bug 1209695 - fold mochitest test_bug413909.html into xpcshell test_cert_overrides.js r=mgoodwin
authorDavid Keeler <dkeeler@mozilla.com>
Tue, 29 Sep 2015 13:24:19 -0700
changeset 300941 5b5b1921c0d6cb0d6251024b961ab931109f8439
parent 300940 140cb7bbca5f92565d4b11cc3abf170a5123ebc4
child 300942 7b9a08825f7db4197755a6ebb51f9a7f82c5167b
push id5392
push userraliiev@mozilla.com
push dateMon, 14 Dec 2015 20:08:23 +0000
treeherdermozilla-beta@16ce8562a975 [default view] [failures only]
reviewersmgoodwin
bugs1209695, 413909
milestone44.0a1
bug 1209695 - fold mochitest test_bug413909.html into xpcshell test_cert_overrides.js r=mgoodwin test_bug413909.html doesn't need to be a mochitest. Furthermore, test_cert_overrides.js tests a lot of the same functionality. This just moves the unique parts from the old test to a new home in the xpcshell test (to be specific, some IDN handling and that "port" -1 is the same as port 443).
security/manager/ssl/tests/mochitest/bugs/chrome.ini
security/manager/ssl/tests/mochitest/bugs/moz.build
security/manager/ssl/tests/mochitest/bugs/test_bug413909.html
security/manager/ssl/tests/mochitest/moz.build
security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec
security/manager/ssl/tests/unit/bad_certs/moz.build
security/manager/ssl/tests/unit/test_cert_overrides.js
security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
deleted file mode 100644
--- a/security/manager/ssl/tests/mochitest/bugs/chrome.ini
+++ /dev/null
@@ -1,6 +0,0 @@
-[DEFAULT]
-tags = psm
-skip-if = buildapp == 'b2g' || os == 'android'
-
-[test_bug413909.html]
-skip-if = buildapp == 'mulet'
deleted file mode 100644
--- a/security/manager/ssl/tests/mochitest/bugs/moz.build
+++ /dev/null
@@ -1,7 +0,0 @@
-# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-MOCHITEST_CHROME_MANIFESTS += ['chrome.ini']
deleted file mode 100644
--- a/security/manager/ssl/tests/mochitest/bugs/test_bug413909.html
+++ /dev/null
@@ -1,127 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <title>Test bug 413909</title>
-  <script type="text/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>        
-  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css" />
-</head>
-<body onload="onWindowLoad()">
-
-<script class="testbody" type="text/javascript">
-
-var certOverrideService = Components.classes["@mozilla.org/security/certoverride;1"]
-  .getService(Components.interfaces.nsICertOverrideService);
-var cert = null;
-var certListener = null;
-
-SimpleTest.waitForExplicitFinish();
-
-function badCertListener() 
-{
-}
-
-badCertListener.prototype = {
-  exceptionAdded: false,
-
-  getInterface: function (aIID) {
-    return this.QueryInterface(aIID);
-  },
-
-  QueryInterface: function(aIID) {
-    if (aIID.equals(Components.interfaces.nsIBadCertListener2) ||
-        aIID.equals(Components.interfaces.nsIInterfaceRequestor) ||
-        aIID.equals(Components.interfaces.nsISupports))
-      return this;
-
-    throw Components.results.NS_ERROR_NO_INTERFACE;
-  },  
-
-  notifyCertProblem: function MSR_notifyCertProblem(socketInfo, sslStatus, targetHost) {
-    cert = sslStatus.QueryInterface(Components.interfaces.nsISSLStatus)
-      .serverCert;
-  
-    certOverrideService.rememberValidityOverride(
-      "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp",
-      -1,
-      cert,
-      certOverrideService.ERROR_UNTRUSTED,
-      false);
-
-    this.exceptionAdded = true;
-    return true;
-  }
-}
-
-function apiTest(expected)
-{
-  var has;
-  var bits = {}, temp = {};
-  
-  has = certOverrideService.hasMatchingOverride(
-      "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", 
-      -1, cert, bits, temp);
-  is(has, expected, "hasMatchingOverride "+expected+" for default port value");
-  
-  has = certOverrideService.hasMatchingOverride(
-      "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", 
-      443, cert, bits, temp);
-  is(has, expected, "hasMatchingOverride "+expected+" for explicit port value");
-  
-  has = certOverrideService.hasMatchingOverride(
-      "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", 
-      563, cert, bits, temp);
-  ok(!has, "hasMatchingOverride false for invalid port value");
-  
-  has = certOverrideService.hasMatchingOverride(
-      window.frame1.location.hostname, 
-      -1, cert, bits, temp);
-  ok(!has, "hasMatchingOverride false for default port value and non-ascii host");
-  
-  has = certOverrideService.hasMatchingOverride(
-      window.frame1.location.hostname, 
-      443, cert, bits, temp);
-  ok(!has, "hasMatchingOverride false for explicit port value and non-ascii host");
-  
-  has = certOverrideService.hasMatchingOverride(
-      window.frame1.location.hostname, 
-      563, cert, bits, temp);
-  ok(!has, "hasMatchingOverride false for invalid port value and non-ascii host");
-}
-
-function onFrameLoad()
-{
-  ok(certListener.exceptionAdded, "Secure page loaded after exception was added and not sooner");
-  if (!certListener.exceptionAdded)
-    return;
-  
-  apiTest(true);
-  certOverrideService.clearValidityOverride(
-    "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", -1);
-  apiTest(false);
-
-  SimpleTest.finish();
-}
-
-function onWindowLoad()
-{
-  var req = new XMLHttpRequest();
-  try
-  {
-    certListener = new badCertListener();
-    
-    req.open("GET", "https://bug413909.xn--hxajbheg2az3al.xn--jxalpdlp/", false);
-    req.channel.notificationCallbacks = certListener;
-    req.send(null);
-  }
-  catch(ex)
-  {
-    // ignore
-  }
-
-  window.frame1.location.reload();
-}
-
-</script>
-<iframe name="frame1" src="https://bug413909.xn--hxajbheg2az3al.xn--jxalpdlp/" onload="onFrameLoad()"></iframe>
-</body>
-</html>
--- a/security/manager/ssl/tests/mochitest/moz.build
+++ b/security/manager/ssl/tests/mochitest/moz.build
@@ -1,13 +1,11 @@
 # -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 TEST_DIRS += [
     'browser',
-    'bugs',
     'mixedcontent',
     'stricttransportsecurity',
 ]
-
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Unknown Issuer
+subject:IDN Certificate
+extension:subjectAlternativeName:bug413909.xn--hxajbheg2az3al.xn--jxalpdlp
--- a/security/manager/ssl/tests/unit/bad_certs/moz.build
+++ b/security/manager/ssl/tests/unit/bad_certs/moz.build
@@ -11,16 +11,17 @@ test_certificates = (
     'beforeEpochIssuer.pem',
     'ca-used-as-end-entity.pem',
     'default-ee.pem',
     'eeIssuedByNonCA.pem',
     'eeIssuedByV1Cert.pem',
     'expired-ee.pem',
     'expiredINT.pem',
     'expiredissuer.pem',
+    'idn-certificate.pem',
     'inadequateKeySizeEE.pem',
     'inadequatekeyusage-ee.pem',
     'ipAddressAsDNSNameInSAN.pem',
     'md5signature-expired.pem',
     'md5signature.pem',
     'mismatchCN.pem',
     'mismatch-expired.pem',
     'mismatch-notYetValid.pem',
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@@ -14,17 +14,17 @@
 do_get_profile();
 
 function check_telemetry() {
   let histogram = Cc["@mozilla.org/base/telemetry;1"]
                     .getService(Ci.nsITelemetry)
                     .getHistogramById("SSL_CERT_ERROR_OVERRIDES")
                     .snapshot();
   equal(histogram.counts[ 0], 0, "Should have 0 unclassified counts");
-  equal(histogram.counts[ 2], 7,
+  equal(histogram.counts[ 2], 8,
         "Actual and expected SEC_ERROR_UNKNOWN_ISSUER counts should match");
   equal(histogram.counts[ 3], 1,
         "Actual and expected SEC_ERROR_CA_CERT_INVALID counts should match");
   equal(histogram.counts[ 4], 0,
         "Actual and expected SEC_ERROR_UNTRUSTED_ISSUER counts should match");
   equal(histogram.counts[ 5], 1,
         "Actual and expected SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE counts should match");
   equal(histogram.counts[ 6], 0,
@@ -55,23 +55,57 @@ function check_telemetry() {
                            .getHistogramById("CERT_CHAIN_KEY_SIZE_STATUS")
                            .snapshot();
   equal(keySizeHistogram.counts[0], 0,
         "Actual and expected unchecked key size counts should match");
   equal(keySizeHistogram.counts[1], 12,
         "Actual and expected successful verifications of 2048-bit keys should match");
   equal(keySizeHistogram.counts[2], 0,
         "Actual and expected successful verifications of 1024-bit keys should match");
-  equal(keySizeHistogram.counts[3], 54,
-        "Actual and expected key size verification failures should match");
+  equal(keySizeHistogram.counts[3], 56,
+        "Actual and expected verification failures unrelated to key size should match");
 
   run_next_test();
 }
 
+// Internally, specifying "port" -1 is the same as port 443. This tests that.
+function run_port_equivalency_test(inPort, outPort) {
+  Assert.ok((inPort == 443 && outPort == -1) || (inPort == -1 && outPort == 443),
+            "The two specified ports must be -1 and 443 (in any order)");
+  let certOverrideService = Cc["@mozilla.org/security/certoverride;1"]
+                              .getService(Ci.nsICertOverrideService);
+  let cert = constructCertFromFile("bad_certs/default-ee.pem");
+  let expectedBits = Ci.nsICertOverrideService.ERROR_UNTRUSTED
+  let expectedTemporary = true;
+  certOverrideService.rememberValidityOverride("example.com", inPort, cert,
+                                               expectedBits, expectedTemporary);
+  let actualBits = {};
+  let actualTemporary = {};
+  Assert.ok(certOverrideService.hasMatchingOverride("example.com", outPort,
+                                                    cert, actualBits,
+                                                    actualTemporary),
+            `override set on port ${inPort} should match port ${outPort}`);
+  equal(actualBits.value, expectedBits,
+        "input override bits should match output bits");
+  equal(actualTemporary.value, expectedTemporary,
+        "input override temporary value should match output temporary value");
+  Assert.ok(!certOverrideService.hasMatchingOverride("example.com", 563,
+                                                     cert, {}, {}),
+            `override set on port ${inPort} should not match port 563`);
+  certOverrideService.clearValidityOverride("example.com", inPort);
+  Assert.ok(!certOverrideService.hasMatchingOverride("example.com", outPort,
+                                                     cert, actualBits, {}),
+            `override cleared on port ${inPort} should match port ${outPort}`);
+  equal(actualBits.value, 0, "should have no bits set if there is no override");
+}
+
 function run_test() {
+  run_port_equivalency_test(-1, 443);
+  run_port_equivalency_test(443, -1);
+
   Services.prefs.setIntPref("security.OCSP.enabled", 1);
   add_tls_server_setup("BadCertServer", "bad_certs");
 
   let fakeOCSPResponder = new HttpServer();
   fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
     response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
   });
   fakeOCSPResponder.start(8888);
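Review bot: The last assertion message in run_port_equivalency_test contradicts the check it labels. After clearValidityOverride the call is negated (`!certOverrideService.hasMatchingOverride("example.com", outPort, ...)`), yet the message says the cleared override "should match", so a failure log would state the opposite of what went wrong. Suggest `` `override cleared on port ${inPort} should not match port ${outPort}` ``. Separately, the line `let expectedBits = Ci.nsICertOverrideService.ERROR_UNTRUSTED` has no terminating semicolon, unlike the statements around it.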
@@ -206,16 +240,33 @@ function add_simple_tests() {
                          Ci.nsICertOverrideService.ERROR_MISMATCH,
                          SSL_ERROR_BAD_CERT_DOMAIN);
   add_cert_override_test("noValidNames.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH,
                          SSL_ERROR_BAD_CERT_DOMAIN);
   add_cert_override_test("badSubjectAltNames.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH,
                          SSL_ERROR_BAD_CERT_DOMAIN);
+
+  add_cert_override_test("bug413909.xn--hxajbheg2az3al.xn--jxalpdlp",
+                         Ci.nsICertOverrideService.ERROR_UNTRUSTED,
+                         SEC_ERROR_UNKNOWN_ISSUER);
+  add_test(function() {
+    // At this point, the override for bug413909.xn--hxajbheg2az3al.xn--jxalpdlp
+    // is still valid. Do some additional tests relating to IDN handling.
+    let certOverrideService = Cc["@mozilla.org/security/certoverride;1"]
+                                .getService(Ci.nsICertOverrideService);
+    let uri = Services.io.newURI("https://bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", null, null);
+    let cert = constructCertFromFile("bad_certs/idn-certificate.pem");
+    Assert.ok(certOverrideService.hasMatchingOverride(uri.asciiHost, 8443, cert, {}, {}),
+              "IDN certificate should have matching override using ascii host");
+    Assert.ok(!certOverrideService.hasMatchingOverride(uri.host, 8443, cert, {}, {}),
+              "IDN certificate should not have matching override using (non-ascii) host");
+    run_next_test();
+  });
 }
 
 function add_combo_tests() {
   add_cert_override_test("mismatch-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
                          Ci.nsICertOverrideService.ERROR_TIME,
                          SSL_ERROR_BAD_CERT_DOMAIN);
   add_cert_override_test("mismatch-notYetValid.example.com",
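Review bot: The negative check on `uri.host` in the new add_test callback only exercises IDN handling if `uri.host` actually differs from `uri.asciiHost`. The URI is built from the punycode string, and whether `host` comes back in Unicode form is presumably decided by IDN configuration that this test does not set. If both accessors returned the ASCII form, the second assertion would fail for a reason unrelated to the override service. Suggest stating the premise before the two override checks: `Assert.notEqual(uri.host, uri.asciiHost, "host should be the non-ASCII form of the name");`. add_simple_tests starts outside this hunk.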
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
@@ -69,16 +69,17 @@ const BadCertHost sBadCertHosts[] =
   { "nsCertTypeCriticalWithExtKeyUsage.example.com", "nsCertTypeCriticalWithExtKeyUsage" },
   { "nsCertTypeCritical.example.com", "nsCertTypeCritical" },
   { "end-entity-issued-by-v1-cert.example.com", "eeIssuedByV1Cert" },
   { "end-entity-issued-by-non-CA.example.com", "eeIssuedByNonCA" },
   { "inadequate-key-size-ee.example.com", "inadequateKeySizeEE" },
   { "badSubjectAltNames.example.com", "badSubjectAltNames" },
   { "ipAddressAsDNSNameInSAN.example.com", "ipAddressAsDNSNameInSAN" },
   { "noValidNames.example.com", "noValidNames" },
+  { "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", "idn-certificate" },
   { nullptr, nullptr }
 };
 
 int32_t
 DoSNISocketConfigBySubjectCN(PRFileDesc* aFd, const SECItem* aSrvNameArr,
                              uint32_t aSrvNameArrSize)
 {
   for (uint32_t i = 0; i < aSrvNameArrSize; i++) {