| blob | a1284cb1df0fac88069cca204dd97597bd5b1e3d |
1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
2 // This Source Code Form is subject to the terms of the Mozilla Public
3 // License, v. 2.0. If a copy of the MPL was not distributed with this
4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
5 "use strict";
7 // Tests the certificate overrides we allow.
8 // add_cert_override_test will queue a test that does the following:
9 // 1. Attempt to connect to the given host. This should fail with the
10 // given error.
11 // 2. Add an override for that host/port/certificate.
12 // 3. Connect again. This should succeed.
14 do_get_profile();
16 // Enable the collection (during test) for all products so even products
17 // that don't collect the data will be able to run the test without failure.
18 Services.prefs.setBoolPref(
19 "toolkit.telemetry.testing.overrideProductsCheck",
20 true
21 );
23 function check_telemetry() {
24 let histogram = Services.telemetry
25 .getHistogramById("SSL_CERT_ERROR_OVERRIDES")
26 .snapshot();
27 equal(histogram.values[0], 0, "Should have 0 unclassified values");
28 equal(
29 histogram.values[2],
30 9,
31 "Actual and expected SEC_ERROR_UNKNOWN_ISSUER values should match"
32 );
33 equal(
34 histogram.values[3],
35 1,
36 "Actual and expected SEC_ERROR_CA_CERT_INVALID values should match"
37 );
38 equal(
39 histogram.values[4] || 0,
40 0,
41 "Actual and expected SEC_ERROR_UNTRUSTED_ISSUER values should match"
42 );
43 equal(
44 histogram.values[5],
45 1,
46 "Actual and expected SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE values should match"
47 );
48 equal(
49 histogram.values[6] || 0,
50 0,
51 "Actual and expected SEC_ERROR_UNTRUSTED_CERT values should match"
52 );
53 equal(
54 histogram.values[7] || 0,
55 0,
56 "Actual and expected SEC_ERROR_INADEQUATE_KEY_USAGE values should match"
57 );
58 equal(
59 histogram.values[8],
60 2,
61 "Actual and expected SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED values should match"
62 );
63 equal(
64 histogram.values[9],
65 gIsDebugBuild ? 9 : 8,
66 "Actual and expected SSL_ERROR_BAD_CERT_DOMAIN values should match"
67 );
68 equal(
69 histogram.values[10],
70 1,
71 "Actual and expected SEC_ERROR_EXPIRED_CERTIFICATE values should match"
72 );
73 equal(
74 histogram.values[11],
75 2,
76 "Actual and expected MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY values should match"
77 );
78 equal(
79 histogram.values[12],
80 1,
81 "Actual and expected MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA values should match"
82 );
83 equal(
84 histogram.values[13],
85 1,
86 "Actual and expected MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE values should match"
87 );
88 equal(
89 histogram.values[14],
90 1,
91 "Actual and expected MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE values should match"
92 );
93 equal(
94 histogram.values[15],
95 1,
96 "Actual and expected MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE values should match"
97 );
98 equal(
99 histogram.values[16],
100 2,
101 "Actual and expected SEC_ERROR_INVALID_TIME values should match"
102 );
103 equal(
104 histogram.values[17],
105 1,
106 "Actual and expected MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME values should match"
107 );
108 equal(
109 histogram.values[19],
110 4,
111 "Actual and expected MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT values should match"
112 );
113 equal(
114 histogram.values[20],
115 1,
116 "Actual and expected MOZILLA_PKIX_ERROR_MITM_DETECTED values should match"
117 );
119 let keySizeHistogram = Services.telemetry
120 .getHistogramById("CERT_CHAIN_KEY_SIZE_STATUS")
121 .snapshot();
122 equal(
123 keySizeHistogram.values[0],
124 0,
125 "Actual and expected unchecked key size values should match"
126 );
127 equal(
128 keySizeHistogram.values[1],
129 gIsDebugBuild ? 17 : 15,
130 "Actual and expected successful verifications of 2048-bit keys should match"
131 );
132 equal(
133 keySizeHistogram.values[2] || 0,
134 0,
135 "Actual and expected successful verifications of 1024-bit keys should match"
136 );
137 equal(
138 keySizeHistogram.values[3],
139 70,
140 "Actual and expected verification failures unrelated to key size should match"
141 );
143 run_next_test();
144 }
146 // Internally, specifying "port" -1 is the same as port 443. This tests that.
