path: root/security/manager/ssl/tests/unit/test_blocklist_onecrl.js
blob: d82a493f16820774bed8fd316d6692331f9c411c (plain)
"use strict";

// Set up a profile before anything else runs.
// NOTE(review): presumably required so cert_storage has a profile directory
// to keep its revocation database in — confirm against the xpcshell harness.
do_get_profile();

const { Utils } = ChromeUtils.importESModule(
  "resource://services-settings/Utils.sys.mjs"
);
const { RemoteSettings } = ChromeUtils.importESModule(
  "resource://services-settings/remote-settings.sys.mjs"
);
const { RemoteSecuritySettings } = ChromeUtils.importESModule(
  "resource://gre/modules/psm/RemoteSecuritySettings.sys.mjs"
);
// init() returns the security-related Remote Settings clients; every task in
// this file exercises the OneCRL (certificate revocation) client taken from it.
const { OneCRLBlocklistClient } = RemoteSecuritySettings.init();

/**
 * The OneCRL client must be configured with its own signer name rather than
 * the one a Remote Settings client gets when no signer is specified.
 * A regression here would mean revocation records are checked against the
 * wrong signer, so the test pins the two names as different.
 */
add_task(async function test_uses_a_custom_signer() {
  const oneCrlSigner = OneCRLBlocklistClient.signerName;
  // "not-specified" is just a collection name with no custom options, used
  // here to read whatever signer an unconfigured client ends up with.
  const unconfiguredSigner = RemoteSettings("not-specified").signerName;

  Assert.notEqual(oneCrlSigner, unconfiguredSigner);
});

/**
 * Checks that a local dump is packaged for the OneCRL bucket/collection, as
 * reported by Utils.hasLocalDump().
 * NOTE(review): presumably this is what lets a fresh profile have revocation
 * data before its first successful sync — confirm.
 */
add_task(async function test_has_initial_dump() {
  const { bucketName, collectionName } = OneCRLBlocklistClient;
  const dumpIsPackaged = await Utils.hasLocalDump(bucketName, collectionName);

  Assert.ok(dumpIsPackaged);
});

/**
 * The OneCRL client must keep the same filter function as a Remote Settings
 * client created without custom options, i.e. no OneCRL-specific filtering
 * of records is configured.
 */
add_task(async function test_default_jexl_filter_is_used() {
  const oneCrlFilter = OneCRLBlocklistClient.filterFunc;
  const unconfiguredFilter = RemoteSettings("not-specified").filterFunc;

  Assert.deepEqual(oneCrlFilter, unconfiguredFilter);
});

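/**
 * A "sync" event carrying one created OneCRL record must result in
 * cert_storage reporting that it holds revocation data.
 *
 * This task relies on running before any other task that emits "sync":
 * its first assertion expects cert_storage to have no revocation data yet.
 */
add_task(
  async function test_revocations_are_updated_on_sync_with_cert_storage() {
    const certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
      Ci.nsICertStorage
    );

    /**
     * Asks cert_storage whether it already holds revocation data.
     *
     * @returns {Promise<boolean>} Resolves with the value reported by
     *   hasPriorData(); rejects when the lookup itself fails.
     */
    const has_revocations = () =>
      new Promise((resolve, reject) => {
        certStorage.hasPriorData(
          Ci.nsICertStorage.DATA_TYPE_REVOCATION,
          (rv, hasPriorData) => {
            if (rv == Cr.NS_OK) {
              resolve(hasPriorData);
              return;
            }
            // A failed lookup used to be reported as "no data", which let the
            // "nothing stored yet" precondition below pass without having
            // checked anything. Surface the failure so the task fails instead.
            reject(new Error(`hasPriorData failed: ${rv}`));
          }
        );
      });

    // Precondition: nothing has been written to cert_storage yet.
    Assert.ok(!(await has_revocations()));

    // issuerName is a base64 DER-encoded Name (CN=Test CA) and serialNumber is
    // the base64 of the serial number bytes of the revoked certificate.
    await OneCRLBlocklistClient.emit("sync", {
      data: {
        current: [],
        created: [
          {
            issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
            serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=",
          },
        ],
        updated: [],
        deleted: [],
      },
    });

    // The sync handler must have pushed the new revocation into cert_storage.
    Assert.ok(await has_revocations());
  }
);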

/**
 * An "updated" OneCRL record must replace the old revocation: after the
 * update the original (issuer, serial) pair is no longer revoked and the new
 * pair is. If the old entry lingered, a certificate that was deliberately
 * un-revoked would stay blocked; if the new one were dropped, a revoked
 * certificate would be accepted.
 */
add_task(async function test_updated_entry() {
  // Base64 forms as they appear in OneCRL records. The byte arrays further
  // down are the same values decoded, as cert_storage expects them.
  const issuerB64 = "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=";
  const originalSerialB64 = "a0X7/7DlTaedpgrIJg25iBPOkIM=";
  const replacementSerialB64 = "ALtF+/+w5U0=";

  // Emits a "sync" event whose change lists are empty except for `changes`.
  const emitSync = changes =>
    OneCRLBlocklistClient.emit("sync", {
      data: {
        current: [],
        created: [],
        updated: [],
        deleted: [],
        ...changes,
      },
    });

  // Step 1: revoke a particular issuer/serial number.
  await emitSync({
    created: [{ issuerName: issuerB64, serialNumber: originalSerialB64 }],
  });

  const certStorage = Cc["@mozilla.org/security/certstorage;1"].getService(
    Ci.nsICertStorage
  );

  // DER Name for CN=Test CA (decoded issuerB64).
  const issuerBytes = [
    0x30, 0x12, 0x31, 0x10, 0x30, 0xe, 0x6, 0x3, 0x55, 0x4, 0x3, 0xc, 0x7, 0x54,
    0x65, 0x73, 0x74, 0x20, 0x43, 0x41,
  ];
  // Decoded originalSerialB64.
  const originalSerialBytes = [
    0x6b, 0x45, 0xfb, 0xff, 0xb0, 0xe5, 0x4d, 0xa7, 0x9d, 0xa6, 0xa, 0xc8, 0x26,
    0xd, 0xb9, 0x88, 0x13, 0xce, 0x90, 0x83,
  ];

  // Looks up the revocation state by issuer and serial only.
  // NOTE(review): the two empty arrays are presumably the subject and public
  // key arguments, left empty because this test revokes by issuer/serial —
  // confirm against nsICertStorage.
  const revocationStateFor = serialBytes =>
    certStorage.getRevocationState(issuerBytes, serialBytes, [], []);

  Assert.equal(
    revocationStateFor(originalSerialBytes),
    Ci.nsICertStorage.STATE_ENFORCE
  );

  // Step 2: update the revocation to be a different serial number; the
  // original (issuer, serial) pair should now not be revoked.
  await emitSync({
    updated: [
      {
        old: { issuerName: issuerB64, serialNumber: originalSerialB64 },
        new: { issuerName: issuerB64, serialNumber: replacementSerialB64 },
      },
    ],
  });

  Assert.equal(
    revocationStateFor(originalSerialBytes),
    Ci.nsICertStorage.STATE_UNSET
  );

  // Decoded replacementSerialB64; note the leading 0x00 byte is part of the
  // stored serial and must be included in the lookup.
  const replacementSerialBytes = [
    0x00, 0xbb, 0x45, 0xfb, 0xff, 0xb0, 0xe5, 0x4d,
  ];
  Assert.equal(
    revocationStateFor(replacementSerialBytes),
    Ci.nsICertStorage.STATE_ENFORCE
  );
});