diff options
Diffstat (limited to 'security/manager/ssl/tests/unit/test_session_resumption.js')
-rw-r--r-- | security/manager/ssl/tests/unit/test_session_resumption.js | 159 |
1 files changed, 159 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/test_session_resumption.js b/security/manager/ssl/tests/unit/test_session_resumption.js new file mode 100644 index 000000000..eea6b5f54 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_session_resumption.js @@ -0,0 +1,159 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ +"use strict"; + +// Tests that PSM makes the correct determination of the security status of +// loads involving session resumption (i.e. when a TLS handshake bypasses the +// AuthCertificate callback). + +do_get_profile(); +const certdb = Cc["@mozilla.org/security/x509certdb;1"] + .getService(Ci.nsIX509CertDB); + +do_register_cleanup(() => { + Services.prefs.clearUserPref("security.OCSP.enabled"); +}); + +Services.prefs.setIntPref("security.OCSP.enabled", 1); + +addCertFromFile(certdb, "bad_certs/evroot.pem", "CTu,,"); +addCertFromFile(certdb, "bad_certs/ev-test-intermediate.pem", ",,"); + +// For expired.example.com, the platform will make a connection that will fail. +// Using information gathered at that point, an override will be added and +// another connection will be made. This connection will succeed. At that point, +// as long as the session cache isn't cleared, subsequent new connections should +// use session resumption, thereby bypassing the AuthCertificate hook. We need +// to ensure that the correct security state is propagated to the new connection +// information object. +function add_resume_non_ev_with_override_test() { + // This adds the override and makes one successful connection. + add_cert_override_test("expired.example.com", + Ci.nsICertOverrideService.ERROR_TIME, + SEC_ERROR_EXPIRED_CERTIFICATE); + + // This connects again, using session resumption. Note that we don't clear + // the TLS session cache between these operations (that would defeat the + // purpose). + add_connection_test("expired.example.com", PRErrorCodeSuccess, null, + (transportSecurityInfo) => { + ok(transportSecurityInfo.securityState & + Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN, + "expired.example.com should have STATE_CERT_USER_OVERRIDDEN flag"); + let sslStatus = transportSecurityInfo + .QueryInterface(Ci.nsISSLStatusProvider) + .SSLStatus; + ok(!sslStatus.isDomainMismatch, + "expired.example.com should not have isDomainMismatch set"); + ok(sslStatus.isNotValidAtThisTime, + "expired.example.com should have isNotValidAtThisTime set"); + ok(!sslStatus.isUntrusted, + "expired.example.com should not have isUntrusted set"); + ok(!sslStatus.isExtendedValidation, + "expired.example.com should not have isExtendedValidation set"); + } + ); +} + +// Helper function that adds a test that connects to ev-test.example.com and +// verifies that it validates as EV (or not, if we're running a non-debug +// build). This assumes that an appropriate OCSP responder is running or that +// good responses are cached. +function add_one_ev_test() { + add_connection_test("ev-test.example.com", PRErrorCodeSuccess, null, + (transportSecurityInfo) => { + ok(!(transportSecurityInfo.securityState & + Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN), + "ev-test.example.com should not have STATE_CERT_USER_OVERRIDDEN flag"); + let sslStatus = transportSecurityInfo + .QueryInterface(Ci.nsISSLStatusProvider) + .SSLStatus; + ok(!sslStatus.isDomainMismatch, + "ev-test.example.com should not have isDomainMismatch set"); + ok(!sslStatus.isNotValidAtThisTime, + "ev-test.example.com should not have isNotValidAtThisTime set"); + ok(!sslStatus.isUntrusted, + "ev-test.example.com should not have isUntrusted set"); + ok(!gEVExpected || sslStatus.isExtendedValidation, + "ev-test.example.com should have isExtendedValidation set " + + "(or this is a non-debug build)"); + } + ); +} + +// This test is similar, except with extended validation. We should connect +// successfully, and the certificate should be EV in debug builds. Without +// clearing the session cache, we should connect successfully again, this time +// with session resumption. The certificate should again be EV in debug builds. +function add_resume_ev_test() { + const SERVER_PORT = 8888; + let expectedRequestPaths = gEVExpected ? [ "ev-test-intermediate", "ev-test" ] + : [ "ev-test" ]; + let responseTypes = gEVExpected ? [ "good", "good" ] : [ "good" ]; + // Since we cache OCSP responses, we only ever actually serve one set. + let ocspResponder = startOCSPResponder(SERVER_PORT, "localhost", "bad_certs", + expectedRequestPaths, + expectedRequestPaths.slice(), + null, responseTypes); + // We should be able to connect and verify the certificate as EV (in debug + // builds). + add_one_ev_test(); + // We should be able to connect again (using session resumption). In debug + // builds, the certificate should be noted as EV. Again, it's important that + // nothing clears the TLS cache in between these two operations. + add_one_ev_test(); + + add_test(() => { + ocspResponder.stop(run_next_test); + }); +} + +const statsPtr = getSSLStatistics(); +const toInt32 = ctypes.Int64.lo; +const GOOD_DOMAIN = "good.include-subdomains.pinning.example.com"; + +// Connect to the same domain with two origin attributes and check if any ssl +// session is resumed. +function add_origin_attributes_test(originAttributes1, originAttributes2, + resumeExpected) { + add_connection_test(GOOD_DOMAIN, PRErrorCodeSuccess, clearSessionCache, null, + null, originAttributes1); + + let hitsBeforeConnect; + let missesBeforeConnect; + let expectedHits = resumeExpected ? 1 : 0; + let expectedMisses = 1 - expectedHits; + + add_connection_test(GOOD_DOMAIN, PRErrorCodeSuccess, + function() { + // Add the hits and misses before connection. + let stats = statsPtr.contents; + hitsBeforeConnect = toInt32(stats.sch_sid_cache_hits); + missesBeforeConnect = + toInt32(stats.sch_sid_cache_misses); + }, + function() { + let stats = statsPtr.contents; + equal(toInt32(stats.sch_sid_cache_hits), + hitsBeforeConnect + expectedHits, + "Unexpected cache hits"); + equal(toInt32(stats.sch_sid_cache_misses), + missesBeforeConnect + expectedMisses, + "Unexpected cache misses"); + }, null, originAttributes2); +} + +function run_test() { + add_tls_server_setup("BadCertServer", "bad_certs"); + add_resume_non_ev_with_override_test(); + add_resume_ev_test(); + add_origin_attributes_test({}, {}, true); + add_origin_attributes_test({ userContextId: 1 }, { userContextId: 2 }, false); + add_origin_attributes_test({ userContextId: 3 }, { userContextId: 3 }, true); + add_origin_attributes_test({ firstPartyDomain: "foo.com" }, + { firstPartyDomain: "bar.com" }, false); + add_origin_attributes_test({ firstPartyDomain: "baz.com" }, + { firstPartyDomain: "baz.com" }, true); + run_next_test(); +} |