diff options
author | Moonchild <git-repo@palemoon.org> | 2020-03-29 10:26:15 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-03-29 10:26:15 +0200 |
commit | f2b6fd2481ae5e7381a938d52f7d8f14bfc4f5c2 (patch) | |
tree | be450c52feb21fc7807208ae54a792fdc53c2994 /security/manager/ssl/tests/unit/test_pinning_header_parsing.js | |
parent | 568ea8deaa4fa5f07b6987e75d35e53eb3af66dd (diff) | |
parent | 0afd46b48d5e7d1ca7109c687368b7de23e267c5 (diff) | |
download | UXP-f2b6fd2481ae5e7381a938d52f7d8f14bfc4f5c2.tar UXP-f2b6fd2481ae5e7381a938d52f7d8f14bfc4f5c2.tar.gz UXP-f2b6fd2481ae5e7381a938d52f7d8f14bfc4f5c2.tar.lz UXP-f2b6fd2481ae5e7381a938d52f7d8f14bfc4f5c2.tar.xz UXP-f2b6fd2481ae5e7381a938d52f7d8f14bfc4f5c2.zip |
Merge pull request #1500 from MoonchildProductions/1280
Remove HPKP
Diffstat (limited to 'security/manager/ssl/tests/unit/test_pinning_header_parsing.js')
-rw-r--r-- | security/manager/ssl/tests/unit/test_pinning_header_parsing.js | 147 |
1 files changed, 0 insertions, 147 deletions
diff --git a/security/manager/ssl/tests/unit/test_pinning_header_parsing.js b/security/manager/ssl/tests/unit/test_pinning_header_parsing.js deleted file mode 100644 index 0dcf6993b..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_header_parsing.js +++ /dev/null @@ -1,147 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -"use strict"; - -// The purpose of this test is to check that parsing of HPKP headers -// is correct. - -var profileDir = do_get_profile(); -const certdb = Cc["@mozilla.org/security/x509certdb;1"] - .getService(Ci.nsIX509CertDB); -var gSSService = Cc["@mozilla.org/ssservice;1"] - .getService(Ci.nsISiteSecurityService); - -function certFromFile(cert_name) { - return constructCertFromFile("test_pinning_dynamic/" + cert_name + ".pem"); -} - -function loadCert(cert_name, trust_string) { - let cert_filename = "test_pinning_dynamic/" + cert_name + ".pem"; - addCertFromFile(certdb, cert_filename, trust_string); - return constructCertFromFile(cert_filename); -} - -function checkFailParseInvalidPin(pinValue) { - let sslStatus = new FakeSSLStatus( - certFromFile('a.pinning2.example.com-pinningroot')); - let uri = Services.io.newURI("https://a.pinning2.example.com", null, null); - throws(() => { - gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri, - pinValue, sslStatus, 0); - }, /NS_ERROR_FAILURE/, `Invalid pin "${pinValue}" should be rejected`); -} - -function checkPassValidPin(pinValue, settingPin, expectedMaxAge) { - let sslStatus = new FakeSSLStatus( - certFromFile('a.pinning2.example.com-pinningroot')); - let uri = Services.io.newURI("https://a.pinning2.example.com", null, null); - let maxAge = {}; - - // setup preconditions for the test, if setting ensure there is no previous - // state, if removing ensure there is a valid pin in place. - if (settingPin) { - gSSService.removeState(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0); - } else { - // add a known valid pin! - let validPinValue = "max-age=5000;" + VALID_PIN1 + BACKUP_PIN1; - gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri, - validPinValue, sslStatus, 0); - } - try { - gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri, - pinValue, sslStatus, 0, maxAge); - ok(true, "Valid pin should be accepted"); - } catch (e) { - ok(false, "Valid pin should have been accepted"); - } - - // check that maxAge was processed correctly - if (settingPin && expectedMaxAge) { - ok(maxAge.value == expectedMaxAge, `max-age value should be ${expectedMaxAge}`); - } - - // after processing ensure that the postconditions are true, if setting - // the host must be pinned, if removing the host must not be pinned - let hostIsPinned = gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, - "a.pinning2.example.com", 0); - if (settingPin) { - ok(hostIsPinned, "Host should be considered pinned"); - } else { - ok(!hostIsPinned, "Host should not be considered pinned"); - } -} - -function checkPassSettingPin(pinValue, expectedMaxAge) { - return