Bug 1944707 - Fix certificate verification and chain building for email usages. r=keeler

Differential Revision: https://phabricator.services.mozilla.com/D237021
Kai Engert
2025-02-17 21:05:54 +00:00
parent 6afaa70c13
commit 22fc9feafc
36 changed files with 251 additions and 203 deletions


@@ -464,7 +464,7 @@ Result CertVerifier::VerifyCertificateTransparencyPolicyInner(
} }
Result CertVerifier::VerifyCert( Result CertVerifier::VerifyCert(
const nsTArray<uint8_t>& certBytes, SECCertificateUsage usage, Time time, const nsTArray<uint8_t>& certBytes, VerifyUsage usage, Time time,
void* pinArg, const char* hostname, void* pinArg, const char* hostname,
/*out*/ nsTArray<nsTArray<uint8_t>>& builtChain, /*out*/ nsTArray<nsTArray<uint8_t>>& builtChain,
/*optional*/ const Flags flags, /*optional*/ const Flags flags,
@@ -482,8 +482,8 @@ Result CertVerifier::VerifyCert(
/*optional out*/ IssuerSources* issuerSources) { /*optional out*/ IssuerSources* issuerSources) {
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, ("Top of VerifyCert\n")); MOZ_LOG(gCertVerifierLog, LogLevel::Debug, ("Top of VerifyCert\n"));
MOZ_ASSERT(usage == certificateUsageSSLServer || !(flags & FLAG_MUST_BE_EV)); MOZ_ASSERT(usage == VerifyUsage::TLSServer || !(flags & FLAG_MUST_BE_EV));
MOZ_ASSERT(usage == certificateUsageSSLServer || !keySizeStatus); MOZ_ASSERT(usage == VerifyUsage::TLSServer || !keySizeStatus);
if (NS_FAILED(BlockUntilLoadableCertsLoaded())) { if (NS_FAILED(BlockUntilLoadableCertsLoaded())) {
return Result::FATAL_ERROR_LIBRARY_FAILURE; return Result::FATAL_ERROR_LIBRARY_FAILURE;
@@ -496,20 +496,20 @@ Result CertVerifier::VerifyCert(
*evStatus = EVStatus::NotEV; *evStatus = EVStatus::NotEV;
} }
if (ocspStaplingStatus) { if (ocspStaplingStatus) {
if (usage != certificateUsageSSLServer) { if (usage != VerifyUsage::TLSServer) {
return Result::FATAL_ERROR_INVALID_ARGS; return Result::FATAL_ERROR_INVALID_ARGS;
} }
*ocspStaplingStatus = OCSP_STAPLING_NEVER_CHECKED; *ocspStaplingStatus = OCSP_STAPLING_NEVER_CHECKED;
} }
if (keySizeStatus) { if (keySizeStatus) {
if (usage != certificateUsageSSLServer) { if (usage != VerifyUsage::TLSServer) {
return Result::FATAL_ERROR_INVALID_ARGS; return Result::FATAL_ERROR_INVALID_ARGS;
} }
*keySizeStatus = KeySizeStatus::NeverChecked; *keySizeStatus = KeySizeStatus::NeverChecked;
} }
if (usage != certificateUsageSSLServer && (flags & FLAG_MUST_BE_EV)) { if (usage != VerifyUsage::TLSServer && (flags & FLAG_MUST_BE_EV)) {
return Result::FATAL_ERROR_INVALID_ARGS; return Result::FATAL_ERROR_INVALID_ARGS;
} }
@@ -561,7 +561,7 @@ Result CertVerifier::VerifyCert(
} }
switch (usage) { switch (usage) {
case certificateUsageSSLClient: { case VerifyUsage::TLSClient: {
// XXX: We don't really have a trust bit for SSL client authentication so // XXX: We don't really have a trust bit for SSL client authentication so
// just use trustEmail as it is the closest alternative. // just use trustEmail as it is the closest alternative.
NSSCertDBTrustDomain trustDomain( NSSCertDBTrustDomain trustDomain(
@@ -583,7 +583,7 @@ Result CertVerifier::VerifyCert(
break; break;
} }
case certificateUsageSSLServer: { case VerifyUsage::TLSServer: {
// TODO: When verifying a certificate in an SSL handshake, we should // TODO: When verifying a certificate in an SSL handshake, we should
// restrict the acceptable key usage based on the key exchange method // restrict the acceptable key usage based on the key exchange method
// chosen by the server. // chosen by the server.
@@ -716,9 +716,25 @@ Result CertVerifier::VerifyCert(
break; break;
} }
case certificateUsageSSLCA: { case VerifyUsage::EmailCA:
case VerifyUsage::TLSClientCA:
case VerifyUsage::TLSServerCA: {
KeyPurposeId purpose;
SECTrustType trustType;
if (usage == VerifyUsage::EmailCA || usage == VerifyUsage::TLSClientCA) {
purpose = KeyPurposeId::id_kp_clientAuth;
trustType = trustEmail;
} else if (usage == VerifyUsage::TLSServerCA) {
purpose = KeyPurposeId::id_kp_serverAuth;
trustType = trustSSL;
} else {
MOZ_ASSERT_UNREACHABLE("coding error");
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
NSSCertDBTrustDomain trustDomain( NSSCertDBTrustDomain trustDomain(
trustSSL, defaultOCSPFetching, mOCSPCache, mSignatureCache.get(), trustType, defaultOCSPFetching, mOCSPCache, mSignatureCache.get(),
mTrustCache.get(), pinArg, mOCSPTimeoutSoft, mOCSPTimeoutHard, mTrustCache.get(), pinArg, mOCSPTimeoutSoft, mOCSPTimeoutHard,
mCertShortLifetimeInDays, MIN_RSA_BITS_WEAK, mCertShortLifetimeInDays, MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff, mNetscapeStepUpPolicy, mCRLiteMode, ValidityCheckingMode::CheckingOff, mNetscapeStepUpPolicy, mCRLiteMode,
@@ -726,7 +742,7 @@ Result CertVerifier::VerifyCert(
mThirdPartyIntermediateInputs, extraCertificates, builtChain, nullptr, mThirdPartyIntermediateInputs, extraCertificates, builtChain, nullptr,
nullptr); nullptr);
rv = BuildCertChain(trustDomain, certDER, time, EndEntityOrCA::MustBeCA, rv = BuildCertChain(trustDomain, certDER, time, EndEntityOrCA::MustBeCA,
KeyUsage::keyCertSign, KeyPurposeId::id_kp_serverAuth, KeyUsage::keyCertSign, purpose,
CertPolicyId::anyPolicy, stapledOCSPResponse); CertPolicyId::anyPolicy, stapledOCSPResponse);
if (madeOCSPRequests) { if (madeOCSPRequests) {
*madeOCSPRequests |= *madeOCSPRequests |=
@@ -735,7 +751,7 @@ Result CertVerifier::VerifyCert(
break; break;
} }
case certificateUsageEmailSigner: { case VerifyUsage::EmailSigner: {
NSSCertDBTrustDomain trustDomain( NSSCertDBTrustDomain trustDomain(
trustEmail, defaultOCSPFetching, mOCSPCache, mSignatureCache.get(), trustEmail, defaultOCSPFetching, mOCSPCache, mSignatureCache.get(),
mTrustCache.get(), pinArg, mOCSPTimeoutSoft, mOCSPTimeoutHard, mTrustCache.get(), pinArg, mOCSPTimeoutSoft, mOCSPTimeoutHard,
@@ -761,7 +777,7 @@ Result CertVerifier::VerifyCert(
break; break;
} }
case certificateUsageEmailRecipient: { case VerifyUsage::EmailRecipient: {
// TODO: The higher level S/MIME processing should pass in which key // TODO: The higher level S/MIME processing should pass in which key
// usage it is trying to verify for, and base its algorithm choices // usage it is trying to verify for, and base its algorithm choices
// based on the result of the verification(s). // based on the result of the verification(s).
@@ -880,7 +896,7 @@ Result CertVerifier::VerifySSLServerCert(
} }
bool isBuiltChainRootBuiltInRootLocal; bool isBuiltChainRootBuiltInRootLocal;
rv = VerifyCert( rv = VerifyCert(
peerCertBytes, certificateUsageSSLServer, time, pinarg, peerCertBytes, VerifyUsage::TLSServer, time, pinarg,
PromiseFlatCString(hostname).get(), builtChain, flags, extraCertificates, PromiseFlatCString(hostname).get(), builtChain, flags, extraCertificates,
stapledOCSPResponse, sctsFromTLS, originAttributes, evStatus, stapledOCSPResponse, sctsFromTLS, originAttributes, evStatus,
ocspStaplingStatus, keySizeStatus, pinningTelemetryInfo, ctInfo, ocspStaplingStatus, keySizeStatus, pinningTelemetryInfo, ctInfo,
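Review bot: In the combined CA case (the hunk at -716), `VerifyUsage::EmailCA` is checked with `KeyPurposeId::id_kp_clientAuth`, the same purpose used for `TLSClientCA`. A CA whose extended key usage is restricted to emailProtection may therefore be rejected as an email CA, while one restricted to clientAuth is accepted. If the pairing is deliberate (trustEmail standing in for client auth, as the XXX comment in the TLSClient case describes), the branch should carry a comment saying so. Otherwise EmailCA should get its own arm with `purpose = KeyPurposeId::id_kp_emailProtection;` and `trustType = trustEmail;`. The body of `VerifyCert` starts and ends outside the visible hunks, so the surrounding handling could not be checked.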


@@ -70,6 +70,16 @@ enum class CRLiteMode {
ConfirmRevocations = 3, ConfirmRevocations = 3,
}; };
enum class VerifyUsage {
TLSServer = 1,
TLSServerCA = 2,
TLSClient = 3,
TLSClientCA = 4,
EmailSigner = 5,
EmailRecipient = 6,
EmailCA = 7,
};
enum class NetscapeStepUpPolicy : uint32_t; enum class NetscapeStepUpPolicy : uint32_t;
// Describes the source of the associated issuer. // Describes the source of the associated issuer.
@@ -186,7 +196,7 @@ class CertVerifier {
// *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV // *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV
// Only one usage per verification is supported. // Only one usage per verification is supported.
mozilla::pkix::Result VerifyCert( mozilla::pkix::Result VerifyCert(
const nsTArray<uint8_t>& certBytes, SECCertificateUsage usage, const nsTArray<uint8_t>& certBytes, VerifyUsage usage,
mozilla::pkix::Time time, void* pinArg, const char* hostname, mozilla::pkix::Time time, void* pinArg, const char* hostname,
/*out*/ nsTArray<nsTArray<uint8_t>>& builtChain, Flags flags = 0, /*out*/ nsTArray<nsTArray<uint8_t>>& builtChain, Flags flags = 0,
/*optional in*/ /*optional in*/
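Review bot: The new `enum class VerifyUsage` is added without any comment, so the header does not say what the type replaces or how it relates to the identically numbered `nsIX509CertDB::VerifyUsage`. I would add above it `// The single usage a certificate is verified for; replaces the NSS SECCertificateUsage bitmask.` and a second line `// Values mirror nsIX509CertDB::VerifyUsage, but callers convert explicitly rather than cast.` A short per-enumerator remark on which trust type and key purpose `VerifyCert` selects would also help, since the CA usages in particular are not self-explanatory.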


@@ -197,23 +197,16 @@ export async function exportToFile(parent, document, cert) {
const PRErrorCodeSuccess = 0; const PRErrorCodeSuccess = 0;
// Certificate usages we care about in the certificate viewer.
const certificateUsageSSLClient = 0x0001;
const certificateUsageSSLServer = 0x0002;
const certificateUsageSSLCA = 0x0008;
const certificateUsageEmailSigner = 0x0010;
const certificateUsageEmailRecipient = 0x0020;
// A map from the name of a certificate usage to the value of the usage. // A map from the name of a certificate usage to the value of the usage.
// Useful for printing debugging information and for enumerating all supported // Useful for printing debugging information and for enumerating all supported
// usages. // usages.
const certificateUsages = { const verifyUsages = new Map([
certificateUsageSSLClient, ["verifyUsageTLSClient", Ci.nsIX509CertDB.verifyUsageTLSClient],
certificateUsageSSLServer, ["verifyUsageTLSServer", Ci.nsIX509CertDB.verifyUsageTLSServer],
certificateUsageSSLCA, ["verifyUsageTLSServerCA", Ci.nsIX509CertDB.verifyUsageTLSServerCA],
certificateUsageEmailSigner, ["verifyUsageEmailSigner", Ci.nsIX509CertDB.verifyUsageEmailSigner],
certificateUsageEmailRecipient, ["verifyUsageEmailRecipient", Ci.nsIX509CertDB.verifyUsageEmailRecipient],
}; ]);
/** /**
* Returns a promise that will resolve with a results array consisting of what * Returns a promise that will resolve with a results array consisting of what
@@ -224,16 +217,16 @@ const certificateUsages = {
* @returns {Promise} * @returns {Promise}
* A promise that will resolve with the results of the verifications. * A promise that will resolve with the results of the verifications.
*/ */
function asyncDetermineUsages(cert) { export function asyncDetermineUsages(cert) {
let promises = []; let promises = [];
let now = Date.now() / 1000; let now = Date.now() / 1000;
let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService( let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
Ci.nsIX509CertDB Ci.nsIX509CertDB
); );
Object.keys(certificateUsages).forEach(usageString => { verifyUsages.keys().forEach(usageString => {
promises.push( promises.push(
new Promise(resolve => { new Promise(resolve => {
let usage = certificateUsages[usageString]; let usage = verifyUsages.get(usageString);
certdb.asyncVerifyCertAtTime( certdb.asyncVerifyCertAtTime(
cert, cert,
usage, usage,
@@ -266,13 +259,13 @@ function asyncDetermineUsages(cert) {
* @returns {Array} An array of `nsIX509Cert` representing the verified * @returns {Array} An array of `nsIX509Cert` representing the verified
* certificate chain for the given usage, or null if there is none. * certificate chain for the given usage, or null if there is none.
*/ */
function getBestChain(results) { export function getBestChain(results) {
let usages = [ let usages = [
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
certificateUsageSSLClient, Ci.nsIX509CertDB.verifyUsageTLSClient,
certificateUsageEmailSigner, Ci.nsIX509CertDB.verifyUsageEmailSigner,
certificateUsageEmailRecipient, Ci.nsIX509CertDB.verifyUsageEmailRecipient,
certificateUsageSSLCA, Ci.nsIX509CertDB.verifyUsageTLSServerCA,
]; ];
for (let usage of usages) { for (let usage of usages) {
let chain = getChainForUsage(results, usage); let chain = getChainForUsage(results, usage);
@@ -290,14 +283,14 @@ function getBestChain(results) {
* @param {Array} results * @param {Array} results
* An array of results from `asyncDetermineUsages`. See `displayUsages`. * An array of results from `asyncDetermineUsages`. See `displayUsages`.
* @param {number} usage * @param {number} usage
* A numerical value corresponding to a usage. See `certificateUsages`. * A usage, see `nsIX509CertDB::VerifyUsage`.
* @returns {Array} An array of `nsIX509Cert` representing the verified * @returns {Array} An array of `nsIX509Cert` representing the verified
* certificate chain for the given usage, or null if there is none. * certificate chain for the given usage, or null if there is none.
*/ */
function getChainForUsage(results, usage) { function getChainForUsage(results, usage) {
for (let result of results) { for (let result of results) {
if ( if (
certificateUsages[result.usageString] == usage && verifyUsages.get(result.usageString) == usage &&
result.errorCode == PRErrorCodeSuccess result.errorCode == PRErrorCodeSuccess
) { ) {
return result.chain; return result.chain;
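Review bot: `verifyUsages` lists five usages and leaves out `verifyUsageTLSClientCA` and `verifyUsageEmailCA`, although its comment says it is used for enumerating all supported usages. The `usages` list in `getBestChain` likewise ends with only `verifyUsageTLSServerCA`. As far as these hunks show, a CA trusted only for email would then produce no verified chain in the viewer. Either add the two CA usages to the map and to `getBestChain`, or reword the comment to say they are excluded on purpose. The same five-entry map appears in the test helper section further down the page, so `asyncTestCertificateUsages` would not reach the new EmailCA/TLSClientCA branch either.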


@@ -297,6 +297,16 @@ interface nsIX509CertDB : nsISupports {
// Do not fall back to DV verification after attempting EV validation. // Do not fall back to DV verification after attempting EV validation.
const uint32_t FLAG_MUST_BE_EV = 1 << 1; const uint32_t FLAG_MUST_BE_EV = 1 << 1;
cenum VerifyUsage : 8 {
verifyUsageTLSServer = 1,
verifyUsageTLSServerCA = 2,
verifyUsageTLSClient = 3,
verifyUsageTLSClientCA = 4,
verifyUsageEmailSigner = 5,
verifyUsageEmailRecipient = 6,
verifyUsageEmailCA = 7,
};
/* /*
* Asynchronously verify a certificate given a set of parameters. Calls the * Asynchronously verify a certificate given a set of parameters. Calls the
* `verifyCertFinished` function on the provided `nsICertVerificationCallback` * `verifyCertFinished` function on the provided `nsICertVerificationCallback`
@@ -304,8 +314,7 @@ interface nsIX509CertDB : nsISupports {
* See the documentation for nsICertVerificationCallback. * See the documentation for nsICertVerificationCallback.
* *
* @param aCert the certificate to verify * @param aCert the certificate to verify
* @param aUsage an integer representing the usage to verify for (see * @param aUsage see VerifyUsage, the usage to verify for
* SECCertificateUsage in certt.h from NSS)
* @param aFlags flags as described above * @param aFlags flags as described above
* @param aHostname the (optional) hostname to verify for * @param aHostname the (optional) hostname to verify for
* @param aTime the time at which to verify, in seconds since the epoch * @param aTime the time at which to verify, in seconds since the epoch
@@ -315,7 +324,7 @@ interface nsIX509CertDB : nsISupports {
*/ */
[must_use] [must_use]
void asyncVerifyCertAtTime(in nsIX509Cert aCert, void asyncVerifyCertAtTime(in nsIX509Cert aCert,
in int64_t /*SECCertificateUsage*/ aUsage, in nsIX509CertDB_VerifyUsage aUsage,
in uint32_t aFlags, in uint32_t aFlags,
in ACString aHostname, in ACString aHostname,
in uint64_t aTime, in uint64_t aTime,
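Review bot: The new `VerifyUsage` values 1 and 2 overlap the legacy `SECCertificateUsage` numbers that callers previously passed as `aUsage`, but with different meanings. Per the constants removed elsewhere in this commit, 0x0001 was SSL client and 0x0002 was SSL server, whereas 1 is now `verifyUsageTLSServer` and 2 is `verifyUsageTLSServerCA`. A caller that still passes a raw legacy number would be verified for a different usage instead of being rejected. I would state this on the cenum, for example `// Not compatible with SECCertificateUsage values; always use the named constants.` It may also be worth numbering the enumerators so they do not collide with the old bitmask.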


@@ -1277,8 +1277,28 @@ nsNSSCertificateDB::AsyncHasThirdPartyRoots(nsIAsyncBoolCallback* aCallback) {
NS_DISPATCH_EVENT_MAY_BLOCK); NS_DISPATCH_EVENT_MAY_BLOCK);
} }
nsresult VerifyCertAtTime(nsIX509Cert* aCert, static mozilla::Result<VerifyUsage, nsresult> MapX509UsageToVerifierUsage(
int64_t /*SECCertificateUsage*/ aUsage, nsIX509CertDB::VerifyUsage usage) {
switch (usage) {
case nsIX509CertDB::verifyUsageTLSServer:
return VerifyUsage::TLSServer;
case nsIX509CertDB::verifyUsageTLSServerCA:
return VerifyUsage::TLSServerCA;
case nsIX509CertDB::verifyUsageTLSClient:
return VerifyUsage::TLSClient;
case nsIX509CertDB::verifyUsageTLSClientCA:
return VerifyUsage::TLSClientCA;
case nsIX509CertDB::verifyUsageEmailSigner:
return VerifyUsage::EmailSigner;
case nsIX509CertDB::verifyUsageEmailRecipient:
return VerifyUsage::EmailRecipient;
case nsIX509CertDB::verifyUsageEmailCA:
return VerifyUsage::EmailCA;
}
return Err(NS_ERROR_INVALID_ARG);
}
nsresult VerifyCertAtTime(nsIX509Cert* aCert, nsIX509CertDB::VerifyUsage aUsage,
uint32_t aFlags, const nsACString& aHostname, uint32_t aFlags, const nsACString& aHostname,
mozilla::pkix::Time aTime, mozilla::pkix::Time aTime,
nsTArray<RefPtr<nsIX509Cert>>& aVerifiedChain, nsTArray<RefPtr<nsIX509Cert>>& aVerifiedChain,
@@ -1308,7 +1328,7 @@ nsresult VerifyCertAtTime(nsIX509Cert* aCert,
return nsrv; return nsrv;
} }
if (!aHostname.IsVoid() && aUsage == certificateUsageSSLServer) { if (!aHostname.IsVoid() && aUsage == nsIX509CertDB::verifyUsageTLSServer) {
result = result =
certVerifier->VerifySSLServerCert(certBytes, aTime, certVerifier->VerifySSLServerCert(certBytes, aTime,
nullptr, // Assume no context nullptr, // Assume no context
@@ -1320,8 +1340,10 @@ nsresult VerifyCertAtTime(nsIX509Cert* aCert,
OriginAttributes(), &evStatus); OriginAttributes(), &evStatus);
} else { } else {
const nsCString& flatHostname = PromiseFlatCString(aHostname); const nsCString& flatHostname = PromiseFlatCString(aHostname);
VerifyUsage vu;
MOZ_TRY_VAR(vu, MapX509UsageToVerifierUsage(aUsage));
result = certVerifier->VerifyCert( result = certVerifier->VerifyCert(
certBytes, aUsage, aTime, certBytes, vu, aTime,
nullptr, // Assume no context nullptr, // Assume no context
aHostname.IsVoid() ? nullptr : flatHostname.get(), resultChain, aFlags, aHostname.IsVoid() ? nullptr : flatHostname.get(), resultChain, aFlags,
Nothing(), // extraCertificates Nothing(), // extraCertificates
@@ -1348,9 +1370,9 @@ nsresult VerifyCertAtTime(nsIX509Cert* aCert,
class VerifyCertAtTimeTask final : public CryptoTask { class VerifyCertAtTimeTask final : public CryptoTask {
public: public:
VerifyCertAtTimeTask(nsIX509Cert* aCert, int64_t aUsage, uint32_t aFlags, VerifyCertAtTimeTask(nsIX509Cert* aCert, nsIX509CertDB::VerifyUsage aUsage,
const nsACString& aHostname, uint64_t aTime, uint32_t aFlags, const nsACString& aHostname,
nsICertVerificationCallback* aCallback) uint64_t aTime, nsICertVerificationCallback* aCallback)
: mCert(aCert), : mCert(aCert),
mUsage(aUsage), mUsage(aUsage),
mFlags(aFlags), mFlags(aFlags),
@@ -1384,7 +1406,7 @@ class VerifyCertAtTimeTask final : public CryptoTask {
} }
nsCOMPtr<nsIX509Cert> mCert; nsCOMPtr<nsIX509Cert> mCert;
int64_t mUsage; nsIX509CertDB::VerifyUsage mUsage;
uint32_t mFlags; uint32_t mFlags;
nsCString mHostname; nsCString mHostname;
uint64_t mTime; uint64_t mTime;
@@ -1396,7 +1418,7 @@ class VerifyCertAtTimeTask final : public CryptoTask {
NS_IMETHODIMP NS_IMETHODIMP
nsNSSCertificateDB::AsyncVerifyCertAtTime( nsNSSCertificateDB::AsyncVerifyCertAtTime(
nsIX509Cert* aCert, int64_t /*SECCertificateUsage*/ aUsage, uint32_t aFlags, nsIX509Cert* aCert, nsIX509CertDB::VerifyUsage aUsage, uint32_t aFlags,
const nsACString& aHostname, uint64_t aTime, const nsACString& aHostname, uint64_t aTime,
nsICertVerificationCallback* aCallback) { nsICertVerificationCallback* aCallback) {
RefPtr<VerifyCertAtTimeTask> task(new VerifyCertAtTimeTask( RefPtr<VerifyCertAtTimeTask> task(new VerifyCertAtTimeTask(
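Review bot: `MapX509UsageToVerifierUsage` has no comment explaining why its switch has no `default:` arm and why `return Err(NS_ERROR_INVALID_ARG);` follows it. That trailing return is what rejects an out-of-range `aUsage`, which presumably can arrive from script callers of `asyncVerifyCertAtTime`. I would add above the function `// Converts the XPIDL usage to the verifier's enum. No default arm, so new enumerators trigger a compiler warning;` and `// the trailing Err rejects values outside the enum.` In `VerifyCertAtTime` the conversion runs only in the `else` branch, which is fine because the first branch already requires `verifyUsageTLSServer`, but a one-line remark there would save the next reader the check.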


@@ -71,7 +71,7 @@ add_task(async function test_crlite_corrupted() {
certdb, certdb,
revokedCert, revokedCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
undefined, undefined,
"us-datarecovery.com", "us-datarecovery.com",


@@ -116,23 +116,16 @@ const MOZILLA_PKIX_ERROR_INSUFFICIENT_CERTIFICATE_TRANSPARENCY =
const MOZILLA_PKIX_ERROR_ISSUER_NO_LONGER_TRUSTED = const MOZILLA_PKIX_ERROR_ISSUER_NO_LONGER_TRUSTED =
MOZILLA_PKIX_ERROR_BASE + 17; MOZILLA_PKIX_ERROR_BASE + 17;
// Supported Certificate Usages
const certificateUsageSSLClient = 0x0001;
const certificateUsageSSLServer = 0x0002;
const certificateUsageSSLCA = 0x0008;
const certificateUsageEmailSigner = 0x0010;
const certificateUsageEmailRecipient = 0x0020;
// A map from the name of a certificate usage to the value of the usage. // A map from the name of a certificate usage to the value of the usage.
// Useful for printing debugging information and for enumerating all supported // Useful for printing debugging information and for enumerating all supported
// usages. // usages.
const allCertificateUsages = { const verifyUsages = new Map([
certificateUsageSSLClient, ["verifyUsageTLSClient", Ci.nsIX509CertDB.verifyUsageTLSClient],
certificateUsageSSLServer, ["verifyUsageTLSServer", Ci.nsIX509CertDB.verifyUsageTLSServer],
certificateUsageSSLCA, ["verifyUsageTLSServerCA", Ci.nsIX509CertDB.verifyUsageTLSServerCA],
certificateUsageEmailSigner, ["verifyUsageEmailSigner", Ci.nsIX509CertDB.verifyUsageEmailSigner],
certificateUsageEmailRecipient, ["verifyUsageEmailRecipient", Ci.nsIX509CertDB.verifyUsageEmailRecipient],
}; ]);
const NO_FLAGS = 0; const NO_FLAGS = 0;
@@ -1020,9 +1013,9 @@ class CertVerificationResult {
function asyncTestCertificateUsages(certdb, cert, expectedUsages) { function asyncTestCertificateUsages(certdb, cert, expectedUsages) {
let now = new Date().getTime() / 1000; let now = new Date().getTime() / 1000;
let promises = []; let promises = [];
Object.keys(allCertificateUsages).forEach(usageString => { verifyUsages.keys().forEach(usageString => {
let promise = new Promise(resolve => { let promise = new Promise(resolve => {
let usage = allCertificateUsages[usageString]; let usage = verifyUsages.get(usageString);
let successExpected = expectedUsages.includes(usage); let successExpected = expectedUsages.includes(usage);
let result = new CertVerificationResult( let result = new CertVerificationResult(
cert.commonName, cert.commonName,
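Review bot: `verifyUsages.keys().forEach(usageString => …)` followed by `verifyUsages.get(usageString)` walks the keys and then looks each one up again. `verifyUsages.forEach((usage, usageString) => {` yields both values in one step and does not depend on iterator helpers being available on the keys iterator. The same pattern is used in `asyncDetermineUsages` in the certificate viewer section above. The body of `asyncTestCertificateUsages` continues past the end of this hunk.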


@@ -29,7 +29,7 @@ add_task(async function () {
certDB, certDB,
ee, ee,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
// Change the already existing intermediate certificate's trust using // Change the already existing intermediate certificate's trust using
// addCertFromBase64(). // addCertFromBase64().
@@ -41,6 +41,6 @@ add_task(async function () {
certDB, certDB,
ee, ee,
SEC_ERROR_UNTRUSTED_ISSUER, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
}); });


@@ -29,7 +29,7 @@ function checkCertOn25August2016(cert, expectedResult) {
gCertDB, gCertDB,
cert, cert,
expectedResult, expectedResult,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
VALIDATION_TIME, VALIDATION_TIME,
false, false,
"example.com" "example.com"


@@ -68,7 +68,7 @@ add_task(async function test_distrust_after() {
gCertDb, gCertDb,
ee_pre_distrust_cert, ee_pre_distrust_cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
// A certificate with a notBefore after the distrustAfter date // A certificate with a notBefore after the distrustAfter date
@@ -77,6 +77,6 @@ add_task(async function test_distrust_after() {
gCertDb, gCertDb,
ee_post_distrust_cert, ee_post_distrust_cert,
MOZILLA_PKIX_ERROR_ISSUER_NO_LONGER_TRUSTED, MOZILLA_PKIX_ERROR_ISSUER_NO_LONGER_TRUSTED,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
}); });


@@ -28,7 +28,7 @@ function checkEndEntity(cert, expectedResult) {
certdb, certdb,
cert, cert,
expectedResult, expectedResult,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
} }
@@ -39,7 +39,7 @@ function checkCertOn25August2016(cert, expectedResult) {
certdb, certdb,
cert, cert,
expectedResult, expectedResult,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
VALIDATION_TIME VALIDATION_TIME
); );
} }

View File

@@ -30,7 +30,7 @@ async function do_testcase(certname, checkCommonName) {
certdb, certdb,
cert, cert,
SSL_ERROR_BAD_CERT_DOMAIN, SSL_ERROR_BAD_CERT_DOMAIN,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
undefined, undefined,
"www.bank1.com" "www.bank1.com"
); );
@@ -38,7 +38,7 @@ async function do_testcase(certname, checkCommonName) {
certdb, certdb,
cert, cert,
SSL_ERROR_BAD_CERT_DOMAIN, SSL_ERROR_BAD_CERT_DOMAIN,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
undefined, undefined,
"www.bad-guy.com" "www.bad-guy.com"
); );


@@ -32,7 +32,7 @@ add_task(async function () {
certDB, certDB,
ee, ee,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
threeWeeksFromNowInSeconds, threeWeeksFromNowInSeconds,
false, false,
"test.example.com" "test.example.com"


@@ -22,16 +22,16 @@ const eeList = [
"ee-keyCertSign-and-keyEncipherment", "ee-keyCertSign-and-keyEncipherment",
]; ];
const caUsage = [certificateUsageSSLCA]; const caUsage = [Ci.nsIX509CertDB.verifyUsageTLSServerCA];
const allEEUsages = [ const allEEUsages = [
certificateUsageSSLClient, Ci.nsIX509CertDB.verifyUsageTLSClient,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
certificateUsageEmailSigner, Ci.nsIX509CertDB.verifyUsageEmailSigner,
certificateUsageEmailRecipient, Ci.nsIX509CertDB.verifyUsageEmailRecipient,
]; ];
const serverEEUsages = [ const serverEEUsages = [
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
certificateUsageEmailRecipient, Ci.nsIX509CertDB.verifyUsageEmailRecipient,
]; ];
const expectedUsagesMap = { const expectedUsagesMap = {


@@ -28,7 +28,7 @@ function checkEndEntity(cert, expectedResult) {
certdb, certdb,
cert, cert,
expectedResult, expectedResult,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
VALIDATION_TIME VALIDATION_TIME
); );
} }

View File

@@ -49,7 +49,7 @@ function ensureSignatureVerificationFailure(certificatePath) {
certdb, certdb,
cert, cert,
SEC_ERROR_BAD_SIGNATURE, SEC_ERROR_BAD_SIGNATURE,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
} }
@@ -60,7 +60,7 @@ function tamperWithSignatureAndEnsureVerificationFailure(certificatePath) {
certdb, certdb,
cert, cert,
SEC_ERROR_BAD_SIGNATURE, SEC_ERROR_BAD_SIGNATURE,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
} }
@@ -92,7 +92,7 @@ function tamperWithSerialNumberAndEnsureVerificationFailure(certificatePath) {
certdb, certdb,
cert, cert,
SEC_ERROR_BAD_SIGNATURE, SEC_ERROR_BAD_SIGNATURE,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
} }


@@ -106,7 +106,7 @@ function verify_cert(file, expectedError) {
certDB, certDB,
ee, ee,
expectedError, expectedError,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
} }
@@ -117,19 +117,19 @@ async function verify_non_tls_usage_succeeds(file) {
certDB, certDB,
ee, ee,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLClient Ci.nsIX509CertDB.verifyUsageTLSClient
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certDB, certDB,
ee, ee,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageEmailSigner Ci.nsIX509CertDB.verifyUsageEmailSigner
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certDB, certDB,
ee, ee,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageEmailRecipient Ci.nsIX509CertDB.verifyUsageEmailRecipient
); );
} }


@@ -300,7 +300,7 @@ add_task(async function test_crlite_filter() {
certdb, certdb,
validCert, validCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-11-04T00:00:00Z").getTime() / 1000, new Date("2019-11-04T00:00:00Z").getTime() / 1000,
false, false,
"skynew.jp", "skynew.jp",
@@ -310,7 +310,7 @@ add_task(async function test_crlite_filter() {
certdb, certdb,
revokedCert, revokedCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-11-04T00:00:00Z").getTime() / 1000, new Date("2019-11-04T00:00:00Z").getTime() / 1000,
false, false,
"schunk-group.com", "schunk-group.com",
@@ -346,7 +346,7 @@ add_task(async function test_crlite_filter() {
certdb, certdb,
validCert, validCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-11-04T00:00:00Z").getTime() / 1000, new Date("2019-11-04T00:00:00Z").getTime() / 1000,
false, false,
"skynew.jp", "skynew.jp",
@@ -356,7 +356,7 @@ add_task(async function test_crlite_filter() {
certdb, certdb,
revokedCert, revokedCert,
SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-11-04T00:00:00Z").getTime() / 1000, new Date("2019-11-04T00:00:00Z").getTime() / 1000,
false, false,
"schunk-group.com", "schunk-group.com",
@@ -372,7 +372,7 @@ add_task(async function test_crlite_filter() {
certdb, certdb,
validCert, validCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-11-04T00:00:00Z").getTime() / 1000, new Date("2019-11-04T00:00:00Z").getTime() / 1000,
false, false,
"skynew.jp", "skynew.jp",
@@ -382,7 +382,7 @@ add_task(async function test_crlite_filter() {
certdb, certdb,
revokedCert, revokedCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-11-04T00:00:00Z").getTime() / 1000, new Date("2019-11-04T00:00:00Z").getTime() / 1000,
false, false,
"schunk-group.com", "schunk-group.com",
@@ -398,7 +398,7 @@ add_task(async function test_crlite_filter() {
certdb, certdb,
validCert, validCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-11-04T00:00:00Z").getTime() / 1000, new Date("2019-11-04T00:00:00Z").getTime() / 1000,
false, false,
"skynew.jp", "skynew.jp",
@@ -408,7 +408,7 @@ add_task(async function test_crlite_filter() {
certdb, certdb,
revokedCert, revokedCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-11-04T00:00:00Z").getTime() / 1000, new Date("2019-11-04T00:00:00Z").getTime() / 1000,
false, false,
"schunk-group.com", "schunk-group.com",


@@ -57,7 +57,7 @@ add_task(async function () {
certdb, certdb,
validCert, validCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-10-28T00:00:00Z").getTime() / 1000, new Date("2019-10-28T00:00:00Z").getTime() / 1000,
false, false,
"skynew.jp", "skynew.jp",
@@ -74,7 +74,7 @@ add_task(async function () {
certdb, certdb,
revokedCert, revokedCert,
SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-11-04T00:00:00Z").getTime() / 1000, new Date("2019-11-04T00:00:00Z").getTime() / 1000,
false, false,
"schunk-group.com", "schunk-group.com",


@@ -35,31 +35,31 @@ async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
certdb, certdb,
ee_cert, ee_cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLClient Ci.nsIX509CertDB.verifyUsageTLSClient
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
SEC_ERROR_CA_CERT_INVALID, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA Ci.nsIX509CertDB.verifyUsageTLSServerCA
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageEmailSigner Ci.nsIX509CertDB.verifyUsageEmailSigner
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageEmailRecipient Ci.nsIX509CertDB.verifyUsageEmailRecipient
); );
// Test of active distrust. No usage should pass. // Test of active distrust. No usage should pass.
@@ -68,31 +68,31 @@ async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
certdb, certdb,
ee_cert, ee_cert,
SEC_ERROR_UNTRUSTED_ISSUER, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
SEC_ERROR_UNTRUSTED_ISSUER, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient Ci.nsIX509CertDB.verifyUsageTLSClient
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
SEC_ERROR_CA_CERT_INVALID, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA Ci.nsIX509CertDB.verifyUsageTLSServerCA
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
SEC_ERROR_UNTRUSTED_ISSUER, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner Ci.nsIX509CertDB.verifyUsageEmailSigner
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
SEC_ERROR_UNTRUSTED_ISSUER, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient Ci.nsIX509CertDB.verifyUsageEmailRecipient
); );
// Trust set to T - trusted CA to issue client certs, where client cert is // Trust set to T - trusted CA to issue client certs, where client cert is
@@ -102,7 +102,7 @@ async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
certdb, certdb,
ee_cert, ee_cert,
isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
// XXX(Bug 982340) // XXX(Bug 982340)
@@ -110,27 +110,27 @@ async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
certdb, certdb,
ee_cert, ee_cert,
isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
certificateUsageSSLClient Ci.nsIX509CertDB.verifyUsageTLSClient
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
SEC_ERROR_CA_CERT_INVALID, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA Ci.nsIX509CertDB.verifyUsageTLSServerCA
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
certificateUsageEmailSigner Ci.nsIX509CertDB.verifyUsageEmailSigner
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
certificateUsageEmailRecipient Ci.nsIX509CertDB.verifyUsageEmailRecipient
); );
// Now tests on the SSL trust bit // Now tests on the SSL trust bit
@@ -139,7 +139,7 @@ async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
certdb, certdb,
ee_cert, ee_cert,
SEC_ERROR_UNTRUSTED_ISSUER, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
// XXX(Bug 982340) // XXX(Bug 982340)
@@ -147,25 +147,25 @@ async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
certdb, certdb,
ee_cert, ee_cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLClient Ci.nsIX509CertDB.verifyUsageTLSClient
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
SEC_ERROR_CA_CERT_INVALID, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA Ci.nsIX509CertDB.verifyUsageTLSServerCA
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageEmailSigner Ci.nsIX509CertDB.verifyUsageEmailSigner
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageEmailRecipient Ci.nsIX509CertDB.verifyUsageEmailRecipient
); );
// Inherited trust SSL // Inherited trust SSL
@@ -174,32 +174,32 @@ async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
certdb, certdb,
ee_cert, ee_cert,
isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
// XXX(Bug 982340) // XXX(Bug 982340)
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLClient Ci.nsIX509CertDB.verifyUsageTLSClient
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
SEC_ERROR_CA_CERT_INVALID, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA Ci.nsIX509CertDB.verifyUsageTLSServerCA
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageEmailSigner Ci.nsIX509CertDB.verifyUsageEmailSigner
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageEmailRecipient Ci.nsIX509CertDB.verifyUsageEmailRecipient
); );
// Now tests on the EMAIL trust bit // Now tests on the EMAIL trust bit
@@ -208,31 +208,31 @@ async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
certdb, certdb,
ee_cert, ee_cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
SEC_ERROR_UNTRUSTED_ISSUER, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient Ci.nsIX509CertDB.verifyUsageTLSClient
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
SEC_ERROR_CA_CERT_INVALID, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA Ci.nsIX509CertDB.verifyUsageTLSServerCA
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
SEC_ERROR_UNTRUSTED_ISSUER, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner Ci.nsIX509CertDB.verifyUsageEmailSigner
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
SEC_ERROR_UNTRUSTED_ISSUER, SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient Ci.nsIX509CertDB.verifyUsageEmailRecipient
); );
// inherited EMAIL Trust // inherited EMAIL Trust
@@ -241,31 +241,31 @@ async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
certdb, certdb,
ee_cert, ee_cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
certificateUsageSSLClient Ci.nsIX509CertDB.verifyUsageTLSClient
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
SEC_ERROR_CA_CERT_INVALID, SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA Ci.nsIX509CertDB.verifyUsageTLSServerCA
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
certificateUsageEmailSigner Ci.nsIX509CertDB.verifyUsageEmailSigner
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess, isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
certificateUsageEmailRecipient Ci.nsIX509CertDB.verifyUsageEmailRecipient
); );
} }
@@ -310,24 +310,24 @@ add_task(async function () {
certdb, certdb,
ee_cert, ee_cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLClient Ci.nsIX509CertDB.verifyUsageTLSClient
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageEmailSigner Ci.nsIX509CertDB.verifyUsageEmailSigner
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certdb, certdb,
ee_cert, ee_cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageEmailRecipient Ci.nsIX509CertDB.verifyUsageEmailRecipient
); );
}); });
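Review bot: The `// XXX(Bug 982340)` marker ahead of the `Ci.nsIX509CertDB.verifyUsageTLSClient` check under "Now tests on the SSL trust bit" in `test_ca_distrust` sits on an assertion that expects `PRErrorCodeSuccess`, while the `verifyUsageTLSServer` check just before it expects `SEC_ERROR_UNTRUSTED_ISSUER`, and the comment does not say which of the two results is the intended policy. A reader auditing trust-bit handling could take the passing client-auth result as deliberate rather than as a pinned known issue. I would spell it out, for example `// XXX(Bug 982340): TLSClient verifies successfully here although TLSServer is rejected as untrusted just above.`, and do the same for the other two markers in this function. The trust-changing calls between these checks are outside the visible hunks, so the trust state is inferred from the section comments.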


@@ -51,7 +51,7 @@ function checkEndEntity(cert, expectedResult) {
certdb, certdb,
cert, cert,
expectedResult, expectedResult,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
} }
@@ -60,7 +60,7 @@ function checkIntermediate(cert, expectedResult) {
certdb, certdb,
cert, cert,
expectedResult, expectedResult,
certificateUsageSSLCA Ci.nsIX509CertDB.verifyUsageTLSServerCA
); );
} }


@@ -543,7 +543,7 @@ add_task(async function test_crlite_confirm_revocations_mode() {
certdb, certdb,
validCert, validCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
undefined, undefined,
"vpn.worldofspeed.org", "vpn.worldofspeed.org",
@@ -558,7 +558,7 @@ add_task(async function test_crlite_confirm_revocations_mode() {
certdb, certdb,
revokedCert, revokedCert,
SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
undefined, undefined,
"us-datarecovery.com", "us-datarecovery.com",
@@ -587,7 +587,7 @@ add_task(async function test_crlite_confirm_revocations_mode() {
certdb, certdb,
revokedCert, revokedCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
undefined, undefined,
"us-datarecovery.com", "us-datarecovery.com",
@@ -653,7 +653,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb, certdb,
validCert, validCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"vpn.worldofspeed.org", "vpn.worldofspeed.org",
@@ -665,7 +665,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb, certdb,
revokedCert, revokedCert,
SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"us-datarecovery.com", "us-datarecovery.com",
@@ -680,7 +680,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb, certdb,
revokedInStashCert, revokedInStashCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"stokedmoto.com", "stokedmoto.com",
@@ -709,7 +709,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb, certdb,
revokedInStashCert, revokedInStashCert,
SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"stokedmoto.com", "stokedmoto.com",
@@ -724,7 +724,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb, certdb,
revokedInStash2Cert, revokedInStash2Cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"icsreps.com", "icsreps.com",
@@ -753,7 +753,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb, certdb,
revokedInStash2Cert, revokedInStash2Cert,
SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"icsreps.com", "icsreps.com",
@@ -765,7 +765,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb, certdb,
validCert, validCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"vpn.worldofspeed.org", "vpn.worldofspeed.org",
@@ -776,7 +776,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb, certdb,
revokedCert, revokedCert,
SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"us-datarecovery.com", "us-datarecovery.com",
@@ -787,7 +787,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb, certdb,
revokedInStashCert, revokedInStashCert,
SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"stokedmoto.com", "stokedmoto.com",
@@ -814,7 +814,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb, certdb,
noSCTCert, noSCTCert,
SEC_ERROR_OCSP_SERVER_ERROR, SEC_ERROR_OCSP_SERVER_ERROR,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"mail233.messagelabs.com", "mail233.messagelabs.com",
@@ -828,7 +828,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb, certdb,
validCert, validCert,
SEC_ERROR_OCSP_SERVER_ERROR, SEC_ERROR_OCSP_SERVER_ERROR,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"vpn.worldofspeed.org", "vpn.worldofspeed.org",
@@ -875,7 +875,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb, certdb,
revokedCert, revokedCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"us-datarecovery.com", "us-datarecovery.com",
@@ -938,7 +938,7 @@ add_task(async function test_crlite_clubcard_bad_coverage_in_remote_settings() {
certdb, certdb,
validCert, validCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"vpn.worldofspeed.org", "vpn.worldofspeed.org",
@@ -950,7 +950,7 @@ add_task(async function test_crlite_clubcard_bad_coverage_in_remote_settings() {
certdb, certdb,
revokedCert, revokedCert,
SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"us-datarecovery.com", "us-datarecovery.com",


@@ -44,7 +44,7 @@ add_task(async function test_preexisting_crlite_data() {
certdb, certdb,
revokedCert, revokedCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"us-datarecovery.com", "us-datarecovery.com",
@@ -68,7 +68,7 @@ add_task(async function test_preexisting_crlite_data() {
certdb, certdb,
validCert, validCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"vpn.worldofspeed.org", "vpn.worldofspeed.org",
@@ -84,7 +84,7 @@ add_task(async function test_preexisting_crlite_data() {
certdb, certdb,
validCert, validCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"vpn.worldofspeed.org", "vpn.worldofspeed.org",
@@ -95,7 +95,7 @@ add_task(async function test_preexisting_crlite_data() {
certdb, certdb,
revokedCert, revokedCert,
SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"us-datarecovery.com", "us-datarecovery.com",
@@ -120,7 +120,7 @@ add_task(async function test_preexisting_crlite_data() {
certdb, certdb,
revokedInStashCert, revokedInStashCert,
SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"stokedmoto.com", "stokedmoto.com",
@@ -134,7 +134,7 @@ add_task(async function test_preexisting_crlite_data() {
certdb, certdb,
revokedInStash2Cert, revokedInStash2Cert,
SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"icsreps.com", "icsreps.com",
@@ -157,7 +157,7 @@ add_task(async function test_preexisting_crlite_data() {
certdb, certdb,
noSCTCert, noSCTCert,
SEC_ERROR_OCSP_SERVER_ERROR, SEC_ERROR_OCSP_SERVER_ERROR,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false, false,
"mail233.messagelabs.com", "mail233.messagelabs.com",
@@ -174,7 +174,7 @@ add_task(async function test_preexisting_crlite_data() {
certdb, certdb,
notCoveredCert, notCoveredCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2022-01-07T00:00:00Z").getTime() / 1000, new Date("2022-01-07T00:00:00Z").getTime() / 1000,
false, false,
"peekaboophonics.com", "peekaboophonics.com",


@@ -71,7 +71,7 @@ add_task(async function test_crlite_stash_corrupted() {
certdb, certdb,
revokedCert, revokedCert,
SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000, new Date("2020-10-20T00:00:00Z").getTime() / 1000,
undefined, undefined,
"us-datarecovery.com", "us-datarecovery.com",


@@ -55,7 +55,9 @@ async function check_some_enterprise_roots_imported(nssComponent, certDB) {
foundNonBuiltIn = true; foundNonBuiltIn = true;
savedDBKey = cert.dbKey; savedDBKey = cert.dbKey;
info("saving dbKey from " + cert.commonName); info("saving dbKey from " + cert.commonName);
await asyncTestCertificateUsages(certDB, cert, [certificateUsageSSLCA]); await asyncTestCertificateUsages(certDB, cert, [
Ci.nsIX509CertDB.verifyUsageTLSServerCA,
]);
break; break;
} }
} }


@@ -105,7 +105,7 @@ function asyncTestEV(
); );
certdb.asyncVerifyCertAtTime( certdb.asyncVerifyCertAtTime(
cert, cert,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
0, 0,
"ev-test.example.com", "ev-test.example.com",
now, now,
@@ -170,7 +170,7 @@ function verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, expectSuccess) {
Ci.nsIX509CertDB.FLAG_LOCAL_ONLY | Ci.nsIX509CertDB.FLAG_MUST_BE_EV; Ci.nsIX509CertDB.FLAG_LOCAL_ONLY | Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
certdb.asyncVerifyCertAtTime( certdb.asyncVerifyCertAtTime(
cert, cert,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
flags, flags,
"ev-test.example.com", "ev-test.example.com",
now, now,


@@ -29,13 +29,16 @@ function test_cert_for_usages(certChainNicks, expected_usages) {
add_task(async function () { add_task(async function () {
let ee_usages = [ let ee_usages = [
certificateUsageSSLClient, Ci.nsIX509CertDB.verifyUsageTLSClient,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
certificateUsageEmailSigner, Ci.nsIX509CertDB.verifyUsageEmailSigner,
certificateUsageEmailRecipient, Ci.nsIX509CertDB.verifyUsageEmailRecipient,
];
let ca_usages = [Ci.nsIX509CertDB.verifyUsageTLSServerCA];
let eku_usages = [
Ci.nsIX509CertDB.verifyUsageTLSClient,
Ci.nsIX509CertDB.verifyUsageTLSServer,
]; ];
let ca_usages = [certificateUsageSSLCA];
let eku_usages = [certificateUsageSSLClient, certificateUsageSSLServer];
// Load the ca into mem // Load the ca into mem
let ca_name = "ca"; let ca_name = "ca";


@@ -157,7 +157,7 @@ add_task(async function test_preload_empty() {
certDB, certDB,
ee_cert, ee_cert,
SEC_ERROR_UNKNOWN_ISSUER, SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
}); });
@@ -210,7 +210,7 @@ add_task(async function test_preload_invalid_hash() {
certDB, certDB,
ee_cert, ee_cert,
SEC_ERROR_UNKNOWN_ISSUER, SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
}); });
@@ -245,7 +245,7 @@ add_task(async function test_preload_invalid_length() {
certDB, certDB,
ee_cert, ee_cert,
SEC_ERROR_UNKNOWN_ISSUER, SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
}); });
@@ -275,13 +275,13 @@ add_task(async function test_preload_basic() {
certDB, certDB,
ee_cert, ee_cert,
SEC_ERROR_UNKNOWN_ISSUER, SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
await checkCertErrorGeneric( await checkCertErrorGeneric(
certDB, certDB,
ee_cert_2, ee_cert_2,
SEC_ERROR_UNKNOWN_ISSUER, SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
let intermediateBytes = readFile( let intermediateBytes = readFile(
@@ -323,7 +323,7 @@ add_task(async function test_preload_basic() {
certDB, certDB,
ee_cert, ee_cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
let localDB = await IntermediatePreloadsClient.client.db; let localDB = await IntermediatePreloadsClient.client.db;
@@ -345,7 +345,7 @@ add_task(async function test_preload_basic() {
certDB, certDB,
ee_cert_2, ee_cert_2,
SEC_ERROR_UNKNOWN_ISSUER, SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
}); });


@@ -54,7 +54,7 @@ function checkChain(
certdb, certdb,
eeCert, eeCert,
eeExpectedError, eeExpectedError,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
} }


@@ -62,7 +62,7 @@ async function keySizeTestForEV(
await checkEVStatus( await checkEVStatus(
certDB, certDB,
constructCertFromFile(`test_keysize_ev/${endEntityCertFileName}.pem`), constructCertFromFile(`test_keysize_ev/${endEntityCertFileName}.pem`),
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
expectedResult expectedResult
); );


@@ -42,7 +42,7 @@ function checkCertNotInNameSpace(cert) {
certdb, certdb,
cert, cert,
SEC_ERROR_CERT_NOT_IN_NAME_SPACE, SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
} }
@@ -51,7 +51,7 @@ function checkCertInNameSpace(cert) {
certdb, certdb,
cert, cert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
} }


@@ -46,7 +46,7 @@ async function testOff() {
await checkEVStatus( await checkEVStatus(
gCertDB, gCertDB,
certFromFile("test-oid-path-ee"), certFromFile("test-oid-path-ee"),
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
false false
); );
await stopOCSPResponder(ocspResponder); await stopOCSPResponder(ocspResponder);
@@ -58,7 +58,7 @@ async function testOff() {
gCertDB, gCertDB,
certFromFile("non-ev-root-path-ee"), certFromFile("non-ev-root-path-ee"),
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
await stopOCSPResponder(ocspResponder); await stopOCSPResponder(ocspResponder);
} }
@@ -75,7 +75,7 @@ async function testOn() {
await checkEVStatus( await checkEVStatus(
gCertDB, gCertDB,
certFromFile("test-oid-path-ee"), certFromFile("test-oid-path-ee"),
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
gEVExpected gEVExpected
); );
await stopOCSPResponder(ocspResponder); await stopOCSPResponder(ocspResponder);
@@ -88,7 +88,7 @@ async function testOn() {
gCertDB, gCertDB,
certFromFile("non-ev-root-path-ee"), certFromFile("non-ev-root-path-ee"),
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
await stopOCSPResponder(ocspResponder); await stopOCSPResponder(ocspResponder);
} }
@@ -107,7 +107,7 @@ async function testEVOnly() {
await checkEVStatus( await checkEVStatus(
gCertDB, gCertDB,
certFromFile("test-oid-path-ee"), certFromFile("test-oid-path-ee"),
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
gEVExpected gEVExpected
); );
await stopOCSPResponder(ocspResponder); await stopOCSPResponder(ocspResponder);
@@ -119,7 +119,7 @@ async function testEVOnly() {
gCertDB, gCertDB,
certFromFile("non-ev-root-path-ee"), certFromFile("non-ev-root-path-ee"),
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
await stopOCSPResponder(ocspResponder); await stopOCSPResponder(ocspResponder);
} }


@@ -36,7 +36,7 @@ function check_cert_err(cert_name, expected_error) {
certdb, certdb,
cert, cert,
expected_error, expected_error,
certificateUsageSSLServer Ci.nsIX509CertDB.verifyUsageTLSServer
); );
} }


@@ -89,7 +89,7 @@ add_task(async function () {
certDB, certDB,
allowlistedCert, allowlistedCert,
PRErrorCodeSuccess, PRErrorCodeSuccess,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
VALIDATION_TIME VALIDATION_TIME
); );
}); });


@@ -59,7 +59,7 @@ add_task(async function test_no_overlong_path_building() {
certDB, certDB,
certToVerify, certToVerify,
SEC_ERROR_UNKNOWN_ISSUER, SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageSSLCA, Ci.nsIX509CertDB.verifyUsageTLSServerCA,
date.getTime() / 1000 date.getTime() / 1000
); );
} }
@@ -82,7 +82,7 @@ add_task(async function test_no_bad_signature() {
certDB, certDB,
selfSignedCert, selfSignedCert,
MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT, MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
false, false,
"example.com" "example.com"
); );
@@ -102,7 +102,7 @@ add_task(async function test_no_inadequate_key_usage() {
certDB, certDB,
selfSignedCert, selfSignedCert,
MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT, MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT,
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
false, false,
"example.com" "example.com"
); );


@@ -64,7 +64,7 @@ async function doEVTest(
await checkEVStatus( await checkEVStatus(
certDB, certDB,
certFromFile(`${endEntityCertFileName}.pem`), certFromFile(`${endEntityCertFileName}.pem`),
certificateUsageSSLServer, Ci.nsIX509CertDB.verifyUsageTLSServer,
expectedResult expectedResult
); );