tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

test_ct.js (7907B)

      1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
      2 // This Source Code Form is subject to the terms of the Mozilla Public
      3 // License, v. 2.0. If a copy of the MPL was not distributed with this
      4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
      5 
      6 "use strict";
      7 
      8 do_get_profile(); // must be called before getting nsIX509CertDB
      9 
     10 registerCleanupFunction(() => {
     11  Services.prefs.clearUserPref("security.pki.certificate_transparency.mode");
     12  Services.prefs.clearUserPref("security.test.built_in_root_hash");
     13  let cert = constructCertFromFile("test_ct/ct-valid.example.com.pem");
     14  setCertTrust(cert, ",,");
     15 });
     16 
     17 function add_tests_in_mode(mode) {
     18  add_test(function set_mode() {
     19    info(`setting CT to mode ${mode}`);
     20    Services.prefs.setIntPref(
     21      "security.pki.certificate_transparency.mode",
     22      mode
     23    );
     24    run_next_test();
     25  });
     26 
     27  // Test that certificate transparency is not checked for certificates issued
     28  // by roots that are not built-in.
     29  add_ct_test(
     30    "ct-unknown-log.example.com",
     31    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE,
     32    true
     33  );
     34 
     35  add_test(function set_test_root_as_built_in() {
     36    // Make the test root appear to be a built-in root, so that certificate
     37    // transparency is checked.
     38    let rootCert = constructCertFromFile("test_ct/test-ca.pem");
     39    Services.prefs.setCharPref(
     40      "security.test.built_in_root_hash",
     41      rootCert.sha256Fingerprint
     42    );
     43    run_next_test();
     44  });
     45 
     46  // These certificates have a validity period of 800 days, which is greater
     47  // than 180 days. Our policy requires 3 embedded SCTs for certificates with a
     48  // validity period greater than 180 days.
     49  add_ct_test(
     50    "ct-valid.example.com",
     51    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT,
     52    true
     53  );
     54  // This certificate has an embedded SCT from a tiled log.
     55  add_ct_test(
     56    "ct-tiled-valid.example.com",
     57    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT,
     58    true
     59  );
     60  // This certificate has only 2 embedded SCTs, and so is not policy-compliant.
     61  add_ct_test(
     62    "ct-insufficient-scts.example.com",
     63    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
     64    mode == CT_MODE_COLLECT_TELEMETRY
     65  );
     66 
     67  // Test that SCTs with timestamps from the future are not valid.
     68  add_ct_test(
     69    "ct-future-timestamp.example.com",
     70    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
     71    mode == CT_MODE_COLLECT_TELEMETRY
     72  );
     73 
     74  // Test that additional SCTs from the same log do not contribute to meeting
     75  // the requirements.
     76  add_ct_test(
     77    "ct-multiple-from-same-log.example.com",
     78    Ci.nsITransportSecurityInfo
     79      .CERTIFICATE_TRANSPARENCY_POLICY_NOT_DIVERSE_SCTS,
     80    mode == CT_MODE_COLLECT_TELEMETRY
     81  );
     82 
     83  // Test that SCTs from an unknown log do not contribute to meeting the
     84  // requirements.
     85  add_ct_test(
     86    "ct-unknown-log.example.com",
     87    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
     88    mode == CT_MODE_COLLECT_TELEMETRY
     89  );
     90 
     91  add_ct_test(
     92    "no-ct.example.com",
     93    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
     94    mode == CT_MODE_COLLECT_TELEMETRY
     95  );
     96  add_test(function set_disable_ct_for_hosts_pref() {
     97    // Disable CT enforcement for exactly 'ct-unknown-log.example.com' as well
     98    // as 'sub.example.com' and all subdomains under 'sub.example.com'.
     99    // CT will still be checked, and the security info of the connection will say
    100    // the information is insufficient, but the connection will still succeed
    101    // (essentially, it behaves like telemetry-only mode).
