1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/modules/libmar/tests/unit/test_sign_verify.js Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,580 @@
1.4 +/* Any copyright is dedicated to the Public Domain.
1.5 + http://creativecommons.org/publicdomain/zero/1.0/ */
1.6 +
1.7 +function run_test() {
1.8 +
1.9 + /**
1.10 + * Signs a MAR file.
1.11 + *
1.12 + * @param inMAR The MAR file that should be signed
1.13 + * @param outMAR The MAR file to create
1.14 + */
1.15 + function signMAR(inMAR, outMAR, certs, wantSuccess, useShortHandCmdLine) {
1.16 + // Get a process to the signmar binary from the dist/bin directory.
1.17 + let process = Cc["@mozilla.org/process/util;1"].
1.18 + createInstance(Ci.nsIProcess);
1.19 + let signmarBin = do_get_file("signmar" + BIN_SUFFIX);
1.20 +
1.21 + // Make sure the signmar binary exists and is an executable.
1.22 + do_check_true(signmarBin.exists());
1.23 + do_check_true(signmarBin.isExecutable());
1.24 +
1.25 + // Setup the command line arguments to sign the MAR.
1.26 + let NSSConfigDir = do_get_file("data");
1.27 + let args = ["-d", NSSConfigDir.path];
1.28 + if (certs.length == 1 && useShortHandCmdLine) {
1.29 + args.push("-n", certs[0]);
1.30 + } else {
1.31 + for (var i = 0; i < certs.length; i++) {
1.32 + args.push("-n" + i, certs[i]);
1.33 + }
1.34 + }
1.35 + args.push("-s", inMAR.path, outMAR.path);
1.36 +
1.37 + process.init(signmarBin);
1.38 + try {
1.39 + process.run(true, args, args.length);
1.40 + } catch(e) {
1.41 + // On Windows negative return value throws an exception
1.42 + process.exitValue = -1;
1.43 + }
1.44 +
1.45 + // Verify signmar returned 0 for success.
1.46 + if (wantSuccess) {
1.47 + do_check_eq(process.exitValue, 0);
1.48 + } else {
1.49 + do_check_neq(process.exitValue, 0);
1.50 + }
1.51 + }
1.52 +
1.53 +
1.54 + /**
1.55 + * Extract a MAR signature.
1.56 + *
1.57 + * @param inMAR The MAR file who's signature should be extracted
1.58 + * @param sigIndex The index of the signature to extract
1.59 + * @param extractedSig The file where the extracted signature will be stored
1.60 + * @param wantSuccess True if a successful signmar return code is desired
1.61 + */
1.62 + function extractMARSignature(inMAR, sigIndex, extractedSig, wantSuccess) {
1.63 + // Get a process to the signmar binary from the dist/bin directory.
1.64 + let process = Cc["@mozilla.org/process/util;1"].
1.65 + createInstance(Ci.nsIProcess);
1.66 + let signmarBin = do_get_file("signmar" + BIN_SUFFIX);
1.67 +
1.68 + // Make sure the signmar binary exists and is an executable.
1.69 + do_check_true(signmarBin.exists());
1.70 + do_check_true(signmarBin.isExecutable());
1.71 +
1.72 + // Setup the command line arguments to extract the signature in the MAR.
1.73 + let args = ["-n" + sigIndex, "-X", inMAR.path, extractedSig.path];
1.74 +
1.75 + process.init(signmarBin);
1.76 + try {
1.77 + process.run(true, args, args.length);
1.78 + } catch(e) {
1.79 + // On Windows negative return value throws an exception
1.80 + process.exitValue = -1;
1.81 + }
1.82 +
1.83 + // Verify signmar returned 0 for success.
1.84 + if (wantSuccess) {
1.85 + do_check_eq(process.exitValue, 0);
1.86 + } else {
1.87 + do_check_neq(process.exitValue, 0);
1.88 + }
1.89 + }
1.90 +
1.91 + /**
1.92 + * Import a MAR signature.
1.93 + *
1.94 + * @param inMAR The MAR file who's signature should be imported to
1.95 + * @param sigIndex The index of the signature to import to
1.96 + * @param sigFile The file where the base64 signature exists
1.97 + * @param outMAR The same as inMAR but with the specified signature
1.98 + * swapped at the specified index.