147 function run_port_equivalency_test(inPort, outPort) {
148 Assert.ok(
149 (inPort == 443 && outPort == -1) || (inPort == -1 && outPort == 443),
150 "The two specified ports must be -1 and 443 (in any order)"
151 );
152 let certOverrideService = Cc[
153 "@mozilla.org/security/certoverride;1"
154 ].getService(Ci.nsICertOverrideService);
155 let cert = constructCertFromFile("bad_certs/default-ee.pem");
156 let expectedTemporary = true;
157 certOverrideService.rememberValidityOverride(
158 "example.com",
159 inPort,
160 {},
161 cert,
162 expectedTemporary
163 );
164 let actualTemporary = {};
165 Assert.ok(
166 certOverrideService.hasMatchingOverride(
167 "example.com",
168 outPort,
169 {},
170 cert,
171 actualTemporary
172 ),
173 `override set on port ${inPort} should match port ${outPort}`
174 );
175 equal(
176 actualTemporary.value,
177 expectedTemporary,
178 "input override temporary value should match output temporary value"
179 );
180 Assert.ok(
181 !certOverrideService.hasMatchingOverride("example.com", 563, {}, cert, {}),
182 `override set on port ${inPort} should not match port 563`
183 );
184 certOverrideService.clearValidityOverride("example.com", inPort, {});
185 Assert.ok(
186 !certOverrideService.hasMatchingOverride(
187 "example.com",
188 outPort,
189 {},
190 cert,
191 {}
192 ),
193 `override cleared on port ${inPort} should match port ${outPort}`
194 );
195 }
197 function run_test() {
198 run_port_equivalency_test(-1, 443);
199 run_port_equivalency_test(443, -1);
201 Services.prefs.setIntPref("security.OCSP.enabled", 1);
202 add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
204 let fakeOCSPResponder = new HttpServer();
205 fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
206 response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
207 });
208 fakeOCSPResponder.start(8888);
210 add_simple_tests();
211 add_localhost_tests();
212 add_combo_tests();
213 add_distrust_tests();
215 add_test(function () {
216 fakeOCSPResponder.stop(check_telemetry);
217 });
219 run_next_test();
220 }
222 function add_simple_tests() {
223 add_cert_override_test("expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE);
224 add_cert_override_test(
225 "notyetvalid.example.com",
226 MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE
227 );
228 add_cert_override_test("before-epoch.example.com", SEC_ERROR_INVALID_TIME);
229 add_cert_override_test(
230 "before-epoch-self-signed.example.com",
231 MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
232 );
233 add_cert_override_test(
234 "selfsigned.example.com",
235 MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
236 );
237 add_cert_override_test("unknownissuer.example.com", SEC_ERROR_UNKNOWN_ISSUER);
238 add_cert_override_test(
239 "expiredissuer.example.com",
240 SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
241 );
242 add_cert_override_test(
243 "notyetvalidissuer.example.com",
244 MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE
245 );
246 add_cert_override_test(
247 "before-epoch-issuer.example.com",
248 SEC_ERROR_INVALID_TIME
249 );
250 add_cert_override_test(
251 "md5signature.example.com",
252 SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
253 );
254 add_cert_override_test(
255 "emptyissuername.example.com",
256 MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME
257 );
258 // This has name information in the subject alternative names extension,
259 // but not the subject common name.
260 add_cert_override_test("mismatch.example.com", SSL_ERROR_BAD_CERT_DOMAIN);
261 // This has name information in the subject common name but not the subject
262 // alternative names extension.
263 add_cert_override_test("mismatch-CN.example.com", SSL_ERROR_BAD_CERT_DOMAIN);
265 // A Microsoft IIS utility generates self-signed certificates with
266 // properties similar to the one this "host" will present.
