1 files changed, 141 insertions, 0 deletions

diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp
new file mode 100644
index 0000000000..1ccd5e876b
--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp
@@ -0,0 +1,141 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a standalone server that uses various bad certificates.
+// The client is expected to connect, initiate an SSL handshake (with SNI
+// to indicate which "server" to connect to), and verify the certificate.
+// If all is good, the client then sends one encrypted byte and receives that
+// same byte back.
+// This server also has the ability to "call back" another process waiting on
+// it. That is, when the server is all set up and ready to receive connections,
+// it will connect to a specified port and issue a simple HTTP request.
+
+#include <stdio.h>
+
+#include "TLSServer.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+struct BadCertAndPinningHost {
+  const char* mHostName;
+  const char* mCertName;
+};
+
+// Hostname, cert nickname pairs.
+const BadCertAndPinningHost sBadCertAndPinningHosts[] = {
+    {"expired.example.com", "expired-ee"},
+    {"notyetvalid.example.com", "notYetValid"},
+    {"before-epoch.example.com", "beforeEpoch"},
+    {"before-epoch-self-signed.example.com", "beforeEpochSelfSigned"},
+    {"selfsigned.example.com", "selfsigned"},
+    {"unknownissuer.example.com", "unknownissuer"},
+    {"mismatch.example.com", "mismatch"},
+    {"mismatch-CN.example.com", "mismatchCN"},
+    {"mitm.example.com", "mitm"},
+    {"expiredissuer.example.com", "expiredissuer"},
+    {"notyetvalidissuer.example.com", "notYetValidIssuer"},
+    {"before-epoch-issuer.example.com", "beforeEpochIssuer"},
+    {"md5signature.example.com", "md5signature"},
+    {"untrusted.example.com", "default-ee"},
+    {"untrustedissuer.example.com", "untrustedissuer"},
+    {"mismatch-expired.example.com", "mismatch-expired"},
+    {"mismatch-notYetValid.example.com", "mismatch-notYetValid"},
+    {"mismatch-untrusted.example.com", "mismatch-untrusted"},
+    {"untrusted-expired.example.com", "untrusted-expired"},
+    {"md5signature-expired.example.com", "md5signature-expired"},
+    {"mismatch-untrusted-expired.example.com", "mismatch-untrusted-expired"},
+    {"inadequatekeyusage.example.com", "inadequatekeyusage-ee"},
+    {"selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU"},
+    {"self-signed-end-entity-with-cA-true.example.com",
+     "self-signed-EE-with-cA-true"},
+    {"ca-used-as-end-entity.example.com", "ca-used-as-end-entity"},
+    {"ca-used-as-end-entity-name-mismatch.example.com",
+     "ca-used-as-end-entity"},
+    // All of include-subdomains.pinning.example.com is pinned to End Entity
+    // Test Cert with nick default-ee. Any other nick will only
+    // pass pinning when security.cert_pinning.enforcement.level != strict and
+    // otherCA is added as a user-specified trust anchor. See StaticHPKPins.h.
+    {"include-subdomains.pinning.example.com", "default-ee"},
+    {"good.include-subdomains.pinning.example.com", "default-ee"},
+    {"bad.include-subdomains.pinning.example.com", "other-issuer-ee"},
+    {"bad.include-subdomains.pinning.example.com.", "other-issuer-ee"},
+    {"bad.include-subdomains.pinning.example.com..", "other-issuer-ee"},
+    {"exclude-subdomains.pinning.example.com", "default-ee"},
+    {"sub.exclude-subdomains.pinning.example.com", "other-issuer-ee"},
+    {"test-mode.pinning.example.com", "other-issuer-ee"},
+    {"unknownissuer.include-subdomains.pinning.example.com", "unknownissuer"},
+    {"unknownissuer.test-mode.pinning.example.com", "unknownissuer"},
+    {"nsCertTypeNotCritical.example.com", "nsCertTypeNotCritical"},
+    {"nsCertTypeCriticalWithExtKeyUsage.example.com",
+     "nsCertTypeCriticalWithExtKeyUsage"},
+    {"nsCertTypeCritical.example.com", "nsCertTypeCritical"},
+    {"end-entity-issued-by-v1-cert.example.com", "eeIssuedByV1Cert"},
+    {"end-entity-issued-by-non-CA.example.com", "eeIssuedByNonCA"},
+    {"inadequate-key-size-ee.example.com", "inadequateKeySizeEE"},
+    {"badSubjectAltNames.example.com", "badSubjectAltNames"},
+    {"ipAddressAsDNSNameInSAN.example.com", "ipAddressAsDNSNameInSAN"},
+    {"noValidNames.example.com", "noValidNames"},
+    {"bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", "idn-certificate"},
+    {"emptyissuername.example.com", "emptyIssuerName"},
+    {"ev-test.example.com", "ev-test"},
+    {"ee-from-missing-intermediate.example.com",
+     "ee-from-missing-intermediate"},
+    {"imminently-distrusted.example.com", "ee-imminently-distrusted"},
+    {"localhost", "unknownissuer"},
+    {"a.pinning.example.com", "default-ee"},
+    {"b.pinning.example.com", "default-ee"},
+    {"not-preloaded.example.com", "default-ee"},
+    {"ee.example.com", "default-ee"},
+    {nullptr, nullptr}};
+
+int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd,
+                                     const SECItem* aSrvNameArr,
+                                     uint32_t aSrvNameArrSize) {
+  for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
+    UniquePORTString name(
+        static_cast<char*>(PORT_ZAlloc(aSrvNameArr[i].len + 1)));
+    if (name) {
+      PORT_Memcpy(name.get(), aSrvNameArr[i].data, aSrvNameArr[i].len);
+      if (ConfigSecureServerWithNamedCert(aFd, name.get(), nullptr, nullptr,
+                                          nullptr) == SECSuccess) {
+        return 0;
+      }
+    }
+  }
+
+  return SSL_SNI_SEND_ALERT;
+}
+
+int32_t DoSNISocketConfig(PRFileDesc* aFd, const SECItem* aSrvNameArr,
+                          uint32_t aSrvNameArrSize, void* aArg) {
+  const BadCertAndPinningHost* host =
+      GetHostForSNI(aSrvNameArr, aSrvNameArrSize, sBadCertAndPinningHosts);
+  if (!host) {
+    // No static cert <-> hostname mapping found. This happens when we use a
+    // collection of certificates in a given directory and build a cert DB at
+    // runtime, rather than using an NSS cert DB populated at build time.
+    // (This will be the default in the future.)
+    // For all given server names, check if the runtime-built cert DB contains
+    // a certificate with a matching subject CN.
+    return DoSNISocketConfigBySubjectCN(aFd, aSrvNameArr, aSrvNameArrSize);
+  }
+
+  if (gDebugLevel >= DEBUG_VERBOSE) {
+    fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+  }
+
+  UniqueCERTCertificate cert;
+  SSLKEAType certKEA;
+  if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, &cert,
+                                                    &certKEA, nullptr)) {
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  return 0;
+}
+
+int main(int argc, char* argv[]) {
+  return StartServer(argc, argv, DoSNISocketConfig, nullptr);
+}