1.99 + * @param wantSuccess True if a successful signmar return code is desired
1.100 + */
1.101 + function importMARSignature(inMAR, sigIndex, sigFile, outMAR, wantSuccess) {
1.102 + // Get a process to the signmar binary from the dist/bin directory.
1.103 + let process = Cc["@mozilla.org/process/util;1"].
1.104 + createInstance(Ci.nsIProcess);
1.105 + let signmarBin = do_get_file("signmar" + BIN_SUFFIX);
1.106 +
1.107 + // Make sure the signmar binary exists and is an executable.
1.108 + do_check_true(signmarBin.exists());
1.109 + do_check_true(signmarBin.isExecutable());
1.110 +
1.111 + // Setup the command line arguments to import the signature in the MAR.
1.112 + let args = ["-n" + sigIndex, "-I", inMAR.path, sigFile.path, outMAR.path];
1.113 +
1.114 + process.init(signmarBin);
1.115 + try {
1.116 + process.run(true, args, args.length);
1.117 + } catch(e) {
1.118 + // On Windows negative return value throws an exception
1.119 + process.exitValue = -1;
1.120 + }
1.121 +
1.122 + // Verify signmar returned 0 for success.
1.123 + if (wantSuccess) {
1.124 + do_check_eq(process.exitValue, 0);
1.125 + } else {
1.126 + do_check_neq(process.exitValue, 0);
1.127 + }
1.128 + }
1.129 +
1.130 + /**
1.131 + * Verifies a MAR file.
1.132 + *
1.133 + * @param signedMAR Verifies a MAR file
1.134 + */
1.135 + function verifyMAR(signedMAR, wantSuccess, certs, useShortHandCmdLine) {
1.136 + // Get a process to the signmar binary from the dist/bin directory.
1.137 + let process = Cc["@mozilla.org/process/util;1"].
1.138 + createInstance(Ci.nsIProcess);
1.139 + let signmarBin = do_get_file("signmar" + BIN_SUFFIX);
1.140 +
1.141 + // Make sure the signmar binary exists and is an executable.
1.142 + do_check_true(signmarBin.exists());
1.143 + do_check_true(signmarBin.isExecutable());
1.144 +
1.145 + // Will reference the arguments to use for verification in signmar
1.146 + let args = [];
1.147 +
1.148 + // The XPCShell test wiki indicates this is the preferred way for
1.149 + // Windows and OSX detection.
1.150 + var isWindows = ("@mozilla.org/windows-registry-key;1" in Cc);
1.151 + var isOSX = ("nsILocalFileMac" in Components.interfaces);
1.152 +
1.153 + // Setup the command line arguments to create the MAR.
1.154 + // Windows & Mac vs. Linux/... have different command line for verification
1.155 + // since on Windows we verify with CryptoAPI, on Mac with Security
1.156 + // Transforms or CDSA/CSSM and on all other platforms we verify with NSS. So
1.157 + // on Windows and Mac we use an exported DER file and on other platforms we
1.158 + // use the NSS config db.
1.159 + if (isWindows || isOSX) {
1.160 + if (certs.length == 1 && useShortHandCmdLine) {
1.161 + args.push("-D", "data/" + certs[0] + ".der");
1.162 + } else {
1.163 + for (var i = 0; i < certs.length; i++) {
1.164 + args.push("-D" + i, "data/" + certs[i] + ".der");
1.165 + }
1.166 + }
1.167 + } else {
1.168 + let NSSConfigDir = do_get_file("data");
1.169 + args = ["-d", NSSConfigDir.path];
1.170 + if (certs.length == 1 && useShortHandCmdLine) {
1.171 + args.push("-n", certs[0]);
1.172 + } else {
1.173 + for (var i = 0; i < certs.length; i++) {
1.174 + args.push("-n" + i, certs[i]);
1.175 + }
1.176 + }
1.177 + }
1.178 + args.push("-v", signedMAR.path);
1.179 +
1.180 + process.init(signmarBin);
1.181 + try {
1.182 + // We put this in a try block because nsIProcess doesn't like -1 returns
1.183 + process.run(true, args, args.length);
1.184 + } catch (e) {
1.185 + // On Windows negative return value throws an exception
1.186 + process.exitValue = -1;
1.187 + }
1.188 +
1.189 + // Verify signmar returned 0 for success.
