test_cert_overrides.js (22441B)
1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*- 2 // This Source Code Form is subject to the terms of the Mozilla Public 3 // License, v. 2.0. If a copy of the MPL was not distributed with this 4 // file, You can obtain one at http://mozilla.org/MPL/2.0/. 5 "use strict"; 6 7 // Tests the certificate overrides we allow. 8 // add_cert_override_test will queue a test that does the following: 9 // 1. Attempt to connect to the given host. This should fail with the 10 // given error. 11 // 2. Add an override for that host/port/certificate. 12 // 3. Connect again. This should succeed. 13 14 do_get_profile(); 15 16 // Enable the collection (during test) for all products so even products 17 // that don't collect the data will be able to run the test without failure. 18 Services.prefs.setBoolPref( 19 "toolkit.telemetry.testing.overrideProductsCheck", 20 true 21 ); 22 23 function check_telemetry() { 24 let histogram = Services.telemetry 25 .getHistogramById("SSL_CERT_ERROR_OVERRIDES") 26 .snapshot(); 27 equal(histogram.values[0], 0, "Should have 0 unclassified values"); 28 equal( 29 histogram.values[2], 30 9, 31 "Actual and expected SEC_ERROR_UNKNOWN_ISSUER values should match" 32 ); 33 equal( 34 histogram.values[3], 35 1, 36 "Actual and expected SEC_ERROR_CA_CERT_INVALID values should match" 37 ); 38 equal( 39 histogram.values[4] || 0, 40 0, 41 "Actual and expected SEC_ERROR_UNTRUSTED_ISSUER values should match" 42 ); 43 equal( 44 histogram.values[5], 45 1, 46 "Actual and expected SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE values should match" 47 ); 48 equal( 49 histogram.values[6] || 0, 50 0, 51 "Actual and expected SEC_ERROR_UNTRUSTED_CERT values should match" 52 ); 53 equal( 54 histogram.values[7] || 0, 55 0, 56 "Actual and expected SEC_ERROR_INADEQUATE_KEY_USAGE values should match" 57 ); 58 equal( 59 histogram.values[8], 60 2, 61 "Actual and expected SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED values should match" 62 ); 63 equal( 64 histogram.values[9], 65 gIsDebugBuild ? 9 : 8, 66 "Actual and expected SSL_ERROR_BAD_CERT_DOMAIN values should match" 67 ); 68 equal( 69 histogram.values[10], 70 1, 71 "Actual and expected SEC_ERROR_EXPIRED_CERTIFICATE values should match" 72 ); 73 equal( 74 histogram.values[11], 75 2, 76 "Actual and expected MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY values should match" 77 ); 78 equal( 79 histogram.values[12], 80 1, 81 "Actual and expected MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA values should match" 82 ); 83 equal( 84 histogram.values[13], 85 1, 86 "Actual and expected MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE values should match" 87 ); 88 equal( 89 histogram.values[14], 90 1, 91 "Actual and expected MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE values should match" 92 ); 93 equal( 94 histogram.values[15], 95 1, 96 "Actual and expected MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE values should match" 97 ); 98 equal( 99 histogram.values[16], 100 2, 101 "Actual and expected SEC_ERROR_INVALID_TIME values should match" 102 ); 103 equal( 104 histogram.values[17], 105 1, 106 "Actual and expected MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME values should match" 107 ); 108 equal( 109 histogram.values[19], 110 4, 111 "Actual and expected MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT values should match" 112 ); 113 equal( 114 histogram.values[20], 115 1, 116 "Actual and expected MOZILLA_PKIX_ERROR_MITM_DETECTED values should match" 117 ); 118 119 let keySizeHistogram = Services.telemetry 120 .getHistogramById("CERT_CHAIN_KEY_SIZE_STATUS") 121 .snapshot(); 122 equal( 123 keySizeHistogram.values[0], 124 0, 125 "Actual and expected unchecked key size values should match" 126 ); 127 equal( 128 keySizeHistogram.values[1], 129 gIsDebugBuild ? 