corysanin/tubestation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 1944707 - Fix certificate verification and chain building for email usages. r=keeler

Browse Source 
Differential Revision: https://phabricator.services.mozilla.com/D237021
This commit is contained in:
Kai Engert
2025-02-17 21:05:54 +00:00
parent 6afaa70c13
commit 22fc9feafc
36 changed files with 251 additions and 203 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
security/certverifier/CertVerifier.cpp
View File

@@ -464,7 +464,7 @@ Result CertVerifier::VerifyCertificateTransparencyPolicyInner(
}
Result CertVerifier::VerifyCert(
const nsTArray<uint8_t>& certBytes, SECCertificateUsage usage, Time time,
const nsTArray<uint8_t>& certBytes, VerifyUsage usage, Time time,
void* pinArg, const char* hostname,
/*out*/ nsTArray<nsTArray<uint8_t>>& builtChain,
/*optional*/ const Flags flags,
@@ -482,8 +482,8 @@ Result CertVerifier::VerifyCert(
/*optional out*/ IssuerSources* issuerSources) {
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, ("Top of VerifyCert\n"));
MOZ_ASSERT(usage == certificateUsageSSLServer || !(flags & FLAG_MUST_BE_EV));
MOZ_ASSERT(usage == certificateUsageSSLServer || !keySizeStatus);
MOZ_ASSERT(usage == VerifyUsage::TLSServer || !(flags & FLAG_MUST_BE_EV));
MOZ_ASSERT(usage == VerifyUsage::TLSServer || !keySizeStatus);
if (NS_FAILED(BlockUntilLoadableCertsLoaded())) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
@@ -496,20 +496,20 @@ Result CertVerifier::VerifyCert(
*evStatus = EVStatus::NotEV;
}
if (ocspStaplingStatus) {
if (usage != certificateUsageSSLServer) {
if (usage != VerifyUsage::TLSServer) {
return Result::FATAL_ERROR_INVALID_ARGS;
}
*ocspStaplingStatus = OCSP_STAPLING_NEVER_CHECKED;
}
if (keySizeStatus) {
if (usage != certificateUsageSSLServer) {
if (usage != VerifyUsage::TLSServer) {
return Result::FATAL_ERROR_INVALID_ARGS;
}
*keySizeStatus = KeySizeStatus::NeverChecked;
}
if (usage != certificateUsageSSLServer && (flags & FLAG_MUST_BE_EV)) {
if (usage != VerifyUsage::TLSServer && (flags & FLAG_MUST_BE_EV)) {
return Result::FATAL_ERROR_INVALID_ARGS;
}
@@ -561,7 +561,7 @@ Result CertVerifier::VerifyCert(
}
switch (usage) {
case certificateUsageSSLClient: {
case VerifyUsage::TLSClient: {
// XXX: We don't really have a trust bit for SSL client authentication so
// just use trustEmail as it is the closest alternative.
NSSCertDBTrustDomain trustDomain(
@@ -583,7 +583,7 @@ Result CertVerifier::VerifyCert(
break;
}
case certificateUsageSSLServer: {
case VerifyUsage::TLSServer: {
// TODO: When verifying a certificate in an SSL handshake, we should
// restrict the acceptable key usage based on the key exchange method
// chosen by the server.
@@ -716,9 +716,25 @@ Result CertVerifier::VerifyCert(
break;
}
case certificateUsageSSLCA: {
case VerifyUsage::EmailCA:
case VerifyUsage::TLSClientCA:
case VerifyUsage::TLSServerCA: {
KeyPurposeId purpose;
SECTrustType trustType;
if (usage == VerifyUsage::EmailCA || usage == VerifyUsage::TLSClientCA) {
purpose = KeyPurposeId::id_kp_clientAuth;
trustType = trustEmail;
} else if (usage == VerifyUsage::TLSServerCA) {
purpose = KeyPurposeId::id_kp_serverAuth;
trustType = trustSSL;
} else {
MOZ_ASSERT_UNREACHABLE("coding error");
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
NSSCertDBTrustDomain trustDomain(
trustSSL, defaultOCSPFetching, mOCSPCache, mSignatureCache.get(),
trustType, defaultOCSPFetching, mOCSPCache, mSignatureCache.get(),
mTrustCache.get(), pinArg, mOCSPTimeoutSoft, mOCSPTimeoutHard,
mCertShortLifetimeInDays, MIN_RSA_BITS_WEAK,
ValidityCheckingMode::CheckingOff, mNetscapeStepUpPolicy, mCRLiteMode,
@@ -726,7 +742,7 @@ Result CertVerifier::VerifyCert(
mThirdPartyIntermediateInputs, extraCertificates, builtChain, nullptr,
nullptr);
rv = BuildCertChain(trustDomain, certDER, time, EndEntityOrCA::MustBeCA,
KeyUsage::keyCertSign, KeyPurposeId::id_kp_serverAuth,
KeyUsage::keyCertSign, purpose,
CertPolicyId::anyPolicy, stapledOCSPResponse);
if (madeOCSPRequests) {
*madeOCSPRequests |=
@@ -735,7 +751,7 @@ Result CertVerifier::VerifyCert(
break;
}
case certificateUsageEmailSigner: {
case VerifyUsage::EmailSigner: {
NSSCertDBTrustDomain trustDomain(
trustEmail, defaultOCSPFetching, mOCSPCache, mSignatureCache.get(),
mTrustCache.get(), pinArg, mOCSPTimeoutSoft, mOCSPTimeoutHard,
@@ -761,7 +777,7 @@ Result CertVerifier::VerifyCert(
break;
}
case certificateUsageEmailRecipient: {
case VerifyUsage::EmailRecipient: {
// TODO: The higher level S/MIME processing should pass in which key
// usage it is trying to verify for, and base its algorithm choices
// based on the result of the verification(s).
@@ -880,7 +896,7 @@ Result CertVerifier::VerifySSLServerCert(
}
bool isBuiltChainRootBuiltInRootLocal;
rv = VerifyCert(
peerCertBytes, certificateUsageSSLServer, time, pinarg,
peerCertBytes, VerifyUsage::TLSServer, time, pinarg,
PromiseFlatCString(hostname).get(), builtChain, flags, extraCertificates,
stapledOCSPResponse, sctsFromTLS, originAttributes, evStatus,
ocspStaplingStatus, keySizeStatus, pinningTelemetryInfo, ctInfo,

