From 0afd46b48d5e7d1ca7109c687368b7de23e267c5 Mon Sep 17 00:00:00 2001 
From: wolfbeast
Date: Sat, 28 Mar 2020 11:02:10 +0100
Subject: Issue #1280 - Part 2: Remove HPKP tests.
---
 security/manager/ssl/tests/unit/test_pinning.js | 266 ---------------------
 .../manager/ssl/tests/unit/test_pinning_dynamic.js | 243 -------------------
 .../a.pinning2.example.com-badca.pem | 18 --
 .../a.pinning2.example.com-badca.pem.certspec | 5 -
 .../a.pinning2.example.com-pinningroot.pem | 18 --
 ...a.pinning2.example.com-pinningroot.pem.certspec | 4 -
 .../a.preload.example.com-badca.pem | 18 --
 .../a.preload.example.com-badca.pem.certspec | 5 -
 .../a.preload.example.com-pinningroot.pem | 18 --
 .../a.preload.example.com-pinningroot.pem.certspec | 4 -
 .../b.pinning2.example.com-badca.pem | 18 --
 .../b.pinning2.example.com-badca.pem.certspec | 5 -
 .../b.pinning2.example.com-pinningroot.pem | 18 --
 ...b.pinning2.example.com-pinningroot.pem.certspec | 4 -
 .../b.preload.example.com-badca.pem | 18 --
 .../b.preload.example.com-badca.pem.certspec | 5 -
 .../b.preload.example.com-pinningroot.pem | 18 --
 .../b.preload.example.com-pinningroot.pem.certspec | 4 -
 .../ssl/tests/unit/test_pinning_dynamic/badca.pem | 17 --
 .../unit/test_pinning_dynamic/badca.pem.certspec | 6 -
 .../ssl/tests/unit/test_pinning_dynamic/moz.build | 26 --
 .../unit/test_pinning_dynamic/pinningroot.pem | 18 --
 .../test_pinning_dynamic/pinningroot.pem.certspec | 4 -
 .../x.a.pinning2.example.com-badca.pem | 18 --
 .../x.a.pinning2.example.com-badca.pem.certspec | 5 -
 .../x.a.pinning2.example.com-pinningroot.pem | 18 --
 ...a.pinning2.example.com-pinningroot.pem.certspec | 4 -
 .../x.b.pinning2.example.com-badca.pem | 18 --
 .../x.b.pinning2.example.com-badca.pem.certspec | 5 -
 .../x.b.pinning2.example.com-pinningroot.pem | 18 --
 ...b.pinning2.example.com-pinningroot.pem.certspec | 4 -
 .../ssl/tests/unit/test_pinning_header_parsing.js | 147 ------------
 .../manager/ssl/tests/unit/test_sts_holepunch.js | 34 ---
 security/manager/ssl/tests/unit/xpcshell.ini | 9 -
 34 files changed, 1040 deletions(-)
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning.js
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic.js
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-badca.pem
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-badca.pem.certspec
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem.certspec
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-badca.pem
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-badca.pem.certspec
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-pinningroot.pem
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-pinningroot.pem.certspec
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-badca.pem
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-badca.pem.certspec
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-pinningroot.pem
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-pinningroot.pem.certspec
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-badca.pem
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-badca.pem.certspec
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-pinningroot.pem
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-pinningroot.pem.certspec
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/badca.pem
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/badca.pem.certspec
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/moz.build
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/pinningroot.pem
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/pinningroot.pem.certspec
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-badca.pem
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-badca.pem.certspec
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-pinningroot.pem
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-pinningroot.pem.certspec
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-badca.pem
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-badca.pem.certspec
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-pinningroot.pem
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-pinningroot.pem.certspec
 delete mode 100644 security/manager/ssl/tests/unit/test_pinning_header_parsing.js
 delete mode 100644 security/manager/ssl/tests/unit/test_sts_holepunch.js
(limited to 'security')
diff --git a/security/manager/ssl/tests/unit/test_pinning.js b/security/manager/ssl/tests/unit/test_pinning.js
deleted file mode 100644
index f18182002..000000000
--- a/security/manager/ssl/tests/unit/test_pinning.js
+++ /dev/null
@@ -1,266 +0,0 @@
-// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
-// This Source Code Form is subject to the terms of the Mozilla Public
-// License, v. 2.0. If a copy of the MPL was not distributed with this
-// file, You can obtain one at http://mozilla.org/MPL/2.0/.
-//
-// For all cases, the acceptable pinset includes only certificates pinned to
-// Test End Entity Cert (signed by issuer testCA). Other certificates
-// are issued by otherCA, which is never in the pinset but is a user-specified
-// trust anchor. This test covers multiple cases:
-//
-// Pinned domain include-subdomains.pinning.example.com includes subdomains
-// - PASS: include-subdomains.pinning.example.com serves a correct cert
-// - PASS: good.include-subdomains.pinning.example.com serves a correct cert
-// - FAIL (strict): bad.include-subdomains.pinning.example.com serves a cert
-// not in the pinset
-// - PASS (mitm): bad.include-subdomains.pinning.example.com serves a cert not
-// in the pinset, but issued by a user-specified trust domain
-//
-// Pinned domain exclude-subdomains.pinning.example.com excludes subdomains
-// - PASS: exclude-subdomains.pinning.example.com serves a correct cert
-// - FAIL: exclude-subdomains.pinning.example.com serves an incorrect cert
-// (TODO: test using verifyCertNow)
-// - PASS: sub.exclude-subdomains.pinning.example.com serves an incorrect cert
-
-"use strict";
-
-do_get_profile(); // must be called before getting nsIX509CertDB
-const certdb = Cc["@mozilla.org/security/x509certdb;1"]
- .getService(Ci.nsIX509CertDB);
-
-function add_clear_override(host) {
- add_test(function() {
- let certOverrideService = Cc["@mozilla.org/security/certoverride;1"]
- .getService(Ci.nsICertOverrideService);
- certOverrideService.clearValidityOverride(host, 8443);
- run_next_test();
- });
-}
-
-function test_strict() {
- // In strict mode, we always evaluate pinning data, regardless of whether the
- // issuer is a built-in trust anchor. We only enforce pins that are not in
- // test mode.
- add_test(function() {
- Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
- run_next_test();
- });
-
- // Normally this is overridable. But, since we have pinning information for
- // this host, we don't allow overrides.
- add_prevented_cert_override_test(
- "unknownissuer.include-subdomains.pinning.example.com",
- Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- SEC_ERROR_UNKNOWN_ISSUER);
- add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
-
- // Issued by otherCA, which is not in the pinset for pinning.example.com.
- add_connection_test("bad.include-subdomains.pinning.example.com",
- MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
-
- // Check that using a FQDN doesn't bypass pinning.
- add_connection_test("bad.include-subdomains.pinning.example.com.",
- MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
- // For some reason this is also navigable (see bug 1118522).
- add_connection_test("bad.include-subdomains.pinning.example.com..",
- MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
-
- // These domains serve certs that match the pinset.
- add_connection_test("include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("good.include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("exclude-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
-
- // This domain serves a cert that doesn't match the pinset, but subdomains
- // are excluded.
- add_connection_test("sub.exclude-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
-
- // This domain's pinset is exactly the same as
- // include-subdomains.pinning.example.com, serves the same cert as
- // bad.include-subdomains.pinning.example.com, but it should pass because
- // it's in test_mode.
- add_connection_test("test-mode.pinning.example.com",
- PRErrorCodeSuccess);
- // Similarly, this pin is in test-mode, so it should be overridable.
- add_cert_override_test("unknownissuer.test-mode.pinning.example.com",
- Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- SEC_ERROR_UNKNOWN_ISSUER);
- add_clear_override("unknownissuer.test-mode.pinning.example.com");
-}
-
-function test_mitm() {
- // In MITM mode, we allow pinning to pass if the chain resolves to any
- // user-specified trust anchor, even if it is not in the pinset.
- add_test(function() {
- Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 1);
- run_next_test();
- });
-
- add_connection_test("include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("good.include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
-
- // Normally this is overridable. But, since we have pinning information for
- // this host, we don't allow overrides (since building a trusted chain fails,
- // we have no reason to believe this was issued by a user-added trust
- // anchor, so we can't allow overrides for it).
