diff options
Diffstat (limited to 'security/manager/ssl/tests/unit/test_cert_override_bits_mismatches.js')
| -rw-r--r-- | security/manager/ssl/tests/unit/test_cert_override_bits_mismatches.js | 89 |
1 files changed, 89 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/test_cert_override_bits_mismatches.js b/security/manager/ssl/tests/unit/test_cert_override_bits_mismatches.js new file mode 100644 index 000000000..83b4fdbc6 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_cert_override_bits_mismatches.js @@ -0,0 +1,89 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. +"use strict"; + +// Test that when an override exists for a (host, certificate) pair, +// connections will succeed only if the set of error bits in the override +// contains each bit in the set of encountered error bits. +// Strangely, it is possible to store an override with an empty set of error +// bits, so this tests that too. + +do_get_profile(); + +function add_override_bits_mismatch_test(host, certPath, expectedBits, + expectedError) { + const MAX_BITS = Ci.nsICertOverrideService.ERROR_UNTRUSTED | + Ci.nsICertOverrideService.ERROR_MISMATCH | + Ci.nsICertOverrideService.ERROR_TIME; + let cert = constructCertFromFile(certPath); + let certOverrideService = Cc["@mozilla.org/security/certoverride;1"] + .getService(Ci.nsICertOverrideService); + for (let overrideBits = 0; overrideBits <= MAX_BITS; overrideBits++) { + add_test(function() { + certOverrideService.clearValidityOverride(host, 8443); + certOverrideService.rememberValidityOverride(host, 8443, cert, + overrideBits, true); + run_next_test(); + }); + // The override will succeed only if the set of error bits in the override + // contains each bit in the set of expected error bits. + let successExpected = (overrideBits | expectedBits) == overrideBits; + add_connection_test(host, successExpected ? PRErrorCodeSuccess + : expectedError); + } +} + +function run_test() { + Services.prefs.setIntPref("security.OCSP.enabled", 1); + add_tls_server_setup("BadCertServer", "bad_certs"); + + let fakeOCSPResponder = new HttpServer(); + fakeOCSPResponder.registerPrefixHandler("/", function (request, response) { + response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); + }); + fakeOCSPResponder.start(8888); + + add_override_bits_mismatch_test("unknownissuer.example.com", + "bad_certs/unknownissuer.pem", + Ci.nsICertOverrideService.ERROR_UNTRUSTED, + SEC_ERROR_UNKNOWN_ISSUER); + add_override_bits_mismatch_test("mismatch.example.com", + "bad_certs/mismatch.pem", + Ci.nsICertOverrideService.ERROR_MISMATCH, + SSL_ERROR_BAD_CERT_DOMAIN); + add_override_bits_mismatch_test("expired.example.com", + "bad_certs/expired-ee.pem", + Ci.nsICertOverrideService.ERROR_TIME, + SEC_ERROR_EXPIRED_CERTIFICATE); + + add_override_bits_mismatch_test("mismatch-untrusted.example.com", + "bad_certs/mismatch-untrusted.pem", + Ci.nsICertOverrideService.ERROR_UNTRUSTED | + Ci.nsICertOverrideService.ERROR_MISMATCH, + SEC_ERROR_UNKNOWN_ISSUER); + add_override_bits_mismatch_test("untrusted-expired.example.com", + "bad_certs/untrusted-expired.pem", + Ci.nsICertOverrideService.ERROR_UNTRUSTED | + Ci.nsICertOverrideService.ERROR_TIME, + SEC_ERROR_UNKNOWN_ISSUER); + add_override_bits_mismatch_test("mismatch-expired.example.com", + "bad_certs/mismatch-expired.pem", + Ci.nsICertOverrideService.ERROR_MISMATCH | + Ci.nsICertOverrideService.ERROR_TIME, + SSL_ERROR_BAD_CERT_DOMAIN); + + add_override_bits_mismatch_test("mismatch-untrusted-expired.example.com", + "bad_certs/mismatch-untrusted-expired.pem", + Ci.nsICertOverrideService.ERROR_UNTRUSTED | + Ci.nsICertOverrideService.ERROR_MISMATCH | + Ci.nsICertOverrideService.ERROR_TIME, + SEC_ERROR_UNKNOWN_ISSUER); + + add_test(function () { + fakeOCSPResponder.stop(run_next_test); + }); + + run_next_test(); +} |