checkPassValidPin(pinValue, true, expectedMaxAge); -} - -function checkPassRemovingPin(pinValue) { - return checkPassValidPin(pinValue, false); -} - -const MAX_MAX_AGE_SECONDS = 100000; -const GOOD_MAX_AGE_SECONDS = 69403; -const LONG_MAX_AGE_SECONDS = 2 * MAX_MAX_AGE_SECONDS; -const NON_ISSUED_KEY_HASH1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; -const NON_ISSUED_KEY_HASH2 = "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ="; -const PINNING_ROOT_KEY_HASH = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8="; -const MAX_AGE_ZERO = "max-age=0;"; -const VALID_PIN1 = `pin-sha256="${PINNING_ROOT_KEY_HASH}";`; -const BACKUP_PIN1 = `pin-sha256="${NON_ISSUED_KEY_HASH1}";`; -const BACKUP_PIN2 = `pin-sha256="${NON_ISSUED_KEY_HASH2}";`; -const BROKEN_PIN1 = "pin-sha256=\"jdjsjsjs\";"; -const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`; -const LONG_MAX_AGE = `max-age=${LONG_MAX_AGE_SECONDS};`; -const INCLUDE_SUBDOMAINS = "includeSubdomains;"; -const REPORT_URI = "report-uri=\"https://www.example.com/report/\";"; -const UNRECOGNIZED_DIRECTIVE = "unreconized-dir=12343;"; - -function run_test() { - Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true); - Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2); - Services.prefs.setIntPref("security.cert_pinning.max_max_age_seconds", MAX_MAX_AGE_SECONDS); - Services.prefs.setBoolPref("security.cert_pinning.process_headers_from_non_builtin_roots", true); - - loadCert("pinningroot", "CTu,CTu,CTu"); - loadCert("badca", "CTu,CTu,CTu"); - - checkFailParseInvalidPin("max-age=INVALID"); - // check that incomplete headers are failure - checkFailParseInvalidPin(GOOD_MAX_AGE); - checkFailParseInvalidPin(VALID_PIN1); - checkFailParseInvalidPin(REPORT_URI); - checkFailParseInvalidPin(UNRECOGNIZED_DIRECTIVE); - checkFailParseInvalidPin(VALID_PIN1 + BACKUP_PIN1); - checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1); - checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + BROKEN_PIN1); - // next ensure a backup pin is present - checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + VALID_PIN1); - // next section ensure duplicate directives result in failure - checkFailParseInvalidPin(GOOD_MAX_AGE + GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1); - checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1 + INCLUDE_SUBDOMAINS + INCLUDE_SUBDOMAINS); - checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1 + REPORT_URI + REPORT_URI); - checkFailParseInvalidPin("thisisinvalidtest"); - checkFailParseInvalidPin("invalid" + GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1); - - checkPassRemovingPin("max-age=0"); //test removal without terminating ';' - checkPassRemovingPin(MAX_AGE_ZERO); - checkPassRemovingPin(MAX_AGE_ZERO + VALID_PIN1); - - checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1, GOOD_MAX_AGE_SECONDS); - checkPassSettingPin(LONG_MAX_AGE + VALID_PIN1 + BACKUP_PIN1, MAX_MAX_AGE_SECONDS); - - checkPassRemovingPin(VALID_PIN1 + MAX_AGE_ZERO + VALID_PIN1); - checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1); - checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN2); - checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN2 + INCLUDE_SUBDOMAINS); - checkPassSettingPin(VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2 + INCLUDE_SUBDOMAINS); - checkPassSettingPin(VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2 + REPORT_URI + INCLUDE_SUBDOMAINS); - checkPassSettingPin(INCLUDE_SUBDOMAINS + VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2); - checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1 + UNRECOGNIZED_DIRECTIVE); - - Services.prefs.clearUserPref("security.cert_pinning.hpkp.enabled"); - Services.prefs.clearUserPref("security.cert_pinning.enforcement_level"); - Services.prefs.clearUserPref("security.cert_pinning.max_max_age_seconds"); - Services.prefs.clearUserPref("security.cert_pinning.process_headers_from_non_builtin_roots"); -} |