- add_prevented_cert_override_test(
- "unknownissuer.include-subdomains.pinning.example.com",
- Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- SEC_ERROR_UNKNOWN_ISSUER);
- add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
-
- // In this case, even though otherCA is not in the pinset, it is a
- // user-specified trust anchor and the pinning check succeeds.
- add_connection_test("bad.include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
-
- add_connection_test("exclude-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("sub.exclude-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess);
- add_cert_override_test("unknownissuer.test-mode.pinning.example.com",
- Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- SEC_ERROR_UNKNOWN_ISSUER);
- add_clear_override("unknownissuer.test-mode.pinning.example.com");
-}
-
-function test_disabled() {
- // Disable pinning.
- add_test(function() {
- Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 0);
- run_next_test();
- });
-
- add_connection_test("include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("good.include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("bad.include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("exclude-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("sub.exclude-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess);
-
- add_cert_override_test("unknownissuer.include-subdomains.pinning.example.com",
- Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- SEC_ERROR_UNKNOWN_ISSUER);
- add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
- add_cert_override_test("unknownissuer.test-mode.pinning.example.com",
- Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- SEC_ERROR_UNKNOWN_ISSUER);
- add_clear_override("unknownissuer.test-mode.pinning.example.com");
-}
-
-function test_enforce_test_mode() {
- // In enforce test mode, we always enforce all pins, even test pins.
- add_test(function() {
- Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 3);
- run_next_test();
- });
-
- // Normally this is overridable. But, since we have pinning information for
- // this host, we don't allow overrides.
- add_prevented_cert_override_test(
- "unknownissuer.include-subdomains.pinning.example.com",
- Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- SEC_ERROR_UNKNOWN_ISSUER);
- add_clear_override("unknownissuer.include-subdomains.pinning.example.com");
-
- // Issued by otherCA, which is not in the pinset for pinning.example.com.
- add_connection_test("bad.include-subdomains.pinning.example.com",
- MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
-
- // These domains serve certs that match the pinset.
- add_connection_test("include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("good.include-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
- add_connection_test("exclude-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
-
- // This domain serves a cert that doesn't match the pinset, but subdomains
- // are excluded.
- add_connection_test("sub.exclude-subdomains.pinning.example.com",
- PRErrorCodeSuccess);
-
- // This domain's pinset is exactly the same as
- // include-subdomains.pinning.example.com, serves the same cert as
- // bad.include-subdomains.pinning.example.com, is in test-mode, but we are
- // enforcing test mode pins.
- add_connection_test("test-mode.pinning.example.com",
- MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
- // Normally this is overridable. But, since we have pinning information for
- // this host (and since we're enforcing test mode), we don't allow overrides.
- add_prevented_cert_override_test(
- "unknownissuer.test-mode.pinning.example.com",
- Ci.nsICertOverrideService.ERROR_UNTRUSTED,
- SEC_ERROR_UNKNOWN_ISSUER);
- add_clear_override("unknownissuer.test-mode.pinning.example.com");
-}
-
-function check_pinning_telemetry() {
- let service = Cc["@mozilla.org/base/telemetry;1"].getService(Ci.nsITelemetry);
- let prod_histogram = service.getHistogramById("CERT_PINNING_RESULTS")
- .snapshot();
- let test_histogram = service.getHistogramById("CERT_PINNING_TEST_RESULTS")
- .snapshot();
- // Because all of our test domains are pinned to user-specified trust
- // anchors, effectively only strict mode and enforce test-mode get evaluated
- equal(prod_histogram.counts[0], 4,
- "Actual and expected prod (non-Mozilla) failure count should match");
- equal(prod_histogram.counts[1], 4,
- "Actual and expected prod (non-Mozilla) success count should match");
- equal(test_histogram.counts[0], 2,
- "Actual and expected test (non-Mozilla) failure count should match");
- equal(test_histogram.counts[1], 0,
- "Actual and expected test (non-Mozilla) success count should match");
-
- let moz_prod_histogram = service.getHistogramById("CERT_PINNING_MOZ_RESULTS")
- .snapshot();
- let moz_test_histogram =
- service.getHistogramById("CERT_PINNING_MOZ_TEST_RESULTS").snapshot();
- equal(moz_prod_histogram.counts[0], 0,
- "Actual and expected prod (Mozilla) failure count should match");
- equal(moz_prod_histogram.counts[1], 0,
- "Actual and expected prod (Mozilla) success count should match");
- equal(moz_test_histogram.counts[0], 0,
- "Actual and expected test (Mozilla) failure count should match");
- equal(moz_test_histogram.counts[1], 0,
- "Actual and expected test (Mozilla) success count should match");
-
- let per_host_histogram =
- service.getHistogramById("CERT_PINNING_MOZ_RESULTS_BY_HOST").snapshot();
- equal(per_host_histogram.counts[0], 0,
- "Actual and expected per host (Mozilla) failure count should match");
- equal(per_host_histogram.counts[1], 2,
- "Actual and expected per host (Mozilla) success count should match");
- run_next_test();
-}
-
-function run_test() {
- // Ensure that static pinning works when HPKP is disabled.
- Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", false);
-
- add_tls_server_setup("BadCertServer", "bad_certs");
-
- // Add a user-specified trust anchor.
- addCertFromFile(certdb, "bad_certs/other-test-ca.pem", "CTu,u,u");
-
- test_strict();
- test_mitm();
- test_disabled();
- test_enforce_test_mode();
-
- add_test(function () {
- check_pinning_telemetry();
- });
- run_next_test();
-}
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic.js b/security/manager/ssl/tests/unit/test_pinning_dynamic.js
deleted file mode 100644
index 60e85e041..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic.js
+++ /dev/null
@@ -1,243 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-"use strict";
-
-// The purpose of this test is to create a site security service state file
-// and see that the site security service reads it properly.
-
-function writeLine(aLine, aOutputStream) {
- aOutputStream.write(aLine, aLine.length);
-}
-
-var gSSService = null;
-var gSSSStateSeen = false;
-var gPreloadStateSeen = false;
-
-var profileDir = do_get_profile();
-var certdb;
-
-function certFromFile(cert_name) {
- return constructCertFromFile("test_pinning_dynamic/" + cert_name + ".pem");
-}
-
-function loadCert(cert_name, trust_string) {
- let cert_filename = "test_pinning_dynamic/" + cert_name + ".pem";
- addCertFromFile(certdb, cert_filename, trust_string);
- return constructCertFromFile(cert_filename);
-}
-
-function checkOK(cert, hostname) {
- return checkCertErrorGeneric(certdb, cert, PRErrorCodeSuccess,
- certificateUsageSSLServer, {}, hostname);
-}
-
-function checkFail(cert, hostname) {
- return checkCertErrorGeneric(certdb, cert, MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE,
- certificateUsageSSLServer, {}, hostname);
-}
-
-const NON_ISSUED_KEY_HASH = "KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN=";
-const PINNING_ROOT_KEY_HASH = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=";
-
-function run_test() {
- Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
- Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
-
- let stateFile = profileDir.clone();
- stateFile.append(SSS_STATE_FILE_NAME);
- // Assuming we're working with a clean slate, the SSS_STATE file shouldn't
- // exist until we create it.