12
security/certverifier/CertVerifier.h
View File

@@ -70,6 +70,16 @@ enum class CRLiteMode {
ConfirmRevocations = 3,
};
enum class VerifyUsage {
TLSServer = 1,
TLSServerCA = 2,
TLSClient = 3,
TLSClientCA = 4,
EmailSigner = 5,
EmailRecipient = 6,
EmailCA = 7,
};
enum class NetscapeStepUpPolicy : uint32_t;
// Describes the source of the associated issuer.
@@ -186,7 +196,7 @@ class CertVerifier {
// *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV
// Only one usage per verification is supported.
mozilla::pkix::Result VerifyCert(
const nsTArray<uint8_t>& certBytes, SECCertificateUsage usage,
const nsTArray<uint8_t>& certBytes, VerifyUsage usage,
mozilla::pkix::Time time, void* pinArg, const char* hostname,
/*out*/ nsTArray<nsTArray<uint8_t>>& builtChain, Flags flags = 0,
/*optional in*/

43
security/manager/pki/pippki.sys.mjs
View File

@@ -197,23 +197,16 @@ export async function exportToFile(parent, document, cert) {
const PRErrorCodeSuccess = 0;
// Certificate usages we care about in the certificate viewer.
const certificateUsageSSLClient = 0x0001;
const certificateUsageSSLServer = 0x0002;
const certificateUsageSSLCA = 0x0008;
const certificateUsageEmailSigner = 0x0010;
const certificateUsageEmailRecipient = 0x0020;
// A map from the name of a certificate usage to the value of the usage.
// Useful for printing debugging information and for enumerating all supported
// usages.
const certificateUsages = {
certificateUsageSSLClient,
certificateUsageSSLServer,
certificateUsageSSLCA,
certificateUsageEmailSigner,
certificateUsageEmailRecipient,
};
const verifyUsages = new Map([
["verifyUsageTLSClient", Ci.nsIX509CertDB.verifyUsageTLSClient],
["verifyUsageTLSServer", Ci.nsIX509CertDB.verifyUsageTLSServer],
["verifyUsageTLSServerCA", Ci.nsIX509CertDB.verifyUsageTLSServerCA],
["verifyUsageEmailSigner", Ci.nsIX509CertDB.verifyUsageEmailSigner],
["verifyUsageEmailRecipient", Ci.nsIX509CertDB.verifyUsageEmailRecipient],
]);
/**
* Returns a promise that will resolve with a results array consisting of what
@@ -224,16 +217,16 @@ const certificateUsages = {
* @returns {Promise}
* A promise that will resolve with the results of the verifications.
*/
function asyncDetermineUsages(cert) {
export function asyncDetermineUsages(cert) {
let promises = [];
let now = Date.now() / 1000;
let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
Ci.nsIX509CertDB
);
Object.keys(certificateUsages).forEach(usageString => {
verifyUsages.keys().forEach(usageString => {
promises.push(
new Promise(resolve => {
let usage = certificateUsages[usageString];
let usage = verifyUsages.get(usageString);
certdb.asyncVerifyCertAtTime(
cert,
usage,
@@ -266,13 +259,13 @@ function asyncDetermineUsages(cert) {
* @returns {Array} An array of `nsIX509Cert` representing the verified
* certificate chain for the given usage, or null if there is none.
*/
function getBestChain(results) {
export function getBestChain(results) {
let usages = [
certificateUsageSSLServer,
certificateUsageSSLClient,
certificateUsageEmailSigner,
certificateUsageEmailRecipient,
certificateUsageSSLCA,
Ci.nsIX509CertDB.verifyUsageTLSServer,
Ci.nsIX509CertDB.verifyUsageTLSClient,
Ci.nsIX509CertDB.verifyUsageEmailSigner,
Ci.nsIX509CertDB.verifyUsageEmailRecipient,
Ci.nsIX509CertDB.verifyUsageTLSServerCA,
];
for (let usage of usages) {
let chain = getChainForUsage(results, usage);
@@ -290,14 +283,14 @@ function getBestChain(results) {
* @param {Array} results
* An array of results from `asyncDetermineUsages`. See `displayUsages`.
* @param {number} usage
* A numerical value corresponding to a usage. See `certificateUsages`.
* A usage, see `nsIX509CertDB::VerifyUsage`.
* @returns {Array} An array of `nsIX509Cert` representing the verified
* certificate chain for the given usage, or null if there is none.
*/
function getChainForUsage(results, usage) {
for (let result of results) {
if (
certificateUsages[result.usageString] == usage &&
verifyUsages.get(result.usageString) == usage &&
result.errorCode == PRErrorCodeSuccess
) {
return result.chain;

