tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

test_crlite_preexisting.js (4368B)

      1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
      2 // This Source Code Form is subject to the terms of the Mozilla Public
      3 // License, v. 2.0. If a copy of the MPL was not distributed with this
      4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
      5 
      6 // Tests that starting a profile with a preexisting CRLite filter and stash
      7 // works correctly.
      8 
      9 "use strict";
     10 
     11 const CHECK_AT_TIME = new Date("2020-01-01T00:00:00Z").getTime() / 1000;
     12 
     13 async function test_crlite_preexisting(ctMode) {
     14  Services.prefs.setIntPref(
     15    "security.pki.certificate_transparency.mode",
     16    ctMode
     17  );
     18 
     19  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
     20    Ci.nsIX509CertDB
     21  );
     22 
     23  let validCert = constructCertFromFile(
     24    "test_crlite_filters/valid.example.com.pem"
     25  );
     26  await checkCertErrorGenericAtTime(
     27    certdb,
     28    validCert,
     29    PRErrorCodeSuccess,
     30    Ci.nsIX509CertDB.verifyUsageTLSServer,
     31    CHECK_AT_TIME,
     32    false,
     33    "valid.example.com",
     34    0
     35  );
     36 
     37  let revokedCert = constructCertFromFile(
     38    "test_crlite_filters/revoked.example.com.pem"
     39  );
     40  await checkCertErrorGenericAtTime(
     41    certdb,
     42    revokedCert,
     43    SEC_ERROR_REVOKED_CERTIFICATE,
     44    Ci.nsIX509CertDB.verifyUsageTLSServer,
     45    CHECK_AT_TIME,
     46    false,
     47    "revoked.example.com",
     48    0
     49  );
     50 
     51  let revokedInDeltaCert = constructCertFromFile(
     52    "test_crlite_filters/revoked-in-delta.example.com.pem"
     53  );
     54  await checkCertErrorGenericAtTime(
     55    certdb,
     56    revokedInDeltaCert,
     57    SEC_ERROR_REVOKED_CERTIFICATE,
     58    Ci.nsIX509CertDB.verifyUsageTLSServer,
     59    CHECK_AT_TIME,
     60    false,
     61    "revoked-in-delta.example.com",
     62    0
     63  );
     64 
     65  // This certificate has no embedded SCTs, but it should be considered revoked
     66  // if the appropriate SCT is side-loaded.
     67  let revokedNoSctCert = constructCertFromFile(
     68    "test_crlite_filters/revoked-no-sct.example.com.pem"
     69  );
     70 
     71  let sctFile = do_get_file(
     72    "test_crlite_filters/revoked-no-sct.example.com.sct",
     73    false
     74  );
     75  let sctBytes = readBinaryFile(sctFile);
     76  let sctList = new Uint8Array(2 + 2 + sctBytes.length);
     77  sctList[0] = (2 + sctBytes.length) / 256;
     78  sctList[1] = (2 + sctBytes.length) % 256;
     79  sctList[2] = sctBytes.length / 256;
     80  sctList[3] = sctBytes.length % 256;
     81  sctList.set(sctBytes, 4);
     82 
     83  await checkCertErrorGenericAtTime(
     84    certdb,
     85    revokedNoSctCert,
     86    PRErrorCodeSuccess,
     87    Ci.nsIX509CertDB.verifyUsageTLSServer,
     88    CHECK_AT_TIME,
     89    false,
     90    "revoked-no-sct.example.com",
     91    0,
     92    [] // no side-loaded SCTs
     93  );
     94 
     95  await checkCertErrorGenericAtTime(
     96    certdb,
     97    revokedNoSctCert,
     98    ctMode == CT_MODE_DISABLE
     99      ? PRErrorCodeSuccess
    100      : SEC_ERROR_REVOKED_CERTIFICATE,
    101    Ci.nsIX509CertDB.verifyUsageTLSServer,
    102    CHECK_AT_TIME,
    103    false,
    104    "revoked-no-sct.example.com",
    105    0,
    106    sctList
    107  );
    108 }
    109 
    110 add_task(async function () {
    111  Services.prefs.setIntPref(
    112    "security.pki.crlite_mode",
    113    CRLiteModeEnforcePrefValue
    114  );
    115 
    116  let securityStateDirectory = do_get_profile();
    117  securityStateDirectory.append("security_state");
    118 
    119  // For simplicity, re-use the filters from test_crlite_filters.js.
    120  do_get_file("test_crlite_filters/20200101-0-filter").copyTo(
    121    securityStateDirectory,
    122    "crlite.filter"
    123  );
    124 
    125  do_get_file("test_crlite_filters/20200101-1-filter.delta").copyTo(
    126    securityStateDirectory,
    127    "20201017-1-filter.delta"
    128  );
    129 
    130  let certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
    131    Ci.nsICertStorage
    132  );
    133 
    134  let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
    135    Ci.nsIX509CertDB
    136  );
    137 
    138  // These need to be available for path building.
    139  let ca = addCertFromFile(certdb, "test_crlite_filters/ca.pem", "C,C,");
    140  ok(ca, "ca certificate should decode successfully");
    141 
    142  let issuerCert = constructCertFromFile("test_crlite_filters/int.pem");
    143  ok(issuerCert, "issuer certificate should decode successfully");
    144 
    145  // Mark CRLite filter as fresh
    146  await new Promise(resolve => {
    147    certStorage.testNoteCRLiteUpdateTime((rv, _) => {
    148      Assert.equal(rv, Cr.NS_OK, "marked filter as fresh");
    149      resolve();
    150    });
    151  });
    152 
    153  info(`testing with CT disabled`);
    154  await test_crlite_preexisting(CT_MODE_DISABLE);
    155 
    156  info(`testing with CT in telemetry only mode`);
    157  await test_crlite_preexisting(CT_MODE_COLLECT_TELEMETRY);
    158 
    159  info(`testing with CT enabled`);
    160  await test_crlite_preexisting(CT_MODE_ENFORCE);
    161 });