The Tor Browser / file comparison
comparison: security/manager/ssl/tests/unit/test_pinning.js
security/manager/ssl/tests/unit/test_pinning.js
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
equal
deleted
inserted
replaced
| -1:000000000000 | 0:bd1034edcbd0 |
|---|---|
| 1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*- | |
| 2 // This Source Code Form is subject to the terms of the Mozilla Public | |
| 3 // License, v. 2.0. If a copy of the MPL was not distributed with this | |
| 4 // file, You can obtain one at http://mozilla.org/MPL/2.0/. | |
| 5 // | |
| 6 // For all cases, the acceptable pinset includes only certificates pinned to | |
| 7 // Test End Entity Cert (signed by issuer testCA). Other certificates | |
| 8 // are issued by otherCA, which is never in the pinset but is a user-specified | |
| 9 // trust anchor. This test covers multiple cases: | |
| 10 // | |
| 11 // Pinned domain include-subdomains.pinning.example.com includes subdomains | |
| 12 // - PASS: include-subdomains.pinning.example.com serves a correct cert | |
| 13 // - PASS: good.include-subdomains.pinning.example.com serves a correct cert | |
| 14 // - FAIL (strict): bad.include-subdomains.pinning.example.com serves a cert | |
| 15 // not in the pinset | |
| 16 // - PASS (mitm): bad.include-subdomains.pinning.example.com serves a cert not | |
| 17 // in the pinset, but issued by a user-specified trust domain | |
| 18 // | |
| 19 // Pinned domain exclude-subdomains.pinning.example.com excludes subdomains | |
| 20 // - PASS: exclude-subdomains.pinning.example.com serves a correct cert | |
| 21 // - FAIL: exclude-subdomains.pinning.example.com services an incorrect cert | |
| 22 // (TODO: test using verifyCertnow) | |
| 23 // - PASS: sub.exclude-subdomains.pinning.example.com serves an incorrect cert | |
| 24 | |
| 25 "use strict"; | |
| 26 | |
| 27 do_get_profile(); // must be called before getting nsIX509CertDB | |
| 28 const certdb = Cc["@mozilla.org/security/x509certdb;1"] | |
| 29 .getService(Ci.nsIX509CertDB); | |
| 30 | |
| 31 function test_strict() { | |
| 32 // In strict mode, we always evaluate pinning data, regardless of whether the | |
| 33 // issuer is a built-in trust anchor. We only enforce pins that are not in | |
| 34 // test mode. | |
| 35 add_test(function() { | |
| 36 Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2); | |
| 37 run_next_test(); | |
| 38 }); | |
| 39 | |
| 40 // If a host should be pinned but other errors (particularly overridable | |
| 41 // errors) like 'unknown issuer' are encountered, the pinning error takes | |
| 42 // precedence. This prevents overrides for such hosts. | |
| 43 add_connection_test("unknownissuer.include-subdomains.pinning.example.com", | |
| 44 getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE)); | |
| 45 | |
| 46 // Issued by otherCA, which is not in the pinset for pinning.example.com. | |
| 47 add_connection_test("bad.include-subdomains.pinning.example.com", | |
| 48 getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE)); | |
| 49 | |
| 50 // These domains serve certs that match the pinset. | |
| 51 add_connection_test("include-subdomains.pinning.example.com", Cr.NS_OK); | |
| 52 add_connection_test("good.include-subdomains.pinning.example.com", Cr.NS_OK); | |
| 53 add_connection_test("exclude-subdomains.pinning.example.com", Cr.NS_OK); | |
| 54 | |
| 55 // This domain serves a cert that doesn't match the pinset, but subdomains | |
| 56 // are excluded. | |
| 57 add_connection_test("sub.exclude-subdomains.pinning.example.com", Cr.NS_OK); | |
| 58 | |
| 59 // This domain's pinset is exactly the same as | |
| 60 // include-subdomains.pinning.example.com, serves the same cert as | |
| 61 // bad.include-subdomains.pinning.example.com, but it should pass because | |
| 62 // it's in test_mode. | |
| 63 add_connection_test("test-mode.pinning.example.com", Cr.NS_OK); | |
| 64 } | |
| 65 | |
| 66 function test_mitm() { | |
| 67 // In MITM mode, we allow pinning to pass if the chain resolves to any | |
| 68 // user-specified trust anchor, even if it is not in the pinset. | |
| 69 add_test(function() { | |
| 70 Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 1); | |
| 71 run_next_test(); | |
| 72 }); | |
| 73 | |
| 74 add_connection_test("include-subdomains.pinning.example.com", Cr.NS_OK); | |
| 75 add_connection_test("good.include-subdomains.pinning.example.com", Cr.NS_OK); | |
| 76 | |
| 77 add_connection_test("unknownissuer.include-subdomains.pinning.example.com", | |
| 78 getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); | |
| 79 | |
| 80 // In this case, even though otherCA is not in the pinset, it is a | |
| 81 // user-specified trust anchor and the pinning check succeeds. | |
| 82 add_connection_test("bad.include-subdomains.pinning.example.com", Cr.NS_OK); | |
| 83 | |
