| blob | 3c21601eb80bd20c2fdf058d05584398da6a3d2d |
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 "use strict";
6 // This test checks parsing of the the certificate override file
8 function run_test() {
9 // These are hard-coded to avoid initialization of NSS before setup is complete
10 // bad_certs/mitm.pem
11 let cert1 = {
12 sha256Fingerprint:
13 "E3:E3:56:4C:6D:81:DA:29:E4:52:20:A1:7A:31:E2:03:F1:82:A6:D5:B1:5B:6A:86:D6:10:CF:AE:BA:3B:35:2A",
14 };
15 // bad_certs/selfsigned.pem
16 let cert2 = {
17 sha256Fingerprint:
18 "9A:C8:37:86:6F:1A:20:A2:31:6F:FE:92:68:CE:05:D2:8C:72:F3:A3:E0:23:3B:AD:8A:28:19:93:82:E8:AE:24",
19 };
20 // bad_certs/noValidNames.pem
21 let cert3 = {
22 sha256Fingerprint:
23 "67:7C:84:51:32:B5:0B:63:E4:40:B4:1A:33:FD:20:34:0A:B3:1D:61:24:F1:7A:40:14:39:05:66:42:FD:C2:EA",
24 };
26 let profileDir = do_get_profile();
27 let overrideFile = profileDir.clone();
28 overrideFile.append(CERT_OVERRIDE_FILE_NAME);
29 // Assuming we're working with a clean slate, the file shouldn't exist
30 // until we create it.
31 ok(!overrideFile.exists());
32 let outputStream = FileUtils.openFileOutputStream(overrideFile);
33 let lines = [
34 "# PSM Certificate Override Settings file",
35 "# This is a generated file! Do not edit.",
36 "test.example.com:443:^privateBrowsingId=1\tOID.2.16.840.1.101.3.4.2.1\t" +
37 cert1.sha256Fingerprint +
38 "\t",
39 "test.example.com:443:^privateBrowsingId=2\tOID.2.16.840.1.101.3.4.2.1\t" +
40 cert1.sha256Fingerprint +
41 "\t",
42 "test.example.com:443:^privateBrowsingId=3\tOID.2.16.840.1.101.3.4.2.1\t" + // includes bits and dbKey (now obsolete)
43 cert1.sha256Fingerprint +
44 "\tM\t" +
45 "AAAAAAAAAAAAAAACAAAAFjA5MBQxEjAQBgNVBAMMCWxvY2FsaG9zdA==",
46 "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" +
47 cert2.sha256Fingerprint +
48 "\t",
49 "[::1]:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // IPv6
50 cert2.sha256Fingerprint +
51 "\t",
52 "old.example.com:443\tOID.2.16.840.1.101.3.4.2.1\t" + // missing attributes (defaulted)
53 cert1.sha256Fingerprint +
54 "\t",
55 ":443:\tOID.2.16.840.1.101.3.4.2.1\t" + // missing host name
56 cert3.sha256Fingerprint +
57 "\t",
58 "example.com::\tOID.2.16.840.1.101.3.4.2.1\t" + // missing port
59 cert3.sha256Fingerprint +
60 "\t",
61 "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // wrong fingerprint
62 cert2.sha256Fingerprint +
63 "\t",
64 "example.com:443:\tOID.0.00.000.0.000.0.0.0.0\t" + // bad OID
65 cert3.sha256Fingerprint +
66 "\t",
67 "example.com:443:\t.0.0.0.0\t" + // malformed OID
68 cert3.sha256Fingerprint +
69 "\t",
70 "example.com:443:\t\t" + // missing OID
71 cert3.sha256Fingerprint +
72 "\t",
73 "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t", // missing fingerprint
74 ];
75 writeLinesAndClose(lines, outputStream);
76 let overrideService = Cc["@mozilla.org/security/certoverride;1"].getService(
77 Ci.nsICertOverrideService
78 );
79 notEqual(overrideService, null);
81 // Now that the override service is initialized we can actually read the certificates
82 cert1 = constructCertFromFile("bad_certs/mitm.pem");
83 info(
84 `if this test fails, try updating cert1.sha256Fingerprint to "${cert1.sha256Fingerprint}"`
85 );
86 cert2 = constructCertFromFile("bad_certs/selfsigned.pem");
87 info(
88 `if this test fails, try updating cert2.sha256Fingerprint to "${cert2.sha256Fingerprint}"`
89 );
90 cert3 = constructCertFromFile("bad_certs/noValidNames.pem");
91 info(
92 `if this test fails, try updating cert3.sha256Fingerprint to "${cert3.sha256Fingerprint}"`
93 );
95 const OVERRIDES = [
96 {
97 host: "test.example.com",
98 port: 443,
99 cert: cert1,
100 attributes: { privateBrowsingId: 1 },
101 },
102 {
103 host: "test.example.com",
104 port: 443,
105 cert: cert1,
106 attributes: { privateBrowsingId: 2 },
107 },
108 {
109 host: "test.example.com",
110 port: 443,
111 cert: cert1,
112 attributes: { privateBrowsingId: 3 },
113 },
114 {
115 host: "example.com",
116 port: 443,
117 cert: cert2,
118 attributes: {},
119 },
120 {
121 host: "::1",
122 port: 443,
123 cert: cert2,
124 attributes: {},
125 },
126 {
127 host: "example.com",
128 port: 443,
129 cert: cert2,
130 attributes: { userContextId: 1 }, // only privateBrowsingId is used
131 },
132 {
133 host: "old.example.com",
134 port: 443,
135 cert: cert1,
136 attributes: {},
137 },
138 ];
139 const BAD_OVERRIDES = [
140 {
141 host: "test.example.com",
142 port: 443,
143 cert: cert1,
144 attributes: { privateBrowsingId: 4 }, // wrong attributes
145 },
146 {
147 host: "test.example.com",
148 port: 443,
149 cert: cert3, // wrong certificate
150 attributes: { privateBrowsingId: 1 },
151 },
152 {
153 host: "example.com",
154 port: 443,
155 cert: cert3,
156 attributes: {},
157 },
158 ];
160 for (let override of OVERRIDES) {
161 let temp = {};
162 ok(
163 overrideService.hasMatchingOverride(
164 override.host,
165 override.port,
166 override.attributes,
167 override.cert,
168 temp
169 ),
170 `${JSON.stringify(override)} should have an override`
171 );
172 equal(temp.value, false);
173 }
175 for (let override of BAD_OVERRIDES) {
176 let temp = {};
177 ok(
178 !overrideService.hasMatchingOverride(
179 override.host,
180 override.port,
181 override.attributes,
182 override.cert,
183 temp
184 ),
185 `${override} should not have an override`
186 );
187 }
188 }