Bug 1168695 - Add result strings to PSM xpcshell HPKP tests. r=keeler

--HG--
extra : rebase_source : 75fd17476020a68c60fd5e733c4d7a30fd05b8da
This commit is contained in:
Cykesiopka 2015-05-28 02:26:00 +02:00
Родитель c2bc81fbea
Коммит 563c609fd0
3 изменённых файлов: 70 добавлений и 56 удалений

Просмотреть файл

@ -214,24 +214,34 @@ function check_pinning_telemetry() {
.snapshot();
// Because all of our test domains are pinned to user-specified trust
// anchors, effectively only strict mode and enforce test-mode get evaluated
do_check_eq(prod_histogram.counts[0], 4); // Failure count
do_check_eq(prod_histogram.counts[1], 4); // Success count
do_check_eq(test_histogram.counts[0], 2); // Failure count
do_check_eq(test_histogram.counts[1], 0); // Success count
equal(prod_histogram.counts[0], 4,
"Actual and expected prod (non-Mozilla) failure count should match");
equal(prod_histogram.counts[1], 4,
"Actual and expected prod (non-Mozilla) success count should match");
equal(test_histogram.counts[0], 2,
"Actual and expected test (non-Mozilla) failure count should match");
equal(test_histogram.counts[1], 0,
"Actual and expected test (non-Mozilla) success count should match");
let moz_prod_histogram = service.getHistogramById("CERT_PINNING_MOZ_RESULTS")
.snapshot();
let moz_test_histogram =
service.getHistogramById("CERT_PINNING_MOZ_TEST_RESULTS").snapshot();
do_check_eq(moz_prod_histogram.counts[0], 0); // Failure count
do_check_eq(moz_prod_histogram.counts[1], 0); // Success count
do_check_eq(moz_test_histogram.counts[0], 0); // Failure count
do_check_eq(moz_test_histogram.counts[1], 0); // Success count
equal(moz_prod_histogram.counts[0], 0,
"Actual and expected prod (Mozilla) failure count should match");
equal(moz_prod_histogram.counts[1], 0,
"Actual and expected prod (Mozilla) success count should match");
equal(moz_test_histogram.counts[0], 0,
"Actual and expected test (Mozilla) failure count should match");
equal(moz_test_histogram.counts[1], 0,
"Actual and expected test (Mozilla) success count should match");
let per_host_histogram =
service.getHistogramById("CERT_PINNING_MOZ_RESULTS_BY_HOST").snapshot();
do_check_eq(per_host_histogram.counts[0], 0); // Failure count
do_check_eq(per_host_histogram.counts[1], 2); // Success count
equal(per_host_histogram.counts[0], 0,
"Actual and expected per host (Mozilla) failure count should match");
equal(per_host_histogram.counts[1], 2,
"Actual and expected per host (Mozilla) success count should match");
run_next_test();
}