- ok(!stateFile.exists(),
- "State file should not exist when working with a clean slate");
- let outputStream = FileUtils.openFileOutputStream(stateFile);
- let now = (new Date()).getTime();
- writeLine(`a.pinning2.example.com:HPKP\t0\t0\t${now + 100000},1,0,${PINNING_ROOT_KEY_HASH}\n`, outputStream);
- writeLine(`b.pinning2.example.com:HPKP\t0\t0\t${now + 100000},1,1,${PINNING_ROOT_KEY_HASH}\n`, outputStream);
-
- outputStream.close();
-
- let preloadFile = profileDir.clone();
- preloadFile.append(PRELOAD_STATE_FILE_NAME);
- ok(!preloadFile.exists(),
- "Preload file should not exist when working with a clean slate");
-
- outputStream = FileUtils.openFileOutputStream(preloadFile);
- writeLine(`a.preload.example.com:HPKP\t0\t0\t${now + 100000},1,1,${PINNING_ROOT_KEY_HASH}\n`, outputStream);
- outputStream.close();
-
- Services.obs.addObserver(checkStateRead, "data-storage-ready", false);
- do_test_pending();
- gSSService = Cc["@mozilla.org/ssservice;1"]
- .getService(Ci.nsISiteSecurityService);
- notEqual(gSSService, null,
- "SiteSecurityService should have initialized successfully using" +
- " the generated state file");
-}
-
-function checkDefaultSiteHPKPStatus() {
- ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
- "a.pinning2.example.com", 0),
- "a.pinning2.example.com should have HPKP status");
- ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
- "x.a.pinning2.example.com", 0),
- "x.a.pinning2.example.com should not have HPKP status");
- ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
- "b.pinning2.example.com", 0),
- "b.pinning2.example.com should have HPKP status");
- ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
- "x.b.pinning2.example.com", 0),
- "x.b.pinning2.example.com should have HPKP status");
-}
-
-function checkStateRead(aSubject, aTopic, aData) {
- if (aData == SSS_STATE_FILE_NAME) {
- gSSSStateSeen = true;
- } else if (aData == PRELOAD_STATE_FILE_NAME) {
- gPreloadStateSeen = true;
- } else {
- throw new Error("Observed data should either be the Site Security " +
- "Service state file name or the preload file name");
- }
-
- if (!gSSSStateSeen || !gPreloadStateSeen) {
- return;
- }
-
- notEqual(gSSService, null, "SiteSecurityService should be initialized");
-
- // Initializing the certificate DB will cause NSS-initialization, which in
- // turn initializes the site security service. Since we're in part testing
- // that the site security service correctly reads its state file, we have to
- // make sure it doesn't start up before we've populated the file
- certdb = Cc["@mozilla.org/security/x509certdb;1"]
- .getService(Ci.nsIX509CertDB);
-
- loadCert("pinningroot", "CTu,CTu,CTu");
- loadCert("badca", "CTu,CTu,CTu");
-
- // the written entry is for a.pinning2.example.com without subdomains
- // and b.pinning2.example.com with subdomains
- checkFail(certFromFile('a.pinning2.example.com-badca'), "a.pinning2.example.com");
- checkOK(certFromFile('a.pinning2.example.com-pinningroot'), "a.pinning2.example.com");
- checkOK(certFromFile('x.a.pinning2.example.com-badca'), "x.a.pinning2.example.com");
- checkOK(certFromFile('x.a.pinning2.example.com-pinningroot'), "x.a.pinning2.example.com");
-
- checkFail(certFromFile('b.pinning2.example.com-badca'), "b.pinning2.example.com");
- checkOK(certFromFile('b.pinning2.example.com-pinningroot'), "b.pinning2.example.com");
- checkFail(certFromFile('x.b.pinning2.example.com-badca'), "x.b.pinning2.example.com");
- checkOK(certFromFile('x.b.pinning2.example.com-pinningroot'), "x.b.pinning2.example.com");
-
- checkDefaultSiteHPKPStatus();
-
-
- // add includeSubdomains to a.pinning2.example.com
- gSSService.setKeyPins("a.pinning2.example.com", true,
- new Date().getTime() + 1000000, 2,
- [NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH]);
- checkFail(certFromFile('a.pinning2.example.com-badca'), "a.pinning2.example.com");
- checkOK(certFromFile('a.pinning2.example.com-pinningroot'), "a.pinning2.example.com");
- checkFail(certFromFile('x.a.pinning2.example.com-badca'), "x.a.pinning2.example.com");
- checkOK(certFromFile('x.a.pinning2.example.com-pinningroot'), "x.a.pinning2.example.com");
- checkFail(certFromFile('b.pinning2.example.com-badca'), "b.pinning2.example.com");
- checkOK(certFromFile('b.pinning2.example.com-pinningroot'), "b.pinning2.example.com");
- checkFail(certFromFile('x.b.pinning2.example.com-badca'), "x.b.pinning2.example.com");
- checkOK(certFromFile('x.b.pinning2.example.com-pinningroot'), "x.b.pinning2.example.com");
-
- ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
- "a.pinning2.example.com", 0),
- "a.pinning2.example.com should still have HPKP status after adding" +
- " includeSubdomains to a.pinning2.example.com");
- ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
- "x.a.pinning2.example.com", 0),
- "x.a.pinning2.example.com should now have HPKP status after adding" +
- " includeSubdomains to a.pinning2.example.com");
-
- // Now setpins without subdomains
- gSSService.setKeyPins("a.pinning2.example.com", false,
- new Date().getTime() + 1000000, 2,
- [NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH]);
- checkFail(certFromFile('a.pinning2.example.com-badca'), "a.pinning2.example.com");
- checkOK(certFromFile('a.pinning2.example.com-pinningroot'), "a.pinning2.example.com");
- checkOK(certFromFile('x.a.pinning2.example.com-badca'), "x.a.pinning2.example.com");
- checkOK(certFromFile('x.a.pinning2.example.com-pinningroot'), "x.a.pinning2.example.com");
-
- checkFail(certFromFile('b.pinning2.example.com-badca'), "b.pinning2.example.com");
- checkOK(certFromFile('b.pinning2.example.com-pinningroot'), "b.pinning2.example.com");
- checkFail(certFromFile('x.b.pinning2.example.com-badca'), "x.b.pinning2.example.com");
- checkOK(certFromFile('x.b.pinning2.example.com-pinningroot'), "x.b.pinning2.example.com");
-
- checkDefaultSiteHPKPStatus();
-
- // failure to insert new pin entry leaves previous pin behavior
- throws(() => {
- gSSService.setKeyPins("a.pinning2.example.com", true,
- new Date().getTime() + 1000000, 1, ["not a hash"]);
- }, /NS_ERROR_ILLEGAL_VALUE/, "Attempting to set an invalid pin should fail");
- checkFail(certFromFile('a.pinning2.example.com-badca'), "a.pinning2.example.com");
- checkOK(certFromFile('a.pinning2.example.com-pinningroot'), "a.pinning2.example.com");
- checkOK(certFromFile('x.a.pinning2.example.com-badca'), "x.a.pinning2.example.com");
- checkOK(certFromFile('x.a.pinning2.example.com-pinningroot'), "x.a.pinning2.example.com");
-
- checkFail(certFromFile('b.pinning2.example.com-badca'), "b.pinning2.example.com");
- checkOK(certFromFile('b.pinning2.example.com-pinningroot'), "b.pinning2.example.com");
- checkFail(certFromFile('x.b.pinning2.example.com-badca'), "x.b.pinning2.example.com");
- checkOK(certFromFile('x.b.pinning2.example.com-pinningroot'), "x.b.pinning2.example.com");
-
- checkDefaultSiteHPKPStatus();
-
- // Incorrect size results in failure
- throws(() => {
- gSSService.setKeyPins("a.pinning2.example.com", true,
- new Date().getTime() + 1000000, 2, ["not a hash"]);
- }, /NS_ERROR_XPC_NOT_ENOUGH_ELEMENTS_IN_ARRAY/,
- "Attempting to set a pin with an incorrect size should fail");
-
- // Ensure built-in pins work as expected
- ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
- "nonexistent.example.com", 0),
