1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
"use strict";
// Tests that permanent certificate error overrides can be added even if the
// certificate/key databases are in read-only mode.
// Helper function for add_read_only_cert_override_test. Probably doesn't need
// to be called directly.
function add_read_only_cert_override(aHost, aSecurityInfo) {
let cert = aSecurityInfo.serverCert;
let certOverrideService = Cc[
"@mozilla.org/security/certoverride;1"
].getService(Ci.nsICertOverrideService);
// Setting the last argument to false here ensures that we attempt to store a
// permanent override (which is what was failing in bug 1427273).
certOverrideService.rememberValidityOverride(aHost, 8443, {}, cert, false);
}
// Given a host and an expected error code, tests that an initial connection to
// the host fails with the expected errors and that adding an override results
// in a subsequent connection succeeding.
function add_read_only_cert_override_test(aHost, aExpectedError) {
add_connection_test(
aHost,
aExpectedError,
null,
add_read_only_cert_override.bind(this, aHost)
);
add_connection_test(aHost, PRErrorCodeSuccess, null, aSecurityInfo => {
Assert.ok(
aSecurityInfo.securityState &
Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
"Cert override flag should be set on the security state"
);
});
}
function run_test() {
let profile = do_get_profile();
const KEY_DB_NAME = "key4.db";
const CERT_DB_NAME = "cert9.db";
let srcKeyDBFile = do_get_file(
`test_cert_overrides_read_only/${KEY_DB_NAME}`
);
srcKeyDBFile.copyTo(profile, KEY_DB_NAME);
let srcCertDBFile = do_get_file(
`test_cert_overrides_read_only/${CERT_DB_NAME}`
);
srcCertDBFile.copyTo(profile, CERT_DB_NAME);
// set the databases to read-only
let keyDBFile = do_get_profile();
keyDBFile.append(KEY_DB_NAME);
keyDBFile.permissions = 0o400;
let certDBFile = do_get_profile();
certDBFile.append(CERT_DB_NAME);
certDBFile.permissions = 0o400;
Services.prefs.setIntPref("security.OCSP.enabled", 1);
// Specifying false as the last argument means we don't try to add the default
// test root CA (which would fail).
add_tls_server_setup("BadCertAndPinningServer", "bad_certs", false);
let fakeOCSPResponder = new HttpServer();
fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
});
fakeOCSPResponder.start(8888);
// Since we can't add the root CA to the (read-only) trust db, all of these
// will result in an "unknown issuer error" and need the "untrusted" error bit
// set in addition to whatever other specific error bits are necessary.
add_read_only_cert_override_test(
"expired.example.com",
SEC_ERROR_UNKNOWN_ISSUER
);
add_read_only_cert_override_test(
"selfsigned.example.com",
MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
);
add_read_only_cert_override_test(
"mismatch.example.com",
SEC_ERROR_UNKNOWN_ISSUER
);
add_test(function () {
fakeOCSPResponder.stop(run_next_test);
});
run_next_test();
}
|