From fbaf0bb26397aa498eb9156f06d5a6fe34dd7dd8 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 03:14:29 +0200 Subject: Merging upstream version 125.0.1. Signed-off-by: Daniel Baumann --- security/manager/ssl/tests/unit/head_psm.js | 14 +- ...t_certDB_export_pkcs12_with_primary_password.js | 4 +- .../manager/ssl/tests/unit/test_certDB_import.js | 4 +- .../test_certDB_import_with_primary_password.js | 6 +- security/manager/ssl/tests/unit/test_cert_dbKey.js | 30 +- security/manager/ssl/tests/unit/test_cert_utf8.js | 5 +- security/manager/ssl/tests/unit/test_ev_certs.js | 4 +- .../manager/ssl/tests/unit/test_faulty_server.js | 2 +- .../ssl/tests/unit/test_logoutAndTeardown.js | 2 +- .../ssl/tests/unit/test_ocsp_private_caching.js | 11 +- .../manager/ssl/tests/unit/test_ocsp_timeout.js | 12 +- security/manager/ssl/tests/unit/test_oskeystore.js | 20 +- .../ssl/tests/unit/test_osreauthenticator.js | 5 +- .../manager/ssl/tests/unit/test_password_prompt.js | 2 +- .../manager/ssl/tests/unit/test_pkcs11_slot.js | 2 +- security/manager/ssl/tests/unit/test_sdr.js | 2 +- .../unit/test_sdr_preexisting_with_password.js | 2 +- .../ssl/tests/unit/test_self_signed_certs.js | 2 +- .../manager/ssl/tests/unit/test_signed_apps.js | 375 ++++++++++++++++----- .../addons-stage-tomato-clock-sha1-es256-es384.zip | Bin 0 -> 457632 bytes .../addons-stage-tomato-clock-sha1-es256-ps256.zip | Bin 0 -> 458467 bytes .../addons-stage-tomato-clock-sha1-es256.zip | Bin 0 -> 456863 bytes .../addons-stage-tomato-clock-sha1-ps256.zip | Bin 0 -> 457742 bytes ...8-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip | Bin 459192 -> 0 bytes ...8-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip | Bin 460028 -> 0 bytes ...14ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip | Bin 458426 -> 0 bytes ...14ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip | Bin 459315 -> 0 bytes .../tests/unit/test_sts_preloadlist_perwindowpb.js | 2 +- .../ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp | 2 +- 29 files changed, 352 insertions(+), 156 deletions(-) create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/addons-stage-tomato-clock-sha1-es256-es384.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/addons-stage-tomato-clock-sha1-es256-ps256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/addons-stage-tomato-clock-sha1-es256.zip create mode 100644 security/manager/ssl/tests/unit/test_signed_apps/addons-stage-tomato-clock-sha1-ps256.zip delete mode 100644 security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip delete mode 100644 security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip delete mode 100644 security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip delete mode 100644 security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip (limited to 'security/manager/ssl/tests/unit') diff --git a/security/manager/ssl/tests/unit/head_psm.js b/security/manager/ssl/tests/unit/head_psm.js index d34c7fdc1d..5667d2e020 100644 --- a/security/manager/ssl/tests/unit/head_psm.js +++ b/security/manager/ssl/tests/unit/head_psm.js @@ -300,7 +300,7 @@ function checkCertErrorGenericAtTime( /* optional */ hostname, /* optional */ flags = NO_FLAGS ) { - return new Promise((resolve, reject) => { + return new Promise(resolve => { let result = new CertVerificationExpectedErrorResult( cert.commonName, expectedError, @@ -570,7 +570,7 @@ async function asyncConnectTo( Connection.prototype = { // nsITransportEventSink - onTransportStatus(aTransport, aStatus, aProgress, aProgressMax) { + onTransportStatus(aTransport, aStatus) { if ( !this.connected && aStatus == Ci.nsISocketTransport.STATUS_CONNECTED_TO @@ -596,7 +596,7 @@ async function asyncConnectTo( }, // nsIOutputStreamCallback - onOutputStreamReady(aStream) { + onOutputStreamReady() { if (aAfterStreamOpen) { aAfterStreamOpen(this.transport); } @@ -774,7 +774,7 @@ function generateOCSPResponses(ocspRespArray, nssDBlocation) { // serverIdentities. function getFailingHttpServer(serverPort, serverIdentities) { let httpServer = new HttpServer(); - httpServer.registerPrefixHandler("/", function (request, response) { + httpServer.registerPrefixHandler("/", function () { Assert.ok(false, "HTTP responder should not have been queried"); }); httpServer.identity.setPrimary("http", serverIdentities.shift(), serverPort); @@ -902,7 +902,7 @@ function startOCSPResponder( // Given an OCSP responder (see startOCSPResponder), returns a promise that // resolves when the responder has successfully stopped. function stopOCSPResponder(responder) { - return new Promise((resolve, reject) => { + return new Promise(resolve => { responder.stop(resolve); }); } @@ -977,7 +977,7 @@ class CertVerificationResult { this.resolve = resolve; } - verifyCertFinished(aPRErrorCode, aVerifiedChain, aHasEVPolicy) { + verifyCertFinished(aPRErrorCode) { if (this.successExpected) { equal( aPRErrorCode, @@ -1017,7 +1017,7 @@ function asyncTestCertificateUsages(certdb, cert, expectedUsages) { let now = new Date().getTime() / 1000; let promises = []; Object.keys(allCertificateUsages).forEach(usageString => { - let promise = new Promise((resolve, reject) => { + let promise = new Promise(resolve => { let usage = allCertificateUsages[usageString]; let successExpected = expectedUsages.includes(usage); let result = new CertVerificationResult( diff --git a/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js index 25f4ab58bf..471330302f 100644 --- a/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js +++ b/security/manager/ssl/tests/unit/test_certDB_export_pkcs12_with_primary_password.js @@ -30,7 +30,7 @@ var gPrompt = { ok(false, "not expecting alert() to be called"); }, - promptPassword(dialogTitle, text, password, checkMsg, checkValue) { + promptPassword(dialogTitle, text, password, checkMsg) { equal( text, "Please enter your Primary Password.", @@ -44,7 +44,7 @@ var gPrompt = { const gPromptFactory = { QueryInterface: ChromeUtils.generateQI(["nsIPromptFactory"]), - getPrompt: (aWindow, aIID) => gPrompt, + getPrompt: () => gPrompt, }; function findCertByCommonName(commonName) { diff --git a/security/manager/ssl/tests/unit/test_certDB_import.js b/security/manager/ssl/tests/unit/test_certDB_import.js index 86c66f4989..f91a7b750f 100644 --- a/security/manager/ssl/tests/unit/test_certDB_import.js +++ b/security/manager/ssl/tests/unit/test_certDB_import.js @@ -28,11 +28,11 @@ const gCertificateDialogs = { trust.value = Ci.nsIX509CertDB.TRUSTED_EMAIL; return