--- a/netwerk/test/unit/test_altsvc.js
+++ b/netwerk/test/unit/test_altsvc.js
@@ -123,17 +123,17 @@ function readFile(file) {
let data = NetUtil.readInputStreamToString(fstream, fstream.available());
fstream.close();
return data;
}
function addCertFromFile(certdb, filename, trustString) {
let certFile = do_get_file(filename, false);
let der = readFile(certFile);
- certdb.addCert(der, trustString, null);
+ certdb.addCert(der, trustString);
}
function makeChan(origin) {
return NetUtil.newChannel({
uri: origin + "altsvc-test",
loadUsingSystemPrincipal: true
}).QueryInterface(Ci.nsIHttpChannel);
}
--- a/netwerk/test/unit/test_http2.js
+++ b/netwerk/test/unit/test_http2.js
@@ -1106,10 +1106,10 @@ function readFile(file) {
let data = NetUtil.readInputStreamToString(fstream, fstream.available());
fstream.close();
return data;
}
function addCertFromFile(certdb, filename, trustString) {
let certFile = do_get_file(filename, false);
let der = readFile(certFile);
- certdb.addCert(der, trustString, null);
+ certdb.addCert(der, trustString);
}
--- a/netwerk/test/unit/test_immutable.js
+++ b/netwerk/test/unit/test_immutable.js
@@ -47,17 +47,17 @@ function readFile(file) {
let data = NetUtil.readInputStreamToString(fstream, fstream.available());
fstream.close();
return data;
}
function addCertFromFile(certdb, filename, trustString) {
let certFile = do_get_file(filename, false);
let der = readFile(certFile);
- certdb.addCert(der, trustString, null);
+ certdb.addCert(der, trustString);
}
function makeChan(origin, path) {
return NetUtil.newChannel({
uri: origin + path,
loadUsingSystemPrincipal: true
}).QueryInterface(Ci.nsIHttpChannel);
}
--- a/security/manager/ssl/nsIX509CertDB.idl
+++ b/security/manager/ssl/nsIX509CertDB.idl
@@ -333,23 +333,23 @@ interface nsIX509CertDB : nsISupports {
in nsIInputStream aManifestStream,
in nsIInputStream aSignatureStream,
in nsIVerifySignedManifestCallback callback);
/*
* Add a cert to a cert DB from a binary string.
*
* @param certDER The raw DER encoding of a certificate.
- * @param aTrust decoded by CERT_DecodeTrustString. 3 comma separated characters,
- * indicating SSL, Email, and Obj signing trust
- * @param aName name of the cert for display purposes.
- * TODO(bug 857627): aName is currently ignored. It should either
- * not be ignored, or be removed.
+ * @param trust String describing the trust settings to assign the
+ * certificate. Decoded by CERT_DecodeTrustString. Consists of 3
+ * comma separated sets of characters, indicating SSL, Email, and
+ * Object signing trust.
+ * @return nsIX509Cert the resulting certificate
*/
- void addCert(in ACString certDER, in ACString aTrust, in AUTF8String aName);
+ nsIX509Cert addCert(in ACString certDER, in ACString trust);
// Flags for verifyCertNow (these must match the values in CertVerifier.cpp):
// Prevent network traffic. Doesn't work with classic verification.
const uint32_t FLAG_LOCAL_ONLY = 1 << 0;
// Do not fall back to DV verification after attempting EV validation.
// Actually does prevent network traffic, but can cause a valid EV
// certificate to not be considered valid.
const uint32_t FLAG_MUST_BE_EV = 1 << 1;
@@ -402,26 +402,24 @@ interface nsIX509CertDB : nsISupports {
// Clears the OCSP cache for the current certificate verification
// implementation.
void clearOCSPCache();
/*
* Add a cert to a cert DB from a base64 encoded string.
*
- * @param base64 The raw representation of a certificate,
- * encoded as Base 64.
- * @param aTrust decoded by CERT_DecodeTrustString. 3 comma separated characters,
- * indicating SSL, Email, and Obj signing trust
- * @param aName name of the cert for display purposes.
- * TODO(bug 857627): aName is currently ignored. It should either
- * not be ignored, or be removed.