Просмотреть файл

@ -45,7 +45,8 @@ function run_test() {
stateFile.append(SSS_STATE_FILE_NAME);
// Assuming we're working with a clean slate, the file shouldn't exist
// until we create it.
do_check_false(stateFile.exists());
ok(!stateFile.exists(),
"State file should not exist when working with a clean slate");
let outputStream = FileUtils.openFileOutputStream(stateFile);
let now = (new Date()).getTime();
writeLine("a.pinning2.example.com:HPKP\t0\t0\t" + (now + 100000) + ",1,0,kXoHD1ZGyMuowchJwy+xgHlzh0kJFoI9KX0o0IrzTps=\n", outputStream);
@ -56,12 +57,30 @@ function run_test() {
do_test_pending();
gSSService = Cc["@mozilla.org/ssservice;1"]
.getService(Ci.nsISiteSecurityService);
do_check_true(gSSService != null);
notEqual(gSSService, null,
"SiteSecurityService should have initialized successfully using" +
" the generated state file");
}
function checkDefaultSiteHPKPStatus() {
ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"a.pinning2.example.com", 0),
"a.pinning2.example.com should have HPKP status");
ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"x.a.pinning2.example.com", 0),
"x.a.pinning2.example.com should not have HPKP status");
ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"b.pinning2.example.com", 0),
"b.pinning2.example.com should have HPKP status");
ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"x.b.pinning2.example.com", 0),
"x.b.pinning2.example.com should have HPKP status");
}
function checkStateRead(aSubject, aTopic, aData) {
do_check_eq(aData, SSS_STATE_FILE_NAME);
do_check_neq(gSSService, null);
equal(aData, SSS_STATE_FILE_NAME,
"Observed data should be the Site Security Service state file name");
notEqual(gSSService, null, "SiteSecurityService should be initialized");
// Initializing the certificate DB will cause NSS-initialization, which in
// turn initializes the site security service. Since we're in part testing
@ -87,17 +106,10 @@ function checkStateRead(aSubject, aTopic, aData) {
checkFail(certFromFile('cn-x.b.pinning2.example.com-badca.der'), "x.b.pinning2.example.com");
checkOK(certFromFile('cn-x.b.pinning2.example.com-pinningroot.der'), "x.b.pinning2.example.com");
do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"a.pinning2.example.com", 0));
do_check_false(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"x.a.pinning2.example.com", 0));
do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"b.pinning2.example.com", 0));
do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"x.b.pinning2.example.com", 0));
checkDefaultSiteHPKPStatus();
// add withSubdomains to a.pinning2.example.com
// add includeSubdomains to a.pinning2.example.com
gSSService.setKeyPins("a.pinning2.example.com", true, 1000, 2,
[NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH]);
checkFail(certFromFile('cn-a.pinning2.example.com-badca.der'), "a.pinning2.example.com");
@ -111,10 +123,14 @@ function checkStateRead(aSubject, aTopic, aData) {
checkFail(certFromFile('cn-x.b.pinning2.example.com-badca.der'), "x.b.pinning2.example.com");
checkOK(certFromFile('cn-x.b.pinning2.example.com-pinningroot.der'), "x.b.pinning2.example.com");
do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"a.pinning2.example.com", 0));
do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"x.a.pinning2.example.com", 0));
ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"a.pinning2.example.com", 0),
"a.pinning2.example.com should still have HPKP status after adding" +
" includeSubdomains to a.pinning2.example.com");
ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"x.a.pinning2.example.com", 0),
"x.a.pinning2.example.com should now have HPKP status after adding" +
" includeSubdomains to a.pinning2.example.com");
// Now setpins without subdomains
gSSService.setKeyPins("a.pinning2.example.com", false, 1000, 2,
@ -131,20 +147,13 @@ function checkStateRead(aSubject, aTopic, aData) {
checkFail(certFromFile('cn-x.b.pinning2.example.com-badca.der'), "x.b.pinning2.example.com");
checkOK(certFromFile('cn-x.b.pinning2.example.com-pinningroot.der'), "x.b.pinning2.example.com");
do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"a.pinning2.example.com", 0));
do_check_false(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"x.a.pinning2.example.com", 0));
do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"b.pinning2.example.com", 0));
do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"x.b.pinning2.example.com", 0));
checkDefaultSiteHPKPStatus();
// failure to insert new pin entry leaves previous pin behavior
try {
gSSService.setKeyPins("a.pinning2.example.com", true, 1000, 1,
["not a hash"]);
do_check_true(false); // this shouldn't run
ok(false, "Attempting to set an invalid pin should have failed");
} catch(e) {
}
checkFail(certFromFile('cn-a.pinning2.example.com-badca.der'), "a.pinning2.example.com");
@ -159,28 +168,23 @@ function checkStateRead(aSubject, aTopic, aData) {
checkFail(certFromFile('cn-x.b.pinning2.example.com-badca.der'), "x.b.pinning2.example.com");
checkOK(certFromFile('cn-x.b.pinning2.example.com-pinningroot.der'), "x.b.pinning2.example.com");
do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"a.pinning2.example.com", 0));
do_check_false(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"x.a.pinning2.example.com", 0));
do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"b.pinning2.example.com", 0));
do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"x.b.pinning2.example.com", 0));
checkDefaultSiteHPKPStatus();
// Incorrect size results in failure
try {
gSSService.setKeyPins("a.pinning2.example.com", true, 1000, 2,
["not a hash"]);
do_check_true(false); // this shouldn't run
ok(false, "Attempting to set a pin with an incorrect size should have failed");
} catch(e) {
}
// Ensure built-in pins work as expected
do_check_false(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"nonexistent.example.com", 0));
do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"include-subdomains.pinning.example.com", 0));
ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"nonexistent.example.com", 0),
"Not built-in nonexistent.example.com should not have HPKP status");
ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"include-subdomains.pinning.example.com", 0),
"Built-in include-subdomains.pinning.example.com should have HPKP status");
gSSService.setKeyPins("a.pinning2.example.com", false, 0, 1,
[NON_ISSUED_KEY_HASH]);

Просмотреть файл

@ -29,9 +29,9 @@ function checkFailParseInvalidPin(pinValue) {
try {
gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
pinValue, sslStatus, 0);
do_check_true(false); // this should not run
ok(false, "Invalid pin should have been rejected");
} catch (e) {
do_check_true(true);
ok(true, "Invalid pin should be rejected");
}
}
@ -40,7 +40,7 @@ function checkPassValidPin(pinValue, settingPin) {
certFromFile('cn-a.pinning2.example.com-pinningroot.der'));
let uri = Services.io.newURI("https://a.pinning2.example.com", null, null);
// setup preconditions for the test, if setting ensure there is no previors
// setup preconditions for the test, if setting ensure there is no previous
// state, if removing ensure there is a valid pin in place.
if (settingPin) {
gSSService.removeState(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0);
@ -53,18 +53,18 @@ function checkPassValidPin(pinValue, settingPin) {
try {
gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
pinValue, sslStatus, 0);
do_check_true(true);
ok(true, "Valid pin should be accepted");
} catch (e) {
do_check_true(false);
ok(false, "Valid pin should have been accepted");
}
// after processing ensure that the postconditions are true, if setting
// the host must be pinned, if removing the host must not be pinned
let hostIsPinned = gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
"a.pinning2.example.com", 0);
if (settingPin) {
do_check_true(hostIsPinned);
ok(hostIsPinned, "Host should be considered pinned");
} else {
do_check_true(!hostIsPinned);
ok(!hostIsPinned, "Host should not be considered pinned");
}
}