path: root/security/manager/ssl/tests/unit/test_baseline_requirements_subject_common_name.js
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

"use strict";

// Set up the test profile first; the certificate database service below must
// not be requested until this call has run.
do_get_profile(); // must be called before getting nsIX509CertDB
// Certificate database service shared by the helpers in this file: it receives
// the trusted test CA and is passed to every verification call.
const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
  Ci.nsIX509CertDB
);

/**
 * Builds a certificate object from one of this test's PEM fixtures.
 *
 * @param {string} certName - Fixture base name (no directory, no ".pem").
 * @returns {*} Whatever constructCertFromFile returns for that fixture path.
 */
function certFromFile(certName) {
  const pemPath = `test_baseline_requirements/${certName}.pem`;
  return constructCertFromFile(pemPath);
}

/**
 * Adds one of this test's PEM fixtures to the shared certificate database
 * with the given trust settings.
 *
 * @param {string} certName - Fixture base name (no directory, no ".pem").
 * @param {string} trustString - Trust flags, passed through unchanged to
 *   addCertFromFile (e.g. "CTu,,").
 */
function loadCertWithTrust(certName, trustString) {
  const pemPath = `test_baseline_requirements/${certName}.pem`;
  addCertFromFile(gCertDB, pemPath, trustString);
}

/**
 * Verifies `cert` as a TLS server certificate for "example.com" at a fixed
 * point in time (2016-08-25T00:00:00Z) and checks the outcome against
 * `expectedResult`.
 *
 * Pinning the validation time keeps the result independent of the wall clock,
 * so fixture validity periods cannot make the test drift.
 *
 * @param {*} cert - Certificate to verify.
 * @param {*} expectedResult - Result or error code the verification is
 *   expected to produce.
 * @returns {*} Whatever checkCertErrorGenericAtTime returns (the caller
 *   awaits it).
 */
function checkCertOn25August2016(cert, expectedResult) {
  // Seconds since the epoch:
  // (new Date("2016-08-25T00:00:00Z")).getTime() / 1000
  const validationTimeSeconds = 1472083200;
  // Hostname the certificate is matched against.
  const hostname = "example.com";
  // NOTE(review): the literal `false` is presumably the "EV expected" flag of
  // checkCertErrorGenericAtTime; confirm against the harness helper.
  const pendingCheck = checkCertErrorGenericAtTime(
    gCertDB,
    cert,
    expectedResult,
    certificateUsageSSLServer,
    validationTimeSeconds,
    false,
    hostname
  );
  return pendingCheck;
}

add_task(async function () {
  // Disable timer-precision reduction for the duration of this test; the
  // cleanup hook restores the default once the test is done.
  registerCleanupFunction(() => {
    Services.prefs.clearUserPref("privacy.reduceTimerPrecision");
  });
  Services.prefs.setBoolPref("privacy.reduceTimerPrecision", false);

  // Import the test CA; the trust flags are set only in the first (SSL) field.
  loadCertWithTrust("ca", "CTu,,");

  // mozilla::pkix once honoured a preference, security.pki.name_matching_mode,
  // that decided whether name matching could fall back to the certificate's
  // subject common name. That preference no longer exists, so every
  // certificate that used to depend on the fallback must now fail to verify
  // with a domain-mismatch error.
  //
  // Judging by the fixture names, these cover certificates with no subject
  // alternative name extension and certificates whose SAN holds no hostnames,
  // each in "recent", "old" and "older" variants.
  const fixturesNeedingCommonNameFallback = [
    "no-san-recent",
    "no-san-old",
    "no-san-older",
    "san-contains-no-hostnames-recent",
    "san-contains-no-hostnames-old",
    "san-contains-no-hostnames-older",
  ];

  // Checked one at a time, in the listed order.
  for (const fixtureName of fixturesNeedingCommonNameFallback) {
    await checkCertOn25August2016(
      certFromFile(fixtureName),
      SSL_ERROR_BAD_CERT_DOMAIN
    );
  }
});