Source code
Revision control
Copy as Markdown
Other Tools
Test Info: Warnings
- This test gets skipped with pattern: os == 'win' && msix
- Manifest: security/manager/ssl/tests/unit/xpcshell.toml
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
"use strict";
// Checks that RSA certs with key sizes below 1024 bits are rejected.
// Checks that ECC certs using curves other than the NIST P-256, P-384 or P-521
// curves are rejected.
do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
Ci.nsIX509CertDB
);
/**
* Tests a cert chain.
*
* @param {string} rootKeyType
* The key type of the root certificate, or the name of an elliptic
* curve, as output by the 'openssl ecparam -list_curves' command.
* @param {number} rootKeySize
* @param {string} intKeyType
* @param {number} intKeySize
* @param {string} eeKeyType
* @param {number} eeKeySize
* @param {PRErrorCode} eeExpectedError
* @returns {Promise} a promise that will resolve when the verification has
* completed
*/
function checkChain(
rootKeyType,
rootKeySize,
intKeyType,
intKeySize,
eeKeyType,
eeKeySize,
eeExpectedError
) {
let rootName = "root_" + rootKeyType + "_" + rootKeySize;
let intName = "int_" + intKeyType + "_" + intKeySize;
let eeName = "ee_" + eeKeyType + "_" + eeKeySize;
let intFullName = intName + "-" + rootName;
let eeFullName = eeName + "-" + intName + "-" + rootName;
addCertFromFile(certdb, `test_keysize/${rootName}.pem`, "CTu,CTu,CTu");
addCertFromFile(certdb, `test_keysize/${intFullName}.pem`, ",,");
let eeCert = constructCertFromFile(`test_keysize/${eeFullName}.pem`);
info("cert o=" + eeCert.organization);
info("cert issuer o=" + eeCert.issuerOrganization);
return checkCertErrorGeneric(
certdb,
eeCert,
eeExpectedError,
certificateUsageSSLServer
);
}
/**
* Tests various RSA chains.
*
* @param {number} inadequateKeySize
* @param {number} adequateKeySize
*/
async function checkRSAChains(inadequateKeySize, adequateKeySize) {
// Chain with certs that have adequate sizes for DV
await checkChain(
"rsa",
adequateKeySize,
"rsa",
adequateKeySize,
"rsa",
adequateKeySize,
PRErrorCodeSuccess
);
// Chain with a root cert that has an inadequate size for DV
await checkChain(
"rsa",
inadequateKeySize,
"rsa",
adequateKeySize,
"rsa",
adequateKeySize,
MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
);
// Chain with an intermediate cert that has an inadequate size for DV
await checkChain(
"rsa",
adequateKeySize,
"rsa",
inadequateKeySize,
"rsa",
adequateKeySize,
MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
);
// Chain with an end entity cert that has an inadequate size for DV
await checkChain(
"rsa",
adequateKeySize,
"rsa",
adequateKeySize,
"rsa",
inadequateKeySize,
MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
);
}
async function checkECCChains() {
await checkChain(
"secp256r1",
256,
"secp384r1",
384,
"secp521r1",
521,
PRErrorCodeSuccess
);
await checkChain(
"secp256r1",
256,
"secp224r1",
224,
"secp256r1",
256,
SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
);
await checkChain(
"secp256r1",
256,
"secp256r1",
256,
"secp224r1",
224,
SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
);
await checkChain(
"secp224r1",
224,
"secp256r1",
256,
"secp256r1",
256,
SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
);
await checkChain(
"secp256r1",
256,
"secp256r1",
256,
"secp256k1",
256,
SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
);
await checkChain(
"secp256k1",
256,
"secp256r1",
256,
"secp256r1",
256,
SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
);
}
async function checkCombinationChains() {
await checkChain(
"rsa",
2048,
"secp256r1",
256,
"secp384r1",
384,
PRErrorCodeSuccess
);
await checkChain(
"rsa",
2048,
"secp256r1",
256,
"secp224r1",
224,
SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
);
await checkChain(
"secp256r1",
256,
"rsa",
1016,
"secp256r1",
256,
MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
);
}
add_task(async function () {
await checkRSAChains(1016, 1024);
await checkECCChains();
await checkCombinationChains();
});