security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp@b8a032363ba2 (annotated)
security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | /* This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| michael@0 | 4 | |
| michael@0 | 5 | // This is a standalone server that uses various bad certificates. |
| michael@0 | 6 | // The client is expected to connect, initiate an SSL handshake (with SNI |
| michael@0 | 7 | // to indicate which "server" to connect to), and verify the certificate. |
| michael@0 | 8 | // If all is good, the client then sends one encrypted byte and receives that |
| michael@0 | 9 | // same byte back. |
| michael@0 | 10 | // This server also has the ability to "call back" another process waiting on |
| michael@0 | 11 | // it. That is, when the server is all set up and ready to receive connections, |
| michael@0 | 12 | // it will connect to a specified port and issue a simple HTTP request. |
| michael@0 | 13 | |
| michael@0 | 14 | #include <stdio.h> |
| michael@0 | 15 | |
| michael@0 | 16 | #include "TLSServer.h" |
| michael@0 | 17 | |
| michael@0 | 18 | using namespace mozilla; |
| michael@0 | 19 | using namespace mozilla::test; |
| michael@0 | 20 | |
| michael@0 | 21 | struct BadCertHost |
| michael@0 | 22 | { |
| michael@0 | 23 | const char *mHostName; |
| michael@0 | 24 | const char *mCertName; |
| michael@0 | 25 | }; |
| michael@0 | 26 | |
| michael@0 | 27 | // Hostname, cert nickname pairs. |
| michael@0 | 28 | const BadCertHost sBadCertHosts[] = |
| michael@0 | 29 | { |
| michael@0 | 30 | { "expired.example.com", "expired" }, |
| michael@0 | 31 | { "selfsigned.example.com", "selfsigned" }, |
| michael@0 | 32 | { "unknownissuer.example.com", "unknownissuer" }, |
| michael@0 | 33 | { "mismatch.example.com", "mismatch" }, |
| michael@0 | 34 | { "expiredissuer.example.com", "expiredissuer" }, |
| michael@0 | 35 | { "md5signature.example.com", "md5signature" }, |
| michael@0 | 36 | { "untrusted.example.com", "localhostAndExampleCom" }, |
| michael@0 | 37 | { "untrustedissuer.example.com", "untrustedissuer" }, |
| michael@0 | 38 | { "mismatch-expired.example.com", "mismatch-expired" }, |
| michael@0 | 39 | { "mismatch-untrusted.example.com", "mismatch-untrusted" }, |
| michael@0 | 40 | { "untrusted-expired.example.com", "untrusted-expired" }, |
| michael@0 | 41 | { "md5signature-expired.example.com", "md5signature-expired" }, |
| michael@0 | 42 | { "mismatch-untrusted-expired.example.com", "mismatch-untrusted-expired" }, |
| michael@0 | 43 | { "inadequatekeyusage.example.com", "inadequatekeyusage" }, |
| michael@0 | 44 | { "selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU" }, |
| michael@0 | 45 | { "self-signed-end-entity-with-cA-true.example.com", "self-signed-EE-with-cA-true" }, |
| michael@0 | 46 | // All of include-subdomains.pinning.example.com is pinned to End Entity |
| michael@0 | 47 | // Test Cert with nick localhostAndExampleCom. Any other nick will only |
| michael@0 | 48 | // pass pinning when security.cert_pinning.enforcement.level != strict and |
| michael@0 | 49 | // otherCA is added as a user-specified trust anchor. See StaticHPKPins.h. |
| michael@0 | 50 | { "include-subdomains.pinning.example.com", "localhostAndExampleCom" }, |
| michael@0 | 51 | { "good.include-subdomains.pinning.example.com", "localhostAndExampleCom" }, |
| michael@0 | 52 | { "bad.include-subdomains.pinning.example.com", "otherIssuerEE" }, |
| michael@0 | 53 | { "exclude-subdomains.pinning.example.com", "localhostAndExampleCom" }, |
| michael@0 | 54 | { "sub.exclude-subdomains.pinning.example.com", "otherIssuerEE" }, |
| michael@0 | 55 | { "test-mode.pinning.example.com", "otherIssuerEE" }, |
| michael@0 | 56 | { nullptr, nullptr } |
| michael@0 | 57 | }; |
| michael@0 | 58 | |
| michael@0 | 59 | int32_t |
| michael@0 | 60 | DoSNISocketConfig(PRFileDesc *aFd, const SECItem *aSrvNameArr, |
| michael@0 | 61 | uint32_t aSrvNameArrSize, void *aArg) |
| michael@0 | 62 | { |
| michael@0 | 63 | const BadCertHost *host = GetHostForSNI(aSrvNameArr, aSrvNameArrSize, |
| michael@0 | 64 | sBadCertHosts); |
| michael@0 | 65 | if (!host) { |
| michael@0 | 66 | return SSL_SNI_SEND_ALERT; |
| michael@0 | 67 | } |
| michael@0 | 68 | |
| michael@0 | 69 | if (gDebugLevel >= DEBUG_VERBOSE) { |
| michael@0 | 70 | fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName); |
| michael@0 | 71 | } |
| michael@0 | 72 | |
| michael@0 | 73 | ScopedCERTCertificate cert; |
| michael@0 | 74 | SSLKEAType certKEA; |
| michael@0 | 75 | if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName, |
| michael@0 | 76 | &cert, &certKEA)) { |
| michael@0 | 77 | return SSL_SNI_SEND_ALERT; |
| michael@0 | 78 | } |
| michael@0 | 79 | |
| michael@0 | 80 | return 0; |
| michael@0 | 81 | } |
| michael@0 | 82 | |
| michael@0 | 83 | int |
| michael@0 | 84 | main(int argc, char *argv[]) |
| michael@0 | 85 | { |
| michael@0 | 86 | if (argc != 2) { |
| michael@0 | 87 | fprintf(stderr, "usage: %s <NSS DB directory>\n", argv[0]); |
| michael@0 | 88 | return 1; |
| michael@0 | 89 | } |
| michael@0 | 90 | |
| michael@0 | 91 | return StartServer(argv[1], DoSNISocketConfig, nullptr); |
| michael@0 | 92 | } |
