1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
|
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
"use strict";
// Tests enterprise root certificate support. When configured to do so, the
// platform will attempt to find and import enterprise root certificates. This
// feature is specific to Windows.
do_get_profile(); // must be called before getting nsIX509CertDB
const { TestUtils } = ChromeUtils.importESModule(
"resource://testing-common/TestUtils.sys.mjs"
);
async function check_no_enterprise_roots_imported(
nssComponent,
certDB,
dbKey = undefined
) {
let enterpriseRoots = nssComponent.getEnterpriseRoots();
notEqual(enterpriseRoots, null, "enterprise roots list should not be null");
equal(
enterpriseRoots.length,
0,
"should not have imported any enterprise roots"
);
if (dbKey) {
let cert = certDB.findCertByDBKey(dbKey);
// If the garbage-collector hasn't run, there may be reachable copies of
// imported enterprise root certificates. If so, they shouldn't be trusted
// to issue TLS server auth certificates.
if (cert) {
await asyncTestCertificateUsages(certDB, cert, []);
}
}
}
async function check_some_enterprise_roots_imported(nssComponent, certDB) {
let enterpriseRoots = nssComponent.getEnterpriseRoots();
notEqual(enterpriseRoots, null, "enterprise roots list should not be null");
notEqual(
enterpriseRoots.length,
0,
"should have imported some enterprise roots"
);
let foundNonBuiltIn = false;
let savedDBKey = null;
for (let certDer of enterpriseRoots) {
let cert = certDB.constructX509(certDer);
notEqual(cert, null, "should be able to decode cert from DER");
if (!cert.isBuiltInRoot && !savedDBKey) {
foundNonBuiltIn = true;
savedDBKey = cert.dbKey;
info("saving dbKey from " + cert.commonName);
await asyncTestCertificateUsages(certDB, cert, [certificateUsageSSLCA]);
break;
}
}
ok(foundNonBuiltIn, "should have found non-built-in root");
return savedDBKey;
}
add_task(async function run_test() {
let nssComponent = Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent);
let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
Ci.nsIX509CertDB
);
nssComponent.getEnterpriseRoots(); // blocks until roots are loaded
Services.prefs.setBoolPref("security.enterprise_roots.enabled", false);
await check_no_enterprise_roots_imported(nssComponent, certDB);
Services.prefs.setBoolPref("security.enterprise_roots.enabled", true);
await TestUtils.topicObserved("psm:enterprise-certs-imported");
let savedDBKey = await check_some_enterprise_roots_imported(
nssComponent,
certDB
);
Services.prefs.setBoolPref("security.enterprise_roots.enabled", false);
await check_no_enterprise_roots_imported(nssComponent, certDB, savedDBKey);
});
|