true; }, - setPKCS12FilePassword: (ctx, password) => { + setPKCS12FilePassword: () => { // This is only relevant to exporting. ok(false, "setPKCS12FilePassword() should not have been called"); }, - getPKCS12FilePassword: (ctx, password) => { + getPKCS12FilePassword: () => { // We don't test anything that calls this method yet. ok(false, "getPKCS12FilePassword() should not have been called"); }, diff --git a/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js b/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js index ab1ad36fd2..07e360fffd 100644 --- a/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js +++ b/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js @@ -28,11 +28,11 @@ const gCertificateDialogs = { trust.value = Ci.nsIX509CertDB.TRUSTED_EMAIL; return true; }, - setPKCS12FilePassword: (ctx, password) => { + setPKCS12FilePassword: () => { // This is only relevant to exporting. ok(false, "setPKCS12FilePassword() should not have been called"); }, - getPKCS12FilePassword: (ctx, password) => { + getPKCS12FilePassword: () => { // We don't test anything that calls this method yet. ok(false, "getPKCS12FilePassword() should not have been called"); }, @@ -47,7 +47,7 @@ var gMockPrompter = { // This intentionally does not use arrow function syntax to avoid an issue // where in the context of the arrow function, |this != gMockPrompter| due to // how objects get wrapped when going across xpcom boundaries. - promptPassword(dialogTitle, text, password, checkMsg, checkValue) { + promptPassword(dialogTitle, text, password, checkMsg) { this.numPrompts++; if (this.numPrompts > 1) { // don't keep retrying a bad password diff --git a/security/manager/ssl/tests/unit/test_cert_dbKey.js b/security/manager/ssl/tests/unit/test_cert_dbKey.js index 3ff36f905c..4f729b037e 100644 --- a/security/manager/ssl/tests/unit/test_cert_dbKey.js +++ b/security/manager/ssl/tests/unit/test_cert_dbKey.js @@ -34,8 +34,9 @@ function encodeCommonNameAsBytes(commonName) { // SEQUENCE must be 127. Everything not in the contents of the common name // will take up 11 bytes, so the value of the common name itself can be at // most 116 bytes. - ok( - commonName.length <= 116, + Assert.lessOrEqual( + commonName.length, + 116, "test assumption: common name can't be longer than 116 bytes (makes " + "DER encoding easier)" ); @@ -88,13 +89,15 @@ function run_test() { "consists only of a common name" ); let issuerBytes = encodeCommonNameAsBytes(cert.issuerCommonName); - ok( - issuerBytes.length < 256, + Assert.less( + issuerBytes.length, + 256, "test assumption: length of encoded issuer is less than 256 bytes" ); let serialNumberBytes = hexStringToBytes(cert.serialNumber); - ok( - serialNumberBytes.length < 256, + Assert.less( + serialNumberBytes.length, + 256, "test assumption: length of encoded serial number is less than 256 bytes" ); let dbKeyHeader = [ @@ -129,13 +132,15 @@ function run_test() { "nsIX509CertDB.findCertByDBKey should find the right certificate" ); - ok( - expectedDbKey.length > 64, + Assert.greater( + expectedDbKey.length, + 64, "test assumption: dbKey should be longer than 64 characters" ); let expectedDbKeyWithCRLF = expectedDbKey.replace(/(.{64})/, "$1\r\n"); - ok( - expectedDbKeyWithCRLF.indexOf("\r\n") == 64, + Assert.equal( + expectedDbKeyWithCRLF.indexOf("\r\n"), + 64, "test self-check: adding CRLF to dbKey should succeed" ); certFromDbKey = certDB.findCertByDBKey(expectedDbKeyWithCRLF); @@ -145,8 +150,9 @@ function run_test() { ); let expectedDbKeyWithSpaces = expectedDbKey.replace(/(.{64})/, "$1 "); - ok( - expectedDbKeyWithSpaces.indexOf(" ") == 64, + Assert.equal( + expectedDbKeyWithSpaces.indexOf(" "), + 64, "test self-check: adding spaces to dbKey should succeed" ); certFromDbKey = certDB.findCertByDBKey(expectedDbKeyWithSpaces); diff --git a/security/manager/ssl/tests/unit/test_cert_utf8.js b/security/manager/ssl/tests/unit/test_cert_utf8.js index caeddd8158..82677237a3 100644 --- a/security/manager/ssl/tests/unit/test_cert_utf8.js +++ b/security/manager/ssl/tests/unit/test_cert_utf8.js @@ -60,8 +60,9 @@ function testUTF8InField(field, replacementPrefix, certificateBytesToAlter) { let uniqueIssuerReplacement = "ALWAYS MAKE ME UNIQU" + String.fromCharCode(gUniqueIssuerCounter); bytes = bytes.replace("ALWAYS MAKE ME UNIQUE", uniqueIssuerReplacement); - ok( - gUniqueIssuerCounter < 127, + Assert.less( + gUniqueIssuerCounter, + 127, "should have enough ASCII replacements to make a unique issuer DN" ); gUniqueIssuerCounter++; diff --git a/security/manager/ssl/tests/unit/test_ev_certs.js b/security/manager/ssl/tests/unit/test_ev_certs.js index f163623919..99b5bda0f0 100644 --- a/security/manager/ssl/tests/unit/test_ev_certs.js +++ b/security/manager/ssl/tests/unit/test_ev_certs.js @@ -84,7 +84,7 @@ function asyncTestEV( ocspResponseTypes = undefined ) { let now = Date.now() / 1000; - return new Promise((resolve, reject) => { + return new Promise(resolve => { let ocspResponder = expectedOCSPRequestPaths.length ? startOCSPResponder( SERVER_PORT, @@ -157,7 +157,7 @@ function verifyWithFlags_LOCAL_ONLY_and_MUST_BE_EV(testcase, expectSuccess) { if (expectSuccess && gEVExpected) { expectedErrorCode = PRErrorCodeSuccess; } - return new Promise((resolve, reject) => { + return new Promise(resolve => { let ocspResponder = failingOCSPResponder(); let result = new EVCertVerificationResult( cert.subjectName, diff --git a/security/manager/ssl/tests/unit/test_faulty_server.js b/security/manager/ssl/tests/unit/test_faulty_server.js index 7536a91104..f617908e28 100644 --- a/security/manager/ssl/tests/unit/test_faulty_server.js +++ b/security/manager/ssl/tests/unit/test_faulty_server.js @@ -13,7 +13,7 @@ var httpServer = null; let handlerCallbacks = {}; -function listenHandler(metadata, response) { +function listenHandler(metadata) { info(metadata.path); handlerCallbacks[metadata.path] = (handlerCallbacks[metadata.path] || 0) + 1; } diff --git a/security/manager/ssl/tests/unit/test_logoutAndTeardown.js b/security/manager/ssl/tests/unit/test_logoutAndTeardown.js index 1582978398..531b1acb22 100644 --- a/security/manager/ssl/tests/unit/test_logoutAndTeardown.js +++ b/security/manager/ssl/tests/unit/test_logoutAndTeardown.js @@ -163,7 +163,7 @@ function storeCertOverride(port, cert) { function startClient(port) { let req = new XMLHttpRequest(); req.open("GET", `https://${hostname}:${port}`); - return new Promise((resolve, reject) => { + return