Adding upstream version 124.0.1.upstream/124.0.1

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 78 insertions, 0 deletions

diff --git a/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js b/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js
new file mode 100644
index 0000000000..514964b5fb
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js
@@ -0,0 +1,78 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+  Ci.nsIX509CertDB
+);
+
+function certFromFile(certName) {
+  return constructCertFromFile(`test_baseline_requirements/${certName}.pem`);
+}
+
+function loadCertWithTrust(certName, trustString) {
+  addCertFromFile(
+    gCertDB,
+    `test_baseline_requirements/${certName}.pem`,
+    trustString
+  );
+}
+
+function checkCertOn25August2016(cert, expectedResult) {
+  // (new Date("2016-08-25T00:00:00Z")).getTime() / 1000
+  const VALIDATION_TIME = 1472083200;
+  return checkCertErrorGenericAtTime(
+    gCertDB,
+    cert,
+    expectedResult,
+    certificateUsageSSLServer,
+    VALIDATION_TIME,
+    false,
+    "example.com"
+  );
+}
+
+add_task(async function () {
+  registerCleanupFunction(() => {
+    Services.prefs.clearUserPref("privacy.reduceTimerPrecision");
+  });
+
+  Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false);
+
+  loadCertWithTrust("ca", "CTu,,");
+
+  // At one time there was a preference security.pki.name_matching_mode that
+  // controlled whether or not mozilla::pkix would fall back to using a
+  // certificate's subject common name during name matching. This no longer
+  // exists, and certificates that previously required the fallback should fail
+  // to verify.
+
+  await checkCertOn25August2016(
+    certFromFile("no-san-recent"),
+    SSL_ERROR_BAD_CERT_DOMAIN
+  );
+  await checkCertOn25August2016(
+    certFromFile("no-san-old"),
+    SSL_ERROR_BAD_CERT_DOMAIN
+  );
+  await checkCertOn25August2016(
+    certFromFile("no-san-older"),
+    SSL_ERROR_BAD_CERT_DOMAIN
+  );
+  await checkCertOn25August2016(
+    certFromFile("san-contains-no-hostnames-recent"),
+    SSL_ERROR_BAD_CERT_DOMAIN
+  );
+  await checkCertOn25August2016(
+    certFromFile("san-contains-no-hostnames-old"),
+    SSL_ERROR_BAD_CERT_DOMAIN
+  );
+  await checkCertOn25August2016(
+    certFromFile("san-contains-no-hostnames-older"),
+    SSL_ERROR_BAD_CERT_DOMAIN
+  );
+});