--- a/security/manager/ssl/nsIX509CertDB.idl
+++ b/security/manager/ssl/nsIX509CertDB.idl
@@ -295,64 +295,38 @@ interface nsIX509CertDB : nsISupports {
* effectively ignored by gecko, but they still must be specified
* (at least by a final trailing comma) because this argument is
* passed to CERT_DecodeTrustString.
* @return nsIX509Cert the resulting certificate
*/
[must_use]
nsIX509Cert addCert(in ACString certDER, in ACString trust);
- // Flags for verifyCertNow (these must match the values in CertVerifier.cpp):
- // Prevent network traffic. Doesn't work with classic verification.
+ // Flags for asyncVerifyCertAtTime (these must match the values in
+ // CertVerifier.cpp):
+ // Prevent network traffic.
const uint32_t FLAG_LOCAL_ONLY = 1 << 0;
// Do not fall back to DV verification after attempting EV validation.
- // Actually does prevent network traffic, but can cause a valid EV
- // certificate to not be considered valid.
const uint32_t FLAG_MUST_BE_EV = 1 << 1;
- /** Warning: This interface is inteded to use only for testing only as:
- * 1. It can create IO on the main thread.
- * 2. It is in constant change, so in/out can change at any release.
- *
- * Obtain the verification result for a cert given a particular usage.
- * On success, the call returns 0, the chain built during verification,
- * and whether the cert is good for EV usage.
- * On failure, the call returns the PRErrorCode for the verification failure
+ /*
+ * Asynchronously verify a certificate given a set of parameters. Calls the
+ * `verifyCertFinished` function on the provided `nsICertVerificationCallback`
+ * with the results of the verification operation.
+ * See the documentation for nsICertVerificationCallback.
*
- * @param aCert Obtain the stored trust of this certificate
- * @param aUsage a integer representing the usage from NSS
- * @param aFlags flags as described above
- * @param aHostname the (optional) hostname to verify for
- * @param aTime the time at which to verify, in seconds since the epoch
- * @param aVerifiedChain chain of verification up to the root if success
- * @param aHasEVPolicy bool that signified that the cert was an EV cert
- * @return 0 if success or the value or the error code for the verification
- * failure
- */
- [must_use]
- int32_t /*PRErrorCode*/
- verifyCertAtTime(in nsIX509Cert aCert,
- in int64_t /*SECCertificateUsage*/ aUsage,
- in uint32_t aFlags,
- in ACString aHostname,
- in uint64_t aTime,
- out nsIX509CertList aVerifiedChain,
- out bool aHasEVPolicy);
- [must_use]
- int32_t /*PRErrorCode*/
- verifyCertNow(in nsIX509Cert aCert,
- in int64_t /*SECCertificateUsage*/ aUsage,
- in uint32_t aFlags,
- in ACString aHostname,
- out nsIX509CertList aVerifiedChain,
- out bool aHasEVPolicy);
-
- /**
- * Similar to the above, but asynchronous. As a result, use of this API is not
- * limited to tests.
+ * @param aCert the certificate to verify
+ * @param aUsage an integer representing the usage to verify for (see
+ * SECCertificateUsage in certt.h from NSS)
+ * @param aFlags flags as described above
+ * @param aHostname the (optional) hostname to verify for
+ * @param aTime the time at which to verify, in seconds since the epoch
+ * @param aCallback the nsICertVerificationCallback that will receive the
+ results of this verification
+ * @return a succeeding nsresult if the job was dispatched successfully
*/
[must_use]
void asyncVerifyCertAtTime(in nsIX509Cert aCert,
in int64_t /*SECCertificateUsage*/ aUsage,
in uint32_t aFlags,
in ACString aHostname,
in uint64_t aTime,
in nsICertVerificationCallback aCallback);
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@@ -1301,45 +1301,16 @@ VerifyCertAtTime(nsIX509Cert* aCert,
if (result == mozilla::pkix::Success && evOidPolicy != SEC_OID_UNKNOWN) {
*aHasEVPolicy = true;
}
nssCertList.forget(aVerifiedChain);
return NS_OK;
}
-NS_IMETHODIMP
-nsNSSCertificateDB::VerifyCertNow(nsIX509Cert* aCert,
- int64_t /*SECCertificateUsage*/ aUsage,
- uint32_t aFlags,
- const nsACString& aHostname,
- nsIX509CertList** aVerifiedChain,
- bool* aHasEVPolicy,
- int32_t* /*PRErrorCode*/ _retval)
-{
- return ::VerifyCertAtTime(aCert, aUsage, aFlags, aHostname,
- mozilla::pkix::Now(),
- aVerifiedChain, aHasEVPolicy, _retval);
-}
-
-NS_IMETHODIMP
-nsNSSCertificateDB::VerifyCertAtTime(nsIX509Cert* aCert,
- int64_t /*SECCertificateUsage*/ aUsage,
- uint32_t aFlags,
- const nsACString& aHostname,
- uint64_t aTime,
- nsIX509CertList** aVerifiedChain,
- bool* aHasEVPolicy,
- int32_t* /*PRErrorCode*/ _retval)
-{
- return ::VerifyCertAtTime(aCert, aUsage, aFlags, aHostname,
- mozilla::pkix::TimeFromEpochInSeconds(aTime),
- aVerifiedChain, aHasEVPolicy, _retval);
-}
-
class VerifyCertAtTimeTask final : public CryptoTask
{
public:
VerifyCertAtTimeTask(nsIX509Cert* aCert, int64_t aUsage, uint32_t aFlags,
const nsACString& aHostname, uint64_t aTime,
nsICertVerificationCallback* aCallback)
: mCert(aCert)
, mUsage(aUsage)
@@ -1356,19 +1327,20 @@ public:
private:
virtual nsresult CalculateResult() override
{
nsCOMPtr<nsIX509CertDB> certDB = do_GetService(NS_X509CERTDB_CONTRACTID);
if (!certDB) {
return NS_ERROR_FAILURE;
}
- return certDB->VerifyCertAtTime(mCert, mUsage, mFlags, mHostname, mTime,
- getter_AddRefs(mVerifiedCertList),
- &mHasEVPolicy, &mPRErrorCode);
+ return VerifyCertAtTime(mCert, mUsage, mFlags, mHostname,
+ mozilla::pkix::TimeFromEpochInSeconds(mTime),
+ getter_AddRefs(mVerifiedCertList),
+ &mHasEVPolicy, &mPRErrorCode);
}
virtual void CallCallback(nsresult rv) override
{
if (NS_FAILED(rv)) {
Unused << mCallback->VerifyCertFinished(SEC_ERROR_LIBRARY_FAILURE,
nullptr, false);
} else {
--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -171,49 +171,63 @@ function setCertTrust(cert, trustString)
}
function getXPCOMStatusFromNSS(statusNSS) {
let nssErrorsService = Cc["@mozilla.org/nss_errors_service;1"]
.getService(Ci.nsINSSErrorsService);
return nssErrorsService.getXPCOMFromNSSError(statusNSS);
}
+// Helper for checkCertErrorGenericAtTime
+class CertVerificationExpectedErrorResult {
+ constructor(certName, expectedError, expectedEVStatus, resolve) {
+ this.certName = certName;
+ this.expectedError = expectedError;
+ this.expectedEVStatus = expectedEVStatus;
+ this.resolve = resolve;
+ }
+
+ verifyCertFinished(aPRErrorCode, aVerifiedChain, aHasEVPolicy) {
+ equal(aPRErrorCode, this.expectedError,
+ `verifying ${this.certName}: should get error ${this.expectedError}`);
+ if (this.expectedEVStatus != undefined) {
+ equal(aHasEVPolicy, this.expectedEVStatus,
+ `verifying ${this.certName}: ` +
+ `should ${this.expectedEVStatus ? "be" : "not be"} EV`);
+ }
+ this.resolve();
+ }
+}
+
// certdb implements nsIX509CertDB. See nsIX509CertDB.idl for documentation.
// In particular, hostname is optional.
function checkCertErrorGenericAtTime(certdb, cert, expectedError, usage, time,
- /* optional */ hasEVPolicy,
+ /* optional */ isEVExpected,
/* optional */ hostname) {
- info(`cert cn=${cert.commonName}`);
- info(`cert issuer cn=${cert.issuerCommonName}`);
- let verifiedChain = {};
- let error = certdb.verifyCertAtTime(cert, usage, NO_FLAGS, hostname, time,
- verifiedChain, hasEVPolicy || {});
- Assert.equal(error, expectedError,
- "Actual and expected error should match");
+ return new Promise((resolve, reject) => {
+ let result = new CertVerificationExpectedErrorResult(
+ cert.commonName, expectedError, isEVExpected, resolve);
+ certdb.asyncVerifyCertAtTime(cert, usage, NO_FLAGS, hostname, time,
+ result);
+ });
}
// certdb implements nsIX509CertDB. See nsIX509CertDB.idl for documentation.
// In particular, hostname is optional.
function checkCertErrorGeneric(certdb, cert, expectedError, usage,
- /* optional */ hasEVPolicy,
- /* optional */ hostname) {
- info(`cert cn=${cert.commonName}`);
- info(`cert issuer cn=${cert.issuerCommonName}`);
- let verifiedChain = {};
- let error = certdb.verifyCertNow(cert, usage, NO_FLAGS, hostname,
- verifiedChain, hasEVPolicy || {});
- Assert.equal(error, expectedError,
- "Actual and expected error should match");
+ /* optional */ isEVExpected,
+ /* optional */ hostname) {
+ let now = (new Date()).getTime() / 1000;
+ return checkCertErrorGenericAtTime(certdb, cert, expectedError, usage, now,
+ isEVExpected, hostname);
}
function checkEVStatus(certDB, cert, usage, isEVExpected) {
- let hasEVPolicy = {};
- checkCertErrorGeneric(certDB, cert, PRErrorCodeSuccess, usage, hasEVPolicy);
- Assert.equal(hasEVPolicy.value, isEVExpected,
- "Actual and expected EV status should match");
+ return checkCertErrorGeneric(certDB, cert, PRErrorCodeSuccess, usage,
+ isEVExpected);
}
function _getLibraryFunctionWithNoArguments(functionName, libraryName,
returnType) {
// Open the NSS library. copied from services/crypto/modules/WeaveCrypto.js
let path = ctypes.libraryName(libraryName);
// XXX really want to be able to pass specific dlopen flags here.
@@ -668,16 +682,25 @@ function startOCSPResponder(serverPort,
Assert.equal(expectedResponseTypes.length, 0,
"Should have 0 remaining expected response types");
}
httpServer.stop(callback);
}
};
}
+// Given an OCSP responder (see startOCSPResponder), returns a promise that
+// resolves when the responder has successfully stopped.
+function stopOCSPResponder(responder) {
+ return new Promise((resolve, reject) => {
+ responder.stop(resolve);
+ });
+}
+
+
// A prototype for a fake, error-free sslstatus
var FakeSSLStatus = function(certificate) {
this.serverCert = certificate;
};
FakeSSLStatus.prototype = {
serverCert: null,
cipherName: null,
--- a/security/manager/ssl/tests/unit/test_add_preexisting_cert.js
+++ b/security/manager/ssl/tests/unit/test_add_preexisting_cert.js
@@ -20,25 +20,25 @@ function load_cert(cert, trust) {
function getDERString(cert) {
let derString = "";
for (let rawByte of cert.getRawDER({})) {
derString += String.fromCharCode(rawByte);
}
return derString;
}
-function run_test() {
+add_task(async function() {
load_cert("ca", "CTu,CTu,CTu");
let int_cert = load_cert("int-limited-depth", "CTu,CTu,CTu");
let file = "test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem";
let cert_pem = readFile(do_get_file(file));
let ee = certDB.constructX509FromBase64(pemToBase64(cert_pem));
- checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
- certificateUsageSSLServer);
+ await checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
+ certificateUsageSSLServer);
// Change the already existing intermediate certificate's trust using
// addCertFromBase64().
notEqual(int_cert, null, "Intermediate cert should be in the cert DB");
let base64_cert = btoa(getDERString(int_cert));
let returnedEE = certDB.addCertFromBase64(base64_cert, "p,p,p");
notEqual(returnedEE, null, "addCertFromBase64 should return a certificate");
- checkCertErrorGeneric(certDB, ee, SEC_ERROR_UNTRUSTED_ISSUER,
- certificateUsageSSLServer);
-}
+ await checkCertErrorGeneric(certDB, ee, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLServer);
+});
--- a/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js
@@ -26,22 +26,22 @@ function certFromFile(certName) {
function loadCertWithTrust(certName, trustString) {
addCertFromFile(gCertDB, `test_baseline_requirements/${certName}.pem`,
trustString);
}
function checkCertOn25August2016(cert, expectedResult) {
// (new Date("2016-08-25T00:00:00Z")).getTime() / 1000
const VALIDATION_TIME = 1472083200;
- checkCertErrorGenericAtTime(gCertDB, cert, expectedResult,
- certificateUsageSSLServer, VALIDATION_TIME, {},
- "example.com");
+ return checkCertErrorGenericAtTime(gCertDB, cert, expectedResult,
+ certificateUsageSSLServer, VALIDATION_TIME,
+ false, "example.com");
}
-function run_test() {
+add_task(async function() {
registerCleanupFunction(() => {
Services.prefs.clearUserPref("security.pki.name_matching_mode");
Services.prefs.clearUserPref("security.test.built_in_root_hash");
Services.prefs.clearUserPref("privacy.reduceTimerPrecision");
});
Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false);
@@ -50,142 +50,142 @@ function run_test() {
// When verifying a certificate, if the trust anchor is not a built-in root,
// name matching will fall back to using the subject common name if necessary
// (i.e. if there is no subject alternative name extension or it does not
// contain any dNSName or iPAddress entries). Thus, since imported roots are
// not in general treated as built-ins, these should all successfully verify
// regardless of the value of the pref.
