summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/tests/unit/test_ct.js
blob: 59db48f858f5ee7ab873c44553d9426f1936d5b2 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

"use strict";

do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
  Ci.nsIX509CertDB
);

function expectCT(value) {
  return securityInfo => {
    Assert.equal(
      securityInfo.certificateTransparencyStatus,
      value,
      "actual and expected CT status should match"
    );
  };
}

registerCleanupFunction(() => {
  Services.prefs.clearUserPref("security.pki.certificate_transparency.mode");
  let cert = constructCertFromFile("test_ct/ct-valid.example.com.pem");
  setCertTrust(cert, ",,");
});

function run_test() {
  Services.prefs.setIntPref("security.pki.certificate_transparency.mode", 1);
  add_tls_server_setup("BadCertAndPinningServer", "test_ct");
  // These certificates have a validity period of 800 days, which is a little
  // over 2 years and 2 months. This gets rounded down to 2 years (since it's
  // less than 2 years and 3 months). Our policy requires N + 1 embedded SCTs,
  // where N is 2 in this case. So, a policy-compliant certificate would have at
  // least 3 SCTs.
  add_connection_test(
    "ct-valid.example.com",
    PRErrorCodeSuccess,
    null,
    expectCT(
      Ci.nsITransportSecurityInfo.CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT
    )
  );
  // This certificate has only 2 embedded SCTs, and so is not policy-compliant.
  add_connection_test(
    "ct-insufficient-scts.example.com",
    PRErrorCodeSuccess,
    null,
    expectCT(
      Ci.nsITransportSecurityInfo
        .CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS
    )
  );

  // Test that if an end-entity is marked as a trust anchor, CT verification
  // returns a "not enough SCTs" result.
  add_test(() => {
    let cert = constructCertFromFile("test_ct/ct-valid.example.com.pem");
    setCertTrust(cert, "CTu,,");
    clearSessionCache();
    run_next_test();
  });
  add_connection_test(
    "ct-valid.example.com",
    PRErrorCodeSuccess,
    null,
    expectCT(
      Ci.nsITransportSecurityInfo
        .CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS
    )
  );

  run_next_test();
}