1 files changed, 82 insertions, 0 deletions

diff --git a/security/manager/ssl/tests/unit/test_enterprise_roots.js b/security/manager/ssl/tests/unit/test_enterprise_roots.js
new file mode 100644
index 0000000000..6abd7161ae
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_enterprise_roots.js
@@ -0,0 +1,82 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// Tests enterprise root certificate support. When configured to do so, the
+// platform will attempt to find and import enterprise root certificates. This
+// feature is specific to Windows.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+const { TestUtils } = ChromeUtils.importESModule(
+  "resource://testing-common/TestUtils.sys.mjs"
+);
+
+async function check_no_enterprise_roots_imported(
+  nssComponent,
+  certDB,
+  dbKey = undefined
+) {
+  let enterpriseRoots = nssComponent.getEnterpriseRoots();
+  notEqual(enterpriseRoots, null, "enterprise roots list should not be null");
+  equal(
+    enterpriseRoots.length,
+    0,
+    "should not have imported any enterprise roots"
+  );
+  if (dbKey) {
+    let cert = certDB.findCertByDBKey(dbKey);
+    // If the garbage-collector hasn't run, there may be reachable copies of
+    // imported enterprise root certificates. If so, they shouldn't be trusted
+    // to issue TLS server auth certificates.
+    if (cert) {
+      await asyncTestCertificateUsages(certDB, cert, []);
+    }
+  }
+}
+
+async function check_some_enterprise_roots_imported(nssComponent, certDB) {
+  let enterpriseRoots = nssComponent.getEnterpriseRoots();
+  notEqual(enterpriseRoots, null, "enterprise roots list should not be null");
+  notEqual(
+    enterpriseRoots.length,
+    0,
+    "should have imported some enterprise roots"
+  );
+  let foundNonBuiltIn = false;
+  let savedDBKey = null;
+  for (let certDer of enterpriseRoots) {
+    let cert = certDB.constructX509(certDer);
+    notEqual(cert, null, "should be able to decode cert from DER");
+    if (!cert.isBuiltInRoot && !savedDBKey) {
+      foundNonBuiltIn = true;
+      savedDBKey = cert.dbKey;
+      info("saving dbKey from " + cert.commonName);
+      await asyncTestCertificateUsages(certDB, cert, [certificateUsageSSLCA]);
+      break;
+    }
+  }
+  ok(foundNonBuiltIn, "should have found non-built-in root");
+  return savedDBKey;
+}
+
+add_task(async function run_test() {
+  let nssComponent = Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent);
+  let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
+    Ci.nsIX509CertDB
+  );
+  nssComponent.getEnterpriseRoots(); // blocks until roots are loaded
+  Services.prefs.setBoolPref("security.enterprise_roots.enabled", false);
+  await check_no_enterprise_roots_imported(nssComponent, certDB);
+  Services.prefs.setBoolPref("security.enterprise_roots.enabled", true);
+  await TestUtils.topicObserved("psm:enterprise-certs-imported");
+  let savedDBKey = await check_some_enterprise_roots_imported(
+    nssComponent,
+    certDB
+  );
+  Services.prefs.setBoolPref("security.enterprise_roots.enabled", false);
+  await check_no_enterprise_roots_imported(nssComponent, certDB, savedDBKey);
+});