Services.prefs.setIntPref("security.pki.name_matching_mode", 0);
info("current mode: always fall back, root not built-in");
- checkCertOn25August2016(certFromFile("no-san-recent"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("no-san-old"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("no-san-older"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
- PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("no-san-recent"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("no-san-old"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("no-san-older"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
+ PRErrorCodeSuccess);
Services.prefs.setIntPref("security.pki.name_matching_mode", 1);
info("current mode: fall back for notBefore < August 23, 2016, root " +
"not built-in");
- checkCertOn25August2016(certFromFile("no-san-recent"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("no-san-old"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("no-san-older"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
- PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("no-san-recent"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("no-san-old"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("no-san-older"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
+ PRErrorCodeSuccess);
Services.prefs.setIntPref("security.pki.name_matching_mode", 2);
info("current mode: fall back for notBefore < August 23, 2015, root " +
"not built-in");
- checkCertOn25August2016(certFromFile("no-san-recent"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("no-san-old"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("no-san-older"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
- PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("no-san-recent"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("no-san-old"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("no-san-older"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
+ PRErrorCodeSuccess);
Services.prefs.setIntPref("security.pki.name_matching_mode", 3);
info("current mode: never fall back, root not built-in");
- checkCertOn25August2016(certFromFile("no-san-recent"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("no-san-old"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("no-san-older"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
- PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("no-san-recent"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("no-san-old"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("no-san-older"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
+ PRErrorCodeSuccess);
// In debug builds, we can treat an imported root as a built-in, and thus we
// can actually test the different values of the pref.
if (isDebugBuild) {
let root = certFromFile("ca");
Services.prefs.setCharPref("security.test.built_in_root_hash",
root.sha256Fingerprint);
// Always fall back if necessary.
Services.prefs.setIntPref("security.pki.name_matching_mode", 0);
info("current mode: always fall back, root built-in");
- checkCertOn25August2016(certFromFile("no-san-recent"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("no-san-old"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("no-san-older"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
- PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("no-san-recent"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("no-san-old"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("no-san-older"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
+ PRErrorCodeSuccess);
// Only fall back if notBefore < 23 August 2016
Services.prefs.setIntPref("security.pki.name_matching_mode", 1);
info("current mode: fall back for notBefore < August 23, 2016, root " +
"built-in");
- checkCertOn25August2016(certFromFile("no-san-recent"),
- SSL_ERROR_BAD_CERT_DOMAIN);
- checkCertOn25August2016(certFromFile("no-san-old"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("no-san-older"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
- SSL_ERROR_BAD_CERT_DOMAIN);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
- PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("no-san-recent"),
+ SSL_ERROR_BAD_CERT_DOMAIN);
+ await checkCertOn25August2016(certFromFile("no-san-old"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("no-san-older"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
+ SSL_ERROR_BAD_CERT_DOMAIN);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
+ PRErrorCodeSuccess);
// Only fall back if notBefore < 23 August 2015
Services.prefs.setIntPref("security.pki.name_matching_mode", 2);
info("current mode: fall back for notBefore < August 23, 2015, root " +
"built-in");
- checkCertOn25August2016(certFromFile("no-san-recent"),
- SSL_ERROR_BAD_CERT_DOMAIN);
- checkCertOn25August2016(certFromFile("no-san-old"),
- SSL_ERROR_BAD_CERT_DOMAIN);
- checkCertOn25August2016(certFromFile("no-san-older"),
- PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
- SSL_ERROR_BAD_CERT_DOMAIN);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
- SSL_ERROR_BAD_CERT_DOMAIN);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
- PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("no-san-recent"),
+ SSL_ERROR_BAD_CERT_DOMAIN);
+ await checkCertOn25August2016(certFromFile("no-san-old"),
+ SSL_ERROR_BAD_CERT_DOMAIN);
+ await checkCertOn25August2016(certFromFile("no-san-older"),
+ PRErrorCodeSuccess);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
+ SSL_ERROR_BAD_CERT_DOMAIN);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
+ SSL_ERROR_BAD_CERT_DOMAIN);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
+ PRErrorCodeSuccess);
// Never fall back.
Services.prefs.setIntPref("security.pki.name_matching_mode", 3);
info("current mode: never fall back, root built-in");
- checkCertOn25August2016(certFromFile("no-san-recent"),
- SSL_ERROR_BAD_CERT_DOMAIN);
- checkCertOn25August2016(certFromFile("no-san-old"),
- SSL_ERROR_BAD_CERT_DOMAIN);
- checkCertOn25August2016(certFromFile("no-san-older"),
- SSL_ERROR_BAD_CERT_DOMAIN);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
- SSL_ERROR_BAD_CERT_DOMAIN);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
- SSL_ERROR_BAD_CERT_DOMAIN);
- checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
- SSL_ERROR_BAD_CERT_DOMAIN);
+ await checkCertOn25August2016(certFromFile("no-san-recent"),
+ SSL_ERROR_BAD_CERT_DOMAIN);
+ await checkCertOn25August2016(certFromFile("no-san-old"),
+ SSL_ERROR_BAD_CERT_DOMAIN);
+ await checkCertOn25August2016(certFromFile("no-san-older"),
+ SSL_ERROR_BAD_CERT_DOMAIN);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-recent"),
+ SSL_ERROR_BAD_CERT_DOMAIN);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-old"),
+ SSL_ERROR_BAD_CERT_DOMAIN);
+ await checkCertOn25August2016(certFromFile("san-contains-no-hostnames-older"),
+ SSL_ERROR_BAD_CERT_DOMAIN);
}
-}
+});
--- a/security/manager/ssl/tests/unit/test_cert_blocklist.js
+++ b/security/manager/ssl/tests/unit/test_cert_blocklist.js
@@ -161,28 +161,29 @@ var addonManager = Cc["@mozilla.org/addo
addonManager.observe(null, "addons-startup", null);
var converter = Cc["@mozilla.org/intl/scriptableunicodeconverter"]
.createInstance(Ci.nsIScriptableUnicodeConverter);
converter.charset = "UTF-8";
function verify_cert(file, expectedError) {
let ee = constructCertFromFile(file);
- checkCertErrorGeneric(certDB, ee, expectedError, certificateUsageSSLServer);
+ return checkCertErrorGeneric(certDB, ee, expectedError,
+ certificateUsageSSLServer);
}
// The certificate blocklist currently only applies to TLS server certificates.
-function verify_non_tls_usage_succeeds(file) {
+async function verify_non_tls_usage_succeeds(file) {
let ee = constructCertFromFile(file);
- checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
- certificateUsageSSLClient);
- checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
- certificateUsageEmailSigner);
- checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
- certificateUsageEmailRecipient);
+ await checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
+ certificateUsageSSLClient);
+ await checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
+ certificateUsageEmailSigner);
+ await checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
+ certificateUsageEmailRecipient);
}
function load_cert(cert, trust) {
let file = "bad_certs/" + cert + ".pem";
addCertFromFile(certDB, file, trust);
}
function test_is_revoked(certList, issuerString, serialString, subjectString,
@@ -304,17 +305,17 @@ function run_test() {
{ " Rym6o+VN9xgZXT/QLrvN/nv1ZN4=": true},
"MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=":
{ " a0X7/7DlTaedpgrIJg25iBPOkIM=": true},
"YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy":
{ " YW5vdGhlciBzZXJpYWwu": true,
" c2VyaWFsMi4=": true }
};
- add_test(function () {
+ add_task(async function() {
// check some existing items in revocations.txt are blocked. Since the
// CertBlocklistItems don't know about the data they contain, we can use
// arbitrary data (not necessarily DER) to test if items are revoked or not.
// This test corresponds to:
// issuer: c29tZSBpbWFnaW5hcnkgaXNzdWVy
// serial: c2VyaWFsLg==
ok(test_is_revoked(certList, "some imaginary issuer", "serial."),
"issuer / serial pair should be blocked");
@@ -331,35 +332,33 @@ function run_test() {
// (we test this issuer twice to ensure we can read multiple serials)
ok(test_is_revoked(certList, "another imaginary issuer", "serial2."),
"issuer / serial pair should be blocked");
// Soon we'll load a blocklist which revokes test-int.pem, which issued
// test-int-ee.pem.
// Check the cert validates before we load the blocklist
let file = "test_onecrl/test-int-ee.pem";
- verify_cert(file, PRErrorCodeSuccess);
+ await verify_cert(file, PRErrorCodeSuccess);
// The blocklist also revokes other-test-ca.pem, which issued
// other-ca-ee.pem. Check the cert validates before we load the blocklist
file = "bad_certs/other-issuer-ee.pem";
- verify_cert(file, PRErrorCodeSuccess);
+ await verify_cert(file, PRErrorCodeSuccess);
// The blocklist will revoke same-issuer-ee.pem via subject / pubKeyHash.
// Check the cert validates before we load the blocklist
file = "test_onecrl/same-issuer-ee.pem";
- verify_cert(file, PRErrorCodeSuccess);
-
- run_next_test();
+ await verify_cert(file, PRErrorCodeSuccess);
});
// blocklist load is async so we must use add_test from here
add_task(fetch_blocklist);
- add_test(function() {
+ add_task(async function() {
// The blocklist will be loaded now. Let's check the data is sane.
// In particular, we should still have the revoked issuer / serial pair
// that was in both revocations.txt and the blocklist.
ok(test_is_revoked(certList, "another imaginary issuer", "serial2."),
"issuer / serial pair should be blocked");
// Check that both serials in the certItem with multiple serials were read
// properly
@@ -374,48 +373,46 @@ function run_test() {
"issuer / serial pair should be blocked");
// Check the blocklist entry has been persisted properly to the backing
// file
check_revocations_txt_contents(expected);
// Check the blocklisted intermediate now causes a failure
let file = "test_onecrl/test-int-ee.pem";
- verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
- verify_non_tls_usage_succeeds(file);
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+ await verify_non_tls_usage_succeeds(file);
// Check the ee with the blocklisted root also causes a failure
file = "bad_certs/other-issuer-ee.pem";
- verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
- verify_non_tls_usage_succeeds(file);
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+ await verify_non_tls_usage_succeeds(file);
// Check the ee blocked by subject / pubKey causes a failure
file = "test_onecrl/same-issuer-ee.pem";
- verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
- verify_non_tls_usage_succeeds(file);
+ await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+ await verify_non_tls_usage_succeeds(file);
// Check a non-blocklisted chain still validates OK
file = "bad_certs/default-ee.pem";
- verify_cert(file, PRErrorCodeSuccess);
+ await verify_cert(file, PRErrorCodeSuccess);
// Check a bad cert is still bad (unknown issuer)
file = "bad_certs/unknownissuer.pem";
- verify_cert(file, SEC_ERROR_UNKNOWN_ISSUER);
+ await verify_cert(file, SEC_ERROR_UNKNOWN_ISSUER);
// check that save with no further update is a no-op
let lastModified = gRevocations.lastModifiedTime;
// add an already existing entry
certList.revokeCertByIssuerAndSerial("YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy",
"c2VyaWFsMi4=");
certList.saveEntries();
let newModified = gRevocations.lastModifiedTime;
equal(lastModified, newModified,
"saveEntries with no modifications should not update the backing file");
-
- run_next_test();
});
add_test(function() {
// Check the blocklist entry has not changed
check_revocations_txt_contents(expected);
run_next_test();
});
--- a/security/manager/ssl/tests/unit/test_cert_eku.js
+++ b/security/manager/ssl/tests/unit/test_cert_eku.js
@@ -18,120 +18,122 @@ function certFromFile(certName) {
return constructCertFromFile(`test_cert_eku/${certName}.pem`);
}
function loadCertWithTrust(certName, trustString) {
addCertFromFile(certdb, `test_cert_eku/${certName}.pem`, trustString);
}
function checkEndEntity(cert, expectedResult) {
- checkCertErrorGeneric(certdb, cert, expectedResult, certificateUsageSSLServer);
+ return checkCertErrorGeneric(certdb, cert, expectedResult,
+ certificateUsageSSLServer);
}
function checkCertOn25August2016(cert, expectedResult) {
// (new Date("2016-08-25T00:00:00Z")).getTime() / 1000
const VALIDATION_TIME = 1472083200;
- checkCertErrorGenericAtTime(certdb, cert, expectedResult,
- certificateUsageSSLServer, VALIDATION_TIME);
+ return checkCertErrorGenericAtTime(certdb, cert, expectedResult,
+ certificateUsageSSLServer,
+ VALIDATION_TIME);
}
-function run_test() {
+add_task(async function() {
registerCleanupFunction(() => {
Services.prefs.clearUserPref("privacy.reduceTimerPrecision");
});
Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false);
loadCertWithTrust("ca", "CTu,,");
// end-entity has id-kp-serverAuth => success
- checkEndEntity(certFromFile("ee-SA"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-SA"), PRErrorCodeSuccess);
// end-entity has id-kp-serverAuth => success
- checkEndEntity(certFromFile("ee-SA-CA"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-SA-CA"), PRErrorCodeSuccess);
// end-entity has extended key usage, but id-kp-serverAuth is not present =>
// failure
- checkEndEntity(certFromFile("ee-CA"), SEC_ERROR_INADEQUATE_CERT_TYPE);
+ await checkEndEntity(certFromFile("ee-CA"), SEC_ERROR_INADEQUATE_CERT_TYPE);
// end-entity has id-kp-serverAuth => success
- checkEndEntity(certFromFile("ee-SA-nsSGC"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-SA-nsSGC"), PRErrorCodeSuccess);
// end-entity has extended key usage, but id-kp-serverAuth is not present =>
// failure (in particular, Netscape Server Gated Crypto (also known as
// Netscape Step Up) is not an acceptable substitute for end-entity
// certificates).
