summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/tests/unit/test_missing_intermediate.js
diff options
context:
space:
mode:
Diffstat (limited to 'security/manager/ssl/tests/unit/test_missing_intermediate.js')
-rw-r--r--security/manager/ssl/tests/unit/test_missing_intermediate.js92
1 files changed, 92 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/test_missing_intermediate.js b/security/manager/ssl/tests/unit/test_missing_intermediate.js
new file mode 100644
index 0000000000..2a723b2a0f
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_missing_intermediate.js
@@ -0,0 +1,92 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests that if a server does not send a complete certificate chain, we can
+// make use of cached intermediates to build a trust path.
+
+const { TestUtils } = ChromeUtils.importESModule(
+ "resource://testing-common/TestUtils.sys.mjs"
+);
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+registerCleanupFunction(() => {
+ let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ certDir.append("bad_certs");
+ Assert.ok(certDir.exists(), "bad_certs should exist");
+ let args = ["-D", "-n", "manually-added-missing-intermediate"];
+ run_certutil_on_directory(certDir.path, args, false);
+});
+
+function run_test() {
+ add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+ // If we don't know about the intermediate, we'll get an unknown issuer error.
+ add_connection_test(
+ "ee-from-missing-intermediate.example.com",
+ SEC_ERROR_UNKNOWN_ISSUER
+ );
+
+ // Make BadCertAndPinningServer aware of the intermediate.
+ add_test(() => {
+ let args = [
+ "-A",
+ "-n",
+ "manually-added-missing-intermediate",
+ "-i",
+ "test_missing_intermediate/missing-intermediate.pem",
+ "-a",
+ "-t",
+ ",,",
+ ];
+ let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ certDir.append("bad_certs");
+ Assert.ok(certDir.exists(), "bad_certs should exist");
+ run_certutil_on_directory(certDir.path, args);
+ run_next_test();
+ });
+
+ // We have to start observing the topic before there's a chance it gets
+ // emitted.
+ add_test(() => {
+ TestUtils.topicObserved("psm:intermediate-certs-cached").then(
+ subjectAndData => {
+ Assert.equal(subjectAndData.length, 2, "expecting [subject, data]");
+ Assert.equal(subjectAndData[1], "1", `expecting "1" cert imported`);
+ run_next_test();
+ }
+ );
+ run_next_test();
+ });
+ // Connect and cache the intermediate.
+ add_connection_test(
+ "ee-from-missing-intermediate.example.com",
+ PRErrorCodeSuccess
+ );
+
+ // Add a dummy test so that the only way we advance from here is by observing
+ // "psm:intermediate-certs-cached".
+ add_test(() => {});
+
+ // Delete the intermediate on the server again.
+ add_test(() => {
+ clearSessionCache();
+ let certDir = Services.dirsvc.get("CurWorkD", Ci.nsIFile);
+ certDir.append("bad_certs");
+ Assert.ok(certDir.exists(), "bad_certs should exist");
+ let args = ["-D", "-n", "manually-added-missing-intermediate"];
+ run_certutil_on_directory(certDir.path, args);
+ run_next_test();
+ });
+
+ // Since we cached the intermediate in gecko, this should succeed.
+ add_connection_test(
+ "ee-from-missing-intermediate.example.com",
+ PRErrorCodeSuccess
+ );
+
+ run_next_test();
+}