17 : 15, 130 "Actual and expected successful verifications of 2048-bit keys should match" 131 ); 132 equal( 133 keySizeHistogram.values[2] || 0, 134 0, 135 "Actual and expected successful verifications of 1024-bit keys should match" 136 ); 137 equal( 138 keySizeHistogram.values[3], 139 70, 140 "Actual and expected verification failures unrelated to key size should match" 141 ); 142 143 run_next_test(); 144 } 145 146 // Internally, specifying "port" -1 is the same as port 443. This tests that. 147 function run_port_equivalency_test(inPort, outPort) { 148 Assert.ok( 149 (inPort == 443 && outPort == -1) || (inPort == -1 && outPort == 443), 150 "The two specified ports must be -1 and 443 (in any order)" 151 ); 152 let certOverrideService = Cc[ 153 "@mozilla.org/security/certoverride;1" 154 ].getService(Ci.nsICertOverrideService); 155 let cert = constructCertFromFile("bad_certs/default-ee.pem"); 156 let expectedTemporary = true; 157 certOverrideService.rememberValidityOverride( 158 "example.com", 159 inPort, 160 {}, 161 cert, 162 expectedTemporary 163 ); 164 let actualTemporary = {}; 165 Assert.ok( 166 certOverrideService.hasMatchingOverride( 167 "example.com", 168 outPort, 169 {}, 170 cert, 171 actualTemporary 172 ), 173 `override set on port ${inPort} should match port ${outPort}` 174 ); 175 equal( 176 actualTemporary.value, 177 expectedTemporary, 178 "input override temporary value should match output temporary value" 179 ); 180 Assert.ok( 181 !certOverrideService.hasMatchingOverride("example.com", 563, {}, cert, {}), 182 `override set on port ${inPort} should not match port 563` 183 ); 184 certOverrideService.clearValidityOverride("example.com", inPort, {}); 185 Assert.ok( 186 !certOverrideService.hasMatchingOverride( 187 "example.com", 188 outPort, 189 {}, 190 cert, 191 {} 192 ), 193 `override cleared on port ${inPort} should match port ${outPort}` 194 ); 195 } 196 197 function run_test() { 198 run_port_equivalency_test(-1, 443); 199 run_port_equivalency_test(443, -1); 200 201 Services.prefs.setIntPref("security.OCSP.enabled", 1); 202 add_tls_server_setup("BadCertAndPinningServer", "bad_certs"); 203 204 let fakeOCSPResponder = new HttpServer(); 205 fakeOCSPResponder.registerPrefixHandler("/", function (request, response) { 206 response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); 207 }); 208 fakeOCSPResponder.start(8888); 209 210 add_simple_tests(); 211 add_localhost_tests(); 212 add_combo_tests(); 213 add_distrust_tests(); 214 215 add_test(function () { 216 fakeOCSPResponder.stop(check_telemetry); 217 }); 218 219 run_next_test(); 220 } 221 222 function add_simple_tests() { 223 add_cert_override_test("expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE); 224 add_cert_override_test( 225 "notyetvalid.example.com", 226 MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE 227 ); 228 add_cert_override_test("before-epoch.example.com", SEC_ERROR_INVALID_TIME); 229 add_cert_override_test( 230 "before-epoch-self-signed.example.com", 231 MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT 232 ); 233 add_cert_override_test( 234 "selfsigned.example.com", 235 MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT 236 ); 237 add_cert_override_test("unknownissuer.example.com", SEC_ERROR_UNKNOWN_ISSUER); 238 add_cert_override_test( 239 "expiredissuer.example.com", 240 SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE 241 ); 242 add_cert_override_test( 243 "notyetvalidissuer.example.com", 244 MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE 245 ); 246 add_cert_override_test( 247 "before-epoch-issuer.example.com", 248 SEC_ERROR_INVALID_TIME 249 ); 250 add_cert_override_test( 251 "md5signature.example.com", 252 SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED 253 ); 254 add_cert_override_test( 255 "emptyissuername.example.com", 256 MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME 257 ); 258 // This has name information in the subject alternative names extension, 259 // but not the subject common name. 260 add_cert_override_test("mismatch.example.com", SSL_ERROR_BAD_CERT_DOMAIN); 261 // This has name information in the subject common name but not the subject 262 // alternative names extension. 