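/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
"use strict";

// This test checks parsing of the certificate override file.
//
// A hand-written override file is placed in the profile *before* the
// override service is instantiated, so that the service reads it on startup.
// The service is then queried to confirm that the well-formed entries were
// loaded and that the deliberately malformed ones did not produce overrides.

/**
 * xpcshell entry point.
 *
 * Writes a certificate override file containing a mix of valid and malformed
 * entries, starts nsICertOverrideService, and asserts which (host, port,
 * origin attributes, certificate) tuples are reported as having an override.
 */
function run_test() {
  // The fingerprints are hard-coded here (instead of being read from the .pem
  // files) to avoid initializing NSS before the profile setup is complete.
  // bad_certs/mitm.pem
  let cert1 = {
    sha256Fingerprint:
      "B6:9F:87:57:A0:83:EF:E0:5F:2D:4D:81:2A:E2:04:A0:A7:E5:B2:F8:2D:44:E2:BC:FB:56:A5:41:F2:7E:D4:7A",
  };
  // bad_certs/selfsigned.pem
  let cert2 = {
    sha256Fingerprint:
      "79:38:FB:FE:A9:98:85:02:C4:36:C2:3D:9C:59:15:46:36:6A:29:84:96:83:1D:53:A0:68:3F:D9:01:01:61:6E",
  };
  // bad_certs/noValidNames.pem
  let cert3 = {
    sha256Fingerprint:
      "D2:75:19:5B:97:84:40:A8:34:AB:A4:FE:85:94:6F:7D:43:8D:90:86:7B:5D:41:F4:49:25:73:D1:CE:18:BB:9A",
  };

  const profileDir = do_get_profile();
  const overrideFile = profileDir.clone();
  overrideFile.append(CERT_OVERRIDE_FILE_NAME);
  // Assuming we're working with a clean slate, the file shouldn't exist
  // until we create it.
  ok(!overrideFile.exists());
  const outputStream = FileUtils.openFileOutputStream(overrideFile);

  // Each entry is "<host>:<port>:<originAttributes>\t<hash OID>\t<fingerprint>\t".
  // Entries with a missing or malformed field all carry cert3's fingerprint;
  // the last BAD_OVERRIDES entry below checks that none of them resulted in an
  // override for example.com:443 with cert3.
  const lines = [
    "# PSM Certificate Override Settings file",
    "# This is a generated file! Do not edit.",
    "test.example.com:443:^privateBrowsingId=1\tOID.2.16.840.1.101.3.4.2.1\t" +
      cert1.sha256Fingerprint +
      "\t",
    "test.example.com:443:^privateBrowsingId=2\tOID.2.16.840.1.101.3.4.2.1\t" +
      cert1.sha256Fingerprint +
      "\t",
    "test.example.com:443:^privateBrowsingId=3\tOID.2.16.840.1.101.3.4.2.1\t" + // includes bits and dbKey (now obsolete)
      cert1.sha256Fingerprint +
      "\tM\t" +
      "AAAAAAAAAAAAAAACAAAAFjA5MBQxEjAQBgNVBAMMCWxvY2FsaG9zdA==",
    "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" +
      cert2.sha256Fingerprint +
      "\t",
    "[::1]:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // IPv6 (bracketed in the file, queried below as "::1")
      cert2.sha256Fingerprint +
      "\t",
    "old.example.com:443\tOID.2.16.840.1.101.3.4.2.1\t" + // missing attributes (defaulted)
      cert1.sha256Fingerprint +
      "\t",
    ":443:\tOID.2.16.840.1.101.3.4.2.1\t" + // missing host name
      cert3.sha256Fingerprint +
      "\t",
    "example.com::\tOID.2.16.840.1.101.3.4.2.1\t" + // missing port
      cert3.sha256Fingerprint +
      "\t",
    // NOTE(review): this entry is byte-identical to the plain example.com
    // entry above, so the "wrong fingerprint" label does not match its
    // content — confirm whether cert3's fingerprint was intended here.
    "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t" + // wrong fingerprint
      cert2.sha256Fingerprint +
      "\t",
    "example.com:443:\tOID.0.00.000.0.000.0.0.0.0\t" + // bad OID
      cert3.sha256Fingerprint +
      "\t",
    "example.com:443:\t.0.0.0.0\t" + // malformed OID
      cert3.sha256Fingerprint +
      "\t",
    "example.com:443:\t\t" + // missing OID
      cert3.sha256Fingerprint +
      "\t",
    "example.com:443:\tOID.2.16.840.1.101.3.4.2.1\t", // missing fingerprint
  ];
  writeLinesAndClose(lines, outputStream);

  // Instantiating the service is what triggers reading the file we just wrote.
  const overrideService = Cc["@mozilla.org/security/certoverride;1"].getService(
    Ci.nsICertOverrideService
  );
  notEqual(overrideService, null);

  // Now that the override service is initialized we can actually read the
  // certificates. If the hard-coded fingerprints above drift from the .pem
  // files, the info() lines report the values to paste back in.
  cert1 = constructCertFromFile("bad_certs/mitm.pem");
  info(
    `if this test fails, try updating cert1.sha256Fingerprint to "${cert1.sha256Fingerprint}"`
  );
  cert2 = constructCertFromFile("bad_certs/selfsigned.pem");
  info(
    `if this test fails, try updating cert2.sha256Fingerprint to "${cert2.sha256Fingerprint}"`
  );
  cert3 = constructCertFromFile("bad_certs/noValidNames.pem");
  info(
    `if this test fails, try updating cert3.sha256Fingerprint to "${cert3.sha256Fingerprint}"`
  );

  // Tuples that must be found in the loaded overrides.
  const OVERRIDES = [
    {
      host: "test.example.com",
      port: 443,
      cert: cert1,
      attributes: { privateBrowsingId: 1 },
    },
    {
      host: "test.example.com",
      port: 443,
      cert: cert1,
      attributes: { privateBrowsingId: 2 },
    },
    {
      host: "test.example.com",
      port: 443,
      cert: cert1,
      attributes: { privateBrowsingId: 3 },
    },
    {
      host: "example.com",
      port: 443,
      cert: cert2,
      attributes: {},
    },
    {
      host: "::1",
      port: 443,
      cert: cert2,
      attributes: {},
    },
    {
      host: "example.com",
      port: 443,
      cert: cert2,
      attributes: { userContextId: 1 }, // only privateBrowsingId is used
    },
    {
      host: "old.example.com",
      port: 443,
      cert: cert1,
      attributes: {},
    },
  ];
  // Tuples that must NOT be found: an override must match on host, port,
  // privateBrowsingId and certificate, not just on host and port.
  const BAD_OVERRIDES = [
    {
      host: "test.example.com",
      port: 443,
      cert: cert1,
      attributes: { privateBrowsingId: 4 }, // wrong attributes
    },
    {
      host: "test.example.com",
      port: 443,
      cert: cert3, // wrong certificate
      attributes: { privateBrowsingId: 1 },
    },
    {
      host: "example.com",
      port: 443,
      cert: cert3, // only appears on malformed lines, which must be ignored
      attributes: {},
    },
  ];

  for (const override of OVERRIDES) {
    const temp = {};
    ok(
      overrideService.hasMatchingOverride(
        override.host,
        override.port,
        override.attributes,
        override.cert,
        temp
      ),
      `${JSON.stringify(override)} should have an override`
    );
    // Out-param from hasMatchingOverride; presumably the "is temporary" flag,
    // which is expected to be false for overrides loaded from disk.
    equal(temp.value, false);
  }

  for (const override of BAD_OVERRIDES) {
    const temp = {};
    ok(
      !overrideService.hasMatchingOverride(
        override.host,
        override.port,
        override.attributes,
        override.cert,
        temp
      ),
      // JSON.stringify as in the loop above: interpolating the object directly
      // printed "[object Object]", which made a failure impossible to identify.
      `${JSON.stringify(override)} should not have an override`
    );
  }
}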