54 lines
1.6 KiB
JavaScript
54 lines
1.6 KiB
JavaScript
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
|
|
// This Source Code Form is subject to the terms of the Mozilla Public
|
|
// License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
"use strict";
|
|
|
|
do_get_profile(); // must be called before getting nsIX509CertDB
|
|
|
|
function add_tests_in_mode(mode) {
|
|
add_test(function set_mode() {
|
|
info(`setting CT to mode ${mode}`);
|
|
Services.prefs.setIntPref(
|
|
"security.pki.certificate_transparency.mode",
|
|
mode
|
|
);
|
|
run_next_test();
|
|
});
|
|
|
|
add_ct_test(
|
|
"ct-via-ocsp.example.com",
|
|
Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT,
|
|
true
|
|
);
|
|
|
|
add_ct_test(
|
|
"ct-via-tls.example.com",
|
|
Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT,
|
|
true
|
|
);
|
|
|
|
// One of the presented SCTs has a signature that has been tampered with, so
|
|
// overall there are not enough SCTs to be compliant with the policy.
|
|
add_ct_test(
|
|
"ct-tampered.example.com",
|
|
Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS,
|
|
mode == CT_MODE_COLLECT_TELEMETRY
|
|
);
|
|
}
|
|
|
|
function run_test() {
|
|
// Make the test root appear to be a built-in root, so that certificate
|
|
// transparency is checked.
|
|
let rootCert = constructCertFromFile("test_ct/test-ca.pem");
|
|
Services.prefs.setCharPref(
|
|
"security.test.built_in_root_hash",
|
|
rootCert.sha256Fingerprint
|
|
);
|
|
|
|
add_tls_server_setup("OCSPStaplingServer", "test_ct");
|
|
add_tests_in_mode(CT_MODE_COLLECT_TELEMETRY);
|
|
add_tests_in_mode(CT_MODE_ENFORCE);
|
|
run_next_test();
|
|
}
|