1.190 + if (wantSuccess) {
1.191 + do_check_eq(process.exitValue, 0);
1.192 + } else {
1.193 + do_check_neq(process.exitValue, 0);
1.194 + }
1.195 + }
1.196 +
1.197 + /**
1.198 + * Strips a MAR signature.
1.199 + *
1.200 + * @param signedMAR The MAR file that should be signed
1.201 + * @param outMAR The MAR file to write to with signature stripped
1.202 + */
1.203 + function stripMARSignature(signedMAR, outMAR, wantSuccess) {
1.204 + // Get a process to the signmar binary from the dist/bin directory.
1.205 + let process = Cc["@mozilla.org/process/util;1"].
1.206 + createInstance(Ci.nsIProcess);
1.207 + let signmarBin = do_get_file("signmar" + BIN_SUFFIX);
1.208 +
1.209 + // Make sure the signmar binary exists and is an executable.
1.210 + do_check_true(signmarBin.exists());
1.211 + do_check_true(signmarBin.isExecutable());
1.212 +
1.213 + // Setup the command line arguments to create the MAR.
1.214 + let args = ["-r", signedMAR.path, outMAR.path];
1.215 +
1.216 + process.init(signmarBin);
1.217 + try {
1.218 + process.run(true, args, args.length);
1.219 + } catch (e) {
1.220 + // On Windows negative return value throws an exception
1.221 + process.exitValue = -1;
1.222 + }
1.223 +
1.224 + // Verify signmar returned 0 for success.
1.225 + if (wantSuccess) {
1.226 + do_check_eq(process.exitValue, 0);
1.227 + } else {
1.228 + do_check_neq(process.exitValue, 0);
1.229 + }
1.230 + }
1.231 +
1.232 +
1.233 + function cleanup() {
1.234 + let outMAR = tempDir.clone();
1.235 + outMAR.append("signed_out.mar");
1.236 + if (outMAR.exists()) {
1.237 + outMAR.remove(false);
1.238 + }
1.239 + outMAR = tempDir.clone();
1.240 + outMAR.append("multiple_signed_out.mar");
1.241 + if (outMAR.exists()) {
1.242 + outMAR.remove(false);
1.243 + }
1.244 + outMAR = tempDir.clone();
1.245 + outMAR.append("out.mar");
1.246 + if (outMAR.exists()) {
1.247 + outMAR.remove(false);
1.248 + }
1.249 +
1.250 + let outDir = tempDir.clone();
1.251 + outDir.append("out");
1.252 + if (outDir.exists()) {
1.253 + outDir.remove(true);
1.254 + }
1.255 + }
1.256 +
1.257 + const wantFailure = false;
1.258 + const wantSuccess = true;
1.259 + // Define the unit tests to run.
1.260 + let tests = {
1.261 + // Test signing a MAR file with a single signature
1.262 + test_sign_single: function() {
1.263 + let inMAR = do_get_file("data/" + refMARPrefix + "binary_data_mar.mar");
1.264 + let outMAR = tempDir.clone();
1.265 + outMAR.append("signed_out.mar");
1.266 + if (outMAR.exists()) {
1.267 + outMAR.remove(false);
1.268 + }
1.269 + signMAR(inMAR, outMAR, ["mycert"], wantSuccess, true);
1.270 + do_check_true(outMAR.exists());
1.271 + let outMARData = getBinaryFileData(outMAR);
1.272 + let refMAR = do_get_file("data/" + refMARPrefix + "signed_pib_mar.mar");
1.273 + let refMARData = getBinaryFileData(refMAR);
1.274 + compareBinaryData(outMARData, refMARData);
1.275 + },
1.276 + // Test signing a MAR file with multiple signatures
1.277 + test_sign_multiple: function() {
1.278 + let inMAR = do_get_file("data/" + refMARPrefix + "binary_data_mar.mar");
1.279 + let outMAR = tempDir.clone();
1.280 + outMAR.append("multiple_signed_out.mar");
1.281 + if (outMAR.exists()) {
1.282 + outMAR.remove(false);
1.283 + }
1.284 + do_check_false(outMAR.exists());
1.285 + signMAR(inMAR, outMAR, ["mycert", "mycert2", "mycert3"],
1.286 + wantSuccess, true);
1.287 + do_check_true(outMAR.exists());
1.288 + let outMARData = getBinaryFileData(outMAR);
1.289 + let refMAR = do_get_file("data/" + refMARPrefix + "multiple_signed_pib_mar.mar");
1.290 + let refMARData = getBinaryFileData(refMAR);
1.291 + compareBinaryData(outMARData, refMARData);
1.292 + },
1.293 + // Test verifying a signed MAR file
1.294 + test_verify_single: function() {
1.295 + let signedMAR = do_get_file("data/signed_pib_mar.mar");
1.296 + verifyMAR(signedMAR, wantSuccess, ["mycert"], true);
1.297 + verifyMAR(signedMAR, wantSuccess, ["mycert"], false);
1.298 + },
1.299 + // Test verifying a signed MAR file with too many certs fails.
