[gecko.git] / security / manager / ssl / tests / unit / test_ct.js
1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
2 // This Source Code Form is subject to the terms of the Mozilla Public
3 // License, v. 2.0. If a copy of the MPL was not distributed with this
4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
6 "use strict";
// A profile has to exist before nsIX509CertDB is requested for the first time.
do_get_profile();

registerCleanupFunction(() => {
  // Remove the user values of the prefs this file sets.
  for (const prefName of [
    "security.pki.certificate_transparency.mode",
    "security.test.built_in_root_hash",
  ]) {
    Services.prefs.clearUserPref(prefName);
  }
  // The end-entity trust anchor test gives this certificate the trust string
  // "CTu,,"; set it back to an empty trust string so that it is no longer
  // treated as a trust anchor once this file is done.
  const endEntityCert = constructCertFromFile(
    "test_ct/ct-valid.example.com.pem"
  );
  setCertTrust(endEntityCert, ",,");
});
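/**
 * Queues the certificate transparency (CT) test sequence for one CT mode.
 *
 * The steps are registered in order through add_test()/add_ct_test(), and
 * each one relies on the prefs and trust settings left by the steps before
 * it, so the order below is significant.
 *
 * @param {number} mode - Value written to the
 *   "security.pki.certificate_transparency.mode" pref. run_test() passes
 *   CT_MODE_COLLECT_TELEMETRY and CT_MODE_ENFORCE.
 */
function add_tests_in_mode(mode) {
  // Third add_ct_test() argument for every case whose certificate does not
  // satisfy the CT policy and has no exemption: true only in
  // telemetry-collection mode. It appears to be the "connection is expected
  // to succeed" flag - confirm against add_ct_test(), which is defined
  // outside this function.
  const onlyInTelemetryMode = mode === CT_MODE_COLLECT_TELEMETRY;

  add_test(function set_mode() {
    info(`setting CT to mode ${mode}`);
    Services.prefs.setIntPref(
      "security.pki.certificate_transparency.mode",
      mode
    );
    run_next_test();
  });

  // Test that certificate transparency is not checked for certificates issued
  // by roots that are not built-in.
  add_ct_test(
    "ct-unknown-log.example.com",
    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE,
    true
  );

  add_test(function set_test_root_as_built_in() {
    // Make the test root appear to be a built-in root, so that certificate
    // transparency is checked.
    const rootCert = constructCertFromFile("test_ct/test-ca.pem");
    Services.prefs.setCharPref(
      "security.test.built_in_root_hash",
      rootCert.sha256Fingerprint
    );
    run_next_test();
  });

  // These certificates have a validity period of 800 days, which is greater
  // than 180 days. Our policy requires 3 embedded SCTs for certificates with a
  // validity period greater than 180 days.
  add_ct_test(
    "ct-valid.example.com",
    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT,
    true
  );
  // This certificate has only 2 embedded SCTs, and so is not policy-compliant.
  add_ct_test(
    "ct-insufficient-scts.example.com",
    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    onlyInTelemetryMode
  );

  // Test that SCTs with timestamps from the future are not valid.
  add_ct_test(
    "ct-future-timestamp.example.com",
    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    onlyInTelemetryMode
  );

  // Test that additional SCTs from the same log do not contribute to meeting
  // the requirements.
  add_ct_test(
    "ct-multiple-from-same-log.example.com",
    Ci.nsITransportSecurityInfo
      .CERTIFICATE_TRANSPARENCY_POLICY_NOT_DIVERSE_SCTS,
    onlyInTelemetryMode
  );

  // Test that SCTs from an unknown log do not contribute to meeting the
  // requirements.
  add_ct_test(
    "ct-unknown-log.example.com",
    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    onlyInTelemetryMode
  );

  // Going by the host name, this certificate presumably carries no SCTs at
  // all; it is expected to be reported as not having enough SCTs.
  add_ct_test(
    "no-ct.example.com",
    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    onlyInTelemetryMode
  );
  add_test(function set_disable_ct_for_hosts_pref() {
    // Disable CT enforcement for exactly 'ct-unknown-log.example.com' (the
    // entry with the leading '.') as well as 'no-ct.example.com' and all
    // subdomains under 'no-ct.example.com'.
    // CT will still be checked, and the security info of the connection will say
    // the information is insufficient, but the connection will still succeed
    // (essentially, it behaves like telemetry-only mode).
    Services.prefs.setCharPref(
      "security.pki.certificate_transparency.disable_for_hosts",
      ".ct-unknown-log.example.com,no-ct.example.com"
    );
    clearSessionCache();
    run_next_test();
  });
  // Listed with a leading '.', so the exact host is exempt from enforcement...
  add_ct_test(
    "ct-unknown-log.example.com",
    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    true
  );
  // ...but its subdomain is not: the exemption must not widen to subdomains.
  add_ct_test(
    "sub.ct-unknown-log.example.com",
    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    onlyInTelemetryMode
  );
  // Listed without a leading '.', so both the host and its subdomain are
  // exempt.
  add_ct_test(
    "no-ct.example.com",
    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    true
  );
  add_ct_test(
    "sub.no-ct.example.com",
    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    true
  );
  // A host that is not in the list is unaffected by the exemptions.
  add_ct_test(
    "ct-insufficient-scts.example.com",
    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    onlyInTelemetryMode
  );
  add_test(function reset_disable_ct_for_hosts_pref() {
    Services.prefs.clearUserPref(
      "security.pki.certificate_transparency.disable_for_hosts"
    );
    clearSessionCache();
    run_next_test();
  });

  add_test(function set_disable_ct_for_spki_hashes_pref_nonexistent_keys() {
    // Disable CT enforcement for two SPKIs we don't actually have the private
    // key for.
    Services.prefs.setCharPref(
      "security.pki.certificate_transparency.disable_for_spki_hashes",
      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
    );
    clearSessionCache();
    run_next_test();
  });
  // Neither listed hash matches, so nothing is exempt from enforcement.
  add_ct_test(
    "ct-insufficient-scts.example.com",
    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    onlyInTelemetryMode
  );
  add_test(function set_disable_ct_for_spki_hashes_pref() {
    // Disable CT enforcement for the default test key's SPKI.
    // Again, the behavior will be that of telemetry-only mode.
    Services.prefs.setCharPref(
      "security.pki.certificate_transparency.disable_for_spki_hashes",
      "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=,VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8="
    );
    clearSessionCache();
    run_next_test();
  });
  add_ct_test(
    "ct-insufficient-scts.example.com",
    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    true
  );
  add_test(function set_disable_ct_for_spki_hashes_pref_alternate() {
    // Disable CT enforcement for the alternate test key's SPKI.
    Services.prefs.setCharPref(
      "security.pki.certificate_transparency.disable_for_spki_hashes",
      "MQj2tt1yGAfwFpWETYUCVrZxk2CD2705NKBQUlAaKJI=,DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD="
    );
    clearSessionCache();
    run_next_test();
  });
  // NOTE(review): presumably the alternate key's hash matches a key in the
  // chain served for this host - confirm against the test certificates.
  add_ct_test(
    "no-ct.example.com",
    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    true
  );
  add_test(function reset_disable_ct_for_spki_hashes_pref() {
    Services.prefs.clearUserPref(
      "security.pki.certificate_transparency.disable_for_spki_hashes"
    );
    clearSessionCache();
    run_next_test();
  });

  // Test that if an end-entity is marked as a trust anchor, CT verification
  // returns a "not enough SCTs" result.
  add_test(function set_up_end_entity_trust_anchor_test() {
    const cert = constructCertFromFile("test_ct/ct-valid.example.com.pem");
    // Register the end-entity's own fingerprint as the "built-in root" hash,
    // as set_test_root_as_built_in does for the test root, so that CT is
    // checked.
    Services.prefs.setCharPref(
      "security.test.built_in_root_hash",
      cert.sha256Fingerprint
    );
    setCertTrust(cert, "CTu,,");
    clearSessionCache();
    run_next_test();
  });
  add_ct_test(
    "ct-valid.example.com",
    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    onlyInTelemetryMode
  );

  add_test(function reset_for_next_test_mode() {
    // Undo the trust anchor setup so that the next mode starts from the same
    // state: no fake built-in root and "u,,", not "CTu,,", on the end-entity.
    Services.prefs.clearUserPref("security.test.built_in_root_hash");
    const cert = constructCertFromFile("test_ct/ct-valid.example.com.pem");
    setCertTrust(cert, "u,,");
    clearSessionCache();
    run_next_test();
  });
}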
215 function run_test() {
216   add_tls_server_setup("BadCertAndPinningServer", "test_ct");
217   add_tests_in_mode(CT_MODE_COLLECT_TELEMETRY);
218   add_tests_in_mode(CT_MODE_ENFORCE);
219   run_next_test();