    102    Services.prefs.setCharPref(
    103      "security.pki.certificate_transparency.disable_for_hosts",
    104      ".ct-unknown-log.example.com,no-ct.example.com"
    105    );
    106    clearSessionCache();
    107    run_next_test();
    108  });
    109  add_ct_test(
    110    "ct-unknown-log.example.com",
    111    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    112    true
    113  );
    114  add_ct_test(
    115    "sub.ct-unknown-log.example.com",
    116    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    117    mode == CT_MODE_COLLECT_TELEMETRY
    118  );
    119  add_ct_test(
    120    "no-ct.example.com",
    121    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    122    true
    123  );
    124  add_ct_test(
    125    "sub.no-ct.example.com",
    126    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    127    true
    128  );
    129  add_ct_test(
    130    "ct-insufficient-scts.example.com",
    131    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    132    mode == CT_MODE_COLLECT_TELEMETRY
    133  );
    134  add_test(function reset_disable_ct_for_hosts_pref() {
    135    Services.prefs.clearUserPref(
    136      "security.pki.certificate_transparency.disable_for_hosts"
    137    );
    138    clearSessionCache();
    139    run_next_test();
    140  });
    141 
    142  add_test(function set_disable_ct_for_spki_hashes_pref_nonexistent_keys() {
    143    // Disable CT enforcement for two SPKIs we don't actually have the private
    144    // key for.
    145    Services.prefs.setCharPref(
    146      "security.pki.certificate_transparency.disable_for_spki_hashes",
    147      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=,BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
    148    );
    149    clearSessionCache();
    150    run_next_test();
    151  });
    152  add_ct_test(
    153    "ct-insufficient-scts.example.com",
    154    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    155    mode == CT_MODE_COLLECT_TELEMETRY
    156  );
    157  add_test(function set_disable_ct_for_spki_hashes_pref() {
    158    // Disable CT enforcement for the default test key's SPKI.
    159    // Again, the behavior will be that of telemetry-only mode.
    160    Services.prefs.setCharPref(
    161      "security.pki.certificate_transparency.disable_for_spki_hashes",
    162      "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=,VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8="
    163    );
    164    clearSessionCache();
    165    run_next_test();
    166  });
    167  add_ct_test(
    168    "ct-insufficient-scts.example.com",
    169    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    170    true
    171  );
    172  add_test(function set_disable_ct_for_spki_hashes_pref_alternate() {
    173    // Disable CT enforcement for the alternate test key's SPKI.
    174    Services.prefs.setCharPref(
    175      "security.pki.certificate_transparency.disable_for_spki_hashes",
    176      "MQj2tt1yGAfwFpWETYUCVrZxk2CD2705NKBQUlAaKJI=,DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD="
    177    );
    178    clearSessionCache();
    179    run_next_test();
    180  });
    181  add_ct_test(
    182    "no-ct.example.com",
    183    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    184    true
    185  );
    186  add_test(function reset_disable_ct_for_spki_hashes_pref() {
    187    Services.prefs.clearUserPref(
    188      "security.pki.certificate_transparency.disable_for_spki_hashes"
    189    );
    190    clearSessionCache();
    191    run_next_test();
    192  });
    193 
    194  // Test that if an end-entity is marked as a trust anchor, CT verification
    195  // returns a "not enough SCTs" result.
    196  add_test(function set_up_end_entity_trust_anchor_test() {
    197    let cert = constructCertFromFile("test_ct/ct-valid.example.com.pem");
    198    Services.prefs.setCharPref(
    199      "security.test.built_in_root_hash",
    200      cert.sha256Fingerprint
    201    );
    202    setCertTrust(cert, "CTu,,");
    203    clearSessionCache();
    204    run_next_test();
    205  });
    206  add_ct_test(
    207    "ct-valid.example.com",
    208    Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    209    mode == CT_MODE_COLLECT_TELEMETRY
    210  );
    211 
    212  add_test(function reset_for_next_test_mode() {
    213    Services.prefs.clearUserPref("security.test.built_in_root_hash");
    214    let cert = constructCertFromFile("test_ct/ct-valid.example.com.pem");
    215    setCertTrust(cert, "u,,");
    216    clearSessionCache();
    217    run_next_test();
    218  });
    219 }
    220 
    221 function run_test() {
    222  add_tls_server_setup("BadCertAndPinningServer", "test_ct");
    223  add_tests_in_mode(CT_MODE_COLLECT_TELEMETRY);
    224  add_tests_in_mode(CT_MODE_ENFORCE);
    225  run_next_test();
    226 }