+ * @param base64 The raw representation of a certificate, encoded as Base 64.
+ * @param trust String describing the trust settings to assign the
+ * certificate. Decoded by CERT_DecodeTrustString. Consists of 3
+ * comma separated sets of characters, indicating SSL, Email, and
+ * Object signing trust.
+ * @return nsIX509Cert the resulting certificate
*/
- void addCertFromBase64(in ACString base64, in ACString aTrust,
- in AUTF8String aName);
+ nsIX509Cert addCertFromBase64(in ACString base64, in ACString trust);
/*
* Get all the known certs in the database
*/
nsIX509CertList getCerts();
/*
* Get a list of imported enterprise root certificates (currently only
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@@ -6,16 +6,17 @@
#include "CertVerifier.h"
#include "CryptoTask.h"
#include "ExtendedValidation.h"
#include "NSSCertDBTrustDomain.h"
#include "SharedSSLState.h"
#include "certdb.h"
#include "mozilla/Base64.h"
+#include "mozilla/Assertions.h"
#include "mozilla/Casting.h"
#include "mozilla/Unused.h"
#include "nsArray.h"
#include "nsArrayUtils.h"
#include "nsCOMPtr.h"
#include "nsCRT.h"
#include "nsComponentManagerUtils.h"
#include "nsICertificateDialogs.h"
@@ -1327,18 +1328,24 @@ nsNSSCertificateDB::get_default_nickname
}
count++;
}
}
NS_IMETHODIMP
nsNSSCertificateDB::AddCertFromBase64(const nsACString& aBase64,
const nsACString& aTrust,
- const nsACString& /*aName*/)
+ nsIX509Cert** addedCertificate)
{
+ MOZ_ASSERT(addedCertificate);
+ if (!addedCertificate) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ *addedCertificate = nullptr;
+
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown()) {
return NS_ERROR_NOT_AVAILABLE;
}
nsNSSCertTrust trust;
if (CERT_DecodeTrustString(trust.GetTrust(), PromiseFlatCString(aTrust).get())
!= SECSuccess) {
@@ -1354,41 +1361,51 @@ nsNSSCertificateDB::AddCertFromBase64(co
UniqueCERTCertificate tmpCert(newCert->GetCert());
if (!tmpCert) {
return NS_ERROR_FAILURE;
}
// If there's already a certificate that matches this one in the database, we
// still want to set its trust to the given value.
if (tmpCert->isperm) {
- return SetCertTrustFromString(newCert, aTrust);
+ rv = SetCertTrustFromString(newCert, aTrust);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ newCert.forget(addedCertificate);
+ return NS_OK;
}
UniquePORTString nickname(CERT_MakeCANickname(tmpCert.get()));
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Created nick \"%s\"\n", nickname.get()));
rv = attemptToLogInWithDefaultPassword();
if (NS_WARN_IF(rv != NS_OK)) {
return rv;
}
SECStatus srv = CERT_AddTempCertToPerm(tmpCert.get(), nickname.get(),
trust.GetTrust());
- return MapSECStatus(srv);
+ if (srv != SECSuccess) {
+ return MapSECStatus(srv);
+ }
+ newCert.forget(addedCertificate);
+ return NS_OK;
}
NS_IMETHODIMP
-nsNSSCertificateDB::AddCert(const nsACString& aCertDER, const nsACString& aTrust,
- const nsACString& aName)
+nsNSSCertificateDB::AddCert(const nsACString& aCertDER,
+ const nsACString& aTrust,
+ nsIX509Cert** addedCertificate)
{
nsCString base64;
nsresult rv = Base64Encode(aCertDER, base64);
NS_ENSURE_SUCCESS(rv, rv);
- return AddCertFromBase64(base64, aTrust, aName);
+ return AddCertFromBase64(base64, aTrust, addedCertificate);
}
NS_IMETHODIMP
nsNSSCertificateDB::SetCertTrustFromString(nsIX509Cert* cert,
const nsACString& trustString)
{
NS_ENSURE_ARG(cert);
--- a/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js
+++ b/security/manager/ssl/tests/mochitest/browser/browser_clientAuth_ui.js
@@ -85,18 +85,29 @@ function checkDialogContents(win, notBef
Assert.equal(issuer,
"Issued by: CN=Temporary Certificate Authority,O=Mozilla " +
"Testing,OU=Profile Guided Optimization",
"Actual and expected issuer should be equal");
Assert.equal(tokenName, "Stored on: Software Security Device",
"Actual and expected token name should be equal");
}
+function findCertByCommonName(commonName) {
+ let certEnumerator = certDB.getCerts().getEnumerator();
+ while (certEnumerator.hasMoreElements()) {
+ let cert = certEnumerator.getNext().QueryInterface(Ci.nsIX509Cert);
+ if (cert.commonName == commonName) {
+ return cert;
+ }
+ }
+ return null;
+}
+
add_task(function* setup() {
- cert = certDB.findCertByNickname("test client certificate");
+ cert = findCertByCommonName("Mochitest client");
Assert.notEqual(cert, null, "Should be able to find the test client cert");
});
// Test that the contents of the dialog correspond to the details of the
// provided cert.