267 add_cert_override_test(
268 "selfsigned-inadequateEKU.example.com",
269 MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
270 );
272 add_prevented_cert_override_test(
273 "inadequatekeyusage.example.com",
274 SEC_ERROR_INADEQUATE_KEY_USAGE
275 );
277 // Test triggering the MitM detection. We don't set-up a proxy here. Just
278 // set the pref. Without the pref set we expect an unkown issuer error.
279 add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER);
280 add_test(function () {
281 Services.prefs.setStringPref(
282 "security.pki.mitm_canary_issuer",
283 "CN=Test MITM Root"
284 );
285 let certOverrideService = Cc[
286 "@mozilla.org/security/certoverride;1"
287 ].getService(Ci.nsICertOverrideService);
288 certOverrideService.clearValidityOverride("mitm.example.com", 8443, {});
289 run_next_test();
290 });
291 add_cert_override_test("mitm.example.com", MOZILLA_PKIX_ERROR_MITM_DETECTED);
292 add_test(function () {
293 Services.prefs.setStringPref(
294 "security.pki.mitm_canary_issuer",
295 "CN=Other MITM Root"
296 );
297 let certOverrideService = Cc[
298 "@mozilla.org/security/certoverride;1"
299 ].getService(Ci.nsICertOverrideService);
300 certOverrideService.clearValidityOverride("mitm.example.com", 8443, {});
301 run_next_test();
302 });
303 // If the canary issuer doesn't match the one we see, we exepct and unknown
304 // issuer error.
305 add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER);
306 // If security.pki.mitm_canary_issuer.enabled is false, there should always
307 // be an unknown issuer error.
308 add_test(function () {
309 Services.prefs.setBoolPref(
310 "security.pki.mitm_canary_issuer.enabled",
311 false
312 );
313 let certOverrideService = Cc[
314 "@mozilla.org/security/certoverride;1"
315 ].getService(Ci.nsICertOverrideService);
316 certOverrideService.clearValidityOverride("mitm.example.com", 8443, {});
317 run_next_test();
318 });
319 add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER);
320 add_test(function () {
321 Services.prefs.clearUserPref("security.pki.mitm_canary_issuer");
322 run_next_test();
323 });
325 // This is intended to test the case where a verification has failed for one
326 // overridable reason (e.g. unknown issuer) but then, in the process of
327 // reporting that error, a non-overridable error is encountered. The
328 // non-overridable error should be prioritized.
329 add_test(function () {
330 let rootCert = constructCertFromFile("bad_certs/test-ca.pem");
331 setCertTrust(rootCert, ",,");
332 run_next_test();
333 });
334 add_prevented_cert_override_test(
335 "nsCertTypeCritical.example.com",
336 SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION
337 );
338 add_test(function () {
339 let rootCert = constructCertFromFile("bad_certs/test-ca.pem");
340 setCertTrust(rootCert, "CTu,,");
341 run_next_test();
342 });
344 // Bug 990603: Apache documentation has recommended generating a self-signed
345 // test certificate with basic constraints: CA:true. For compatibility, this
346 // is a scenario in which an override is allowed.
347 add_cert_override_test(
348 "self-signed-end-entity-with-cA-true.example.com",
349 MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
350 );
352 add_cert_override_test(
353 "ca-used-as-end-entity.example.com",
354 MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
355 );
357 // If an X.509 version 1 certificate is not a trust anchor, we will
358 // encounter an overridable error.
359 add_cert_override_test(
360 "end-entity-issued-by-v1-cert.example.com",
361 MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA
362 );
363 // If we make that certificate a trust anchor, the connection will succeed.
364 add_test(function () {
365 let certOverrideService = Cc[
366 "@mozilla.org/security/certoverride;1"
367 ].getService(Ci.nsICertOverrideService);
368 certOverrideService.clearValidityOverride(
369 "end-entity-issued-by-v1-cert.example.com",
370 8443,
371 {}
372 );
373 let v1Cert = constructCertFromFile("bad_certs/v1Cert.pem");
374 setCertTrust(v1Cert, "CTu,,");
375 clearSessionCache();
376 run_next_test();
377 });
378 add_connection_test(
379 "end-entity-issued-by-v1-cert.example.com",
380 PRErrorCodeSuccess
381 );
382 // Reset the trust for that certificate.