1.300 + // Or if you want to look at it another way, One mycert signature
1.301 + // is missing.
1.302 + test_verify_single_too_many_certs: function() {
1.303 + let signedMAR = do_get_file("data/signed_pib_mar.mar");
1.304 + verifyMAR(signedMAR, wantFailure, ["mycert", "mycert"], true);
1.305 + verifyMAR(signedMAR, wantFailure, ["mycert", "mycert"], false);
1.306 + },
1.307 + // Test verifying a signed MAR file fails when using a wrong cert
1.308 + test_verify_single_wrong_cert: function() {
1.309 + let signedMAR = do_get_file("data/signed_pib_mar.mar");
1.310 + verifyMAR(signedMAR, wantFailure, ["mycert2"], true);
1.311 + verifyMAR(signedMAR, wantFailure, ["mycert2"], false);
1.312 + },
1.313 + // Test verifying a signed MAR file with multiple signatures
1.314 + test_verify_multiple: function() {
1.315 + let signedMAR = do_get_file("data/multiple_signed_pib_mar.mar");
1.316 + verifyMAR(signedMAR, wantSuccess, ["mycert", "mycert2", "mycert3"]);
1.317 + },
1.318 + // Test verifying an unsigned MAR file fails
1.319 + test_verify_unsigned_mar_file_fails: function() {
1.320 + let unsignedMAR = do_get_file("data/binary_data_mar.mar");
1.321 + verifyMAR(unsignedMAR, wantFailure, ["mycert", "mycert2", "mycert3"]);
1.322 + },
1.323 + // Test verifying a signed MAR file with the same signature multiple
1.324 + // times fails. The input MAR has: mycert, mycert2, mycert3.
1.325 + // we're checking to make sure the number of verified signatures
1.326 + // is only 1 and not 3. Each signature should be verified once.
1.327 + test_verify_multiple_same_cert: function() {
1.328 + let signedMAR = do_get_file("data/multiple_signed_pib_mar.mar");
1.329 + verifyMAR(signedMAR, wantFailure, ["mycert", "mycert", "mycert"]);
1.330 + },
1.331 + // Test verifying a signed MAR file with the correct signatures but in
1.332 + // a different order fails
1.333 + test_verify_multiple_wrong_order: function() {
1.334 + let signedMAR = do_get_file("data/multiple_signed_pib_mar.mar");
1.335 + verifyMAR(signedMAR, wantSuccess, ["mycert", "mycert2", "mycert3"]);
1.336 + verifyMAR(signedMAR, wantFailure, ["mycert", "mycert3", "mycert2"]);
1.337 + verifyMAR(signedMAR, wantFailure, ["mycert2", "mycert", "mycert3"]);
1.338 + verifyMAR(signedMAR, wantFailure, ["mycert2", "mycert3", "mycert"]);
1.339 + verifyMAR(signedMAR, wantFailure, ["mycert3", "mycert", "mycert2"]);
1.340 + verifyMAR(signedMAR, wantFailure, ["mycert3", "mycert2", "mycert"]);
1.341 + },
1.342 + // Test verifying a signed MAR file without a PIB
1.343 + test_verify_no_pib: function() {
1.344 + let signedMAR = do_get_file("data/signed_no_pib_mar.mar");
1.345 + verifyMAR(signedMAR, wantSuccess, ["mycert"], true);
1.346 + verifyMAR(signedMAR, wantSuccess, ["mycert"], false);
1.347 + },
1.348 + // Test verifying a signed MAR file with multiple signatures without a PIB
1.349 + test_verify_no_pib_multiple: function() {
1.350 + let signedMAR = do_get_file("data/multiple_signed_no_pib_mar.mar");
1.351 + verifyMAR(signedMAR, wantSuccess, ["mycert", "mycert2", "mycert3"]);
1.352 + },
1.353 + // Test verifying a crafted MAR file where the attacker tried to adjust
1.354 + // the version number manually.