add_task(function* testContents() {
let [win, retVals] = yield openClientAuthDialog(cert);
checkDialogContents(win, cert.validity.notBeforeLocalTime,
--- a/security/manager/ssl/tests/mochitest/browser/head.js
+++ b/security/manager/ssl/tests/mochitest/browser/head.js
@@ -46,14 +46,14 @@ function pemToBase64(pem) {
*/
function readCertificate(filename, trustString) {
return OS.File.read(getTestFilePath(filename)).then(data => {
let decoder = new TextDecoder();
let pem = decoder.decode(data);
let certdb = Cc["@mozilla.org/security/x509certdb;1"]
.getService(Ci.nsIX509CertDB);
let base64 = pemToBase64(pem);
- certdb.addCertFromBase64(base64, trustString, "unused");
+ certdb.addCertFromBase64(base64, trustString);
let cert = certdb.constructX509FromBase64(base64);
gImportedCerts.push(cert);
return cert;
}, error => { throw error; });
}
--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -134,25 +134,21 @@ function readFile(file) {
let data = NetUtil.readInputStreamToString(fstream, fstream.available());
fstream.close();
return data;
}
function addCertFromFile(certdb, filename, trustString) {
let certFile = do_get_file(filename, false);
let certBytes = readFile(certFile);
- let successful = false;
try {
- certdb.addCert(certBytes, trustString, null);
- successful = true;
+ return certdb.addCert(certBytes, trustString);
} catch (e) {}
- if (!successful) {
- // It might be PEM instead of DER.
- certdb.addCertFromBase64(pemToBase64(certBytes), trustString, null);
- }
+ // It might be PEM instead of DER.
+ return certdb.addCertFromBase64(pemToBase64(certBytes), trustString);
}
function constructCertFromFile(filename) {
let certFile = do_get_file(filename, false);
let certBytes = readFile(certFile);
let certdb = Cc["@mozilla.org/security/x509certdb;1"]
.getService(Ci.nsIX509CertDB);
try {
--- a/security/manager/ssl/tests/unit/test_add_preexisting_cert.js
+++ b/security/manager/ssl/tests/unit/test_add_preexisting_cert.js
@@ -9,37 +9,36 @@
// in the new trust bits being ignored.
do_get_profile();
var certDB = Cc["@mozilla.org/security/x509certdb;1"]
.getService(Ci.nsIX509CertDB);
function load_cert(cert, trust) {
let file = "test_intermediate_basic_usage_constraints/" + cert + ".pem";
- addCertFromFile(certDB, file, trust);
+ return addCertFromFile(certDB, file, trust);
}
function getDERString(cert) {
let derString = "";
for (let rawByte of cert.getRawDER({})) {
derString += String.fromCharCode(rawByte);
}
return derString;
}
function run_test() {
load_cert("ca", "CTu,CTu,CTu");
- load_cert("int-limited-depth", "CTu,CTu,CTu");
+ let int_cert = load_cert("int-limited-depth", "CTu,CTu,CTu");
let file = "test_intermediate_basic_usage_constraints/ee-int-limited-depth.pem";
let cert_pem = readFile(do_get_file(file));
let ee = certDB.constructX509FromBase64(pemToBase64(cert_pem));
checkCertErrorGeneric(certDB, ee, PRErrorCodeSuccess,
certificateUsageSSLServer);
// Change the already existing intermediate certificate's trust using
- // addCertFromBase64(). We use findCertByNickname first to ensure that the
- // certificate already exists.