// Verify this for all Netscape Step Up policy configurations.
// 0 = "always accept nsSGC in place of serverAuth for CA certificates"
Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0);
- checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE);
+ await checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE);
// 1 = "accept nsSGC before 23 August 2016"
Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1);
- checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE);
+ await checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE);
// 2 = "accept nsSGC before 23 August 2015"
Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2);
- checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE);
+ await checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE);
// 3 = "never accept nsSGC"
Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3);
- checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE);
+ await checkEndEntity(certFromFile("ee-nsSGC"), SEC_ERROR_INADEQUATE_CERT_TYPE);
// end-entity has id-kp-OCSPSigning, which is not acceptable for end-entity
// certificates being verified as TLS server certificates => failure
- checkEndEntity(certFromFile("ee-SA-OCSP"), SEC_ERROR_INADEQUATE_CERT_TYPE);
+ await checkEndEntity(certFromFile("ee-SA-OCSP"), SEC_ERROR_INADEQUATE_CERT_TYPE);
// intermediate has id-kp-serverAuth => success
loadCertWithTrust("int-SA", ",,");
- checkEndEntity(certFromFile("ee-int-SA"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-int-SA"), PRErrorCodeSuccess);
// intermediate has id-kp-serverAuth => success
loadCertWithTrust("int-SA-CA", ",,");
- checkEndEntity(certFromFile("ee-int-SA-CA"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-int-SA-CA"), PRErrorCodeSuccess);
// intermediate has extended key usage, but id-kp-serverAuth is not present
// => failure
loadCertWithTrust("int-CA", ",,");
- checkEndEntity(certFromFile("ee-int-CA"), SEC_ERROR_INADEQUATE_CERT_TYPE);
+ await checkEndEntity(certFromFile("ee-int-CA"), SEC_ERROR_INADEQUATE_CERT_TYPE);
// intermediate has id-kp-serverAuth => success
loadCertWithTrust("int-SA-nsSGC", ",,");
- checkEndEntity(certFromFile("ee-int-SA-nsSGC"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-int-SA-nsSGC"), PRErrorCodeSuccess);
// Intermediate has Netscape Server Gated Crypto. Success will depend on the
// Netscape Step Up policy configuration and the notBefore property of the
// intermediate.
loadCertWithTrust("int-nsSGC-recent", ",,");
loadCertWithTrust("int-nsSGC-old", ",,");
loadCertWithTrust("int-nsSGC-older", ",,");
// 0 = "always accept nsSGC in place of serverAuth for CA certificates"
Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 0);
info("Netscape Step Up policy: always accept");
- checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"),
+ await checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"),
PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"),
+ await checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"),
PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"),
+ await checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"),
PRErrorCodeSuccess);
// 1 = "accept nsSGC before 23 August 2016"
info("Netscape Step Up policy: accept before 23 August 2016");
Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 1);
- checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"),
+ await checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"),
SEC_ERROR_INADEQUATE_CERT_TYPE);
- checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"),
+ await checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"),
PRErrorCodeSuccess);
- checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"),
+ await checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"),
PRErrorCodeSuccess);
// 2 = "accept nsSGC before 23 August 2015"
info("Netscape Step Up policy: accept before 23 August 2015");
Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 2);
- checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"),
+ await checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"),
SEC_ERROR_INADEQUATE_CERT_TYPE);
- checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"),
+ await checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"),
SEC_ERROR_INADEQUATE_CERT_TYPE);
- checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"),
+ await checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"),
PRErrorCodeSuccess);
// 3 = "never accept nsSGC"
info("Netscape Step Up policy: never accept");
Services.prefs.setIntPref("security.pki.netscape_step_up_policy", 3);
- checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"),
+ await checkCertOn25August2016(certFromFile("ee-int-nsSGC-recent"),
SEC_ERROR_INADEQUATE_CERT_TYPE);
- checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"),
+ await checkCertOn25August2016(certFromFile("ee-int-nsSGC-old"),
SEC_ERROR_INADEQUATE_CERT_TYPE);
- checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"),
+ await checkCertOn25August2016(certFromFile("ee-int-nsSGC-older"),
SEC_ERROR_INADEQUATE_CERT_TYPE);
// intermediate has id-kp-OCSPSigning, which is acceptable for CA
// certificates => success
loadCertWithTrust("int-SA-OCSP", ",,");
- checkEndEntity(certFromFile("ee-int-SA-OCSP"), PRErrorCodeSuccess);
-}
+ await checkEndEntity(certFromFile("ee-int-SA-OCSP"), PRErrorCodeSuccess);
+});
--- a/security/manager/ssl/tests/unit/test_cert_embedded_null.js
+++ b/security/manager/ssl/tests/unit/test_cert_embedded_null.js
@@ -9,30 +9,32 @@
// Includes a similar test case but for the subject alternative name extension.
"use strict";
do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
.getService(Ci.nsIX509CertDB);
-function do_testcase(certname, checkCommonName) {
+async function do_testcase(certname, checkCommonName) {
let cert = constructCertFromFile(`test_cert_embedded_null/${certname}.pem`);
// Where applicable, check that the testcase is meaningful (i.e. that the
// certificate's subject common name has an embedded NUL in it).
if (checkCommonName) {
equal(cert.commonName, "www.bank1.com\\00www.bad-guy.com",
"certificate subject common name should have an embedded NUL byte");
}
- checkCertErrorGeneric(certdb, cert, SSL_ERROR_BAD_CERT_DOMAIN,
- certificateUsageSSLServer, {}, "www.bank1.com");
- checkCertErrorGeneric(certdb, cert, SSL_ERROR_BAD_CERT_DOMAIN,
- certificateUsageSSLServer, {}, "www.bad-guy.com");
+ await checkCertErrorGeneric(certdb, cert, SSL_ERROR_BAD_CERT_DOMAIN,
+ certificateUsageSSLServer, undefined,
+ "www.bank1.com");
+ await checkCertErrorGeneric(certdb, cert, SSL_ERROR_BAD_CERT_DOMAIN,
+ certificateUsageSSLServer, undefined,
+ "www.bad-guy.com");
}
-function run_test() {
+add_task(async function() {
addCertFromFile(certdb, "test_cert_embedded_null/ca.pem", "CTu,,");
- do_testcase("embeddedNull", true);
- do_testcase("embeddedNullSAN", false);
- do_testcase("embeddedNullCNAndSAN", true);
- do_testcase("embeddedNullSAN2", false);
-}
+ await do_testcase("embeddedNull", true);
+ await do_testcase("embeddedNullSAN", false);
+ await do_testcase("embeddedNullCNAndSAN", true);
+ await do_testcase("embeddedNullSAN2", false);
+});
--- a/security/manager/ssl/tests/unit/test_cert_sha1.js
+++ b/security/manager/ssl/tests/unit/test_cert_sha1.js
@@ -22,21 +22,22 @@ function certFromFile(certName) {
return constructCertFromFile("test_cert_sha1/" + certName + ".pem");
}
function loadCertWithTrust(certName, trustString) {
addCertFromFile(certdb, "test_cert_sha1/" + certName + ".pem", trustString);
}
function checkEndEntity(cert, expectedResult) {
- checkCertErrorGenericAtTime(certdb, cert, expectedResult,
- certificateUsageSSLServer, VALIDATION_TIME);
+ return checkCertErrorGenericAtTime(certdb, cert, expectedResult,
+ certificateUsageSSLServer,
+ VALIDATION_TIME);
}
-function run_test() {
+add_task(async function() {
loadCertWithTrust("ca", "CTu,,");
loadCertWithTrust("int-pre", ",,");
loadCertWithTrust("int-post", ",,");
// Test cases per pref setting
//
// root intermed. end entity
// ===========================
@@ -82,61 +83,61 @@ function run_test() {
// verifier does not take into account the currently configured SHA-1 policy.
// This is in part due to implementation complexity and because this isn't
// actually how TLS web server certificates are verified in the TLS handshake
// (which makes a full implementation that supports heeding the SHA-1 policy
// unnecessary).
// SHA-1 allowed
Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 0);
- checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee-post_int-pre"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee-post_int-post"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-post_int-pre"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-post_int-post"), PRErrorCodeSuccess);
// SHA-1 forbidden
Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 1);
- checkEndEntity(certFromFile("ee-pre_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
- checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
- checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+ await checkEndEntity(certFromFile("ee-pre_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+ await checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+ await checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
// SHA-1 forbidden (test the case where the pref has been set to 2)
Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 2);
- checkEndEntity(certFromFile("ee-pre_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
- checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
- checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+ await checkEndEntity(certFromFile("ee-pre_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+ await checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+ await checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
// SHA-1 allowed only when issued by an imported root. First test with the
// test root considered a built-in (on debug only - this functionality is
// disabled on non-debug builds).
Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 3);
if (isDebugBuild) {
let root = certFromFile("ca");
Services.prefs.setCharPref("security.test.built_in_root_hash", root.sha256Fingerprint);
- checkEndEntity(certFromFile("ee-pre_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
- checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
- checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+ await checkEndEntity(certFromFile("ee-pre_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+ await checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+ await checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
Services.prefs.clearUserPref("security.test.built_in_root_hash");
}
// SHA-1 still allowed only when issued by an imported root.
// Now test with the test root considered a non-built-in.
- checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee-post_int-pre"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee-post_int-post"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-post_int-pre"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-post_int-post"), PRErrorCodeSuccess);
// SHA-1 allowed before 2016 or when issued by an imported root. First test
// with the test root considered a built-in.
Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 4);
if (isDebugBuild) {
let root = certFromFile("ca");
Services.prefs.setCharPref("security.test.built_in_root_hash", root.sha256Fingerprint);
- checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
- checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+ await checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-post_int-pre"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+ await checkEndEntity(certFromFile("ee-post_int-post"), SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
Services.prefs.clearUserPref("security.test.built_in_root_hash");
}
// SHA-1 still only allowed before 2016 or when issued by an imported root.
// Now test with the test root considered a non-built-in.
- checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee-post_int-pre"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee-post_int-post"), PRErrorCodeSuccess);
-}
+ await checkEndEntity(certFromFile("ee-pre_int-pre"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-post_int-pre"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-post_int-post"), PRErrorCodeSuccess);
+});
--- a/security/manager/ssl/tests/unit/test_cert_signatures.js
+++ b/security/manager/ssl/tests/unit/test_cert_signatures.js
@@ -39,25 +39,25 @@ function readAndTamperWithNthByte(certif
const BYTE_IN_SIGNATURE = -8;
function addSignatureTamperedCertificate(certificatePath) {
let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SIGNATURE);
certdb.addCertFromBase64(base64, ",,");
}
function ensureSignatureVerificationFailure(certificatePath) {
let cert = constructCertFromFile(certificatePath);
- checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE,
- certificateUsageSSLServer);
+ return checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE,
+ certificateUsageSSLServer);
}
function tamperWithSignatureAndEnsureVerificationFailure(certificatePath) {
let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SIGNATURE);
let cert = certdb.constructX509FromBase64(base64);
- checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE,
- certificateUsageSSLServer);
+ return checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE,
+ certificateUsageSSLServer);
}
// The beginning of a certificate looks like this (in hex, using DER):
// 30 XX XX XX [the XX encode length - there are probably 3 bytes here]
// 30 XX XX XX [length again]
// A0 03
// 02 01
// 02
@@ -76,46 +76,46 @@ function addSerialNumberTamperedCertific
BYTE_IN_SERIAL_NUMBER);
certdb.addCertFromBase64(base64, ",,");
}
function tamperWithSerialNumberAndEnsureVerificationFailure(certificatePath) {
let base64 = readAndTamperWithNthByte(certificatePath,
BYTE_IN_SERIAL_NUMBER);
let cert = certdb.constructX509FromBase64(base64);
- checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE,
- certificateUsageSSLServer);
+ return checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE,
+ certificateUsageSSLServer);
}
-function run_test() {
+add_task(async function() {
addCertFromFile(certdb, "test_cert_signatures/ca-rsa.pem", "CTu,,");
addCertFromFile(certdb, "test_cert_signatures/ca-secp384r1.pem", "CTu,,");
// Tamper with the signatures on intermediate certificates and ensure that
// end-entity certificates issued by those intermediates do not validate
// successfully.
addSignatureTamperedCertificate("test_cert_signatures/int-rsa.pem");
addSignatureTamperedCertificate("test_cert_signatures/int-secp384r1.pem");
- ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem");
- ensureSignatureVerificationFailure("test_cert_signatures/ee-secp384r1.pem");
+ await ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem");
+ await ensureSignatureVerificationFailure("test_cert_signatures/ee-secp384r1.pem");
// Tamper with the signatures on end-entity certificates and ensure that they
// do not validate successfully.
- tamperWithSignatureAndEnsureVerificationFailure(
+ await tamperWithSignatureAndEnsureVerificationFailure(
"test_cert_signatures/ee-rsa-direct.pem");
- tamperWithSignatureAndEnsureVerificationFailure(
+ await tamperWithSignatureAndEnsureVerificationFailure(
"test_cert_signatures/ee-secp384r1-direct.pem");
// Tamper with the serial numbers of intermediate certificates and ensure
// that end-entity certificates issued by those intermediates do not validate
// successfully.
addSerialNumberTamperedCertificate("test_cert_signatures/int-rsa.pem");
addSerialNumberTamperedCertificate("test_cert_signatures/int-secp384r1.pem");
- ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem");
- ensureSignatureVerificationFailure("test_cert_signatures/ee-secp384r1.pem");
+ await ensureSignatureVerificationFailure("test_cert_signatures/ee-rsa.pem");
+ await ensureSignatureVerificationFailure("test_cert_signatures/ee-secp384r1.pem");
// Tamper with the serial numbers of end-entity certificates and ensure that
// they do not validate successfully.