- "Not built-in nonexistent.example.com should not have HPKP status");
- ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
- "include-subdomains.pinning.example.com", 0),
- "Built-in include-subdomains.pinning.example.com should have HPKP status");
-
- gSSService.setKeyPins("a.pinning2.example.com", false, new Date().getTime(),
- 1, [NON_ISSUED_KEY_HASH]);
-
- // Check that a preload pin loaded from file works as expected
- checkFail(certFromFile("a.preload.example.com-badca"), "a.preload.example.com");
- checkOK(certFromFile("a.preload.example.com-pinningroot"), "a.preload.example.com");
-
- // Check a dynamic addition works as expected
- // first, it should succeed with the badCA - because there's no pin
- checkOK(certFromFile('b.preload.example.com-badca'), "b.preload.example.com");
- // then we add a pin, and we should get a failure (ensuring the expiry is
- // after the test timeout)
- gSSService.setKeyPins("b.preload.example.com", false,
- new Date().getTime() + 1000000, 2,
- [NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH], true);
- checkFail(certFromFile('b.preload.example.com-badca'), "b.preload.example.com");
-
- do_timeout(1250, checkExpiredState);
-}
-
-function checkExpiredState() {
- checkOK(certFromFile('a.pinning2.example.com-badca'), "a.pinning2.example.com");
- checkOK(certFromFile('a.pinning2.example.com-pinningroot'), "a.pinning2.example.com");
- checkOK(certFromFile('x.a.pinning2.example.com-badca'), "x.a.pinning2.example.com");
- checkOK(certFromFile('x.a.pinning2.example.com-pinningroot'), "x.a.pinning2.example.com");
-
- checkFail(certFromFile('b.pinning2.example.com-badca'), "b.pinning2.example.com");
- checkOK(certFromFile('b.pinning2.example.com-pinningroot'), "b.pinning2.example.com");
- checkFail(certFromFile('x.b.pinning2.example.com-badca'), "x.b.pinning2.example.com");
- checkOK(certFromFile('x.b.pinning2.example.com-pinningroot'), "x.b.pinning2.example.com");
- checkPreloadClear();
-}
-
-function checkPreloadClear() {
- // Check that the preloaded pins still work after private data is cleared
- gSSService.clearAll();
- checkFail(certFromFile('b.preload.example.com-badca'), "b.preload.example.com");
-
- do_test_finished();
-}
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-badca.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-badca.pem
deleted file mode 100644
index 102a3bbda..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-badca.pem
+++ /dev/null
@@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC3TCCAcegAwIBAgIUXdB7LgBGZoRV1UmEFcsOhMigpB0wCwYJKoZIhvcNAQEL -MBAxDjAMBgNVBAMMBWJhZGNhMCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAxODAyMDUw -MDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9Rv -plraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYn -YLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ -ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM -5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2Fn -JCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMlMCMwIQYD -VR0RBBowGIIWYS5waW5uaW5nMi5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEB -AAKhpX2t/Bz9//u1DYyLZ6dLSJt121Vb58s8gQvI/7n6MdUP1IniQLbtPW+7wnV0 -6LYagJQ11ZUJMxYUs6lB91yhwAO9NoN4QJWWB0i23DoZ6cg4dHmYKmQQ/HRndwm+ -EATkJSnBAk8O2xmIm8CXbJ0W0lvaXEjzRfeoiEjQ0/THeo4hXvGOMPm31d+r4ji5 -/u2+9jrpTII0kjCwFjqC97lPID14s9QRMqMB1CCV6fgT19EGYi9I7H6mnyukkmfX -9wOhLHSk6A2l5+5eJrZYXLOhcS31VBd54sb1Vvg+Bp05HMYjo051JcRlvxoIUsHT -JQDn8QrzwZBDBh4Pie3AwOM= ------END CERTIFICATE----- \ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-badca.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-badca.pem.certspec deleted file mode 100644 index f365b8a18..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-badca.pem.certspec +++ /dev/null @@ -1,5 +0,0 @@ -issuer:badca -subject:test end-entity -issuerKey:alternate -subjectKey:alternate -extension:subjectAlternativeName:a.pinning2.example.com diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem deleted file mode 100644 index 2439b5775..000000000 
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC4zCCAc2gAwIBAgIUPQgjdPeWdWy/0oKRi+5Lr7JJorMwCwYJKoZIhvcNAQEL -MBYxFDASBgNVBAMMC3Bpbm5pbmdyb290MCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAx -ODAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxK -zSKxy9RvplraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEG -zwi+moYnYLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHX -KVp/ccW+ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBp -mIpD/uSM5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6 -kKqLx2FnJCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMl -MCMwIQYDVR0RBBowGIIWYS5waW5uaW5nMi5leGFtcGxlLmNvbTALBgkqhkiG9w0B -AQsDggEBAFUlxnwpxOFbSxtsBthWu6xmDxeFAzP+u5YOfuKeiIGnAx70k8ODQufJ -Vm1rXvKtN5r8jR6AZh/hdA+tGhnu4+pGi9/aqWnaF1FEs2mW0saUV8atQZwNGRBO -E9FXdAHA8WmGIfRf8TOuWpmEWejjJt5Zsfs+V3ARIxjCrVE7ixyfJ/hYpmthLtYJ -5vgp0iiPjzorKeFnqooLVAfzeayRX0bE5H79NISIWq4CN/9J50ZFkRORURlANU95 -2Dcuw416b3BGrWVmWlKWOpA6NZ+Rj+AI+z9UTDpqCczTfMXMabX4EveW1GKMMYiA -eLD8SY4VQ4403eaCp6rxYFrCNOeDczs= ------END CERTIFICATE----- \ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem.certspec deleted file mode 100644 index aef72ce39..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem.certspec +++ /dev/null @@ -1,4 +0,0 @@ -issuer:pinningroot -subject:test end-entity -subjectKey:alternate -extension:subjectAlternativeName:a.pinning2.example.com 
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-badca.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-badca.pem deleted file mode 100644 index 2a157d8e6..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-badca.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC3DCCAcagAwIBAgIUKUG7kBZ72CvuLQ0uPfjKHLkKDQAwCwYJKoZIhvcNAQEL -MBAxDjAMBgNVBAMMBWJhZGNhMCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAxODAyMDUw -MDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9Rv -plraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYn -YLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ -ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM -5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2Fn -JCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMkMCIwIAYD -VR0RBBkwF4IVYS5wcmVsb2FkLmV4YW1wbGUuY29tMAsGCSqGSIb3DQEBCwOCAQEA -tx5YO8uvYac92scnMEswv4ZIslou8UYV/2mtxA+MaXf/g+MizOKeZgTI1+b9hR48 -IDOgvrqPCbn1hKY6gb2gtRI1mC5dg9T8EYEXcC1TM+ncY/l4SZUjfMhzY2iOf62x -jhDqMMt4V5uaHUxVmJQI82X5qpxH3yJ3WOC87iGZNfMB8MSbLM3lxor9OHeTlTHQ -vPb/r7cLW+ikxirDGyBBvThkvDA/8qyN5Qp6Ae1BiPeEMoScNf3fChvNV6Jyb8g8 -e9q0LnTlTuVgaDWtg7PVOxeiI+wf3Jhv9uqXQLX8JHZDKebLbQEkNcbR4DK/8wsP -uFhj0j8DY6+/YZbcF7Jgfw== ------END CERTIFICATE----- \ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-badca.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-badca.pem.certspec deleted file mode 100644 index c1cb36576..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-badca.pem.certspec +++ /dev/null @@ -1,5 +0,0 @@ -issuer:badca -subject:test end-entity -issuerKey:alternate -subjectKey:alternate -extension:subjectAlternativeName:a.preload.example.com 
