summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/tests/unit/test_session_resumption.js
diff options
context:
space:
mode:
Diffstat (limited to 'security/manager/ssl/tests/unit/test_session_resumption.js')
-rw-r--r--security/manager/ssl/tests/unit/test_session_resumption.js159
1 files changed, 159 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/test_session_resumption.js b/security/manager/ssl/tests/unit/test_session_resumption.js
new file mode 100644
index 000000000..eea6b5f54
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_session_resumption.js
@@ -0,0 +1,159 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that PSM makes the correct determination of the security status of
+// loads involving session resumption (i.e. when a TLS handshake bypasses the
+// AuthCertificate callback).
+
+do_get_profile();
+const certdb = Cc["@mozilla.org/security/x509certdb;1"]
+ .getService(Ci.nsIX509CertDB);
+
+do_register_cleanup(() => {
+ Services.prefs.clearUserPref("security.OCSP.enabled");
+});
+
+Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+addCertFromFile(certdb, "bad_certs/evroot.pem", "CTu,,");
+addCertFromFile(certdb, "bad_certs/ev-test-intermediate.pem", ",,");
+
+// For expired.example.com, the platform will make a connection that will fail.
+// Using information gathered at that point, an override will be added and
+// another connection will be made. This connection will succeed. At that point,
+// as long as the session cache isn't cleared, subsequent new connections should
+// use session resumption, thereby bypassing the AuthCertificate hook. We need
+// to ensure that the correct security state is propagated to the new connection
+// information object.
+function add_resume_non_ev_with_override_test() {
+ // This adds the override and makes one successful connection.
+ add_cert_override_test("expired.example.com",
+ Ci.nsICertOverrideService.ERROR_TIME,
+ SEC_ERROR_EXPIRED_CERTIFICATE);
+
+ // This connects again, using session resumption. Note that we don't clear
+ // the TLS session cache between these operations (that would defeat the
+ // purpose).
+ add_connection_test("expired.example.com", PRErrorCodeSuccess, null,
+ (transportSecurityInfo) => {
+ ok(transportSecurityInfo.securityState &
+ Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
+ "expired.example.com should have STATE_CERT_USER_OVERRIDDEN flag");
+ let sslStatus = transportSecurityInfo
+ .QueryInterface(Ci.nsISSLStatusProvider)
+ .SSLStatus;
+ ok(!sslStatus.isDomainMismatch,
+ "expired.example.com should not have isDomainMismatch set");
+ ok(sslStatus.isNotValidAtThisTime,
+ "expired.example.com should have isNotValidAtThisTime set");
+ ok(!sslStatus.isUntrusted,
+ "expired.example.com should not have isUntrusted set");
+ ok(!sslStatus.isExtendedValidation,
+ "expired.example.com should not have isExtendedValidation set");
+ }
+ );
+}
+
+// Helper function that adds a test that connects to ev-test.example.com and
+// verifies that it validates as EV (or not, if we're running a non-debug
+// build). This assumes that an appropriate OCSP responder is running or that
+// good responses are cached.
+function add_one_ev_test() {
+ add_connection_test("ev-test.example.com", PRErrorCodeSuccess, null,
+ (transportSecurityInfo) => {
+ ok(!(transportSecurityInfo.securityState &
+ Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN),
+ "ev-test.example.com should not have STATE_CERT_USER_OVERRIDDEN flag");
+ let sslStatus = transportSecurityInfo
+ .QueryInterface(Ci.nsISSLStatusProvider)
+ .SSLStatus;
+ ok(!sslStatus.isDomainMismatch,
+ "ev-test.example.com should not have isDomainMismatch set");
+ ok(!sslStatus.isNotValidAtThisTime,
+ "ev-test.example.com should not have isNotValidAtThisTime set");
+ ok(!sslStatus.isUntrusted,
+ "ev-test.example.com should not have isUntrusted set");
+ ok(!gEVExpected || sslStatus.isExtendedValidation,
+ "ev-test.example.com should have isExtendedValidation set " +
+ "(or this is a non-debug build)");
+ }
+ );
+}
+
+// This test is similar, except with extended validation. We should connect
+// successfully, and the certificate should be EV in debug builds. Without
+// clearing the session cache, we should connect successfully again, this time
+// with session resumption. The certificate should again be EV in debug builds.
+function add_resume_ev_test() {
+ const SERVER_PORT = 8888;
+ let expectedRequestPaths = gEVExpected ? [ "ev-test-intermediate", "ev-test" ]
+ : [ "ev-test" ];
+ let responseTypes = gEVExpected ? [ "good", "good" ] : [ "good" ];
+ // Since we cache OCSP responses, we only ever actually serve one set.
+ let ocspResponder = startOCSPResponder(SERVER_PORT, "localhost", "bad_certs",
+ expectedRequestPaths,
+ expectedRequestPaths.slice(),
+ null, responseTypes);
+ // We should be able to connect and verify the certificate as EV (in debug
+ // builds).
+ add_one_ev_test();
+ // We should be able to connect again (using session resumption). In debug
+ // builds, the certificate should be noted as EV. Again, it's important that
+ // nothing clears the TLS cache in between these two operations.
+ add_one_ev_test();
+
+ add_test(() => {
+ ocspResponder.stop(run_next_test);
+ });
+}
+
+const statsPtr = getSSLStatistics();
+const toInt32 = ctypes.Int64.lo;
+const GOOD_DOMAIN = "good.include-subdomains.pinning.example.com";
+
+// Connect to the same domain with two origin attributes and check if any ssl
+// session is resumed.
+function add_origin_attributes_test(originAttributes1, originAttributes2,
+ resumeExpected) {
+ add_connection_test(GOOD_DOMAIN, PRErrorCodeSuccess, clearSessionCache, null,
+ null, originAttributes1);
+
+ let hitsBeforeConnect;
+ let missesBeforeConnect;
+ let expectedHits = resumeExpected ? 1 : 0;
+ let expectedMisses = 1 - expectedHits;
+
+ add_connection_test(GOOD_DOMAIN, PRErrorCodeSuccess,
+ function() {
+ // Add the hits and misses before connection.
+ let stats = statsPtr.contents;
+ hitsBeforeConnect = toInt32(stats.sch_sid_cache_hits);
+ missesBeforeConnect =
+ toInt32(stats.sch_sid_cache_misses);
+ },
+ function() {
+ let stats = statsPtr.contents;
+ equal(toInt32(stats.sch_sid_cache_hits),
+ hitsBeforeConnect + expectedHits,
+ "Unexpected cache hits");
+ equal(toInt32(stats.sch_sid_cache_misses),
+ missesBeforeConnect + expectedMisses,
+ "Unexpected cache misses");
+ }, null, originAttributes2);
+}
+
+function run_test() {
+ add_tls_server_setup("BadCertServer", "bad_certs");
+ add_resume_non_ev_with_override_test();
+ add_resume_ev_test();
+ add_origin_attributes_test({}, {}, true);
+ add_origin_attributes_test({ userContextId: 1 }, { userContextId: 2 }, false);
+ add_origin_attributes_test({ userContextId: 3 }, { userContextId: 3 }, true);
+ add_origin_attributes_test({ firstPartyDomain: "foo.com" },
+ { firstPartyDomain: "bar.com" }, false);
+ add_origin_attributes_test({ firstPartyDomain: "baz.com" },
+ { firstPartyDomain: "baz.com" }, true);
+ run_next_test();
+}