tor-browser

The Tor Browser

test_baseline_requirements_subject_common_name.js (2271B)


      1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
      2 // This Source Code Form is subject to the terms of the Mozilla Public
      3 // License, v. 2.0. If a copy of the MPL was not distributed with this
      4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
      5 
      6 "use strict";
      7 
// nsIX509CertDB may only be requested once a test profile exists, so set the
// profile up first.
do_get_profile();

// Certificate database service used by the helpers and the task in this file.
const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
     12 
/**
 * Builds a certificate object from one of this test's PEM fixtures.
 *
 * @param {string} certName - Fixture base name, without directory or ".pem".
 * @returns The value produced by constructCertFromFile for that fixture.
 */
function certFromFile(certName) {
  const pemPath = `test_baseline_requirements/${certName}.pem`;
  return constructCertFromFile(pemPath);
}
     16 
/**
 * Imports one of this test's PEM fixtures into gCertDB with the given trust.
 *
 * @param {string} certName - Fixture base name, without directory or ".pem".
 * @param {string} trustString - Trust flags passed through to addCertFromFile
 *   (the caller in this file uses "CTu,,").
 */
function loadCertWithTrust(certName, trustString) {
  const pemPath = `test_baseline_requirements/${certName}.pem`;
  addCertFromFile(gCertDB, pemPath, trustString);
}
     24 
/**
 * Verifies `cert` as a TLS server certificate for "example.com" at a fixed
 * point in time and checks the outcome against `expectedResult`.
 *
 * Pinning the validation time keeps the result independent of the wall clock,
 * so the fixtures do not start failing for expiry reasons instead of the
 * name-matching reason under test.
 *
 * @param cert - Certificate to verify (as returned by certFromFile).
 * @param expectedResult - Error code the verification is expected to yield.
 * @returns Whatever checkCertErrorGenericAtTime returns; the caller awaits it.
 */
function checkCertOn25August2016(cert, expectedResult) {
  // Seconds since the epoch for 2016-08-25T00:00:00Z, i.e. 1472083200.
  const validationTimeSeconds = Date.parse("2016-08-25T00:00:00Z") / 1000;
  const usage = Ci.nsIX509CertDB.verifyUsageTLSServer;
  // NOTE(review): the `false` argument is presumably the "EV expected" flag of
  // checkCertErrorGenericAtTime; confirm against the shared test head file.
  const hostname = "example.com";
  return checkCertErrorGenericAtTime(
    gCertDB,
    cert,
    expectedResult,
    usage,
    validationTimeSeconds,
    false,
    hostname
  );
}
     38 
add_task(async function () {
  const TIMER_PRECISION_PREF = "privacy.reduceTimerPrecision";

  // Restore the pref when the test finishes, whatever the outcome.
  registerCleanupFunction(() => {
    Services.prefs.clearUserPref(TIMER_PRECISION_PREF);
  });
  Services.prefs.setBoolPref(TIMER_PRECISION_PREF, false);

  // Install the test CA with trust flags so the fixtures chain to a trusted
  // root; the failures asserted below are then about name matching only.
  loadCertWithTrust("ca", "CTu,,");

  // At one time there was a preference security.pki.name_matching_mode that
  // controlled whether or not mozilla::pkix would fall back to using a
  // certificate's subject common name during name matching. This no longer
  // exists, and certificates that previously required the fallback should fail
  // to verify.
  //
  // Going by the fixture names, the first three certificates have no
  // subjectAltName extension and the last three have one without any hostname
  // entry. NOTE(review): the recent/old/older suffixes presumably refer to
  // issuance dates around the former fallback cut-offs; confirm against the
  // fixture specs.
  const certsNeedingCommonNameFallback = [
    "no-san-recent",
    "no-san-old",
    "no-san-older",
    "san-contains-no-hostnames-recent",
    "san-contains-no-hostnames-old",
    "san-contains-no-hostnames-older",
  ];

  // Checked one at a time, in the listed order; every one must be rejected
  // with a domain mismatch rather than accepted via the subject common name.
  for (const certName of certsNeedingCommonNameFallback) {
    await checkCertOn25August2016(
      certFromFile(certName),
      SSL_ERROR_BAD_CERT_DOMAIN
    );
  }
});
     78 });