15
security/manager/ssl/nsIX509CertDB.idl
View File

@@ -297,6 +297,16 @@ interface nsIX509CertDB : nsISupports {
// Do not fall back to DV verification after attempting EV validation.
const uint32_t FLAG_MUST_BE_EV = 1 << 1;
cenum VerifyUsage : 8 {
verifyUsageTLSServer = 1,
verifyUsageTLSServerCA = 2,
verifyUsageTLSClient = 3,
verifyUsageTLSClientCA = 4,
verifyUsageEmailSigner = 5,
verifyUsageEmailRecipient = 6,
verifyUsageEmailCA = 7,
};
/*
* Asynchronously verify a certificate given a set of parameters. Calls the
* `verifyCertFinished` function on the provided `nsICertVerificationCallback`
@@ -304,8 +314,7 @@ interface nsIX509CertDB : nsISupports {
* See the documentation for nsICertVerificationCallback.
*
* @param aCert the certificate to verify
* @param aUsage an integer representing the usage to verify for (see
* SECCertificateUsage in certt.h from NSS)
* @param aUsage see VerifyUsage, the usage to verify for
* @param aFlags flags as described above
* @param aHostname the (optional) hostname to verify for
* @param aTime the time at which to verify, in seconds since the epoch
@@ -315,7 +324,7 @@ interface nsIX509CertDB : nsISupports {
*/
[must_use]
void asyncVerifyCertAtTime(in nsIX509Cert aCert,
in int64_t /*SECCertificateUsage*/ aUsage,
in nsIX509CertDB_VerifyUsage aUsage,
in uint32_t aFlags,
in ACString aHostname,
in uint64_t aTime,

40
security/manager/ssl/nsNSSCertificateDB.cpp
View File

@@ -1277,8 +1277,28 @@ nsNSSCertificateDB::AsyncHasThirdPartyRoots(nsIAsyncBoolCallback* aCallback) {
NS_DISPATCH_EVENT_MAY_BLOCK);
}
nsresult VerifyCertAtTime(nsIX509Cert* aCert,
int64_t /*SECCertificateUsage*/ aUsage,
static mozilla::Result<VerifyUsage, nsresult> MapX509UsageToVerifierUsage(
nsIX509CertDB::VerifyUsage usage) {
switch (usage) {
case nsIX509CertDB::verifyUsageTLSServer:
return VerifyUsage::TLSServer;
case nsIX509CertDB::verifyUsageTLSServerCA:
return VerifyUsage::TLSServerCA;
case nsIX509CertDB::verifyUsageTLSClient:
return VerifyUsage::TLSClient;
case nsIX509CertDB::verifyUsageTLSClientCA:
return VerifyUsage::TLSClientCA;
case nsIX509CertDB::verifyUsageEmailSigner:
return VerifyUsage::EmailSigner;
case nsIX509CertDB::verifyUsageEmailRecipient:
return VerifyUsage::EmailRecipient;
case nsIX509CertDB::verifyUsageEmailCA:
return VerifyUsage::EmailCA;
}
return Err(NS_ERROR_INVALID_ARG);
}
nsresult VerifyCertAtTime(nsIX509Cert* aCert, nsIX509CertDB::VerifyUsage aUsage,
uint32_t aFlags, const nsACString& aHostname,
mozilla::pkix::Time aTime,
nsTArray<RefPtr<nsIX509Cert>>& aVerifiedChain,
@@ -1308,7 +1328,7 @@ nsresult VerifyCertAtTime(nsIX509Cert* aCert,
return nsrv;
}
if (!aHostname.IsVoid() && aUsage == certificateUsageSSLServer) {
if (!aHostname.IsVoid() && aUsage == nsIX509CertDB::verifyUsageTLSServer) {
result =
certVerifier->VerifySSLServerCert(certBytes, aTime,
nullptr, // Assume no context
@@ -1320,8 +1340,10 @@ nsresult VerifyCertAtTime(nsIX509Cert* aCert,
OriginAttributes(), &evStatus);
} else {
const nsCString& flatHostname = PromiseFlatCString(aHostname);
VerifyUsage vu;
MOZ_TRY_VAR(vu, MapX509UsageToVerifierUsage(aUsage));
result = certVerifier->VerifyCert(
certBytes, aUsage, aTime,
certBytes, vu, aTime,
nullptr, // Assume no context
aHostname.IsVoid() ? nullptr : flatHostname.get(), resultChain, aFlags,
Nothing(), // extraCertificates
@@ -1348,9 +1370,9 @@ nsresult VerifyCertAtTime(nsIX509Cert* aCert,
class VerifyCertAtTimeTask final : public CryptoTask {
public:
VerifyCertAtTimeTask(nsIX509Cert* aCert, int64_t aUsage, uint32_t aFlags,
const nsACString& aHostname, uint64_t aTime,
nsICertVerificationCallback* aCallback)
VerifyCertAtTimeTask(nsIX509Cert* aCert, nsIX509CertDB::VerifyUsage aUsage,
uint32_t aFlags, const nsACString& aHostname,
uint64_t aTime, nsICertVerificationCallback* aCallback)
: mCert(aCert),
mUsage(aUsage),
mFlags(aFlags),
@@ -1384,7 +1406,7 @@ class VerifyCertAtTimeTask final : public CryptoTask {
}
nsCOMPtr<nsIX509Cert> mCert;
int64_t mUsage;
nsIX509CertDB::VerifyUsage mUsage;
uint32_t mFlags;
nsCString mHostname;
uint64_t mTime;
@@ -1396,7 +1418,7 @@ class VerifyCertAtTimeTask final : public CryptoTask {
NS_IMETHODIMP
nsNSSCertificateDB::AsyncVerifyCertAtTime(
nsIX509Cert* aCert, int64_t /*SECCertificateUsage*/ aUsage, uint32_t aFlags,
nsIX509Cert* aCert, nsIX509CertDB::VerifyUsage aUsage, uint32_t aFlags,
const nsACString& aHostname, uint64_t aTime,
nsICertVerificationCallback* aCallback) {
RefPtr<VerifyCertAtTimeTask> task(new VerifyCertAtTimeTask(

