9 files changed, 46 insertions, 5 deletions
diff --git a/devtools/client/webconsole/test/browser_webconsole_hpkp_invalid-headers.js b/devtools/client/webconsole/test/browser_webconsole_hpkp_invalid-headers.js index 3ee33669d..39870fd54 100644 --- a/devtools/client/webconsole/test/browser_webconsole_hpkp_invalid-headers.js +++ b/devtools/client/webconsole/test/browser_webconsole_hpkp_invalid-headers.js @@ -14,14 +14,18 @@ const SJS_URL = "https://example.com/browser/devtools/client/webconsole/" + "test/test_hpkp-invalid-headers.sjs"; const LEARN_MORE_URI = "https://developer.mozilla.org/docs/Web/Security/" + "Public_Key_Pinning" + DOCS_GA_PARAMS; +const HPKP_ENABLED_PREF = "security.cert_pinning.hpkp.enabled"; const NON_BUILTIN_ROOT_PREF = "security.cert_pinning.process_headers_from_" + "non_builtin_roots"; add_task(function* () { registerCleanupFunction(() => { + Services.prefs.clearUserPref(HPKP_ENABLED_PREF); Services.prefs.clearUserPref(NON_BUILTIN_ROOT_PREF); }); + Services.prefs.setBoolPref(HPKP_ENABLED_PREF, true); + yield loadTab(TEST_URI); let hud = yield openConsole(); diff --git a/devtools/shared/webconsole/test/test_network_security-hpkp.html b/devtools/shared/webconsole/test/test_network_security-hpkp.html index 55e2621a8..bc1a9642c 100644 --- a/devtools/shared/webconsole/test/test_network_security-hpkp.html +++ b/devtools/shared/webconsole/test/test_network_security-hpkp.html @@ -17,7 +17,8 @@ SimpleTest.waitForExplicitFinish(); let gCurrentTestCase = -1; -const HPKP_PREF = "security.cert_pinning.process_headers_from_non_builtin_roots"; +const HPKP_ENABLED_PREF = "security.cert_pinning.hpkp.enabled"; +const PROCESS_HPKP_FROM_NON_BUILTIN_ROOTS_PREF = "security.cert_pinning.process_headers_from_non_builtin_roots"; // Static pins tested by unit/test_security-info-static-hpkp.js. const TEST_CASES = [ 
@@ -41,11 +42,11 @@ const TEST_CASES = [ function startTest() { - // Need to enable this pref or pinning headers are rejected due test - // certificate. - Services.prefs.setBoolPref(HPKP_PREF, true); + Services.prefs.setBoolPref(HPKP_ENABLED_PREF, true); + Services.prefs.setBoolPref(PROCESS_HPKP_FROM_NON_BUILTIN_ROOTS_PREF, true); SimpleTest.registerCleanupFunction(() => { - Services.prefs.setBoolPref(HPKP_PREF, false); + Services.prefs.setBoolPref(HPKP_ENABLED_PREF, false); + Services.prefs.setBoolPref(PROCESS_HPKP_FROM_NON_BUILTIN_ROOTS_PREF, false); // Reset pinning state. let gSSService = Cc["@mozilla.org/ssservice;1"] diff --git a/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js index 4db133e43..c075428ee 100644 --- a/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js +++ b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js @@ -12,6 +12,7 @@ var { ForgetAboutSite } = Cu.import("resource://gre/modules/ForgetAboutSite.jsm", {}); do_register_cleanup(() => { + Services.prefs.clearUserPref("security.cert_pinning.hpkp.enabled"); Services.prefs.clearUserPref("security.cert_pinning.enforcement_level"); Services.prefs.clearUserPref( "security.cert_pinning.process_headers_from_non_builtin_roots"); @@ -26,6 +27,7 @@ const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`; do_get_profile(); // must be done before instantiating nsIX509CertDB +Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true); Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2); Services.prefs.setBoolPref( "security.cert_pinning.process_headers_from_non_builtin_roots", true); 
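Review bot: In test_network_security-hpkp.html, the cleanup function in startTest() forces both prefs to `false` rather than restoring their defaults, so tests that run later in the same profile may see user-set values; the other tests touched by this commit use `clearUserPref`. I would write `Services.prefs.clearUserPref(HPKP_ENABLED_PREF);` and `Services.prefs.clearUserPref(PROCESS_HPKP_FROM_NON_BUILTIN_ROOTS_PREF);` there. The hunk also removes the comment explaining why the non-builtin-roots pref is set; keeping a comment such as `// HPKP must be enabled, and headers from non-built-in roots processed, or the test certificate's pinning headers are rejected.` above the two setBoolPref calls would preserve that. startTest() continues outside the hunk.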
@@ -44,6 +46,26 @@ var uri = Services.io.newURI("https://a.pinning2.example.com", null, null); var sslStatus = new FakeSSLStatus(constructCertFromFile( "test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem")); + // Test that with HPKP disabled, processing HPKP headers results in no + // information being saved. + add_task(async function() { + Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", false); + sss.processHeader( + Ci.nsISiteSecurityService.HEADER_HPKP, + uri, + GOOD_MAX_AGE + VALID_PIN + BACKUP_PIN, + secInfo, + 0, + Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST + ); + + Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true); + Assert.ok( + !sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0), + "a.pinning.example.com should not be HPKP" + ); + }); + // Test the normal case of processing HSTS and HPKP headers for // a.pinning2.example.com, using "Forget About Site" on a.pinning2.example.com, // and then checking that the platform doesn't consider a.pinning2.example.com diff --git a/security/manager/ssl/tests/unit/test_ocsp_must_staple.js b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js index 24b32d6bc..ece1757ac 100644 --- a/security/manager/ssl/tests/unit/test_ocsp_must_staple.js +++ b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js @@ -28,6 +28,7 @@ function add_tests() { PRErrorCodeSuccess, true); add_test(() => { + Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true); Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 1); Services.prefs.setBoolPref("security.cert_pinning.process_headers_from_non_builtin_roots", true); let uri = Services.io.newURI("https://ocsp-stapling-must-staple-ee-with-must-staple-int.example.com", 
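Review bot: The new add_task in test_forget_about_site_security_headers.js passes `secInfo` to processHeader(), but the only certificate object set up in the visible context is `sslStatus` (`var sslStatus = new FakeSSLStatus(...)` just above). Unless `secInfo` is defined outside this hunk, the call throws a ReferenceError and the task fails while the pref is still set to false. Even when the call succeeds, a header rejected for any reason other than the disabled pref also satisfies `!sss.isSecureURI(...)`, so the check is only meaningful alongside the enabled-case task that follows. The assertion message names a.pinning.example.com while `uri` is https://a.pinning2.example.com; it should read `"a.pinning2.example.com should not be HPKP"`.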
@@ -45,6 +46,7 @@ function add_tests() { // Clear accumulated state. ssservice.removeState(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0); + Services.prefs.clearUserPref("security.cert_pinning.hpkp.enabled"); Services.prefs.clearUserPref("security.cert_pinning.process_headers_from_non_builtin_roots"); Services.prefs.clearUserPref("security.cert_pinning.enforcement_level"); run_next_test(); diff --git a/security/manager/ssl/tests/unit/test_pinning.js b/security/manager/ssl/tests/unit/test_pinning.js index 4d3c2fac8..f18182002 100644 --- a/security/manager/ssl/tests/unit/test_pinning.js +++ b/security/manager/ssl/tests/unit/test_pinning.js @@ -246,6 +246,9 @@ function check_pinning_telemetry() { } function run_test() { + // Ensure that static pinning works when HPKP is disabled. + Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", false); + add_tls_server_setup("BadCertServer", "bad_certs"); // Add a user-specified trust anchor. diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic.js b/security/manager/ssl/tests/unit/test_pinning_dynamic.js index 2c314b53a..7333ad6b3 100644 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic.js +++ b/security/manager/ssl/tests/unit/test_pinning_dynamic.js @@ -41,6 +41,7 @@ const NON_ISSUED_KEY_HASH = "KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN="; const PINNING_ROOT_KEY_HASH = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8="; function run_test() { + Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true); Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2); let stateFile = profileDir.clone(); diff --git a/security/manager/ssl/tests/unit/test_pinning_header_parsing.js b/security/manager/ssl/tests/unit/test_pinning_header_parsing.js index fb4b32353..0dcf6993b 100644 --- a/security/manager/ssl/tests/unit/test_pinning_header_parsing.js +++ b/security/manager/ssl/tests/unit/test_pinning_header_parsing.js 
@@ -98,6 +98,7 @@ const REPORT_URI = "report-uri=\"https://www.example.com/report/\";"; const UNRECOGNIZED_DIRECTIVE = "unreconized-dir=12343;"; function run_test() { + Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true); Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2); Services.prefs.setIntPref("security.cert_pinning.max_max_age_seconds", MAX_MAX_AGE_SECONDS); Services.prefs.setBoolPref("security.cert_pinning.process_headers_from_non_builtin_roots", true); @@ -138,4 +139,9 @@ function run_test() { checkPassSettingPin(VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2 + REPORT_URI + INCLUDE_SUBDOMAINS); checkPassSettingPin(INCLUDE_SUBDOMAINS + VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2); checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1 + UNRECOGNIZED_DIRECTIVE); + + Services.prefs.clearUserPref("security.cert_pinning.hpkp.enabled"); + Services.prefs.clearUserPref("security.cert_pinning.enforcement_level"); + Services.prefs.clearUserPref("security.cert_pinning.max_max_age_seconds"); + Services.prefs.clearUserPref("security.cert_pinning.process_headers_from_non_builtin_roots"); } diff --git a/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js b/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js index d4165f7f4..1ca277da4 100644 --- a/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js +++ b/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js @@ -31,6 +31,7 @@ function checkStateRead(aSubject, aTopic, aData) { } function run_test() { + Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true); let profileDir = do_get_profile(); let stateFile = profileDir.clone(); stateFile.append(SSS_STATE_FILE_NAME); diff --git a/security/manager/ssl/tests/unit/test_sss_savestate.js b/security/manager/ssl/tests/unit/test_sss_savestate.js index a4d8b5297..fefa64ea6 100644 --- a/security/manager/ssl/tests/unit/test_sss_savestate.js +++ b/security/manager/ssl/tests/unit/test_sss_savestate.js 
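Review bot: The four `clearUserPref` calls added at the end of run_test() in test_pinning_header_parsing.js run only if every check above them completes; if one of them throws, the prefs stay set. Registering the reset up front with `do_register_cleanup(() => { ... })`, as test_forget_about_site_security_headers.js does in this same commit, would make it unconditional. The run_test() hunks in test_pinning_dynamic.js, test_sss_readstate_garbage.js and test_sss_savestate.js set `security.cert_pinning.hpkp.enabled` with no visible reset, though their bodies continue outside the hunks.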
@@ -96,6 +96,7 @@ function checkStateWritten(aSubject, aTopic, aData) { } function run_test() { + Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true); Services.prefs.setIntPref("test.datastorage.write_timer_ms", 100); gProfileDir = do_get_profile(); let SSService = Cc["@mozilla.org/ssservice;1"] |