security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 /* This Source Code Form is subject to the terms of the Mozilla Public
     2  * License, v. 2.0. If a copy of the MPL was not distributed with this
     3  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
     5 // This is a standalone server that uses various bad certificates.
     6 // The client is expected to connect, initiate an SSL handshake (with SNI
     7 // to indicate which "server" to connect to), and verify the certificate.
     8 // If all is good, the client then sends one encrypted byte and receives that
     9 // same byte back.
    10 // This server also has the ability to "call back" another process waiting on
    11 // it. That is, when the server is all set up and ready to receive connections,
    12 // it will connect to a specified port and issue a simple HTTP request.
    14 #include <stdio.h>
    16 #include "TLSServer.h"
    18 using namespace mozilla;
    19 using namespace mozilla::test;
// One row of the SNI lookup table used by DoSNISocketConfig: the server name
// a client sends in its SNI extension, paired with the NSS nickname of the
// certificate this server presents for that name. Both strings are borrowed
// literals; the struct owns nothing and stays an aggregate so the table below
// can use brace initialization.
struct BadCertHost
{
  const char* mHostName; // SNI host name, e.g. "expired.example.com"
  const char* mCertName; // certificate nickname in the NSS DB given to main()
};
// Hostname, cert nickname pairs.
// Lookup table consulted by DoSNISocketConfig: the SNI host name the client
// sends, paired with the nickname of the certificate (in the NSS DB named on
// the command line) that this server presents for it. Each nickname is meant
// to carry the defect its name describes (expired, self-signed, unknown or
// untrusted issuer, name mismatch, MD5 signature, inadequate key usage / EKU,
// a self-signed end entity with cA=true, and combinations thereof) so that
// the test client can check that its verifier rejects each one for the right
// reason. The certificate contents themselves live in the NSS DB, not here.
const BadCertHost sBadCertHosts[] =
{
  { "expired.example.com", "expired" },
  { "selfsigned.example.com", "selfsigned" },
  { "unknownissuer.example.com", "unknownissuer" },
  { "mismatch.example.com", "mismatch" },
  { "expiredissuer.example.com", "expiredissuer" },
  { "md5signature.example.com", "md5signature" },
  // Served with an otherwise valid cert; "untrusted" refers to how the test
  // client is expected to configure trust for it, not to a defect in the cert.
  { "untrusted.example.com", "localhostAndExampleCom" },
  { "untrustedissuer.example.com", "untrustedissuer" },
  { "mismatch-expired.example.com", "mismatch-expired" },
  { "mismatch-untrusted.example.com", "mismatch-untrusted" },
  { "untrusted-expired.example.com", "untrusted-expired" },
  { "md5signature-expired.example.com", "md5signature-expired" },
  { "mismatch-untrusted-expired.example.com", "mismatch-untrusted-expired" },
  { "inadequatekeyusage.example.com", "inadequatekeyusage" },
  { "selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU" },
  { "self-signed-end-entity-with-cA-true.example.com", "self-signed-EE-with-cA-true" },
  // All of include-subdomains.pinning.example.com is pinned to End Entity
  // Test Cert with nick localhostAndExampleCom. Any other nick will only
  // pass pinning when security.cert_pinning.enforcement.level != strict and
  // otherCA is added as a user-specified trust anchor. See StaticHPKPins.h.
  // The "bad"/"sub" entries below deliberately serve otherIssuerEE so a
  // pin-enforcing client can verify that a certificate from a CA outside the
  // pin set is refused even when that CA is otherwise trusted.
  { "include-subdomains.pinning.example.com", "localhostAndExampleCom" },
  { "good.include-subdomains.pinning.example.com", "localhostAndExampleCom" },
  { "bad.include-subdomains.pinning.example.com", "otherIssuerEE" },
  { "exclude-subdomains.pinning.example.com", "localhostAndExampleCom" },
  { "sub.exclude-subdomains.pinning.example.com", "otherIssuerEE" },
  { "test-mode.pinning.example.com", "otherIssuerEE" },
  // Terminator: must stay the last entry. Presumably this is what
  // GetHostForSNI scans for (declared in TLSServer.h, not visible here);
  // confirm before adding entries after it.
  { nullptr, nullptr }
};
// SNI callback handed to StartServer: chooses which "bad" certificate to
// present based on the server name the client sent, and installs it on aFd.
//
// Returns 0 on success, or SSL_SNI_SEND_ALERT when the name is not in
// sBadCertHosts or the named certificate could not be configured, so that an
// unexpected SNI never silently gets some default certificate. The value 0 is
// presumably the index of the selected name in aSrvNameArr (NSS's convention
// for this callback) — confirm against the SSLSNISocketConfig documentation.
// aArg is unused. `cert` is released when this function returns; the socket
// is assumed to keep its own reference after ConfigSecureServerWithNamedCert
// (see TLSServer.cpp) — TODO confirm.
int32_t
DoSNISocketConfig(PRFileDesc *aFd, const SECItem *aSrvNameArr,
                  uint32_t aSrvNameArrSize, void *aArg)
{
  const BadCertHost *match = GetHostForSNI(aSrvNameArr, aSrvNameArrSize,
                                           sBadCertHosts);
  if (match == nullptr) {
    // Unknown SNI: refuse the handshake rather than guess a certificate.
    return SSL_SNI_SEND_ALERT;
  }

  if (gDebugLevel >= DEBUG_VERBOSE) {
    fprintf(stderr, "found pre-defined host '%s'\n", match->mHostName);
  }

  ScopedCERTCertificate cert;
  SSLKEAType keaType;
  const bool configured =
    SECSuccess == ConfigSecureServerWithNamedCert(aFd, match->mCertName,
                                                  &cert, &keaType);
  return configured ? 0 : SSL_SNI_SEND_ALERT;
}
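// Entry point. Expects exactly one argument, the directory of the NSS DB that
// holds the test certificates named in sBadCertHosts, and hands control to the
// shared server loop with DoSNISocketConfig as the SNI callback.
//
// Returns 1 on a usage error; otherwise whatever StartServer returns.
int
main(int argc, char *argv[])
{
  if (argc != 2) {
    // argv[0] may be null when the process is started with an empty argv
    // (argc == 0); passing null to %s is undefined behaviour, so substitute
    // a fixed program name in that case.
    const char *progName = (argc > 0 && argv[0]) ? argv[0] : "BadCertServer";
    fprintf(stderr, "usage: %s <NSS DB directory>\n", progName);
    return 1;
  }

  return StartServer(argv[1], DoSNISocketConfig, nullptr);
}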