263 add_cert_override_test("mismatch-CN.example.com", SSL_ERROR_BAD_CERT_DOMAIN); 264 265 // A Microsoft IIS utility generates self-signed certificates with 266 // properties similar to the one this "host" will present. 267 add_cert_override_test( 268 "selfsigned-inadequateEKU.example.com", 269 MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT 270 ); 271 272 add_prevented_cert_override_test( 273 "inadequatekeyusage.example.com", 274 SEC_ERROR_INADEQUATE_KEY_USAGE 275 ); 276 277 // Test triggering the MitM detection. We don't set-up a proxy here. Just 278 // set the pref. Without the pref set we expect an unkown issuer error. 279 add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER); 280 add_test(function () { 281 Services.prefs.setStringPref( 282 "security.pki.mitm_canary_issuer", 283 "CN=Test MITM Root" 284 ); 285 let certOverrideService = Cc[ 286 "@mozilla.org/security/certoverride;1" 287 ].getService(Ci.nsICertOverrideService); 288 certOverrideService.clearValidityOverride("mitm.example.com", 8443, {}); 289 run_next_test(); 290 }); 291 add_cert_override_test("mitm.example.com", MOZILLA_PKIX_ERROR_MITM_DETECTED); 292 add_test(function () { 293 Services.prefs.setStringPref( 294 "security.pki.mitm_canary_issuer", 295 "CN=Other MITM Root" 296 ); 297 let certOverrideService = Cc[ 298 "@mozilla.org/security/certoverride;1" 299 ].getService(Ci.nsICertOverrideService); 300 certOverrideService.clearValidityOverride("mitm.example.com", 8443, {}); 301 run_next_test(); 302 }); 303 // If the canary issuer doesn't match the one we see, we exepct and unknown 304 // issuer error. 305 add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER); 306 // If security.pki.mitm_canary_issuer.enabled is false, there should always 307 // be an unknown issuer error. 308 add_test(function () { 309 Services.prefs.setBoolPref( 310 "security.pki.mitm_canary_issuer.enabled", 311 false 312 ); 313 let certOverrideService = Cc[ 314 "@mozilla.org/security/certoverride;1" 315 ].getService(Ci.nsICertOverrideService); 316 certOverrideService.clearValidityOverride("mitm.example.com", 8443, {}); 317 run_next_test(); 318 }); 319 add_cert_override_test("mitm.example.com", SEC_ERROR_UNKNOWN_ISSUER); 320 add_test(function () { 321 Services.prefs.clearUserPref("security.pki.mitm_canary_issuer"); 322 run_next_test(); 323 }); 324 325 // This is intended to test the case where a verification has failed for one 326 // overridable reason (e.g. unknown issuer) but then, in the process of 327 // reporting that error, a non-overridable error is encountered. The 328 // non-overridable error should be prioritized. 329 add_test(function () { 330 let rootCert = constructCertFromFile("bad_certs/test-ca.pem"); 331 setCertTrust(rootCert, ",,"); 332 run_next_test(); 333 }); 334 add_prevented_cert_override_test( 335 "nsCertTypeCritical.example.com", 336 SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION 337 ); 338 add_test(function () { 339 let rootCert = constructCertFromFile("bad_certs/test-ca.pem"); 340 setCertTrust(rootCert, "CTu,,"); 341 run_next_test(); 342 }); 343 344 // Bug 990603: Apache documentation has recommended generating a self-signed 345 // test certificate with basic constraints: CA:true. For compatibility, this 346 // is a scenario in which an override is allowed. 