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-pinningroot.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-pinningroot.pem deleted file mode 100644 index 5fa43f052..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-pinningroot.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC4jCCAcygAwIBAgIURV3mf9Dz42lALe31OAm2SYbpFaEwCwYJKoZIhvcNAQEL -MBYxFDASBgNVBAMMC3Bpbm5pbmdyb290MCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAx -ODAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxK -zSKxy9RvplraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEG -zwi+moYnYLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHX -KVp/ccW+ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBp -mIpD/uSM5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6 -kKqLx2FnJCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMk -MCIwIAYDVR0RBBkwF4IVYS5wcmVsb2FkLmV4YW1wbGUuY29tMAsGCSqGSIb3DQEB -CwOCAQEATOA0bbfg81JieQkTzr4oxBqPuFamtLSAsLpbKakikYQo2znMGNnHV7Xe -uxMGMhCIPRsiJ6jj6ZTQJNqQRKzXWEiBgREsarmJxA53ITIcO2cK2rqyetNAAwzZ -oViENmK3tLA5KT2VC9IGgMXdSE7IfXn+5yCdpKZ2ohwtkYHNkCbQIU+4KaCPa/dB -yAelZZPE0mVHJLkd5HoOsFmjFOBQuOkn9/AAOmkgBZIk1Dp833ywn/mnwLZdVsdV -+TjqWKenDJXxhO2+aCCtZbUVxKMn0TACpAA+rhjS5vigCyIZh7V4rxki9UXaOfVq -EVy4rFlRIYYtXV40HavDZoPgxuCHDw== ------END CERTIFICATE----- \ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-pinningroot.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-pinningroot.pem.certspec deleted file mode 100644 index 5c1865314..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/a.preload.example.com-pinningroot.pem.certspec +++ /dev/null 
@@ -1,4 +0,0 @@ -issuer:pinningroot -subject:test end-entity -subjectKey:alternate -extension:subjectAlternativeName:a.preload.example.com diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-badca.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-badca.pem deleted file mode 100644 index cffb37c1f..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-badca.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC3TCCAcegAwIBAgIUV89JsAhywp3graSGqjeSpMzd1B0wCwYJKoZIhvcNAQEL -MBAxDjAMBgNVBAMMBWJhZGNhMCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAxODAyMDUw -MDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9Rv -plraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYn -YLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ -ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM -5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2Fn -JCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMlMCMwIQYD -VR0RBBowGIIWYi5waW5uaW5nMi5leGFtcGxlLmNvbTALBgkqhkiG9w0BAQsDggEB -ABevzhH9/hjTBgTtUk4ytZX0A7Tu0DR5F9ooFnlUwzupHFihO+9NzEoCSIvCy3L9 -+i3LbkaiUWEHQItLjIg+aice13ZkuMp+DeZ+D/YR9ulxyY1QBYeZLQj/gSdkj/fK -uDm0Izgt8OBsgP+KFX2c2cGZyOcXmFFAwSfkLz7p2qzrmuM7r5ploNpxeHBUIxUW -jJzSFeQMfy5wflcKDBY+PDejzN9Ik4weRyERsckVgmZSJXuodb8xgYkNPvl/GOVJ -o+eDw+E3uOsdBIDrsyb+bcQTG7nBkQoSqG8M0610h0OqFhksfv/0HcB/wfW8VdU+ -+C4+tR2KfvqTCm3T6gzRWX8= ------END CERTIFICATE----- \ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-badca.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-badca.pem.certspec deleted file mode 100644 index 5aa8aaa5e..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-badca.pem.certspec +++ /dev/null 
@@ -1,5 +0,0 @@ -issuer:badca -subject:test end-entity -issuerKey:alternate -subjectKey:alternate -extension:subjectAlternativeName:b.pinning2.example.com diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-pinningroot.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-pinningroot.pem deleted file mode 100644 index 791f64b4c..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-pinningroot.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC4zCCAc2gAwIBAgIUVQNTrx+mRE96ggRLuZeFm+9uBdcwCwYJKoZIhvcNAQEL -MBYxFDASBgNVBAMMC3Bpbm5pbmdyb290MCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAx -ODAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxK -zSKxy9RvplraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEG -zwi+moYnYLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHX -KVp/ccW+ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBp -mIpD/uSM5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6 -kKqLx2FnJCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMl -MCMwIQYDVR0RBBowGIIWYi5waW5uaW5nMi5leGFtcGxlLmNvbTALBgkqhkiG9w0B -AQsDggEBAHYCfQaolF6z4IicBDTEQQVfYi4A3BcCNLTdInQlal/DHNytNRufM5TB -ccNpau5U9e10NBYWbMqRUBb/7wtYE4O7jhEWxjaHBOz5KTYLv8hjEc2wcHXfhlYM -QKmxOnA7SguSNYBdfXywav//ssLmDnB06nc2vv5NaKvIWbUv3HvfM8oRAr+NICUs -UMcIb+hjY+u/qrnOeFJxXzeqPYKMa7H+33baRgy7xnL95PxAwkz0XL8vcMFupTX5 -dL5HsSKku23C0BoE6pK39TVh758fQjCAnD+QRTH/o+dfE2sIFpRiyszdXGmh2IRR -gMSy+gJbH+zh0D9ncL0Kev0PyEuBYR4= ------END CERTIFICATE----- \ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-pinningroot.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-pinningroot.pem.certspec deleted file mode 100644 index 17f22dab5..000000000 
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.pinning2.example.com-pinningroot.pem.certspec +++ /dev/null @@ -1,4 +0,0 @@ -issuer:pinningroot -subject:test end-entity -subjectKey:alternate -extension:subjectAlternativeName:b.pinning2.example.com diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-badca.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-badca.pem deleted file mode 100644 index 4ef23a2c2..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-badca.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC3DCCAcagAwIBAgIUf2T4BVvxeCgWVp/FL3tCFNjuZYQwCwYJKoZIhvcNAQEL -MBAxDjAMBgNVBAMMBWJhZGNhMCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAxODAyMDUw -MDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9Rv -plraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYn -YLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ -ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM -5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2Fn -JCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMkMCIwIAYD -VR0RBBkwF4IVYi5wcmVsb2FkLmV4YW1wbGUuY29tMAsGCSqGSIb3DQEBCwOCAQEA -okmxK2NDRYWSAn6b1YZpLiZnoaNrM0HXHY6fkARY/9EiAApvNPxT663EKtTZn27a -JtwXP2zzlYQDRc9cxa1zBX9Tp+0sn5aqokqzoVWx4VIe/emzi9FDf3lgaYewHLez -RINv3kUZmqlw6tmMQxjd51UGyvNsi52+gcet1cPr5kBzGQv/q7iNs/lcetL3+KQF -klJ3PfI4VjFwRRYNhScxiRczklPVDySvxSNw+csUxNRunFLXIi3+WqQzYhw7R8ga -ASwozTfvVAUySOmDipCZZXAHFtlpBr6vAllfD9v8hAsrE7Bkivafr+i5HMD3DtJE -4ZedqFCkTkqKvd0fMIbOIA== ------END CERTIFICATE----- \ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-badca.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-badca.pem.certspec deleted file mode 100644 index 9901ead60..000000000 
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-badca.pem.certspec +++ /dev/null @@ -1,5 +0,0 @@ -issuer:badca -subject:test end-entity -issuerKey:alternate -subjectKey:alternate -extension:subjectAlternativeName:b.preload.example.com diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-pinningroot.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-pinningroot.pem deleted file mode 100644 index c6ea38a12..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-pinningroot.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC4jCCAcygAwIBAgIUI5rdRX/x0w0bDx6hQhc8ZhGLfqQwCwYJKoZIhvcNAQEL -MBYxFDASBgNVBAMMC3Bpbm5pbmdyb290MCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAx -ODAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxK -zSKxy9RvplraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEG -zwi+moYnYLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHX -KVp/ccW+ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBp -mIpD/uSM5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6 -kKqLx2FnJCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMk -MCIwIAYDVR0RBBkwF4IVYi5wcmVsb2FkLmV4YW1wbGUuY29tMAsGCSqGSIb3DQEB -CwOCAQEAg2VdHBLmFLJ03N9VT4uUrnpjuYY9bsvPJF2JCk9817nxBbeMf+Qn0C/o -OeoQnZRqsaFbKZ80JXmh/j4RO6T/aaQUMpk+NXrdSPddy2B3eUByF/NJqipV3M2a -CRNWUUVF+msjRWwbzJafju2nEZcD4d4cUkHHYAaRRxAHH3ylEvWmdv/brgfAPCPH -WDVaCMc3OXgHkyrLAfkMKSYTNPJ7DJn/BXET5tCzqYGRUgRnME4ON2Mmp19lsdig -dIFbm76wg6l5M+s9pqiYzODUxJXUOd6BkAR5pqB9WyIRVfBr5LGT72nv00LHVcSm -hnsti9nAtFdJx4E1lJilrnQwu0q4Iw== ------END CERTIFICATE----- \ No newline at end of file 
