64 lines
2.8 KiB
JavaScript
64 lines
2.8 KiB
JavaScript
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
|
|
// This Source Code Form is subject to the terms of the Mozilla Public
|
|
// License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
"use strict";
|
|
|
|
// This test tests two specific items:
|
|
// 1. Are name constraints properly enforced across the entire constructed
|
|
// certificate chain? This makes use of a certificate hierarchy like so:
|
|
// - (trusted) root CA with permitted subtree dNSName example.com
|
|
// - intermediate CA with permitted subtree dNSName example.org
|
|
// a. end-entity with dNSNames example.com and example.org
|
|
// (the first entry is allowed by the root but not by the intermediate,
|
|
// and the second entry is allowed by the intermediate but not by the
|
|
// root)
|
|
// b. end-entity with dNSName example.com (not allowed by the intermediate)
|
|
// c. end-entity with dNSName examle.org (not allowed by the root)
|
|
// d. end-entity with dNSName example.test (not allowed by either)
|
|
// All of these cases should fail to verify with the error that the
|
|
// end-entity is not in the name space permitted by the hierarchy.
|
|
//
|
|
// 2. Are externally-imposed name constraints properly enforced? This makes use
|
|
// of a certificate hierarchy rooted by a certificate with the same DN as an
|
|
// existing hierarchy that has externally-imposed name constraints (DCISS).
|
|
|
|
do_get_profile(); // must be called before getting nsIX509CertDB
|
|
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
|
|
.getService(Ci.nsIX509CertDB);
|
|
|
|
function certFromFile(name) {
|
|
return constructCertFromFile(`test_name_constraints/${name}.pem`);
|
|
}
|
|
|
|
function loadCertWithTrust(certName, trustString) {
|
|
addCertFromFile(certdb, `test_name_constraints/${certName}.pem`,
|
|
trustString);
|
|
}
|
|
|
|
function checkCertNotInNameSpace(cert) {
|
|
checkCertErrorGeneric(certdb, cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
|
|
certificateUsageSSLServer);
|
|
}
|
|
|
|
function checkCertInNameSpace(cert) {
|
|
checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess,
|
|
certificateUsageSSLServer);
|
|
}
|
|
|
|
function run_test() {
|
|
// Test that name constraints from the entire certificate chain are enforced.
|
|
loadCertWithTrust("ca-example-com-permitted", "CTu,,");
|
|
loadCertWithTrust("int-example-org-permitted", ",,");
|
|
checkCertNotInNameSpace(certFromFile("ee-example-com-and-org"));
|
|
checkCertNotInNameSpace(certFromFile("ee-example-com"));
|
|
checkCertNotInNameSpace(certFromFile("ee-example-org"));
|
|
checkCertNotInNameSpace(certFromFile("ee-example-test"));
|
|
|
|
// Test that externally-imposed name constraints are enforced (DCISS tests).
|
|
loadCertWithTrust("dciss", "CTu,,");
|
|
checkCertInNameSpace(certFromFile("NameConstraints.dcissallowed"));
|
|
checkCertNotInNameSpace(certFromFile("NameConstraints.dcissblocked"));
|
|
}
|