347 add_cert_override_test( 348 "self-signed-end-entity-with-cA-true.example.com", 349 MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT 350 ); 351 352 add_cert_override_test( 353 "ca-used-as-end-entity.example.com", 354 MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY 355 ); 356 357 // If an X.509 version 1 certificate is not a trust anchor, we will 358 // encounter an overridable error. 359 add_cert_override_test( 360 "end-entity-issued-by-v1-cert.example.com", 361 MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA 362 ); 363 // If we make that certificate a trust anchor, the connection will succeed. 364 add_test(function () { 365 let certOverrideService = Cc[ 366 "@mozilla.org/security/certoverride;1" 367 ].getService(Ci.nsICertOverrideService); 368 certOverrideService.clearValidityOverride( 369 "end-entity-issued-by-v1-cert.example.com", 370 8443, 371 {} 372 ); 373 let v1Cert = constructCertFromFile("bad_certs/v1Cert.pem"); 374 setCertTrust(v1Cert, "CTu,,"); 375 clearSessionCache(); 376 run_next_test(); 377 }); 378 add_connection_test( 379 "end-entity-issued-by-v1-cert.example.com", 380 PRErrorCodeSuccess 381 ); 382 // Reset the trust for that certificate. 383 add_test(function () { 384 let v1Cert = constructCertFromFile("bad_certs/v1Cert.pem"); 385 setCertTrust(v1Cert, ",,"); 386 clearSessionCache(); 387 run_next_test(); 388 }); 389 390 // Due to compatibility issues, we allow overrides for certificates issued by 391 // certificates that are not valid CAs. 392 add_cert_override_test( 393 "end-entity-issued-by-non-CA.example.com", 394 SEC_ERROR_CA_CERT_INVALID 395 ); 396 397 // This host presents a 1016-bit RSA key. 398 add_cert_override_test( 399 "inadequate-key-size-ee.example.com", 400 MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE 401 ); 402 403 // The test root is not a built-in (by default), so the invalid dNSName entry 404 // in the subject alternative name extension is skipped. 405 add_connection_test( 406 "ipAddressAsDNSNameInSAN.example.com", 407 PRErrorCodeSuccess 408 ); 409 410 if (gIsDebugBuild) { 411 // Treat the test root like a built-in. 412 add_test(function () { 413 let rootCert = constructCertFromFile("bad_certs/test-ca.pem"); 414 Services.prefs.setCharPref( 415 "security.test.built_in_root_hash", 416 rootCert.sha256Fingerprint 417 ); 418 run_next_test(); 419 }); 420 // If the root is a built-in, the invalid dNSName entry in the subject 421 // alternative name extension is not skipped, and this result in an error. 422 add_cert_override_test( 423 "ipAddressAsDNSNameInSAN.example.com", 424 SSL_ERROR_BAD_CERT_DOMAIN 425 ); 426 // Reset the test root's built-in status. 427 add_test(function () { 428 Services.prefs.clearUserPref("security.test.built_in_root_hash"); 429 run_next_test(); 430 }); 431 } 432 433 add_cert_override_test("noValidNames.example.com", SSL_ERROR_BAD_CERT_DOMAIN); 434 add_cert_override_test( 435 "badSubjectAltNames.example.com", 436 SSL_ERROR_BAD_CERT_DOMAIN 437 ); 438 439 add_cert_override_test( 440 "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", 441 SEC_ERROR_UNKNOWN_ISSUER 442 ); 443 add_test(function () { 444 // At this point, the override for bug413909.xn--hxajbheg2az3al.xn--jxalpdlp 445 // is still valid. Do some additional tests relating to IDN handling. 