Bug 413909 - nsCertOverrideService IDN handling is broken; tests; r=kaie
authorHonza Bambas <honzab@allpeers.com>
Fri, 10 Oct 2008 16:41:38 +0200
changeset 20258 097bf47abbcde2ba53c62212eca60c5cb5d9ce9d
parent 20257 55ab8cb47c1f796a35add6a287f474ca7c262862
child 20259 95b40d8ba0e64e909da287b6ce21d4519fa4beac
push idunknown
push userunknown
push dateunknown
reviewerskaie
bugs413909
milestone1.9.1b2pre
Bug 413909 - nsCertOverrideService IDN handling is broken; tests; r=kaie
build/pgo/certs/Makefile.in
build/pgo/certs/bug413909cert.server
build/pgo/server-locations.txt
security/manager/ssl/Makefile.in
security/manager/ssl/tests/Makefile.in
security/manager/ssl/tests/mochitest/Makefile.in
security/manager/ssl/tests/mochitest/test_bug413909.html
security/manager/ssl/tests/test_datasignatureverifier.js
security/manager/ssl/tests/test_hash_algorithms.js
security/manager/ssl/tests/test_hmac.js
security/manager/ssl/tests/unit/test_datasignatureverifier.js
security/manager/ssl/tests/unit/test_hash_algorithms.js
security/manager/ssl/tests/unit/test_hmac.js
--- a/build/pgo/certs/Makefile.in
+++ b/build/pgo/certs/Makefile.in
@@ -43,16 +43,17 @@ VPATH		= @srcdir@
 
 include $(DEPTH)/config/autoconf.mk
 
 _PROFILE_DIR = $(DEPTH)/_profile/pgo
 _CERTS_DIR = $(_PROFILE_DIR)/certs
 
 # Extension of files must be '.server'
 _SERVER_CERTS = \
+    bug413909cert.server \
     $(NULL)
   
 # Extension of files must be '.ca'
 _CERT_AUTHORITIES = \
     pgoca.ca \
     $(NULL)
 
 _SERV_FILES = \
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..87e4bf53c284809d43aabd971ac6b6fe719626a6
GIT binary patch
literal 1664
zc${sMeLT~P9>;%sFi+!*Gqo(Nc^H!#(nd*QjYv+r$HP?{BO*1TRB~Et84jXaj>ht|
zMj4v4LLG-wo*H?|qHL8($3i6>$63d{uX}slUiW-nug^c9&-eBH>+>eCz#s^L1=Gc+
z`=l=zfV4p+EGrh24Z{&we-lGc1U3Y@VgyY8KNVaL1TJBN#RN9EieL%T`)|DR)&z>c
z7@rA<#t6RmP}<FHJc7f6K_Dm_%-UOMlz*mR=o7SvN`2my+dNilKkuKqduB|Zl(~EF
z%=*-;h*#cPM;MTy8Z=uFn`&ygWl&+;aJUgl+vXlz*g^Ghv45}rhIubfgqD@1#~&k;
zj9hiC=hfi)X+EkUN+3zIVfRK;Gc1>$$flf)Xm%m!WaopEfcAQbXI6<SqTIfC%j$&I
zk%<kwE0i;m-hO$;i1At?o0?y0TQ1@>Jt+1>C(erfoPRaza+x3!xheJePR{J0o*yn1
zREW=5k;T{axd4K!UV1Sq3Hq=vicxX1Ea;XnT{Se?<kd?NUpX*wZ}RehlW^GPa7n<f
z&V9yB6T=lmwQa3pMz13~^DaQwy>O>)M-7~C*H<svgI9yhG!zAV-ZXrf-f^}&IKM{d
z$oyeID^k0d(d(nz#{9PQqSiJ4ehbY$naM|k+Ed$AuTVK5TlU00g~!jTZ$irlQwC$x
z7*>W28IV6Ealm>7_=PXKidjceq(@E_9LgjqiWqO+hF$6J)_c1XKJM;z@$iX=oiCda
z2!-^?C9N`e<9L0Th4;C%MMZzr*=Dn;8XO{mgTnXgo_4USoz!p98H#*ZDspqf+6#u`
z;KCmXC`gldU*of_S~p=eo`(z<2FP^2ksB^=mfNrBwQMk}9=J<XKUWTqV(4NFm-#`U
zt__~;-tjxOJnav?baX8C@{PGV!l?%>ZdsJUJ;|mG-$#LtsvKgmWfM1`Y`CT`Ojhn_
zev%*6O*?_DvU}u|`Z(<NpeUiKtUWvFM*Ja+u(G=C5&0x(wG?@$vq1b}xTSY&dXf})
z)m^#eL%ekret82J>UYw1C*jR}i+5&X0j|RxZ_;%Y>KI6{`!a4_q~lt1Q-A>+17d(p
zfFs}xxB`R~M*;_cqd@Y?s=u6?IIe;sD~_KweRcLR(qQvP-t$k~@luD_P~hMCUu0k<
zD+GZ-UuB@L2!Z{J5byEH$8uvqzV*7ol=^11e1(vb71F?Y=a+Vww^O$Ut#J|sE8a1?
zMtwa3*vNp&m<YPYroL3$TH`ks-WKP+ar;A!&$HhstG7!!t}`M~{|wL$YHi^aTQ3QJ
zUT&W~`jbIOoqj-Dj9Qfw;uYsKj}d;Z)+bJq;T^5#QU298W~9Hvm>UB*o+{)0@*e-7
zHcHWc(OX*Ucd(e4qoLTLZibw=FjH_$y1WX1AMhczrxmh?`uFn__DsP#u_Ky8r;q#b
zHE0|~naTSoz{|p|aEzMiD;gnlTceS3Jh4)RICyp3`chwIu14~b9KmZSX{L)i&KHYR
zRsJKMN!u)nPDr?==44Jd7@MB8D%{g|dJn5fEDF2b1G%)?>vb!?QQO-6oasbf4<spq
z#r(POo2P(`pB0iW4g?=ap(?yJpGX2?WDL1=)SsK}*7r`-pWn^Dzqomm-?FRJi8a4S
z9K#1vjgBQW??xrM+~TBWmyPc_uZe|oG;!0Pxstu_G0LvM(wDhdZOZaxRek6mCLYK;
zxvWx`v#$K|oHyib&=4)jY-AkQB_}Fzx3eSieFls(v^TEG0IWz!a<8(dF>5Zg`+RO0
zi8l^jYsP&tsuykXsQjRJ=t9Z--gmuKr#fYx(#<NF7i}hQ3G>T|a7tqFFTJ$3;}6%}
z<6J=8y5B;Xe9=c+@Sby+zAkV}pcMMQe)NGuN?y`Avcq8{8QpVtgMqKP+CwI+M^CK@
zUEHxoi?%@rG<DL2UJNem1FDp<v&gvjo!fZUI?uX7^75vu<$iTHbIKI1O(O@_W>_Y6
zdt#X9Z005^_tTL<`W1iHA}{7H%B1XNvD}Fh8CpxXx&O{$?o-0%2U`oFgA0P+Y^lHI
z6iJk`-cme{>|X)Zso*88H+@d_1^!P27s5J%E=<eb5CS&U0-(r{C?4c+WqrzPbyoRx
f6jGX8^p9{Tg0nL^(s1gWWoG!b@1#RAGywbsgeUF+
--- a/build/pgo/server-locations.txt
+++ b/build/pgo/server-locations.txt
@@ -124,16 +124,19 @@ https://xn--hxajbheg2az3al.xn--jxalpdlp:
 https://sub1.xn--hxajbheg2az3al.xn--jxalpdlp:443   privileged
 
 #
 # These are subdomains of <παράδειγμα.δοκιμή>, the Greek IDN for example.test.
 #
 http://xn--hxajbheg2az3al.xn--jxalpdlp:80        privileged
 http://sub1.xn--hxajbheg2az3al.xn--jxalpdlp:80   privileged
 
+# Bug 413909 test host
+https://bug413909.xn--hxajbheg2az3al.xn--jxalpdlp:443   privileged,cert=bug413909cert
+
 #
 # These hosts are used in tests which exercise privilege-granting functionality;
 # we could reuse some of the names above, but specific names make it easier to
 # distinguish one from the other in tests (as well as what functionality is
 # being tested).
 #
 http://sectest1.example.org:80       privileged
 http://sub.sectest2.example.org:80   privileged
--- a/security/manager/ssl/Makefile.in
+++ b/security/manager/ssl/Makefile.in
@@ -37,13 +37,11 @@
 # ***** END LICENSE BLOCK *****
 
 DEPTH		= ../../..
 topsrcdir	= @top_srcdir@
 srcdir		= @srcdir@
 VPATH		= @srcdir@
 
 MODULE		= pipnss
-DIRS		= src public
-
-XPCSHELL_TESTS  = tests
+DIRS		  = src public tests
 
 include $(topsrcdir)/config/rules.mk
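Review bot: `DIRS = src public tests` makes the build descend into `tests` unconditionally, so the new mochitest `libs::` install rule would also run in a build configured without tests. If this tree follows the usual guard, keep `DIRS = src public` and add `ifdef ENABLE_TESTS`, `DIRS += tests`, `endif` below it. That keeps test-only files out of non-test builds and avoids writing to a `_tests` directory that may not exist there.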
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/Makefile.in
@@ -0,0 +1,48 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is mozilla.org code.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1998
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Jan Bambas <honzab@firemni.cz>
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+DEPTH		= ../../../..
+topsrcdir	= @top_srcdir@
+srcdir		= @srcdir@
+VPATH		= @srcdir@
+
+MODULE		= pipnss
+DIRS		= mochitest
+XPCSHELL_TESTS  = unit
+
+include $(topsrcdir)/config/rules.mk
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/Makefile.in
@@ -0,0 +1,53 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is mozilla.org code.
+#
+# The Initial Developer of the Original Code is
+# Mozilla Foundation.
+# Portions created by the Initial Developer are Copyright (C) 2007
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Jan Bambas <honzab@firemni.cz>
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either of the GNU General Public License Version 2 or later (the "GPL"),
+# or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+DEPTH		= ../../../../..
+topsrcdir	= @top_srcdir@
+srcdir		= @srcdir@
+VPATH		= @srcdir@
+relativesrcdir	= security/ssl
+
+include $(DEPTH)/config/autoconf.mk
+include $(topsrcdir)/config/rules.mk
+
+_CHROME_FILES	= \
+    test_bug413909.html \
+		$(NULL)
+
+libs:: $(_CHROME_FILES)
+	$(INSTALL) $(foreach f,$^,"$f") $(DEPTH)/_tests/testing/mochitest/chrome/$(relativesrcdir)
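Review bot: `relativesrcdir = security/ssl` does not match where this Makefile lives (`security/manager/ssl/tests/mochitest`), so the test installs under `chrome/security/ssl`. That makes the installed test harder to trace back to its source and risks a clash with any other directory using the same short path. Unless the short path is deliberate, use `relativesrcdir = security/manager/ssl/tests/mochitest`. The `_CHROME_FILES` continuation lines also mix spaces and tabs; one indent style would read more cleanly.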
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/mochitest/test_bug413909.html
@@ -0,0 +1,139 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test bug 413909</title>
+  <script type="text/javascript" src="chrome://mochikit/content/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>        
+  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css" />
+</head>
+<body onload="onWindowLoad()">
+
+<iframe name="frame1" src="https://bug413909.xn--hxajbheg2az3al.xn--jxalpdlp/" onload="onFrameLoad()"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+var certOverrideService = Components.classes["@mozilla.org/security/certoverride;1"]
+  .getService(Components.interfaces.nsICertOverrideService);
+var cert = null;
+var certListener = null;
+var frameLoadTimeout = null;
+
+SimpleTest.waitForExplicitFinish();
+
+function badCertListener() 
+{
+}
+
+badCertListener.prototype = {
+  exceptionAdded: false,
+
+  getInterface: function (aIID) {
+    return this.QueryInterface(aIID);
+  },
+
+  QueryInterface: function(aIID) {
+    if (aIID.equals(Components.interfaces.nsIBadCertListener2) ||
+        aIID.equals(Components.interfaces.nsIInterfaceRequestor) ||
+        aIID.equals(Components.interfaces.nsISupports))
+      return this;
+
+    throw Components.results.NS_ERROR_NO_INTERFACE;
+  },  
+
+  notifyCertProblem: function MSR_notifyCertProblem(socketInfo, sslStatus, targetHost) {
+    cert = sslStatus.QueryInterface(Components.interfaces.nsISSLStatus)
+      .serverCert;
+  
+    certOverrideService.rememberValidityOverride(
+      "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp",
+      -1,
+      cert,
+      certOverrideService.ERROR_UNTRUSTED,
+      false);
+
+    this.exceptionAdded = true;
+    return true;
+  }
+}
+
+function apiTest(expected)
+{
+  var has;
+  var bits = {}, temp = {};
+  
+  has = certOverrideService.hasMatchingOverride(
+      "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", 
+      -1, cert, bits, temp);
+  is(has, expected, "hasMatchingOverride "+expected+" for default port value");
+  
+  has = certOverrideService.hasMatchingOverride(
+      "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", 
+      443, cert, bits, temp);
+  is(has, expected, "hasMatchingOverride "+expected+" for explicit port value");
+  
+  has = certOverrideService.hasMatchingOverride(
+      "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", 
+      563, cert, bits, temp);
+  ok(!has, "hasMatchingOverride false for invalid port value");
+  
+  has = certOverrideService.hasMatchingOverride(
+      window.frame1.location.hostname, 
+      -1, cert, bits, temp);
+  ok(!has, "hasMatchingOverride false for default port value and non-ascii host");
+  
+  has = certOverrideService.hasMatchingOverride(
+      window.frame1.location.hostname, 
+      443, cert, bits, temp);
+  ok(!has, "hasMatchingOverride false for explicit port value and non-ascii host");
+  
+  has = certOverrideService.hasMatchingOverride(
+      window.frame1.location.hostname, 
+      563, cert, bits, temp);
+  ok(!has, "hasMatchingOverride false for invalid port value and non-ascii host");
+}
+
+function onFrameLoad()
+{
+  ok(certListener.exceptionAdded, "Secure page loaded after exception was added and not sooner");
+  if (!certListener.exceptionAdded)
+    return;
+  
+  apiTest(true);
+  certOverrideService.clearValidityOverride(
+    "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", -1);
+  apiTest(false);
+
+  clearTimeout(frameLoadTimeout);
+  SimpleTest.finish();
+}
+
+function onWindowLoad()
+{
+  var req = new XMLHttpRequest();
+  try
+  {
+    certListener = new badCertListener();
+    
+    req.open("GET", "https://bug413909.xn--hxajbheg2az3al.xn--jxalpdlp/", false);
+    req.channel.notificationCallbacks = certListener;
+    req.send(null);
+  }
+  catch(ex)
+  {
+    // ignore
+  }
+  
+  // There is no error event indicating frame load error,
+  // simulate using timeout.
+  frameLoadTimeout = setTimeout(function() 
+  {
+    ok(false, "Secure page did not load, adding exception failed?");
+    SimpleTest.finish();
+  }, 5000);
+
+  window.frame1.location.reload();
+}
+
+</script>
+</body>
+</html>
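Review bot: The timeout handler in `onWindowLoad` calls `SimpleTest.finish()` without removing the override that `notifyCertProblem` stored with `false` as its last argument, which appears to mean non-temporary. A failed run can therefore leave a certificate exception for the test host in the profile for whatever runs next. Call `certOverrideService.clearValidityOverride("bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", -1);` before `SimpleTest.finish()` in that handler, or pass `true` if persistence is not what is being tested. `apiTest` also never inspects the `bits` out-parameter; adding `is(bits.value, certOverrideService.ERROR_UNTRUSTED, "override bits")` when `expected` is true would confirm the stored exception covers only the untrusted error.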
rename from security/manager/ssl/tests/test_datasignatureverifier.js
rename to security/manager/ssl/tests/unit/test_datasignatureverifier.js
rename from security/manager/ssl/tests/test_hash_algorithms.js
rename to security/manager/ssl/tests/unit/test_hash_algorithms.js
rename from security/manager/ssl/tests/test_hmac.js
rename to security/manager/ssl/tests/unit/test_hmac.js