security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp

changeset 0
6474c204b198
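--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,92 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// This is a standalone server that uses various bad certificates.
+// The client is expected to connect, initiate an SSL handshake (with SNI
+// to indicate which "server" to connect to), and verify the certificate.
+// If all is good, the client then sends one encrypted byte and receives that
+// same byte back.
+// This server also has the ability to "call back" another process waiting on
+// it. That is, when the server is all set up and ready to receive connections,
+// it will connect to a specified port and issue a simple HTTP request.
+
+#include <stdio.h>
+
+#include "TLSServer.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+
+struct BadCertHost
+{
+  const char *mHostName;
+  const char *mCertName;
+};
+
+// Hostname, cert nickname pairs.
+const BadCertHost sBadCertHosts[] =
+{
+  { "expired.example.com", "expired" },
+  { "selfsigned.example.com", "selfsigned" },
+  { "unknownissuer.example.com", "unknownissuer" },
+  { "mismatch.example.com", "mismatch" },
+  { "expiredissuer.example.com", "expiredissuer" },
+  { "md5signature.example.com", "md5signature" },
+  { "untrusted.example.com", "localhostAndExampleCom" },
+  { "untrustedissuer.example.com", "untrustedissuer" },
+  { "mismatch-expired.example.com", "mismatch-expired" },
+  { "mismatch-untrusted.example.com", "mismatch-untrusted" },
+  { "untrusted-expired.example.com", "untrusted-expired" },
+  { "md5signature-expired.example.com", "md5signature-expired" },
+  { "mismatch-untrusted-expired.example.com", "mismatch-untrusted-expired" },
+  { "inadequatekeyusage.example.com", "inadequatekeyusage" },
+  { "selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU" },
+  { "self-signed-end-entity-with-cA-true.example.com", "self-signed-EE-with-cA-true" },
+  // All of include-subdomains.pinning.example.com is pinned to End Entity
+  // Test Cert with nick localhostAndExampleCom. Any other nick will only
+  // pass pinning when security.cert_pinning.enforcement.level != strict and
+  // otherCA is added as a user-specified trust anchor. See StaticHPKPins.h.
+  { "include-subdomains.pinning.example.com", "localhostAndExampleCom" },
+  { "good.include-subdomains.pinning.example.com", "localhostAndExampleCom" },
+  { "bad.include-subdomains.pinning.example.com", "otherIssuerEE" },
+  { "exclude-subdomains.pinning.example.com", "localhostAndExampleCom" },
+  { "sub.exclude-subdomains.pinning.example.com", "otherIssuerEE" },
+  { "test-mode.pinning.example.com", "otherIssuerEE" },
+  { nullptr, nullptr }
+};
+
+int32_t
+DoSNISocketConfig(PRFileDesc *aFd, const SECItem *aSrvNameArr,
+                  uint32_t aSrvNameArrSize, void *aArg)
+{
+  const BadCertHost *host = GetHostForSNI(aSrvNameArr, aSrvNameArrSize,
+                                          sBadCertHosts);
+  if (!host) {
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  if (gDebugLevel >= DEBUG_VERBOSE) {
+    fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
+  }
+
+  ScopedCERTCertificate cert;
+  SSLKEAType certKEA;
+  if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, host->mCertName,
+                                                    &cert, &certKEA)) {
+    return SSL_SNI_SEND_ALERT;
+  }
+
+  return 0;
+}
+
+int
+main(int argc, char *argv[])
+{
+  if (argc != 2) {
+    fprintf(stderr, "usage: %s <NSS DB directory>\n", argv[0]);
+    return 1;
+  }
+
+  return StartServer(argv[1], DoSNISocketConfig, nullptr);
+}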
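Review bot: The success path of DoSNISocketConfig ends in a bare `return 0;`, and NSS reads a non-negative return from an SNI socket-config callback as the index into `aSrvNameArr` of the name that was accepted. GetHostForSNI is declared outside this file, so it is not visible here whether it can match an entry other than the first. If it can, index 0 would be reported for a name that was not the one used to pick the certificate. At minimum the assumption should be documented above the return, for example `// 0 = index in aSrvNameArr of the accepted name; assumes a single SNI entry`. Returning the matched index would be the stricter fix if the helper can expose it.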
