Bug 813418 - Centralize certificate validation (Part 1, tests). r=bsmith

--HG-- extra : rebase_source : a9d66d37da35b315097af6e20177188a3ef52ce0
2013-02-27 10:30:19 -08:00 · 2013-02-27 10:30:19 -08:00 · b27a45bc28
--- a/build/pgo/certs/cert8.db
+++ b/build/pgo/certs/cert8.db
--- a/build/pgo/certs/evintermediate.ca
+++ b/build/pgo/certs/evintermediate.ca
@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF9zCCBN+gAwIBAgIBAzANBgkqhkiG9w0BAQUFADCB4TELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MSMwIQYDVQQKExpN
+b3ppbGxhIC0gRVYgZGVidWcgdGVzdCBDQTEdMBsGA1UECxMUU2VjdXJpdHkgRW5n
+aW5lZXJpbmcxJjAkBgNVBAMTHUVWIFRlc3RpbmcgKHVudHJ1c3R3b3J0aHkpIENB
+MRMwEQYDVQQpEwpldi10ZXN0LWNhMSwwKgYJKoZIhvcNAQkBFh1jaGFybGF0YW5A
+dGVzdGluZy5leGFtcGxlLmNvbTAeFw0xMzAyMTQxNzU5MDlaFw0yMzAyMTIxNzU5
+MDlaMIHRMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50
+YWluIFZpZXcxIzAhBgNVBAoTGk1vemlsbGEgLSBFViBkZWJ1ZyB0ZXN0IENBMR0w
+GwYDVQQLExRTZWN1cml0eSBFbmdpbmVlcmluZzEWMBQGA1UEAxMNaW50ZXJtZWRp
+YXRlMzETMBEGA1UEKRMKZXYtdGVzdC1jYTEsMCoGCSqGSIb3DQEJARYdY2hhcmxh
+dGFuQHRlc3RpbmcuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDAfzrlJdawr7v8m7lslODk5FTqCiBO7tPxnWhAOEL5g05knLTZTc5J
+3ywmGoW6ae6RwPlWuqRuFd2Ea+yCawyjkUoLOpFH/xziDzvaS6LXNdJoxQqWk/LX
+8YYQVFfmxh8E11fz74IoCzX++mY1byaNONf3bLU2HU8vnVvENr1gy9Bzpm8wUuKm
+HkBYuG0SVzaeym2H/mo5PJICPVhPa+YxfEVS8EIFCigXGH7xrz/bPXnpfgsSJTnN
+4amBNkORfjf7H9x6IWkJGEkIvkVoYKT4iQ9q6/C4YDjWa9p5lA4F/qxnJefezH/I
+6hcqEODSaDsY+I6vsN8ks8r8MTTnd7BjAgMBAAGjggHGMIIBwjAdBgNVHQ4EFgQU
+fluXMAT0ZS21pV13vv46m8k7nRkwggEYBgNVHSMEggEPMIIBC4AUyJg651hwk+3B
+V0rQvQZv9n2bWPahgeekgeQwgeExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEW
+MBQGA1UEBxMNTW91bnRhaW4gVmlldzEjMCEGA1UEChMaTW96aWxsYSAtIEVWIGRl
+YnVnIHRlc3QgQ0ExHTAbBgNVBAsTFFNlY3VyaXR5IEVuZ2luZWVyaW5nMSYwJAYD
+VQQDEx1FViBUZXN0aW5nICh1bnRydXN0d29ydGh5KSBDQTETMBEGA1UEKRMKZXYt
+dGVzdC1jYTEsMCoGCSqGSIb3DQEJARYdY2hhcmxhdGFuQHRlc3RpbmcuZXhhbXBs
+ZS5jb22CCQCvxT0iZiZJMjAMBgNVHRMEBTADAQH/MDYGA1UdHwQvMC0wK6ApoCeG
+JWh0dHA6Ly9leGFtcGxlLmNvbS9yb290LWV2LXRlc3Rlci5jcmwwPwYDVR0gBDgw
+NjA0BgRVHSAAMCwwKgYIKwYBBQUHAgEWHmh0dHA6Ly9teXRlc3Rkb21haW4ubG9j
+YWwvY3BzOzANBgkqhkiG9w0BAQUFAAOCAQEAC4grNTV5K8yqiAJ/0f6oIkTMqyJ4
+lyHXvvKXMHTpRZ7Jdy0aq5KTSHswx64ZRN7V2ds+czzDWgxX3rBuZZAgOW1JYva3
+Ps3XRYUiaTW8eeaWjuVRFAp7ytRmSsOGeOtHbez8jDmTqPRQ1mTMsMzpY4bFD8do
+5y0xsbz4DYIeeNnX9+XGB5u2ml8t5L8Cj65wwMAx9HlsjTrfQTMIwpwbNle6GuZ3
+9FzmE2piAND73yCgU5W66K2lZg8N6vHBq0UhPDCF72y8MlHxQOpTr3/jIGr4X7k9
+uyYq0Pw5Y/LKyGbyW5iMFdLzabm1ua8IWAf7DSFMH6L3WlK8mngCfJ1icQ==
+-----END CERTIFICATE-----
--- a/build/pgo/certs/evroot.ca
+++ b/build/pgo/certs/evroot.ca
@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFljCCBH6gAwIBAgIJAK/FPSJmJkkyMA0GCSqGSIb3DQEBBQUAMIHhMQswCQYD
+VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxIzAh
+BgNVBAoTGk1vemlsbGEgLSBFViBkZWJ1ZyB0ZXN0IENBMR0wGwYDVQQLExRTZWN1
+cml0eSBFbmdpbmVlcmluZzEmMCQGA1UEAxMdRVYgVGVzdGluZyAodW50cnVzdHdv
+cnRoeSkgQ0ExEzARBgNVBCkTCmV2LXRlc3QtY2ExLDAqBgkqhkiG9w0BCQEWHWNo
+YXJsYXRhbkB0ZXN0aW5nLmV4YW1wbGUuY29tMB4XDTEzMDIxNDE3NDkwMFoXDTIz
+MDIxMjE3NDkwMFowgeExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UE
+BxMNTW91bnRhaW4gVmlldzEjMCEGA1UEChMaTW96aWxsYSAtIEVWIGRlYnVnIHRl
+c3QgQ0ExHTAbBgNVBAsTFFNlY3VyaXR5IEVuZ2luZWVyaW5nMSYwJAYDVQQDEx1F
+ViBUZXN0aW5nICh1bnRydXN0d29ydGh5KSBDQTETMBEGA1UEKRMKZXYtdGVzdC1j
+YTEsMCoGCSqGSIb3DQEJARYdY2hhcmxhdGFuQHRlc3RpbmcuZXhhbXBsZS5jb20w
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCk+k5mvnrxhVdVnhaxCeDG
+ZC5kcC8951K3xTkh2JMtUpSQL2IoGLOZOWTNY+2wGNyHbdJjKDv1d0bzZfz3yDkB
+AbY6OcxS4WkwccKsyIzkdacpYWhi7kEFevm9p7TI8jdrpKmItrlqfZKfteh+K+DF
+XZF7xp6zpoUis6dykmk5v8RivpCZl7HIlsOW0wSqCocXWH/WWFgAQyozjW8MgGOL
+/eV2aLsx+yg7it9GMMtyidggwvlYM7O8vY0gJqQKXntbHq1zV7jIJ3bXzJceur+G
+Ce4HvsRHAQUSl6jUfm00aKkqS+1t3svZURIKM6qWAuIKMGcspv+L8lyn1KImG8M5
+AgMBAAGjggFNMIIBSTAdBgNVHQ4EFgQUyJg651hwk+3BV0rQvQZv9n2bWPYwggEY
+BgNVHSMEggEPMIIBC4AUyJg651hwk+3BV0rQvQZv9n2bWPahgeekgeQwgeExCzAJ
+BgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEj
+MCEGA1UEChMaTW96aWxsYSAtIEVWIGRlYnVnIHRlc3QgQ0ExHTAbBgNVBAsTFFNl
+Y3VyaXR5IEVuZ2luZWVyaW5nMSYwJAYDVQQDEx1FViBUZXN0aW5nICh1bnRydXN0
+d29ydGh5KSBDQTETMBEGA1UEKRMKZXYtdGVzdC1jYTEsMCoGCSqGSIb3DQEJARYd
+Y2hhcmxhdGFuQHRlc3RpbmcuZXhhbXBsZS5jb22CCQCvxT0iZiZJMjAMBgNVHRME
+BTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAcKVLC9MbdSZjzkVBseCm6t49aIIBm
+xQrsTNV2Gnp5eIXBfUhNAfD0zbBcKHK9AfHmNT8ZK6iABjiOrnn6yQNufW5MMdNx
+/4FtTmdlBPLpyuBY7re+XbIaPxr/jB9jJ1pmh52xH3wMkO7ATDQ2fqFnODFrUKS
+UpXzuydPnsCdu32KPSnewIrkDB10Sah7vw3uwASO2GWqaFtUDFWGpt6rYQTcOF8g
+7a6Zj0johBMQFHE3HDRebWxiOf21ppN/tvv0gtGiA0ZIXBezeLaJ+Hob1xTbi4sw
+sGYDKHPCrLuTZWXmkv0rAIkLLK4VHbsA5xYPQNJJsTpX3u0Z0vZxJd9/
+-----END CERTIFICATE-----
--- a/build/pgo/certs/key3.db
+++ b/build/pgo/certs/key3.db
--- a/build/pgo/server-locations.txt
+++ b/build/pgo/server-locations.txt
@ -101,6 +101,8 @@ https://mismatch.expired.example.com:443	privileged,cert=expired
 https://mismatch.untrusted.example.com:443	privileged,cert=untrusted
 https://untrusted-expired.example.com:443	privileged,cert=untrustedandexpired
 https://mismatch.untrusted-expired.example.com:443	privileged,cert=untrustedandexpired
+https://ev-valid.example.com:443	privileged,cert=evvalid
+https://ev-invalid.example.com:443      priviliged,cert=evinvalid

 # This is here so that we don't load the default live bookmark over
 # the network in every test suite.
--- a/security/manager/ssl/src/nsIdentityChecking.cpp
+++ b/security/manager/ssl/src/nsIdentityChecking.cpp
@ -109,6 +109,21 @@ static struct nsMyTrustedEVInfo myTrustedEVInfos[] = {
   * In other words, if you add another list, that uses the same dotted_oid