- let int_cert = certDB.findCertByNickname("int-limited-depth");
+ // addCertFromBase64().
notEqual(int_cert, null, "Intermediate cert should be in the cert DB");
let base64_cert = btoa(getDERString(int_cert));
- certDB.addCertFromBase64(base64_cert, "p,p,p", "ignored_argument");
+ let returnedEE = certDB.addCertFromBase64(base64_cert, "p,p,p");
+ notEqual(returnedEE, null, "addCertFromBase64 should return a certificate");
checkCertErrorGeneric(certDB, ee, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer);
}
--- a/security/manager/ssl/tests/unit/test_certDB_import.js
+++ b/security/manager/ssl/tests/unit/test_certDB_import.js
@@ -63,30 +63,40 @@ function getCertAsByteArray(certPath) {
let byteArray = [];
for (let i = 0; i < certBytes.length; i++) {
byteArray.push(certBytes.charCodeAt(i));
}
return byteArray;
}
+function findCertByCommonName(commonName) {
+ let certEnumerator = gCertDB.getCerts().getEnumerator();
+ while (certEnumerator.hasMoreElements()) {
+ let cert = certEnumerator.getNext().QueryInterface(Ci.nsIX509Cert);
+ if (cert.commonName == commonName) {
+ return cert;
+ }
+ }
+ return null;
+}
+
function testImportCACert() {
// Sanity check the CA cert is missing.
- throws(() => gCertDB.findCertByNickname(CA_CERT_COMMON_NAME),
- /NS_ERROR_FAILURE/,
- "CA cert should not be in the database before import");
+ equal(findCertByCommonName(CA_CERT_COMMON_NAME), null,
+ "CA cert should not be in the database before import");
// Import and check for success.
let caArray = getCertAsByteArray("test_certDB_import/importedCA.pem");
gCertDB.importCertificates(caArray, caArray.length, Ci.nsIX509Cert.CA_CERT,
gInterfaceRequestor);
equal(gCACertImportDialogCount, 1,
"Confirmation dialog for the CA cert should only be shown once");
- let caCert = gCertDB.findCertByNickname(CA_CERT_COMMON_NAME);
+ let caCert = findCertByCommonName(CA_CERT_COMMON_NAME);
notEqual(caCert, null, "CA cert should now be found in the database");
ok(gCertDB.isCertTrusted(caCert, Ci.nsIX509Cert.CA_CERT,
Ci.nsIX509CertDB.TRUSTED_EMAIL),
"CA cert should be trusted for e-mail");
}
function run_test() {
// We have to set a password and login before we attempt to import anything.
--- a/security/manager/ssl/tests/unit/test_cert_signatures.js
+++ b/security/manager/ssl/tests/unit/test_cert_signatures.js
@@ -34,17 +34,17 @@ function readAndTamperWithNthByte(certif
}
// The signature on certificates appears last. This should modify the contents
// of the signature such that it no longer validates correctly while still
// resulting in a structurally valid certificate.
const BYTE_IN_SIGNATURE = -8;
function addSignatureTamperedCertificate(certificatePath) {
let base64 = readAndTamperWithNthByte(certificatePath, BYTE_IN_SIGNATURE);
- certdb.addCertFromBase64(base64, ",,", null);
+ certdb.addCertFromBase64(base64, ",,");
}
function ensureSignatureVerificationFailure(certificatePath) {
let cert = constructCertFromFile(certificatePath);
checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE,
certificateUsageSSLServer);
}
@@ -69,17 +69,17 @@ function tamperWithSignatureAndEnsureVer
// something from byte 15 to byte 30 will still get us what we want. Since the
// serial number is a DER INTEGER and because it must be positive, it's best to
// skip the first two bytes of the serial number so as to not run into any
// issues there. Thus byte 17 is a good byte to modify.
