moebius#119: (Windows) Security - Certificate Stores - NSSCertDBTrustDomain allows end-entities to be their own trust anchors

https://github.com/MoonchildProductions/moebius/pull/119
janekptacijarabaci
2018-04-23 09:10:12 +02:00
parent c30ebdac27
commit c3ec00a152
3 changed files with 31 additions and 6 deletions
@@ -208,9 +208,31 @@ function run_test() {
setCertTrust(ca_cert, ",,");
setCertTrust(int_cert, ",,");
// It turns out that if an end-entity certificate is manually trusted, it can
// be the root of its own verified chain. This will be removed in bug 1294580.
setCertTrust(ee_cert, "C,,");
// If an end-entity certificate is manually trusted, it may not be the root of
// its own verified chain. In general this will cause "unknown issuer" errors
// unless a CA trust anchor can be found.
setCertTrust(ee_cert, "CTu,CTu,CTu");
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageEmailRecipient);
checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER,
certificateUsageObjectSigner);
// Now make a CA trust anchor available.
setCertTrust(ca_cert, "CTu,CTu,CTu");
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLServer);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageSSLClient);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailSigner);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageEmailRecipient);
checkCertErrorGeneric(certdb, ee_cert, PRErrorCodeSuccess,
certificateUsageObjectSigner);
}
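Review bot: The negative phase only exercises the all-flags trust string `"CTu,CTu,CTu"` on `ee_cert`, so the narrower SSL-only setting `"C,,"` from the older line is no longer regression-tested. The +/- markers are lost on this page, so that line being removed is inferred from the two contradicting comments. Since `"C,,"` is the configuration the old comment says let an end-entity root its own chain, I would keep an explicit case for it before the `CTu` block while `ca_cert` is still `",,"`: `setCertTrust(ee_cert, "C,,");` followed by `checkCertErrorGeneric(certdb, ee_cert, SEC_ERROR_UNKNOWN_ISSUER, certificateUsageSSLServer);`. The later success checks run with `ee_cert` still manually trusted, so they show only that some anchor was found; a short comment that the anchor guarantee rests on the preceding unknown-issuer checks would help. `run_test()` begins outside this hunk, so earlier trust state is not visible here.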