1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
5 // This is a standalone server that uses various bad certificates.
6 // The client is expected to connect, initiate an SSL handshake (with SNI
7 // to indicate which "server" to connect to), and verify the certificate.
8 // If all is good, the client then sends one encrypted byte and receives that
9 // same byte back.
10 // This server also has the ability to "call back" another process waiting on
11 // it. That is, when the server is all set up and ready to receive connections,
12 // it will connect to a specified port and issue a simple HTTP request.
14 #include <stdio.h>
16 #include "TLSServer.h"
18 using namespace mozilla;
19 using namespace mozilla::test;
struct BadCertAndPinningHost {
  // SNI hostname the test client is expected to send (see the table
  // sBadCertAndPinningHosts below).
  const char* mHostName;
  // Nickname of the certificate in the NSS cert DB that the server presents
  // when mHostName is requested.
  const char* mCertName;
};
// Hostname, cert nickname pairs: the SNI hostname a test client sends, and
// the nickname of the certificate this server presents for it. Most hostnames
// name the certificate defect or pinning case under test (expired, mismatch,
// unknown issuer, ...). The table is passed to GetHostForSNI by
// DoSNISocketConfig and ends with a {nullptr, nullptr} sentinel.
const BadCertAndPinningHost sBadCertAndPinningHosts[] = {
    {"expired.example.com", "expired-ee"},
    {"notyetvalid.example.com", "notYetValid"},
    {"before-epoch.example.com", "beforeEpoch"},
    {"before-epoch-self-signed.example.com", "beforeEpochSelfSigned"},
    {"selfsigned.example.com", "selfsigned"},
    {"unknownissuer.example.com", "unknownissuer"},
    {"mismatch.example.com", "mismatch"},
    {"mismatch-CN.example.com", "mismatchCN"},
    {"mitm.example.com", "mitm"},
    {"expiredissuer.example.com", "expiredissuer"},
    {"notyetvalidissuer.example.com", "notYetValidIssuer"},
    {"before-epoch-issuer.example.com", "beforeEpochIssuer"},
    {"md5signature.example.com", "md5signature"},
    {"untrusted.example.com", "default-ee"},
    {"untrustedissuer.example.com", "untrustedissuer"},
    {"mismatch-expired.example.com", "mismatch-expired"},
    {"mismatch-notYetValid.example.com", "mismatch-notYetValid"},
    {"mismatch-untrusted.example.com", "mismatch-untrusted"},
    {"untrusted-expired.example.com", "untrusted-expired"},
    {"md5signature-expired.example.com", "md5signature-expired"},
    {"mismatch-untrusted-expired.example.com", "mismatch-untrusted-expired"},
    {"inadequatekeyusage.example.com", "inadequatekeyusage-ee"},
    {"selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU"},
    {"self-signed-end-entity-with-cA-true.example.com",
     "self-signed-EE-with-cA-true"},
    {"ca-used-as-end-entity.example.com", "ca-used-as-end-entity"},
    {"ca-used-as-end-entity-name-mismatch.example.com",
     "ca-used-as-end-entity"},
    // All of include-subdomains.pinning.example.com is pinned to End Entity
    // Test Cert with nick default-ee. Any other nick will only
    // pass pinning when security.cert_pinning.enforcement.level != strict and
    // otherCA is added as a user-specified trust anchor. See StaticHPKPins.h.
    {"include-subdomains.pinning.example.com", "default-ee"},
    {"good.include-subdomains.pinning.example.com", "default-ee"},
    {"bad.include-subdomains.pinning.example.com", "other-issuer-ee"},
    // Trailing-dot variants: the same pinned name with one and two trailing
    // dots must still be treated as a pinning failure.
    {"bad.include-subdomains.pinning.example.com.", "other-issuer-ee"},
    {"bad.include-subdomains.pinning.example.com..", "other-issuer-ee"},
    {"exclude-subdomains.pinning.example.com", "default-ee"},
    {"sub.exclude-subdomains.pinning.example.com", "other-issuer-ee"},
    {"test-mode.pinning.example.com", "other-issuer-ee"},
    {"unknownissuer.include-subdomains.pinning.example.com", "unknownissuer"},
    {"unknownissuer.test-mode.pinning.example.com", "unknownissuer"},
    {"nsCertTypeNotCritical.example.com", "nsCertTypeNotCritical"},
    {"nsCertTypeCriticalWithExtKeyUsage.example.com",
     "nsCertTypeCriticalWithExtKeyUsage"},
    {"nsCertTypeCritical.example.com", "nsCertTypeCritical"},
    {"end-entity-issued-by-v1-cert.example.com", "eeIssuedByV1Cert"},
    {"end-entity-issued-by-non-CA.example.com", "eeIssuedByNonCA"},
    {"inadequate-key-size-ee.example.com", "inadequateKeySizeEE"},
    {"badSubjectAltNames.example.com", "badSubjectAltNames"},
    {"ipAddressAsDNSNameInSAN.example.com", "ipAddressAsDNSNameInSAN"},
    {"noValidNames.example.com", "noValidNames"},
    {"bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", "idn-certificate"},
    {"emptyissuername.example.com", "emptyIssuerName"},
    {"ev-test.example.com", "ev-test"},
    {"ee-from-missing-intermediate.example.com",
     "ee-from-missing-intermediate"},
    {"imminently-distrusted.example.com", "ee-imminently-distrusted"},
    {"localhost", "unknownissuer"},
    {"a.pinning.example.com", "default-ee"},
    {"b.pinning.example.com", "default-ee"},
    {"not-preloaded.example.com", "default-ee"},
    {"ee.example.com", "default-ee"},
    // Sentinel. Presumably GetHostForSNI (declared in TLSServer.h, not visible
    // here) stops scanning at this entry — keep it last.