   * as an existing entry, then please use the same oid_name.
   */
+  {
+    // This is the testing EV signature.
+    // C=US, ST=CA, L=Mountain View, O=Mozilla - EV debug test CA, OU=Security Engineering, CN=EV Testing (untrustworthy) CA/name=ev-test-ca/emailAddress=charlatan@testing.example.com
+    "1.3.6.1.4.1.13769.666.666.666.1.500.9.1",
+    "DEBUGtesting EV OID",
+    SEC_OID_UNKNOWN,
+    "AD:FE:0E:44:16:45:B0:17:46:8B:76:01:74:B7:FF:64:5A:EC:35:91",
+    "MIHhMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWlu"
+    "IFZpZXcxIzAhBgNVBAoTGk1vemlsbGEgLSBFViBkZWJ1ZyB0ZXN0IENBMR0wGwYD"
+    "VQQLExRTZWN1cml0eSBFbmdpbmVlcmluZzEmMCQGA1UEAxMdRVYgVGVzdGluZyAo"
+    "dW50cnVzdHdvcnRoeSkgQ0ExEzARBgNVBCkTCmV2LXRlc3QtY2ExLDAqBgkqhkiG"
+    "9w0BCQEWHWNoYXJsYXRhbkB0ZXN0aW5nLmV4YW1wbGUuY29t",
+    "AK/FPSJmJkky",
+    nullptr
+  },
  {
    // CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US
    "2.16.840.1.114171.500.9",
@ -1061,7 +1076,11 @@ nsNSSComponent::IdentityInfoInit()
    ias.serialNumber.type = siUnsignedInteger;

    entry.cert = CERT_FindCertByIssuerAndSN(nullptr, &ias);
-    NS_ASSERTION(entry.cert, "Could not find EV root in NSS storage");
+
+    // The debug CA info is at position 0, and is NOT on the NSS root db
+    if (iEV != 0) {
+       NS_ASSERTION(entry.cert, "Could not find EV root in NSS storage");
+    }

    SECITEM_FreeItem(&ias.derIssuer, false);
    SECITEM_FreeItem(&ias.serialNumber, false);
--- a/security/manager/ssl/tests/mochitest/bugs/Makefile.in
+++ b/security/manager/ssl/tests/mochitest/bugs/Makefile.in
@ -15,6 +15,8 @@ MOCHITEST_FILES = \
        test_bug480509.html \
        test_bug483440.html \
        test_bug484111.html \
+	test_ev_validation.html \
+	test_ev_validation_child.html \
        $(NULL)

 MOCHITEST_CHROME_FILES = \
--- a/security/manager/ssl/tests/mochitest/bugs/test_ev_validation.html
+++ b/security/manager/ssl/tests/mochitest/bugs/test_ev_validation.html
@ -0,0 +1,52 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=813418
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 813418</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript">
+
+  </script>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=813418">Mozilla Bug 813418</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+</div>
+<pre id="test">
+<script type="application/javascript">
+  SimpleTest.waitForExplicitFinish();
+
+  var wnd = window.open("https://ev-valid.example.com/tests/security/ssl/bugs/test_ev_validation_child.html");
+  window.addEventListener("message", function(event) {
+     if (event.origin == "https://ev-valid.example.com") {
+       is(event.data, "EV", "Child was EV valid.");
+       wnd.close();
+       wnd = window.open("https://example.com/tests/security/ssl/bugs/test_ev_validation_child.html");