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-pinningroot.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-pinningroot.pem.certspec deleted file mode 100644 index 6f5807700..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/b.preload.example.com-pinningroot.pem.certspec +++ /dev/null @@ -1,4 +0,0 @@ -issuer:pinningroot -subject:test end-entity -subjectKey:alternate -extension:subjectAlternativeName:b.preload.example.com diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/badca.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/badca.pem deleted file mode 100644 index 9443a4c91..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/badca.pem +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICyzCCAbWgAwIBAgIUXQevdaeXMieCrG6ZqhI2yfACBq4wCwYJKoZIhvcNAQEL -MBAxDjAMBgNVBAMMBWJhZGNhMCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAxODAyMDUw -MDAwMDBaMBAxDjAMBgNVBAMMBWJhZGNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A -MIIBCgKCAQEAwXXGUmYJn3cIKmeR8bh2w39c5TiwbErNIrHL1G+mWtoq3UHIwkmK -xKOzwfYUh/QbaYlBvYClHDwSAkTFhKTESDMF5ROMAQbPCL6ahidguuai6PNvI8XZ -gxO53683g0XazlHU1tzSpss8xwbrzTBw7JjM5AqlkdcpWn9xxb5maR0rLf7ISURZ -C8Wj6kn9k7HXU0BfF3N2mZWGZiVHl+1CaQiICBFCIGmYikP+5Izmh4HdIramnNKD -dRMfkysSjOKG+n0lHAYq0n7wFvGHzdVOgys1uJMPdLqQqovHYWckKrH9bWIUDRjE -wLjGj8N0hFcyStfehuZVLx0eGR1xIWjTuwIDAQABox0wGzAMBgNVHRMEBTADAQH/ -MAsGA1UdDwQEAwIBBjALBgkqhkiG9w0BAQsDggEBAHitWfZzPxR/UWEKQgz9zzm2 -NXszG7nV82w8qfC9pq8mU3f7eqbHJ2HNFkZzttJsH9DNl30OK2Y5IVLUiZHckz2e -OFUyxK0tBCCBYd79FiK4BgP/Ys/7LK+4UaDhbRQP//MGuofwjsrNxgPgtkNaeKtF -EXKCuDrHoa4ua7afrkUWKzPZ6JbDOEjJIyuJ3ISI0Q20Oc3ERxGwG1SQ1EldgWBr -0dJJWBHZtNpIVvSm1dRfjMYtSrBoUXwbn6kDrdk4T98OHnFP0V0KW4j4umLHK7Gi -OSAwvWtir3fSJaLJClTCFe1XoNvJnQ53PJs0JR26mAixV2VuylStO2KlbYy7fOc= ------END CERTIFICATE----- \ No newline at end of file 
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/badca.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/badca.pem.certspec
deleted file mode 100644
index 311bbb3f8..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/badca.pem.certspec
+++ /dev/null
@@ -1,6 +0,0 @@
-issuer:badca
-subject:badca
-issuerKey:alternate
-subjectKey:alternate
-extension:basicConstraints:cA,
-extension:keyUsage:keyCertSign,cRLSign
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/moz.build b/security/manager/ssl/tests/unit/test_pinning_dynamic/moz.build
deleted file mode 100644
index eb8b582f5..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/moz.build
+++ /dev/null
@@ -1,26 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# Temporarily disabled. See bug 1256495.
-#test_certificates = (
-# 'badca.pem',
-# 'a.pinning2.example.com-badca.pem',
-# 'a.pinning2.example.com-pinningroot.pem',
-# 'a.preload.example.com-badca.pem',
-# 'a.preload.example.com-pinningroot.pem',
-# 'b.pinning2.example.com-badca.pem',
-# 'b.pinning2.example.com-pinningroot.pem',
-# 'b.preload.example.com-badca.pem',
-# 'b.preload.example.com-pinningroot.pem',
-# 'x.a.pinning2.example.com-badca.pem',
-# 'x.a.pinning2.example.com-pinningroot.pem',
-# 'x.b.pinning2.example.com-badca.pem',
-# 'x.b.pinning2.example.com-pinningroot.pem',
-# 'pinningroot.pem',
-#)
-#
-#for test_certificate in test_certificates:
-# GeneratedTestCertificate(test_certificate)
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/pinningroot.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/pinningroot.pem
deleted file mode 100644
index 9a041991a..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/pinningroot.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC1zCCAcGgAwIBAgIUMwSUmBShbg5sMNZSTiPd5Tb1udkwCwYJKoZIhvcNAQEL -MBYxFDASBgNVBAMMC3Bpbm5pbmdyb290MCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAx -ODAyMDUwMDAwMDBaMBYxFDASBgNVBAMMC3Bpbm5pbmdyb290MIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq5DVKtOz1 -aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SScAn7NQ/we -adA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39ZgsrsCSS -pH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYkzBxsl62W -YVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3uJtYlnauR -CE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQABox0wGzAM -BgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjALBgkqhkiG9w0BAQsDggEBADNuQnKg -y8zWnKlfBq/50UOtdSlvevg6u6tsUTvay2kVgB8BRTvm76aw4yOLgk84eHHkrX5c -TqdutWh2JZarUWbO7JnPTdDE2CAkDh1smSe9L/XJENbgVXleg/VYLgnfnuSQCCnK -WjjExcorX6IKDks1ZoBJ1HIvBzMRMWzIQgBL9B2Y1V05lgfn0bwZD+TjUJBmN1w0 -NTaPgrxE7FWZ2CTcowrYRKEEDAUX4cTFoce5YMwALCgW59KfVQfQdHaiCCcdNbfi -qSQGZu+59JrrasmgK9VTahukYWcaQCz8HBCasdknGodLAzThuWMkjXU3D2IZYl15 -GfE5yrRFop/89xo= ------END CERTIFICATE----- \ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/pinningroot.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/pinningroot.pem.certspec deleted file mode 100644 index 86500e16b..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/pinningroot.pem.certspec +++ /dev/null @@ -1,4 +0,0 @@ -issuer:pinningroot -subject:pinningroot -extension:basicConstraints:cA, -extension:keyUsage:keyCertSign,cRLSign diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-badca.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-badca.pem deleted file mode 100644 index e4b6e72c0..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-badca.pem +++ /dev/null 
@@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC3zCCAcmgAwIBAgIUe11LKIzCrdnRTgrLsfuGMoOpL1QwCwYJKoZIhvcNAQEL -MBAxDjAMBgNVBAMMBWJhZGNhMCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAxODAyMDUw -MDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9Rv -plraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYn -YLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ -ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM -5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2Fn -JCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMnMCUwIwYD -VR0RBBwwGoIYeC5hLnBpbm5pbmcyLmV4YW1wbGUuY29tMAsGCSqGSIb3DQEBCwOC -AQEAgdFC/SwBLRp6A+n3znR+sEuU8UvmbgbXp7pIFVh6cbC6lNF0nXk9ywPeIWyh -B7TCn3YHj4uc/PbvzRj9Py0gQLXcimKpmLoxclV5g1uTAydgXPiPulv/kaL9NOME -lm88pyQeDwfEkUz7VijabIzFRTEVRmOudb8mX4SuzjhxsdzSMjffpae335beJ4Im -lxgJgMsuJdEoK0WyG5nlBhVdzrT/kwdiwULeVNV//UHid1YZy56G5Lo22Hgd4wT3 -1W3LXQelBdHhee7Hf7mg4rjCUPulFAr8qBLdywf1Hnu1o7rXUcn46PLwKLOWJPOM -SKpiqRKqvzlrzLaHPejfT0IMrw== ------END CERTIFICATE----- \ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-badca.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-badca.pem.certspec deleted file mode 100644 index ad8636d43..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-badca.pem.certspec +++ /dev/null @@ -1,5 +0,0 @@ -issuer:badca -subject:test end-entity -issuerKey:alternate -subjectKey:alternate -extension:subjectAlternativeName:x.a.pinning2.example.com diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-pinningroot.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-pinningroot.pem deleted file mode 100644 index ed58de323..000000000 