new Promise(resolve => { req.onload = () => { ok(false, "should not have gotten load event"); resolve(); diff --git a/security/manager/ssl/tests/unit/test_ocsp_private_caching.js b/security/manager/ssl/tests/unit/test_ocsp_private_caching.js index 47b976cf71..3a56118bdf 100644 --- a/security/manager/ssl/tests/unit/test_ocsp_private_caching.js +++ b/security/manager/ssl/tests/unit/test_ocsp_private_caching.js @@ -74,16 +74,7 @@ function add_ocsp_necko_cache_test(loadContext) { let foundEntry = false; let visitor = { onCacheStorageInfo() {}, - onCacheEntryInfo( - aURI, - aIdEnhance, - aDataSize, - aFetchCount, - aLastModifiedTime, - aExpirationTime, - aPinned, - aInfo - ) { + onCacheEntryInfo(aURI) { Assert.equal( aURI.spec, "http://localhost:8888/", diff --git a/security/manager/ssl/tests/unit/test_ocsp_timeout.js b/security/manager/ssl/tests/unit/test_ocsp_timeout.js index 8d606bc028..5d3487bfe7 100644 --- a/security/manager/ssl/tests/unit/test_ocsp_timeout.js +++ b/security/manager/ssl/tests/unit/test_ocsp_timeout.js @@ -21,7 +21,7 @@ var gSocketListener = { socketTransport.setTimeout(Ci.nsISocketTransport.TIMEOUT_READ_WRITE, 30); }, - onStopListening(serverSocket, status) {}, + onStopListening() {}, }; function run_test() { @@ -77,8 +77,9 @@ function add_one_test(useHardFail, timeoutPrefName, timeoutMilliseconds) { // prevent intermittent failures (this only appeared to be a problem on // Windows XP). See Bug 1121117. const FUZZ_MS = 300; - ok( - timeDifference + FUZZ_MS > timeoutMilliseconds, + Assert.greater( + timeDifference + FUZZ_MS, + timeoutMilliseconds, `OCSP timeout should be ~${timeoutMilliseconds}s for ` + `${useHardFail ? "hard" : "soft"}-fail` ); @@ -86,8 +87,9 @@ function add_one_test(useHardFail, timeoutPrefName, timeoutMilliseconds) { // (Unfortunately, we probably can't have a tight upper bound on // how long is too long for this test, because we might be running // on slow hardware.) - ok( - timeDifference < 60000, + Assert.less( + timeDifference, + 60000, "Automatic OCSP timeout shouldn't be more than 60s" ); diff --git a/security/manager/ssl/tests/unit/test_oskeystore.js b/security/manager/ssl/tests/unit/test_oskeystore.js index fcc9de6c59..9efcaa69a6 100644 --- a/security/manager/ssl/tests/unit/test_oskeystore.js +++ b/security/manager/ssl/tests/unit/test_oskeystore.js @@ -51,8 +51,9 @@ async function encrypt_decrypt_test() { // Decrypting should give us the plaintext bytes again. try { let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext); - ok( - plaintext.toString() == text.toString(), + Assert.equal( + plaintext.toString(), + text.toString(), "Decrypted plaintext should be the same as text." ); } catch (e) { @@ -102,8 +103,9 @@ add_task(async function () { await keystore.asyncRecoverSecret(LABELS[0], recoveryPhrase); let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext); - ok( - plaintext.toString() == text.toString(), + Assert.equal( + plaintext.toString(), + text.toString(), "Decrypted plaintext should be the same as text." ); @@ -166,8 +168,9 @@ add_task(async function () { await keystore.asyncRecoverSecret(LABELS[0], recoveryPhrase); let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext); - ok( - plaintext.toString() == text.toString(), + Assert.equal( + plaintext.toString(), + text.toString(), "Decrypted plaintext should be the same as text (once we have the original key again)." ); @@ -204,8 +207,9 @@ add_task(async function () { await keystore.asyncRecoverSecret(LABELS[0], newRecoveryPhrase); let plaintext = await keystore.asyncDecryptBytes(LABELS[0], ciphertext); - ok( - plaintext.toString() == text.toString(), + Assert.equal( + plaintext.toString(), + text.toString(), "Decrypted plaintext should be the same as text (once we have the new key again)." ); diff --git a/security/manager/ssl/tests/unit/test_osreauthenticator.js b/security/manager/ssl/tests/unit/test_osreauthenticator.js index 01784a5fef..55d9710c0d 100644 --- a/security/manager/ssl/tests/unit/test_osreauthenticator.js +++ b/security/manager/ssl/tests/unit/test_osreauthenticator.js @@ -13,14 +13,15 @@ add_task(async function test_asyncReauthenticateUser() { ].getService(Ci.nsIOSReauthenticator); ok(reauthenticator, "nsIOSReauthenticator should be available"); const EXPECTED = false; // Change this variable to suit your needs while testing. - ok( + Assert.equal( ( await reauthenticator.asyncReauthenticateUser( "this is the prompt string", "this is the caption string", null ) - )[0] == EXPECTED, + )[0], + EXPECTED, "nsIOSReauthenticator.asyncReauthenticateUser should return a boolean array with the first item being the authentication result of: " + EXPECTED ); diff --git a/security/manager/ssl/tests/unit/test_password_prompt.js b/security/manager/ssl/tests/unit/test_password_prompt.js index cf4c6db7bf..a88dd67703 100644 --- a/security/manager/ssl/tests/unit/test_password_prompt.js +++ b/security/manager/ssl/tests/unit/test_password_prompt.js @@ -16,7 +16,7 @@ var gMockPrompter = { // This intentionally does not use arrow function syntax to avoid an issue // where in the context of the arrow function, |this != gMockPrompter| due to // how objects get wrapped when going across xpcom boundaries. - promptPassword(dialogTitle, text, password, checkMsg, checkValue) { + promptPassword(dialogTitle, text, password, checkMsg) { this.numPrompts++; if (this.numPrompts > 1) { // don't keep retrying a bad password diff --git a/security/manager/ssl/tests/unit/test_pkcs11_slot.js b/security/manager/ssl/tests/unit/test_pkcs11_slot.js index dba2a4d3a1..f04c296f9b 100644 --- a/security/manager/ssl/tests/unit/test_pkcs11_slot.js +++ b/security/manager/ssl/tests/unit/test_pkcs11_slot.js @@ -44,7 +44,7 @@ var gPrompt = { const gPromptFactory = { QueryInterface: ChromeUtils.generateQI(["nsIPromptFactory"]), - getPrompt: (aWindow, aIID) => gPrompt, + getPrompt: () => gPrompt, }; function run_test() { diff --git a/security/manager/ssl/tests/unit/test_sdr.js b/security/manager/ssl/tests/unit/test_sdr.js index e9e477efc5..73c2219fc6 100644 --- a/security/manager/ssl/tests/unit/test_sdr.js +++ b/security/manager/ssl/tests/unit/test_sdr.js @@ -22,7 +22,7 @@ const gTokenPasswordDialogs = { }; let gMockPrompter = { - promptPassword(dialogTitle, text, password, checkMsg, checkValue) { + promptPassword() { // Returning false simulates the user canceling the password prompt. return false; }, diff --git a/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js