The Tor Browser: security/manager/ssl/tests/mochitest/bugs/test_certificate

     1 <!DOCTYPE HTML>

     2 <html>

     3 <head>

     4   <title>Test certificate overrides</title>

     5   <script type="text/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>

     6   <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css" />

     7 </head>

     8 <body>

     9 <script class="testbody" type="text/javascript">

    11 const Cc = Components.classes;

    12 const Ci = Components.interfaces;

    13 const cos = Cc["@mozilla.org/security/certoverride;1"].

    14               getService(Ci.nsICertOverrideService);

    16 const eu = Ci.nsICertOverrideService.ERROR_UNTRUSTED;

    17 const em = Ci.nsICertOverrideService.ERROR_MISMATCH;

    18 const et = Ci.nsICertOverrideService.ERROR_TIME;

    20 // Note:  the host index matches the expected error.

    21 var testHost = [];

    22 testHost[           eu ] = "untrusted.example.com";

    23 testHost[      em      ] = "nocert.example.com";

    24 testHost[      em | eu ] = "mismatch.untrusted.example.com";

    25 testHost[ et           ] = "expired.example.com";

    26 testHost[ et      | eu ] = "untrusted-expired.example.com";

    27 testHost[ et | em      ] = "mismatch.expired.example.com";

    28 testHost[ et | em | eu ] = "mismatch.untrusted-expired.example.com";

    30 var gCertErrorBits;

    32 SimpleTest.waitForExplicitFinish();

    34 // Support for making sure we can talk to the invalid cert the server presents

    35 var CertOverrideListener = function(host, port, bits) {

    36   this.host = host;

    37   if (port) {

    38     this.port = port;

    39   }

    40   this.bits = bits;

    41 };

    43 CertOverrideListener.prototype = {

    44   host: null,

    45   port: -1,

    46   bits: null,

    47   getInterface: function(aIID) {

    48     return this.QueryInterface(aIID);

    49   },

    50   QueryInterface: function(aIID) {

    51     if (aIID.equals(Ci.nsIBadCertListener2) ||

    52         aIID.equals(Ci.nsIInterfaceRequestor) ||

    53         aIID.equals(Ci.nsISupports)) {

    54       return this;

    55     }

    56     throw Components.results.NS_ERROR_NO_INTERFACE;

    57   },

    58   notifyCertProblem: function(socketInfo, sslStatus, targetHost) {

    59     var cert = sslStatus.QueryInterface(Ci.nsISSLStatus).serverCert;

    60     cos.rememberValidityOverride(this.host, this.port, cert, this.bits, true);

    61     gCertErrorBits = 0;

    62     if (sslStatus.isUntrusted) {

    63       gCertErrorBits |= Ci.nsICertOverrideService.ERROR_UNTRUSTED;

    64     }

    65     if (sslStatus.isDomainMismatch) {

    66       gCertErrorBits |= Ci.nsICertOverrideService.ERROR_MISMATCH;

    67     }

    68     if (sslStatus.isNotValidAtThisTime) {

    69       gCertErrorBits |= Ci.nsICertOverrideService.ERROR_TIME;

    70     }

    71     return true;

    72   },

    73 }

    75 function addCertOverride(host, port, bits)

    76 {

    77   var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]

    78              .createInstance(Ci.nsIXMLHttpRequest);

    79   var url;

    80   if (port) {

    81     url = "https://" + host + ":" + port + "/";

    82   } else {

    83     url = "https://" + host + "/";

    84   }

    85   req.open("GET", url, false);

    86   req.channel.notificationCallbacks = new CertOverrideListener(host, port, bits);

    87   try {

    88     req.send(null);

    89     ok(false, "Connection to host " + host + " succeeded when it should have failed");

    90   } catch (e) {

    91     // Failure here is expected as the server is not trusted yet.

    92   }

    93 }

    95 function xhrConnect(domain,message,expectedSuccess)

    96 {

    97   var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]

    98              .createInstance(Ci.nsIXMLHttpRequest);

    99   req.open("GET", "https://" + domain + "/", false);

   100   try {

   101     req.send(null);

   102     ok(expectedSuccess, "Page Load success " + message + " expected=" + expectedSuccess);

   103   } catch (err) {

   104     ok(!expectedSuccess, "Page failed to load " + message + " expected=" + expectedSuccess);

   105   }

   106 }

   108 function checkHostConnect(host, overrideBits, successExpected, overridesMustEqualError)

   109 {

   110   var statusMessage = " overrideBits=" + overrideBits;

   111   addCertOverride(host, 443, overrideBits);

   112   if (overridesMustEqualError) {

   113     is(gCertErrorBits, overrideBits, "Reported Error match: errorbits=" + gCertErrorBits + " host=" + host);

   114   }

   115   xhrConnect(host, "override host=" + host + statusMessage, successExpected);

   116   cos.clearValidityOverride(host, 443);

   117 }

   119 function testCertOverrides()

   120 {

   121   for (var i = 1; i < testHost.length; ++i) {

   122     cos.clearValidityOverride(testHost[i], 443);

   123   }

   124   const allErrorBits = et | em | eu ;

   125   for (var i = 1; i < allErrorBits + 1; ++i) {

   126     var overrideBits = i;

   127     for (var j = 1; j < testHost.length; ++j){

   128       var expectedError = j;

   129       var successExpected = (0 == (expectedError & ~overrideBits));

   130       var errorMustMatch = (overrideBits == expectedError);

   131       checkHostConnect(testHost[j], overrideBits, successExpected, errorMustMatch);

   132     }

   133   }

   134   // Now we test the self-signed. Must return an overridable untrusted error.

   135   cos.clearValidityOverride("self-signed.example.com", 443);

   136   checkHostConnect("self-signed.example.com", eu, successExpected, true);

   137 }

   139 testCertOverrides();

   140 SimpleTest.finish();

   142 </script>

   144 </body>

   145 </html>

The Tor Browser / file revision