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-pinningroot.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC5TCCAc+gAwIBAgIUefEeE+Sj5fBSec+97B6UmZFQEncwCwYJKoZIhvcNAQEL -MBYxFDASBgNVBAMMC3Bpbm5pbmdyb290MCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAx -ODAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxK -zSKxy9RvplraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEG -zwi+moYnYLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHX -KVp/ccW+ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBp -mIpD/uSM5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6 -kKqLx2FnJCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMn -MCUwIwYDVR0RBBwwGoIYeC5hLnBpbm5pbmcyLmV4YW1wbGUuY29tMAsGCSqGSIb3 -DQEBCwOCAQEAT2fxisiLJvVdFTba07a2Pc6UHBE+O0tOaLfMmHx/ET2FZdd9sLTL -X2f+hQCmXEBQ7Au2eYTew8hTyXYGYFauMJNk+XHHUIaSOhmnYTccye4d6j5bXRCp -7zA1qPlReCDLjp7o/34whkvngvdgdLYf60EkBO/NJfj+zsR1JTVfyVzIKXl6veLz -0xKicBAq9vS0Yqq10japVYKKqAw6gDpbNkSAd3xsl4+EbMRq+BnMB4W2anw1gM/e -hV11JQVA/MREtmUiTkvJFF6chHVCn5aL7JzVM2miZjZC8Ix59LUBoyO3SrxgrzZw -xeYuwoDhzTCrcFxn8gdKNajbGHuW5ekQpg== ------END CERTIFICATE----- \ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-pinningroot.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-pinningroot.pem.certspec deleted file mode 100644 index 260f2184b..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.a.pinning2.example.com-pinningroot.pem.certspec +++ /dev/null @@ -1,4 +0,0 @@ -issuer:pinningroot -subject:test end-entity -subjectKey:alternate -extension:subjectAlternativeName:x.a.pinning2.example.com 
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-badca.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-badca.pem deleted file mode 100644 index dc24247e8..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-badca.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC3zCCAcmgAwIBAgIUYcTc5Pz7KlQldGOO+KzbuBdf8TswCwYJKoZIhvcNAQEL -MBAxDjAMBgNVBAMMBWJhZGNhMCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAxODAyMDUw -MDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxKzSKxy9Rv -plraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEGzwi+moYn -YLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHXKVp/ccW+ -ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBpmIpD/uSM -5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6kKqLx2Fn -JCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMnMCUwIwYD -VR0RBBwwGoIYeC5iLnBpbm5pbmcyLmV4YW1wbGUuY29tMAsGCSqGSIb3DQEBCwOC -AQEAd6HusXqftFBpSUzivIY6icTZ95+wY+xIOsf1QOgyzZ/CDx4Tly+rgue2xSNT -59FmnFvh8jW202K8TykamsAX20A8ArzubNoc/+soA752YEvrMmOgWjmH2arqTfqg -zcfNdgUDESwnOoy123F+PkT3rRDXwINzCwftxhKbvmqhO6YENteqyWWmSZoMClsJ -xtm+bmPN+m26k6zMMYWzIu2HIXI3CgqOmJltfyqea02Y58S1+XlajrcewPpC17xD -r5a1sizecCFrmV0ssbK8wvEYo9Xs+PNj8Vhi1DUwGjtnjrYn/WQ6v/luMEEO7EMD -b3BbEziS3Pqej2JyprUKqOjv1g== ------END CERTIFICATE----- \ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-badca.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-badca.pem.certspec deleted file mode 100644 index 592bdcc58..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-badca.pem.certspec +++ /dev/null 
@@ -1,5 +0,0 @@ -issuer:badca -subject:test end-entity -issuerKey:alternate -subjectKey:alternate -extension:subjectAlternativeName:x.b.pinning2.example.com diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-pinningroot.pem b/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-pinningroot.pem deleted file mode 100644 index 642135994..000000000 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-pinningroot.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC5TCCAc+gAwIBAgIUNXGolw8M2HU/gP4dOSMD2bdTQ+MwCwYJKoZIhvcNAQEL -MBYxFDASBgNVBAMMC3Bpbm5pbmdyb290MCIYDzIwMTUxMTI4MDAwMDAwWhgPMjAx -ODAyMDUwMDAwMDBaMBoxGDAWBgNVBAMMD3Rlc3QgZW5kLWVudGl0eTCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMF1xlJmCZ93CCpnkfG4dsN/XOU4sGxK -zSKxy9RvplraKt1ByMJJisSjs8H2FIf0G2mJQb2ApRw8EgJExYSkxEgzBeUTjAEG -zwi+moYnYLrmoujzbyPF2YMTud+vN4NF2s5R1Nbc0qbLPMcG680wcOyYzOQKpZHX -KVp/ccW+ZmkdKy3+yElEWQvFo+pJ/ZOx11NAXxdzdpmVhmYlR5ftQmkIiAgRQiBp -mIpD/uSM5oeB3SK2ppzSg3UTH5MrEozihvp9JRwGKtJ+8Bbxh83VToMrNbiTD3S6 -kKqLx2FnJCqx/W1iFA0YxMC4xo/DdIRXMkrX3obmVS8dHhkdcSFo07sCAwEAAaMn -MCUwIwYDVR0RBBwwGoIYeC5iLnBpbm5pbmcyLmV4YW1wbGUuY29tMAsGCSqGSIb3 -DQEBCwOCAQEAevN1gW64H2kCjW5W4wbQFkJIITjcdEUsw+8GPzDuBDJCvgGirhOi -ArBie8Bz+JlqzgNCXSe6pFVLoNfLosG5xksLwHljEit/7gFQ5twFazdg7dwPXs9Z -MIV2iv3vHmKYTFTcjfw07UWy0rHHt6EH+zXqpZFtFkJHqSgngKxAHgQlvSKeyynM -albu5YAX/hzJ7TyAVGxVN8uxnvYqPbLCy3wKf9ILFiDer6B9pE4Ii+dUyUbqVQFZ -tY2ac1474nkcfj3uj5qbV0TTpd9EL9HMvixTnoUrT3bqkRX7orvL4gXpnJJyRjvC -/LvTh/Vt1mYKkNLc/ruOj7WfUUC0SJIDzQ== ------END CERTIFICATE----- \ No newline at end of file diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-pinningroot.pem.certspec b/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-pinningroot.pem.certspec deleted file mode 100644 index 7e6d33d50..000000000 
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic/x.b.pinning2.example.com-pinningroot.pem.certspec
+++ /dev/null
@@ -1,4 +0,0 @@
-issuer:pinningroot
-subject:test end-entity
-subjectKey:alternate
-extension:subjectAlternativeName:x.b.pinning2.example.com
diff --git a/security/manager/ssl/tests/unit/test_pinning_header_parsing.js b/security/manager/ssl/tests/unit/test_pinning_header_parsing.js
deleted file mode 100644
index 0dcf6993b..000000000
--- a/security/manager/ssl/tests/unit/test_pinning_header_parsing.js
+++ /dev/null
@@ -1,147 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-"use strict";
-
-// The purpose of this test is to check that parsing of HPKP headers
-// is correct.
-
-var profileDir = do_get_profile();
-const certdb = Cc["@mozilla.org/security/x509certdb;1"]
- .getService(Ci.nsIX509CertDB);
-var gSSService = Cc["@mozilla.org/ssservice;1"]
- .getService(Ci.nsISiteSecurityService);
-
-function certFromFile(cert_name) {
- return constructCertFromFile("test_pinning_dynamic/" + cert_name + ".pem");
-}
-
-function loadCert(cert_name, trust_string) {
- let cert_filename = "test_pinning_dynamic/" + cert_name + ".pem";
- addCertFromFile(certdb, cert_filename, trust_string);
- return constructCertFromFile(cert_filename);
-}
-
-function checkFailParseInvalidPin(pinValue) {
- let sslStatus = new FakeSSLStatus(
- certFromFile('a.pinning2.example.com-pinningroot'));
- let uri = Services.io.newURI("https://a.pinning2.example.com", null, null);
- throws(() => {
- gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
- pinValue, sslStatus, 0);
- }, /NS_ERROR_FAILURE/, `Invalid pin "${pinValue}" should be rejected`);
-}
-
-function checkPassValidPin(pinValue, settingPin, expectedMaxAge) {
- let sslStatus = new FakeSSLStatus(
- certFromFile('a.pinning2.example.com-pinningroot'));
- let uri = Services.io.newURI("https://a.pinning2.example.com", null, null);
- let maxAge = {};
-
- // setup preconditions for the test, if setting ensure there is no previous
- // state, if removing ensure there is a valid pin in place.
- if (settingPin) {
- gSSService.removeState(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0);
- } else {
- // add a known valid pin!