2
security/manager/ssl/tests/unit/corrupted_crlite_helper.js
View File

@@ -71,7 +71,7 @@ add_task(async function test_crlite_corrupted() {
certdb,
revokedCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
undefined,
"us-datarecovery.com",

25
security/manager/ssl/tests/unit/head_psm.js
View File

@@ -116,23 +116,16 @@ const MOZILLA_PKIX_ERROR_INSUFFICIENT_CERTIFICATE_TRANSPARENCY =
const MOZILLA_PKIX_ERROR_ISSUER_NO_LONGER_TRUSTED =
MOZILLA_PKIX_ERROR_BASE + 17;
// Supported Certificate Usages
const certificateUsageSSLClient = 0x0001;
const certificateUsageSSLServer = 0x0002;
const certificateUsageSSLCA = 0x0008;
const certificateUsageEmailSigner = 0x0010;
const certificateUsageEmailRecipient = 0x0020;
// A map from the name of a certificate usage to the value of the usage.
// Useful for printing debugging information and for enumerating all supported
// usages.
const allCertificateUsages = {
certificateUsageSSLClient,
certificateUsageSSLServer,
certificateUsageSSLCA,
certificateUsageEmailSigner,
certificateUsageEmailRecipient,
};
const verifyUsages = new Map([
["verifyUsageTLSClient", Ci.nsIX509CertDB.verifyUsageTLSClient],
["verifyUsageTLSServer", Ci.nsIX509CertDB.verifyUsageTLSServer],
["verifyUsageTLSServerCA", Ci.nsIX509CertDB.verifyUsageTLSServerCA],
["verifyUsageEmailSigner", Ci.nsIX509CertDB.verifyUsageEmailSigner],
["verifyUsageEmailRecipient", Ci.nsIX509CertDB.verifyUsageEmailRecipient],
]);
const NO_FLAGS = 0;
@@ -1020,9 +1013,9 @@ class CertVerificationResult {
function asyncTestCertificateUsages(certdb, cert, expectedUsages) {
let now = new Date().getTime() / 1000;
let promises = [];
Object.keys(allCertificateUsages).forEach(usageString => {
verifyUsages.keys().forEach(usageString => {
let promise = new Promise(resolve => {
let usage = allCertificateUsages[usageString];
let usage = verifyUsages.get(usageString);
let successExpected = expectedUsages.includes(usage);
let result = new CertVerificationResult(
cert.commonName,

4
security/manager/ssl/tests/unit/test_add_preexisting_cert.js
View File

@@ -29,7 +29,7 @@ add_task(async function () {
certDB,
ee,
PRErrorCodeSuccess,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
// Change the already existing intermediate certificate's trust using
// addCertFromBase64().
@@ -41,6 +41,6 @@ add_task(async function () {
certDB,
ee,
SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
});

2
security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js
View File

@@ -29,7 +29,7 @@ function checkCertOn25August2016(cert, expectedResult) {
gCertDB,
cert,
expectedResult,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
VALIDATION_TIME,
false,
"example.com"

4
security/manager/ssl/tests/unit/test_builtins.js
View File

@@ -68,7 +68,7 @@ add_task(async function test_distrust_after() {
gCertDb,
ee_pre_distrust_cert,
PRErrorCodeSuccess,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
// A certificate with a notBefore after the distrustAfter date
@@ -77,6 +77,6 @@ add_task(async function test_distrust_after() {
gCertDb,
ee_post_distrust_cert,
MOZILLA_PKIX_ERROR_ISSUER_NO_LONGER_TRUSTED,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
});

4
security/manager/ssl/tests/unit/test_cert_eku.js
View File

@@ -28,7 +28,7 @@ function checkEndEntity(cert, expectedResult) {
certdb,
cert,
expectedResult,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
}
@@ -39,7 +39,7 @@ function checkCertOn25August2016(cert, expectedResult) {
certdb,
cert,
expectedResult,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
VALIDATION_TIME
);
}

4
security/manager/ssl/tests/unit/test_cert_embedded_null.js
View File

@@ -30,7 +30,7 @@ async function do_testcase(certname, checkCommonName) {
certdb,
cert,
SSL_ERROR_BAD_CERT_DOMAIN,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
undefined,
"www.bank1.com"
);
@@ -38,7 +38,7 @@ async function do_testcase(certname, checkCommonName) {
certdb,
cert,
SSL_ERROR_BAD_CERT_DOMAIN,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
undefined,
"www.bad-guy.com"
);

2
security/manager/ssl/tests/unit/test_cert_expiration_canary.js
View File

@@ -32,7 +32,7 @@ add_task(async function () {
certDB,
ee,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
threeWeeksFromNowInSeconds,
false,
"test.example.com"

14
security/manager/ssl/tests/unit/test_cert_keyUsage.js
View File

@@ -22,16 +22,16 @@ const eeList = [
"ee-keyCertSign-and-keyEncipherment",
];
const caUsage = [certificateUsageSSLCA];
const caUsage = [Ci.nsIX509CertDB.verifyUsageTLSServerCA];
const allEEUsages = [
certificateUsageSSLClient,
certificateUsageSSLServer,
certificateUsageEmailSigner,
certificateUsageEmailRecipient,
Ci.nsIX509CertDB.verifyUsageTLSClient,
Ci.nsIX509CertDB.verifyUsageTLSServer,
Ci.nsIX509CertDB.verifyUsageEmailSigner,
Ci.nsIX509CertDB.verifyUsageEmailRecipient,
];
const serverEEUsages = [
certificateUsageSSLServer,
certificateUsageEmailRecipient,
Ci.nsIX509CertDB.verifyUsageTLSServer,
Ci.nsIX509CertDB.verifyUsageEmailRecipient,
];
const expectedUsagesMap = {