const BYTE_IN_SERIAL_NUMBER = 17;
function addSerialNumberTamperedCertificate(certificatePath) {
let base64 = readAndTamperWithNthByte(certificatePath,
BYTE_IN_SERIAL_NUMBER);
- certdb.addCertFromBase64(base64, ",,", null);
+ certdb.addCertFromBase64(base64, ",,");
}
function tamperWithSerialNumberAndEnsureVerificationFailure(certificatePath) {
let base64 = readAndTamperWithNthByte(certificatePath,
BYTE_IN_SERIAL_NUMBER);
let cert = certdb.constructX509FromBase64(base64);
checkCertErrorGeneric(certdb, cert, SEC_ERROR_BAD_SIGNATURE,
certificateUsageSSLServer);
--- a/security/manager/ssl/tests/unit/test_cert_trust.js
+++ b/security/manager/ssl/tests/unit/test_cert_trust.js
@@ -4,25 +4,20 @@
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
"use strict";
do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
.getService(Ci.nsIX509CertDB);
-var certList = [
- 'ee',
- 'int',
- 'ca',
-];
-
function load_cert(cert_name, trust_string) {
let cert_filename = cert_name + ".pem";
- addCertFromFile(certdb, "test_cert_trust/" + cert_filename, trust_string);
+ return addCertFromFile(certdb, "test_cert_trust/" + cert_filename,
+ trust_string);
}
function setup_basic_trusts(ca_cert, int_cert) {
certdb.setCertTrust(ca_cert, Ci.nsIX509Cert.CA_CERT,
Ci.nsIX509CertDB.TRUSTED_SSL |
Ci.nsIX509CertDB.TRUSTED_EMAIL |
Ci.nsIX509CertDB.TRUSTED_OBJSIGN);
@@ -45,17 +40,17 @@ function test_ca_distrust(ee_cert, cert_
certificateUsageObjectSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
// Test of active distrust. No usage should pass.
- setCertTrust(cert_to_modify_trust, 'p,p,p');
+ setCertTrust(cert_to_modify_trust, "p,p,p");
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner);
@@ -65,17 +60,17 @@ function test_ca_distrust(ee_cert, cert_
certificateUsageObjectSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageStatusResponder);
// Trust set to T - trusted CA to issue client certs, where client cert is
// usageSSLClient.
- setCertTrust(cert_to_modify_trust, 'T,T,T');
+ setCertTrust(cert_to_modify_trust, "T,T,T");
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageSSLServer);
// XXX(Bug 982340)
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageSSLClient);
@@ -96,17 +91,17 @@ function test_ca_distrust(ee_cert, cert_
certificateUsageVerifyCA);
checkCertErrorGeneric(certdb, ee_cert,
isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
// Now tests on the SSL trust bit
- setCertTrust(cert_to_modify_trust, 'p,C,C');
+ setCertTrust(cert_to_modify_trust, "p,C,C");
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer);
//XXX(Bug 982340)
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
@@ -117,17 +112,17 @@ function test_ca_distrust(ee_cert, cert_
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageObjectSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageStatusResponder);
// Inherited trust SSL
- setCertTrust(cert_to_modify_trust, ',C,C');
+ setCertTrust(cert_to_modify_trust, ",C,C");
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageSSLServer);
// XXX(Bug 982340)
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
@@ -138,17 +133,17 @@ function test_ca_distrust(ee_cert, cert_
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageObjectSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
// Now tests on the EMAIL trust bit
- setCertTrust(cert_to_modify_trust, 'C,p,C');
+ setCertTrust(cert_to_modify_trust, "C,p,C");
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner);
@@ -158,17 +153,17 @@ function test_ca_distrust(ee_cert, cert_
certificateUsageObjectSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
//inherited EMAIL Trust
- setCertTrust(cert_to_modify_trust, 'C,,C');
+ setCertTrust(cert_to_modify_trust, "C,,C");
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
: PRErrorCodeSuccess,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA);
