File: RTCPeerConnection-generateCertificate.html

<!doctype html>
<meta charset="utf-8">
<!-- WPT harness hint: run this file with the extended ("long") timeout. -->
<meta name="timeout" content="long">
<title>Test RTCPeerConnection.generateCertificate</title>
<!-- testharness.js supplies promise_test and the assert_* / promise_rejects_* helpers used below. -->
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<!-- Vendored SDP parser; expected to provide the SDPUtils global used by the fingerprint test. -->
<script src="./third_party/sdp/sdp.js"></script>
<script>
  'use strict';

  // Test is based on the following editor draft:
  // https://w3c.github.io/webrtc-pc/archives/20170515/webrtc.html

  /*
   *  4.10. Certificate Management
   *    partial interface RTCPeerConnection {
   *      static Promise<RTCCertificate> generateCertificate(
   *        AlgorithmIdentifier keygenAlgorithm);
   *    };
   *
   *  4.10.2. RTCCertificate Interface
   *    interface RTCCertificate {
   *      readonly attribute DOMTimeStamp expires;
   *      ...
   *    };
   *
   *  [WebCrypto]
   *  11. Algorithm Dictionary
   *    typedef (object or DOMString) AlgorithmIdentifier;
   */

  /*
   *  4.10. The following values must be supported by a user agent:
   *        { name: "RSASSA-PKCS1-v1_5", modulusLength: 2048,
   *          publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" },
   *        and { name: "ECDSA", namedCurve: "P-256" }.
   */
  // One subtest per RSA modulus size. Of the two, only 2048 bits belongs to the
  // mandatory parameter set quoted above.
  // NOTE(review): 1024-bit RSA is below the 2048-bit floor in current key-size
  // guidance (e.g. NIST SP 800-131A), and the 4.10 rejection rule quoted further
  // down this file lets a user agent answer an algorithm it will not use with
  // NotSupportedError. A failing 1024 subtest can therefore be a deliberate
  // hardening choice rather than a regression.
  for (const modulusLength of [1024, 2048]) {
    promise_test(async t => {
      const cert = await RTCPeerConnection.generateCertificate({
        name: 'RSASSA-PKCS1-v1_5',
        modulusLength,
        // Big-endian bytes 01 00 01, i.e. the public exponent 65537.
        publicExponent: new Uint8Array([1, 0, 1]),
        hash: 'SHA-256'
      });

      assert_true(cert instanceof RTCCertificate,
        'Expect cert to be instance of RTCCertificate');

      // The only lifetime check made here is "expires later than now".
      assert_greater_than(cert.expires, Date.now(),
        'Expect generated certificate to expire reasonably long after current time');
    }, `generateCertificate({modulusLength: ${modulusLength}}) with RSASSA-PKCS1-v1_5 parameters should succeed`);
  }

  // ECDSA over P-256 is the second parameter set a user agent must support.
  // The test name (including its spelling) is kept as-is, since harness results
  // are reported under it.
  promise_test(async t => {
    const ecdsaParams = {
      name: 'ECDSA',
      namedCurve: 'P-256'
    };
    const cert = await RTCPeerConnection.generateCertificate(ecdsaParams);

    assert_true(cert instanceof RTCCertificate,
      'Expect cert to be instance of RTCCertificate');

    // With no explicit lifetime requested, expiry must still lie in the future.
    assert_greater_than(cert.expires, Date.now(),
      'Expect generated certificate to expire reasonably long after current time');
  }, 'generateCertificate() with compulsary ECDSA parameters should succeed');

  /*
   *  4.10. A user agent must reject a call to generateCertificate() with a
   *        DOMException of type NotSupportedError if the keygenAlgorithm
   *        parameter identifies an algorithm that the user agent cannot or
   *        will not use to generate a certificate for RTCPeerConnection.
   */
  // An unrecognised algorithm name passed as a plain string must be refused
  // with NotSupportedError instead of falling back to some default key type.
  promise_test(t => {
    const pending = RTCPeerConnection.generateCertificate('invalid-algo');
    return promise_rejects_dom(t, 'NotSupportedError', pending);
  }, 'generateCertificate() with invalid string algorithm should reject with NotSupportedError');

  // Same rejection, with the unknown name supplied in dictionary form.
  promise_test(t => {
    const pending = RTCPeerConnection.generateCertificate({
      name: 'invalid-algo'
    });
    return promise_rejects_dom(t, 'NotSupportedError', pending);
  }, 'generateCertificate() with invalid algorithm dict should reject with NotSupportedError');

  // Hash-downgrade guard: the parameters match the mandatory RSA set except for
  // the hash. SHA-1 is collision-broken, so a certificate signed with it must
  // not be produced; the call has to reject with NotSupportedError.
  promise_test(t => {
    const pending = RTCPeerConnection.generateCertificate({
      name: 'RSASSA-PKCS1-v1_5',
      modulusLength: 2048,
      publicExponent: new Uint8Array([1, 0, 1]),
      hash: 'SHA-1'
    });
    return promise_rejects_dom(t, 'NotSupportedError', pending);
  }, 'generateCertificate with RSASSA-PKCS1-v1_5 parameters and SHA-1 signature should reject with NotSupportedError');

  /*
   *  4.10.1. Dictionary RTCCertificateExpiration
   *    dictionary RTCCertificateExpiration {
   *      [EnforceRange]
   *      DOMTimeStamp expires;
   *    };
   *
   *    If this parameter is present it indicates the maximum time that
   *    the RTCCertificate is valid for relative to the current time.
   *
   *    When generateCertificate is called with an object argument,
   *    the user agent attempts to convert the object into a
   *    RTCCertificateExpiration. If this is unsuccessful, immediately
   *    return a promise that is rejected with a newly created TypeError
   *    and abort processing.
   */

  // A 2000 ms lifetime is requested; the resulting expiry is compared against
  // the wall-clock time sampled just before the call.
  promise_test(async t => {
    const start = Date.now();
    const cert = await RTCPeerConnection.generateCertificate({
      name: 'ECDSA',
      namedCurve: 'P-256',
      expires: 2000
    });
    // 1000 ms of tolerance on either side of start + 2000.
    assert_approx_equals(cert.expires, start+2000, 1000);
  }, 'generateCertificate() with valid expires parameter should succeed');

  // expires: 0 requests a zero lifetime, so by the time the promise resolves
  // the certificate's expiry must not lie in the future.
  // NOTE(review): webrtc-pc has the RTCPeerConnection constructor refuse an
  // expired certificate (InvalidAccessError); this file does not exercise that.
  promise_test(async t => {
    const cert = await RTCPeerConnection.generateCertificate({
      name: 'ECDSA',
      namedCurve: 'P-256',
      expires: 0
    });
    assert_less_than_equal(cert.expires, Date.now());
  }, 'generateCertificate() with 0 expires parameter should generate expired cert');

  // [EnforceRange] on the unsigned DOMTimeStamp makes a negative lifetime a
  // conversion error. Without it, -1 would wrap to the largest 64-bit value,
  // i.e. an effectively non-expiring certificate.
  promise_test(t => {
    const pending = RTCPeerConnection.generateCertificate({
      name: 'ECDSA',
      namedCurve: 'P-256',
      expires: -1
    });
    return promise_rejects_js(t, TypeError, pending);
  }, 'generateCertificate() with invalid range for expires should reject with TypeError');

  // A non-numeric lifetime converts to NaN, which [EnforceRange] rejects with
  // TypeError instead of silently coercing it to 0.
  promise_test(t => {
    const pending = RTCPeerConnection.generateCertificate({
      name: 'ECDSA',
      namedCurve: 'P-256',
      expires: 'invalid'
    });
    return promise_rejects_js(t, TypeError, pending);
  }, 'generateCertificate() with invalid type for expires should reject with TypeError');

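  // Checks that the certificate handed to the RTCPeerConnection constructor is
  // the one advertised in the offer. The a=fingerprint value in the SDP is what
  // the remote peer compares the DTLS certificate against, so a mismatch here
  // would mean the offer announces a different identity than the configured one.
  promise_test(async t => {
    const cert = await RTCPeerConnection.generateCertificate({
      name: 'ECDSA',
      namedCurve: 'P-256',
    });

    const pc = new RTCPeerConnection({certificates: [cert]});
    // Close the connection when the test ends (pass or fail) so it is not
    // left open for the remainder of the file.
    t.add_cleanup(() => pc.close());

    // A data channel gives the offer a media section to carry DTLS parameters.
    pc.createDataChannel('wpt');
    const offer = await pc.createOffer();

    // sections[0] is the session part, sections[1] the first media section.
    const sections = SDPUtils.splitSections(offer.sdp);
    const dtlsParameters = SDPUtils.getDtlsParameters(sections[1], sections[0]);
    const certFingerprints = cert.getFingerprints();

    // Fail with a readable message rather than a TypeError on [0] below.
    assert_greater_than(certFingerprints.length, 0,
      'Expect certificate to expose at least one fingerprint');
    assert_greater_than(dtlsParameters.fingerprints.length, 0,
      'Expect offer SDP to carry at least one fingerprint');

    assert_equals(dtlsParameters.fingerprints[0].algorithm, certFingerprints[0].algorithm,
      'Expect SDP fingerprint algorithm to match the certificate');
    // https://www.rfc-editor.org/rfc/rfc4572#section-5 requires uppercase hex in the SDP.
    // (RFC 4572 has since been obsoleted by RFC 8122.)
    assert_equals(dtlsParameters.fingerprints[0].value, certFingerprints[0].value.toUpperCase(),
      'Expect SDP fingerprint value to match the certificate, in uppercase hex');
  }, 'generateCertificate() certificate fingerprint shows up in the SDP');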

</script>