[gecko.git] / security / manager / ssl / tests / unit / test_sanctions_symantec_apple_google.js
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2  * License, v. 2.0. If a copy of the MPL was not distributed with this
3  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 "use strict";
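// Set up the xpcshell profile before the certificate database is used.
do_get_profile();

// Certificate database handle; every certificate in this file is imported
// through it.
const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
  Ci.nsIX509CertDB
);

// Register the TLS test server ("SanctionsTestServer") that serves the
// certificates found under test_sanctions/.
add_tls_server_setup(
  "SanctionsTestServer",
  "test_sanctions",
  /* Don't try to load non-existent test-ca.pem */ false
);

// Import the Symantec test root with the NSS trust string "CTu,u,u", which
// marks it as a trusted issuer. In the visible part of this file it is the
// only certificate that receives explicit trust; everything else is imported
// with ",," and so can only be used for path building, never as an anchor.
addCertFromFile(certDB, "test_sanctions/symantec-test-ca.pem", "CTu,u,u");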
// Pre-load the intermediates into the certificate database rather than
// depending on what the test server sends: the server does try to send an
// intermediate, but it cannot reliably choose between
// intermediate-other-crossigned and intermediate-other.
// Both are imported with the empty trust string ",,", so they are available
// for path building without being trust anchors themselves.
add_test(function () {
  const intermediatePems = [
    "test_sanctions/symantec-intermediate-allowlisted.pem",
    "test_sanctions/symantec-intermediate-other.pem",
  ];
  for (const pemPath of intermediatePems) {
    addCertFromFile(certDB, pemPath, ",,");
  }
  run_next_test();
});
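// Both "not-allowlisted" hosts must be rejected, for the before-cutoff name
// as well as the after-cutoff name. Asserting the specific
// MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED code, rather than
// "any failure", ties the rejection to the additional policy check and not to
// an unrelated path-building or validity error.
// NOTE(review): the two trailing nulls are presumably the optional
// before-connect and security-info callbacks of add_connection_test; confirm
// against the shared test head file.
add_connection_test(
  "symantec-not-allowlisted-before-cutoff.example.com",
  MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
  null,
  null
);

add_connection_test(
  "symantec-not-allowlisted-after-cutoff.example.com",
  MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
  null,
  null
);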
// Make a cross-signed intermediate available as well. An extra candidate path
// must not give the verifier a way around the policy check, so the connection
// test that follows still expects the same error.
add_test(function () {
  const crossSignedPem =
    "test_sanctions/symantec-intermediate-other-crossigned.pem";
  // Empty trust string: usable for path building only, not a trust anchor.
  addCertFromFile(certDB, crossSignedPem, ",,");
  run_next_test();
});
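// Repeat the before-cutoff connection now that the cross-signed intermediate
// is in the certificate database. The expected result is unchanged: the
// handshake must still fail with the additional-policy-constraint error, i.e.
// the alternative chain does not bypass the sanction.
add_connection_test(
  "symantec-not-allowlisted-before-cutoff.example.com",
  MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
  null,
  null
);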
// Positive allowlist case: import the Apple intermediate, load the Apple
// end-entity certificate, and verify it for TLS server use at a fixed point
// in time. Verification is expected to succeed.
add_task(async function () {
  const appleIntermediatePem =
    "test_sanctions/apple-ist-ca-8-g1-intermediate.pem";
  // Empty trust string: the intermediate is available for path building but
  // is not itself a trust anchor.
  addCertFromFile(certDB, appleIntermediatePem, ",,");

  const appleLeafCert = constructCertFromFile(
    "test_sanctions/cds-apple-com.pem"
  );

  // Turn OCSP off before verifying so the test never performs an external
  // fetch. As a consequence, OCSP revocation status plays no part in the
  // result asserted below.
  Services.prefs.setIntPref("security.OCSP.enabled", 0);

  // Seconds since the epoch, i.e. (new Date("2020-01-01")).getTime() / 1000.
  // Pinning the verification time keeps the result independent of the date
  // on which the test runs.
  const verifyAtSeconds = 1577836800;

  await checkCertErrorGenericAtTime(
    certDB,
    appleLeafCert,
    PRErrorCodeSuccess,
    certificateUsageSSLServer,
    verifyAtSeconds
  );
});