Bug 1564221 - Do not use FakeTransportSecurityInfo in test_sss_enumerate.js r=keeler
As part of making `nsITransportSecurityInfo` builtinclass, we can no longer use JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch migrates `test_sss_enumerate.js` to use `add_connection_test()` to get a valid `nsITransportSecurityInfo` instance for the unit tests. Differential Revision: https://phabricator.services.mozilla.com/D40350 --HG-- extra : moz-landing-system : lando
Родитель
e206c0bf71
Коммит
f94a2e2dd7
|
@ -3,6 +3,8 @@
|
|||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
"use strict";
|
||||
|
||||
do_get_profile(); // must be done before instantiating nsIX509CertDB
|
||||
|
||||
// This had better not be larger than the maximum maxAge for HPKP.
|
||||
const NON_ISSUED_KEY_HASH = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
|
||||
const PINNING_ROOT_KEY_HASH = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=";
|
||||
|
@ -10,78 +12,19 @@ const KEY_HASHES = [NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH];
|
|||
const SECS_IN_A_WEEK = 7 * 24 * 60 * 60 * 1000;
|
||||
const TESTCASES = [
|
||||
{
|
||||
hostname: "a.pinning2.example.com",
|
||||
hostname: "a.pinning.example.com",
|
||||
includeSubdomains: true,
|
||||
expireTime: Date.now() + 12 * SECS_IN_A_WEEK * 1000,
|
||||
},
|
||||
{
|
||||
hostname: "b.pinning2.example.com",
|
||||
hostname: "b.pinning.example.com",
|
||||
includeSubdomains: false,
|
||||
expireTime: Date.now() + 13 * SECS_IN_A_WEEK * 1000,
|
||||
},
|
||||
].sort((a, b) => a.expireTime - b.expireTime);
|
||||
|
||||
registerCleanupFunction(() => {
|
||||
Services.prefs.clearUserPref(
|
||||
"security.cert_pinning.process_headers_from_non_builtin_roots"
|
||||
);
|
||||
Services.prefs.clearUserPref("security.cert_pinning.max_max_age_seconds");
|
||||
});
|
||||
|
||||
do_get_profile();
|
||||
|
||||
Services.prefs.setBoolPref(
|
||||
"security.cert_pinning.process_headers_from_non_builtin_roots",
|
||||
true
|
||||
);
|
||||
Services.prefs.setIntPref(
|
||||
"security.cert_pinning.max_max_age_seconds",
|
||||
20 * SECS_IN_A_WEEK
|
||||
);
|
||||
|
||||
let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
|
||||
Ci.nsIX509CertDB
|
||||
);
|
||||
addCertFromFile(certdb, "test_pinning_dynamic/pinningroot.pem", "CTu,CTu,CTu");
|
||||
|
||||
let sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService);
|
||||
|
||||
function insertEntries() {
|
||||
for (let testcase of TESTCASES) {
|
||||
let uri = Services.io.newURI("https://" + testcase.hostname);
|
||||
let secInfo = new FakeTransportSecurityInfo(
|
||||
constructCertFromFile(
|
||||
`test_pinning_dynamic/${testcase.hostname}-pinningroot.pem`
|
||||
)
|
||||
);
|
||||
// MaxAge is in seconds.
|
||||
let maxAge = Math.round((testcase.expireTime - Date.now()) / 1000);
|
||||
let header = `max-age=${maxAge}`;
|
||||
if (testcase.includeSubdomains) {
|
||||
header += "; includeSubdomains";
|
||||
}
|
||||
sss.processHeader(
|
||||
Ci.nsISiteSecurityService.HEADER_HSTS,
|
||||
uri,
|
||||
header,
|
||||
secInfo,
|
||||
0,
|
||||
Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST
|
||||
);
|
||||
for (let key of KEY_HASHES) {
|
||||
header += `; pin-sha256="${key}"`;
|
||||
}
|
||||
sss.processHeader(
|
||||
Ci.nsISiteSecurityService.HEADER_HPKP,
|
||||
uri,
|
||||
header,
|
||||
secInfo,
|
||||
0,
|
||||
Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
function getEntries(type) {
|
||||
return Array.from(sss.enumerate(type));
|
||||
}
|
||||
|
@ -129,23 +72,84 @@ function checkSha256Keys(hpkpEntries) {
|
|||
}
|
||||
}
|
||||
|
||||
function run_test() {
|
||||
registerCleanupFunction(() => {
|
||||
Services.prefs.clearUserPref(
|
||||
"security.cert_pinning.process_headers_from_non_builtin_roots"
|
||||
);
|
||||
Services.prefs.clearUserPref("security.cert_pinning.max_max_age_seconds");
|
||||
});
|
||||
|
||||
function add_tests() {
|
||||
sss.clearAll();
|
||||
|
||||
insertEntries();
|
||||
for (const testcase of TESTCASES) {
|
||||
add_connection_test(
|
||||
testcase.hostname,
|
||||
PRErrorCodeSuccess,
|
||||
undefined,
|
||||
function insertEntry(secInfo) {
|
||||
const uri = Services.io.newURI(`https://${testcase.hostname}`);
|
||||
|
||||
let hstsEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HSTS);
|
||||
let hpkpEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HPKP);
|
||||
// MaxAge is in seconds.
|
||||
let maxAge = Math.round((testcase.expireTime - Date.now()) / 1000);
|
||||
let header = `max-age=${maxAge}`;
|
||||
if (testcase.includeSubdomains) {
|
||||
header += "; includeSubdomains";
|
||||
}
|
||||
sss.processHeader(
|
||||
Ci.nsISiteSecurityService.HEADER_HSTS,
|
||||
uri,
|
||||
header,
|
||||
secInfo,
|
||||
0,
|
||||
Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST
|
||||
);
|
||||
for (let key of KEY_HASHES) {
|
||||
header += `; pin-sha256="${key}"`;
|
||||
}
|
||||
sss.processHeader(
|
||||
Ci.nsISiteSecurityService.HEADER_HPKP,
|
||||
uri,
|
||||
header,
|
||||
secInfo,
|
||||
0,
|
||||
Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST
|
||||
);
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
checkSiteSecurityStateAttrs(hstsEntries);
|
||||
checkSiteSecurityStateAttrs(hpkpEntries);
|
||||
add_task(() => {
|
||||
let hstsEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HSTS);
|
||||
let hpkpEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HPKP);
|
||||
|
||||
checkSha256Keys(hpkpEntries);
|
||||
checkSiteSecurityStateAttrs(hstsEntries);
|
||||
checkSiteSecurityStateAttrs(hpkpEntries);
|
||||
|
||||
sss.clearAll();
|
||||
hstsEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HSTS);
|
||||
hpkpEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HPKP);
|
||||
checkSha256Keys(hpkpEntries);
|
||||
|
||||
equal(hstsEntries.length, 0, "Should clear all HSTS entries");
|
||||
equal(hpkpEntries.length, 0, "Should clear all HPKP entries");
|
||||
sss.clearAll();
|
||||
hstsEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HSTS);
|
||||
hpkpEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HPKP);
|
||||
|
||||
equal(hstsEntries.length, 0, "Should clear all HSTS entries");
|
||||
equal(hpkpEntries.length, 0, "Should clear all HPKP entries");
|
||||
});
|
||||
}
|
||||
|
||||
function run_test() {
|
||||
Services.prefs.setBoolPref(
|
||||
"security.cert_pinning.process_headers_from_non_builtin_roots",
|
||||
true
|
||||
);
|
||||
Services.prefs.setIntPref(
|
||||
"security.cert_pinning.max_max_age_seconds",
|
||||
20 * SECS_IN_A_WEEK
|
||||
);
|
||||
|
||||
add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
|
||||
|
||||
add_tests();
|
||||
|
||||
run_next_test();
|
||||
}
|
||||
|
|
|
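Review bot: The new `add_tests()` gives no hint why each entry is inserted from inside an `add_connection_test` callback rather than directly, so a later reader will assume the TLS round-trip itself is what is under test; a comment above the `for` loop such as `// Insert entries from a real connection: processHeader() needs a genuine nsITransportSecurityInfo, and JS-implemented fakes are no longer accepted.` would carry the reason from the commit message into the file. In `insertEntry`, `maxAge` is never reassigned and `header` is mutated so that one string serves first as the HSTS header and then as the HPKP header, so `const maxAge = …` and building the HPKP header into a separate `const hpkpHeader` by joining the `pin-sha256` directives with `map(...).join("")` instead of appending to `header` would make the two headers visible at a glance. Note also that `maxAge` is computed at connection time while `expireTime` is fixed at module load, so the inserted expiry now drifts by the server start-up that `add_tls_server_setup` puts between the two; whether `checkSiteSecurityStateAttrs` (defined outside the hunk) tolerates that is not visible here. Finally, since `SECS_IN_A_WEEK` already carries a `* 1000` factor, the `20 * SECS_IN_A_WEEK` passed to `setIntPref` for `security.cert_pinning.max_max_age_seconds` appears to be far outside a 32-bit integer pref's range — this is untouched context, but it is worth confirming the effective maximum is the one the test intends.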
@ -84,6 +84,7 @@ const BadCertAndPinningHost sBadCertAndPinningHosts[] = {
|
|||
{"imminently-distrusted.example.com", "ee-imminently-distrusted"},
|
||||
{"localhost", "unknownissuer"},
|
||||
{"a.pinning.example.com", "default-ee"},
|
||||
{"b.pinning.example.com", "default-ee"},
|
||||
{nullptr, nullptr}};
|
||||
|
||||
int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd,
|
||||
|
|
|
@ -191,6 +191,7 @@ run-sequentially = hardcoded ports
|
|||
[test_ssl_status.js]
|
||||
run-sequentially = hardcoded ports
|
||||
[test_sss_enumerate.js]
|
||||
run-sequentially = hardcoded ports
|
||||
[test_sss_eviction.js]
|
||||
[test_sss_originAttributes.js]
|
||||
[test_sss_readstate.js]
|
||||
|
|