- tamperWithSerialNumberAndEnsureVerificationFailure(
+ await tamperWithSerialNumberAndEnsureVerificationFailure(
"test_cert_signatures/ee-rsa-direct.pem");
- tamperWithSerialNumberAndEnsureVerificationFailure(
+ await tamperWithSerialNumberAndEnsureVerificationFailure(
"test_cert_signatures/ee-secp384r1-direct.pem");
-}
+});
--- a/security/manager/ssl/tests/unit/test_cert_trust.js
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@@ -18,129 +18,129 @@ function load_cert(cert_name, trust_stri
function setup_basic_trusts(ca_cert, int_cert) {
certdb.setCertTrust(ca_cert, Ci.nsIX509Cert.CA_CERT,
Ci.nsIX509CertDB.TRUSTED_SSL |
Ci.nsIX509CertDB.TRUSTED_EMAIL);
certdb.setCertTrust(int_cert, Ci.nsIX509Cert.CA_CERT, 0);
}
-function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
+async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
// On reset most usages are successful
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageSSLServer);
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageSSLClient);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
- certificateUsageSSLCA);
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageEmailSigner);
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageEmailRecipient);
+ await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageSSLServer);
+ await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageSSLClient);
+ await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA);
+ await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageEmailSigner);
+ await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageEmailRecipient);
// Test of active distrust. No usage should pass.
setCertTrust(cert_to_modify_trust, "p,p,p");
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
- certificateUsageSSLServer);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
- certificateUsageSSLClient);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
- certificateUsageSSLCA);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
- certificateUsageEmailSigner);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
- certificateUsageEmailRecipient);
+ await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLServer);
+ await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLClient);
+ await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA);
+ await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailSigner);
+ await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailRecipient);
// Trust set to T - trusted CA to issue client certs, where client cert is
// usageSSLClient.
setCertTrust(cert_to_modify_trust, "T,T,T");
- checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
- : PRErrorCodeSuccess,
- certificateUsageSSLServer);
+ await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+ : PRErrorCodeSuccess,
+ certificateUsageSSLServer);
// XXX(Bug 982340)
- checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
- : PRErrorCodeSuccess,
- certificateUsageSSLClient);
+ await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+ : PRErrorCodeSuccess,
+ certificateUsageSSLClient);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
- certificateUsageSSLCA);
+ await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA);
- checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
- : PRErrorCodeSuccess,
- certificateUsageEmailSigner);
- checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
- : PRErrorCodeSuccess,
- certificateUsageEmailRecipient);
+ await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+ : PRErrorCodeSuccess,
+ certificateUsageEmailSigner);
+ await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+ : PRErrorCodeSuccess,
+ certificateUsageEmailRecipient);
// Now tests on the SSL trust bit
setCertTrust(cert_to_modify_trust, "p,C,C");
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
- certificateUsageSSLServer);
+ await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLServer);
// XXX(Bug 982340)
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageSSLClient);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
- certificateUsageSSLCA);
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageEmailSigner);
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageEmailRecipient);
+ await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageSSLClient);
+ await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA);
+ await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageEmailSigner);
+ await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageEmailRecipient);
// Inherited trust SSL
setCertTrust(cert_to_modify_trust, ",C,C");
- checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
- : PRErrorCodeSuccess,
- certificateUsageSSLServer);
+ await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+ : PRErrorCodeSuccess,
+ certificateUsageSSLServer);
// XXX(Bug 982340)
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageSSLClient);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
- certificateUsageSSLCA);
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageEmailSigner);
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageEmailRecipient);
+ await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageSSLClient);
+ await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA);
+ await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageEmailSigner);
+ await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageEmailRecipient);
// Now tests on the EMAIL trust bit
setCertTrust(cert_to_modify_trust, "C,p,C");
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageSSLServer);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
- certificateUsageSSLClient);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
- certificateUsageSSLCA);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
- certificateUsageEmailSigner);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
- certificateUsageEmailRecipient);
+ await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageSSLServer);
+ await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageSSLClient);
+ await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA);
+ await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailSigner);
+ await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
+ certificateUsageEmailRecipient);
// inherited EMAIL Trust
setCertTrust(cert_to_modify_trust, "C,,C");
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageSSLServer);
- checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
- : PRErrorCodeSuccess,
- certificateUsageSSLClient);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
- certificateUsageSSLCA);
- checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
- : PRErrorCodeSuccess,
- certificateUsageEmailSigner);
- checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
- : PRErrorCodeSuccess,
- certificateUsageEmailRecipient);
+ await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageSSLServer);
+ await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+ : PRErrorCodeSuccess,
+ certificateUsageSSLClient);
+ await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
+ certificateUsageSSLCA);
+ await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+ : PRErrorCodeSuccess,
+ certificateUsageEmailSigner);
+ await checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
+ : PRErrorCodeSuccess,
+ certificateUsageEmailRecipient);
}
-function run_test() {
+add_task(async function() {
let certList = [
"ca",
"int",
"ee",
];
let loadedCerts = [];
for (let certName of certList) {
loadedCerts.push(load_cert(certName, ",,"));
@@ -149,41 +149,41 @@ function run_test() {
let ca_cert = loadedCerts[0];
notEqual(ca_cert, null, "CA cert should have successfully loaded");
let int_cert = loadedCerts[1];
notEqual(int_cert, null, "Intermediate cert should have successfully loaded");
let ee_cert = loadedCerts[2];
notEqual(ee_cert, null, "EE cert should have successfully loaded");
setup_basic_trusts(ca_cert, int_cert);
- test_ca_distrust(ee_cert, ca_cert, true);
+ await test_ca_distrust(ee_cert, ca_cert, true);
setup_basic_trusts(ca_cert, int_cert);
- test_ca_distrust(ee_cert, int_cert, false);
+ await test_ca_distrust(ee_cert, int_cert, false);
// Reset trust to default ("inherit trust")
setCertTrust(ca_cert, ",,");
setCertTrust(int_cert, ",,");
// If an end-entity certificate is manually trusted, it may not be the root of
// its own verified chain. In general this will cause "unknown issuer" errors
// unless a CA trust anchor can be found.
setCertTrust(ee_cert, "CTu,CTu,CTu");
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
- certificateUsageSSLServer);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
- certificateUsageSSLClient);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
- certificateUsageEmailSigner);
- checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
- certificateUsageEmailRecipient);
+ await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLServer);
+ await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageSSLClient);
+ await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageEmailSigner);
+ await checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
+ certificateUsageEmailRecipient);
// Now make a CA trust anchor available.
setCertTrust(ca_cert, "CTu,CTu,CTu");
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageSSLServer);
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageSSLClient);
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageEmailSigner);
- checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
- certificateUsageEmailRecipient);
-}
+ await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageSSLServer);
+ await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageSSLClient);
+ await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageEmailSigner);
+ await checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
+ certificateUsageEmailRecipient);
+});
--- a/security/manager/ssl/tests/unit/test_cert_version.js
+++ b/security/manager/ssl/tests/unit/test_cert_version.js
@@ -37,154 +37,156 @@ function certFromFile(certName) {
return constructCertFromFile("test_cert_version/" + certName + ".pem");
}
function loadCertWithTrust(certName, trustString) {
addCertFromFile(certdb, "test_cert_version/" + certName + ".pem", trustString);
}
function checkEndEntity(cert, expectedResult) {
- checkCertErrorGeneric(certdb, cert, expectedResult, certificateUsageSSLServer);
+ return checkCertErrorGeneric(certdb, cert, expectedResult,
+ certificateUsageSSLServer);
}
function checkIntermediate(cert, expectedResult) {
- checkCertErrorGeneric(certdb, cert, expectedResult, certificateUsageSSLCA);
+ return checkCertErrorGeneric(certdb, cert, expectedResult,
+ certificateUsageSSLCA);
}
// Test that the code that decodes certificates to display them in the
// certificate manager correctly handles the version field.
function checkCertVersion(cert, expectedVersionString) {
let asn1 = cert.ASN1Structure.QueryInterface(Ci.nsIASN1Sequence);
let tbsCertificate = asn1.ASN1Objects.queryElementAt(0, Ci.nsIASN1Sequence);
let version = tbsCertificate.ASN1Objects.queryElementAt(0, Ci.nsIASN1Object);
equal(version.displayValue, expectedVersionString,
"Actual and expected version strings should match");
}
-function run_test() {
+add_task(async function() {
loadCertWithTrust("ca", "CTu,,");
// Section for CAs lacking the basicConstraints extension entirely:
loadCertWithTrust("int-v1-noBC_ca", ",,");
- checkIntermediate(certFromFile("int-v1-noBC_ca"), MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA);
- checkEndEntity(certFromFile("ee_int-v1-noBC"), MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA);
+ await checkIntermediate(certFromFile("int-v1-noBC_ca"), MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA);
+ await checkEndEntity(certFromFile("ee_int-v1-noBC"), MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA);
// A v1 certificate with no basicConstraints extension may issue certificates
// if it is a trust anchor.
