1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
"use strict";
// Tests that if a server does not send a complete certificate chain, we can
// make use of cached intermediates to build a trust path.
const { TestUtils } = ChromeUtils.import(
"resource://testing-common/TestUtils.jsm"
);
do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
Ci.nsIX509CertDB
);
registerCleanupFunction(() => {
let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
certDir.append("bad_certs");
Assert.ok(certDir.exists(), "bad_certs should exist");
let args = ["-D", "-n", "manually-added-missing-intermediate"];
run_certutil_on_directory(certDir.path, args, false);
});
function run_test() {
add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
// If we don't know about the intermediate, we'll get an unknown issuer error.
add_connection_test(
"ee-from-missing-intermediate.example.com",
SEC_ERROR_UNKNOWN_ISSUER
);
// Make BadCertAndPinningServer aware of the intermediate.
add_test(() => {
let args = [
"-A",
"-n",
"manually-added-missing-intermediate",
"-i",
"test_missing_intermediate/missing-intermediate.pem",
"-a",
"-t",
",,",
];
let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
certDir.append("bad_certs");
Assert.ok(certDir.exists(), "bad_certs should exist");
run_certutil_on_directory(certDir.path, args);
run_next_test();
});
// We have to start observing the topic before there's a chance it gets
// emitted.
add_test(() => {
TestUtils.topicObserved("psm:intermediate-certs-cached").then(
subjectAndData => {
Assert.equal(subjectAndData.length, 2, "expecting [subject, data]");
Assert.equal(subjectAndData[1], "1", `expecting "1" cert imported`);
run_next_test();
}
);
run_next_test();
});
// Connect and cache the intermediate.
add_connection_test(
"ee-from-missing-intermediate.example.com",
PRErrorCodeSuccess
);
// Add a dummy test so that the only way we advance from here is by observing
// "psm:intermediate-certs-cached".
add_test(() => {});
// Delete the intermediate on the server again.
add_test(() => {
clearSessionCache();
let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
certDir.append("bad_certs");
Assert.ok(certDir.exists(), "bad_certs should exist");
let args = ["-D", "-n", "manually-added-missing-intermediate"];
run_certutil_on_directory(certDir.path, args);
run_next_test();
});
// Since we cached the intermediate in gecko, this should succeed.
add_connection_test(
"ee-from-missing-intermediate.example.com",
PRErrorCodeSuccess
);
run_next_test();
}
|