Bug 971178, Part 1: Expand test_cert_signatures.js test insanity::pkix, r=cviecco, a=test-only
authorBrian Smith <brian@briansmith.org>
Tue, 11 Feb 2014 01:42:24 -0800
changeset 177034 9cd89cbce0251eded808cd172c543e18799aade8
parent 177033 0939d42b51df3735500cfb60bb49a3bf8f551662
child 177035 eed845448ff34fc05178917f115df01431522079
push id5232
push userbrian@briansmith.org
push dateFri, 14 Feb 2014 09:42:22 +0000
reviewerscviecco, test-only
bugs971178
milestone29.0a2
Bug 971178, Part 1: Expand test_cert_signatures.js test insanity::pkix, r=cviecco, a=test-only
security/manager/ssl/tests/unit/test_cert_signatures.js
--- a/security/manager/ssl/tests/unit/test_cert_signatures.js
+++ b/security/manager/ssl/tests/unit/test_cert_signatures.js
@@ -19,68 +19,89 @@
  * Check in the generated files. These steps are not done as part of the build
  * because we do not want to add a build-time dependency on the OpenSSL or NSS
  * tools or libraries built for the host platform.
  */
 
 do_get_profile(); // must be called before getting nsIX509CertDB
 const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
 
-const ca_usage = 'SSL CA';
-const int_usage = 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
-const ee_usage = 'Client,Server,Sign,Encrypt';
-
-const cert2usage = {
-  // certs without the "int" prefix are end entity certs.
-  'int-rsa-valid': int_usage,
-  'rsa-valid': ee_usage,
-  'int-p384-valid': int_usage,
-  'p384-valid': ee_usage,
-  'int-dsa-valid': int_usage,
-  'dsa-valid': ee_usage,
-
-  'rsa-valid-int-tampered-ee': "",
-  'p384-valid-int-tampered-ee': "",
-  'dsa-valid-int-tampered-ee': "",
-
-  'int-rsa-tampered': "",
-  'rsa-tampered-int-valid-ee': "",
-  'int-p384-tampered': "",
-  'p384-tampered-int-valid-ee': "",
-  'int-dsa-tampered': "",
-  'dsa-tampered-int-valid-ee': "",
-
-};
-
 function load_ca(ca_name) {
   let ca_filename = ca_name + ".der";
   addCertFromFile(certdb, "test_cert_signatures/" + ca_filename, 'CTu,CTu,CTu');
+}
 
+function check_ca(ca_name) {
   do_print("ca_name=" + ca_name);
   let cert = certdb.findCertByNickname(null, ca_name);
 
   let verified = {};
   let usages = {};
   cert.getUsagesString(true, verified, usages);
-  do_check_eq(ca_usage, usages.value);
+  do_check_eq('SSL CA', usages.value);
 }
 
 function run_test() {
   // Load the ca into mem
   load_ca("ca-rsa");
   load_ca("ca-p384");
   load_ca("ca-dsa");
 
+  run_test_in_mode(true);
+  run_test_in_mode(false);
+}
+
+function run_test_in_mode(useInsanity) {
+  Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+  clearOCSPCache();
+  clearSessionCache();
+
+  check_ca("ca-rsa");
+  check_ca("ca-p384");
+  check_ca("ca-dsa");
+
+  // insanity::pkix does not allow CA certs to be validated for end-entity
+  // usages.
+  let int_usage = useInsanity
+                ? 'SSL CA'
+                : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
+
+  // insanity::pkix doesn't implement the Netscape Object Signer restriction.
+  const ee_usage = useInsanity
+                 ? 'Client,Server,Sign,Encrypt,Object Signer'
+                 : 'Client,Server,Sign,Encrypt';
+
+  let cert2usage = {
+    // certs without the "int" prefix are end entity certs.
+    'int-rsa-valid': int_usage,
+    'rsa-valid': ee_usage,
+    'int-p384-valid': int_usage,
+    'p384-valid': ee_usage,
+    'int-dsa-valid': int_usage,
+    'dsa-valid': ee_usage,
+
+    'rsa-valid-int-tampered-ee': "",
+    'p384-valid-int-tampered-ee': "",
+    'dsa-valid-int-tampered-ee': "",
+
+    'int-rsa-tampered': "",
+    'rsa-tampered-int-valid-ee': "",
+    'int-p384-tampered': "",
+    'p384-tampered-int-valid-ee': "",
+    'int-dsa-tampered': "",
+    'dsa-tampered-int-valid-ee': "",
+
+  };
+
   // Load certs first
   for (let cert_name in cert2usage) {
     let cert_filename = cert_name + ".der";
     addCertFromFile(certdb, "test_cert_signatures/" + cert_filename, ',,');
   }
 
-  // Now do the checks
   for (let cert_name in cert2usage) {
     do_print("cert_name=" + cert_name);
 
     let cert = certdb.findCertByNickname(null, cert_name);
 
     let verified = {};
     let usages = {};
     cert.getUsagesString(true, verified, usages);
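Review bot: In run_test_in_mode, `int_usage` is declared with `let` while the parallel `ee_usage` two lines below is `const`, and neither is reassigned; `cert2usage` is likewise a `let` that is only iterated. Declare all three with `const` so the three usage bindings read consistently and a later accidental reassignment becomes a syntax error: `const int_usage = useInsanity`. Separately, `security.use_insanity_verification` is set on each call but never reset, so the process exits with whatever the last mode wrote; if the harness does not isolate prefs per test, a `Services.prefs.clearUserPref("security.use_insanity_verification");` at the end of run_test would avoid leaking the mode into later tests. A one-line comment above the two cache-clearing calls saying why they are needed when switching modes (presumably cached verification results would otherwise mask the mode change — confirm) would help the next reader. The body of run_test_in_mode continues past the end of this hunk.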