michael@0: /* Any copyright is dedicated to the Public Domain. michael@0: http://creativecommons.org/publicdomain/zero/1.0/ */ michael@0: michael@0: function run_test() { michael@0: michael@0: /** michael@0: * Signs a MAR file. michael@0: * michael@0: * @param inMAR The MAR file that should be signed michael@0: * @param outMAR The MAR file to create michael@0: */ michael@0: function signMAR(inMAR, outMAR, certs, wantSuccess, useShortHandCmdLine) { michael@0: // Get a process to the signmar binary from the dist/bin directory. michael@0: let process = Cc["@mozilla.org/process/util;1"]. michael@0: createInstance(Ci.nsIProcess); michael@0: let signmarBin = do_get_file("signmar" + BIN_SUFFIX); michael@0: michael@0: // Make sure the signmar binary exists and is an executable. michael@0: do_check_true(signmarBin.exists()); michael@0: do_check_true(signmarBin.isExecutable()); michael@0: michael@0: // Setup the command line arguments to sign the MAR. michael@0: let NSSConfigDir = do_get_file("data"); michael@0: let args = ["-d", NSSConfigDir.path]; michael@0: if (certs.length == 1 && useShortHandCmdLine) { michael@0: args.push("-n", certs[0]); michael@0: } else { michael@0: for (var i = 0; i < certs.length; i++) { michael@0: args.push("-n" + i, certs[i]); michael@0: } michael@0: } michael@0: args.push("-s", inMAR.path, outMAR.path); michael@0: michael@0: process.init(signmarBin); michael@0: try { michael@0: process.run(true, args, args.length); michael@0: } catch(e) { michael@0: // On Windows negative return value throws an exception michael@0: process.exitValue = -1; michael@0: } michael@0: michael@0: // Verify signmar returned 0 for success. michael@0: if (wantSuccess) { michael@0: do_check_eq(process.exitValue, 0); michael@0: } else { michael@0: do_check_neq(process.exitValue, 0); michael@0: } michael@0: } michael@0: michael@0: michael@0: /** michael@0: * Extract a MAR signature. michael@0: * michael@0: * @param inMAR The MAR file who's signature should be extracted michael@0: * @param sigIndex The index of the signature to extract michael@0: * @param extractedSig The file where the extracted signature will be stored michael@0: * @param wantSuccess True if a successful signmar return code is desired michael@0: */ michael@0: function extractMARSignature(inMAR, sigIndex, extractedSig, wantSuccess) { michael@0: // Get a process to the signmar binary from the dist/bin directory. michael@0: let process = Cc["@mozilla.org/process/util;1"]. michael@0: createInstance(Ci.nsIProcess); michael@0: let signmarBin = do_get_file("signmar" + BIN_SUFFIX); michael@0: michael@0: // Make sure the signmar binary exists and is an executable. michael@0: do_check_true(signmarBin.exists()); michael@0: do_check_true(signmarBin.isExecutable()); michael@0: michael@0: // Setup the command line arguments to extract the signature in the MAR. michael@0: let args = ["-n" + sigIndex, "-X", inMAR.path, extractedSig.path]; michael@0: michael@0: process.init(signmarBin); michael@0: try { michael@0: process.run(true, args, args.length); michael@0: } catch(e) { michael@0: // On Windows negative return value throws an exception michael@0: process.exitValue = -1; michael@0: } michael@0: michael@0: // Verify signmar returned 0 for success. michael@0: if (wantSuccess) { michael@0: do_check_eq(process.exitValue, 0); michael@0: } else { michael@0: do_check_neq(process.exitValue, 0); michael@0: } michael@0: } michael@0: michael@0: /** michael@0: * Import a MAR signature. michael@0: * michael@0: * @param inMAR The MAR file who's signature should be imported to michael@0: * @param sigIndex The index of the signature to import to michael@0: * @param sigFile The file where the base64 signature exists michael@0: * @param outMAR The same as inMAR but with the specified