1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
|
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
"use strict";
// The purpose of this test is to check that parsing of HPKP headers
// is correct.
var profileDir = do_get_profile();
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
.getService(Ci.nsIX509CertDB);
var gSSService = Cc["@mozilla.org/ssservice;1"]
.getService(Ci.nsISiteSecurityService);
function certFromFile(cert_name) {
return constructCertFromFile("test_pinning_dynamic/" + cert_name + ".pem");
}
function loadCert(cert_name, trust_string) {
let cert_filename = "test_pinning_dynamic/" + cert_name + ".pem";
addCertFromFile(certdb, cert_filename, trust_string);
return constructCertFromFile(cert_filename);
}
function checkFailParseInvalidPin(pinValue) {
let sslStatus = new FakeSSLStatus(
certFromFile('a.pinning2.example.com-pinningroot'));
let uri = Services.io.newURI("https://a.pinning2.example.com", null, null);
throws(() => {
gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
pinValue, sslStatus, 0);
}, /NS_ERROR_FAILURE/, `Invalid pin "${pinValue}" should be rejected`);
}
function checkPassValidPin(pinValue, settingPin, expectedMaxAge) {
let sslStatus = new FakeSSLStatus(
certFromFile('a.pinning2.example.com-pinningroot'));
let uri = Services.io.newURI("https://a.pinning2.example.com", null, null);
let maxAge = {};
// setup preconditions for the test, if setting ensure there is no previous
// state, if removing ensure there is a valid pin in place.
if (settingPin) {
gSSService.removeState(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0);
} else {
// add a known valid pin!
let validPinValue = "max-age=5000;" + VALID_PIN1 + BACKUP_PIN1;
gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
validPinValue, sslStatus, 0);
}
try {
gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
pinValue, sslStatus, 0, maxAge);
ok(true, "Valid pin should be accepted");
} catch (e) {
ok(false, "Valid pin should have been accepted");
}
// check that maxAge was processed correctly
if (settingPin && expectedMaxAge) {
ok(maxAge.value == expectedMaxAge, `max-age value should be ${expectedMaxAge}`);
}
// after processing ensure that the postconditions are true, if setting
// the host must be pinned, if removing the host must not be pinned
let hostIsPinned = gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"a.pinning2.example.com", 0);
if (settingPin) {
ok(hostIsPinned, "Host should be considered pinned");
} else {
ok(!hostIsPinned, "Host should not be considered pinned");
}
}
function checkPassSettingPin(pinValue, expectedMaxAge) {
return checkPassValidPin(pinValue, true, expectedMaxAge);
}
function checkPassRemovingPin(pinValue) {
return checkPassValidPin(pinValue, false);
}
const MAX_MAX_AGE_SECONDS = 100000;
const GOOD_MAX_AGE_SECONDS = 69403;
const LONG_MAX_AGE_SECONDS = 2 * MAX_MAX_AGE_SECONDS;
const NON_ISSUED_KEY_HASH1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
const NON_ISSUED_KEY_HASH2 = "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ=";
const PINNING_ROOT_KEY_HASH = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=";
const MAX_AGE_ZERO = "max-age=0;";
const VALID_PIN1 = `pin-sha256="${PINNING_ROOT_KEY_HASH}";`;
const BACKUP_PIN1 = `pin-sha256="${NON_ISSUED_KEY_HASH1}";`;
const BACKUP_PIN2 = `pin-sha256="${NON_ISSUED_KEY_HASH2}";`;
const BROKEN_PIN1 = "pin-sha256=\"jdjsjsjs\";";
const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`;
const LONG_MAX_AGE = `max-age=${LONG_MAX_AGE_SECONDS};`;
const INCLUDE_SUBDOMAINS = "includeSubdomains;";
const REPORT_URI = "report-uri=\"https://www.example.com/report/\";";
const UNRECOGNIZED_DIRECTIVE = "unreconized-dir=12343;";
function run_test() {
Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
Services.prefs.setIntPref("security.cert_pinning.max_max_age_seconds", MAX_MAX_AGE_SECONDS);
Services.prefs.setBoolPref("security.cert_pinning.process_headers_from_non_builtin_roots", true);
loadCert("pinningroot", "CTu,CTu,CTu");
loadCert("badca", "CTu,CTu,CTu");
checkFailParseInvalidPin("max-age=INVALID");
// check that incomplete headers are failure
checkFailParseInvalidPin(GOOD_MAX_AGE);
checkFailParseInvalidPin(VALID_PIN1);
checkFailParseInvalidPin(REPORT_URI);
checkFailParseInvalidPin(UNRECOGNIZED_DIRECTIVE);
checkFailParseInvalidPin(VALID_PIN1 + BACKUP_PIN1);
checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1);
checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + BROKEN_PIN1);
// next ensure a backup pin is present
checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + VALID_PIN1);
// next section ensure duplicate directives result in failure
checkFailParseInvalidPin(GOOD_MAX_AGE + GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1);
checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1 + INCLUDE_SUBDOMAINS + INCLUDE_SUBDOMAINS);
checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1 + REPORT_URI + REPORT_URI);
checkFailParseInvalidPin("thisisinvalidtest");
checkFailParseInvalidPin("invalid" + GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1);
checkPassRemovingPin("max-age=0"); //test removal without terminating ';'
checkPassRemovingPin(MAX_AGE_ZERO);
checkPassRemovingPin(MAX_AGE_ZERO + VALID_PIN1);
checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1, GOOD_MAX_AGE_SECONDS);
checkPassSettingPin(LONG_MAX_AGE + VALID_PIN1 + BACKUP_PIN1, MAX_MAX_AGE_SECONDS);
checkPassRemovingPin(VALID_PIN1 + MAX_AGE_ZERO + VALID_PIN1);
checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1);
checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN2);
checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN2 + INCLUDE_SUBDOMAINS);
checkPassSettingPin(VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2 + INCLUDE_SUBDOMAINS);
checkPassSettingPin(VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2 + REPORT_URI + INCLUDE_SUBDOMAINS);
checkPassSettingPin(INCLUDE_SUBDOMAINS + VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2);
checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1 + UNRECOGNIZED_DIRECTIVE);
Services.prefs.clearUserPref("security.cert_pinning.hpkp.enabled");
Services.prefs.clearUserPref("security.cert_pinning.enforcement_level");
Services.prefs.clearUserPref("security.cert_pinning.max_max_age_seconds");
Services.prefs.clearUserPref("security.cert_pinning.process_headers_from_non_builtin_roots");
}
|
