
test_enterprise_roots.js (3084B)


      1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
      2 // This Source Code Form is subject to the terms of the Mozilla Public
      3 // License, v. 2.0. If a copy of the MPL was not distributed with this
      4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
      5 
      6 "use strict";
      7 
      8 // Tests enterprise root certificate support. When configured to do so, the
      9 // platform will attempt to find and import enterprise root certificates. This
     10 // feature is specific to Windows.
     11 
// A profile has to exist before nsIX509CertDB is requested, so create it
// first, ahead of anything that might touch the certificate database.
do_get_profile();

// Only TestUtils is needed from the shared test helpers (used to wait on an
// observer topic).
const TestUtils = ChromeUtils.importESModule(
  "resource://testing-common/TestUtils.sys.mjs"
).TestUtils;
     17 
/**
 * Asserts that the platform currently exposes no enterprise roots and, when a
 * dbKey from an earlier import is supplied, that any certificate still
 * reachable under that key is checked against an empty expected-usages list.
 *
 * @param {object} nssComponent - Provides getEnterpriseRoots().
 * @param {object} certDB - Certificate database used for the dbKey lookup.
 * @param {*} [dbKey] - dbKey of a previously imported enterprise root; the
 *   lookup is skipped when this is falsy.
 */
async function check_no_enterprise_roots_imported(
  nssComponent,
  certDB,
  dbKey = undefined
) {
  const roots = nssComponent.getEnterpriseRoots();
  notEqual(roots, null, "enterprise roots list should not be null");
  equal(roots.length, 0, "should not have imported any enterprise roots");

  if (!dbKey) {
    return;
  }

  const lingeringCert = certDB.findCertByDBKey(dbKey);
  if (!lingeringCert) {
    return;
  }

  // A copy of a formerly imported root can stay reachable until the garbage
  // collector has run. Being reachable must not mean being trusted: the empty
  // list states that it may not issue TLS server auth certificates.
  await asyncTestCertificateUsages(certDB, lingeringCert, []);
}
     40 
/**
 * Asserts that at least one enterprise root is currently imported, decodes the
 * first entry of the list and checks that it verifies for the TLS server CA
 * usage.
 *
 * NOTE(review): the final assertion message speaks of a "non-built-in root",
 * but nothing in this function tests whether the certificate is built in; the
 * flag only records that one entry was processed. Only the first entry of the
 * list is ever decoded, because the loop exits right after handling it.
 *
 * @param {object} nssComponent - Provides getEnterpriseRoots().
 * @param {object} certDB - Used to decode DER and to verify usages.
 * @returns {Promise<*>} The dbKey of the certificate that was checked, or null
 *   when the list yielded no entry.
 */
async function check_some_enterprise_roots_imported(nssComponent, certDB) {
  const roots = nssComponent.getEnterpriseRoots();
  notEqual(roots, null, "enterprise roots list should not be null");
  notEqual(roots.length, 0, "should have imported some enterprise roots");

  let rootProcessed = false;
  let firstDBKey = null;
  for (const der of roots) {
    const decoded = certDB.constructX509(der);
    notEqual(decoded, null, "should be able to decode cert from DER");
    // No key has been saved yet on the first pass, so this entry is always
    // the one that is recorded and verified.
    rootProcessed = true;
    firstDBKey = decoded.dbKey;
    info("saving dbKey from " + decoded.commonName);
    await asyncTestCertificateUsages(certDB, decoded, [
      Ci.nsIX509CertDB.verifyUsageTLSServerCA,
    ]);
    break;
  }

  ok(rootProcessed, "should have found non-built-in root");
  return firstDBKey;
}
     67 
// Walks the enterprise-roots pref through on -> off -> on -> off and checks
// after every step that the imported list and the trust in it follow the pref.
add_task(async function run_test() {
  const psm = Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent);
  const x509DB = Cc["@mozilla.org/security/x509certdb;1"].getService(
    Ci.nsIX509CertDB
  );
  const setEnterpriseRootsEnabled = enabled =>
    Services.prefs.setBoolPref("security.enterprise_roots.enabled", enabled);

  // The result is discarded on purpose: the call blocks until roots are
  // loaded, so the checks below do not race with the initial import.
  psm.getEnterpriseRoots();

  // Starting state. NOTE(review): this presumes the pref is already enabled
  // when the test starts (nothing in this file sets it) - confirm against the
  // test manifest.
  await check_some_enterprise_roots_imported(psm, x509DB);

  // Turning the feature off has to leave the list empty.
  setEnterpriseRootsEnabled(false);
  await check_no_enterprise_roots_imported(psm, x509DB);

  // Turning it back on starts a new import; wait for its notification before
  // looking at the list. NOTE(review): the observer is registered after the
  // pref is flipped, which relies on the notification not being delivered
  // during setBoolPref itself - confirm.
  setEnterpriseRootsEnabled(true);
  await TestUtils.topicObserved("psm:enterprise-certs-imported");
  const rememberedDBKey = await check_some_enterprise_roots_imported(
    psm,
    x509DB
  );

  // Final disable: hand over the remembered dbKey so that a copy of the root
  // that is still reachable gets checked for having lost its trust.
  setEnterpriseRootsEnabled(false);
  await check_no_enterprise_roots_imported(psm, x509DB, rememberedDBKey);
});