1.355 + test_crafted_mar: function() {
1.356 + let signedBadMAR = do_get_file("data/manipulated_signed_mar.mar");
1.357 + verifyMAR(signedBadMAR, wantFailure, ["mycert"], true);
1.358 + verifyMAR(signedBadMAR, wantFailure, ["mycert"], false);
1.359 + },
1.360 + // Test verifying a file that doesn't exist fails
1.361 + test_bad_path_verify_fails: function() {
1.362 + let noMAR = do_get_file("data/does_not_exist_.mar", true);
1.363 + do_check_false(noMAR.exists());
1.364 + verifyMAR(noMAR, wantFailure, ["mycert"], true);
1.365 + },
1.366 + // Test to make sure a stripped MAR is the same as the original MAR
1.367 + test_strip_signature: function() {
1.368 + let originalMAR = do_get_file("data/" +
1.369 + refMARPrefix +
1.370 + "binary_data_mar.mar");
1.371 + let signedMAR = tempDir.clone();
1.372 + signedMAR.append("signed_out.mar");
1.373 + let outMAR = tempDir.clone();
1.374 + outMAR.append("out.mar", true);
1.375 + stripMARSignature(signedMAR, outMAR, wantSuccess);
1.376 +
1.377 + // Verify that the stripped MAR matches the original data MAR exactly
1.378 + let outMARData = getBinaryFileData(outMAR);
1.379 + let originalMARData = getBinaryFileData(originalMAR);
1.380 + compareBinaryData(outMARData, originalMARData);
1.381 + },
1.382 + // Test to make sure a stripped multi-signature-MAR is the same as the original MAR
1.383 + test_strip_multiple_signatures: function() {
1.384 + let originalMAR = do_get_file("data/" +
1.385 + refMARPrefix +
1.386 + "binary_data_mar.mar");
1.387 + let signedMAR = tempDir.clone();
1.388 + signedMAR.append("multiple_signed_out.mar");
1.389 + let outMAR = tempDir.clone();
1.390 + outMAR.append("out.mar");
1.391 + stripMARSignature(signedMAR, outMAR, wantSuccess);
1.392 +
1.393 + // Verify that the stripped MAR matches the original data MAR exactly
1.394 + let outMARData = getBinaryFileData(outMAR);
1.395 + let originalMARData = getBinaryFileData(originalMAR);
1.396 + compareBinaryData(outMARData, originalMARData);
1.397 + },
1.398 + // Test extracting the first signature in a MAR that has only a single signature
1.399 + test_extract_sig_single: function() {
1.400 + let inMAR = do_get_file("data/signed_pib_mar.mar");
1.401 + let extractedSig = do_get_file("extracted_signature", true);
1.402 + if (extractedSig.exists()) {
1.403 + extractedSig.remove(false);
1.404 + }
1.405 + extractMARSignature(inMAR, 0, extractedSig, wantSuccess);
1.406 + do_check_true(extractedSig.exists());
1.407 +
1.408 + let referenceSig = do_get_file("data/signed_pib_mar.signature.0"); +
1.409 + compareBinaryData(extractedSig, referenceSig);
1.410 + },
1.411 + // Test extracting the all signatures in a multi signature MAR
1.412 + // The input MAR has 3 signatures.