loadCertWithTrust("int-v1-noBC_ca", "CTu,,");
- checkIntermediate(certFromFile("int-v1-noBC_ca"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee_int-v1-noBC"), PRErrorCodeSuccess);
+ await checkIntermediate(certFromFile("int-v1-noBC_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v1-noBC"), PRErrorCodeSuccess);
loadCertWithTrust("int-v2-noBC_ca", ",,");
- checkIntermediate(certFromFile("int-v2-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
- checkEndEntity(certFromFile("ee_int-v2-noBC"), SEC_ERROR_CA_CERT_INVALID);
+ await checkIntermediate(certFromFile("int-v2-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
+ await checkEndEntity(certFromFile("ee_int-v2-noBC"), SEC_ERROR_CA_CERT_INVALID);
loadCertWithTrust("int-v2-noBC_ca", "CTu,,");
- checkIntermediate(certFromFile("int-v2-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
- checkEndEntity(certFromFile("ee_int-v2-noBC"), SEC_ERROR_CA_CERT_INVALID);
+ await checkIntermediate(certFromFile("int-v2-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
+ await checkEndEntity(certFromFile("ee_int-v2-noBC"), SEC_ERROR_CA_CERT_INVALID);
loadCertWithTrust("int-v3-noBC_ca", ",,");
- checkIntermediate(certFromFile("int-v3-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
- checkEndEntity(certFromFile("ee_int-v3-noBC"), SEC_ERROR_CA_CERT_INVALID);
+ await checkIntermediate(certFromFile("int-v3-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
+ await checkEndEntity(certFromFile("ee_int-v3-noBC"), SEC_ERROR_CA_CERT_INVALID);
loadCertWithTrust("int-v3-noBC_ca", "CTu,,");
- checkIntermediate(certFromFile("int-v3-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
- checkEndEntity(certFromFile("ee_int-v3-noBC"), SEC_ERROR_CA_CERT_INVALID);
+ await checkIntermediate(certFromFile("int-v3-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
+ await checkEndEntity(certFromFile("ee_int-v3-noBC"), SEC_ERROR_CA_CERT_INVALID);
loadCertWithTrust("int-v4-noBC_ca", ",,");
- checkIntermediate(certFromFile("int-v4-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
- checkEndEntity(certFromFile("ee_int-v4-noBC"), SEC_ERROR_CA_CERT_INVALID);
+ await checkIntermediate(certFromFile("int-v4-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
+ await checkEndEntity(certFromFile("ee_int-v4-noBC"), SEC_ERROR_CA_CERT_INVALID);
loadCertWithTrust("int-v4-noBC_ca", "CTu,,");
- checkIntermediate(certFromFile("int-v4-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
- checkEndEntity(certFromFile("ee_int-v4-noBC"), SEC_ERROR_CA_CERT_INVALID);
+ await checkIntermediate(certFromFile("int-v4-noBC_ca"), SEC_ERROR_CA_CERT_INVALID);
+ await checkEndEntity(certFromFile("ee_int-v4-noBC"), SEC_ERROR_CA_CERT_INVALID);
// Section for CAs with basicConstraints not specifying cA:
loadCertWithTrust("int-v1-BC-not-cA_ca", ",,");
- checkIntermediate(certFromFile("int-v1-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
- checkEndEntity(certFromFile("ee_int-v1-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
+ await checkIntermediate(certFromFile("int-v1-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
+ await checkEndEntity(certFromFile("ee_int-v1-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
loadCertWithTrust("int-v1-BC-not-cA_ca", "CTu,,");
- checkIntermediate(certFromFile("int-v1-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
- checkEndEntity(certFromFile("ee_int-v1-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
+ await checkIntermediate(certFromFile("int-v1-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
+ await checkEndEntity(certFromFile("ee_int-v1-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
loadCertWithTrust("int-v2-BC-not-cA_ca", ",,");
- checkIntermediate(certFromFile("int-v2-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
- checkEndEntity(certFromFile("ee_int-v2-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
+ await checkIntermediate(certFromFile("int-v2-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
+ await checkEndEntity(certFromFile("ee_int-v2-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
loadCertWithTrust("int-v2-BC-not-cA_ca", "CTu,,");
- checkIntermediate(certFromFile("int-v2-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
- checkEndEntity(certFromFile("ee_int-v2-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
+ await checkIntermediate(certFromFile("int-v2-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
+ await checkEndEntity(certFromFile("ee_int-v2-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
loadCertWithTrust("int-v3-BC-not-cA_ca", ",,");
- checkIntermediate(certFromFile("int-v3-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
- checkEndEntity(certFromFile("ee_int-v3-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
+ await checkIntermediate(certFromFile("int-v3-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
+ await checkEndEntity(certFromFile("ee_int-v3-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
loadCertWithTrust("int-v3-BC-not-cA_ca", "CTu,,");
- checkIntermediate(certFromFile("int-v3-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
- checkEndEntity(certFromFile("ee_int-v3-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
+ await checkIntermediate(certFromFile("int-v3-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
+ await checkEndEntity(certFromFile("ee_int-v3-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
loadCertWithTrust("int-v4-BC-not-cA_ca", ",,");
- checkIntermediate(certFromFile("int-v4-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
- checkEndEntity(certFromFile("ee_int-v4-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
+ await checkIntermediate(certFromFile("int-v4-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
+ await checkEndEntity(certFromFile("ee_int-v4-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
loadCertWithTrust("int-v4-BC-not-cA_ca", "CTu,,");
- checkIntermediate(certFromFile("int-v4-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
- checkEndEntity(certFromFile("ee_int-v4-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
+ await checkIntermediate(certFromFile("int-v4-BC-not-cA_ca"), SEC_ERROR_CA_CERT_INVALID);
+ await checkEndEntity(certFromFile("ee_int-v4-BC-not-cA"), SEC_ERROR_CA_CERT_INVALID);
// Section for CAs with basicConstraints specifying cA:
loadCertWithTrust("int-v1-BC-cA_ca", ",,");
- checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess);
+ await checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess);
loadCertWithTrust("int-v1-BC-cA_ca", "CTu,,");
- checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess);
+ await checkIntermediate(certFromFile("int-v1-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v1-BC-cA"), PRErrorCodeSuccess);
loadCertWithTrust("int-v2-BC-cA_ca", ",,");
- checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess);
+ await checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess);
loadCertWithTrust("int-v2-BC-cA_ca", "CTu,,");
- checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess);
+ await checkIntermediate(certFromFile("int-v2-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v2-BC-cA"), PRErrorCodeSuccess);
loadCertWithTrust("int-v3-BC-cA_ca", ",,");
- checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess);
+ await checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess);
loadCertWithTrust("int-v3-BC-cA_ca", "CTu,,");
- checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess);
+ await checkIntermediate(certFromFile("int-v3-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v3-BC-cA"), PRErrorCodeSuccess);
loadCertWithTrust("int-v4-BC-cA_ca", ",,");
- checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess);
+ await checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess);
loadCertWithTrust("int-v4-BC-cA_ca", "CTu,,");
- checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess);
+ await checkIntermediate(certFromFile("int-v4-BC-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee_int-v4-BC-cA"), PRErrorCodeSuccess);
// Section for end-entity certificates with various basicConstraints:
- checkEndEntity(certFromFile("ee-v1-noBC_ca"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee-v2-noBC_ca"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee-v3-noBC_ca"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee-v4-noBC_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v1-noBC_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v2-noBC_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v3-noBC_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v4-noBC_ca"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee-v1-BC-not-cA_ca"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee-v2-BC-not-cA_ca"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee-v3-BC-not-cA_ca"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee-v4-BC-not-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v1-BC-not-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v2-BC-not-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v3-BC-not-cA_ca"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("ee-v4-BC-not-cA_ca"), PRErrorCodeSuccess);
- checkEndEntity(certFromFile("ee-v1-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
- checkEndEntity(certFromFile("ee-v2-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
- checkEndEntity(certFromFile("ee-v3-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
- checkEndEntity(certFromFile("ee-v4-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
+ await checkEndEntity(certFromFile("ee-v1-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
+ await checkEndEntity(certFromFile("ee-v2-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
+ await checkEndEntity(certFromFile("ee-v3-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
+ await checkEndEntity(certFromFile("ee-v4-BC-cA_ca"), MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
// Section for self-signed certificates:
- checkEndEntity(certFromFile("ss-v1-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
- checkEndEntity(certFromFile("ss-v2-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
- checkEndEntity(certFromFile("ss-v3-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
- checkEndEntity(certFromFile("ss-v4-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v1-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v2-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v3-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v4-noBC"), SEC_ERROR_UNKNOWN_ISSUER);
- checkEndEntity(certFromFile("ss-v1-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
- checkEndEntity(certFromFile("ss-v2-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
- checkEndEntity(certFromFile("ss-v3-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
- checkEndEntity(certFromFile("ss-v4-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v1-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v2-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v3-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v4-BC-not-cA"), SEC_ERROR_UNKNOWN_ISSUER);
- checkEndEntity(certFromFile("ss-v1-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
- checkEndEntity(certFromFile("ss-v2-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
- checkEndEntity(certFromFile("ss-v3-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
- checkEndEntity(certFromFile("ss-v4-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v1-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v2-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v3-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
+ await checkEndEntity(certFromFile("ss-v4-BC-cA"), SEC_ERROR_UNKNOWN_ISSUER);
checkCertVersion(certFromFile("ss-v1-noBC"), "Version 1");
checkCertVersion(certFromFile("int-v2-BC-cA_ca"), "Version 2");
checkCertVersion(certFromFile("ee-v3-BC-not-cA_ca"), "Version 3");
checkCertVersion(certFromFile("int-v4-BC-not-cA_ca"), "Version 4");
-}
+});
--- a/security/manager/ssl/tests/unit/test_keysize.js
+++ b/security/manager/ssl/tests/unit/test_keysize.js
@@ -19,109 +19,109 @@ const certdb = Cc["@mozilla.org/security
* The key type of the root certificate, or the name of an elliptic
* curve, as output by the 'openssl ecparam -list_curves' command.
* @param {Number} rootKeySize
* @param {String} intKeyType
* @param {Number} intKeySize
* @param {String} eeKeyType
* @param {Number} eeKeySize
* @param {PRErrorCode} eeExpectedError
+ * @return {Promise} a promise that will resolve when the verification has
+ * completed
*/
function checkChain(rootKeyType, rootKeySize, intKeyType, intKeySize,
eeKeyType, eeKeySize, eeExpectedError) {
let rootName = "root_" + rootKeyType + "_" + rootKeySize;
let intName = "int_" + intKeyType + "_" + intKeySize;
let eeName = "ee_" + eeKeyType + "_" + eeKeySize;
let intFullName = intName + "-" + rootName;
let eeFullName = eeName + "-" + intName + "-" + rootName;
addCertFromFile(certdb, `test_keysize/${rootName}.pem`, "CTu,CTu,CTu");
addCertFromFile(certdb, `test_keysize/${intFullName}.pem`, ",,");
let eeCert = constructCertFromFile(`test_keysize/${eeFullName}.pem`);
info("cert o=" + eeCert.organization);
info("cert issuer o=" + eeCert.issuerOrganization);
- checkCertErrorGeneric(certdb, eeCert, eeExpectedError,
- certificateUsageSSLServer);
+ return checkCertErrorGeneric(certdb, eeCert, eeExpectedError,
+ certificateUsageSSLServer);
}
/**
* Tests various RSA chains.
*
* @param {Number} inadequateKeySize
* @param {Number} adequateKeySize
*/
-function checkRSAChains(inadequateKeySize, adequateKeySize) {
+async function checkRSAChains(inadequateKeySize, adequateKeySize) {
// Chain with certs that have adequate sizes for DV
- checkChain("rsa", adequateKeySize,
- "rsa", adequateKeySize,
- "rsa", adequateKeySize,
- PRErrorCodeSuccess);
+ await checkChain("rsa", adequateKeySize,
+ "rsa", adequateKeySize,
+ "rsa", adequateKeySize,
+ PRErrorCodeSuccess);
// Chain with a root cert that has an inadequate size for DV
- checkChain("rsa", inadequateKeySize,
- "rsa", adequateKeySize,
- "rsa", adequateKeySize,
- MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
+ await checkChain("rsa", inadequateKeySize,
+ "rsa", adequateKeySize,
+ "rsa", adequateKeySize,
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
// Chain with an intermediate cert that has an inadequate size for DV
- checkChain("rsa", adequateKeySize,
- "rsa", inadequateKeySize,
- "rsa", adequateKeySize,
- MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
+ await checkChain("rsa", adequateKeySize,
+ "rsa", inadequateKeySize,
+ "rsa", adequateKeySize,
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
// Chain with an end entity cert that has an inadequate size for DV
- checkChain("rsa", adequateKeySize,
- "rsa", adequateKeySize,
- "rsa", inadequateKeySize,
- MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
+ await checkChain("rsa", adequateKeySize,
+ "rsa", adequateKeySize,
+ "rsa", inadequateKeySize,
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
}
-function checkECCChains() {
- checkChain("secp256r1", 256,
- "secp384r1", 384,
- "secp521r1", 521,
- PRErrorCodeSuccess);
- checkChain("secp256r1", 256,
- "secp224r1", 224,
- "secp256r1", 256,
- SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
- checkChain("secp256r1", 256,
- "secp256r1", 256,
- "secp224r1", 224,
- SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
- checkChain("secp224r1", 224,
- "secp256r1", 256,
- "secp256r1", 256,
- SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
- checkChain("secp256r1", 256,
- "secp256r1", 256,
- "secp256k1", 256,
- SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
- checkChain("secp256k1", 256,
- "secp256r1", 256,
- "secp256r1", 256,
- SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+async function checkECCChains() {
+ await checkChain("secp256r1", 256,
+ "secp384r1", 384,
+ "secp521r1", 521,
+ PRErrorCodeSuccess);
+ await checkChain("secp256r1", 256,
+ "secp224r1", 224,
+ "secp256r1", 256,
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+ await checkChain("secp256r1", 256,
+ "secp256r1", 256,
+ "secp224r1", 224,
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+ await checkChain("secp224r1", 224,
+ "secp256r1", 256,
+ "secp256r1", 256,
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+ await checkChain("secp256r1", 256,
+ "secp256r1", 256,
+ "secp256k1", 256,
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+ await checkChain("secp256k1", 256,
+ "secp256r1", 256,
+ "secp256r1", 256,
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
}
-function checkCombinationChains() {
- checkChain("rsa", 2048,
- "secp256r1", 256,
- "secp384r1", 384,
- PRErrorCodeSuccess);
- checkChain("rsa", 2048,
- "secp256r1", 256,
- "secp224r1", 224,
- SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
- checkChain("secp256r1", 256,
- "rsa", 1016,
- "secp256r1", 256,
- MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
+async function checkCombinationChains() {
+ await checkChain("rsa", 2048,
+ "secp256r1", 256,
+ "secp384r1", 384,
+ PRErrorCodeSuccess);
+ await checkChain("rsa", 2048,
+ "secp256r1", 256,
+ "secp224r1", 224,
+ SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+ await checkChain("secp256r1", 256,
+ "rsa", 1016,
+ "secp256r1", 256,
+ MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
}
-function run_test() {
- checkRSAChains(1016, 1024);
- checkECCChains();
- checkCombinationChains();
-
- run_next_test();
-}
+add_task(async function() {
+ await checkRSAChains(1016, 1024);
+ await checkECCChains();
+ await checkCombinationChains();
+});
--- a/security/manager/ssl/tests/unit/test_keysize_ev.js
+++ b/security/manager/ssl/tests/unit/test_keysize_ev.js
@@ -20,49 +20,47 @@ function getOCSPResponder(expectedCertNa
function loadCert(certName, trustString) {
let certFilename = "test_keysize_ev/" + certName + ".pem";
addCertFromFile(certDB, certFilename, trustString);
return constructCertFromFile(certFilename);
}
/**
- * Adds a single EV key size test.
+ * Asynchronously runs a single EV key size test.
*
* @param {Array} expectedNamesForOCSP
* An array of nicknames of the certs to be responded to.
* @param {String} rootCertFileName
* The file name of the root cert. Can begin with ".." to reference
* certs in folders other than "test_keysize_ev/".
* @param {Array} intCertFileNames
* An array of file names of any intermediate certificates.
* @param {String} endEntityCertFileName
* The file name of the end entity cert.
* @param {Boolean} expectedResult
* Whether the chain is expected to validate as EV.
*/
-function addKeySizeTestForEV(expectedNamesForOCSP,
- rootCertFileName, intCertFileNames,
- endEntityCertFileName, expectedResult) {
- add_test(function() {
- clearOCSPCache();
- let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
+async function keySizeTestForEV(expectedNamesForOCSP,
+ rootCertFileName, intCertFileNames,
+ endEntityCertFileName, expectedResult) {
+ clearOCSPCache();
+ let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
- loadCert(rootCertFileName, "CTu,CTu,CTu");
- for (let intCertFileName of intCertFileNames) {
- loadCert(intCertFileName, ",,");
- }
- checkEVStatus(
- certDB,
- constructCertFromFile(`test_keysize_ev/${endEntityCertFileName}.pem`),
- certificateUsageSSLServer,
- expectedResult);
+ loadCert(rootCertFileName, "CTu,CTu,CTu");
+ for (let intCertFileName of intCertFileNames) {
+ loadCert(intCertFileName, ",,");
+ }
+ await checkEVStatus(
+ certDB,
+ constructCertFromFile(`test_keysize_ev/${endEntityCertFileName}.pem`),
+ certificateUsageSSLServer,
+ expectedResult);
- ocspResponder.stop(run_next_test);
- });
+ await stopOCSPResponder(ocspResponder);
}
/**
* For debug builds which have the test EV roots compiled in, checks RSA chains
* which contain certs with key sizes adequate for EV are validated as such,
* while chains that contain any cert with an inadequate key size fail EV and
* validate as DV.
