security/manager/ssl/tests/mochitest/bugs/test_certificate_overrides.html@b8a032363ba2 (annotated)
security/manager/ssl/tests/mochitest/bugs/test_certificate_overrides.html
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | <!DOCTYPE HTML> |
| michael@0 | 2 | <html> |
| michael@0 | 3 | <head> |
| michael@0 | 4 | <title>Test certificate overrides</title> |
| michael@0 | 5 | <script type="text/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script> |
| michael@0 | 6 | <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css" /> |
| michael@0 | 7 | </head> |
| michael@0 | 8 | <body> |
| michael@0 | 9 | <script class="testbody" type="text/javascript"> |
| michael@0 | 10 | |
| michael@0 | 11 | const Cc = Components.classes; |
| michael@0 | 12 | const Ci = Components.interfaces; |
| michael@0 | 13 | const cos = Cc["@mozilla.org/security/certoverride;1"]. |
| michael@0 | 14 | getService(Ci.nsICertOverrideService); |
| michael@0 | 15 | |
| michael@0 | 16 | const eu = Ci.nsICertOverrideService.ERROR_UNTRUSTED; |
| michael@0 | 17 | const em = Ci.nsICertOverrideService.ERROR_MISMATCH; |
| michael@0 | 18 | const et = Ci.nsICertOverrideService.ERROR_TIME; |
| michael@0 | 19 | |
| michael@0 | 20 | // Note: the host index matches the expected error. |
| michael@0 | 21 | var testHost = []; |
| michael@0 | 22 | testHost[ eu ] = "untrusted.example.com"; |
| michael@0 | 23 | testHost[ em ] = "nocert.example.com"; |
| michael@0 | 24 | testHost[ em | eu ] = "mismatch.untrusted.example.com"; |
| michael@0 | 25 | testHost[ et ] = "expired.example.com"; |
| michael@0 | 26 | testHost[ et | eu ] = "untrusted-expired.example.com"; |
| michael@0 | 27 | testHost[ et | em ] = "mismatch.expired.example.com"; |
| michael@0 | 28 | testHost[ et | em | eu ] = "mismatch.untrusted-expired.example.com"; |
| michael@0 | 29 | |
| michael@0 | 30 | var gCertErrorBits; |
| michael@0 | 31 | |
| michael@0 | 32 | SimpleTest.waitForExplicitFinish(); |
| michael@0 | 33 | |
| michael@0 | 34 | // Support for making sure we can talk to the invalid cert the server presents |
| michael@0 | 35 | var CertOverrideListener = function(host, port, bits) { |
| michael@0 | 36 | this.host = host; |
| michael@0 | 37 | if (port) { |
| michael@0 | 38 | this.port = port; |
| michael@0 | 39 | } |
| michael@0 | 40 | this.bits = bits; |
| michael@0 | 41 | }; |
| michael@0 | 42 | |
| michael@0 | 43 | CertOverrideListener.prototype = { |
| michael@0 | 44 | host: null, |
| michael@0 | 45 | port: -1, |
| michael@0 | 46 | bits: null, |
| michael@0 | 47 | getInterface: function(aIID) { |
| michael@0 | 48 | return this.QueryInterface(aIID); |
| michael@0 | 49 | }, |
| michael@0 | 50 | QueryInterface: function(aIID) { |
| michael@0 | 51 | if (aIID.equals(Ci.nsIBadCertListener2) || |
| michael@0 | 52 | aIID.equals(Ci.nsIInterfaceRequestor) || |
| michael@0 | 53 | aIID.equals(Ci.nsISupports)) { |
| michael@0 | 54 | return this; |
| michael@0 | 55 | } |
| michael@0 | 56 | throw Components.results.NS_ERROR_NO_INTERFACE; |
| michael@0 | 57 | }, |
| michael@0 | 58 | notifyCertProblem: function(socketInfo, sslStatus, targetHost) { |
| michael@0 | 59 | var cert = sslStatus.QueryInterface(Ci.nsISSLStatus).serverCert; |
| michael@0 | 60 | cos.rememberValidityOverride(this.host, this.port, cert, this.bits, true); |
| michael@0 | 61 | gCertErrorBits = 0; |
| michael@0 | 62 | if (sslStatus.isUntrusted) { |
| michael@0 | 63 | gCertErrorBits |= Ci.nsICertOverrideService.ERROR_UNTRUSTED; |
| michael@0 | 64 | } |
| michael@0 | 65 | if (sslStatus.isDomainMismatch) { |
| michael@0 | 66 | gCertErrorBits |= Ci.nsICertOverrideService.ERROR_MISMATCH; |
| michael@0 | 67 | } |
| michael@0 | 68 | if (sslStatus.isNotValidAtThisTime) { |
| michael@0 | 69 | gCertErrorBits |= Ci.nsICertOverrideService.ERROR_TIME; |
| michael@0 | 70 | } |