index 5c1b2bb653..fa2b536036 100644 --- a/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js +++ b/security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js @@ -17,7 +17,7 @@ var gMockPrompter = { // This intentionally does not use arrow function syntax to avoid an issue // where in the context of the arrow function, |this != gMockPrompter| due to // how objects get wrapped when going across xpcom boundaries. - promptPassword(dialogTitle, text, password, checkMsg, checkValue) { + promptPassword(dialogTitle, text, password, checkMsg) { this.numPrompts++; if (this.numPrompts > 1) { // don't keep retrying a bad password diff --git a/security/manager/ssl/tests/unit/test_self_signed_certs.js b/security/manager/ssl/tests/unit/test_self_signed_certs.js index ef0a38f9bc..2500ea38a5 100644 --- a/security/manager/ssl/tests/unit/test_self_signed_certs.js +++ b/security/manager/ssl/tests/unit/test_self_signed_certs.js @@ -65,7 +65,7 @@ add_task(async function test_no_overlong_path_building() { } let timeAfter = Date.now(); let secondsElapsed = (timeAfter - timeBefore) / 1000; - ok(secondsElapsed < 120, "verifications shouldn't take too long"); + Assert.less(secondsElapsed, 120, "verifications shouldn't take too long"); }); add_task(async function test_no_bad_signature() { diff --git a/security/manager/ssl/tests/unit/test_signed_apps.js b/security/manager/ssl/tests/unit/test_signed_apps.js index 4893bfd714..3ec35a8608 100644 --- a/security/manager/ssl/tests/unit/test_signed_apps.js +++ b/security/manager/ssl/tests/unit/test_signed_apps.js @@ -96,7 +96,7 @@ function tamper(inFilePath, outFilePath, modifications, newEntries) { } } -function removeEntry(entry, entryInput) { +function removeEntry() { return [null, null]; } @@ -116,8 +116,8 @@ function truncateEntry(entry, entryInput) { return [entry, content]; } -function check_open_result(name, expectedRv) { - return function openSignedAppFileCallback(rv, aZipReader, aSignerCert) { +function check_open_result(name, expectedRv, expectedSignatureAlgorithms) { + return function openSignedAppFileCallback(rv, aZipReader, aSignatureInfos) { info("openSignedAppFileCallback called for " + name); equal(rv, expectedRv, "Actual and expected return value should match"); equal( @@ -126,10 +126,17 @@ function check_open_result(name, expectedRv) { "ZIP reader should be null only if the return value denotes failure" ); equal( - aSignerCert != null, - Components.isSuccessCode(expectedRv), - "Signer cert should be null only if the return value denotes failure" + aSignatureInfos.length, + expectedSignatureAlgorithms.length, + "Should have the same number of expected signature infos" ); + for (let i = 0; i < expectedSignatureAlgorithms.length; i++) { + equal( + aSignatureInfos[i].signatureAlgorithm, + expectedSignatureAlgorithms[i], + "Should have expected signature algorithm" + ); + } run_next_test(); }; } @@ -149,89 +156,152 @@ function tampered_app_path(test_name) { var hashTestcases = [ // SHA-256 in PKCS#7 + SHA-256 present elsewhere => OK - { name: "app_mf-1-256_sf-1-256_p7-1-256", expectedResult: Cr.NS_OK }, - { name: "app_mf-1-256_sf-1-256_p7-256", expectedResult: Cr.NS_OK }, - { name: "app_mf-1-256_sf-256_p7-1-256", expectedResult: Cr.NS_OK }, - { name: "app_mf-1-256_sf-256_p7-256", expectedResult: Cr.NS_OK }, - { name: "app_mf-256_sf-1-256_p7-1-256", expectedResult: Cr.NS_OK }, - { name: "app_mf-256_sf-1-256_p7-256", expectedResult: Cr.NS_OK }, - { name: "app_mf-256_sf-256_p7-1-256", expectedResult: Cr.NS_OK }, - { name: "app_mf-256_sf-256_p7-256", expectedResult: Cr.NS_OK }, + { + name: "app_mf-1-256_sf-1-256_p7-1-256", + expectedResult: Cr.NS_OK, + expectedSignatureAlgorithms: [Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA256], + }, + { + name: "app_mf-1-256_sf-1-256_p7-256", + expectedResult: Cr.NS_OK, + expectedSignatureAlgorithms: [Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA256], + }, + { + name: "app_mf-1-256_sf-256_p7-1-256", + expectedResult: Cr.NS_OK, + expectedSignatureAlgorithms: [Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA256], + }, + { + name: "app_mf-1-256_sf-256_p7-256", + expectedResult: Cr.NS_OK, + expectedSignatureAlgorithms: [Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA256], + }, + { + name: "app_mf-256_sf-1-256_p7-1-256", + expectedResult: Cr.NS_OK, + expectedSignatureAlgorithms: [Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA256], + }, + { + name: "app_mf-256_sf-1-256_p7-256", + expectedResult: Cr.NS_OK, + expectedSignatureAlgorithms: [Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA256], + }, + { + name: "app_mf-256_sf-256_p7-1-256", + expectedResult: Cr.NS_OK, + expectedSignatureAlgorithms: [Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA256], + }, + { + name: "app_mf-256_sf-256_p7-256", + expectedResult: Cr.NS_OK, + expectedSignatureAlgorithms: [Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA256], + }, // SHA-1 in PKCS#7 + SHA-1 present elsewhere => OK - { name: "app_mf-1-256_sf-1-256_p7-1", expectedResult: Cr.NS_OK }, - { name: "app_mf-1-256_sf-1_p7-1", expectedResult: Cr.NS_OK }, - { name: "app_mf-1_sf-1-256_p7-1", expectedResult: Cr.NS_OK }, - { name: "app_mf-1_sf-1_p7-1", expectedResult: Cr.NS_OK }, + { + name: "app_mf-1-256_sf-1-256_p7-1", + expectedResult: Cr.NS_OK, + expectedSignatureAlgorithms: [Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA1], + }, + { + name: "app_mf-1-256_sf-1_p7-1", + expectedResult: Cr.NS_OK, + expectedSignatureAlgorithms: [Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA1], + }, + { + name: "app_mf-1_sf-1-256_p7-1", + expectedResult: Cr.NS_OK, + expectedSignatureAlgorithms: [Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA1], + }, + { + name: "app_mf-1_sf-1_p7-1", + expectedResult: Cr.NS_OK, + expectedSignatureAlgorithms: [Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA1], + }, // SHA-256 in PKCS#7 + SHA-256 not present elsewhere => INVALID { name: "app_mf-1-256_sf-1_p7-1-256", expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + expectedSignatureAlgorithms: [], }, { name: "app_mf-1-256_sf-1_p7-256", expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + expectedSignatureAlgorithms: [], }, { name: "app_mf-1_sf-1-256_p7-1-256", expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + expectedSignatureAlgorithms: [], }, { name: "app_mf-1_sf-1-256_p7-256", expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + expectedSignatureAlgorithms: [], }, { name: "app_mf-1_sf-1_p7-1-256", expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + expectedSignatureAlgorithms: [], }, { name: "app_mf-1_sf-1_p7-256", expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + expectedSignatureAlgorithms: [], }, { name: "app_mf-1_sf-256_p7-1-256", expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + expectedSignatureAlgorithms: [], }, { name: "app_mf-1_sf-256_p7-256", expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + expectedSignatureAlgorithms: [], }, { name: "app_mf-256_sf-1_p7-1-256", expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + expectedSignatureAlgorithms: [], }, { name: "app_mf-256_sf-1_p7-256", expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + expectedSignatureAlgorithms: [], }, // SHA-1 in PKCS#7 + SHA-1 not present elsewhere => INVALID { name: "app_mf-1-256_sf-256_p7-1", expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + expectedSignatureAlgorithms: [], }, { name: "app_mf-1_sf-256_p7-1", expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + expectedSignatureAlgorithms: [], }, { name: "app_mf-256_sf-1-256_p7-1", expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + expectedSignatureAlgorithms: [], }, { name: "app_mf-256_sf-1_p7-1", expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + expectedSignatureAlgorithms: [], }, { name: "app_mf-256_sf-256_p7-1", expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + expectedSignatureAlgorithms: [], }, ]; // Policy values for the preference "security.signed_app_signatures.policy" const PKCS7WithSHA1OrSHA256 = 0b0; -const PKCS7WithSHA256 = 0b1; +const PKCS7_WITH_SHA256 = 0b1; const COSEAndPKCS7WithSHA1OrSHA256 = 0b10; const COSEAndPKCS7WithSHA256 = 0b11; const COSERequiredAndPKCS7WithSHA1OrSHA256 = 0b100; @@ -254,7 +324,11 @@ for (let testcase of hashTestcases) { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path(testcase.name), - check_open_result(testcase.name, testcase.expectedResult) + check_open_result( + testcase.name, + testcase.expectedResult, + testcase.expectedSignatureAlgorithms + ) ); }); } @@ -265,7 +339,8 @@ add_signature_test(PKCS7WithSHA1OrSHA256, function () { original_app_path("empty_signerInfos"), check_open_result( "the signerInfos in the PKCS#7 signature is empty", - Cr.NS_ERROR_CMS_VERIFY_NOT_SIGNED + Cr.NS_ERROR_CMS_VERIFY_NOT_SIGNED, + [] ) ); }); @@ -274,7 +349,7 @@ add_signature_test(PKCS7WithSHA1OrSHA256, function () { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("unsigned_app"), - check_open_result("unsigned", Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED) + check_open_result("unsigned", Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED, []) ); }); @@ -284,7 +359,8 @@ add_signature_test(PKCS7WithSHA1OrSHA256, function () { original_app_path("unknown_issuer_app"), check_open_result( "unknown_issuer", - getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER) + getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER), + [] ) ); }); @@ -293,7 +369,10 @@ add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("cose_signed_with_pkcs7"), - check_open_result("cose_signed_with_pkcs7", Cr.NS_OK) + check_open_result("cose_signed_with_pkcs7", Cr.NS_OK, [ + Ci.nsIAppSignatureInfo.COSE_WITH_SHA256, + Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA256, + ]) ); }); @@ -301,7 +380,9 @@ add_signature_test(COSEAndPKCS7WithSHA256, function () { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("app_mf-256_sf-256_p7-256"), - check_open_result("no COSE but correct PK#7", Cr.NS_OK) + check_open_result("no COSE but correct PK#7", Cr.NS_OK, [ + Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA256, + ]) ); }); @@ -311,7 +392,8 @@ add_signature_test(COSEAndPKCS7WithSHA256, function () { original_app_path("app_mf-1_sf-256_p7-256"), check_open_result( "no COSE and wrong PK#7 hash", - Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID + Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + [] ) ); }); @@ -322,7 +404,8 @@ add_signature_test(COSERequiredAndPKCS7WithSHA1OrSHA256, function () { original_app_path("app_mf-256_sf-256_p7-256"), check_open_result( "COSE signature missing (SHA1 or 256)", - Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE + Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE, + [] ) ); }); @@ -333,7 +416,8 @@ add_signature_test(COSERequiredAndPKCS7WithSHA256, function () { original_app_path("app_mf-256_sf-256_p7-256"), check_open_result( "COSE signature missing (SHA256)", - Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE + Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE, + [] ) ); }); @@ -344,7 +428,8 @@ add_signature_test(COSERequiredAndPKCS7WithSHA256, function () { original_app_path("only_cose_signed"), check_open_result( "COSE signature only (PK#7 allowed, not present)", - Cr.NS_OK + Cr.NS_OK, + [Ci.nsIAppSignatureInfo.COSE_WITH_SHA256] ) ); }); @@ -355,7 +440,8 @@ add_signature_test(COSERequiredAndPKCS7WithSHA1OrSHA256, function () { original_app_path("only_cose_signed"), check_open_result( "COSE signature only (PK#7 allowed, not present)", - Cr.NS_OK + Cr.NS_OK, + [Ci.nsIAppSignatureInfo.COSE_WITH_SHA256] ) ); }); @@ -364,7 +450,10 @@ add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("cose_multiple_signed_with_pkcs7"), - check_open_result("cose_multiple_signed_with_pkcs7", Cr.NS_OK) + check_open_result("cose_multiple_signed_with_pkcs7", Cr.NS_OK, [ + Ci.nsIAppSignatureInfo.COSE_WITH_SHA256, + Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA256, + ]) ); }); @@ -372,7 +461,10 @@ add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("cose_int_signed_with_pkcs7"), - check_open_result("COSE signed with an intermediate", Cr.NS_OK) + check_open_result("COSE signed with an intermediate", Cr.NS_OK, [ + Ci.nsIAppSignatureInfo.COSE_WITH_SHA256, + Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA256, + ]) ); }); @@ -382,7 +474,8 @@ add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () { original_app_path("only_cose_signed"), check_open_result( "PK7 signature missing", - Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED + Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED, + [] ) ); }); @@ -393,7 +486,8 @@ add_signature_test(COSEOnly, function () { original_app_path("cose_multiple_signed_with_pkcs7"), check_open_result( "Expected only COSE signature", - Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY + Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY, + [] ) ); }); @@ -402,7 +496,9 @@ add_signature_test(COSEOnly, function () { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("only_cose_multiple_signed"), - check_open_result("only Multiple COSE signatures", Cr.NS_OK) + check_open_result("only Multiple COSE signatures", Cr.NS_OK, [ + Ci.nsIAppSignatureInfo.COSE_WITH_SHA256, + ]) ); }); @@ -410,7 +506,9 @@ add_signature_test(COSEOnly, function () { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("only_cose_signed"), - check_open_result("only_cose_signed", Cr.NS_OK) + check_open_result("only_cose_signed", Cr.NS_OK, [ + Ci.nsIAppSignatureInfo.COSE_WITH_SHA256, + ]) ); }); @@ -418,7 +516,9 @@ add_signature_test(COSEOnlyAgain, function () { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("only_cose_signed"), - check_open_result("only_cose_signed (again)", Cr.NS_OK) + check_open_result("only_cose_signed (again)", Cr.NS_OK, [ + Ci.nsIAppSignatureInfo.COSE_WITH_SHA256, + ]) ); }); @@ -428,7 +528,8 @@ add_signature_test(COSEOnly, function () { original_app_path("cose_signed_with_pkcs7"), check_open_result( "COSE only expected but also PK#7 signed", - Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY + Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY, + [] ) ); }); @@ -440,7 +541,9 @@ add_signature_test(PKCS7WithSHA1OrSHA256, function () { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("app_mf-1_sf-1_p7-1"), - check_open_result("identity_tampering", Cr.NS_OK) + check_open_result("identity_tampering", Cr.NS_OK, [ + Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA1, + ]) ); }); @@ -455,7 +558,7 @@ add_signature_test(PKCS7WithSHA1OrSHA256, function () { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, tampered, - check_open_result("missing_rsa", Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED) + check_open_result("missing_rsa", Cr.NS_ERROR_SIGNED_JAR_NOT_SIGNED, []) ); }); @@ -470,7 +573,7 @@ add_signature_test(PKCS7WithSHA1OrSHA256, function () { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, tampered, - check_open_result("missing_sf", Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID) + check_open_result("missing_sf", Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, []) ); }); @@ -487,7 +590,8 @@ add_signature_test(PKCS7WithSHA1OrSHA256, function () { tampered, check_open_result( "missing_manifest_mf", - Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID + Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + [] ) ); }); @@ -503,7 +607,7 @@ add_signature_test(PKCS7WithSHA1OrSHA256, function () { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, tampered, - check_open_result("missing_entry", Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING) + check_open_result("missing_entry", Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING, []) ); }); @@ -518,7 +622,11 @@ add_signature_test(PKCS7WithSHA1OrSHA256, function () { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, tampered, - check_open_result("truncated_entry", Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY) + check_open_result( + "truncated_entry", + Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY, + [] + ) ); }); @@ -535,7 +643,8 @@ add_signature_test(PKCS7WithSHA1OrSHA256, function () { tampered, check_open_result( "truncated_manifestFile", - Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID + Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + [] ) ); }); @@ -553,7 +662,8 @@ add_signature_test(PKCS7WithSHA1OrSHA256, function () { tampered, check_open_result( "truncated_signatureFile", - getXPCOMStatusFromNSS(SEC_ERROR_PKCS7_BAD_SIGNATURE) + getXPCOMStatusFromNSS(SEC_ERROR_PKCS7_BAD_SIGNATURE), + [] ) ); }); @@ -569,7 +679,11 @@ add_signature_test(PKCS7WithSHA1OrSHA256, function () { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, tampered, - check_open_result("truncated_pkcs7File", Cr.NS_ERROR_CMS_VERIFY_NOT_SIGNED) + check_open_result( + "truncated_pkcs7File", + Cr.NS_ERROR_CMS_VERIFY_NOT_SIGNED, + [] + ) ); }); @@ -581,7 +695,11 @@ add_signature_test(PKCS7WithSHA1OrSHA256, function () { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, tampered, - check_open_result("unsigned_entry", Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY) + check_open_result( + "unsigned_entry", + Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY, + [] + ) ); }); @@ -595,35 +713,41 @@ add_signature_test(PKCS7WithSHA1OrSHA256, function () { tampered, check_open_result( "unsigned_metainf_entry", - Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY + Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY, + [] ) ); }); -add_signature_test(PKCS7WithSHA256, function testSHA1Disabled() { +add_signature_test(PKCS7_WITH_SHA256, function testSHA1Disabled() { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("app_mf-1_sf-1_p7-1"), check_open_result( "SHA-1 should not be accepted if disabled by policy", - Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE + Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE, + [] ) ); }); -add_signature_test(PKCS7WithSHA256, function testSHA256WorksWithSHA1Disabled() { - certdb.openSignedAppFileAsync( - Ci.nsIX509CertDB.AppXPCShellRoot, - original_app_path("app_mf-256_sf-256_p7-256"), - check_open_result( - "SHA-256 should work if SHA-1 is disabled by policy", - Cr.NS_OK - ) - ); -}); +add_signature_test( + PKCS7_WITH_SHA256, + function testSHA256WorksWithSHA1Disabled() { + certdb.openSignedAppFileAsync( + Ci.nsIX509CertDB.AppXPCShellRoot, + original_app_path("app_mf-256_sf-256_p7-256"), + check_open_result( + "SHA-256 should work if SHA-1 is disabled by policy", + Cr.NS_OK, + [Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA256] + ) + ); + } +); add_signature_test( - PKCS7WithSHA256, + PKCS7_WITH_SHA256, function testMultipleSignaturesWorkWithSHA1Disabled() { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, @@ -631,7 +755,8 @@ add_signature_test( check_open_result( "Multiple signatures should work if SHA-1 is " + "disabled by policy (if SHA-256 signature verifies)", - Cr.NS_OK + Cr.NS_OK, + [Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA256] ) ); } @@ -642,26 +767,43 @@ var cosePolicies = [ COSERequiredAndPKCS7WithSHA1OrSHA256, ]; -// PS256 is not yet supported. +// NOTE: The zip files referenced in coseTestcasesStage and coseTestcasesProd +// were originally generated with +// https://github.com/mozilla-services/autograph/blob/c890e14de5b04dcff9be0d07fdea4ae6bbb58557/tools/autograph-client/build_test_xpis.sh +// Since then, the mechanism to sign these packages have changed, see +// https://bugzilla.mozilla.org/show_bug.cgi?id=1885457 for details. + var coseTestcasesStage = [ { - name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384", + name: "addons-stage-tomato-clock-sha1-es256-es384", expectedResult: Cr.NS_OK, + expectedSignatureAlgorithms: [ + Ci.nsIAppSignatureInfo.COSE_WITH_SHA256, + Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA1, + ], root: Ci.nsIX509CertDB.AddonsStageRoot, }, { - name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256", + name: "addons-stage-tomato-clock-sha1-es256-ps256", + // PS256 is not yet supported. expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + expectedSignatureAlgorithms: [], root: Ci.nsIX509CertDB.AddonsStageRoot, }, { - name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256", + name: "addons-stage-tomato-clock-sha1-es256", expectedResult: Cr.NS_OK, + expectedSignatureAlgorithms: [ + Ci.nsIAppSignatureInfo.COSE_WITH_SHA256, + Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA1, + ], root: Ci.nsIX509CertDB.AddonsStageRoot, }, { - name: "autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256", + name: "addons-stage-tomato-clock-sha1-ps256", + // PS256 is not yet supported. expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + expectedSignatureAlgorithms: [], root: Ci.nsIX509CertDB.AddonsStageRoot, }, ]; @@ -670,21 +812,33 @@ var coseTestcasesProd = [ { name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-ES384", expectedResult: Cr.NS_OK, + expectedSignatureAlgorithms: [ + Ci.nsIAppSignatureInfo.COSE_WITH_SHA256, + Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA1, + ], root: Ci.nsIX509CertDB.AddonsPublicRoot, }, { name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256-PS256", + // PS256 is not yet supported. expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + expectedSignatureAlgorithms: [], root: Ci.nsIX509CertDB.AddonsPublicRoot, }, { name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-ES256", expectedResult: Cr.NS_OK, + expectedSignatureAlgorithms: [ + Ci.nsIAppSignatureInfo.COSE_WITH_SHA256, + Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA1, + ], root: Ci.nsIX509CertDB.AddonsPublicRoot, }, { name: "autograph-714ba248-prod-tomato-clock-PKCS7-SHA1-PS256", + // PS256 is not yet supported. expectedResult: Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + expectedSignatureAlgorithms: [], root: Ci.nsIX509CertDB.AddonsPublicRoot, }, ]; @@ -695,7 +849,11 @@ for (let policy of cosePolicies) { certdb.openSignedAppFileAsync( testcase.root, original_app_path(testcase.name), - check_open_result(testcase.name, testcase.expectedResult) + check_open_result( + testcase.name, + testcase.expectedResult, + testcase.expectedSignatureAlgorithms + ) ); }); } @@ -714,7 +872,8 @@ add_signature_test(COSEAndPKCS7WithSHA256, function testCOSESigTampered() { tampered, check_open_result( "cose_sig_tampered", - Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY + Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY, + [] ) ); }); @@ -732,7 +891,11 @@ add_signature_test(COSEAndPKCS7WithSHA256, function testCOSESigRemoved() { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, tampered, - check_open_result("cose_sig_removed", Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING) + check_open_result( + "cose_sig_removed", + Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING, + [] + ) ); }); @@ -749,7 +912,8 @@ add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEManifestTampered() { tampered, check_open_result( "cose_manifest_tampered", - Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY + Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY, + [] ) ); }); @@ -767,7 +931,8 @@ add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEManifestRemoved() { tampered, check_open_result( "cose_manifest_removed", - Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING + Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING, + [] ) ); }); @@ -780,7 +945,11 @@ add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEFileAdded() { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, tampered, - check_open_result("cose_file_added", Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY) + check_open_result( + "cose_file_added", + Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY, + [] + ) ); }); @@ -795,7 +964,11 @@ add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEFileRemoved() { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, tampered, - check_open_result("cose_file_removed", Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING) + check_open_result( + "cose_file_removed", + Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING, + [] + ) ); }); @@ -812,7 +985,8 @@ add_signature_test(COSEAndPKCS7WithSHA256, function testCOSEFileTampered() { tampered, check_open_result( "cose_file_tampered", - Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY + Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY, + [] ) ); }); @@ -830,7 +1004,8 @@ add_signature_test(COSEOnly, function testOnlyCOSESigTampered() { tampered, check_open_result( "only_cose_sig_tampered", - Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID + Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + [] ) ); }); @@ -848,7 +1023,8 @@ add_signature_test(COSEOnly, function testOnlyCOSESigRemoved() { tampered, check_open_result( "only_cose_sig_removed", - Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE + Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE, + [] ) ); }); @@ -866,7 +1042,8 @@ add_signature_test(COSEOnly, function testOnlyCOSEManifestTampered() { tampered, check_open_result( "only_cose_manifest_tampered", - Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID + Cr.NS_ERROR_SIGNED_JAR_MANIFEST_INVALID, + [] ) ); }); @@ -884,7 +1061,8 @@ add_signature_test(COSEOnly, function testOnlyCOSEManifestRemoved() { tampered, check_open_result( "only_cose_manifest_removed", - Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE + Cr.NS_ERROR_SIGNED_JAR_WRONG_SIGNATURE, + [] ) ); }); @@ -899,7 +1077,8 @@ add_signature_test(COSEOnly, function testOnlyCOSEFileAdded() { tampered, check_open_result( "only_cose_file_added", - Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY + Cr.NS_ERROR_SIGNED_JAR_UNSIGNED_ENTRY, + [] ) ); }); @@ -917,7 +1096,8 @@ add_signature_test(COSEOnly, function