446 let certOverrideService = Cc[ 447 "@mozilla.org/security/certoverride;1" 448 ].getService(Ci.nsICertOverrideService); 449 let uri = Services.io.newURI( 450 "https://bug413909.xn--hxajbheg2az3al.xn--jxalpdlp" 451 ); 452 let cert = constructCertFromFile("bad_certs/idn-certificate.pem"); 453 Assert.ok( 454 certOverrideService.hasMatchingOverride( 455 uri.asciiHost, 456 8443, 457 {}, 458 cert, 459 {} 460 ), 461 "IDN certificate should have matching override using ascii host" 462 ); 463 Assert.throws( 464 () => 465 !certOverrideService.hasMatchingOverride( 466 uri.displayHost, 467 8443, 468 {}, 469 cert, 470 {} 471 ), 472 /NS_ERROR_ILLEGAL_VALUE/, 473 "IDN certificate should not have matching override using (non-ascii) host" 474 ); 475 let invalidHost = uri.asciiHost.replace(/./g, c => 476 String.fromCharCode(c.charCodeAt(0) | 0x100) 477 ); 478 Assert.throws( 479 () => 480 !certOverrideService.hasMatchingOverride( 481 invalidHost, 482 8443, 483 {}, 484 cert, 485 {} 486 ), 487 /NS_ERROR_ILLEGAL_VALUE/, 488 "hasMatchingOverride should not truncate high-bytes" 489 ); 490 run_next_test(); 491 }); 492 493 add_test(function () { 494 // Add a bunch of overrides... 495 let certOverrideService = Cc[ 496 "@mozilla.org/security/certoverride;1" 497 ].getService(Ci.nsICertOverrideService); 498 let cert = constructCertFromFile("bad_certs/default-ee.pem"); 499 certOverrideService.rememberValidityOverride( 500 "example.com", 501 443, 502 {}, 503 cert, 504 false 505 ); 506 Assert.ok( 507 certOverrideService.hasMatchingOverride("example.com", 443, {}, cert, {}), 508 "Should have added override for example.com:443" 509 ); 510 certOverrideService.rememberValidityOverride( 511 "example.com", 512 80, 513 {}, 514 cert, 515 false 516 ); 517 certOverrideService.rememberValidityOverride("::1", 80, {}, cert, false); 518 Assert.ok( 519 certOverrideService.hasMatchingOverride("example.com", 80, {}, cert, {}), 520 "Should have added override for example.com:80" 521 ); 522 certOverrideService.rememberValidityOverride( 523 "example.org", 524 443, 525 {}, 526 cert, 527 false 528 ); 529 Assert.ok( 530 certOverrideService.hasMatchingOverride("example.org", 443, {}, cert, {}), 531 "Should have added override for example.org:443" 532 ); 533 Assert.ok( 534 certOverrideService.hasMatchingOverride("::1", 80, {}, cert, {}), 535 "Should have added override for [::1]:80" 536 ); 537 // When in a private browsing context, overrides added in non-private 538 // contexts should match (but not vice-versa). 539 Assert.ok( 540 certOverrideService.hasMatchingOverride( 541 "example.org", 542 443, 543 { privateBrowsingId: 1 }, 544 cert, 545 {} 546 ), 547 "Should have override for example.org:443 with privateBrowsingId 1" 548 ); 549 Assert.ok( 550 certOverrideService.hasMatchingOverride( 551 "example.org", 552 443, 553 { privateBrowsingId: 2 }, 554 cert, 555 {} 556 ), 557 "Should have override for example.org:443 with privateBrowsingId 2" 558 ); 559 Assert.ok( 560 certOverrideService.hasMatchingOverride( 561 "example.org", 562 443, 563 { firstPartyDomain: "example.org", userContextId: 1 }, 564 cert, 565 {} 566 ), 567 "Should ignore firstPartyDomain and userContextId when checking overrides" 568 ); 569 certOverrideService.rememberValidityOverride( 570 "example.org", 571 80, 572 {}, 573 cert, 574 true 575 ); 576 Assert.ok( 577 certOverrideService.hasMatchingOverride("example.org", 80, {}, cert, {}), 578 "Should have added override for example.org:80" 579 ); 580 certOverrideService.rememberValidityOverride( 581 "test.example.org", 582 443, 583 { firstPartyDomain: "example.org", userContextId: 1 }, 584 cert, 585 false 586 ); 587 Assert.ok( 588 certOverrideService.hasMatchingOverride( 589 "test.example.org", 590 443, 591 {}, 592 cert, 593 {} 594 ), 595 "Should ignore firstPartyDomain and userContextId when adding overrides" 596 ); 597 Assert.ok( 598 certOverrideService.hasMatchingOverride( 599 "test.example.org", 600 443, 601 { firstPartyDomain: "example.com", userContextId: 2 }, 602 cert, 603 {} 604 ), 605 "Should ignore firstPartyDomain and userContextId when checking overrides" 606 ); 607 certOverrideService.rememberValidityOverride( 608 "example.test", 609 443, 610 { privateBrowsingId: 1 }, 611 cert, 612 false 613 ); 614 Assert.ok( 615 certOverrideService.hasMatchingOverride( 616 "example.test", 617 443, 618 { privateBrowsingId: 