test_cert_overrides_read_only.js (3374B)
1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*- 2 // This Source Code Form is subject to the terms of the Mozilla Public 3 // License, v. 2.0. If a copy of the MPL was not distributed with this 4 // file, You can obtain one at http://mozilla.org/MPL/2.0/. 5 "use strict"; 6 7 // Tests that permanent certificate error overrides can be added even if the 8 // certificate/key databases are in read-only mode. 9 10 // Helper function for add_read_only_cert_override_test. Probably doesn't need 11 // to be called directly. 12 function add_read_only_cert_override(aHost, aSecurityInfo) { 13 let cert = aSecurityInfo.serverCert; 14 let certOverrideService = Cc[ 15 "@mozilla.org/security/certoverride;1" 16 ].getService(Ci.nsICertOverrideService); 17 // Setting the last argument to false here ensures that we attempt to store a 18 // permanent override (which is what was failing in bug 1427273). 19 certOverrideService.rememberValidityOverride(aHost, 8443, {}, cert, false); 20 } 21 22 // Given a host and an expected error code, tests that an initial connection to 23 // the host fails with the expected errors and that adding an override results 24 // in a subsequent connection succeeding. 25 function add_read_only_cert_override_test(aHost, aExpectedError) { 26 add_connection_test( 27 aHost, 28 aExpectedError, 29 null, 30 add_read_only_cert_override.bind(this, aHost) 31 ); 32 add_connection_test(aHost, PRErrorCodeSuccess, null, aSecurityInfo => { 33 Assert.ok( 34 aSecurityInfo.securityState & 35 Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN, 36 "Cert override flag should be set on the security state" 37 ); 38 }); 39 } 40 41 function run_test() { 42 let profile = do_get_profile(); 43 const KEY_DB_NAME = "key4.db"; 44 const CERT_DB_NAME = "cert9.db"; 45 let srcKeyDBFile = do_get_file( 46 `test_cert_overrides_read_only/${KEY_DB_NAME}` 47 ); 48 srcKeyDBFile.copyTo(profile, KEY_DB_NAME); 49 let srcCertDBFile = do_get_file( 50 `test_cert_overrides_read_only/${CERT_DB_NAME}` 51 ); 52 srcCertDBFile.copyTo(profile, CERT_DB_NAME); 53 54 // set the databases to read-only 55 let keyDBFile = do_get_profile(); 56 keyDBFile.append(KEY_DB_NAME); 57 keyDBFile.permissions = 0o400; 58 let certDBFile = do_get_profile(); 59 certDBFile.append(CERT_DB_NAME); 60 certDBFile.permissions = 0o400; 61 62 Services.prefs.setIntPref("security.OCSP.enabled", 1); 63 // Specifying false as the last argument means we don't try to add the default 64 // test root CA (which would fail). 65 add_tls_server_setup("BadCertAndPinningServer", "bad_certs", false); 66 67 let fakeOCSPResponder = new HttpServer(); 68 fakeOCSPResponder.registerPrefixHandler("/", function (request, response) { 69 response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); 70 }); 71 fakeOCSPResponder.start(8888); 72 73 // Since we can't add the root CA to the (read-only) trust db, all of these 74 // will result in an "unknown issuer error" and need the "untrusted" error bit 75 // set in addition to whatever other specific error bits are necessary. 76 add_read_only_cert_override_test( 77 "expired.example.com", 78 SEC_ERROR_UNKNOWN_ISSUER 79 ); 80 add_read_only_cert_override_test( 81 "selfsigned.example.com", 82 MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT 83 ); 84 add_read_only_cert_override_test( 85 "mismatch.example.com", 86 SEC_ERROR_UNKNOWN_ISSUER 87 ); 88 89 add_test(function () { 90 fakeOCSPResponder.stop(run_next_test); 91 }); 92 93 run_next_test(); 94 }