2
security/manager/ssl/tests/unit/test_cert_sha1.js
View File

@@ -28,7 +28,7 @@ function checkEndEntity(cert, expectedResult) {
certdb,
cert,
expectedResult,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
VALIDATION_TIME
);
}

6
security/manager/ssl/tests/unit/test_cert_signatures.js
View File

@@ -49,7 +49,7 @@ function ensureSignatureVerificationFailure(certificatePath) {
certdb,
cert,
SEC_ERROR_BAD_SIGNATURE,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
}
@@ -60,7 +60,7 @@ function tamperWithSignatureAndEnsureVerificationFailure(certificatePath) {
certdb,
cert,
SEC_ERROR_BAD_SIGNATURE,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
}
@@ -92,7 +92,7 @@ function tamperWithSerialNumberAndEnsureVerificationFailure(certificatePath) {
certdb,
cert,
SEC_ERROR_BAD_SIGNATURE,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
}

8
security/manager/ssl/tests/unit/test_cert_storage.js
View File

@@ -106,7 +106,7 @@ function verify_cert(file, expectedError) {
certDB,
ee,
expectedError,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
}
@@ -117,19 +117,19 @@ async function verify_non_tls_usage_succeeds(file) {
certDB,
ee,
PRErrorCodeSuccess,
certificateUsageSSLClient
Ci.nsIX509CertDB.verifyUsageTLSClient
);
await checkCertErrorGeneric(
certDB,
ee,
PRErrorCodeSuccess,
certificateUsageEmailSigner
Ci.nsIX509CertDB.verifyUsageEmailSigner
);
await checkCertErrorGeneric(
certDB,
ee,
PRErrorCodeSuccess,
certificateUsageEmailRecipient
Ci.nsIX509CertDB.verifyUsageEmailRecipient
);
}

16
security/manager/ssl/tests/unit/test_cert_storage_direct.js
View File

@@ -300,7 +300,7 @@ add_task(async function test_crlite_filter() {
certdb,
validCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-11-04T00:00:00Z").getTime() / 1000,
false,
"skynew.jp",
@@ -310,7 +310,7 @@ add_task(async function test_crlite_filter() {
certdb,
revokedCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-11-04T00:00:00Z").getTime() / 1000,
false,
"schunk-group.com",
@@ -346,7 +346,7 @@ add_task(async function test_crlite_filter() {
certdb,
validCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-11-04T00:00:00Z").getTime() / 1000,
false,
"skynew.jp",
@@ -356,7 +356,7 @@ add_task(async function test_crlite_filter() {
certdb,
revokedCert,
SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-11-04T00:00:00Z").getTime() / 1000,
false,
"schunk-group.com",
@@ -372,7 +372,7 @@ add_task(async function test_crlite_filter() {
certdb,
validCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-11-04T00:00:00Z").getTime() / 1000,
false,
"skynew.jp",
@@ -382,7 +382,7 @@ add_task(async function test_crlite_filter() {
certdb,
revokedCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-11-04T00:00:00Z").getTime() / 1000,
false,
"schunk-group.com",
@@ -398,7 +398,7 @@ add_task(async function test_crlite_filter() {
certdb,
validCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-11-04T00:00:00Z").getTime() / 1000,
false,
"skynew.jp",
@@ -408,7 +408,7 @@ add_task(async function test_crlite_filter() {
certdb,
revokedCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-11-04T00:00:00Z").getTime() / 1000,
false,
"schunk-group.com",

4
security/manager/ssl/tests/unit/test_cert_storage_preexisting_crlite.js
View File

@@ -57,7 +57,7 @@ add_task(async function () {
certdb,
validCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-10-28T00:00:00Z").getTime() / 1000,
false,
"skynew.jp",
@@ -74,7 +74,7 @@ add_task(async function () {
certdb,
revokedCert,
SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2019-11-04T00:00:00Z").getTime() / 1000,
false,
"schunk-group.com",

