tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

test_trust_anchors.js (3135B)

      1 // Any copyright is dedicated to the Public Domain.
      2 // http://creativecommons.org/publicdomain/zero/1.0/
      3 "use strict";
      4 
      5 // Tests that use a mock builtins module.
      6 
      7 // Ensure that the appropriate initialization has happened.
      8 do_get_profile();
      9 const gCertDb = Cc["@mozilla.org/security/x509certdb;1"].getService(
     10  Ci.nsIX509CertDB
     11 );
     12 
     13 add_setup(function load_nssckbi_testlib() {
     14  let moduleName = "Mock Builtins";
     15  let libraryName = "test_trust_anchors";
     16 
     17  checkPKCS11ModuleNotPresent(moduleName, libraryName);
     18 
     19  let libraryFile = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
     20  libraryFile.append("test_trust_anchors");
     21  libraryFile.append(ctypes.libraryName(libraryName));
     22  loadPKCS11Module(libraryFile, moduleName, true);
     23  let testModule = checkPKCS11ModuleExists(moduleName, libraryName);
     24 
     25  // Check that listing the slots for the test module works.
     26  let testModuleSlotNames = Array.from(
     27    testModule.listSlots(),
     28    slot => slot.name
     29  );
     30  testModuleSlotNames.sort();
     31  const expectedSlotNames = ["NSS Builtin Objects"];
     32  deepEqual(
     33    testModuleSlotNames,
     34    expectedSlotNames,
     35    "Actual and expected slot names should be equal"
     36  );
     37 });
     38 
     39 let gEEPreDistrustCert;
     40 
     41 add_task(async function test_distrust_after() {
     42  gEEPreDistrustCert = addCertFromFile(
     43    gCertDb,
     44    "test_trust_anchors/ee-notBefore-2021.pem",
     45    ",,"
     46  );
     47  notEqual(gEEPreDistrustCert, null, "EE cert should have successfully loaded");
     48 
     49  let ee_post_distrust_cert = addCertFromFile(
     50    gCertDb,
     51    "test_trust_anchors/ee-notBefore-2023.pem",
     52    ",,"
     53  );
     54  notEqual(
     55    ee_post_distrust_cert,
     56    null,
     57    "EE cert should have successfully loaded"
     58  );
     59 
     60  let int_cert = addCertFromFile(gCertDb, "test_trust_anchors/int.pem", ",,");
     61  notEqual(int_cert, null, "Intermediate cert should have successfully loaded");
     62  let int_cert_by_ca2 = addCertFromFile(
     63    gCertDb,
     64    "test_trust_anchors/int-by-ca2.pem",
     65    ",,"
     66  );
     67  notEqual(
     68    int_cert_by_ca2,
     69    null,
     70    "Intermediate cert issued by ca2 should have successfully loaded"
     71  );
     72 
     73  // A certificate with a notBefore before the distrustAfter date
     74  // should verify.
     75  await checkCertErrorGeneric(
     76    gCertDb,
     77    gEEPreDistrustCert,
     78    PRErrorCodeSuccess,
     79    Ci.nsIX509CertDB.verifyUsageTLSServer
     80  );
     81 
     82  // A certificate with a notBefore after the distrustAfter date
     83  // should not verify.
     84  await checkCertErrorGeneric(
     85    gCertDb,
     86    ee_post_distrust_cert,
     87    MOZILLA_PKIX_ERROR_ISSUER_NO_LONGER_TRUSTED,
     88    Ci.nsIX509CertDB.verifyUsageTLSServer
     89  );
     90 });
     91 
     92 add_task(
     93  { skip_if: () => !AppConstants.DEBUG },
     94  async function test_ct_notes_distrust_after() {
     95    Services.prefs.setIntPref(
     96      "security.pki.certificate_transparency.mode",
     97      CT_MODE_ENFORCE
     98    );
     99    // This certificate, which has a notBefore before the distrustAfter date, has
    100    // an embedded SCT with a timestamp after the distrustAfter date, so this
    101    // should result in a CT error.
    102    await checkCertErrorGeneric(
    103      gCertDb,
    104      gEEPreDistrustCert,
    105      MOZILLA_PKIX_ERROR_INSUFFICIENT_CERTIFICATE_TRANSPARENCY,
    106      Ci.nsIX509CertDB.verifyUsageTLSServer
    107    );
    108  }
    109 );