checkCertErrorGeneric(certdb, ee_cert, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER
@@ -182,25 +177,31 @@ function test_ca_distrust(ee_cert, cert_
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_CA_CERT_INVALID,
certificateUsageVerifyCA);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_INADEQUATE_CERT_TYPE,
certificateUsageStatusResponder);
}
function run_test() {
+ let certList = [
+ "ca",
+ "int",
+ "ee",
+ ];
+ let loadedCerts = [];
for (let i = 0 ; i < certList.length; i++) {
- load_cert(certList[i], ',,');
+ loadedCerts.push(load_cert(certList[i], ",,"));
}
- let ca_cert = certdb.findCertByNickname('ca');
- notEqual(ca_cert, null, "CA cert should be in the cert DB");
- let int_cert = certdb.findCertByNickname('int');
- notEqual(int_cert, null, "Intermediate cert should be in the cert DB");
- let ee_cert = certdb.findCertByNickname('ee');
- notEqual(ee_cert, null, "EE cert should be in the cert DB");
+ let ca_cert = loadedCerts[0];
+ notEqual(ca_cert, null, "CA cert should have successfully loaded");
+ let int_cert = loadedCerts[1];
+ notEqual(int_cert, null, "Intermediate cert should have successfully loaded");
+ let ee_cert = loadedCerts[2];
+ notEqual(ee_cert, null, "EE cert should have successfully loaded");
setup_basic_trusts(ca_cert, int_cert);
test_ca_distrust(ee_cert, ca_cert, true);
setup_basic_trusts(ca_cert, int_cert);
test_ca_distrust(ee_cert, int_cert, false);
}
--- a/security/manager/ssl/tests/unit/test_ev_certs.js
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@@ -31,17 +31,17 @@ const certdb = Cc["@mozilla.org/security
do_register_cleanup(() => {
Services.prefs.clearUserPref("network.dns.localDomains");
Services.prefs.clearUserPref("security.OCSP.enabled");
});
Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
Services.prefs.setIntPref("security.OCSP.enabled", 1);
-addCertFromFile(certdb, "test_ev_certs/evroot.pem", "CTu,,");
+const evroot = addCertFromFile(certdb, "test_ev_certs/evroot.pem", "CTu,,");
addCertFromFile(certdb, "test_ev_certs/non-evroot-ca.pem", "CTu,,");
const SERVER_PORT = 8888;
function failingOCSPResponder() {
return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
}
@@ -209,17 +209,16 @@ add_task(function* expectDVFallbackTests
yield ensureVerifiesAsDV("test-and-cabforum-oid-ee-cabforum-oid-int-path");
});
// Test that removing the trust bits from an EV root causes verifications
// relying on that root to fail (and then test that adding back the trust bits
// causes the verifications to succeed again).
add_task(function* evRootTrustTests() {
clearOCSPCache();
- let evroot = certdb.findCertByNickname("evroot");
do_print("untrusting evroot");
certdb.setCertTrust(evroot, Ci.nsIX509Cert.CA_CERT,
Ci.nsIX509CertDB.UNTRUSTED);
yield ensureVerificationFails("test-oid-path", SEC_ERROR_UNKNOWN_ISSUER);
do_print("re-trusting evroot");
certdb.setCertTrust(evroot, Ci.nsIX509Cert.CA_CERT,
Ci.nsIX509CertDB.TRUSTED_SSL);
yield ensureVerifiesAsEV("test-oid-path");
--- a/security/manager/ssl/tests/unit/test_getchain.js
+++ b/security/manager/ssl/tests/unit/test_getchain.js
@@ -62,21 +62,24 @@ function check_getchain(ee_cert, ssl_ca,
// be consistent (the actual value is non-deterministic).
check_matching_issuer_and_getchain(ee_cert.issuer.serialNumber, ee_cert);
}
function run_test() {
clearOCSPCache();
clearSessionCache();
+ let ee_cert = null;
for (let cert of certList) {
- addCertFromFile(certdb, `test_getchain/${cert}.pem`, ",,");
+ let result = addCertFromFile(certdb, `test_getchain/${cert}.pem`, ",,");
+ if (cert == "ee") {
+ ee_cert = result;
+ }
}
- let ee_cert = certdb.findCertByNickname('ee');
- notEqual(ee_cert, null, "EE cert should be in the cert DB");
+ notEqual(ee_cert, null, "EE cert should have successfully loaded");
let ca = get_ca_array();
check_getchain(ee_cert, ca[1], ca[2]);
// Swap ca certs to deal alternate trust settings.
check_getchain(ee_cert, ca[2], ca[1]);
}