78
security/manager/ssl/tests/unit/test_cert_trust.js
View File

@@ -35,31 +35,31 @@ async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
certdb,
ee_cert,
PRErrorCodeSuccess,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
await checkCertErrorGeneric(
certdb,
ee_cert,
PRErrorCodeSuccess,
certificateUsageSSLClient
Ci.nsIX509CertDB.verifyUsageTLSClient
);
await checkCertErrorGeneric(
certdb,
ee_cert,
SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA
Ci.nsIX509CertDB.verifyUsageTLSServerCA
);
await checkCertErrorGeneric(
certdb,
ee_cert,
PRErrorCodeSuccess,
certificateUsageEmailSigner
Ci.nsIX509CertDB.verifyUsageEmailSigner
);
await checkCertErrorGeneric(
certdb,
ee_cert,
PRErrorCodeSuccess,
certificateUsageEmailRecipient
Ci.nsIX509CertDB.verifyUsageEmailRecipient
);
// Test of active distrust. No usage should pass.
@@ -68,31 +68,31 @@ async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
certdb,
ee_cert,
SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
await checkCertErrorGeneric(
certdb,
ee_cert,
SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient
Ci.nsIX509CertDB.verifyUsageTLSClient
);
await checkCertErrorGeneric(
certdb,
ee_cert,
SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA
Ci.nsIX509CertDB.verifyUsageTLSServerCA
);
await checkCertErrorGeneric(
certdb,
ee_cert,
SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner
Ci.nsIX509CertDB.verifyUsageEmailSigner
);
await checkCertErrorGeneric(
certdb,
ee_cert,
SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient
Ci.nsIX509CertDB.verifyUsageEmailRecipient
);
// Trust set to T - trusted CA to issue client certs, where client cert is
@@ -102,7 +102,7 @@ async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
certdb,
ee_cert,
isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
// XXX(Bug 982340)
@@ -110,27 +110,27 @@ async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
certdb,
ee_cert,
isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
certificateUsageSSLClient
Ci.nsIX509CertDB.verifyUsageTLSClient
);
await checkCertErrorGeneric(
certdb,
ee_cert,
SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA
Ci.nsIX509CertDB.verifyUsageTLSServerCA
);
await checkCertErrorGeneric(
certdb,
ee_cert,
isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
certificateUsageEmailSigner
Ci.nsIX509CertDB.verifyUsageEmailSigner
);
await checkCertErrorGeneric(
certdb,
ee_cert,
isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
certificateUsageEmailRecipient
Ci.nsIX509CertDB.verifyUsageEmailRecipient
);
// Now tests on the SSL trust bit
@@ -139,7 +139,7 @@ async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
certdb,
ee_cert,
SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
// XXX(Bug 982340)
@@ -147,25 +147,25 @@ async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
certdb,
ee_cert,
PRErrorCodeSuccess,
certificateUsageSSLClient
Ci.nsIX509CertDB.verifyUsageTLSClient
);
await checkCertErrorGeneric(
certdb,
ee_cert,
SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA
Ci.nsIX509CertDB.verifyUsageTLSServerCA
);
await checkCertErrorGeneric(
certdb,
ee_cert,
PRErrorCodeSuccess,
certificateUsageEmailSigner
Ci.nsIX509CertDB.verifyUsageEmailSigner
);
await checkCertErrorGeneric(
certdb,
ee_cert,
PRErrorCodeSuccess,
certificateUsageEmailRecipient
Ci.nsIX509CertDB.verifyUsageEmailRecipient
);
// Inherited trust SSL
@@ -174,32 +174,32 @@ async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
certdb,
ee_cert,
isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
// XXX(Bug 982340)
await checkCertErrorGeneric(
certdb,
ee_cert,
PRErrorCodeSuccess,
certificateUsageSSLClient
Ci.nsIX509CertDB.verifyUsageTLSClient
);
await checkCertErrorGeneric(
certdb,
ee_cert,
SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA
Ci.nsIX509CertDB.verifyUsageTLSServerCA
);
await checkCertErrorGeneric(
certdb,
ee_cert,
PRErrorCodeSuccess,
certificateUsageEmailSigner
Ci.nsIX509CertDB.verifyUsageEmailSigner
);
await checkCertErrorGeneric(
certdb,
ee_cert,
PRErrorCodeSuccess,
certificateUsageEmailRecipient
Ci.nsIX509CertDB.verifyUsageEmailRecipient
);
// Now tests on the EMAIL trust bit
@@ -208,31 +208,31 @@ async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
certdb,
ee_cert,
PRErrorCodeSuccess,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
await checkCertErrorGeneric(
certdb,
ee_cert,
SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageSSLClient
Ci.nsIX509CertDB.verifyUsageTLSClient
);
await checkCertErrorGeneric(
certdb,
ee_cert,
SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA
Ci.nsIX509CertDB.verifyUsageTLSServerCA
);
await checkCertErrorGeneric(
certdb,
ee_cert,
SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailSigner
Ci.nsIX509CertDB.verifyUsageEmailSigner
);
await checkCertErrorGeneric(
certdb,
ee_cert,
SEC_ERROR_UNTRUSTED_ISSUER,
certificateUsageEmailRecipient
Ci.nsIX509CertDB.verifyUsageEmailRecipient
);
// inherited EMAIL Trust
@@ -241,31 +241,31 @@ async function test_ca_distrust(ee_cert, cert_to_modify_trust, isRootCA) {
certdb,
ee_cert,
PRErrorCodeSuccess,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
await checkCertErrorGeneric(
certdb,
ee_cert,
isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
certificateUsageSSLClient
Ci.nsIX509CertDB.verifyUsageTLSClient
);
await checkCertErrorGeneric(
certdb,
ee_cert,
SEC_ERROR_CA_CERT_INVALID,
certificateUsageSSLCA
Ci.nsIX509CertDB.verifyUsageTLSServerCA
);
await checkCertErrorGeneric(
certdb,
ee_cert,
isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
certificateUsageEmailSigner
Ci.nsIX509CertDB.verifyUsageEmailSigner
);
await checkCertErrorGeneric(
certdb,
ee_cert,
isRootCA ? SEC_ERROR_UNKNOWN_ISSUER : PRErrorCodeSuccess,
certificateUsageEmailRecipient
Ci.nsIX509CertDB.verifyUsageEmailRecipient
);
}
@@ -310,24 +310,24 @@ add_task(async function () {
certdb,
ee_cert,
PRErrorCodeSuccess,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
await checkCertErrorGeneric(
certdb,
ee_cert,
PRErrorCodeSuccess,
certificateUsageSSLClient
Ci.nsIX509CertDB.verifyUsageTLSClient
);
await checkCertErrorGeneric(
certdb,
ee_cert,
PRErrorCodeSuccess,
certificateUsageEmailSigner
Ci.nsIX509CertDB.verifyUsageEmailSigner
);
await checkCertErrorGeneric(
certdb,
ee_cert,
PRErrorCodeSuccess,
certificateUsageEmailRecipient
Ci.nsIX509CertDB.verifyUsageEmailRecipient
);
});