testOnlyCOSEFileRemoved() { tampered, check_open_result( "only_cose_file_removed", - Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING + Cr.NS_ERROR_SIGNED_JAR_ENTRY_MISSING, + [] ) ); }); @@ -935,7 +1115,8 @@ add_signature_test(COSEOnly, function testOnlyCOSEFileTampered() { tampered, check_open_result( "only_cose_file_tampered", - Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY + Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY, + [] ) ); }); @@ -951,7 +1132,8 @@ add_signature_test(COSEAndPKCS7WithSHA1OrSHA256, function () { check_open_result( "tampered COSE with good PKCS7 signature should fail " + "when COSE and PKCS7 is processed", - Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY + Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY, + [] ) ); }); @@ -963,7 +1145,8 @@ add_signature_test(COSEOnly, function () { check_open_result( "tampered COSE with good PKCS7 signature should fail " + "when only COSE is processed", - Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY + Cr.NS_ERROR_SIGNED_JAR_MODIFIED_ENTRY, + [] ) ); }); @@ -974,9 +1157,10 @@ add_signature_test(PKCS7WithSHA1OrSHA256, function () { Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("cose_tampered_good_pkcs7"), check_open_result( - "tampered COSE with good PKCS7 signature should succeed" + + "tampered COSE with good PKCS7 signature should succeed " + "when COSE is not processed", - Cr.NS_OK + Cr.NS_OK, + [Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA1] ) ); }); @@ -985,7 +1169,7 @@ add_test(function () { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("bug_1411458"), - check_open_result("bug 1411458", Cr.NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO) + check_open_result("bug 1411458", Cr.NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO, []) ); }); @@ -994,7 +1178,9 @@ add_test(function () { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("big_manifest"), - check_open_result("add-on with big manifest file", Cr.NS_OK) + check_open_result("add-on with big manifest file", Cr.NS_OK, [ + Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA256, + ]) ); }); @@ -1006,7 +1192,8 @@ add_test(function () { original_app_path("huge_manifest"), check_open_result( "add-on with huge manifest file", - Cr.NS_ERROR_SIGNED_JAR_ENTRY_INVALID + Cr.NS_ERROR_SIGNED_JAR_ENTRY_INVALID, + [] ) ); }); @@ -1017,7 +1204,9 @@ add_test(function () { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("validity_not_yet_valid"), - check_open_result("validity_not_yet_valid", Cr.NS_OK) + check_open_result("validity_not_yet_valid", Cr.NS_OK, [ + Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA256, + ]) ); }); @@ -1027,7 +1216,9 @@ add_test(function () { certdb.openSignedAppFileAsync( Ci.nsIX509CertDB.AppXPCShellRoot, original_app_path("validity_expired"), - check_open_result("validity_expired", Cr.NS_OK) + check_open_result("validity_expired", Cr.NS_OK, [ + Ci.nsIAppSignatureInfo.PKCS7_WITH_SHA256, + ]) ); }); diff --git a/security/manager/ssl/tests/unit/test_signed_apps/addons-stage-tomato-clock-sha1-es256-es384.zip b/security/manager/ssl/tests/unit/test_signed_apps/addons-stage-tomato-clock-sha1-es256-es384.zip new file mode 100644 index 0000000000..cb6767385c Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/addons-stage-tomato-clock-sha1-es256-es384.zip differ diff --git a/security/manager/ssl/tests/unit/test_signed_apps/addons-stage-tomato-clock-sha1-es256-ps256.zip b/security/manager/ssl/tests/unit/test_signed_apps/addons-stage-tomato-clock-sha1-es256-ps256.zip new file mode 100644 index 0000000000..d67b405ff7 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/addons-stage-tomato-clock-sha1-es256-ps256.zip differ diff --git a/security/manager/ssl/tests/unit/test_signed_apps/addons-stage-tomato-clock-sha1-es256.zip b/security/manager/ssl/tests/unit/test_signed_apps/addons-stage-tomato-clock-sha1-es256.zip new file mode 100644 index 0000000000..146bc0caf9 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/addons-stage-tomato-clock-sha1-es256.zip differ diff --git a/security/manager/ssl/tests/unit/test_signed_apps/addons-stage-tomato-clock-sha1-ps256.zip b/security/manager/ssl/tests/unit/test_signed_apps/addons-stage-tomato-clock-sha1-ps256.zip new file mode 100644 index 0000000000..6f16f2c4f7 Binary files /dev/null and b/security/manager/ssl/tests/unit/test_signed_apps/addons-stage-tomato-clock-sha1-ps256.zip differ diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip deleted file mode 100644 index b74e087620..0000000000 Binary files a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-ES384.zip and /dev/null differ diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip deleted file mode 100644 index 772c42e494..0000000000 Binary files a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256-PS256.zip and /dev/null differ diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip deleted file mode 100644 index b1d1999551..0000000000 Binary files a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-ES256.zip and /dev/null differ diff --git a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip b/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip deleted file mode 100644 index 0ce563680d..0000000000 Binary files a/security/manager/ssl/tests/unit/test_signed_apps/autograph-714ba248-stage-tomato-clock-PKCS7-SHA1-PS256.zip and /dev/null differ diff --git a/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js b/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js index 6b1b4a5ba6..f5f4a4ace7 100644 --- a/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js +++ b/security/manager/ssl/tests/unit/test_sts_preloadlist_perwindowpb.js @@ -6,7 +6,7 @@ var gSSService = Cc["@mozilla.org/ssservice;1"].getService( function Observer() {} Observer.prototype = { - observe(subject, topic, data) { + observe(subject, topic) { if (topic == "last-pb-context-exited") { run_next_test(); } diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp index 38bfa87e1a..4764ed921d 100644 --- a/security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/FaultyServer.cpp @@ -157,7 +157,7 @@ void SecretCallbackFailZeroRtt(PRFileDesc* fd, PRUint16 epoch, } else if (!strcmp(host->mHostName, kHostZeroRttAlertVersion)) { SSL3_SendAlert(ss, alert_fatal, protocol_version); } else if (!strcmp(host->mHostName, kHostZeroRttAlertUnexpected)) { - SSL3_SendAlert(ss, alert_fatal, no_alert); + SSL3_SendAlert(ss, alert_fatal, unexpected_message); } } } -- cgit v1.2.3