security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js

   1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
   2 // This Source Code Form is subject to the terms of the Mozilla Public
   3 // License, v. 2.0. If a copy of the MPL was not distributed with this
   4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
   5
   6 "use strict";
   7
   8 do_get_profile(); // must be called before getting nsIX509CertDB
   9 const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
  10   Ci.nsIX509CertDB
  11 );
  12
  13 function certFromFile(certName) {
  14   return constructCertFromFile(`test_baseline_requirements/${certName}.pem`);
  15 }
  16
  17 function loadCertWithTrust(certName, trustString) {
  18   addCertFromFile(
  19     gCertDB,
  20     `test_baseline_requirements/${certName}.pem`,
  21     trustString
  22   );
  23 }
  24
  25 function checkCertOn25August2016(cert, expectedResult) {
  26   // (new Date("2016-08-25T00:00:00Z")).getTime() / 1000
  27   const VALIDATION_TIME = 1472083200;
  28   return checkCertErrorGenericAtTime(
  29     gCertDB,
  30     cert,
  31     expectedResult,
  32     certificateUsageSSLServer,
  33     VALIDATION_TIME,
  34     false,
  35     "example.com"
  36   );
  37 }
  38
  39 add_task(async function () {
  40   registerCleanupFunction(() => {
  41     Services.prefs.clearUserPref("privacy.reduceTimerPrecision");
  42   });
  43
  44   Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false);
  45
  46   loadCertWithTrust("ca", "CTu,,");
  47
  48   // At one time there was a preference security.pki.name_matching_mode that
  49   // controlled whether or not mozilla::pkix would fall back to using a
  50   // certificate's subject common name during name matching. This no longer
  51   // exists, and certificates that previously required the fallback should fail
  52   // to verify.
  53
  54   await checkCertOn25August2016(
  55     certFromFile("no-san-recent"),
  56     SSL_ERROR_BAD_CERT_DOMAIN
  57   );
  58   await checkCertOn25August2016(
  59     certFromFile("no-san-old"),
  60     SSL_ERROR_BAD_CERT_DOMAIN
  61   );
  62   await checkCertOn25August2016(
  63     certFromFile("no-san-older"),
  64     SSL_ERROR_BAD_CERT_DOMAIN
  65   );
  66   await checkCertOn25August2016(
  67     certFromFile("san-contains-no-hostnames-recent"),
  68     SSL_ERROR_BAD_CERT_DOMAIN
  69   );
  70   await checkCertOn25August2016(
  71     certFromFile("san-contains-no-hostnames-old"),
  72     SSL_ERROR_BAD_CERT_DOMAIN
  73   );
  74   await checkCertOn25August2016(
  75     certFromFile("san-contains-no-hostnames-older"),
  76     SSL_ERROR_BAD_CERT_DOMAIN
  77   );
  78 });