Bug 1564221 - Do not use FakeTransportSecurityInfo in test_sss_enumerate.js r=keeler

As part of making `nsITransportSecurityInfo` builtinclass, we can no longer
use JS-implemented `nsITransportSecurityInfo` instances in test cases.
This patch migrates `test_sss_enumerate.js` to use `add_connection_test()` to
get a valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40350

--HG--
extra : moz-landing-system : lando
Barret Rennie 2019-08-20 21:38:04 +00:00
Родитель e206c0bf71
Коммит f94a2e2dd7
3 изменённых файлов: 79 добавлений и 73 удалений


@ -3,6 +3,8 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
"use strict";
do_get_profile(); // must be done before instantiating nsIX509CertDB
// This had better not be larger than the maximum maxAge for HPKP.
const NON_ISSUED_KEY_HASH = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
const PINNING_ROOT_KEY_HASH = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=";
@ -10,78 +12,19 @@ const KEY_HASHES = [NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH];
const SECS_IN_A_WEEK = 7 * 24 * 60 * 60 * 1000;
const TESTCASES = [
{
hostname: "a.pinning2.example.com",
hostname: "a.pinning.example.com",
includeSubdomains: true,
expireTime: Date.now() + 12 * SECS_IN_A_WEEK * 1000,
},
{
hostname: "b.pinning2.example.com",
hostname: "b.pinning.example.com",
includeSubdomains: false,
expireTime: Date.now() + 13 * SECS_IN_A_WEEK * 1000,
},
].sort((a, b) => a.expireTime - b.expireTime);
registerCleanupFunction(() => {
Services.prefs.clearUserPref(
"security.cert_pinning.process_headers_from_non_builtin_roots"
);
Services.prefs.clearUserPref("security.cert_pinning.max_max_age_seconds");
});
do_get_profile();
Services.prefs.setBoolPref(
"security.cert_pinning.process_headers_from_non_builtin_roots",
true
);
Services.prefs.setIntPref(
"security.cert_pinning.max_max_age_seconds",
20 * SECS_IN_A_WEEK
);
let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
Ci.nsIX509CertDB
);
addCertFromFile(certdb, "test_pinning_dynamic/pinningroot.pem", "CTu,CTu,CTu");
let sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService);
function insertEntries() {
for (let testcase of TESTCASES) {
let uri = Services.io.newURI("https://" + testcase.hostname);
let secInfo = new FakeTransportSecurityInfo(
constructCertFromFile(
`test_pinning_dynamic/${testcase.hostname}-pinningroot.pem`
)
);
// MaxAge is in seconds.
let maxAge = Math.round((testcase.expireTime - Date.now()) / 1000);
let header = `max-age=${maxAge}`;
if (testcase.includeSubdomains) {
header += "; includeSubdomains";
}
sss.processHeader(
Ci.nsISiteSecurityService.HEADER_HSTS,
uri,
header,
secInfo,
0,
Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST
);
for (let key of KEY_HASHES) {
header += `; pin-sha256="${key}"`;
}
sss.processHeader(
Ci.nsISiteSecurityService.HEADER_HPKP,
uri,
header,
secInfo,
0,
Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST
);
}
}
function getEntries(type) {
return Array.from(sss.enumerate(type));
}
@ -129,23 +72,84 @@ function checkSha256Keys(hpkpEntries) {
}
}
function run_test() {
registerCleanupFunction(() => {
Services.prefs.clearUserPref(
"security.cert_pinning.process_headers_from_non_builtin_roots"
);
Services.prefs.clearUserPref("security.cert_pinning.max_max_age_seconds");
});
function add_tests() {
sss.clearAll();
insertEntries();
for (const testcase of TESTCASES) {
add_connection_test(
testcase.hostname,
PRErrorCodeSuccess,
undefined,
function insertEntry(secInfo) {
const uri = Services.io.newURI(`https://${testcase.hostname}`);
let hstsEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HSTS);
let hpkpEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HPKP);
// MaxAge is in seconds.
let maxAge = Math.round((testcase.expireTime - Date.now()) / 1000);
let header = `max-age=${maxAge}`;
if (testcase.includeSubdomains) {
header += "; includeSubdomains";
}
sss.processHeader(
Ci.nsISiteSecurityService.HEADER_HSTS,
uri,
header,
secInfo,
0,
Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST
);
for (let key of KEY_HASHES) {
header += `; pin-sha256="${key}"`;
}
sss.processHeader(
Ci.nsISiteSecurityService.HEADER_HPKP,
uri,
header,
secInfo,
0,
Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST
);
}
);
}
checkSiteSecurityStateAttrs(hstsEntries);
checkSiteSecurityStateAttrs(hpkpEntries);
add_task(() => {
let hstsEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HSTS);
let hpkpEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HPKP);
checkSha256Keys(hpkpEntries);
checkSiteSecurityStateAttrs(hstsEntries);
checkSiteSecurityStateAttrs(hpkpEntries);
sss.clearAll();
hstsEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HSTS);
hpkpEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HPKP);
checkSha256Keys(hpkpEntries);
equal(hstsEntries.length, 0, "Should clear all HSTS entries");
equal(hpkpEntries.length, 0, "Should clear all HPKP entries");
sss.clearAll();
hstsEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HSTS);
hpkpEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HPKP);
equal(hstsEntries.length, 0, "Should clear all HSTS entries");
equal(hpkpEntries.length, 0, "Should clear all HPKP entries");
});
}
function run_test() {
Services.prefs.setBoolPref(
"security.cert_pinning.process_headers_from_non_builtin_roots",
true
);
Services.prefs.setIntPref(
"security.cert_pinning.max_max_age_seconds",
20 * SECS_IN_A_WEEK
);
add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
add_tests();
run_next_test();
}
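Review bot: `SECS_IN_A_WEEK` is defined as `7 * 24 * 60 * 60 * 1000`, which is a week in milliseconds, yet the `setIntPref` call now placed in `run_test()` passes `20 * SECS_IN_A_WEEK` to `security.cert_pinning.max_max_age_seconds`. That product is 12,096,000,000, which is above the range of the 32-bit integer `setIntPref` takes, so the max-age cap the test depends on is probably not the value written here; it is worth confirming what the pref actually holds after the call. The `expireTime` entries multiply by 1000 a second time, so the `max-age` that `insertEntry` hands to `processHeader` is about 1000 times the 12 and 13 weeks the table suggests. I would define `const SECS_IN_A_WEEK = 7 * 24 * 60 * 60;` and keep the `* 1000` only where a millisecond timestamp is built. The constant and the `TESTCASES` arithmetic are context lines of the second hunk rather than lines this commit changes.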


@ -84,6 +84,7 @@ const BadCertAndPinningHost sBadCertAndPinningHosts[] = {
{"imminently-distrusted.example.com", "ee-imminently-distrusted"},
{"localhost", "unknownissuer"},
{"a.pinning.example.com", "default-ee"},
{"b.pinning.example.com", "default-ee"},
{nullptr, nullptr}};
int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd,


@ -191,6 +191,7 @@ run-sequentially = hardcoded ports
[test_ssl_status.js]
run-sequentially = hardcoded ports
[test_sss_enumerate.js]
run-sequentially = hardcoded ports
[test_sss_eviction.js]
[test_sss_originAttributes.js]
[test_sss_readstate.js]