- let validPinValue = "max-age=5000;" + VALID_PIN1 + BACKUP_PIN1;
- gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
- validPinValue, sslStatus, 0);
- }
- try {
- gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
- pinValue, sslStatus, 0, maxAge);
- ok(true, "Valid pin should be accepted");
- } catch (e) {
- ok(false, "Valid pin should have been accepted");
- }
-
- // check that maxAge was processed correctly
- if (settingPin && expectedMaxAge) {
- ok(maxAge.value == expectedMaxAge, `max-age value should be ${expectedMaxAge}`);
- }
-
- // after processing ensure that the postconditions are true, if setting
- // the host must be pinned, if removing the host must not be pinned
- let hostIsPinned = gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
- "a.pinning2.example.com", 0);
- if (settingPin) {
- ok(hostIsPinned, "Host should be considered pinned");
- } else {
- ok(!hostIsPinned, "Host should not be considered pinned");
- }
-}
-
-function checkPassSettingPin(pinValue, expectedMaxAge) {
- return checkPassValidPin(pinValue, true, expectedMaxAge);
-}
-
-function checkPassRemovingPin(pinValue) {
- return checkPassValidPin(pinValue, false);
-}
-
-const MAX_MAX_AGE_SECONDS = 100000;
-const GOOD_MAX_AGE_SECONDS = 69403;
-const LONG_MAX_AGE_SECONDS = 2 * MAX_MAX_AGE_SECONDS;
-const NON_ISSUED_KEY_HASH1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
-const NON_ISSUED_KEY_HASH2 = "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ=";
-const PINNING_ROOT_KEY_HASH = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=";
-const MAX_AGE_ZERO = "max-age=0;";
-const VALID_PIN1 = `pin-sha256="${PINNING_ROOT_KEY_HASH}";`;
-const BACKUP_PIN1 = `pin-sha256="${NON_ISSUED_KEY_HASH1}";`;
-const BACKUP_PIN2 = `pin-sha256="${NON_ISSUED_KEY_HASH2}";`;
-const BROKEN_PIN1 = "pin-sha256=\"jdjsjsjs\";";
-const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`;
-const LONG_MAX_AGE = `max-age=${LONG_MAX_AGE_SECONDS};`;
-const INCLUDE_SUBDOMAINS = "includeSubdomains;";
-const REPORT_URI = "report-uri=\"https://www.example.com/report/\";";
-const UNRECOGNIZED_DIRECTIVE = "unreconized-dir=12343;";
-
-function run_test() {
- Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
- Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
- Services.prefs.setIntPref("security.cert_pinning.max_max_age_seconds", MAX_MAX_AGE_SECONDS);
- Services.prefs.setBoolPref("security.cert_pinning.process_headers_from_non_builtin_roots", true);
-
- loadCert("pinningroot", "CTu,CTu,CTu");
- loadCert("badca", "CTu,CTu,CTu");
-
- checkFailParseInvalidPin("max-age=INVALID");
- // check that incomplete headers are failure
- checkFailParseInvalidPin(GOOD_MAX_AGE);
- checkFailParseInvalidPin(VALID_PIN1);
- checkFailParseInvalidPin(REPORT_URI);
- checkFailParseInvalidPin(UNRECOGNIZED_DIRECTIVE);
- checkFailParseInvalidPin(VALID_PIN1 + BACKUP_PIN1);
- checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1);
- checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + BROKEN_PIN1);
- // next ensure a backup pin is present
- checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + VALID_PIN1);
- // next section ensure duplicate directives result in failure
- checkFailParseInvalidPin(GOOD_MAX_AGE + GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1);
- checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1 + INCLUDE_SUBDOMAINS + INCLUDE_SUBDOMAINS);
- checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1 + REPORT_URI + REPORT_URI);
- checkFailParseInvalidPin("thisisinvalidtest");
- checkFailParseInvalidPin("invalid" + GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1);
-
- checkPassRemovingPin("max-age=0"); //test removal without terminating ';'
- checkPassRemovingPin(MAX_AGE_ZERO);
- checkPassRemovingPin(MAX_AGE_ZERO + VALID_PIN1);
-
- checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1, GOOD_MAX_AGE_SECONDS);
- checkPassSettingPin(LONG_MAX_AGE + VALID_PIN1 + BACKUP_PIN1, MAX_MAX_AGE_SECONDS);
-
checkPassRemovingPin(VALID_PIN1 + MAX_AGE_ZERO + VALID_PIN1);
- checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1);
- checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN2);
- checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN2 + INCLUDE_SUBDOMAINS);
- checkPassSettingPin(VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2 + INCLUDE_SUBDOMAINS);
- checkPassSettingPin(VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2 + REPORT_URI + INCLUDE_SUBDOMAINS);
- checkPassSettingPin(INCLUDE_SUBDOMAINS + VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2);
- checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1 + UNRECOGNIZED_DIRECTIVE);
-
- Services.prefs.clearUserPref("security.cert_pinning.hpkp.enabled");
- Services.prefs.clearUserPref("security.cert_pinning.enforcement_level");
- Services.prefs.clearUserPref("security.cert_pinning.max_max_age_seconds");
- Services.prefs.clearUserPref("security.cert_pinning.process_headers_from_non_builtin_roots");
-}
diff --git a/security/manager/ssl/tests/unit/test_sts_holepunch.js b/security/manager/ssl/tests/unit/test_sts_holepunch.js
deleted file mode 100644
index b7e643148..000000000
--- a/security/manager/ssl/tests/unit/test_sts_holepunch.js
+++ /dev/null
@@ -1,34 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-"use strict";
-
-// bug 961528: chart.apis.google.com doesn't handle https. Check that
-// it isn't considered HSTS (other example.apis.google.com hosts should be
-// HSTS as long as they're on the preload list, however).
-function run_test() {
- let SSService = Cc["@mozilla.org/ssservice;1"]
- .getService(Ci.nsISiteSecurityService);
- ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
- "chart.apis.google.com", 0));
- ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
- "CHART.APIS.GOOGLE.COM", 0));
- ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
- "sub.chart.apis.google.com", 0));
- ok(!SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
- "SUB.CHART.APIS.GOOGLE.COM", 0));
- ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
- "example.apis.google.com", 0));
- ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
- "EXAMPLE.APIS.GOOGLE.COM", 0));
- ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
- "sub.example.apis.google.com", 0));
- ok(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
- "SUB.EXAMPLE.APIS.GOOGLE.COM", 0));
- // also check isSecureURI
- let chartURI = Services.io.newURI("http://chart.apis.google.com", null, null);
- ok(!SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, chartURI, 0));
- let otherURI = Services.io.newURI("http://other.apis.google.com", null, null);
- ok(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS, otherURI, 0));
-}
diff --git a/security/manager/ssl/tests/unit/xpcshell.ini b/security/manager/ssl/tests/unit/xpcshell.ini
index bdf9933f4..01384b19a 100644
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -26,7 +26,6 @@ support-files =
 test_ocsp_fetch_method/**
 test_ocsp_url/**
 test_onecrl/**
- test_pinning_dynamic/**
 test_signed_apps/**
 test_signed_dir/**
 test_startcom_wosign/**
@@ -111,13 +110,6 @@ run-sequentially = hardcoded ports
 [test_ocsp_url.js]
 run-sequentially = hardcoded ports
 [test_password_prompt.js]
-[test_pinning.js]
-run-sequentially = hardcoded ports
-# This test can take longer than 300 seconds on B2G emulator debug builds, so
-# give it enough time to finish. See bug 1081128.
-requesttimeoutfactor = 2
-[test_pinning_dynamic.js]
-[test_pinning_header_parsing.js]
 [test_sdr.js]
 [test_session_resumption.js]
 run-sequentially = hardcoded ports
@@ -137,7 +129,6 @@ skip-if = toolkit == 'android'
 [test_sss_savestate.js]
 [test_startcom_wosign.js]
 [test_sts_fqdn.js]
-[test_sts_holepunch.js]
 [test_sts_ipv4_ipv6.js]
 [test_sts_preloadlist_perwindowpb.js]
 [test_sts_preloadlist_selfdestruct.js]
-- cgit v1.2.3