Bug 1690331 - enable AES for importing PKCS12 files r=bbeurdouche

InitializeCipherSuite() in nsNSSComponent.cpp controls which encryption schemes
are allowed when decrypting PKCS12 files. Before this patch, the AES ciphers
were not enabled, which prevented importing PKCS12 files that used AES.
This patch fixes this and adds a test.

Differential Revision: https://phabricator.services.mozilla.com/D104567

security/manager/ssl/nsNSSComponent.cpp

@@ -2737,6 +2737,9 @@ nsresult InitializeCipherSuite() {
   SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1);
   SEC_PKCS12EnableCipher(PKCS12_DES_56, 1);
   SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1);
+  SEC_PKCS12EnableCipher(PKCS12_AES_CBC_128, 1);
+  SEC_PKCS12EnableCipher(PKCS12_AES_CBC_192, 1);
+  SEC_PKCS12EnableCipher(PKCS12_AES_CBC_256, 1);
   SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1);
   PORT_SetUCS2_ASCIIConversionFunction(pkcs12StringEndiannessConversion);
 

security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js

@@ -31,6 +31,7 @@ let gTestcases = [
     successExpected: false,
     errorCode: Ci.nsIX509CertDB.ERROR_BAD_PASSWORD,
     checkCertExist: true,
+    certCommonName: CERT_COMMON_NAME,
   },
   // Test that importing something that isn't a PKCS12 file fails.
   {
@@ -40,6 +41,7 @@ let gTestcases = [
     successExpected: false,
     errorCode: Ci.nsIX509CertDB.ERROR_DECODE_ERROR,
     checkCertExist: true,
+    certCommonName: CERT_COMMON_NAME,
   },
   // Test that importing a PKCS12 file with the correct password succeeds.
   // This needs to be last because currently there isn't a way to delete the
@@ -52,6 +54,7 @@ let gTestcases = [
     successExpected: true,
     errorCode: Ci.nsIX509CertDB.Success,
     checkCertExist: true,
+    certCommonName: CERT_COMMON_NAME,
   },
   // Same cert file protected with empty string password
   {
@@ -61,6 +64,7 @@ let gTestcases = [
     successExpected: true,
     errorCode: Ci.nsIX509CertDB.Success,
     checkCertExist: false,
+    certCommonName: CERT_COMMON_NAME,
   },
   // Same cert file protected with no password
   {
@@ -70,6 +74,17 @@ let gTestcases = [
     successExpected: true,
     errorCode: Ci.nsIX509CertDB.Success,
     checkCertExist: false,
+    certCommonName: CERT_COMMON_NAME,
+  },
+  // Test a PKCS12 file encrypted using AES
+  {
+    name: "import PKCS12 file using AES",
+    filename: "test_certDB_import/encrypted_with_aes.p12",
+    passwordToUse: "password",
+    successExpected: true,
+    errorCode: Ci.nsIX509CertDB.Success,
+    checkCertExist: true,
+    certCommonName: "John Doe",
   },
 ];
 
@@ -91,7 +106,7 @@ function runOneTestcase(testcase) {
   info(`running ${testcase.name}`);
   if (testcase.checkCertExist) {
     ok(
-      !doesCertExist(CERT_COMMON_NAME),
+      !doesCertExist(testcase.certCommonName),
       "cert should not be in the database before import"
     );
   }
@@ -104,7 +119,7 @@ function runOneTestcase(testcase) {
   let errorCode = gCertDB.importPKCS12File(certFile, testcase.passwordToUse);
   equal(errorCode, testcase.errorCode, `verifying error code`);
   equal(
-    doesCertExist(CERT_COMMON_NAME),
+    doesCertExist(testcase.certCommonName),
     testcase.successExpected,
     `cert should${testcase.successExpected ? "" : " not"} be found now`
   );