383 add_test(function () {
384 let v1Cert = constructCertFromFile("bad_certs/v1Cert.pem");
385 setCertTrust(v1Cert, ",,");
386 clearSessionCache();
387 run_next_test();
388 });
390 // Due to compatibility issues, we allow overrides for certificates issued by
391 // certificates that are not valid CAs.
392 add_cert_override_test(
393 "end-entity-issued-by-non-CA.example.com",
394 SEC_ERROR_CA_CERT_INVALID
395 );
397 // This host presents a 1016-bit RSA key.
398 add_cert_override_test(
399 "inadequate-key-size-ee.example.com",
400 MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
401 );
403 // The test root is not a built-in (by default), so the invalid dNSName entry
404 // in the subject alternative name extension is skipped.
405 add_connection_test(
406 "ipAddressAsDNSNameInSAN.example.com",
407 PRErrorCodeSuccess
408 );
410 if (gIsDebugBuild) {
411 // Treat the test root like a built-in.
412 add_test(function () {
413 let rootCert = constructCertFromFile("bad_certs/test-ca.pem");
414 Services.prefs.setCharPref(
415 "security.test.built_in_root_hash",
416 rootCert.sha256Fingerprint
417 );
418 run_next_test();
419 });
420 // If the root is a built-in, the invalid dNSName entry in the subject
421 // alternative name extension is not skipped, and this result in an error.
422 add_cert_override_test(
423 "ipAddressAsDNSNameInSAN.example.com",
424 SSL_ERROR_BAD_CERT_DOMAIN
425 );
426 // Reset the test root's built-in status.
427 add_test(function () {
428 Services.prefs.clearUserPref("security.test.built_in_root_hash");
429 run_next_test();
430 });
431 }
433 add_cert_override_test("noValidNames.example.com", SSL_ERROR_BAD_CERT_DOMAIN);
434 add_cert_override_test(
435 "badSubjectAltNames.example.com",
436 SSL_ERROR_BAD_CERT_DOMAIN
437 );
439 add_cert_override_test(
440 "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp",
441 SEC_ERROR_UNKNOWN_ISSUER
442 );
443 add_test(function () {
444 // At this point, the override for bug413909.xn--hxajbheg2az3al.xn--jxalpdlp
445 // is still valid. Do some additional tests relating to IDN handling.
446 let certOverrideService = Cc[
447 "@mozilla.org/security/certoverride;1"
448 ].getService(Ci.nsICertOverrideService);
449 let uri = Services.io.newURI(
450 "https://bug413909.xn--hxajbheg2az3al.xn--jxalpdlp"
451 );
452 let cert = constructCertFromFile("bad_certs/idn-certificate.pem");
453 Assert.ok(
454 certOverrideService.hasMatchingOverride(
455 uri.asciiHost,
456 8443,
457 {},
458 cert,
459 {}
460 ),
461 "IDN certificate should have matching override using ascii host"
462 );
463 Assert.throws(
464 () =>
465 !certOverrideService.hasMatchingOverride(
466 uri.displayHost,
467 8443,
468 {},
469 cert,
470 {}
471 ),
472 /NS_ERROR_ILLEGAL_VALUE/,
473 "IDN certificate should not have matching override using (non-ascii) host"
474 );
475 let invalidHost = uri.asciiHost.replace(/./g, c =>
476 String.fromCharCode(c.charCodeAt(0) | 0x100)
477 );
478 Assert.throws(
479 () =>
480 !certOverrideService.hasMatchingOverride(
481 invalidHost,
482 8443,
483 {},
484 cert,
485 {}
486 ),
487 /NS_ERROR_ILLEGAL_VALUE/,
488 "hasMatchingOverride should not truncate high-bytes"
489 );
490 run_next_test();
491 });
493 add_test(function () {
494 // Add a bunch of overrides...