* For opt builds which don't have the test EV roots compiled in, checks that
@@ -71,17 +69,17 @@ function addKeySizeTestForEV(expectedNam
* Note: This function assumes that the key size requirements for EV are greater
* than the requirements for DV.
*
* @param {Number} inadequateKeySize
* The inadequate key size of the generated certs.
* @param {Number} adequateKeySize
* The adequate key size of the generated certs.
*/
-function checkRSAChains(inadequateKeySize, adequateKeySize) {
+async function checkRSAChains(inadequateKeySize, adequateKeySize) {
// Reuse the existing test RSA EV root
let rootOKCertFileName = "../test_ev_certs/evroot";
let rootOKName = "evroot";
let rootNotOKName = "ev_root_rsa_" + inadequateKeySize;
let intOKName = "ev_int_rsa_" + adequateKeySize;
let intNotOKName = "ev_int_rsa_" + inadequateKeySize;
let eeOKName = "ev_ee_rsa_" + adequateKeySize;
let eeNotOKName = "ev_ee_rsa_" + inadequateKeySize;
@@ -91,55 +89,53 @@ function checkRSAChains(inadequateKeySiz
// will for example not be done for the "ev_int_rsa_2048-evroot" intermediate
// in such a build.
let intFullName = intOKName + "-" + rootOKName;
let eeFullName = eeOKName + "-" + intOKName + "-" + rootOKName;
let expectedNamesForOCSP = gEVExpected
? [ intFullName,
eeFullName ]
: [ eeFullName ];
- addKeySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName,
- [ intFullName ], eeFullName, gEVExpected);
+ await keySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName,
+ [ intFullName ], eeFullName, gEVExpected);
// Chain with a root cert that has an inadequate size for EV, but
// adequate size for DV
intFullName = intOKName + "-" + rootNotOKName;
eeFullName = eeOKName + "-" + intOKName + "-" + rootNotOKName;
expectedNamesForOCSP = [ eeFullName ];
- addKeySizeTestForEV(expectedNamesForOCSP, rootNotOKName,
- [ intFullName ], eeFullName, false);
+ await keySizeTestForEV(expectedNamesForOCSP, rootNotOKName,
+ [ intFullName ], eeFullName, false);
// Chain with an intermediate cert that has an inadequate size for EV, but
// adequate size for DV
intFullName = intNotOKName + "-" + rootOKName;
eeFullName = eeOKName + "-" + intNotOKName + "-" + rootOKName;
expectedNamesForOCSP = [ eeFullName ];
- addKeySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName,
- [ intFullName ], eeFullName, false);
+ await keySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName,
+ [ intFullName ], eeFullName, false);
// Chain with an end entity cert that has an inadequate size for EV, but
// adequate size for DV
intFullName = intOKName + "-" + rootOKName;
eeFullName = eeNotOKName + "-" + intOKName + "-" + rootOKName;
expectedNamesForOCSP = gEVExpected
? [ intFullName,
eeFullName ]
: [ eeFullName ];
- addKeySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName,
- [ intFullName ], eeFullName, false);
+ await keySizeTestForEV(expectedNamesForOCSP, rootOKCertFileName,
+ [ intFullName ], eeFullName, false);
}
-function run_test() {
+add_task(async function() {
Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
Services.prefs.setIntPref("security.OCSP.enabled", 1);
let smallKeyEVRoot =
constructCertFromFile("test_keysize_ev/ev_root_rsa_2040.pem");
equal(smallKeyEVRoot.sha256Fingerprint,
"40:AB:5D:A5:89:15:A9:4B:82:87:B8:A6:9A:84:B1:DB:" +
"7A:9D:DB:B8:4E:E1:23:E3:C6:64:E7:50:DC:35:8C:68",
"test sanity check: the small-key EV root must have the same " +
"fingerprint as the corresponding entry in ExtendedValidation.cpp");
- checkRSAChains(2040, 2048);
-
- run_next_test();
-}
+ await checkRSAChains(2040, 2048);
+});
--- a/security/manager/ssl/tests/unit/test_name_constraints.js
+++ b/security/manager/ssl/tests/unit/test_name_constraints.js
@@ -33,31 +33,31 @@ function certFromFile(name) {
}
function loadCertWithTrust(certName, trustString) {
addCertFromFile(certdb, `test_name_constraints/${certName}.pem`,
trustString);
}
function checkCertNotInNameSpace(cert) {
- checkCertErrorGeneric(certdb, cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
- certificateUsageSSLServer);
+ return checkCertErrorGeneric(certdb, cert, SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
+ certificateUsageSSLServer);
}
function checkCertInNameSpace(cert) {
- checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess,
- certificateUsageSSLServer);
+ return checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess,
+ certificateUsageSSLServer);
}
-function run_test() {
+add_task(async function() {
// Test that name constraints from the entire certificate chain are enforced.
loadCertWithTrust("ca-example-com-permitted", "CTu,,");
loadCertWithTrust("int-example-org-permitted", ",,");
- checkCertNotInNameSpace(certFromFile("ee-example-com-and-org"));
- checkCertNotInNameSpace(certFromFile("ee-example-com"));
- checkCertNotInNameSpace(certFromFile("ee-example-org"));
- checkCertNotInNameSpace(certFromFile("ee-example-test"));
+ await checkCertNotInNameSpace(certFromFile("ee-example-com-and-org"));
+ await checkCertNotInNameSpace(certFromFile("ee-example-com"));
+ await checkCertNotInNameSpace(certFromFile("ee-example-org"));
+ await checkCertNotInNameSpace(certFromFile("ee-example-test"));
// Test that externally-imposed name constraints are enforced (DCISS tests).
loadCertWithTrust("dciss", "CTu,,");
- checkCertInNameSpace(certFromFile("NameConstraints.dcissallowed"));
- checkCertNotInNameSpace(certFromFile("NameConstraints.dcissblocked"));
-}
+ await checkCertInNameSpace(certFromFile("NameConstraints.dcissallowed"));
+ await checkCertNotInNameSpace(certFromFile("NameConstraints.dcissblocked"));
+});
--- a/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
@@ -25,117 +25,94 @@ function getFailingOCSPResponder() {
}
function getOCSPResponder(expectedCertNames) {
return startOCSPResponder(SERVER_PORT, "www.example.com", "test_ev_certs",
expectedCertNames, []);
}
// Tests that in ocspOff mode, OCSP fetches are never done.
-function testOff() {
- add_test(() => {
- Services.prefs.setIntPref("security.OCSP.enabled", 0);
- info("Setting security.OCSP.enabled to 0");
- run_next_test();
- });
+async function testOff() {
+ Services.prefs.setIntPref("security.OCSP.enabled", 0);
+ info("Setting security.OCSP.enabled to 0");
// EV chains should verify successfully but never get EV status.
- add_test(() => {
- clearOCSPCache();
- let ocspResponder = getFailingOCSPResponder();
- checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
- false);
- ocspResponder.stop(run_next_test);
- });
+ clearOCSPCache();
+ let ocspResponder = getFailingOCSPResponder();
+ await checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"),
+ certificateUsageSSLServer, false);
+ await stopOCSPResponder(ocspResponder);
// A DV chain should verify successfully.
- add_test(() => {
- clearOCSPCache();
- let ocspResponder = getFailingOCSPResponder();
- checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
- PRErrorCodeSuccess, certificateUsageSSLServer);
- ocspResponder.stop(run_next_test);
- });
+ clearOCSPCache();
+ ocspResponder = getFailingOCSPResponder();
+ await checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
+ PRErrorCodeSuccess, certificateUsageSSLServer);
+ await stopOCSPResponder(ocspResponder);
}
// Tests that in ocspOn mode, OCSP fetches are done for both EV and DV certs.
-function testOn() {
- add_test(() => {
- Services.prefs.setIntPref("security.OCSP.enabled", 1);
- info("Setting security.OCSP.enabled to 1");
- run_next_test();
- });
+async function testOn() {
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ info("Setting security.OCSP.enabled to 1");
// If a successful OCSP response is fetched, then an EV chain should verify
// successfully and get EV status as well.
- add_test(() => {
- clearOCSPCache();
- let ocspResponder =
+ clearOCSPCache();
+ let ocspResponder =
getOCSPResponder(gEVExpected ? ["test-oid-path-int", "test-oid-path-ee"]
: ["test-oid-path-ee"]);
- checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
- gEVExpected);
- ocspResponder.stop(run_next_test);
- });
+ await checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"),
+ certificateUsageSSLServer, gEVExpected);
+ await stopOCSPResponder(ocspResponder);
// If a successful OCSP response is fetched, then a DV chain should verify
// successfully.
- add_test(() => {
- clearOCSPCache();
- let ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]);
- checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
- PRErrorCodeSuccess, certificateUsageSSLServer);
- ocspResponder.stop(run_next_test);
- });
+ clearOCSPCache();
+ ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]);
+ await checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
+ PRErrorCodeSuccess, certificateUsageSSLServer);
+ await stopOCSPResponder(ocspResponder);
}
// Tests that in ocspEVOnly mode, OCSP fetches are done for EV certs only.
-function testEVOnly() {
- add_test(() => {
- Services.prefs.setIntPref("security.OCSP.enabled", 2);
- info("Setting security.OCSP.enabled to 2");
- run_next_test();
- });
+async function testEVOnly() {
+ Services.prefs.setIntPref("security.OCSP.enabled", 2);
+ info("Setting security.OCSP.enabled to 2");
// If a successful OCSP response is fetched, then an EV chain should verify
// successfully and get EV status as well.
- add_test(() => {
- clearOCSPCache();
- let ocspResponder = gEVExpected
- ? getOCSPResponder(["test-oid-path-int", "test-oid-path-ee"])
- : getFailingOCSPResponder();
- checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
- gEVExpected);
- ocspResponder.stop(run_next_test);
- });
+ clearOCSPCache();
+ let ocspResponder = gEVExpected
+ ? getOCSPResponder(["test-oid-path-int", "test-oid-path-ee"])
+ : getFailingOCSPResponder();
+ await checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"),
+ certificateUsageSSLServer, gEVExpected);
+ await stopOCSPResponder(ocspResponder);
// A DV chain should verify successfully even without doing OCSP fetches.
- add_test(() => {
- clearOCSPCache();
- let ocspResponder = getFailingOCSPResponder();
- checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
- PRErrorCodeSuccess, certificateUsageSSLServer);
- ocspResponder.stop(run_next_test);
- });
+ clearOCSPCache();
+ ocspResponder = getFailingOCSPResponder();
+ await checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
+ PRErrorCodeSuccess, certificateUsageSSLServer);
+ await stopOCSPResponder(ocspResponder);
}
-function run_test() {
+add_task(async function() {
registerCleanupFunction(() => {
Services.prefs.clearUserPref("network.dns.localDomains");
Services.prefs.clearUserPref("security.OCSP.enabled");
Services.prefs.clearUserPref("security.OCSP.require");
});
Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
// Enable hard fail to ensure chains that should only succeed because they get
// a good OCSP response do not succeed due to soft fail leniency.
Services.prefs.setBoolPref("security.OCSP.require", true);
loadCert("evroot", "CTu,,");
loadCert("test-oid-path-int", ",,");
loadCert("non-evroot-ca", "CTu,,");
loadCert("non-ev-root-path-int", ",,");
- testOff();
- testOn();
- testEVOnly();
-
- run_next_test();
-}
+ await testOff();
+ await testOn();
+ await testEVOnly();
+});
--- a/security/manager/ssl/tests/unit/test_ocsp_fetch_method.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_fetch_method.js
@@ -23,37 +23,31 @@ function start_ocsp_responder(expectedCe
}
function check_cert_err(cert_name, expected_error) {
let cert = constructCertFromFile("test_ocsp_fetch_method/" + cert_name + ".pem");
return checkCertErrorGeneric(certdb, cert, expected_error,
certificateUsageSSLServer);
}
-function run_test() {
+add_task(async function() {
addCertFromFile(certdb, "test_ocsp_fetch_method/ca.pem", "CTu,CTu,CTu");
addCertFromFile(certdb, "test_ocsp_fetch_method/int.pem", ",,");
// Enabled so that we can force ocsp failure responses.
