// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
"use strict";
// Test that when an override exists for a (host, certificate) pair,
// connections will succeed only if the set of error bits in the override
// contains each bit in the set of encountered error bits.
// Strangely, it is possible to store an override with an empty set of error
// bits, so this tests that too.
do_get_profile();
function add_override_bits_mismatch_test(host, certPath, expectedBits,
expectedError) {
const MAX_BITS = Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_TIME;
let cert = constructCertFromFile(certPath);
let certOverrideService = Cc["@mozilla.org/security/certoverride;1"]
.getService(Ci.nsICertOverrideService);
for (let overrideBits = 0; overrideBits <= MAX_BITS; overrideBits++) {
add_test(function() {
certOverrideService.clearValidityOverride(host, 8443);
certOverrideService.rememberValidityOverride(host, 8443, cert,
overrideBits, true);
run_next_test();
});
// The override will succeed only if the set of error bits in the override
// contains each bit in the set of expected error bits.
let successExpected = (overrideBits | expectedBits) == overrideBits;
add_connection_test(host, successExpected ? PRErrorCodeSuccess
: expectedError);
}
}
function run_test() {
Services.prefs.setIntPref("security.OCSP.enabled", 1);
add_tls_server_setup("BadCertServer", "bad_certs");
let fakeOCSPResponder = new HttpServer();
fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
});
fakeOCSPResponder.start(8888);
add_override_bits_mismatch_test("unknownissuer.example.com",
"bad_certs/unknownissuer.pem",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
SEC_ERROR_UNKNOWN_ISSUER);
add_override_bits_mismatch_test("mismatch.example.com",
"bad_certs/mismatch.pem",
Ci.nsICertOverrideService.ERROR_MISMATCH,
SSL_ERROR_BAD_CERT_DOMAIN);
add_override_bits_mismatch_test("expired.example.com",
"bad_certs/expired-ee.pem",
Ci.nsICertOverrideService.ERROR_TIME,
SEC_ERROR_EXPIRED_CERTIFICATE);
add_override_bits_mismatch_test("mismatch-untrusted.example.com",
"bad_certs/mismatch-untrusted.pem",
Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_MISMATCH,
SEC_ERROR_UNKNOWN_ISSUER);
add_override_bits_mismatch_test("untrusted-expired.example.com",
"bad_certs/untrusted-expired.pem",
Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_TIME,
SEC_ERROR_UNKNOWN_ISSUER);
add_override_bits_mismatch_test("mismatch-expired.example.com",
"bad_certs/mismatch-expired.pem",
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_TIME,
SSL_ERROR_BAD_CERT_DOMAIN);
add_override_bits_mismatch_test("mismatch-untrusted-expired.example.com",
"bad_certs/mismatch-untrusted-expired.pem",
Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_TIME,
SEC_ERROR_UNKNOWN_ISSUER);
add_test(function () {
fakeOCSPResponder.stop(run_next_test);
});
run_next_test();
}