495 let certOverrideService = Cc[
496 "@mozilla.org/security/certoverride;1"
497 ].getService(Ci.nsICertOverrideService);
498 let cert = constructCertFromFile("bad_certs/default-ee.pem");
499 certOverrideService.rememberValidityOverride(
500 "example.com",
501 443,
502 {},
503 cert,
504 false
505 );
506 Assert.ok(
507 certOverrideService.hasMatchingOverride("example.com", 443, {}, cert, {}),
508 "Should have added override for example.com:443"
509 );
510 certOverrideService.rememberValidityOverride(
511 "example.com",
512 80,
513 {},
514 cert,
515 false
516 );
517 certOverrideService.rememberValidityOverride("::1", 80, {}, cert, false);
518 Assert.ok(
519 certOverrideService.hasMatchingOverride("example.com", 80, {}, cert, {}),
520 "Should have added override for example.com:80"
521 );
522 certOverrideService.rememberValidityOverride(
523 "example.org",
524 443,
525 {},
526 cert,
527 false
528 );
529 Assert.ok(
530 certOverrideService.hasMatchingOverride("example.org", 443, {}, cert, {}),
531 "Should have added override for example.org:443"
532 );
533 Assert.ok(
534 certOverrideService.hasMatchingOverride("::1", 80, {}, cert, {}),
535 "Should have added override for [::1]:80"
536 );
537 // When in a private browsing context, overrides added in non-private
538 // contexts should match (but not vice-versa).
539 Assert.ok(
540 certOverrideService.hasMatchingOverride(
541 "example.org",
542 443,
543 { privateBrowsingId: 1 },
544 cert,
545 {}
546 ),
547 "Should have override for example.org:443 with privateBrowsingId 1"
548 );
549 Assert.ok(
550 certOverrideService.hasMatchingOverride(
551 "example.org",
552 443,
553 { privateBrowsingId: 2 },
554 cert,
555 {}
556 ),
557 "Should have override for example.org:443 with privateBrowsingId 2"
558 );
559 Assert.ok(
560 certOverrideService.hasMatchingOverride(
561 "example.org",
562 443,
563 { firstPartyDomain: "example.org", userContextId: 1 },
564 cert,
565 {}
566 ),
567 "Should ignore firstPartyDomain and userContextId when checking overrides"
568 );
569 certOverrideService.rememberValidityOverride(
570 "example.org",
571 80,
572 {},
573 cert,
574 true
575 );
576 Assert.ok(
577 certOverrideService.hasMatchingOverride("example.org", 80, {}, cert, {}),
578 "Should have added override for example.org:80"
579 );
580 certOverrideService.rememberValidityOverride(
581 "test.example.org",
582 443,
583 { firstPartyDomain: "example.org", userContextId: 1 },
584 cert,
585 false
586 );
587 Assert.ok(
588 certOverrideService.hasMatchingOverride(
589 "test.example.org",
590 443,
591 {},
592 cert,
593 {}
594 ),
595 "Should ignore firstPartyDomain and userContextId when adding overrides"
596 );
597 Assert.ok(
598 certOverrideService.hasMatchingOverride(
599 "test.example.org",
600 443,
601 { firstPartyDomain: "example.com", userContextId: 2 },
602 cert,
603 {}
604 ),
605 "Should ignore firstPartyDomain and userContextId when checking overrides"
606 );
607 certOverrideService.rememberValidityOverride(
608 "example.test",
609 443,
610 { privateBrowsingId: 1 },
611 cert,
612 false
613 );
614 Assert.ok(
615 certOverrideService.hasMatchingOverride(
616 "example.test",
617 443,
618 { privateBrowsingId: 1 },
619 cert,
620 {}
621 ),
622 "Should have added override for example.test:443 with privateBrowsingId 1"
623 );
624 Assert.ok(
625 !certOverrideService.hasMatchingOverride(
626 "example.test",
627 443,
628 { privateBrowsingId: 2 },
629 cert,
630 {}
631 ),
632 "Should not have override for example.test:443 with privateBrowsingId 2"
633 );
634 Assert.ok(
635 !certOverrideService.hasMatchingOverride(
636 "example.test",
637 443,
638 {},
639 cert,
640 {}
641 ),
642 "Should not have override for example.test:443 with non-private OriginAttributes"
643 );
644 // Clear them all...