Services.prefs.setBoolPref("security.OCSP.require", true);
Services.prefs.setCharPref("network.dns.localDomains",
"www.example.com");
Services.prefs.setIntPref("security.OCSP.enabled", 1);
- add_test(function() {
- clearOCSPCache();
- Services.prefs.setBoolPref("security.OCSP.GET.enabled", false);
- let ocspResponder = start_ocsp_responder(["a"], [], ["POST"]);
- check_cert_err("a", PRErrorCodeSuccess);
- ocspResponder.stop(run_next_test);
- });
+ clearOCSPCache();
+ Services.prefs.setBoolPref("security.OCSP.GET.enabled", false);
+ let ocspResponder = start_ocsp_responder(["a"], [], ["POST"]);
+ await check_cert_err("a", PRErrorCodeSuccess);
+ await stopOCSPResponder(ocspResponder);
- add_test(function() {
- clearOCSPCache();
- Services.prefs.setBoolPref("security.OCSP.GET.enabled", true);
- let ocspResponder = start_ocsp_responder(["a"], [], ["GET"]);
- check_cert_err("a", PRErrorCodeSuccess);
- ocspResponder.stop(run_next_test);
- });
-
- run_next_test();
-}
+ clearOCSPCache();
+ Services.prefs.setBoolPref("security.OCSP.GET.enabled", true);
+ ocspResponder = start_ocsp_responder(["a"], [], ["GET"]);
+ await check_cert_err("a", PRErrorCodeSuccess);
+ await stopOCSPResponder(ocspResponder);
+});
--- a/security/manager/ssl/tests/unit/test_ocsp_private_caching.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_private_caching.js
@@ -18,22 +18,16 @@ const SERVER_PORT = 8888;
function start_ocsp_responder(expectedCertNames, expectedPaths,
expectedMethods) {
return startOCSPResponder(SERVER_PORT, "www.example.com",
"test_ocsp_fetch_method", expectedCertNames,
expectedPaths, expectedMethods);
}
-function check_cert_err(cert_name, expected_error) {
- let cert = constructCertFromFile("test_ocsp_fetch_method/" + cert_name + ".pem");
- return checkCertErrorGeneric(certdb, cert, expected_error,
- certificateUsageSSLServer);
-}
-
function add_flush_cache() {
add_test(() => {
// This appears to either fire multiple times or fire once for every
// observer that has ever been passed to flush. To prevent multiple calls to
// run_next_test, keep track of if this observer has already called it.
let observed = false;
let observer = { observe: () => {
if (!observed) {
--- a/security/manager/ssl/tests/unit/test_ocsp_url.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_url.js
@@ -25,113 +25,87 @@ function start_ocsp_responder(expectedCe
}
function check_cert_err(cert_name, expected_error) {
let cert = constructCertFromFile("test_ocsp_url/" + cert_name + ".pem");
return checkCertErrorGeneric(certdb, cert, expected_error,
certificateUsageSSLServer);
}
-function run_test() {
+add_task(async function() {
addCertFromFile(certdb, "test_ocsp_url/ca.pem", "CTu,CTu,CTu");
addCertFromFile(certdb, "test_ocsp_url/int.pem", ",,");
// Enabled so that we can force ocsp failure responses.
Services.prefs.setBoolPref("security.OCSP.require", true);
Services.prefs.setCharPref("network.dns.localDomains",
"www.example.com");
Services.prefs.setIntPref("security.OCSP.enabled", 1);
// Note: We don't test the case of a well-formed HTTP URL with an empty port
// because the OCSP code would then send a request to port 80, which we
// can't use in tests.
- add_test(function() {
- clearOCSPCache();
- let ocspResponder = failingOCSPResponder();
- check_cert_err("bad-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
- ocspResponder.stop(run_next_test);
- });
+ clearOCSPCache();
+ let ocspResponder = failingOCSPResponder();
+ await check_cert_err("bad-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
- add_test(function() {
- clearOCSPCache();
- let ocspResponder = failingOCSPResponder();
- check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
- ocspResponder.stop(run_next_test);
- });
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
- add_test(() => {
- clearOCSPCache();
- let ocspResponder = failingOCSPResponder();
- check_cert_err("ftp-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
- ocspResponder.stop(run_next_test);
- });
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("ftp-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
- add_test(function() {
- clearOCSPCache();
- let ocspResponder = failingOCSPResponder();
- check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
- ocspResponder.stop(run_next_test);
- });
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
- add_test(function() {
- clearOCSPCache();
- let ocspResponder = start_ocsp_responder(["hTTp-url"], ["hTTp-url"]);
- check_cert_err("hTTp-url", PRErrorCodeSuccess);
- ocspResponder.stop(run_next_test);
- });
+ clearOCSPCache();
+ ocspResponder = start_ocsp_responder(["hTTp-url"], ["hTTp-url"]);
+ await check_cert_err("hTTp-url", PRErrorCodeSuccess);
+ await stopOCSPResponder(ocspResponder);
- add_test(function() {
- clearOCSPCache();
- let ocspResponder = failingOCSPResponder();
- check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
- ocspResponder.stop(run_next_test);
- });
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
- add_test(function() {
- clearOCSPCache();
- let ocspResponder = failingOCSPResponder();
- // XXX Bug 1013615 parser accepts ":8888" as hostname
- check_cert_err("no-host-url", SEC_ERROR_OCSP_SERVER_ERROR);
- ocspResponder.stop(run_next_test);
- });
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ // XXX Bug 1013615 parser accepts ":8888" as hostname
+ await check_cert_err("no-host-url", SEC_ERROR_OCSP_SERVER_ERROR);
+ await stopOCSPResponder(ocspResponder);
- add_test(function() {
- clearOCSPCache();
- let ocspResponder = start_ocsp_responder(["no-path-url"], [""]);
- check_cert_err("no-path-url", PRErrorCodeSuccess);
- ocspResponder.stop(run_next_test);
- });
+ clearOCSPCache();
+ ocspResponder = start_ocsp_responder(["no-path-url"], [""]);
+ await check_cert_err("no-path-url", PRErrorCodeSuccess);
+ await stopOCSPResponder(ocspResponder);
- add_test(function() {
- clearOCSPCache();
- let ocspResponder = failingOCSPResponder();
- check_cert_err("no-scheme-host-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
- ocspResponder.stop(run_next_test);
- });
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("no-scheme-host-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
- add_test(function() {
- clearOCSPCache();
- let ocspResponder = failingOCSPResponder();
- check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
- ocspResponder.stop(run_next_test);
- });
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
- add_test(function() {
- clearOCSPCache();
- let ocspResponder = failingOCSPResponder();
- check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
- ocspResponder.stop(run_next_test);
- });
+ clearOCSPCache();
+ ocspResponder = failingOCSPResponder();
+ await check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
+ await stopOCSPResponder(ocspResponder);
// Note: We currently don't have anything that ensures user:pass sections
// weren't sent. The following test simply checks that such sections
// don't cause failures.
- add_test(() => {
- clearOCSPCache();
- let ocspResponder = start_ocsp_responder(["user-pass"], [""]);
- check_cert_err("user-pass", PRErrorCodeSuccess);
- ocspResponder.stop(run_next_test);
- });
-
- run_next_test();
-}
+ clearOCSPCache();
+ ocspResponder = start_ocsp_responder(["user-pass"], [""]);
+ await check_cert_err("user-pass", PRErrorCodeSuccess);
+ await stopOCSPResponder(ocspResponder);
+});
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic.js
+++ b/security/manager/ssl/tests/unit/test_pinning_dynamic.js
@@ -20,22 +20,22 @@ function certFromFile(cert_name) {
function loadCert(cert_name, trust_string) {
let cert_filename = "test_pinning_dynamic/" + cert_name + ".pem";
addCertFromFile(certdb, cert_filename, trust_string);
return constructCertFromFile(cert_filename);
}
function checkOK(cert, hostname) {
return checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess,
- certificateUsageSSLServer, {}, hostname);
+ certificateUsageSSLServer, false, hostname);
}
function checkFail(cert, hostname) {
return checkCertErrorGeneric(certdb, cert, MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE,
- certificateUsageSSLServer, {}, hostname);
+ certificateUsageSSLServer, false, hostname);
}
const NON_ISSUED_KEY_HASH = "KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN=";
const PINNING_ROOT_KEY_HASH = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=";
function run_test() {
Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
@@ -101,129 +101,141 @@ function checkStateRead(aSubject, aTopic
throw new Error("Observed data should either be the Site Security " +
"Service state file name or the preload file name");
}
if (!gSSSStateSeen || !gPreloadStateSeen) {
return;
}
+ async_check_pins()
+ .then(function() {
+ return new Promise((resolve, reject) => {
+ do_timeout(1250, resolve);
+ });
+ })
+ .then(checkExpiredState)
+ .then(checkPreloadClear)
+ .then(do_test_finished);
+}
+
+async function async_check_pins() {
notEqual(gSSService, null, "SiteSecurityService should be initialized");
// Initializing the certificate DB will cause NSS-initialization, which in
// turn initializes the site security service. Since we're in part testing
// that the site security service correctly reads its state file, we have to
// make sure it doesn't start up before we've populated the file
certdb = Cc["@mozilla.org/security/x509certdb;1"]
.getService(Ci.nsIX509CertDB);
loadCert("pinningroot", "CTu,CTu,CTu");
loadCert("badca", "CTu,CTu,CTu");
// the written entry is for a.pinning2.example.com without subdomains
// and b.pinning2.example.com with subdomains
- checkFail(certFromFile("a.pinning2.example.com-badca"),
- "a.pinning2.example.com");
- checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
- "a.pinning2.example.com");
- checkOK(certFromFile("x.a.pinning2.example.com-badca"),
- "x.a.pinning2.example.com");
- checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
- "x.a.pinning2.example.com");
+ await checkFail(certFromFile("a.pinning2.example.com-badca"),
+ "a.pinning2.example.com");
+ await checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
+ "a.pinning2.example.com");
+ await checkOK(certFromFile("x.a.pinning2.example.com-badca"),
+ "x.a.pinning2.example.com");
+ await checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
+ "x.a.pinning2.example.com");
- checkFail(certFromFile("b.pinning2.example.com-badca"),
- "b.pinning2.example.com");
- checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
- "b.pinning2.example.com");
- checkFail(certFromFile("x.b.pinning2.example.com-badca"),
- "x.b.pinning2.example.com");
- checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
- "x.b.pinning2.example.com");
+ await checkFail(certFromFile("b.pinning2.example.com-badca"),
+ "b.pinning2.example.com");
+ await checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
+ "b.pinning2.example.com");
+ await checkFail(certFromFile("x.b.pinning2.example.com-badca"),
+ "x.b.pinning2.example.com");
+ await checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
+ "x.b.pinning2.example.com");
checkDefaultSiteHPKPStatus();
// add includeSubdomains to a.pinning2.example.com
gSSService.setKeyPins("a.pinning2.example.com", true,
new Date().getTime() + 1000000, 2,
[NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH]);
- checkFail(certFromFile("a.pinning2.example.com-badca"),
- "a.pinning2.example.com");
- checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
- "a.pinning2.example.com");
- checkFail(certFromFile("x.a.pinning2.example.com-badca"),
- "x.a.pinning2.example.com");
- checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
- "x.a.pinning2.example.com");
- checkFail(certFromFile("b.pinning2.example.com-badca"),
- "b.pinning2.example.com");
- checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
- "b.pinning2.example.com");
- checkFail(certFromFile("x.b.pinning2.example.com-badca"),
- "x.b.pinning2.example.com");
- checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
- "x.b.pinning2.example.com");
+ await checkFail(certFromFile("a.pinning2.example.com-badca"),
+ "a.pinning2.example.com");
+ await checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
+ "a.pinning2.example.com");
+ await checkFail(certFromFile("x.a.pinning2.example.com-badca"),
+ "x.a.pinning2.example.com");
+ await checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
+ "x.a.pinning2.example.com");
+ await checkFail(certFromFile("b.pinning2.example.com-badca"),
+ "b.pinning2.example.com");
+ await checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
+ "b.pinning2.example.com");
+ await checkFail(certFromFile("x.b.pinning2.example.com-badca"),
+ "x.b.pinning2.example.com");
+ await checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
+ "x.b.pinning2.example.com");
ok(gSSService.isSecureURI(
Ci.nsISiteSecurityService.HEADER_HPKP,
Services.io.newURI("https://a.pinning2.example.com"), 0),
"a.pinning2.example.com should still have HPKP status after adding" +
" includeSubdomains to a.pinning2.example.com");
ok(gSSService.isSecureURI(
Ci.nsISiteSecurityService.HEADER_HPKP,
Services.io.newURI("https://x.a.pinning2.example.com"), 0),
"x.a.pinning2.example.com should now have HPKP status after adding" +
" includeSubdomains to a.pinning2.example.com");
// Now setpins without subdomains
gSSService.setKeyPins("a.pinning2.example.com", false,
new Date().getTime() + 1000000, 2,
[NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH]);
- checkFail(certFromFile("a.pinning2.example.com-badca"),
- "a.pinning2.example.com");
- checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
- "a.pinning2.example.com");
- checkOK(certFromFile("x.a.pinning2.example.com-badca"),
- "x.a.pinning2.example.com");
- checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
- "x.a.pinning2.example.com");
+ await checkFail(certFromFile("a.pinning2.example.com-badca"),
+ "a.pinning2.example.com");
+ await checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
+ "a.pinning2.example.com");
+ await checkOK(certFromFile("x.a.pinning2.example.com-badca"),
+ "x.a.pinning2.example.com");