+     }
+     else if (event.origin == "https://example.com") {
+       is(event.data, "secure", "Child was just secure (NO EV) no ev flags present.");
+       wnd.close();
+       wnd = window.open("https://ev-invalid.example.com/tests/security/ssl/bugs/test_ev_validation_child.html");
+     }
+     else if (event.origin == "https://ev-invalid.example.com") {
+       is(event.data, "secure", "Child was just secure (NO EV ev cert from invalid anchor).");
+       wnd.close();
+       SimpleTest.finish(); //expected end of tests.
+     }
+     else{
+       ok(false,"something is broken");
+       SimpleTest.finish();
+     }
+
+    }, false);
+
+</script>
+</pre>
+</body>
+</html>
--- a/security/manager/ssl/tests/mochitest/bugs/test_ev_validation_child.html
+++ b/security/manager/ssl/tests/mochitest/bugs/test_ev_validation_child.html
@ -0,0 +1,62 @@
+<html>
+<head>
+<title></title>
+<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+<script type="text/javascript">
+
+function finish(state) {
+  try {
+    window.opener.postMessage(state, "*");
+    //the opener should close this window, no
+    // need to call simpletest.finish()
+    return;
+  }
+  catch(e){
+    if (window.opener) {
+      //could not sent the message?
+      ok(false,"could no opener window");
+    }
+  }
+}
+
+function onWindowLoad()
+{
+  if (!window.opener) {
+    ok(true, "Direct call, nothing to do");
+    SimpleTest.finish();
+  }
+
+  var ui = SpecialPowers.wrap(window)
+     .QueryInterface(SpecialPowers.Ci.nsIInterfaceRequestor)
+     .getInterface(SpecialPowers.Ci.nsIWebNavigation)
+     .QueryInterface(SpecialPowers.Ci.nsIDocShell)
+     .securityUI;
+
+  var isInsecure = !ui ||
+     (ui.state & SpecialPowers.Ci.nsIWebProgressListener.STATE_IS_INSECURE);
+  var isBroken = ui &&
+     (ui.state & SpecialPowers.Ci.nsIWebProgressListener.STATE_IS_BROKEN);
+  var isEV = ui &&
+     (ui.state & SpecialPowers.Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL);
+ 
+  var gotState;
+  if (isInsecure)
+    gotState = "insecure";
+  else if (isBroken)
+    gotState = "broken";
+  else if (isEV)
+    gotState = "EV";
+  else
+    gotState = "secure";
+
+  finish(gotState);
+}
+
+</script>
+</head>
+
+<body onload="onWindowLoad()">
+ <h1>Security_state_child</h1>
+</body>
+</html>
+
--- a/testing/mochitest/Makefile.in
+++ b/testing/mochitest/Makefile.in
@ -61,6 +61,8 @@ _SERV_FILES = 	\
 	 	plain-loop.html \
 		android.json \
 		b2g.json \
+		root-ev-tester.crl \
+		intermediate-ev-tester.crl \
 		$(NULL)	

 ifeq ($(MOZ_BUILD_APP),mobile/android)
--- a/testing/mochitest/intermediate-ev-tester.crl
+++ b/testing/mochitest/intermediate-ev-tester.crl
--- a/testing/mochitest/root-ev-tester.crl
+++ b/testing/mochitest/root-ev-tester.crl