Bug 987816 - verifying with certificateUsageVerifyCA always return failure. r=dkeeler a=lsblakk
authorCamilo Viecco <cviecco@mozilla.com>
Fri, 28 Mar 2014 10:21:30 -0700
changeset 183784 b192379d4d65
parent 183783 92cae49290ae
child 183785 aaf5030cbf98
push id3482
push usercviecco@mozilla.com
push date2014-04-16 16:08 +0000
reviewersdkeeler, lsblakk
bugs987816
milestone29.0
Bug 987816 - verifying with certificateUsageVerifyCA always return failure. r=dkeeler a=lsblakk
security/certverifier/CertVerifier.cpp
security/manager/ssl/tests/unit/head_psm.js
security/manager/ssl/tests/unit/test_certificate_usages.js
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -140,16 +140,19 @@ ClassicVerifyCert(CERTCertificate* cert,
         enumUsage = certUsageEmailSigner;
         break;
       case certificateUsageEmailRecipient:
         enumUsage = certUsageEmailRecipient;
         break;
       case certificateUsageObjectSigner:
         enumUsage = certUsageObjectSigner;
         break;
+      case certificateUsageVerifyCA:
+        enumUsage = certUsageVerifyCA;
+        break;
       case certificateUsageStatusResponder:
         enumUsage = certUsageStatusResponder;
         break;
       default:
         PR_NOT_REACHED("unexpected usage");
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
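Review bot: The usage-to-NSS-enum mapping in this switch and the accepted-usage switch in CertVerifier::VerifyCert (the second hunk) must now enumerate the same set of usages, but nothing ties the two lists together; a usage added to one and not the other reproduces exactly the failure this commit fixes. A short cross-reference above each switch would make the coupling visible, e.g. `// Keep in sync with the usage switch in CertVerifier::VerifyCert.` here and the reverse note in VerifyCert. ClassicVerifyCert begins before this hunk and VerifyCert continues after its hunk, so any further usage-dependent dispatch in either body is outside what is visible here.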
@@ -462,16 +465,17 @@ CertVerifier::VerifyCert(CERTCertificate
 
   switch(usage){
     case certificateUsageSSLClient:
     case certificateUsageSSLServer:
     case certificateUsageSSLCA:
     case certificateUsageEmailSigner:
     case certificateUsageEmailRecipient:
     case certificateUsageObjectSigner:
+    case certificateUsageVerifyCA:
     case certificateUsageStatusResponder:
       break;
     default:
       PORT_SetError(SEC_ERROR_INVALID_ARGS);
       return SECFailure;
   }
 
   if ((flags & FLAG_MUST_BE_EV) && usage != certificateUsageSSLServer) {
--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -76,16 +76,29 @@ function addCertFromFile(certdb, filenam
 }
 
 function getXPCOMStatusFromNSS(statusNSS) {
   let nssErrorsService = Cc["@mozilla.org/nss_errors_service;1"]
                            .getService(Ci.nsINSSErrorsService);
   return nssErrorsService.getXPCOMFromNSSError(statusNSS);
 }
 
+function checkCertErrorGeneric(certdb, cert, expectedError, usage) {
+  let hasEVPolicy = {};
+  let verifiedChain = {};
+  let error = certdb.verifyCertNow(cert, usage, NO_FLAGS, verifiedChain,
+                                   hasEVPolicy);
+  // expected error == -1 is a special marker for any error is OK
+  if (expectedError != -1 ) {
+    do_check_eq(error, expectedError);
+  } else {
+    do_check_neq (error, 0);
+  }
+}
+
 function _getLibraryFunctionWithNoArguments(functionName, libraryName) {
   // Open the NSS library. copied from services/crypto/modules/WeaveCrypto.js
   let path = ctypes.libraryName(libraryName);
 
   // XXX really want to be able to pass specific dlopen flags here.
   let nsslib;
   try {
     nsslib = ctypes.open(path);
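Review bot: The added `checkCertErrorGeneric` compares with loose inequality, `if (expectedError != -1 ) {`; since the argument is an integer status code, `if (expectedError !== -1) {` states the intent exactly, and the next line has a stray space before the paren, `do_check_neq(error, 0);`. The helper also discards the `verifiedChain` and `hasEVPolicy` out-params it passes to `verifyCertNow`, which is fine for current callers but worth stating in a header comment along with the -1 sentinel, e.g. `// Verify cert for usage and assert the result; expectedError -1 means any non-zero error is acceptable. Chain and EV outputs are ignored.`.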
--- a/security/manager/ssl/tests/unit/test_certificate_usages.js
+++ b/security/manager/ssl/tests/unit/test_certificate_usages.js
@@ -119,17 +119,19 @@ function run_test_in_mode(useInsanity) {
   for (var i = 0; i < gNumCAs; i++) {
     var ca_name = "ca-" + (i + 1);
     var verified = {};
     var usages = {};
     var cert = certdb.findCertByNickname(null, ca_name);
     cert.getUsagesString(true, verified, usages);
     do_print("usages.value=" + usages.value);
     do_check_eq(ca_usages[i], usages.value);
-
+    if (ca_usages[i].indexOf('SSL CA') != -1) {
+      checkCertErrorGeneric(certdb, cert, 0, certificateUsageVerifyCA);
+    }
     //now the ee, names also one based
     for (var j = 0; j < ee_usages[i].length; j++) {
       var ee_name = "ee-" + (j + 1) + "-" + ca_name;
       var ee_filename = ee_name + ".der";
       //do_print("ee_filename" + ee_filename);
       addCertFromFile(certdb, "test_certificate_usages/" + ee_filename, ",,");
       var ee_cert;
       ee_cert = certdb.findCertByNickname(null, ee_name);
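Review bot: The added check asserts only the positive case — a CA whose usage string contains 'SSL CA' verifies with error 0 for certificateUsageVerifyCA — and has no negative counterpart, so a regression that makes VerifyCA succeed for every certificate would still pass. If the fixture includes CAs that should not verify as CAs, an `else` branch calling `checkCertErrorGeneric(certdb, cert, -1, certificateUsageVerifyCA)` (or with the precise NSS error once it is known) would pin that behaviour too; whether every non-'SSL CA' certificate in the fixture is expected to fail VerifyCA is not visible from this hunk. The `indexOf('SSL CA') != -1` test would also read more safely as `!== -1`. run_test_in_mode starts before this hunk and continues after it.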