+ await checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
+ "x.a.pinning2.example.com");
- checkFail(certFromFile("b.pinning2.example.com-badca"),
- "b.pinning2.example.com");
- checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
- "b.pinning2.example.com");
- checkFail(certFromFile("x.b.pinning2.example.com-badca"),
- "x.b.pinning2.example.com");
- checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
- "x.b.pinning2.example.com");
+ await checkFail(certFromFile("b.pinning2.example.com-badca"),
+ "b.pinning2.example.com");
+ await checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
+ "b.pinning2.example.com");
+ await checkFail(certFromFile("x.b.pinning2.example.com-badca"),
+ "x.b.pinning2.example.com");
+ await checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
+ "x.b.pinning2.example.com");
checkDefaultSiteHPKPStatus();
// failure to insert new pin entry leaves previous pin behavior
throws(() => {
gSSService.setKeyPins("a.pinning2.example.com", true,
new Date().getTime() + 1000000, 1, ["not a hash"]);
}, /NS_ERROR_ILLEGAL_VALUE/, "Attempting to set an invalid pin should fail");
- checkFail(certFromFile("a.pinning2.example.com-badca"),
- "a.pinning2.example.com");
- checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
- "a.pinning2.example.com");
- checkOK(certFromFile("x.a.pinning2.example.com-badca"),
- "x.a.pinning2.example.com");
- checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
- "x.a.pinning2.example.com");
+ await checkFail(certFromFile("a.pinning2.example.com-badca"),
+ "a.pinning2.example.com");
+ await checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
+ "a.pinning2.example.com");
+ await checkOK(certFromFile("x.a.pinning2.example.com-badca"),
+ "x.a.pinning2.example.com");
+ await checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
+ "x.a.pinning2.example.com");
- checkFail(certFromFile("b.pinning2.example.com-badca"),
- "b.pinning2.example.com");
- checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
- "b.pinning2.example.com");
- checkFail(certFromFile("x.b.pinning2.example.com-badca"),
- "x.b.pinning2.example.com");
- checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
- "x.b.pinning2.example.com");
+ await checkFail(certFromFile("b.pinning2.example.com-badca"),
+ "b.pinning2.example.com");
+ await checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
+ "b.pinning2.example.com");
+ await checkFail(certFromFile("x.b.pinning2.example.com-badca"),
+ "x.b.pinning2.example.com");
+ await checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
+ "x.b.pinning2.example.com");
checkDefaultSiteHPKPStatus();
// Incorrect size results in failure
throws(() => {
gSSService.setKeyPins("a.pinning2.example.com", true,
new Date().getTime() + 1000000, 2, ["not a hash"]);
}, /NS_ERROR_XPC_NOT_ENOUGH_ELEMENTS_IN_ARRAY/,
@@ -238,56 +250,51 @@ function checkStateRead(aSubject, aTopic
Ci.nsISiteSecurityService.HEADER_HPKP,
Services.io.newURI("https://include-subdomains.pinning.example.com"), 0),
"Built-in include-subdomains.pinning.example.com should have HPKP status");
gSSService.setKeyPins("a.pinning2.example.com", false, new Date().getTime(),
1, [NON_ISSUED_KEY_HASH]);
// Check that a preload pin loaded from file works as expected
- checkFail(certFromFile("a.preload.example.com-badca"), "a.preload.example.com");
- checkOK(certFromFile("a.preload.example.com-pinningroot"), "a.preload.example.com");
+ await checkFail(certFromFile("a.preload.example.com-badca"), "a.preload.example.com");
+ await checkOK(certFromFile("a.preload.example.com-pinningroot"), "a.preload.example.com");
// Check a dynamic addition works as expected
// first, it should succeed with the badCA - because there's no pin
- checkOK(certFromFile("b.preload.example.com-badca"), "b.preload.example.com");
+ await checkOK(certFromFile("b.preload.example.com-badca"), "b.preload.example.com");
// then we add a pin, and we should get a failure (ensuring the expiry is
// after the test timeout)
gSSService.setKeyPins("b.preload.example.com", false,
new Date().getTime() + 1000000, 2,
[NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH], true);
- checkFail(certFromFile("b.preload.example.com-badca"), "b.preload.example.com");
-
- do_timeout(1250, checkExpiredState);
+ await checkFail(certFromFile("b.preload.example.com-badca"), "b.preload.example.com");
}
-function checkExpiredState() {
- checkOK(certFromFile("a.pinning2.example.com-badca"),
- "a.pinning2.example.com");
- checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
- "a.pinning2.example.com");
- checkOK(certFromFile("x.a.pinning2.example.com-badca"),
- "x.a.pinning2.example.com");
- checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
- "x.a.pinning2.example.com");
+async function checkExpiredState() {
+ await checkOK(certFromFile("a.pinning2.example.com-badca"),
+ "a.pinning2.example.com");
+ await checkOK(certFromFile("a.pinning2.example.com-pinningroot"),
+ "a.pinning2.example.com");
+ await checkOK(certFromFile("x.a.pinning2.example.com-badca"),
+ "x.a.pinning2.example.com");
+ await checkOK(certFromFile("x.a.pinning2.example.com-pinningroot"),
+ "x.a.pinning2.example.com");
- checkFail(certFromFile("b.pinning2.example.com-badca"),
- "b.pinning2.example.com");
- checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
- "b.pinning2.example.com");
- checkFail(certFromFile("x.b.pinning2.example.com-badca"),
- "x.b.pinning2.example.com");
- checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
- "x.b.pinning2.example.com");
- checkPreloadClear();
+ await checkFail(certFromFile("b.pinning2.example.com-badca"),
+ "b.pinning2.example.com");
+ await checkOK(certFromFile("b.pinning2.example.com-pinningroot"),
+ "b.pinning2.example.com");
+ await checkFail(certFromFile("x.b.pinning2.example.com-badca"),
+ "x.b.pinning2.example.com");
+ await checkOK(certFromFile("x.b.pinning2.example.com-pinningroot"),
+ "x.b.pinning2.example.com");
}
-function checkPreloadClear() {
+async function checkPreloadClear() {
// Check that the preloaded pins still work after private data is cleared
gSSService.clearAll();
- checkFail(certFromFile("b.preload.example.com-badca"), "b.preload.example.com");
+ await checkFail(certFromFile("b.preload.example.com-badca"), "b.preload.example.com");
// Check that the preloaded pins are cleared when we clear preloads
gSSService.clearPreloads();
- checkOK(certFromFile("b.preload.example.com-badca"), "b.preload.example.com");
-
- do_test_finished();
+ await checkOK(certFromFile("b.preload.example.com-badca"), "b.preload.example.com");
}
--- a/security/manager/ssl/tests/unit/test_startcom_wosign.js
+++ b/security/manager/ssl/tests/unit/test_startcom_wosign.js
@@ -7,37 +7,41 @@
// certificates have a notBefore before 21 October 2016, they are handled
// normally. Otherwise, they are treated as revoked.
do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
.getService(Ci.nsIX509CertDB);
function loadCertWithTrust(certName, trustString) {
- addCertFromFile(certdb, "test_startcom_wosign/" + certName + ".pem", trustString);
+ addCertFromFile(certdb, "test_startcom_wosign/" + certName + ".pem",
+ trustString);
}
function certFromFile(certName) {
return constructCertFromFile("test_startcom_wosign/" + certName + ".pem");
}
function checkEndEntity(cert, expectedResult) {
// (new Date("2016-11-01")).getTime() / 1000
const VALIDATION_TIME = 1477958400;
- checkCertErrorGenericAtTime(certdb, cert, expectedResult,
- certificateUsageSSLServer, VALIDATION_TIME);
+ return checkCertErrorGenericAtTime(certdb, cert, expectedResult,
+ certificateUsageSSLServer,
+ VALIDATION_TIME);
}
-loadCertWithTrust("ca", "CTu,,");
-// This is not a real StartCom CA - it merely has the same distinguished name as
-// one (namely "/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2",
-// encoded with PrintableStrings). By checking for specific DNs, we can enforce
-// the date-based policy in a way that is testable.
-loadCertWithTrust("StartComCA", ",,");
-checkEndEntity(certFromFile("StartCom-before-cutoff"), PRErrorCodeSuccess);
-checkEndEntity(certFromFile("StartCom-after-cutoff"), SEC_ERROR_REVOKED_CERTIFICATE);
+add_task(async function() {
+ loadCertWithTrust("ca", "CTu,,");
+ // This is not a real StartCom CA - it merely has the same distinguished name
+ // as one (namely "/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
+ // G2", encoded with PrintableStrings). By checking for specific DNs, we can
+ // enforce the date-based policy in a way that is testable.
+ loadCertWithTrust("StartComCA", ",,");
+ await checkEndEntity(certFromFile("StartCom-before-cutoff"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("StartCom-after-cutoff"), SEC_ERROR_REVOKED_CERTIFICATE);
-// Similarly, this is not a real WoSign CA. It has the same distinguished name
-// as "/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign", encoded
-// with PrintableStrings).
-loadCertWithTrust("WoSignCA", ",,");
-checkEndEntity(certFromFile("WoSign-before-cutoff"), PRErrorCodeSuccess);
-checkEndEntity(certFromFile("WoSign-after-cutoff"), SEC_ERROR_REVOKED_CERTIFICATE);
+ // Similarly, this is not a real WoSign CA. It has the same distinguished name
+ // as "/C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign",
+ // encoded with PrintableStrings).
+ loadCertWithTrust("WoSignCA", ",,");
+ await checkEndEntity(certFromFile("WoSign-before-cutoff"), PRErrorCodeSuccess);
+ await checkEndEntity(certFromFile("WoSign-after-cutoff"), SEC_ERROR_REVOKED_CERTIFICATE);
+});
--- a/security/manager/ssl/tests/unit/test_symantec_apple_google.js
+++ b/security/manager/ssl/tests/unit/test_symantec_apple_google.js
@@ -64,27 +64,25 @@ add_test(function() {
});
add_connection_test("symantec-not-whitelisted-before-cutoff.example.com",
MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
null, null);
// Load the wildcard *.google.com cert and its intermediate, then verify
// it at a reasonable time and make sure the whitelists work
-function run_test() {
+add_task(async function() {
addCertFromFile(certDB, "test_symantec_apple_google/real-google-g2-intermediate.pem", ",,");
let whitelistedCert = constructCertFromFile("test_symantec_apple_google/real-googlecom.pem");
// Since we don't want to actually try to fetch OCSP for this certificate,
// (as an external fetch is bad in the tests), disable OCSP first.
Services.prefs.setIntPref("security.OCSP.enabled", 0);
Services.prefs.setIntPref("security.pki.distrust_ca_policy",
/* DistrustedCAPolicy::DistrustSymantecRoots */ 1);
// (new Date("2018-02-16")).getTime() / 1000
const VALIDATION_TIME = 1518739200;
- checkCertErrorGenericAtTime(certDB, whitelistedCert, PRErrorCodeSuccess,
- certificateUsageSSLServer, VALIDATION_TIME);
-
- run_next_test();
-}
+ await checkCertErrorGenericAtTime(certDB, whitelistedCert, PRErrorCodeSuccess,
+ certificateUsageSSLServer, VALIDATION_TIME);
+});
--- a/security/manager/ssl/tests/unit/test_validity.js
+++ b/security/manager/ssl/tests/unit/test_validity.js
@@ -22,70 +22,66 @@ function certFromFile(filename) {
return constructCertFromFile(`test_validity/${filename}`);
}
function loadCert(certFilename, trustString) {
addCertFromFile(certDB, `test_validity/${certFilename}`, trustString);
}
/**
- * Adds a single EV test.
+ * Asynchronously runs a single EV test.
*
* @param {Array} expectedNamesForOCSP
* An array of nicknames of the certs to be responded to.
* @param {String} rootCertFileName
* The file name of the root cert. Can begin with ".." to reference
* certs in folders other than "test_validity/".
* @param {Array} intCertFileNames
* An array of file names of any intermediate certificates.
* @param {String} endEntityCertFileName
* The file name of the end entity cert.
* @param {Boolean} expectedResult
* Whether the chain is expected to validate as EV.
*/
-function addEVTest(expectedNamesForOCSP, rootCertFileName, intCertFileNames,
- endEntityCertFileName, expectedResult) {
- add_test(function() {
- clearOCSPCache();
- let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
+async function doEVTest(expectedNamesForOCSP, rootCertFileName, intCertFileNames,
+ endEntityCertFileName, expectedResult) {
+ clearOCSPCache();
+ let ocspResponder = getOCSPResponder(expectedNamesForOCSP);
- loadCert(`${rootCertFileName}.pem`, "CTu,CTu,CTu");
- for (let intCertFileName of intCertFileNames) {
- loadCert(`${intCertFileName}.pem`, ",,");
- }
- checkEVStatus(certDB, certFromFile(`${endEntityCertFileName}.pem`),
- certificateUsageSSLServer, expectedResult);
+ loadCert(`${rootCertFileName}.pem`, "CTu,CTu,CTu");
+ for (let intCertFileName of intCertFileNames) {
+ loadCert(`${intCertFileName}.pem`, ",,");
+ }
+ await checkEVStatus(certDB, certFromFile(`${endEntityCertFileName}.pem`),
+ certificateUsageSSLServer, expectedResult);
- ocspResponder.stop(run_next_test);
- });
+ await stopOCSPResponder(ocspResponder);
}
-function checkEVChains() {
+async function checkEVChains() {
// Chain with an end entity cert with a validity period that is acceptable
// for EV.
const intFullName = "ev_int_60_months-evroot";
let eeFullName = `ev_ee_27_months-${intFullName}`;
let expectedNamesForOCSP = gEVExpected
? [ intFullName,
eeFullName ]
: [ eeFullName ];
- addEVTest(expectedNamesForOCSP, "../test_ev_certs/evroot", [ intFullName ],
- eeFullName, gEVExpected);
+ await doEVTest(expectedNamesForOCSP, "../test_ev_certs/evroot",
+ [ intFullName ], eeFullName, gEVExpected);
// Chain with an end entity cert with a validity period that is too long
// for EV.
eeFullName = `ev_ee_28_months-${intFullName}`;
expectedNamesForOCSP = gEVExpected
? [ intFullName,
eeFullName ]
: [ eeFullName ];
- addEVTest(expectedNamesForOCSP, "../test_ev_certs/evroot", [ intFullName ],
- eeFullName, false);
+ await doEVTest(expectedNamesForOCSP, "../test_ev_certs/evroot",
+ [ intFullName ], eeFullName, false);
}
-function run_test() {
+add_task(async function () {
Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
Services.prefs.setIntPref("security.OCSP.enabled", 1);
- checkEVChains();
-
- run_next_test();
-}
+ await checkEVChains();
+});