test_blocklist_onecrl.js (3898B)
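"use strict";

// xpcshell test for the OneCRL blocklist client: checks its remote-settings
// configuration and that "sync" events are reflected in cert_storage.

// The assertions below on cert_storage contents appear to rely on starting
// from a fresh profile directory.
do_get_profile();

const { Utils } = ChromeUtils.importESModule(
  "resource://services-settings/Utils.sys.mjs"
);
const { RemoteSettings } = ChromeUtils.importESModule(
  "resource://services-settings/remote-settings.sys.mjs"
);
const { RemoteSecuritySettings } = ChromeUtils.importESModule(
  "resource://gre/modules/psm/RemoteSecuritySettings.sys.mjs"
);
const { OneCRLBlocklistClient } = RemoteSecuritySettings.init();

// Test revocation record, as delivered by remote settings: base64 of the DER
// issuer name and of the serial number bytes.
const TEST_ISSUER_B64 = "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=";
const TEST_SERIAL_B64 = "a0X7/7DlTaedpgrIJg25iBPOkIM=";
// Serial number the record is changed to in test_updated_entry.
const UPDATED_SERIAL_B64 = "ALtF+/+w5U0=";

/**
 * Returns the nsICertStorage service used to inspect revocation state.
 */
function getCertStorage() {
  return Cc["@mozilla.org/security/certstorage;1"].getService(
    Ci.nsICertStorage
  );
}

/**
 * Asks cert_storage whether it holds any revocation data.
 *
 * A non-OK result rejects instead of being reported as "no data": otherwise
 * a storage error would let the "no revocations yet" precondition pass
 * without having checked anything.
 *
 * @param {nsICertStorage} certStorage
 * @returns {Promise<boolean>}
 */
function hasRevocations(certStorage) {
  return new Promise((resolve, reject) => {
    certStorage.hasPriorData(
      Ci.nsICertStorage.DATA_TYPE_REVOCATION,
      (rv, hasPriorData) => {
        if (rv !== Cr.NS_OK) {
          reject(new Error(`hasPriorData failed: 0x${rv.toString(16)}`));
          return;
        }
        resolve(hasPriorData);
      }
    );
  });
}

add_task(async function test_uses_a_custom_signer() {
  // The OneCRL client must not fall back to the signer name that a
  // default-configured remote-settings client gets.
  Assert.notEqual(
    OneCRLBlocklistClient.signerName,
    RemoteSettings("not-specified").signerName
  );
});

add_task(async function test_has_initial_dump() {
  // A packaged dump must exist for the OneCRL bucket/collection.
  Assert.ok(
    await Utils.hasLocalDump(
      OneCRLBlocklistClient.bucketName,
      OneCRLBlocklistClient.collectionName
    )
  );
});

add_task(async function test_default_jexl_filter_is_used() {
  Assert.deepEqual(
    OneCRLBlocklistClient.filterCreator,
    RemoteSettings("not-specified").filterCreator
  );
});

add_task(
  async function test_revocations_are_updated_on_sync_with_cert_storage() {
    const certStorage = getCertStorage();

    Assert.ok(
      !(await hasRevocations(certStorage)),
      "cert_storage should start without revocation data"
    );

    await OneCRLBlocklistClient.emit("sync", {
      data: {
        current: [],
        created: [
          {
            issuerName: TEST_ISSUER_B64,
            serialNumber: TEST_SERIAL_B64,
          },
        ],
        updated: [],
        deleted: [],
      },
    });

    Assert.ok(
      await hasRevocations(certStorage),
      "cert_storage should hold revocation data after the sync event"
    );
  }
);

add_task(async function test_updated_entry() {
  // Revoke a particular issuer/serial number.
  await OneCRLBlocklistClient.emit("sync", {
    data: {
      current: [],
      created: [
        {
          issuerName: TEST_ISSUER_B64,
          serialNumber: TEST_SERIAL_B64,
        },
      ],
      updated: [],
      deleted: [],
    },
  });
  const certStorage = getCertStorage();
  // Raw bytes that TEST_ISSUER_B64 decodes to.
  const issuerArray = [
    0x30, 0x12, 0x31, 0x10, 0x30, 0xe, 0x6, 0x3, 0x55, 0x4, 0x3, 0xc, 0x7, 0x54,
    0x65, 0x73, 0x74, 0x20, 0x43, 0x41,
  ];
  // Raw bytes that TEST_SERIAL_B64 decodes to.
  const serialArray = [
    0x6b, 0x45, 0xfb, 0xff, 0xb0, 0xe5, 0x4d, 0xa7, 0x9d, 0xa6, 0xa, 0xc8, 0x26,
    0xd, 0xb9, 0x88, 0x13, 0xce, 0x90, 0x83,
  ];
  const revocationState = certStorage.getRevocationState(
    issuerArray,
    serialArray,
    [],
    []
  );
  Assert.equal(revocationState, Ci.nsICertStorage.STATE_ENFORCE);

  // Update the revocation to be a different serial number; the original
  // (issuer, serial) pair should now not be revoked.
  await OneCRLBlocklistClient.emit("sync", {
    data: {
      current: [],
      created: [],
      updated: [
        {
          old: {
            issuerName: TEST_ISSUER_B64,
            serialNumber: TEST_SERIAL_B64,
          },
          new: {
            issuerName: TEST_ISSUER_B64,
            serialNumber: UPDATED_SERIAL_B64,
          },
        },
      ],
      deleted: [],
    },
  });
  const oldRevocationState = certStorage.getRevocationState(
    issuerArray,
    serialArray,
    [],
    []
  );
  Assert.equal(oldRevocationState, Ci.nsICertStorage.STATE_UNSET);

  // Raw bytes that UPDATED_SERIAL_B64 decodes to.
  const newSerialArray = [0x00, 0xbb, 0x45, 0xfb, 0xff, 0xb0, 0xe5, 0x4d];
  const newRevocationState = certStorage.getRevocationState(
    issuerArray,
    newSerialArray,
    [],
    []
  );
  Assert.equal(newRevocationState, Ci.nsICertStorage.STATE_ENFORCE);
});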