| blob | 2587c5dad9e390480d2cf2ffb3101f2302d20b03 |
1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
2 // This Source Code Form is subject to the terms of the Mozilla Public
3 // License, v. 2.0. If a copy of the MPL was not distributed with this
4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
6 // Helper file for tests that initialize CRLite with corrupted `security_state`
7 // files.
8 //
9 // Usage:
10 // Define nsILocalFile variables for the `crlite.filter`, `crlite.coverage`,
11 // and `crlite.enrollment` files that should be copied to the new profile, and
12 // then load this file. The variables should be called `filter`, `coverage`,
13 // and `enrollment`, respectively. To omit a file, leave the corresponding
14 // variable `undefined`.
15 //
16 // Example:
17 // let filter = do_get_file("some_test_dir/crlite.filter");
18 // let coverage = undefined;
19 // let enrollment = do_get_file("some_test_dir/crlite.enrollment");
20 // load("./corrupted_crlite_helper.js");
21 //
22 // Note:
23 // The cert_storage library only attempts to read security_state once. So
24 // this task can only be included once per test file.
26 "use strict";
28 /* eslint-disable no-undef */
30 add_task(async function test_crlite_corrupted() {
31 let securityStateDirectory = do_get_profile();
32 securityStateDirectory.append("security_state");
34 Services.prefs.setIntPref(
35 "security.pki.crlite_mode",
36 CRLiteModeEnforcePrefValue
37 );
39 if (coverage != undefined) {
40 coverage.copyTo(securityStateDirectory, "crlite.coverage");
41 }
42 if (enrollment != undefined) {
43 enrollment.copyTo(securityStateDirectory, "crlite.enrollment");
44 }
45 if (filter != undefined) {
46 filter.copyTo(securityStateDirectory, "crlite.filter");
47 }
49 let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
50 Ci.nsIX509CertDB
51 );
53 let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
54 Ci.nsICertStorage
55 );
57 // This certificate is revoked according to `test_crlite_filters/20201017-0-filter`.
58 // Its issuer is enrolled according to `test_crlite_preexisting/crlite.enrollment`,
59 // and it is covered according to `test_crlite_preexisting/crlite.coverage`.
60 let revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");
62 // The issuer's certificate needs to be available for path building.
63 let issuerCert = constructCertFromFile("test_crlite_filters/issuer.pem");
64 ok(issuerCert, "issuer certificate should decode successfully");
66 // If we copied a corrupted file to security_state, then CRLite should not be
67 // initialized, and we should fall back to OCSP. By setting
68 // Ci.nsIX509CertDB.FLAG_LOCAL_ONLY here we skip the OCSP test, so there's no
69 // revocation checking, and the revoked certificate should pass inspection.
70 await checkCertErrorGenericAtTime(
71 certdb,
72 revokedCert,
73 PRErrorCodeSuccess,
74 certificateUsageSSLServer,
75 new Date("2020-10-20T00:00:00Z").getTime() / 1000,
76 undefined,
77 "us-datarecovery.com",
78 Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
79 );
81 // We should not have a filter or a stash.
82 let hasFilter = await new Promise(resolve => {
83 certStorage.hasPriorData(
84 Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_FULL,
85 (rv, result) => {
86 Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
87 resolve(result);
88 }
89 );
90 });
91 Assert.equal(hasFilter, false, "CRLite should not have a filter");
93 let hasStash = await new Promise(resolve => {
94 certStorage.hasPriorData(
95 Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL,
96 (rv, result) => {
97 Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
98 resolve(result);
99 }
100 );
101 });
102 Assert.equal(hasStash, false, "CRLite should not have a stash");
103 });