[gecko.git] / security / manager / ssl / tests / unit / test_crlite_preexisting.js
1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
2 // This Source Code Form is subject to the terms of the Mozilla Public
3 // License, v. 2.0. If a copy of the MPL was not distributed with this
4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
6 // Tests that starting a profile with a preexisting CRLite filter and stash
7 // works correctly.
9 "use strict";
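// Checks revocation results for a profile that already contains CRLite data
// (the files copied into security_state by run_test) when CRLite is set to
// its enforce mode.
//
// The steps are order-dependent: the first check runs before the filter is
// marked fresh, the remaining checks run after an empty stash has been added.
add_task(async function test_preexisting_crlite_data() {
  Services.prefs.setIntPref(
    "security.pki.crlite_mode",
    CRLiteModeEnforcePrefValue
  );

  const certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
    Ci.nsICertStorage
  );
  const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
    Ci.nsIX509CertDB
  );

  // Time argument (seconds since the epoch) shared by every check except the
  // final not-covered one, which uses a later date.
  const verificationTime = new Date("2020-10-20T00:00:00Z").getTime() / 1000;

  // These need to be available to be able to find them during path building
  // for certificate verification.
  const issuerCert = constructCertFromFile("test_crlite_filters/issuer.pem");
  ok(issuerCert, "issuer certificate should decode successfully");
  const noSCTCertIssuer = constructCertFromFile(
    "test_crlite_filters/no-sct-issuer.pem"
  );
  ok(
    noSCTCertIssuer,
    "issuer certificate for certificate without SCTs should decode successfully"
  );

  const validCert = constructCertFromFile("test_crlite_filters/valid.pem");
  const revokedCert = constructCertFromFile("test_crlite_filters/revoked.pem");

  // We didn't load a data.bin file, so the filter is not considered fresh and
  // we should get a "no filter" result. We later test that CRLite considers
  // this cert to be revoked. So success here shows that CRLite is not
  // consulted when the filter is stale.
  // Security note: this pins the stale-filter path as fail-open for this
  // call, i.e. a certificate the filter lists as revoked still verifies.
  // FLAG_LOCAL_ONLY is passed, presumably so no other revocation source is
  // contacted either; confirm against nsIX509CertDB.
  await checkCertErrorGenericAtTime(
    certdb,
    revokedCert,
    PRErrorCodeSuccess,
    certificateUsageSSLServer,
    verificationTime,
    false,
    "us-datarecovery.com",
    Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
  );

  // Add an empty stash to ensure the filter is considered to be fresh.
  await new Promise(resolve => {
    certStorage.addCRLiteStash(new Uint8Array([]), (rv, _) => {
      Assert.equal(rv, Cr.NS_OK, "marked filter as fresh");
      resolve();
    });
  });

  // NB: by not specifying Ci.nsIX509CertDB.FLAG_LOCAL_ONLY, this tests that
  // the implementation does not fall back to OCSP fetching, because if it
  // did, the implementation would attempt to connect to a server outside the
  // test infrastructure, which would result in a crash in the test
  // environment, which would be treated as a test failure.
  await checkCertErrorGenericAtTime(
    certdb,
    validCert,
    PRErrorCodeSuccess,
    certificateUsageSSLServer,
    verificationTime,
    false,
    "vpn.worldofspeed.org",
    0
  );

  // NOTE(review): this call repeats the previous one with identical
  // arguments. It is kept so the task performs the same verifications as
  // before; confirm whether one of the two was meant to differ (for example
  // in its flags) or whether the repeat is intentional.
  await checkCertErrorGenericAtTime(
    certdb,
    validCert,
    PRErrorCodeSuccess,
    certificateUsageSSLServer,
    verificationTime,
    false,
    "vpn.worldofspeed.org",
    0
  );

  // With the filter now considered fresh, the same certificate that verified
  // successfully in the first check must be reported as revoked.
  await checkCertErrorGenericAtTime(
    certdb,
    revokedCert,
    SEC_ERROR_REVOKED_CERTIFICATE,
    certificateUsageSSLServer,
    verificationTime,
    false,
    "us-datarecovery.com",
    0
  );

  const revokedInStashCert = constructCertFromFile(
    "test_crlite_filters/revoked-in-stash.pem"
  );
  // The stash may not have loaded yet, so await a task that ensures the stash
  // loading task has completed.
  await new Promise(resolve => {
    certStorage.hasPriorData(
      Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL,
      (rv, _) => {
        Assert.equal(rv, Cr.NS_OK, "hasPriorData should succeed");
        resolve();
      }
    );
  });
  await checkCertErrorGenericAtTime(
    certdb,
    revokedInStashCert,
    SEC_ERROR_REVOKED_CERTIFICATE,
    certificateUsageSSLServer,
    verificationTime,
    false,
    "stokedmoto.com",
    0
  );

  const revokedInStash2Cert = constructCertFromFile(
    "test_crlite_filters/revoked-in-stash-2.pem"
  );
  await checkCertErrorGenericAtTime(
    certdb,
    revokedInStash2Cert,
    SEC_ERROR_REVOKED_CERTIFICATE,
    certificateUsageSSLServer,
    verificationTime,
    false,
    "icsreps.com",
    0
  );

  // This certificate has no embedded SCTs, so it is not guaranteed to be in
  // CT, so CRLite can't be guaranteed to give the correct answer, so it is
  // not consulted, and the implementation falls back to OCSP. Since the real
  // OCSP responder can't be reached, this results in a
  // SEC_ERROR_OCSP_SERVER_ERROR.
  const noSCTCert = constructCertFromFile("test_crlite_filters/no-sct.pem");
  // NB: this will cause an OCSP request to be sent to localhost:80, but
  // since an OCSP responder shouldn't be running on that port, this should
  // fail safely.
  // The pref overrides sit inside try/finally so that they are cleared even
  // if the verification below throws.
  try {
    Services.prefs.setCharPref("network.dns.localDomains", "ocsp.digicert.com");
    Services.prefs.setBoolPref("security.OCSP.require", true);
    Services.prefs.setIntPref("security.OCSP.enabled", 1);
    await checkCertErrorGenericAtTime(
      certdb,
      noSCTCert,
      SEC_ERROR_OCSP_SERVER_ERROR,
      certificateUsageSSLServer,
      verificationTime,
      false,
      "mail233.messagelabs.com",
      0
    );
  } finally {
    Services.prefs.clearUserPref("network.dns.localDomains");
    Services.prefs.clearUserPref("security.OCSP.require");
    Services.prefs.clearUserPref("security.OCSP.enabled");
  }

  // NOTE(review): judging by the fixture name, this certificate is presumably
  // outside what the filter covers, so verification is expected to succeed.
  // This check uses a later verification time and FLAG_LOCAL_ONLY; confirm
  // the intent against test_crlite_filters.js.
  const notCoveredCert = constructCertFromFile(
    "test_crlite_filters/notcovered.pem"
  );
  await checkCertErrorGenericAtTime(
    certdb,
    notCoveredCert,
    PRErrorCodeSuccess,
    certificateUsageSSLServer,
    new Date("2022-01-07T00:00:00Z").getTime() / 1000,
    false,
    "peekaboophonics.com",
    Ci.nsIX509CertDB.FLAG_LOCAL_ONLY
  );
});
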
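// Test entry point: copies CRLite data files into the profile's
// security_state directory and then starts the queued tasks, so that those
// tasks run against a profile that already holds the data.
function run_test() {
  const securityStateDirectory = do_get_profile();
  securityStateDirectory.append("security_state");
  // For simplicity, re-use the filter from test_crlite_filters.js.
  const crliteFile = do_get_file("test_crlite_filters/20201017-0-filter");
  crliteFile.copyTo(securityStateDirectory, "crlite.filter");
  // This stash file was obtained by running just the task
  // `test_crlite_filters_and_check_revocation` in test_crlite_filters.js,
  // causing it to hang (by adding something like `add_test(() => {});`), and
  // then copying the files from the temporary profile directory.
  const stashFile = do_get_file("test_crlite_preexisting/crlite.stash");
  stashFile.copyTo(securityStateDirectory, "crlite.stash");
  const coverageFile = do_get_file("test_crlite_preexisting/crlite.coverage");
  coverageFile.copyTo(securityStateDirectory, "crlite.coverage");
  const enrollmentFile = do_get_file(
    "test_crlite_preexisting/crlite.enrollment"
  );
  enrollmentFile.copyTo(securityStateDirectory, "crlite.enrollment");
  // The earlier version copied crlite.enrollment a second time through a
  // variable named certStorageFile. That repeat wrote the same source to the
  // same destination, so it is dropped here.
  // NOTE(review): the variable name and the earlier wording ("the following
  // cert storage file") suggest a separate cert storage file may once have
  // been copied at this point. Confirm that no other file is expected in
  // security_state for this test.

  run_next_test();
}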