCChains() {
   checkChain("prime256v1", 256,
              "secp384r1", 384,
              "secp521r1", 521,
              0);
   checkChain("prime256v1", 256,
@@ -160,14 +127,14 @@ function checkCombinationChains() {
              SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
   checkChain("prime256v1", 256,
              "rsa", 1016,
              "prime256v1", 256,
              MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
 }
 
 function run_test() {
-  checkForKeyType("rsa", 1016, 1024);
+  checkRSAChains(1016, 1024);
   checkECCChains();
   checkCombinationChains();
 
   run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_keysize/generate.py
+++ b/security/manager/ssl/tests/unit/test_keysize/generate.py
@@ -81,17 +81,17 @@ def generate_and_maybe_import_cert(key_t
     subject_string += '/O=' + cert_name
 
     # Reuse the existing RSA EV root
     if (generate_ev and key_type == 'rsa' and signer_key_filename == ''
             and signer_cert_filename == '' and key_size == '2048'):
         cert_name = 'evroot'
         key_filename = '../test_ev_certs/evroot.key'
         cert_filename = '../test_ev_certs/evroot.der'
-        CertUtils.import_cert_and_pkcs12(srcdir, key_filename,
+        CertUtils.import_cert_and_pkcs12(srcdir, cert_filename,
                                          '../test_ev_certs/evroot.p12',
                                          cert_name, ',,')
         return [cert_name, key_filename, cert_filename]
 
     # Don't regenerate a previously generated cert
     for cert in generated_certs:
         if cert_name == cert[0]:
             return cert
@@ -161,131 +161,51 @@ def generate_cert_chain(root_key_type, r
         'ee',
         int_nick,
         ee_ext_text,
         int_key_file,
         int_cert_file,
         ee_key_size,
         generate_ev)
 
-def generate_certs(key_type, inadequate_key_size, adequate_key_size, generate_ev):
+def generate_rsa_chains(inadequate_key_size, adequate_key_size, generate_ev):
     """
-    Generates the various certificates used by the key size tests.
+    Generates various RSA chains with different combinations of adequately and
+    inadequately sized certs.
 
     Arguments:
-      key_type -- the type of key generated: potential values: 'rsa',
-                  or any of the curves found by 'openssl ecparam -list_curves'
       inadequate_key_size -- a string defining the inadequate public key size
                              for the generated certs
       adequate_key_size -- a string defining the adequate public key size for
                            the generated certs
-      generate_ev -- whether an EV cert should be generated
+      generate_ev -- whether EV certs should be generated
     """
     # Generate chain with certs that have adequate sizes
-    if generate_ev and key_type == 'rsa':
-        # Reuse the existing RSA EV root
-        rootOK_nick = 'evroot'
-        caOK_key = '../test_ev_certs/evroot.key'
-        caOK_cert = '../test_ev_certs/evroot.der'
-        caOK_pkcs12_filename = '../test_ev_certs/evroot.p12'
-        CertUtils.import_cert_and_pkcs12(srcdir, caOK_cert, caOK_pkcs12_filename,
-                                         rootOK_nick, ',,')
-    else:
-        [rootOK_nick, caOK_key, caOK_cert] = generate_and_maybe_import_cert(
-            key_type,
-            'root',
-            '',
-            ca_ext_text,
-            '',
-            '',
-            adequate_key_size,
-            generate_ev)
-
-    [intOK_nick, intOK_key, intOK_cert] = generate_and_maybe_import_cert(
-        key_type,
-        'int',
-        rootOK_nick,
-        ca_ext_text,
-        caOK_key,
-        caOK_cert,
-        adequate_key_size,
-        generate_ev)
-
-    generate_and_maybe_import_cert(
-        key_type,
-        'ee',
-        intOK_nick,
-        ee_ext_text,
-        intOK_key,
-        intOK_cert,
-        adequate_key_size,
-        generate_ev)
+    generate_cert_chain('rsa', adequate_key_size,
+                        'rsa', adequate_key_size,
+                        'rsa', adequate_key_size,
+                        generate_ev)
 
