/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
"use strict";
do_get_profile();
const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
Ci.nsIX509CertDB
);
// Start the TLS test server. The final argument disables loading a default
// test-ca.pem, which this test does not ship; the Symantec test root is added
// explicitly right below instead.
add_tls_server_setup(
  "SanctionsTestServer",
  "test_sanctions",
  /* Don't try to load non-existent test-ca.pem */ false
);

// Trust the Symantec test root as an SSL CA ("CTu,u,u"), so that any failure in
// the connection tests below comes from the sanctions policy and not from an
// unknown-issuer error that would mask the behaviour under test.
addCertFromFile(certDB, "test_sanctions/symantec-test-ca.pem", "CTu,u,u");

// Stage the intermediates with no explicit trust (",,"). This matters because
// the test server, although it tries to send an intermediate, cannot reliably
// choose between intermediate-other-crossigned and intermediate-other, so path
// building has to be able to find them in the database.
add_test(() => {
  const intermediatePems = [
    "test_sanctions/symantec-intermediate-allowlisted.pem",
    "test_sanctions/symantec-intermediate-other.pem",
  ];
  for (const pemFile of intermediatePems) {
    addCertFromFile(certDB, pemFile, ",,");
  }
  run_next_test();
});
// Negative cases: servers whose certificates chain through a Symantec
// intermediate that is NOT allowlisted must be rejected. The hostnames indicate
// one certificate issued before and one after the distrust cutoff; both are
// expected to fail with the additional-policy-constraint error specifically
// (not a generic untrusted-issuer error), which is what proves the sanction
// rather than a missing trust anchor is doing the rejecting.
const NOT_ALLOWLISTED_HOSTS = [
  "symantec-not-allowlisted-before-cutoff.example.com",
  "symantec-not-allowlisted-after-cutoff.example.com",
];
for (const hostname of NOT_ALLOWLISTED_HOSTS) {
  add_connection_test(
    hostname,
    MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
    null,
    null
  );
}
// Make the cross-signed variant of the "other" intermediate available as well.
// A cross-signed intermediate gives path building an alternative chain to the
// same end-entity; the connection test that follows checks that this alternate
// path cannot be used to sidestep the sanction, i.e. the same
// policy-constraint error is still produced.
add_test(() => {
  addCertFromFile(
    certDB,
    "test_sanctions/symantec-intermediate-other-crossigned.pem",
    ",,"
  );
  run_next_test();
});
add_connection_test(
  "symantec-not-allowlisted-before-cutoff.example.com",
  MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
  null,
  null
);
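// Positive case: an Apple end-entity certificate issued by an allowlisted
// intermediate (apple-ist-ca-8-g1, per the fixture name) must still verify for
// SSL-server usage at a fixed time, proving the allowlist exempts it from the
// Symantec sanction.
add_task(async function () {
  addCertFromFile(
    certDB,
    "test_sanctions/apple-ist-ca-8-g1-intermediate.pem",
    ",,"
  );
  const allowlistedCert = constructCertFromFile(
    "test_sanctions/cds-apple-com.pem"
  );

  // Disable OCSP so verification never performs a network fetch for this
  // certificate (an external fetch is unacceptable in the test suite).
  // Previously the pref was left modified; restore it on cleanup so the change
  // cannot leak into any test appended to this file later.
  // registerCleanupFunction is the xpcshell harness cleanup hook.
  Services.prefs.setIntPref("security.OCSP.enabled", 0);
  registerCleanupFunction(() => {
    Services.prefs.clearUserPref("security.OCSP.enabled");
  });

  // Validate at a fixed instant rather than "now", so the test does not start
  // failing once the certificate expires: (new Date("2020-01-01")).getTime() / 1000
  const VALIDATION_TIME = 1577836800;
  await checkCertErrorGenericAtTime(
    certDB,
    allowlistedCert,
    PRErrorCodeSuccess,
    certificateUsageSSLServer,
    VALIDATION_TIME
  );
});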