authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 17:32:43 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 17:32:43 +0000
commit6bf0a5cb5034a7e684dcc3500e841785237ce2dd (patch)
treea68f146d7fa01f0134297619fbe7e33db084e0aa /security/manager/ssl/tests/unit/test_certDB_import
parentInitial commit. (diff)
Adding upstream version 1:115.7.0.upstream/1%115.7.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import.js187
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfxbin0 -> 2041 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfxbin0 -> 2068 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfxbin0 -> 2068 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec2
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12bin0 -> 3239 bytes
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem17
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec3
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js126
-rw-r--r--security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js148
11 files changed, 500 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/test_certDB_import.js b/security/manager/ssl/tests/unit/test_certDB_import.js
new file mode 100644
index 0000000000..86c66f4989
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import.js
@@ -0,0 +1,187 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests the various nsIX509CertDB import methods.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const CA_CERT_COMMON_NAME = "importedCA";
+const TEST_EMAIL_ADDRESS = "test@example.com";
+
+let gCACertImportDialogCount = 0;
+
+// Mock implementation of nsICertificateDialogs.
+const gCertificateDialogs = {
+ confirmDownloadCACert: (ctx, cert, trust) => {
+ gCACertImportDialogCount++;
+ equal(
+ cert.commonName,
+ CA_CERT_COMMON_NAME,
+ "CA cert to import should have the correct CN"
+ );
+ trust.value = Ci.nsIX509CertDB.TRUSTED_EMAIL;
+ return true;
+ },
+ setPKCS12FilePassword: (ctx, password) => {
+ // This is only relevant to exporting.
+ ok(false, "setPKCS12FilePassword() should not have been called");
+ },
+ getPKCS12FilePassword: (ctx, password) => {
+ // We don't test anything that calls this method yet.
+ ok(false, "getPKCS12FilePassword() should not have been called");
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsICertificateDialogs"]),
+};
+
+// Implements nsIInterfaceRequestor. Mostly serves to mock nsIPrompt.
+const gInterfaceRequestor = {
+ alert: (title, text) => {
+ // We don't test anything that calls this method yet.
+ ok(false, `alert() should not have been called: ${text}`);
+ },
+
+ getInterface: iid => {
+ if (iid.equals(Ci.nsIPrompt)) {
+ return this;
+ }
+
+ throw Components.Exception("", Cr.NS_ERROR_NO_INTERFACE);
+ },
+};
+
+function getCertAsByteArray(certPath) {
+ let certFile = do_get_file(certPath, false);
+ let certBytes = readFile(certFile);
+
+ let byteArray = [];
+ for (let i = 0; i < certBytes.length; i++) {
+ byteArray.push(certBytes.charCodeAt(i));
+ }
+
+ return byteArray;
+}
+
+function commonFindCertBy(propertyName, value) {
+ for (let cert of gCertDB.getCerts()) {
+ if (cert[propertyName] == value) {
+ return cert;
+ }
+ }
+ return null;
+}
+
+function findCertByCommonName(commonName) {
+ return commonFindCertBy("commonName", commonName);
+}
+
+function findCertByEmailAddress(emailAddress) {
+ return commonFindCertBy("emailAddress", emailAddress);
+}
+
+function testImportCACert() {
+ // Sanity check the CA cert is missing.
+ equal(
+ findCertByCommonName(CA_CERT_COMMON_NAME),
+ null,
+ "CA cert should not be in the database before import"
+ );
+
+ // Import and check for success.
+ let caArray = getCertAsByteArray("test_certDB_import/importedCA.pem");
+ gCertDB.importCertificates(
+ caArray,
+ caArray.length,
+ Ci.nsIX509Cert.CA_CERT,
+ gInterfaceRequestor
+ );
+ equal(
+ gCACertImportDialogCount,
+ 1,
+ "Confirmation dialog for the CA cert should only be shown once"
+ );
+
+ let caCert = findCertByCommonName(CA_CERT_COMMON_NAME);
+ notEqual(caCert, null, "CA cert should now be found in the database");
+ ok(
+ gCertDB.isCertTrusted(
+ caCert,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_EMAIL
+ ),
+ "CA cert should be trusted for e-mail"
+ );
+}
+
+function testImportEmptyCertPackage() {
+ // Because this is an empty cert package, nothing will be imported. We know it succeeded if no errors are thrown.
+ let byteArray = [
+ 0x30, 0x0f, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02,
+ 0x05, 0xa0, 0x02, 0x30, 0x00,
+ ];
+ gCertDB.importCertificates(
+ byteArray,
+ byteArray.length,
+ Ci.nsIX509Cert.CA_CERT,
+ gInterfaceRequestor
+ );
+}
+
+function testImportEmptyUserCert() {
+ // Because this is an empty cert package, nothing will be imported. We know it succeeded if no errors are thrown.
+ let byteArray = [
+ 0x30, 0x0f, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02,
+ 0x05, 0xa0, 0x02, 0x30, 0x00,
+ ];
+ gCertDB.importUserCertificate(
+ byteArray,
+ byteArray.length,
+ gInterfaceRequestor
+ );
+}
+
+function run_test() {
+ let certificateDialogsCID = MockRegistrar.register(
+ "@mozilla.org/nsCertificateDialogs;1",
+ gCertificateDialogs
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(certificateDialogsCID);
+ });
+
+ // Sanity check the e-mail cert is missing.
+ equal(
+ findCertByEmailAddress(TEST_EMAIL_ADDRESS),
+ null,
+ "E-mail cert should not be in the database before import"
+ );
+
+ // Import the CA cert so that the e-mail import succeeds.
+ testImportCACert();
+ testImportEmptyCertPackage();
+ testImportEmptyUserCert();
+
+ // Import the e-mail cert and check for success.
+ let emailArray = getCertAsByteArray("test_certDB_import/emailEE.pem");
+ gCertDB.importEmailCertificate(
+ emailArray,
+ emailArray.length,
+ gInterfaceRequestor
+ );
+ let emailCert = findCertByEmailAddress(TEST_EMAIL_ADDRESS);
+ notEqual(emailCert, null, "E-mail cert should now be found in the database");
+ let bundle = Services.strings.createBundle(
+ "chrome://pipnss/locale/pipnss.properties"
+ );
+ equal(
+ emailCert.tokenName,
+ bundle.GetStringFromName("PrivateTokenDescription"),
+ "cert's tokenName should be the expected localized value"
+ );
+}
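Review bot: `getInterface` on `gInterfaceRequestor` is written as an arrow function, so `return this;` hands back the enclosing scope's `this` rather than the mock object, and a caller that asks for `nsIPrompt` would not receive the object whose `alert()` fails the test. That leaves the "alert() should not have been called" guard ineffective: an unexpected prompt raised during a certificate import would presumably go unnoticed instead of failing the run. Use method shorthand, `getInterface(iid) {`, as `gMockPrompter` in test_certDB_import_with_primary_password.js in this same commit does, or return the object by name with `return gInterfaceRequestor;`.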
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfx b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfx
new file mode 100644
index 0000000000..e969d672d7
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows.pfx
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfx b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfx
new file mode 100644
index 0000000000..879d424b85
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_emptypass.pfx
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfx b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfx
new file mode 100644
index 0000000000..7dcd668121
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/cert_from_windows_nopass.pfx
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem
new file mode 100644
index 0000000000..a3e58933f0
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec
new file mode 100644
index 0000000000..0528bc624a
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem.certspec
@@ -0,0 +1,2 @@
+issuer:importedCA
+subject:/emailAddress=test@example.com
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12 b/security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12
new file mode 100644
index 0000000000..105f918782
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/encrypted_with_aes.p12
Binary files differ
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem
new file mode 100644
index 0000000000..e45812f786
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
diff --git a/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec
new file mode 100644
index 0000000000..b168253544
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem.certspec
@@ -0,0 +1,3 @@
+issuer:importedCA
+subject:importedCA
+extension:basicConstraints:cA,
diff --git a/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js b/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js
new file mode 100644
index 0000000000..9ddba36c4e
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import_pkcs12.js
@@ -0,0 +1,126 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests import PKCS12 file by nsIX509CertDB.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const PKCS12_FILE = "test_certDB_import/cert_from_windows.pfx";
+const PKCS12_FILE_EMPTY_PASS =
+ "test_certDB_import/cert_from_windows_emptypass.pfx";
+const PKCS12_FILE_NO_PASS = "test_certDB_import/cert_from_windows_nopass.pfx";
+const CERT_COMMON_NAME = "test_cert_from_windows";
+const TEST_CERT_PASSWORD = "黒い";
+
+let gTestcases = [
+ // Test that importing a PKCS12 file with the wrong password fails.
+ {
+ name: "import using incorrect password",
+ filename: PKCS12_FILE,
+ passwordToUse: "this is the wrong password",
+ successExpected: false,
+ errorCode: Ci.nsIX509CertDB.ERROR_BAD_PASSWORD,
+ checkCertExist: true,
+ certCommonName: CERT_COMMON_NAME,
+ },
+ // Test that importing something that isn't a PKCS12 file fails.
+ {
+ name: "import non-PKCS12 file",
+ filename: "test_certDB_import_pkcs12.js",
+ passwordToUse: TEST_CERT_PASSWORD,
+ successExpected: false,
+ errorCode: Ci.nsIX509CertDB.ERROR_DECODE_ERROR,
+ checkCertExist: true,
+ certCommonName: CERT_COMMON_NAME,
+ },
+ // Test that importing a PKCS12 file with the correct password succeeds.
+ // This needs to be last because currently there isn't a way to delete the
+ // imported certificate (and thus reset the test state) that doesn't depend on
+ // the garbage collector running.
+ {
+ name: "import PKCS12 file",
+ filename: PKCS12_FILE,
+ passwordToUse: TEST_CERT_PASSWORD,
+ successExpected: true,
+ errorCode: Ci.nsIX509CertDB.Success,
+ checkCertExist: true,
+ certCommonName: CERT_COMMON_NAME,
+ },
+ // Same cert file protected with empty string password
+ {
+ name: "import PKCS12 file empty password",
+ filename: PKCS12_FILE_EMPTY_PASS,
+ passwordToUse: "",
+ successExpected: true,
+ errorCode: Ci.nsIX509CertDB.Success,
+ checkCertExist: false,
+ certCommonName: CERT_COMMON_NAME,
+ },
+ // Same cert file protected with no password
+ {
+ name: "import PKCS12 file no password",
+ filename: PKCS12_FILE_NO_PASS,
+ passwordToUse: null,
+ successExpected: true,
+ errorCode: Ci.nsIX509CertDB.Success,
+ checkCertExist: false,
+ certCommonName: CERT_COMMON_NAME,
+ },
+ // Test a PKCS12 file encrypted using AES
+ {
+ name: "import PKCS12 file using AES",
+ filename: "test_certDB_import/encrypted_with_aes.p12",
+ passwordToUse: "password",
+ successExpected: true,
+ errorCode: Ci.nsIX509CertDB.Success,
+ checkCertExist: true,
+ certCommonName: "John Doe",
+ },
+];
+
+function doesCertExist(commonName) {
+ let allCerts = gCertDB.getCerts();
+ for (let cert of allCerts) {
+ if (cert.isBuiltInRoot) {
+ continue;
+ }
+ if (cert.commonName == commonName) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+function runOneTestcase(testcase) {
+ info(`running ${testcase.name}`);
+ if (testcase.checkCertExist) {
+ ok(
+ !doesCertExist(testcase.certCommonName),
+ "cert should not be in the database before import"
+ );
+ }
+
+ // Import and check for failure.
+ let certFile = do_get_file(testcase.filename);
+ ok(certFile, `${testcase.filename} should exist`);
+ let errorCode = gCertDB.importPKCS12File(certFile, testcase.passwordToUse);
+ equal(errorCode, testcase.errorCode, `verifying error code`);
+ equal(
+ doesCertExist(testcase.certCommonName),
+ testcase.successExpected,
+ `cert should${testcase.successExpected ? "" : " not"} be found now`
+ );
+}
+
+function run_test() {
+ for (let testcase of gTestcases) {
+ runOneTestcase(testcase);
+ }
+}
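Review bot: The `import PKCS12 file empty password` and `import PKCS12 file no password` entries in `gTestcases` reuse `CERT_COMMON_NAME`, which the earlier `import PKCS12 file` case has already put in the database, so the final `doesCertExist()` assertion in `runOneTestcase` passes for them whether or not anything was imported. Only the return code of `importPKCS12File` is actually verified for the empty-string and null password paths. If those fixtures cannot carry a distinct common name, say so next to `checkCertExist: false`, e.g. `// Cert with this CN is already present from an earlier case; only the return code is verified here.` The "This needs to be last" comment on the third case is also stale now that three cases follow it, and "Import and check for failure." in `runOneTestcase` covers the success cases too.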
diff --git a/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js b/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js
new file mode 100644
index 0000000000..ab1ad36fd2
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_certDB_import_with_primary_password.js
@@ -0,0 +1,148 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that a CA certificate can still be imported if the user has a primary
+// password set.
+
+do_get_profile();
+
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+ Ci.nsIX509CertDB
+);
+
+const CA_CERT_COMMON_NAME = "importedCA";
+
+let gCACertImportDialogCount = 0;
+
+// Mock implementation of nsICertificateDialogs.
+const gCertificateDialogs = {
+ confirmDownloadCACert: (ctx, cert, trust) => {
+ gCACertImportDialogCount++;
+ equal(
+ cert.commonName,
+ CA_CERT_COMMON_NAME,
+ "CA cert to import should have the correct CN"
+ );
+ trust.value = Ci.nsIX509CertDB.TRUSTED_EMAIL;
+ return true;
+ },
+ setPKCS12FilePassword: (ctx, password) => {
+ // This is only relevant to exporting.
+ ok(false, "setPKCS12FilePassword() should not have been called");
+ },
+ getPKCS12FilePassword: (ctx, password) => {
+ // We don't test anything that calls this method yet.
+ ok(false, "getPKCS12FilePassword() should not have been called");
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsICertificateDialogs"]),
+};
+
+var gMockPrompter = {
+ passwordToTry: "password",
+ numPrompts: 0,
+
+ // This intentionally does not use arrow function syntax to avoid an issue
+ // where in the context of the arrow function, |this != gMockPrompter| due to
+ // how objects get wrapped when going across xpcom boundaries.
+ promptPassword(dialogTitle, text, password, checkMsg, checkValue) {
+ this.numPrompts++;
+ if (this.numPrompts > 1) {
+ // don't keep retrying a bad password
+ return false;
+ }
+ equal(
+ text,
+ "Please enter your Primary Password.",
+ "password prompt text should be as expected"
+ );
+ equal(checkMsg, null, "checkMsg should be null");
+ ok(this.passwordToTry, "passwordToTry should be non-null");
+ password.value = this.passwordToTry;
+ return true;
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPrompt"]),
+
+ // Again with the arrow function issue.
+ getInterface(iid) {
+ if (iid.equals(Ci.nsIPrompt)) {
+ return this;
+ }
+
+ throw Components.Exception("", Cr.NS_ERROR_NO_INTERFACE);
+ },
+};
+
+function getCertAsByteArray(certPath) {
+ let certFile = do_get_file(certPath, false);
+ let certBytes = readFile(certFile);
+
+ let byteArray = [];
+ for (let i = 0; i < certBytes.length; i++) {
+ byteArray.push(certBytes.charCodeAt(i));
+ }
+
+ return byteArray;
+}
+
+function findCertByCommonName(commonName) {
+ for (let cert of gCertDB.getCerts()) {
+ if (cert.commonName == commonName) {
+ return cert;
+ }
+ }
+ return null;
+}
+
+function run_test() {
+ let certificateDialogsCID = MockRegistrar.register(
+ "@mozilla.org/nsCertificateDialogs;1",
+ gCertificateDialogs
+ );
+ registerCleanupFunction(() => {
+ MockRegistrar.unregister(certificateDialogsCID);
+ });
+
+ // Set a primary password.
+ let tokenDB = Cc["@mozilla.org/security/pk11tokendb;1"].getService(
+ Ci.nsIPK11TokenDB
+ );
+ let token = tokenDB.getInternalKeyToken();
+ token.initPassword("password");
+ token.logoutSimple();
+
+ // Sanity check the CA cert is missing.
+ equal(
+ findCertByCommonName(CA_CERT_COMMON_NAME),
+ null,
+ "CA cert should not be in the database before import"
+ );
+
+ // Import and check for success.
+ let caArray = getCertAsByteArray("test_certDB_import/importedCA.pem");
+ gCertDB.importCertificates(
+ caArray,
+ caArray.length,
+ Ci.nsIX509Cert.CA_CERT,
+ gMockPrompter
+ );
+ equal(
+ gCACertImportDialogCount,
+ 1,
+ "Confirmation dialog for the CA cert should only be shown once"
+ );
+
+ let caCert = findCertByCommonName(CA_CERT_COMMON_NAME);
+ notEqual(caCert, null, "CA cert should now be found in the database");
+ ok(
+ gCertDB.isCertTrusted(
+ caCert,
+ Ci.nsIX509Cert.CA_CERT,
+ Ci.nsIX509CertDB.TRUSTED_EMAIL
+ ),
+ "CA cert should be trusted for e-mail"
+ );
+}
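Review bot: `run_test` never asserts on `gMockPrompter.numPrompts` after the `importCertificates` call, so the test passes the same way whether or not the import prompted for the primary password. Since the file exists to pin down import behaviour while a primary password is set and the token is logged out, the prompt count should be checked right after the import, e.g. `equal(gMockPrompter.numPrompts, EXPECTED_PROMPTS, "primary password prompt count should be as expected");`, where `EXPECTED_PROMPTS` is a placeholder for the value confirmed against the implementation. Without it, a change that starts or stops asking for the primary password on CA import would not be caught here.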