     # Generate chain with a root cert that has an inadequate size
-    [rootNotOK_nick, rootNotOK_key, rootNotOK_cert] = generate_and_maybe_import_cert(
-        key_type,
-        'root',
-        '',
-        ca_ext_text,
-        '',
-        '',
-        inadequate_key_size,
-        generate_ev)
-
-    [int_nick, int_key, int_cert] = generate_and_maybe_import_cert(
-        key_type,
-        'int',
-        rootNotOK_nick,
-        ca_ext_text,
-        rootNotOK_key,
-        rootNotOK_cert,
-        adequate_key_size,
-        generate_ev)
-
-    generate_and_maybe_import_cert(
-        key_type,
-        'ee',
-        int_nick,
-        ee_ext_text,
-        int_key,
-        int_cert,
-        adequate_key_size,
-        generate_ev)
+    generate_cert_chain('rsa', inadequate_key_size,
+                        'rsa', adequate_key_size,
+                        'rsa', adequate_key_size,
+                        generate_ev)
 
     # Generate chain with an intermediate cert that has an inadequate size
-    [intNotOK_nick, intNotOK_key, intNotOK_cert] = generate_and_maybe_import_cert(
-        key_type,
-        'int',
-        rootOK_nick,
-        ca_ext_text,
-        caOK_key,
-        caOK_cert,
-        inadequate_key_size,
-        generate_ev)
-
-    generate_and_maybe_import_cert(
-        key_type,
-        'ee',
-        intNotOK_nick,
-        ee_ext_text,
-        intNotOK_key,
-        intNotOK_cert,
-        adequate_key_size,
-        generate_ev)
+    generate_cert_chain('rsa', adequate_key_size,
+                        'rsa', inadequate_key_size,
+                        'rsa', adequate_key_size,
+                        generate_ev)
 
     # Generate chain with an end entity cert that has an inadequate size
-    generate_and_maybe_import_cert(
-        key_type,
-        'ee',
-        intOK_nick,
-        ee_ext_text,
-        intOK_key,
-        intOK_cert,
-        inadequate_key_size,
-        generate_ev)
+    generate_cert_chain('rsa', adequate_key_size,
+                        'rsa', adequate_key_size,
+                        'rsa', inadequate_key_size,
+                        generate_ev)
 
 def generate_ecc_chains():
     generate_cert_chain('prime256v1', '256',
                         'secp384r1', '384',
                         'secp521r1', '521',
                         False)
     generate_cert_chain('prime256v1', '256',
                         'secp224r1', '224',
@@ -323,18 +243,18 @@ def generate_combination_chains():
                         False)
 
 # Create a NSS DB for use by the OCSP responder.
 CertUtils.init_nss_db(srcdir)
 
 # TODO(bug 636807): SECKEY_PublicKeyStrengthInBits() rounds up the number of
 # bits to the next multiple of 8 - therefore the highest key size less than 1024
 # that can be tested is 1016, less than 2048 is 2040 and so on.
-generate_certs('rsa', '1016', '1024', False)
-generate_certs('rsa', '2040', '2048', True)
+generate_rsa_chains('1016', '1024', False)
+generate_rsa_chains('2040', '2048', True)
 generate_ecc_chains()
 generate_combination_chains()
 
 # Print a blank line and the information needed to enable EV for any roots
 # generated by this script.
 print
 for cert_filename in generated_ev_root_filenames:
     CertUtils.print_cert_info(cert_filename)
--- a/security/manager/ssl/tests/unit/test_keysize_ev.js
+++ b/security/manager/ssl/tests/unit/test_keysize_ev.js
@@ -42,76 +42,70 @@ function checkEVStatus(cert, usage, isEV
   equal(0, error);
 }
 
 /**
  * Adds a single EV key size test.
  *
  * @param {Array} expectedNamesForOCSP
  *        An array of nicknames of the certs to be responded to.
- * @param {String} rootCACertFileName
- *        The file name of the root CA cert. Can begin with ".." to reference
+ * @param {String} rootCertFileName
+ *        The file name of the root cert. Can begin with ".." to reference
  *        certs in folders other than "test_keysize/".
- * @param {Array} subCACertFileNames
- *        An array of file names of any sub CA certificates.
+ * @param {Array} intCertFileNames
+ *        An array of file names of any intermediate certificates.
  * @param {String} endEntityCertFileName
  *        The file name of the end entity cert.
  * @param {Boolean} expectedResult
  *        Whether the chain is expected to validate as EV.
  */
 function addKeySizeTestForEV(expectedNamesForOCSP,
-                             rootCACertFileName, subCACertFileNames,
+                             rootCertFileName, intCertFileNames,
                              endEntityCertFileName, expectedResult)
 {
   add_test(function() {
     clearOCSPCache();
     let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
 