1 }, 619 cert, 620 {} 621 ), 622 "Should have added override for example.test:443 with privateBrowsingId 1" 623 ); 624 Assert.ok( 625 !certOverrideService.hasMatchingOverride( 626 "example.test", 627 443, 628 { privateBrowsingId: 2 }, 629 cert, 630 {} 631 ), 632 "Should not have override for example.test:443 with privateBrowsingId 2" 633 ); 634 Assert.ok( 635 !certOverrideService.hasMatchingOverride( 636 "example.test", 637 443, 638 {}, 639 cert, 640 {} 641 ), 642 "Should not have override for example.test:443 with non-private OriginAttributes" 643 ); 644 // Clear them all... 645 certOverrideService.clearAllOverrides(); 646 647 // And ensure they're all gone. 648 Assert.ok( 649 !certOverrideService.hasMatchingOverride( 650 "example.com", 651 443, 652 {}, 653 cert, 654 {} 655 ), 656 "Should have removed override for example.com:443" 657 ); 658 Assert.ok( 659 !certOverrideService.hasMatchingOverride("example.com", 80, {}, cert, {}), 660 "Should have removed override for example.com:80" 661 ); 662 Assert.ok( 663 !certOverrideService.hasMatchingOverride( 664 "example.org", 665 443, 666 {}, 667 cert, 668 {} 669 ), 670 "Should have removed override for example.org:443" 671 ); 672 Assert.ok( 673 !certOverrideService.hasMatchingOverride("example.org", 80, {}, cert, {}), 674 "Should have removed override for example.org:80" 675 ); 676 Assert.ok( 677 !certOverrideService.hasMatchingOverride( 678 "example.org", 679 443, 680 { privateBrowsingId: 1 }, 681 cert, 682 {} 683 ), 684 "Should have removed override for example.org:443 with privateBrowsingId 1" 685 ); 686 687 run_next_test(); 688 }); 689 } 690 691 function add_localhost_tests() { 692 add_cert_override_test("localhost", SEC_ERROR_UNKNOWN_ISSUER); 693 add_cert_override_test("127.0.0.1", SSL_ERROR_BAD_CERT_DOMAIN); 694 add_cert_override_test("::1", SSL_ERROR_BAD_CERT_DOMAIN); 695 } 696 697 function add_combo_tests() { 698 add_cert_override_test( 699 "mismatch-expired.example.com", 700 SSL_ERROR_BAD_CERT_DOMAIN 701 ); 702 add_cert_override_test( 703 "mismatch-notYetValid.example.com", 704 SSL_ERROR_BAD_CERT_DOMAIN 705 ); 706 add_cert_override_test( 707 "mismatch-untrusted.example.com", 708 SEC_ERROR_UNKNOWN_ISSUER 709 ); 710 add_cert_override_test( 711 "untrusted-expired.example.com", 712 SEC_ERROR_UNKNOWN_ISSUER 713 ); 714 add_cert_override_test( 715 "mismatch-untrusted-expired.example.com", 716 SEC_ERROR_UNKNOWN_ISSUER 717 ); 718 719 add_cert_override_test( 720 "md5signature-expired.example.com", 721 SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED 722 ); 723 724 add_cert_override_test( 725 "ca-used-as-end-entity-name-mismatch.example.com", 726 MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY 727 ); 728 } 729 730 function add_distrust_tests() { 731 // Before we specifically distrust this certificate, it should be trusted. 732 add_connection_test("untrusted.example.com", PRErrorCodeSuccess); 733 734 add_distrust_test( 735 "bad_certs/default-ee.pem", 736 "untrusted.example.com", 737 SEC_ERROR_UNTRUSTED_CERT 738 ); 739 740 add_distrust_test( 741 "bad_certs/other-test-ca.pem", 742 "untrustedissuer.example.com", 743 SEC_ERROR_UNTRUSTED_ISSUER 744 ); 745 746 add_distrust_test( 747 "bad_certs/test-ca.pem", 748 "ca-used-as-end-entity.example.com", 749 SEC_ERROR_UNTRUSTED_ISSUER 750 ); 751 } 752 753 function add_distrust_test(certFileName, hostName, expectedResult) { 754 let certToDistrust = constructCertFromFile(certFileName); 755 756 add_test(function () { 757 // Add an entry to the NSS certDB that says to distrust the cert 758 setCertTrust(certToDistrust, "pu,,"); 759 clearSessionCache(); 760 run_next_test(); 761 }); 762 add_prevented_cert_override_test(hostName, expectedResult); 763 add_test(function () { 764 setCertTrust(certToDistrust, "u,,"); 765 run_next_test(); 766 }); 767 }