| michael@0 | 71 | return true; |
| michael@0 | 72 | }, |
| michael@0 | 73 | } |
| michael@0 | 74 | |
| michael@0 | 75 | function addCertOverride(host, port, bits) |
| michael@0 | 76 | { |
| michael@0 | 77 | var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"] |
| michael@0 | 78 | .createInstance(Ci.nsIXMLHttpRequest); |
| michael@0 | 79 | var url; |
| michael@0 | 80 | if (port) { |
| michael@0 | 81 | url = "https://" + host + ":" + port + "/"; |
| michael@0 | 82 | } else { |
| michael@0 | 83 | url = "https://" + host + "/"; |
| michael@0 | 84 | } |
| michael@0 | 85 | req.open("GET", url, false); |
| michael@0 | 86 | req.channel.notificationCallbacks = new CertOverrideListener(host, port, bits); |
| michael@0 | 87 | try { |
| michael@0 | 88 | req.send(null); |
| michael@0 | 89 | ok(false, "Connection to host " + host + " succeeded when it should have failed"); |
| michael@0 | 90 | } catch (e) { |
| michael@0 | 91 | // Failure here is expected as the server is not trusted yet. |
| michael@0 | 92 | } |
| michael@0 | 93 | } |
| michael@0 | 94 | |
| michael@0 | 95 | function xhrConnect(domain,message,expectedSuccess) |
| michael@0 | 96 | { |
| michael@0 | 97 | var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"] |
| michael@0 | 98 | .createInstance(Ci.nsIXMLHttpRequest); |
| michael@0 | 99 | req.open("GET", "https://" + domain + "/", false); |
| michael@0 | 100 | try { |
| michael@0 | 101 | req.send(null); |
| michael@0 | 102 | ok(expectedSuccess, "Page Load success " + message + " expected=" + expectedSuccess); |
| michael@0 | 103 | } catch (err) { |
| michael@0 | 104 | ok(!expectedSuccess, "Page failed to load " + message + " expected=" + expectedSuccess); |
| michael@0 | 105 | } |
| michael@0 | 106 | } |
| michael@0 | 107 | |
| michael@0 | 108 | function checkHostConnect(host, overrideBits, successExpected, overridesMustEqualError) |
| michael@0 | 109 | { |
| michael@0 | 110 | var statusMessage = " overrideBits=" + overrideBits; |
| michael@0 | 111 | addCertOverride(host, 443, overrideBits); |
| michael@0 | 112 | if (overridesMustEqualError) { |
| michael@0 | 113 | is(gCertErrorBits, overrideBits, "Reported Error match: errorbits=" + gCertErrorBits + " host=" + host); |
| michael@0 | 114 | } |
| michael@0 | 115 | xhrConnect(host, "override host=" + host + statusMessage, successExpected); |
| michael@0 | 116 | cos.clearValidityOverride(host, 443); |
| michael@0 | 117 | } |
| michael@0 | 118 | |
| michael@0 | 119 | function testCertOverrides() |
| michael@0 | 120 | { |
| michael@0 | 121 | for (var i = 1; i < testHost.length; ++i) { |
| michael@0 | 122 | cos.clearValidityOverride(testHost[i], 443); |
| michael@0 | 123 | } |
| michael@0 | 124 | const allErrorBits = et | em | eu ; |
| michael@0 | 125 | for (var i = 1; i < allErrorBits + 1; ++i) { |
| michael@0 | 126 | var overrideBits = i; |
| michael@0 | 127 | for (var j = 1; j < testHost.length; ++j){ |
| michael@0 | 128 | var expectedError = j; |
| michael@0 | 129 | var successExpected = (0 == (expectedError & ~overrideBits)); |
| michael@0 | 130 | var errorMustMatch = (overrideBits == expectedError); |
| michael@0 | 131 | checkHostConnect(testHost[j], overrideBits, successExpected, errorMustMatch); |
| michael@0 | 132 | } |
| michael@0 | 133 | } |
| michael@0 | 134 | // Now we test the self-signed. Must return an overridable untrusted error. |
| michael@0 | 135 | cos.clearValidityOverride("self-signed.example.com", 443); |
| michael@0 | 136 | checkHostConnect("self-signed.example.com", eu, successExpected, true); |
| michael@0 | 137 | } |
| michael@0 | 138 | |
| michael@0 | 139 | testCertOverrides(); |
| michael@0 | 140 | SimpleTest.finish(); |
| michael@0 | 141 | |
| michael@0 | 142 | </script> |
| michael@0 | 143 | |
| michael@0 | 144 | </body> |
| michael@0 | 145 | </html> |