| 84 add_connection_test("exclude-subdomains.pinning.example.com", Cr.NS_OK); | |
| 85 add_connection_test("sub.exclude-subdomains.pinning.example.com", Cr.NS_OK); | |
| 86 add_connection_test("test-mode.pinning.example.com", Cr.NS_OK); | |
| 87 }; | |
| 88 | |
| 89 function test_disabled() { | |
| 90 // Disable pinning. | |
| 91 add_test(function() { | |
| 92 Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 0); | |
| 93 run_next_test(); | |
| 94 }); | |
| 95 | |
| 96 add_connection_test("include-subdomains.pinning.example.com", Cr.NS_OK); | |
| 97 add_connection_test("good.include-subdomains.pinning.example.com", Cr.NS_OK); | |
| 98 add_connection_test("bad.include-subdomains.pinning.example.com", Cr.NS_OK); | |
| 99 add_connection_test("exclude-subdomains.pinning.example.com", Cr.NS_OK); | |
| 100 add_connection_test("sub.exclude-subdomains.pinning.example.com", Cr.NS_OK); | |
| 101 add_connection_test("test-mode.pinning.example.com", Cr.NS_OK); | |
| 102 | |
| 103 add_connection_test("unknownissuer.include-subdomains.pinning.example.com", | |
| 104 getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); | |
| 105 } | |
| 106 | |
| 107 function test_enforce_test_mode() { | |
| 108 // In enforce test mode, we always enforce all pins, even test pins. | |
| 109 add_test(function() { | |
| 110 Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 3); | |
| 111 run_next_test(); | |
| 112 }); | |
| 113 | |
| 114 add_connection_test("unknownissuer.include-subdomains.pinning.example.com", | |
| 115 getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE)); | |
| 116 | |
| 117 // Issued by otherCA, which is not in the pinset for pinning.example.com. | |
| 118 add_connection_test("bad.include-subdomains.pinning.example.com", | |
| 119 getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE)); | |
| 120 | |
| 121 // These domains serve certs that match the pinset. | |
| 122 add_connection_test("include-subdomains.pinning.example.com", Cr.NS_OK); | |
| 123 add_connection_test("good.include-subdomains.pinning.example.com", Cr.NS_OK); | |
| 124 add_connection_test("exclude-subdomains.pinning.example.com", Cr.NS_OK); | |
| 125 | |
| 126 // This domain serves a cert that doesn't match the pinset, but subdomains | |
| 127 // are excluded. | |
| 128 add_connection_test("sub.exclude-subdomains.pinning.example.com", Cr.NS_OK); | |
| 129 | |
| 130 // This domain's pinset is exactly the same as | |
| 131 // include-subdomains.pinning.example.com, serves the same cert as | |
| 132 // bad.include-subdomains.pinning.example.com, is in test-mode, but we are | |
| 133 // enforcing test mode pins. | |
| 134 add_connection_test("test-mode.pinning.example.com", | |
| 135 getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE)); | |
| 136 } | |
| 137 | |
| 138 function check_pinning_telemetry() { | |
| 139 let service = Cc["@mozilla.org/base/telemetry;1"].getService(Ci.nsITelemetry); | |
| 140 let prod_histogram = service.getHistogramById("CERT_PINNING_RESULTS") | |
| 141 .snapshot(); | |
| 142 let test_histogram = service.getHistogramById("CERT_PINNING_TEST_RESULTS") | |
| 143 .snapshot(); | |
| 144 // Because all of our test domains are pinned to user-specified trust | |
| 145 // anchors, effectively only strict mode and enforce test-mode get evaluated | |
| 146 do_check_eq(prod_histogram.counts[0], 4); // Failure count | |
| 147 do_check_eq(prod_histogram.counts[1], 4); // Success count | |
| 148 do_check_eq(test_histogram.counts[0], 2); // Failure count | |
| 149 do_check_eq(test_histogram.counts[1], 0); // Success count | |
| 150 | |
| 151 let moz_prod_histogram = service.getHistogramById("CERT_PINNING_MOZ_RESULTS") | |
| 152 .snapshot(); | |
| 153 let moz_test_histogram = | |
| 154 service.getHistogramById("CERT_PINNING_MOZ_TEST_RESULTS").snapshot(); | |
| 155 do_check_eq(moz_prod_histogram.counts[0], 0); // Failure count | |
| 156 do_check_eq(moz_prod_histogram.counts[1], 0); // Success count | |
| 157 do_check_eq(moz_test_histogram.counts[0], 0); // Failure count | |
| 158 do_check_eq(moz_test_histogram.counts[1], 0); // Success count | |
| 159 | |
| 160 let per_host_histogram = | |
| 161 service.getHistogramById("CERT_PINNING_MOZ_RESULTS_BY_HOST").snapshot(); | |
| 162 do_check_eq(per_host_histogram.counts[0], 0); // Failure count | |
| 163 do_check_eq(per_host_histogram.counts[1], 2); // Success count | |
| 164 run_next_test(); | |
| 165 } | |
| 166 | |
| 167 function run_test() { | |
| 168 add_tls_server_setup("BadCertServer"); | |
| 169 | |
| 170 // Add a user-specified trust anchor. | |
| 171 addCertFromFile(certdb, "tlsserver/other-test-ca.der", "CTu,u,u"); | |
| 172 | |
| 173 test_strict(); | |
| 174 test_mitm(); | |
| 175 test_disabled(); | |
| 176 test_enforce_test_mode(); | |
| 177 | |
| 178 add_test(function () { | |
| 179 check_pinning_telemetry(); | |
| 180 }); | |
| 181 run_next_test(); | |
| 182 } |