    {nullptr, nullptr}};
// Fallback SNI handler used when no entry of sBadCertAndPinningHosts matches.
// Each server name the client offered via SNI is copied into a NUL-terminated
// buffer and handed to ConfigSecureServerWithNamedCert as the name to look up
// in the runtime-built cert DB. The first name that successfully configures
// the socket returns 0; if none does (or every allocation fails) the handshake
// is aborted with SSL_SNI_SEND_ALERT.
//
// aFd:             server socket being configured for this handshake.
// aSrvNameArr:     server names received from the peer (untrusted input; the
//                  copy below is bounded by each entry's len).
// aSrvNameArrSize: number of entries in aSrvNameArr.
int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd,
                                     const SECItem* aSrvNameArr,
                                     uint32_t aSrvNameArrSize) {
  for (uint32_t idx = 0; idx < aSrvNameArrSize; ++idx) {
    const SECItem& serverName = aSrvNameArr[idx];
    // One extra byte so the peer-supplied bytes end up NUL-terminated;
    // PORT_ZAlloc zero-fills, so the terminator is already in place.
    UniquePORTString nickname(
        static_cast<char*>(PORT_ZAlloc(serverName.len + 1)));
    if (!nickname) {
      // Allocation failure: skip this name rather than give up entirely.
      continue;
    }
    PORT_Memcpy(nickname.get(), serverName.data, serverName.len);
    // Cert handle and KEA type are not needed here, so no out-params.
    if (ConfigSecureServerWithNamedCert(aFd, nickname.get(), nullptr, nullptr,
                                       nullptr) == SECSuccess) {
      return 0;
    }
  }
  return SSL_SNI_SEND_ALERT;
}
// SNI callback installed by main() via StartServer: chooses which certificate
// to present based on the server name(s) the client sent. Static mappings in
// sBadCertAndPinningHosts take precedence; otherwise the names are tried as
// cert DB lookups by DoSNISocketConfigBySubjectCN.
//
// aFd:             server socket being configured for this handshake.
// aSrvNameArr:     server names received from the peer.
// aSrvNameArrSize: number of entries in aSrvNameArr.
// aArg:            unused.
// Returns 0 once a certificate is configured, SSL_SNI_SEND_ALERT otherwise.
int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
                          uint32_t aSrvNameArrSize, void* aArg) {
  const BadCertAndPinningHost* matchedHost =
      GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sBadCertAndPinningHosts);
  if (matchedHost == nullptr) {
    // No static cert <-> hostname mapping found. This happens when we use a
    // collection of certificates in a given directory and build a cert DB at
    // runtime, rather than using an NSS cert DB populated at build time.
    // (This will be the default in the future.)
    // For all given server names, check if the runtime-built cert DB contains
    // a certificate with a matching subject CN.
    return DoSNISocketConfigBySubjectCN(aFd, aSrvNameArr, aSrvNameArrSize);
  }

  if (gDebugLevel >= DEBUG_VERBOSE) {
    // Logs the table's own hostname, not the raw peer-supplied bytes.
    fprintf(stderr, "found pre-defined host '%s'\n", matchedHost->mHostName);
  }

  // The callee fills in the cert handle and key-exchange type; neither is
  // used afterwards (cert is presumably released when it goes out of scope).
  UniqueCERTCertificate cert;
  SSLKEAType certKEA;
  const bool configured =
      ConfigSecureServerWithNamedCert(aFd, matchedHost->mCertName, &cert,
                                      &certKEA, nullptr) == SECSuccess;
  if (!configured) {
    return SSL_SNI_SEND_ALERT;
  }
  return 0;
}
// Entry point: hands command-line processing and serving to StartServer
// (from TLSServer.h), installing DoSNISocketConfig as the SNI callback with
// no callback argument. The process exit status is StartServer's result.
int main(int argc, char* argv[]) {
  const int exitStatus = StartServer(argc, argv, DoSNISocketConfig, nullptr);
  return exitStatus;
}