1.413 + test_extract_sig_multi: function() {
1.414 + for (let i = 0; i < 3; i++) {
1.415 + let inMAR = do_get_file("data/multiple_signed_pib_mar.mar");
1.416 + let extractedSig = do_get_file("extracted_signature", true);
1.417 + if (extractedSig.exists()) {
1.418 + extractedSig.remove(false);
1.419 + }
1.420 + extractMARSignature(inMAR, i, extractedSig, wantSuccess);
1.421 + do_check_true(extractedSig.exists());
1.422 +
1.423 + let referenceSig = do_get_file("data/multiple_signed_pib_mar.sig." + i); +
1.424 + compareBinaryData(extractedSig, referenceSig);
1.425 + }
1.426 + },
1.427 + // Test extracting a signature that is out of range fails
1.428 + test_extract_sig_out_of_range: function() {
1.429 + let inMAR = do_get_file("data/signed_pib_mar.mar");
1.430 + let extractedSig = do_get_file("extracted_signature", true);
1.431 + if (extractedSig.exists()) {
1.432 + extractedSig.remove(false);
1.433 + }
1.434 + const outOfBoundsIndex = 5;
1.435 + extractMARSignature(inMAR, outOfBoundsIndex, extractedSig, wantFailure);
1.436 + do_check_false(extractedSig.exists());
1.437 + },
1.438 + // Test signing a file that doesn't exist fails
1.439 + test_bad_path_sign_fails: function() {
1.440 + let inMAR = do_get_file("data/does_not_exist_.mar", true);
1.441 + let outMAR = tempDir.clone();
1.442 + outMAR.append("signed_out.mar");
1.443 + do_check_false(inMAR.exists());
1.444 + signMAR(inMAR, outMAR, ["mycert"], wantFailure, true);
1.445 + do_check_false(outMAR.exists());
1.446 + },
1.447 + // Test verifying only a subset of the signatures fails.
1.448 + // The input MAR has: mycert, mycert2, mycert3.
1.449 + // We're only verifying 2 of the 3 signatures and that should fail.
1.450 + test_verify_multiple_subset: function() {
1.451 + let signedMAR = do_get_file("data/multiple_signed_pib_mar.mar");
1.452 + verifyMAR(signedMAR, wantFailure, ["mycert", "mycert2"]);
1.453 + },
1.454 + // Test importing the first signature in a MAR that has only
1.455 + // a single signature
1.456 + test_import_sig_single: function() {
1.457 + // Make sure the input MAR was signed with mycert only
1.458 + let inMAR = do_get_file("data/signed_pib_mar.mar");
1.459 + verifyMAR(inMAR, wantSuccess, ["mycert"], false);
1.460 + verifyMAR(inMAR, wantFailure, ["mycert2"], false);
1.461 + verifyMAR(inMAR, wantFailure, ["mycert3"], false);
1.462 +
1.463 + // Get the signature file for this MAR signed with the key from mycert2
1.464 + let sigFile = do_get_file("data/signed_pib_mar.signature.mycert2");
1.465 + do_check_true(sigFile.exists());
1.466 + let outMAR = tempDir.clone();
1.467 + outMAR.append("sigchanged_signed_pib_mar.mar");
1.468 + if (outMAR.exists()) {
1.469 + outMAR.remove(false);
1.470 + }
1.471 +
1.472 + //Run the import operation
1.473 + importMARSignature(inMAR, 0, sigFile, outMAR, wantSuccess);
1.474 +
1.475 + // Verify we have a new MAR file and that mycert no longer verifies
1.476 + // and that mycert2 does verify
1.477 + do_check_true(outMAR.exists());
1.478 + verifyMAR(outMAR, wantFailure, ["mycert"], false);
1.479 + verifyMAR(outMAR, wantSuccess, ["mycert2"], false);
1.480 + verifyMAR(outMAR, wantFailure, ["mycert3"], false);
1.481 +
1.482 + // Compare the binary data to something that was signed originally
1.483 + // with the private key from mycert2
1.484 + let refMAR = do_get_file("data/signed_pib_mar_with_mycert2.mar");
1.485 + do_check_true(refMAR.exists());
1.486 + let refMARData = getBinaryFileData(refMAR);
1.487 + let outMARData = getBinaryFileData(outMAR);
1.488 + compareBinaryData(outMARData, refMARData);
1.489 + },
1.490 + // Test importing a signature that doesn't belong to the file
1.491 + // fails to verify.