645 certOverrideService.clearAllOverrides();
647 // And ensure they're all gone.
648 Assert.ok(
649 !certOverrideService.hasMatchingOverride(
650 "example.com",
651 443,
652 {},
653 cert,
654 {}
655 ),
656 "Should have removed override for example.com:443"
657 );
658 Assert.ok(
659 !certOverrideService.hasMatchingOverride("example.com", 80, {}, cert, {}),
660 "Should have removed override for example.com:80"
661 );
662 Assert.ok(
663 !certOverrideService.hasMatchingOverride(
664 "example.org",
665 443,
666 {},
667 cert,
668 {}
669 ),
670 "Should have removed override for example.org:443"
671 );
672 Assert.ok(
673 !certOverrideService.hasMatchingOverride("example.org", 80, {}, cert, {}),
674 "Should have removed override for example.org:80"
675 );
676 Assert.ok(
677 !certOverrideService.hasMatchingOverride(
678 "example.org",
679 443,
680 { privateBrowsingId: 1 },
681 cert,
682 {}
683 ),
684 "Should have removed override for example.org:443 with privateBrowsingId 1"
685 );
687 run_next_test();
688 });
689 }
691 function add_localhost_tests() {
692 add_cert_override_test("localhost", SEC_ERROR_UNKNOWN_ISSUER);
693 add_cert_override_test("127.0.0.1", SSL_ERROR_BAD_CERT_DOMAIN);
694 add_cert_override_test("::1", SSL_ERROR_BAD_CERT_DOMAIN);
695 }
697 function add_combo_tests() {
698 add_cert_override_test(
699 "mismatch-expired.example.com",
700 SSL_ERROR_BAD_CERT_DOMAIN
701 );
702 add_cert_override_test(
703 "mismatch-notYetValid.example.com",
704 SSL_ERROR_BAD_CERT_DOMAIN
705 );
706 add_cert_override_test(
707 "mismatch-untrusted.example.com",
708 SEC_ERROR_UNKNOWN_ISSUER
709 );
710 add_cert_override_test(
711 "untrusted-expired.example.com",
712 SEC_ERROR_UNKNOWN_ISSUER
713 );
714 add_cert_override_test(
715 "mismatch-untrusted-expired.example.com",
716 SEC_ERROR_UNKNOWN_ISSUER
717 );
719 add_cert_override_test(
720 "md5signature-expired.example.com",
721 SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
722 );
724 add_cert_override_test(
725 "ca-used-as-end-entity-name-mismatch.example.com",
726 MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
727 );
728 }
730 function add_distrust_tests() {
731 // Before we specifically distrust this certificate, it should be trusted.
732 add_connection_test("untrusted.example.com", PRErrorCodeSuccess);
734 add_distrust_test(
735 "bad_certs/default-ee.pem",
736 "untrusted.example.com",
737 SEC_ERROR_UNTRUSTED_CERT
738 );
740 add_distrust_test(
741 "bad_certs/other-test-ca.pem",
742 "untrustedissuer.example.com",
743 SEC_ERROR_UNTRUSTED_ISSUER
744 );
746 add_distrust_test(
747 "bad_certs/test-ca.pem",
748 "ca-used-as-end-entity.example.com",
749 SEC_ERROR_UNTRUSTED_ISSUER
750 );
751 }
753 function add_distrust_test(certFileName, hostName, expectedResult) {
754 let certToDistrust = constructCertFromFile(certFileName);
756 add_test(function () {
757 // Add an entry to the NSS certDB that says to distrust the cert
758 setCertTrust(certToDistrust, "pu,,");
759 clearSessionCache();
760 run_next_test();
761 });
762 add_prevented_cert_override_test(hostName, expectedResult);
763 add_test(function () {
764 setCertTrust(certToDistrust, "u,,");
765 run_next_test();
766 });
767 }