4
security/manager/ssl/tests/unit/test_cert_version.js
View File

@@ -51,7 +51,7 @@ function checkEndEntity(cert, expectedResult) {
certdb,
cert,
expectedResult,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
}
@@ -60,7 +60,7 @@ function checkIntermediate(cert, expectedResult) {
certdb,
cert,
expectedResult,
certificateUsageSSLCA
Ci.nsIX509CertDB.verifyUsageTLSServerCA
);
}

34
security/manager/ssl/tests/unit/test_crlite_filters.js
View File

@@ -543,7 +543,7 @@ add_task(async function test_crlite_confirm_revocations_mode() {
certdb,
validCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
undefined,
"vpn.worldofspeed.org",
@@ -558,7 +558,7 @@ add_task(async function test_crlite_confirm_revocations_mode() {
certdb,
revokedCert,
SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
undefined,
"us-datarecovery.com",
@@ -587,7 +587,7 @@ add_task(async function test_crlite_confirm_revocations_mode() {
certdb,
revokedCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
undefined,
"us-datarecovery.com",
@@ -653,7 +653,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb,
validCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"vpn.worldofspeed.org",
@@ -665,7 +665,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb,
revokedCert,
SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"us-datarecovery.com",
@@ -680,7 +680,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb,
revokedInStashCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"stokedmoto.com",
@@ -709,7 +709,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb,
revokedInStashCert,
SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"stokedmoto.com",
@@ -724,7 +724,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb,
revokedInStash2Cert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"icsreps.com",
@@ -753,7 +753,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb,
revokedInStash2Cert,
SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"icsreps.com",
@@ -765,7 +765,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb,
validCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"vpn.worldofspeed.org",
@@ -776,7 +776,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb,
revokedCert,
SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"us-datarecovery.com",
@@ -787,7 +787,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb,
revokedInStashCert,
SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"stokedmoto.com",
@@ -814,7 +814,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb,
noSCTCert,
SEC_ERROR_OCSP_SERVER_ERROR,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"mail233.messagelabs.com",
@@ -828,7 +828,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb,
validCert,
SEC_ERROR_OCSP_SERVER_ERROR,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"vpn.worldofspeed.org",
@@ -875,7 +875,7 @@ async function test_crlite_filters_and_check_revocation(filter_type) {
certdb,
revokedCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"us-datarecovery.com",
@@ -938,7 +938,7 @@ add_task(async function test_crlite_clubcard_bad_coverage_in_remote_settings() {
certdb,
validCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"vpn.worldofspeed.org",
@@ -950,7 +950,7 @@ add_task(async function test_crlite_clubcard_bad_coverage_in_remote_settings() {
certdb,
revokedCert,
SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"us-datarecovery.com",

16
security/manager/ssl/tests/unit/test_crlite_preexisting.js
View File

@@ -44,7 +44,7 @@ add_task(async function test_preexisting_crlite_data() {
certdb,
revokedCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"us-datarecovery.com",
@@ -68,7 +68,7 @@ add_task(async function test_preexisting_crlite_data() {
certdb,
validCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"vpn.worldofspeed.org",
@@ -84,7 +84,7 @@ add_task(async function test_preexisting_crlite_data() {
certdb,
validCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"vpn.worldofspeed.org",
@@ -95,7 +95,7 @@ add_task(async function test_preexisting_crlite_data() {
certdb,
revokedCert,
SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"us-datarecovery.com",
@@ -120,7 +120,7 @@ add_task(async function test_preexisting_crlite_data() {
certdb,
revokedInStashCert,
SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"stokedmoto.com",
@@ -134,7 +134,7 @@ add_task(async function test_preexisting_crlite_data() {
certdb,
revokedInStash2Cert,
SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"icsreps.com",
@@ -157,7 +157,7 @@ add_task(async function test_preexisting_crlite_data() {
certdb,
noSCTCert,
SEC_ERROR_OCSP_SERVER_ERROR,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
false,
"mail233.messagelabs.com",
@@ -174,7 +174,7 @@ add_task(async function test_preexisting_crlite_data() {
certdb,
notCoveredCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2022-01-07T00:00:00Z").getTime() / 1000,
false,
"peekaboophonics.com",

2
security/manager/ssl/tests/unit/test_crlite_stash_corrupted.js
View File

@@ -71,7 +71,7 @@ add_task(async function test_crlite_stash_corrupted() {
certdb,
revokedCert,
SEC_ERROR_REVOKED_CERTIFICATE,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
new Date("2020-10-20T00:00:00Z").getTime() / 1000,
undefined,
"us-datarecovery.com",

4
security/manager/ssl/tests/unit/test_enterprise_roots.js
View File

@@ -55,7 +55,9 @@ async function check_some_enterprise_roots_imported(nssComponent, certDB) {
foundNonBuiltIn = true;
savedDBKey = cert.dbKey;
info("saving dbKey from " + cert.commonName);
await asyncTestCertificateUsages(certDB, cert, [certificateUsageSSLCA]);
await asyncTestCertificateUsages(certDB, cert, [
Ci.nsIX509CertDB.verifyUsageTLSServerCA,
]);
break;
}
}

4
security/manager/ssl/tests/unit/test_ev_certs.js
View File

@@ -105,7 +105,7 @@ function asyncTestEV(
);
certdb.asyncVerifyCertAtTime(
cert,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
0,
"ev-test.example.com",
now,
@@ -170,7 +170,7 @@ function verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, expectSuccess) {
Ci.nsIX509CertDB.FLAG_LOCAL_ONLY | Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
certdb.asyncVerifyCertAtTime(
cert,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
flags,
"ev-test.example.com",
now,

15
security/manager/ssl/tests/unit/test_intermediate_basic_usage_constraints.js
View File