-    loadCert(rootCACertFileName, "CTu,CTu,CTu");
-    for (let subCACertFileName of subCACertFileNames) {
-      loadCert(subCACertFileName, ",,");
+    loadCert(rootCertFileName, "CTu,CTu,CTu");
+    for (let intCertFileName of intCertFileNames) {
+      loadCert(intCertFileName, ",,");
     }
     checkEVStatus(certFromFile(endEntityCertFileName + ".der"),
                   certificateUsageSSLServer, expectedResult);
 
     ocspResponder.stop(run_next_test);
   });
 }
 
 /**
- * For debug builds which have the test EV roots compiled in, checks for the
- * given key type that chains that contain certs with key sizes adequate for EV
- * are validated as such, while chains that contain any cert with an inadequate
- * key size fail EV and validate as DV.
+ * For debug builds which have the test EV roots compiled in, checks RSA chains
+ * which contain certs with key sizes adequate for EV are validated as such,
+ * while chains that contain any cert with an inadequate key size fail EV and
+ * validate as DV.
  * For opt builds which don't have the test EV roots compiled in, checks that
  * none of the chains validate as EV.
  *
  * Note: This function assumes that the key size requirements for EV are greater
  * than or equal to the requirements for DV.
  *
- * @param {String} keyType
- *        The key type to check (e.g. "rsa").
  * @param {Number} inadequateKeySize
  *        The inadequate key size of the generated certs.
  * @param {Number} adequateKeySize
  *        The adequate key size of the generated certs.
  */
-function checkForKeyType(keyType, inadequateKeySize, adequateKeySize) {
+function checkRSAChains(inadequateKeySize, adequateKeySize) {
   // Reuse the existing test RSA EV root
-  let rootOKCertFileName = keyType == "rsa"
-                         ? "../test_ev_certs/evroot"
-                         : "ev_root_" + keyType + "_" + adequateKeySize;
-  let rootOKName = keyType == "rsa"
-                 ? "evroot"
-                 : "ev_root_" + keyType + "_" + adequateKeySize;
-  let rootNotOKName = "ev_root_" + keyType + "_" + inadequateKeySize;
-  let intOKName = "ev_int_" + keyType + "_" + adequateKeySize;
-  let intNotOKName = "ev_int_" + keyType + "_" + inadequateKeySize;
-  let eeOKName = "ev_ee_" + keyType + "_" + adequateKeySize;
-  let eeNotOKName = "ev_ee_" + keyType + "_" + inadequateKeySize;
+  let rootOKCertFileName = "../test_ev_certs/evroot";
+  let rootOKName = "evroot";
+  let rootNotOKName = "ev_root_rsa_" + inadequateKeySize;
+  let intOKName = "ev_int_rsa_" + adequateKeySize;
+  let intNotOKName = "ev_int_rsa_" + inadequateKeySize;
+  let eeOKName = "ev_ee_rsa_" + adequateKeySize;
+  let eeNotOKName = "ev_ee_rsa_" + inadequateKeySize;
 
   // Chain with certs that have adequate sizes for EV and DV
   // In opt builds, this chain is only validated for DV. Hence, an OCSP fetch
   // will for example not be done for the "ev_int_rsa_2048-evroot" intermediate
   // in such a build.
   let intFullName = intOKName + "-" + rootOKName;
   let eeFullName = eeOKName + "-" + intOKName + "-" + rootOKName;
   let expectedNamesForOCSP = gEVExpected
@@ -144,15 +138,14 @@ function checkForKeyType(keyType, inadeq
   intFullName = intOKName + "-" + rootOKName;
   eeFullName = eeNotOKName + "-" + intOKName + "-" + rootOKName;
   expectedNamesForOCSP = [ eeFullName ];
   addKeySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName,
                       [ intFullName ], eeFullName, false);
 }
 
 function run_test() {
-  // Setup OCSP responder
   Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
 
-  checkForKeyType("rsa", 2040, 2048);
+  checkRSAChains(2040, 2048);
 
   run_next_test();
 }