signature michael@0: * swapped at the specified index. michael@0: * @param wantSuccess True if a successful signmar return code is desired michael@0: */ michael@0: function importMARSignature(inMAR, sigIndex, sigFile, outMAR, wantSuccess) { michael@0: // Get a process to the signmar binary from the dist/bin directory. michael@0: let process = Cc["@mozilla.org/process/util;1"]. michael@0: createInstance(Ci.nsIProcess); michael@0: let signmarBin = do_get_file("signmar" + BIN_SUFFIX); michael@0: michael@0: // Make sure the signmar binary exists and is an executable. michael@0: do_check_true(signmarBin.exists()); michael@0: do_check_true(signmarBin.isExecutable()); michael@0: michael@0: // Setup the command line arguments to import the signature in the MAR. michael@0: let args = ["-n" + sigIndex, "-I", inMAR.path, sigFile.path, outMAR.path]; michael@0: michael@0: process.init(signmarBin); michael@0: try { michael@0: process.run(true, args, args.length); michael@0: } catch(e) { michael@0: // On Windows negative return value throws an exception michael@0: process.exitValue = -1; michael@0: } michael@0: michael@0: // Verify signmar returned 0 for success. michael@0: if (wantSuccess) { michael@0: do_check_eq(process.exitValue, 0); michael@0: } else { michael@0: do_check_neq(process.exitValue, 0); michael@0: } michael@0: } michael@0: michael@0: /** michael@0: * Verifies a MAR file. michael@0: * michael@0: * @param signedMAR Verifies a MAR file michael@0: */ michael@0: function verifyMAR(signedMAR, wantSuccess, certs, useShortHandCmdLine) { michael@0: // Get a process to the signmar binary from the dist/bin directory. michael@0: let process = Cc["@mozilla.org/process/util;1"]. michael@0: createInstance(Ci.nsIProcess); michael@0: let signmarBin = do_get_file("signmar" + BIN_SUFFIX); michael@0: michael@0: // Make sure the signmar binary exists and is an executable. michael@0: do_check_true(signmarBin.exists()); michael@0: do_check_true(signmarBin.isExecutable()); michael@0: michael@0: // Will reference the arguments to use for verification in signmar michael@0: let args = []; michael@0: michael@0: // The XPCShell test wiki indicates this is the preferred way for michael@0: // Windows and OSX detection. michael@0: var isWindows = ("@mozilla.org/windows-registry-key;1" in Cc); michael@0: var isOSX = ("nsILocalFileMac" in Components.interfaces); michael@0: michael@0: // Setup the command line arguments to create the MAR. michael@0: // Windows & Mac vs. Linux/... have different command line for verification michael@0: // since on Windows we verify with CryptoAPI, on Mac with Security michael@0: // Transforms or CDSA/CSSM and on all other platforms we verify with NSS. So michael@0: // on Windows and Mac we use an exported DER file and on other platforms we michael@0: // use the NSS config db. michael@0: if (isWindows || isOSX) { michael@0: if (certs.length == 1 && useShortHandCmdLine) { michael@0: args.push("-D", "data/" + certs[0] + ".der"); michael@0: } else { michael@0: for (var i = 0; i < certs.length; i++) { michael@0: args.push("-D" + i, "data/" + certs[i] + ".der"); michael@0: } michael@0: } michael@0: } else { michael@0: let NSSConfigDir = do_get_file("data"); michael@0: args = ["-d", NSSConfigDir.path]; michael@0: if (certs.length == 1 && useShortHandCmdLine) { michael@0: args.push("-n", certs[0]); michael@0: } else { michael@0: for (var i = 0; i < certs.length; i++) { michael@0: args.push("-n" + i, certs[i]); michael@0: } michael@0: } michael@0: } michael@0: args.push("-v", signedMAR.path); michael@0: michael@0: process.init(signmarBin); michael@0: try { michael@0: // We put this in a try block because nsIProcess doesn't like -1 returns michael@0: process.run(true, args, args.length); michael@0: } catch (e) { michael@0: // On Windows negative return value throws an exception michael@0: process.exitValue = -1; michael@0: } michael@0: michael@0: // Verify signmar returned 0 for success. michael@0: if (wantSuccess) { michael@0: do_check_eq(process.exitValue, 0); michael@0: } else { michael@0: do_check_neq(process.exitValue, 0); michael@0: } michael@0: } michael@0: michael@0: /** michael@0: * Strips a MAR signature. michael@0: * michael@0: * @param signedMAR The MAR file that should be signed michael@0: * @param outMAR The MAR file to write to with signature stripped michael@0: */ michael@0: function stripMARSignature(signedMAR, outMAR, wantSuccess) { michael@0: // Get a process to the signmar binary from the dist/bin directory. michael@0: let process = Cc["@mozilla.org/process/util;1"]. michael@0: createInstance(Ci.nsIProcess); michael@0: let signmarBin = do_get_file("signmar" + BIN_SUFFIX); michael@0: michael@0: // Make sure the signmar binary exists and is an executable. michael@0: do_check_true(signmarBin.exists()); michael@0: do_check_true(signmarBin.isExecutable()); michael@0: michael@0: // Setup the command line arguments to create the MAR. michael@0: let args = ["-r", signedMAR.path, outMAR.path]; michael@0: michael@0: process.init(signmarBin); michael@0: try { michael@0: process.run(true, args, args.length); michael@0: } catch (e) { michael@0: // On Windows negative return value throws an exception michael@0: process.exitValue = -1; michael@0: } michael@0: michael@0: // Verify signmar returned 0 for success. michael@0: if (wantSuccess) { michael@0: do_check_eq(process.exitValue, 0); michael@0: } else { michael@0: do_check_neq(process.exitValue, 0); michael@0: } michael@0: } michael@0: michael@0: michael@0: function cleanup() { michael@0: let outMAR = tempDir.clone(); michael@0: outMAR.append("signed_out.mar"); michael@0: if (outMAR.exists()) { michael@0: outMAR.remove(false); michael@0: } michael@0: outMAR = tempDir.clone(); michael@0: outMAR.append("multiple_signed_out.mar"); michael@0: if (outMAR.exists()) { michael@0: outMAR.remove(false); michael@0: } michael@0: outMAR = tempDir.clone(); michael@0: outMAR.append("out.mar"); michael@0: if (outMAR.exists()) { michael@0: outMAR.remove(false); michael@0: } michael@0: michael@0: let outDir = tempDir.clone(); michael@0: outDir.append("out"); michael@0: if (outDir.exists()) { michael@0: outDir.remove(true); michael@0: } michael@0: } michael@0: michael@0: const wantFailure = false; michael@0: const wantSuccess = true; michael@0: // Define the unit tests to run. michael@0: let tests = { michael@0: // Test signing a MAR file with a single signature michael@0: test_sign_single: function() { michael@0: let inMAR = do_get_file("data/" + refMARPrefix + "binary_data_mar.mar"); michael@0: let outMAR = tempDir.clone(); michael@0: outMAR.append("signed_out.mar"); michael@0: if (outMAR.exists()) { michael@0: outMAR.remove(false); michael@0: } michael@0: signMAR(inMAR, outMAR, ["mycert"], wantSuccess, true); michael@0: do_check_true(outMAR.exists()); michael@0: let outMARData = getBinaryFileData(outMAR); michael@0: let refMAR = do_get_file("data/" + refMARPrefix + "signed_pib_mar.mar"); michael@0: let refMARData = getBinaryFileData(refMAR); michael@0: compareBinaryData(outMARData, refMARData); michael@0: }, michael@0: // Test signing a MAR file with multiple signatures michael@0: test_sign_multiple: function() { michael@0: let inMAR = do_get_file("data/" + refMARPrefix + "binary_data_mar.mar"); michael@0: let outMAR = tempDir.clone(); michael@0: outMAR.append("multiple_signed_out.mar"); michael@0: if (outMAR.exists()) { michael@0: outMAR.remove(false); michael@0: } michael@0: do_check_false(outMAR.exists()); michael@0: signMAR(inMAR, outMAR, ["mycert", "mycert2", "mycert3"], michael@0: wantSuccess, true); michael@0: do_check_true(outMAR.exists()); michael@0: let outMARData = getBinaryFileData(outMAR); michael@0: let refMAR = do_get_file("data/" + refMARPrefix + "multiple_signed_pib_mar.mar"); michael@0: let refMARData = getBinaryFileData(refMAR); michael@0: compareBinaryData(outMARData, refMARData); michael@0: }, michael@0: // Test verifying a signed MAR file michael@0: test_verify_single: function() { michael@0: let signedMAR = do_get_file("data/signed_pib_mar.mar"); michael@0: verifyMAR(signedMAR, wantSuccess, ["mycert"], true); michael@0: verifyMAR(signedMAR, wantSuccess, ["mycert"], false); michael@0: }, michael@0: // Test verifying a signed MAR file with too many certs fails. michael@0: // Or if you want to look at it another way, One mycert signature michael@0: // is missing. michael@0: test_verify_single_too_many_certs: function() { michael@0: let signedMAR = do_get_file("data/signed_pib_mar.mar"); michael@0: verifyMAR(signedMAR, wantFailure, ["mycert", "mycert"], true); michael@0: verifyMAR(signedMAR, wantFailure, ["mycert", "mycert"], false); michael@0: }, michael@0: // Test verifying a signed MAR file fails when using a wrong cert michael@0: test_verify_single_wrong_cert: function() { michael@0: let signedMAR = do_get_file("data/signed_pib_mar.mar"); michael@0: verifyMAR(signedMAR, wantFailure, ["mycert2"], true); michael@0: verifyMAR(signedMAR, wantFailure, ["mycert2"], false); michael@0: }, michael@0: // Test verifying a signed MAR file with multiple signatures michael@0: test_verify_multiple: function() { michael@0: let signedMAR = do_get_file("data/multiple_signed_pib_mar.mar"); michael@0: verifyMAR(signedMAR, wantSuccess, ["mycert", "mycert2", "mycert3"]); michael@0: }, michael@0: // Test verifying an unsigned MAR file fails michael@0: test_verify_unsigned_mar_file_fails: function() { michael@0: let unsignedMAR = do_get_file("data/binary_data_mar.mar"); michael@0: verifyMAR(unsignedMAR, wantFailure, ["mycert", "mycert2", "mycert3"]); michael@0: }, michael@0: // Test verifying a signed MAR file with the same signature multiple michael@0: // times fails. The input MAR has: mycert, mycert2, mycert3. michael@0: // we're checking to make sure the number of verified signatures michael@0: // is only 1 and not 3. Each signature should be verified once. michael@0: test_verify_multiple_same_cert: function() { michael@0: let signedMAR = do_get_file("data/multiple_signed_pib_mar.mar"); michael@0: verifyMAR(signedMAR, wantFailure, ["mycert", "mycert", "mycert"]); michael@0: }, michael@0: // Test verifying a signed MAR file with the correct signatures but in michael@0: // a different order fails michael@0: test_verify_multiple_wrong_order: function() { michael@0: let signedMAR = do_get_file("data/multiple_signed_pib_mar.mar"); michael@0: verifyMAR(signedMAR, wantSuccess, ["mycert", "mycert2", "mycert3"]); michael@0: verifyMAR(signedMAR, wantFailure, ["mycert", "mycert3", "mycert2"]); michael@0: verifyMAR(signedMAR, wantFailure, ["mycert2", "mycert", "mycert3"]); michael@0: verifyMAR(signedMAR, wantFailure, ["mycert2", "mycert3", "mycert"]); michael@0: verifyMAR(signedMAR, wantFailure, ["mycert3", "mycert", "mycert2"]); michael@0: verifyMAR(signedMAR, wantFailure, ["mycert3", "mycert2", "mycert"]); michael@0: }, michael@0: // Test verifying a signed MAR file without a PIB michael@0: test_verify_no_pib: function() { michael@0: let signedMAR = do_get_file("data/signed_no_pib_mar.mar"); michael@0: verifyMAR(signedMAR, wantSuccess, ["mycert"], true); michael@0: verifyMAR(signedMAR, wantSuccess, ["mycert"], false); michael@0: }, michael@0: // Test verifying a signed MAR file with multiple signatures without a PIB michael@0: test_verify_no_pib_multiple: function() { michael@0: let signedMAR = do_get_file("data/multiple_signed_no_pib_mar.mar"); michael@0: verifyMAR(signedMAR, wantSuccess, ["mycert", "mycert2", "mycert3"]); michael@0: }, michael@0: // Test verifying a crafted MAR file where the attacker tried to adjust michael@0: // the version number manually. michael@0: test_crafted_mar: function() { michael@0: let signedBadMAR = do_get_file("data/manipulated_signed_mar.mar"); michael@0: verifyMAR(signedBadMAR, wantFailure, ["mycert"], true); michael@0: verifyMAR(signedBadMAR, wantFailure, ["mycert"], false); michael@0: }, michael@0: // Test verifying a file that doesn't exist fails michael@0: test_bad_path_verify_fails: function() { michael@0: let noMAR = do_get_file("data/does_not_exist_.mar", true); michael@0: do_check_false(noMAR.exists()); michael@0: verifyMAR(noMAR, wantFailure, ["mycert"], true); michael@0: }, michael@0: // Test to make sure a stripped MAR is the same as the original MAR michael@0: test_strip_signature: function() { michael@0: let originalMAR = do_get_file("data/" + michael@0: refMARPrefix + michael@0: "binary_data_mar.mar"); michael@0: let signedMAR = tempDir.clone(); michael@0: signedMAR.append("signed_out.mar"); michael@0: let outMAR = tempDir.clone(); michael@0: outMAR.append("out.mar", true); michael@0: stripMARSignature(signedMAR, outMAR, wantSuccess); michael@0: michael@0: // Verify that the stripped MAR matches the original data MAR exactly michael@0: let outMARData = getBinaryFileData(outMAR); michael@0: let originalMARData = getBinaryFileData(originalMAR); michael@0: compareBinaryData(outMARData, originalMARData); michael@0: }, michael@0: // Test to make sure a stripped multi-signature-MAR is the same as the original MAR michael@0: test_strip_multiple_signatures: function() { michael@0: let originalMAR = do_get_file("data/" + michael@0: refMARPrefix + michael@0: "binary_data_mar.mar"); michael@0: let signedMAR = tempDir.clone(); michael@0: signedMAR.append("multiple_signed_out.mar"); michael@0: let outMAR = tempDir.clone(); michael@0: outMAR.append("out.mar"); michael@0: stripMARSignature(signedMAR, outMAR, wantSuccess); michael@0: michael@0: // Verify that the stripped MAR matches the original data MAR exactly michael@0: let outMARData = getBinaryFileData(outMAR); michael@0: let originalMARData = getBinaryFileData(originalMAR); michael@0: compareBinaryData(outMARData, originalMARData); michael@0: }, michael@0: // Test extracting the first signature in a MAR that has only a single signature michael@0: test_extract_sig_single: function() { michael@0: let inMAR = do_get_file("data/signed_pib_mar.mar"); michael@0: let extractedSig = do_get_file("extracted_signature", true); michael@0: if (extractedSig.exists()) { michael@0: extractedSig.remove(false); michael@0: } michael@0: extractMARSignature(inMAR, 0, extractedSig, wantSuccess); michael@0: do_check_true(extractedSig.exists()); michael@0: michael@0: let referenceSig = do_get_file("data/signed_pib_mar.signature.0"); + michael@0: compareBinaryData(extractedSig, referenceSig); michael@0: }, michael@0: // Test extracting the all signatures in a multi signature MAR michael@0: // The input MAR has 3 signatures. michael@0: test_extract_sig_multi: function() { michael@0: for (let i = 0; i < 3; i++) { michael@0: let inMAR = do_get_file("data/multiple_signed_pib_mar.mar"); michael@0: let extractedSig = do_get_file("extracted_signature", true); michael@0: if (extractedSig.exists()) { michael@0: extractedSig.remove(false); michael@0: } michael@0: extractMARSignature(inMAR, i, extractedSig, wantSuccess); michael@0: do_check_true(extractedSig.exists()); michael@0: michael@0: let referenceSig = do_get_file("data/multiple_signed_pib_mar.sig." + i); + michael@0: compareBinaryData(extractedSig, referenceSig); michael@0: } michael@0: }, michael@0: // Test extracting a signature that is out of range fails michael@0: test_extract_sig_out_of_range: function() { michael@0: let inMAR = do_get_file("data/signed_pib_mar.mar"); michael@0: let extractedSig = do_get_file("extracted_signature", true); michael@0: if (extractedSig.exists()) { michael@0: extractedSig.remove(false); michael@0: } michael@0: const outOfBoundsIndex = 5; michael@0: extractMARSignature(inMAR, outOfBoundsIndex, extractedSig, wantFailure); michael@0: do_check_false(extractedSig.exists()); michael@0: }, michael@0: // Test signing a file that doesn't exist fails michael@0: test_bad_path_sign_fails: function() { michael@0: let inMAR = do_get_file("data/does_not_exist_.mar", true); michael@0: let outMAR = tempDir.clone(); michael@0: outMAR.append("signed_out.mar"); michael@0: do_check_false(inMAR.exists()); michael@0: signMAR(inMAR, outMAR, ["mycert"], wantFailure, true); michael@0: do_check_false(outMAR.exists()); michael@0: }, michael@0: // Test verifying only a subset of the signatures fails. michael@0: // The input MAR has: mycert, mycert2, mycert3. michael@0: // We're only verifying 2 of the 3 signatures and that should fail. michael@0: test_verify_multiple_subset: function() { michael@0: let signedMAR = do_get_file("data/multiple_signed_pib_mar.mar"); michael@0: verifyMAR(signedMAR, wantFailure, ["mycert", "mycert2"]); michael@0: }, michael@0: // Test importing the first signature in a MAR that has only michael@0: // a single signature michael@0: test_import_sig_single: function() { michael@0: // Make sure the input MAR was signed with mycert only michael@0: let inMAR = do_get_file("data/signed_pib_mar.mar"); michael@0: verifyMAR(inMAR, wantSuccess, ["mycert"], false); michael@0: verifyMAR(inMAR, wantFailure, ["mycert2"], false); michael@0: verifyMAR(inMAR, wantFailure, ["mycert3"], false); michael@0: michael@0: // Get the signature file for this MAR signed with the key from mycert2 michael@0: let sigFile = do_get_file("data/signed_pib_mar.signature.mycert2"); michael@0: do_check_true(sigFile.exists()); michael@0: let outMAR = tempDir.clone(); michael@0: outMAR.append("sigchanged_signed_pib_mar.mar"); michael@0: if (outMAR.exists()) { michael@0: outMAR.remove(false); michael@0: } michael@0: michael@0: //Run the import operation michael@0: importMARSignature(inMAR, 0, sigFile, outMAR, wantSuccess); michael@0: michael@0: // Verify we have a new MAR file and that mycert no longer verifies michael@0: // and that mycert2 does verify michael@0: do_check_true(outMAR.exists()); michael@0: verifyMAR(outMAR, wantFailure, ["mycert"], false); michael@0: verifyMAR(outMAR, wantSuccess, ["mycert2"], false); michael@0: verifyMAR(outMAR, wantFailure, ["mycert3"], false); michael@0: michael@0: // Compare the binary data to something that was signed originally michael@0: // with the private key from mycert2 michael@0: let refMAR = do_get_file("data/signed_pib_mar_with_mycert2.mar"); michael@0: do_check_true(refMAR.exists()); michael@0: let refMARData = getBinaryFileData(refMAR); michael@0: let outMARData = getBinaryFileData(outMAR); michael@0: compareBinaryData(outMARData, refMARData); michael@0: }, michael@0: // Test importing a signature that doesn't belong to the file michael@0: // fails to verify. michael@0: test_import_wrong_sig: function() { michael@0: // Make sure the input MAR was signed with mycert only michael@0: let inMAR = do_get_file("data/signed_pib_mar.mar"); michael@0: verifyMAR(inMAR, wantSuccess, ["mycert"], false); michael@0: verifyMAR(inMAR, wantFailure, ["mycert2"], false); michael@0: verifyMAR(inMAR, wantFailure, ["mycert3"], false); michael@0: michael@0: // Get the signature file for this MAR signed with the key from mycert2 michael@0: let sigFile = do_get_file("data/multiple_signed_pib_mar.sig.0"); michael@0: do_check_true(sigFile.exists()); michael@0: let outMAR = tempDir.clone(); michael@0: outMAR.append("sigchanged_signed_pib_mar.mar"); michael@0: if (outMAR.exists()) { michael@0: outMAR.remove(false); michael@0: } michael@0: michael@0: //Run the import operation michael@0: importMARSignature(inMAR, 0, sigFile, outMAR, wantSuccess); michael@0: michael@0: // Verify we have a new MAR file and that mycert no longer verifies michael@0: // and that mycert2 does verify michael@0: do_check_true(outMAR.exists()); michael@0: verifyMAR(outMAR, wantFailure, ["mycert"], false); michael@0: verifyMAR(outMAR, wantFailure, ["mycert2"], false); michael@0: verifyMAR(outMAR, wantFailure, ["mycert3"], false); michael@0: }, michael@0: // Test importing to the second signature in a MAR that has multiple michael@0: // signature michael@0: test_import_sig_multiple: function() { michael@0: // Make sure the input MAR was signed with mycert only michael@0: let inMAR = do_get_file("data/multiple_signed_pib_mar.mar"); michael@0: verifyMAR(inMAR, wantSuccess, ["mycert", "mycert2", "mycert3"], false); michael@0: verifyMAR(inMAR, wantFailure, ["mycert", "mycert", "mycert3"], false); michael@0: michael@0: // Get the signature file for this MAR signed with the key from mycert michael@0: let sigFile = do_get_file("data/multiple_signed_pib_mar.sig.0"); michael@0: do_check_true(sigFile.exists()); michael@0: let outMAR = tempDir.clone(); michael@0: outMAR.append("sigchanged_signed_pib_mar.mar"); michael@0: if (outMAR.exists()) { michael@0: outMAR.remove(false); michael@0: } michael@0: michael@0: //Run the import operation michael@0: const secondSigPos = 1; michael@0: importMARSignature(inMAR, secondSigPos, sigFile, outMAR, wantSuccess); michael@0: michael@0: // Verify we have a new MAR file and that mycert no longer verifies michael@0: // and that mycert2 does verify michael@0: do_check_true(outMAR.exists()); michael@0: verifyMAR(outMAR, wantSuccess, ["mycert", "mycert", "mycert3"], false); michael@0: verifyMAR(outMAR, wantFailure, ["mycert", "mycert2", "mycert3"], false); michael@0: michael@0: // Compare the binary data to something that was signed originally michael@0: // with the private keys from mycert, mycert, mycert3 michael@0: let refMAR = do_get_file("data/multiple_signed_pib_mar_2.mar"); michael@0: do_check_true(refMAR.exists()); michael@0: let refMARData = getBinaryFileData(refMAR); michael@0: let outMARData = getBinaryFileData(outMAR); michael@0: compareBinaryData(outMARData, refMARData); michael@0: }, michael@0: // Test stripping a MAR that doesn't exist fails michael@0: test_bad_path_strip_fails: function() { michael@0: let noMAR = do_get_file("data/does_not_exist_mar", true); michael@0: do_check_false(noMAR.exists()); michael@0: let outMAR = tempDir.clone(); michael@0: outMAR.append("out.mar"); michael@0: stripMARSignature(noMAR, outMAR, wantFailure); michael@0: }, michael@0: // Test extracting from a bad path fails michael@0: test_extract_bad_path: function() { michael@0: let noMAR = do_get_file("data/does_not_exist.mar", true); michael@0: let extractedSig = do_get_file("extracted_signature", true); michael@0: do_check_false(noMAR.exists()); michael@0: if (extractedSig.exists()) { michael@0: extractedSig.remove(false); michael@0: } michael@0: extractMARSignature(noMAR, 0, extractedSig, wantFailure); michael@0: do_check_false(extractedSig.exists()); michael@0: }, michael@0: // Between each test make sure the out MAR does not exist. michael@0: cleanup_per_test: function() { michael@0: } michael@0: }; michael@0: michael@0: cleanup(); michael@0: michael@0: // Run all the tests michael@0: do_check_eq(run_tests(tests), Object.keys(tests).length - 1); michael@0: michael@0: do_register_cleanup(cleanup); michael@0: }