@@ -29,13 +29,16 @@ function test_cert_for_usages(certChainNicks, expected_usages) {
add_task(async function () {
let ee_usages = [
certificateUsageSSLClient,
certificateUsageSSLServer,
certificateUsageEmailSigner,
certificateUsageEmailRecipient,
Ci.nsIX509CertDB.verifyUsageTLSClient,
Ci.nsIX509CertDB.verifyUsageTLSServer,
Ci.nsIX509CertDB.verifyUsageEmailSigner,
Ci.nsIX509CertDB.verifyUsageEmailRecipient,
];
let ca_usages = [Ci.nsIX509CertDB.verifyUsageTLSServerCA];
let eku_usages = [
Ci.nsIX509CertDB.verifyUsageTLSClient,
Ci.nsIX509CertDB.verifyUsageTLSServer,
];
let ca_usages = [certificateUsageSSLCA];
let eku_usages = [certificateUsageSSLClient, certificateUsageSSLServer];
// Load the ca into mem
let ca_name = "ca";

14
security/manager/ssl/tests/unit/test_intermediate_preloads.js
View File

@@ -157,7 +157,7 @@ add_task(async function test_preload_empty() {
certDB,
ee_cert,
SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
});
@@ -210,7 +210,7 @@ add_task(async function test_preload_invalid_hash() {
certDB,
ee_cert,
SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
});
@@ -245,7 +245,7 @@ add_task(async function test_preload_invalid_length() {
certDB,
ee_cert,
SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
});
@@ -275,13 +275,13 @@ add_task(async function test_preload_basic() {
certDB,
ee_cert,
SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
await checkCertErrorGeneric(
certDB,
ee_cert_2,
SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
let intermediateBytes = readFile(
@@ -323,7 +323,7 @@ add_task(async function test_preload_basic() {
certDB,
ee_cert,
PRErrorCodeSuccess,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
let localDB = await IntermediatePreloadsClient.client.db;
@@ -345,7 +345,7 @@ add_task(async function test_preload_basic() {
certDB,
ee_cert_2,
SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
});

2
security/manager/ssl/tests/unit/test_keysize.js
View File

@@ -54,7 +54,7 @@ function checkChain(
certdb,
eeCert,
eeExpectedError,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
}

2
security/manager/ssl/tests/unit/test_keysize_ev.js
View File

@@ -62,7 +62,7 @@ async function keySizeTestForEV(
await checkEVStatus(
certDB,
constructCertFromFile(`test_keysize_ev/${endEntityCertFileName}.pem`),
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
expectedResult
);

4
security/manager/ssl/tests/unit/test_name_constraints.js
View File

@@ -42,7 +42,7 @@ function checkCertNotInNameSpace(cert) {
certdb,
cert,
SEC_ERROR_CERT_NOT_IN_NAME_SPACE,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
}
@@ -51,7 +51,7 @@ function checkCertInNameSpace(cert) {
certdb,
cert,
PRErrorCodeSuccess,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
}

12
security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
View File

@@ -46,7 +46,7 @@ async function testOff() {
await checkEVStatus(
gCertDB,
certFromFile("test-oid-path-ee"),
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
false
);
await stopOCSPResponder(ocspResponder);
@@ -58,7 +58,7 @@ async function testOff() {
gCertDB,
certFromFile("non-ev-root-path-ee"),
PRErrorCodeSuccess,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
await stopOCSPResponder(ocspResponder);
}
@@ -75,7 +75,7 @@ async function testOn() {
await checkEVStatus(
gCertDB,
certFromFile("test-oid-path-ee"),
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
gEVExpected
);
await stopOCSPResponder(ocspResponder);
@@ -88,7 +88,7 @@ async function testOn() {
gCertDB,
certFromFile("non-ev-root-path-ee"),
PRErrorCodeSuccess,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
await stopOCSPResponder(ocspResponder);
}
@@ -107,7 +107,7 @@ async function testEVOnly() {
await checkEVStatus(
gCertDB,
certFromFile("test-oid-path-ee"),
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
gEVExpected
);
await stopOCSPResponder(ocspResponder);
@@ -119,7 +119,7 @@ async function testEVOnly() {
gCertDB,
certFromFile("non-ev-root-path-ee"),
PRErrorCodeSuccess,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
await stopOCSPResponder(ocspResponder);
}

2
security/manager/ssl/tests/unit/test_ocsp_url.js
View File

@@ -36,7 +36,7 @@ function check_cert_err(cert_name, expected_error) {
certdb,
cert,
expected_error,
certificateUsageSSLServer
Ci.nsIX509CertDB.verifyUsageTLSServer
);
}

2
security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js
View File

@@ -89,7 +89,7 @@ add_task(async function () {
certDB,
allowlistedCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
VALIDATION_TIME
);
});

6
security/manager/ssl/tests/unit/test_self_signed_certs.js
View File

@@ -59,7 +59,7 @@ add_task(async function test_no_overlong_path_building() {
certDB,
certToVerify,
SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageSSLCA,
Ci.nsIX509CertDB.verifyUsageTLSServerCA,
date.getTime() / 1000
);
}
@@ -82,7 +82,7 @@ add_task(async function test_no_bad_signature() {
certDB,
selfSignedCert,
MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
false,
"example.com"
);
@@ -102,7 +102,7 @@ add_task(async function test_no_inadequate_key_usage() {
certDB,
selfSignedCert,
MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT,
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
false,
"example.com"
);

2
security/manager/ssl/tests/unit/test_validity.js
View File

@@ -64,7 +64,7 @@ async function doEVTest(
await checkEVStatus(
certDB,
certFromFile(`${endEntityCertFileName}.pem`),
certificateUsageSSLServer,
Ci.nsIX509CertDB.verifyUsageTLSServer,
expectedResult
);