summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp')
-rw-r--r--security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp141
1 files changed, 141 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
new file mode 100644
index 000000000..348dcfc5c
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
@@ -0,0 +1,141 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a standalone server that uses various bad certificates.
+// The client is expected to connect, initiate an SSL handshake (with SNI
+// to indicate which "server" to connect to), and verify the certificate.
+// If all is good, the client then sends one encrypted byte and receives that
+// same byte back.
+// This server also has the ability to "call back" another process waiting on
+// it. That is, when the server is all set up and ready to receive connections,
+// it will connect to a specified port and issue a simple HTTP request.
+
+#include <stdio.h>
+
+#include "TLSServer.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+struct BadCertHost
+{
+ const char *mHostName;
+ const char *mCertName;
+};
+
+// Hostname, cert nickname pairs.
+const BadCertHost sBadCertHosts[] =
+{
+ { "expired.example.com", "expired-ee" },
+ { "notyetvalid.example.com", "notYetValid" },
+ { "before-epoch.example.com", "beforeEpoch" },
+ { "selfsigned.example.com", "selfsigned" },
+ { "unknownissuer.example.com", "unknownissuer" },
+ { "mismatch.example.com", "mismatch" },
+ { "mismatch-CN.example.com", "mismatchCN" },
+ { "expiredissuer.example.com", "expiredissuer" },
+ { "notyetvalidissuer.example.com", "notYetValidIssuer" },
+ { "before-epoch-issuer.example.com", "beforeEpochIssuer" },
+ { "md5signature.example.com", "md5signature" },
+ { "untrusted.example.com", "default-ee" },
+ { "untrustedissuer.example.com", "untrustedissuer" },
+ { "mismatch-expired.example.com", "mismatch-expired" },
+ { "mismatch-notYetValid.example.com", "mismatch-notYetValid" },
+ { "mismatch-untrusted.example.com", "mismatch-untrusted" },
+ { "untrusted-expired.example.com", "untrusted-expired" },
+ { "md5signature-expired.example.com", "md5signature-expired" },
+ { "mismatch-untrusted-expired.example.com", "mismatch-untrusted-expired" },
+ { "inadequatekeyusage.example.com", "inadequatekeyusage-ee" },
+ { "selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU" },
+ { "self-signed-end-entity-with-cA-true.example.com", "self-signed-EE-with-cA-true" },
+ { "ca-used-as-end-entity.example.com", "ca-used-as-end-entity" },
+ { "ca-used-as-end-entity-name-mismatch.example.com", "ca-used-as-end-entity" },
+ // All of include-subdomains.pinning.example.com is pinned to End Entity
+ // Test Cert with nick default-ee. Any other nick will only
+ // pass pinning when security.cert_pinning.enforcement.level != strict and
+ // otherCA is added as a user-specified trust anchor. See StaticHPKPins.h.
+ { "include-subdomains.pinning.example.com", "default-ee" },
+ { "good.include-subdomains.pinning.example.com", "default-ee" },
+ { "bad.include-subdomains.pinning.example.com", "other-issuer-ee" },
+ { "bad.include-subdomains.pinning.example.com.", "other-issuer-ee" },
+ { "bad.include-subdomains.pinning.example.com..", "other-issuer-ee" },
+ { "exclude-subdomains.pinning.example.com", "default-ee" },
+ { "sub.exclude-subdomains.pinning.example.com", "other-issuer-ee" },
+ { "test-mode.pinning.example.com", "other-issuer-ee" },
+ { "unknownissuer.include-subdomains.pinning.example.com", "unknownissuer" },
+ { "unknownissuer.test-mode.pinning.example.com", "unknownissuer" },
+ { "nsCertTypeNotCritical.example.com", "nsCertTypeNotCritical" },
+ { "nsCertTypeCriticalWithExtKeyUsage.example.com", "nsCertTypeCriticalWithExtKeyUsage" },
+ { "nsCertTypeCritical.example.com", "nsCertTypeCritical" },
+ { "end-entity-issued-by-v1-cert.example.com", "eeIssuedByV1Cert" },
+ { "end-entity-issued-by-non-CA.example.com", "eeIssuedByNonCA" },
+ { "inadequate-key-size-ee.example.com", "inadequateKeySizeEE" },
+ { "badSubjectAltNames.example.com", "badSubjectAltNames" },
+ { "ipAddressAsDNSNameInSAN.example.com", "ipAddressAsDNSNameInSAN" },
+ { "noValidNames.example.com", "noValidNames" },
+ { "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", "idn-certificate" },
+ { "emptyissuername.example.com", "emptyIssuerName" },
+ { "ev-test.example.com", "ev-test" },
+ { nullptr, nullptr }
+};
+
+int32_t
+DoSNISocketConfigBySubjectCN(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize)
+{
+ for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
+ UniquePORTString name(
+ static_cast<char*>(PORT_ZAlloc(aSrvNameArr[i].len + 1)));
+ if (name) {
+ PORT_Memcpy(name.get(), aSrvNameArr[i].data, aSrvNameArr[i].len);
+ if (ConfigSecureServerWithNamedCert(aFd, name.get(), nullptr, nullptr)
+ == SECSuccess) {
+ return 0;
+ }
+ }
+ }
+
+ return SSL_SNI_SEND_ALERT;
+}
+
+int32_t
+DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+ uint32_t aSrvNameArrSize, void* aArg)
+{
+ const BadCertHost* host = GetHostForSNI(aSrvNameArr, aSrvNameArrSize,
+ sBadCertHosts);
+ if (!host) {
+ // No static cert <-> hostname mapping found. This happens when we use a
+ // collection of certificates in a given directory and build a cert DB at
+ // runtime, rather than using an NSS cert DB populated at build time.
+ // (This will be the default in the future.)
+ // For all given server names, check if the runtime-built cert DB contains
+ // a certificate with a matching subject CN.
+ return DoSNISocketConfigBySubjectCN(aFd, aSrvNameArr, aSrvNameArrSize);
+ }
+
+ if (gDebugLevel >= DEBUG_VERBOSE) {
+ fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+ }
+
+ UniqueCERTCertificate cert;
+ SSLKEAType certKEA;
+ if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName,
+ &cert, &certKEA)) {
+ return SSL_SNI_SEND_ALERT;
+ }
+
+ return 0;
+}
+
+int
+main(int argc, char *argv[])
+{
+ if (argc != 2) {
+ fprintf(stderr, "usage: %s <NSS DB directory>\n", argv[0]);
+ return 1;
+ }
+
+ return StartServer(argv[1], DoSNISocketConfig, nullptr);
+}