Bug 971178, Part 1: Expand test_cert_signatures.js test insanity::pkix, r=cviecco
authorBrian Smith <brian@briansmith.org>
Tue, 11 Feb 2014 01:42:24 -0800
changeset 186578 ca16447717f31e38b9fd77908f7882c596ce33ef
parent 186577 1ccbdd0430f245511ac603321a71535121979fe9
child 186579 a7a95b0132c60ad6bb2297eeb407f8df19757e3a
push id474
push userasasaki@mozilla.com
push dateMon, 02 Jun 2014 21:01:02 +0000
reviewerscviecco
bugs971178
milestone30.0a1
Bug 971178, Part 1: Expand test_cert_signatures.js test insanity::pkix, r=cviecco
security/manager/ssl/tests/unit/test_cert_signatures.js
--- a/security/manager/ssl/tests/unit/test_cert_signatures.js
+++ b/security/manager/ssl/tests/unit/test_cert_signatures.js
@@ -19,68 +19,89 @@
  * Check in the generated files. These steps are not done as part of the build
  * because we do not want to add a build-time dependency on the OpenSSL or NSS
  * tools or libraries built for the host platform.
  */
 
 do_get_profile(); // must be called before getting nsIX509CertDB
 const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
 
-const ca_usage = 'SSL CA';
-const int_usage = 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
-const ee_usage = 'Client,Server,Sign,Encrypt';
-
-const cert2usage = {
-  // certs without the "int" prefix are end entity certs.
-  'int-rsa-valid': int_usage,
-  'rsa-valid': ee_usage,
-  'int-p384-valid': int_usage,
-  'p384-valid': ee_usage,
-  'int-dsa-valid': int_usage,
-  'dsa-valid': ee_usage,
-
-  'rsa-valid-int-tampered-ee': "",
-  'p384-valid-int-tampered-ee': "",
-  'dsa-valid-int-tampered-ee': "",
-
-  'int-rsa-tampered': "",
-  'rsa-tampered-int-valid-ee': "",
-  'int-p384-tampered': "",
-  'p384-tampered-int-valid-ee': "",
-  'int-dsa-tampered': "",
-  'dsa-tampered-int-valid-ee': "",
-
-};
-
 function load_ca(ca_name) {
   let ca_filename = ca_name + ".der";
   addCertFromFile(certdb, "test_cert_signatures/" + ca_filename, 'CTu,CTu,CTu');
+}
 
+function check_ca(ca_name) {
   do_print("ca_name=" + ca_name);
   let cert = certdb.findCertByNickname(null, ca_name);
 
   let verified = {};
   let usages = {};
   cert.getUsagesString(true, verified, usages);
-  do_check_eq(ca_usage, usages.value);
+  do_check_eq('SSL CA', usages.value);
 }
 
 function run_test() {
   // Load the ca into mem
   load_ca("ca-rsa");
   load_ca("ca-p384");
   load_ca("ca-dsa");
 
+  run_test_in_mode(true);
+  run_test_in_mode(false);
+}
+
+function run_test_in_mode(useInsanity) {
+  Services.prefs.setBoolPref("security.use_insanity_verification", useInsanity);
+  clearOCSPCache();
+  clearSessionCache();
+
+  check_ca("ca-rsa");
+  check_ca("ca-p384");
+  check_ca("ca-dsa");
+
+  // insanity::pkix does not allow CA certs to be validated for end-entity
+  // usages.
+  let int_usage = useInsanity
+                ? 'SSL CA'
+                : 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
+
+  // insanity::pkix doesn't implement the Netscape Object Signer restriction.
+  const ee_usage = useInsanity
+                 ? 'Client,Server,Sign,Encrypt,Object Signer'
+                 : 'Client,Server,Sign,Encrypt';
+
+  let cert2usage = {
+    // certs without the "int" prefix are end entity certs.
+    'int-rsa-valid': int_usage,
+    'rsa-valid': ee_usage,
+    'int-p384-valid': int_usage,
+    'p384-valid': ee_usage,
+    'int-dsa-valid': int_usage,
+    'dsa-valid': ee_usage,
+
+    'rsa-valid-int-tampered-ee': "",
+    'p384-valid-int-tampered-ee': "",
+    'dsa-valid-int-tampered-ee': "",
+
+    'int-rsa-tampered': "",
+    'rsa-tampered-int-valid-ee': "",
+    'int-p384-tampered': "",
+    'p384-tampered-int-valid-ee': "",
+    'int-dsa-tampered': "",
+    'dsa-tampered-int-valid-ee': "",
+
+  };
+
   // Load certs first
   for (let cert_name in cert2usage) {
     let cert_filename = cert_name + ".der";
     addCertFromFile(certdb, "test_cert_signatures/" + cert_filename, ',,');
   }
 
-  // Now do the checks
   for (let cert_name in cert2usage) {
     do_print("cert_name=" + cert_name);
 
     let cert = certdb.findCertByNickname(null, cert_name);
 
     let verified = {};
     let usages = {};
     cert.getUsagesString(true, verified, usages);
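Review bot: The `ee_usage` expectation in `run_test_in_mode` makes `'Client,Server,Sign,Encrypt,Object Signer'` the passing result under insanity::pkix, so the test now pins a broader usage set for end-entity certs than the classic verifier reports, and the one-line comment above it does not say whether that is a deliberate design choice or a gap to close later. I would spell that out in the comment, e.g. `// insanity::pkix ignores the Netscape Object Signer restriction (intentional? tracking bug: <BUG-PLACEHOLDER>), so EE certs also report 'Object Signer'.` Separately, the "Load certs first" loop now sits inside `run_test_in_mode` and so runs once per mode, importing every non-CA cert twice; `load_ca` was split from `check_ca`, presumably to avoid that for the CAs, and the same split would fit here. `int_usage` is declared with `let` and `ee_usage` with `const` although neither is reassigned in the visible lines. The body of `run_test_in_mode` continues past the end of this hunk, so the final comparison against `cert2usage` is not visible here.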