tor-browser

The Tor Browser

test_ct_stapled.js (1629B)


      1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
      2 // This Source Code Form is subject to the terms of the Mozilla Public
      3 // License, v. 2.0. If a copy of the MPL was not distributed with this
      4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
      5 
"use strict";

// The profile has to exist before anything asks for nsIX509CertDB, so this
// call stays ahead of every other statement in the file.
do_get_profile();
      9 
/**
 * Registers the certificate transparency (CT) test cases for one value of the
 * "security.pki.certificate_transparency.mode" pref.
 *
 * Four steps are registered, in this order: a step that writes the pref, two
 * hosts expected to be policy compliant, and one host whose SCT set is
 * expected to fall short of the policy.
 *
 * @param {number} mode - Value written to the CT mode pref; run_test passes
 *   CT_MODE_COLLECT_TELEMETRY and CT_MODE_ENFORCE.
 */
function add_tests_in_mode(mode) {
  const securityInfo = Ci.nsITransportSecurityInfo;

  // The pref write is registered through add_test rather than done inline.
  // The function keeps its name because it identifies the step.
  add_test(function set_mode() {
    info(`setting CT to mode ${mode}`);
    const ctModePref = "security.pki.certificate_transparency.mode";
    Services.prefs.setIntPref(ctModePref, mode);
    run_next_test();
  });

  // Both hosts are expected to be policy compliant in either mode. The host
  // names suggest SCT delivery via a stapled OCSP response and via TLS
  // respectively — confirm against the test server configuration.
  const compliantHosts = ["ct-via-ocsp.example.com", "ct-via-tls.example.com"];
  for (const host of compliantHosts) {
    add_ct_test(
      host,
      securityInfo.CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT,
      true
    );
  }

  // One of the SCTs presented by this host carries a tampered signature, so
  // the remaining SCTs are too few to satisfy the policy. The third argument
  // is true only in telemetry-collection mode; presumably it states whether
  // the connection is expected to succeed — confirm against add_ct_test in
  // the shared test head file.
  const onlyInTelemetryMode = mode == CT_MODE_COLLECT_TELEMETRY;
  add_ct_test(
    "ct-tampered.example.com",
    securityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
    onlyInTelemetryMode
  );
}
     40 
/**
 * Test entry point: marks the test CA as a built-in root, registers the TLS
 * server setup, queues the CT cases once per CT mode, and starts the queue.
 */
function run_test() {
  // CT is only checked for built-in roots, so the test root's SHA-256
  // fingerprint is written to the pref that makes it appear to be one.
  const { sha256Fingerprint } = constructCertFromFile("test_ct/test-ca.pem");
  Services.prefs.setCharPref(
    "security.test.built_in_root_hash",
    sha256Fingerprint
  );

  add_tls_server_setup("OCSPStaplingServer", "test_ct");

  // Telemetry-collection mode is queued first, enforcement mode second.
  for (const ctMode of [CT_MODE_COLLECT_TELEMETRY, CT_MODE_ENFORCE]) {
    add_tests_in_mode(ctMode);
  }

  run_next_test();
}