1.492 + test_import_wrong_sig: function() {
1.493 + // Make sure the input MAR was signed with mycert only
1.494 + let inMAR = do_get_file("data/signed_pib_mar.mar");
1.495 + verifyMAR(inMAR, wantSuccess, ["mycert"], false);
1.496 + verifyMAR(inMAR, wantFailure, ["mycert2"], false);
1.497 + verifyMAR(inMAR, wantFailure, ["mycert3"], false);
1.498 +
1.499 + // Get the signature file for this MAR signed with the key from mycert2
1.500 + let sigFile = do_get_file("data/multiple_signed_pib_mar.sig.0");
1.501 + do_check_true(sigFile.exists());
1.502 + let outMAR = tempDir.clone();
1.503 + outMAR.append("sigchanged_signed_pib_mar.mar");
1.504 + if (outMAR.exists()) {
1.505 + outMAR.remove(false);
1.506 + }
1.507 +
1.508 + //Run the import operation
1.509 + importMARSignature(inMAR, 0, sigFile, outMAR, wantSuccess);
1.510 +
1.511 + // Verify we have a new MAR file and that mycert no longer verifies
1.512 + // and that mycert2 does verify
1.513 + do_check_true(outMAR.exists());
1.514 + verifyMAR(outMAR, wantFailure, ["mycert"], false);
1.515 + verifyMAR(outMAR, wantFailure, ["mycert2"], false);
1.516 + verifyMAR(outMAR, wantFailure, ["mycert3"], false);
1.517 + },
1.518 + // Test importing to the second signature in a MAR that has multiple
1.519 + // signature
1.520 + test_import_sig_multiple: function() {
1.521 + // Make sure the input MAR was signed with mycert only
1.522 + let inMAR = do_get_file("data/multiple_signed_pib_mar.mar");
1.523 + verifyMAR(inMAR, wantSuccess, ["mycert", "mycert2", "mycert3"], false);
1.524 + verifyMAR(inMAR, wantFailure, ["mycert", "mycert", "mycert3"], false);
1.525 +
1.526 + // Get the signature file for this MAR signed with the key from mycert
1.527 + let sigFile = do_get_file("data/multiple_signed_pib_mar.sig.0");
1.528 + do_check_true(sigFile.exists());
1.529 + let outMAR = tempDir.clone();
1.530 + outMAR.append("sigchanged_signed_pib_mar.mar");
1.531 + if (outMAR.exists()) {
1.532 + outMAR.remove(false);
1.533 + }
1.534 +
1.535 + //Run the import operation
1.536 + const secondSigPos = 1;
1.537 + importMARSignature(inMAR, secondSigPos, sigFile, outMAR, wantSuccess);
1.538 +
1.539 + // Verify we have a new MAR file and that mycert no longer verifies
1.540 + // and that mycert2 does verify
1.541 + do_check_true(outMAR.exists());
1.542 + verifyMAR(outMAR, wantSuccess, ["mycert", "mycert", "mycert3"], false);
1.543 + verifyMAR(outMAR, wantFailure, ["mycert", "mycert2", "mycert3"], false);
1.544 +
1.545 + // Compare the binary data to something that was signed originally
1.546 + // with the private keys from mycert, mycert, mycert3
1.547 + let refMAR = do_get_file("data/multiple_signed_pib_mar_2.mar");
1.548 + do_check_true(refMAR.exists());
1.549 + let refMARData = getBinaryFileData(refMAR);
1.550 + let outMARData = getBinaryFileData(outMAR);
1.551 + compareBinaryData(outMARData, refMARData);
1.552 + },
1.553 + // Test stripping a MAR that doesn't exist fails
1.554 + test_bad_path_strip_fails: function() {
1.555 + let noMAR = do_get_file("data/does_not_exist_mar", true);
1.556 + do_check_false(noMAR.exists());
1.557 + let outMAR = tempDir.clone();
1.558 + outMAR.append("out.mar");
1.559 + stripMARSignature(noMAR, outMAR, wantFailure);
1.560 + },
1.561 + // Test extracting from a bad path fails
1.562 + test_extract_bad_path: function() {
1.563 + let noMAR = do_get_file("data/does_not_exist.mar", true);
1.564 + let extractedSig = do_get_file("extracted_signature", true);
1.565 + do_check_false(noMAR.exists());
1.566 + if (extractedSig.exists()) {
1.567 + extractedSig.remove(false);
1.568 + }
1.569 + extractMARSignature(noMAR, 0, extractedSig, wantFailure);
1.570 + do_check_false(extractedSig.exists());
1.571 + },
1.572 + // Between each test make sure the out MAR does not exist.
1.573 + cleanup_per_test: function() {
1.574 + }
1.575 + };
1.576 +
1.577 + cleanup();
1.578 +
1.579 + // Run all the tests
1.580 + do_check_eq(run_tests(tests), Object.keys(tests).length - 1);
1.581 +
1.582 + do_register_cleanup(cleanup);
1.583 +}
