author | David Keeler <dkeeler@mozilla.com> |
Tue, 29 Sep 2015 13:24:19 -0700 | |
changeset 300941 | 5b5b1921c0d6cb0d6251024b961ab931109f8439 |
parent 300940 | 140cb7bbca5f92565d4b11cc3abf170a5123ebc4 |
child 300942 | 7b9a08825f7db4197755a6ebb51f9a7f82c5167b |
push id | 5392 |
push user | raliiev@mozilla.com |
push date | Mon, 14 Dec 2015 20:08:23 +0000 |
reviewers | mgoodwin |
bugs | 1209695, 413909 |
milestone | 44.0a1 |
deleted file mode 100644
--- a/security/manager/ssl/tests/mochitest/bugs/chrome.ini
+++ /dev/null
@@ -1,6 +0,0 @@
-[DEFAULT]
-tags = psm
-skip-if = buildapp == 'b2g' || os == 'android'
-
-[test_bug413909.html]
-skip-if = buildapp == 'mulet'
deleted file mode 100644
--- a/security/manager/ssl/tests/mochitest/bugs/moz.build
+++ /dev/null
@@ -1,7 +0,0 @@
-# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-MOCHITEST_CHROME_MANIFESTS += ['chrome.ini']
deleted file mode 100644
--- a/security/manager/ssl/tests/mochitest/bugs/test_bug413909.html
+++ /dev/null
@@ -1,127 +0,0 @@ -<!DOCTYPE HTML> -<html> -<head> - <title>Test bug 413909</title> - <script type="text/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script> - <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css" /> -</head> -<body onload="onWindowLoad()"> - -<script class="testbody" type="text/javascript"> - -var certOverrideService = Components.classes["@mozilla.org/security/certoverride;1"] - .getService(Components.interfaces.nsICertOverrideService); -var cert = null; -var certListener = null; - -SimpleTest.waitForExplicitFinish(); - -function badCertListener() -{ -} - -badCertListener.prototype = { - exceptionAdded: false, - - getInterface: function (aIID) { - return this.QueryInterface(aIID); - }, - - QueryInterface: function(aIID) { - if (aIID.equals(Components.interfaces.nsIBadCertListener2) || - aIID.equals(Components.interfaces.nsIInterfaceRequestor) || - aIID.equals(Components.interfaces.nsISupports)) - return this; - - throw Components.results.NS_ERROR_NO_INTERFACE; - }, - - notifyCertProblem: function MSR_notifyCertProblem(socketInfo, sslStatus, targetHost) { - cert = sslStatus.QueryInterface(Components.interfaces.nsISSLStatus) - .serverCert; - - certOverrideService.rememberValidityOverride( - "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", - -1, - cert, - certOverrideService.ERROR_UNTRUSTED, - false); - - this.exceptionAdded = true; - return true; - } -} - -function apiTest(expected) -{ - var has; - var bits = {}, temp = {}; - - has = certOverrideService.hasMatchingOverride( - "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", - -1, cert, bits, temp); - is(has, expected, "hasMatchingOverride "+expected+" for default port value"); - - has = certOverrideService.hasMatchingOverride( - "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", - 443, cert, bits, temp); - is(has, expected, "hasMatchingOverride "+expected+" for explicit port value"); - - has = certOverrideService.hasMatchingOverride( - 
"bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", - 563, cert, bits, temp); - ok(!has, "hasMatchingOverride false for invalid port value"); - - has = certOverrideService.hasMatchingOverride( - window.frame1.location.hostname, - -1, cert, bits, temp); - ok(!has, "hasMatchingOverride false for default port value and non-ascii host"); - - has = certOverrideService.hasMatchingOverride( - window.frame1.location.hostname, - 443, cert, bits, temp); - ok(!has, "hasMatchingOverride false for explicit port value and non-ascii host"); - - has = certOverrideService.hasMatchingOverride( - window.frame1.location.hostname, - 563, cert, bits, temp); - ok(!has, "hasMatchingOverride false for invalid port value and non-ascii host"); -} - -function onFrameLoad() -{ - ok(certListener.exceptionAdded, "Secure page loaded after exception was added and not sooner"); - if (!certListener.exceptionAdded) - return; - - apiTest(true); - certOverrideService.clearValidityOverride( - "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", -1); - apiTest(false); - - SimpleTest.finish(); -} - -function onWindowLoad() -{ - var req = new XMLHttpRequest(); - try - { - certListener = new badCertListener(); - - req.open("GET", "https://bug413909.xn--hxajbheg2az3al.xn--jxalpdlp/", false); - req.channel.notificationCallbacks = certListener; - req.send(null); - } - catch(ex) - { - // ignore - } - - window.frame1.location.reload(); -} - -</script> -<iframe name="frame1" src="https://bug413909.xn--hxajbheg2az3al.xn--jxalpdlp/" onload="onFrameLoad()"></iframe> -</body> -</html>
--- a/security/manager/ssl/tests/mochitest/moz.build
+++ b/security/manager/ssl/tests/mochitest/moz.build
@@ -1,13 +1,11 @@
 # -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 TEST_DIRS += [
 'browser',
- 'bugs',
 'mixedcontent',
 'stricttransportsecurity',
 ]
-
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec
@@ -0,0 +1,3 @@
+issuer:Unknown Issuer
+subject:IDN Certificate
+extension:subjectAlternativeName:bug413909.xn--hxajbheg2az3al.xn--jxalpdlp
--- a/security/manager/ssl/tests/unit/bad_certs/moz.build
+++ b/security/manager/ssl/tests/unit/bad_certs/moz.build
@@ -11,16 +11,17 @@ test_certificates = (
 'beforeEpochIssuer.pem',
 'ca-used-as-end-entity.pem',
 'default-ee.pem',
 'eeIssuedByNonCA.pem',
 'eeIssuedByV1Cert.pem',
 'expired-ee.pem',
 'expiredINT.pem',
 'expiredissuer.pem',
+ 'idn-certificate.pem',
 'inadequateKeySizeEE.pem',
 'inadequatekeyusage-ee.pem',
 'ipAddressAsDNSNameInSAN.pem',
 'md5signature-expired.pem',
 'md5signature.pem',
 'mismatchCN.pem',
 'mismatch-expired.pem',
 'mismatch-notYetValid.pem',
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js +++ b/security/manager/ssl/tests/unit/test_cert_overrides.js @@ -14,17 +14,17 @@ do_get_profile(); function check_telemetry() { let histogram = Cc["@mozilla.org/base/telemetry;1"] .getService(Ci.nsITelemetry) .getHistogramById("SSL_CERT_ERROR_OVERRIDES") .snapshot(); equal(histogram.counts[ 0], 0, "Should have 0 unclassified counts"); - equal(histogram.counts[ 2], 7, + equal(histogram.counts[ 2], 8, "Actual and expected SEC_ERROR_UNKNOWN_ISSUER counts should match"); equal(histogram.counts[ 3], 1, "Actual and expected SEC_ERROR_CA_CERT_INVALID counts should match"); equal(histogram.counts[ 4], 0, "Actual and expected SEC_ERROR_UNTRUSTED_ISSUER counts should match"); equal(histogram.counts[ 5], 1, "Actual and expected SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE counts should match"); equal(histogram.counts[ 6], 0, 
@@ -55,23 +55,57 @@ function check_telemetry() { .getHistogramById("CERT_CHAIN_KEY_SIZE_STATUS") .snapshot(); equal(keySizeHistogram.counts[0], 0, "Actual and expected unchecked key size counts should match"); equal(keySizeHistogram.counts[1], 12, "Actual and expected successful verifications of 2048-bit keys should match"); equal(keySizeHistogram.counts[2], 0, "Actual and expected successful verifications of 1024-bit keys should match"); - equal(keySizeHistogram.counts[3], 54, - "Actual and expected key size verification failures should match"); + equal(keySizeHistogram.counts[3], 56, + "Actual and expected verification failures unrelated to key size should match"); run_next_test(); } +// Internally, specifying "port" -1 is the same as port 443. This tests that. +function run_port_equivalency_test(inPort, outPort) { + Assert.ok((inPort == 443 && outPort == -1) || (inPort == -1 && outPort == 443), + "The two specified ports must be -1 and 443 (in any order)"); + let certOverrideService = Cc["@mozilla.org/security/certoverride;1"] + .getService(Ci.nsICertOverrideService); + let cert = constructCertFromFile("bad_certs/default-ee.pem"); + let expectedBits = Ci.nsICertOverrideService.ERROR_UNTRUSTED + let expectedTemporary = true; + certOverrideService.rememberValidityOverride("example.com", inPort, cert, + expectedBits, expectedTemporary); + let actualBits = {}; + let actualTemporary = {}; + Assert.ok(certOverrideService.hasMatchingOverride("example.com", outPort, + cert, actualBits, + actualTemporary), + `override set on port ${inPort} should match port ${outPort}`); + equal(actualBits.value, expectedBits, + "input override bits should match output bits"); + equal(actualTemporary.value, expectedTemporary, + "input override temporary value should match output temporary value"); + Assert.ok(!certOverrideService.hasMatchingOverride("example.com", 563, + cert, {}, {}), + `override set on port ${inPort} should not match port 563`); + 
certOverrideService.clearValidityOverride("example.com", inPort); + Assert.ok(!certOverrideService.hasMatchingOverride("example.com", outPort, + cert, actualBits, {}), + `override cleared on port ${inPort} should match port ${outPort}`); + equal(actualBits.value, 0, "should have no bits set if there is no override"); +} + function run_test() { + run_port_equivalency_test(-1, 443); + run_port_equivalency_test(443, -1); + Services.prefs.setIntPref("security.OCSP.enabled", 1); add_tls_server_setup("BadCertServer", "bad_certs"); let fakeOCSPResponder = new HttpServer(); fakeOCSPResponder.registerPrefixHandler("/", function (request, response) { response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); }); fakeOCSPResponder.start(8888); 
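Review bot: The last assertion message in run_port_equivalency_test says the opposite of what the call checks: the call is `Assert.ok(!certOverrideService.hasMatchingOverride(...))` on the cleared override, yet its message reads `override cleared on port ${inPort} should match port ${outPort}`, so a failure would report the inverse of the expectation; change it to `override cleared on port ${inPort} should not match port ${outPort}`. Earlier in the same function, `let expectedBits = Ci.nsICertOverrideService.ERROR_UNTRUSTED` has no terminating semicolon and relies on automatic semicolon insertion, unlike every neighbouring statement. The `equal(actualBits.value, 0, ...)` check deliberately reuses the `actualBits` object that the earlier successful match populated, so it only proves something if hasMatchingOverride resets the out-param on a miss; a one-line comment such as `// actualBits was set by the match above; a miss must reset it to 0` would make that intent explicit. check_telemetry begins and run_test ends outside this hunk.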
@@ -206,16 +240,33 @@ function add_simple_tests() {
 Ci.nsICertOverrideService.ERROR_MISMATCH,
 SSL_ERROR_BAD_CERT_DOMAIN);
 add_cert_override_test("noValidNames.example.com",
 Ci.nsICertOverrideService.ERROR_MISMATCH,
 SSL_ERROR_BAD_CERT_DOMAIN);
 add_cert_override_test("badSubjectAltNames.example.com",
 Ci.nsICertOverrideService.ERROR_MISMATCH,
 SSL_ERROR_BAD_CERT_DOMAIN);
+
+ add_cert_override_test("bug413909.xn--hxajbheg2az3al.xn--jxalpdlp",
+ Ci.nsICertOverrideService.ERROR_UNTRUSTED,
+ SEC_ERROR_UNKNOWN_ISSUER);
+ add_test(function() {
+ // At this point, the override for bug413909.xn--hxajbheg2az3al.xn--jxalpdlp
+ // is still valid. Do some additional tests relating to IDN handling.
+ let certOverrideService = Cc["@mozilla.org/security/certoverride;1"]
+ .getService(Ci.nsICertOverrideService);
+ let uri = Services.io.newURI("https://bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", null, null);
+ let cert = constructCertFromFile("bad_certs/idn-certificate.pem");
+ Assert.ok(certOverrideService.hasMatchingOverride(uri.asciiHost, 8443, cert, {}, {}),
+ "IDN certificate should have matching override using ascii host");
+ Assert.ok(!certOverrideService.hasMatchingOverride(uri.host, 8443, cert, {}, {}),
+ "IDN certificate should not have matching override using (non-ascii) host");
+ run_next_test();
+ });
 }
 
 function add_combo_tests() {
 add_cert_override_test("mismatch-expired.example.com",
 Ci.nsICertOverrideService.ERROR_MISMATCH |
 Ci.nsICertOverrideService.ERROR_TIME,
 SSL_ERROR_BAD_CERT_DOMAIN);
 add_cert_override_test("mismatch-notYetValid.example.com",
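Review bot: The second assertion in the added add_test callback assumes that `uri.host` yields the Unicode form of the IDN while `uri.asciiHost` yields the punycode form, but nothing in the test pins that precondition down; if the URI code returned the ASCII host for both (presumably possible under a different IDN display configuration), the override would match and the test would fail with a message blaming override lookup rather than URI handling. Add a precondition right after `let uri = ...`: `notEqual(uri.host, uri.asciiHost, "precondition: IDN host must differ from its ascii form");`. The hard-coded 8443 is presumably the port add_cert_override_test connects to, which is not visible in this hunk; a comment such as `// 8443 is the port add_cert_override_test connects to` would keep the two in sync. add_simple_tests begins outside this hunk.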
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
@@ -69,16 +69,17 @@ const BadCertHost sBadCertHosts[] = {
 { "nsCertTypeCriticalWithExtKeyUsage.example.com", "nsCertTypeCriticalWithExtKeyUsage" },
 { "nsCertTypeCritical.example.com", "nsCertTypeCritical" },
 { "end-entity-issued-by-v1-cert.example.com", "eeIssuedByV1Cert" },
 { "end-entity-issued-by-non-CA.example.com", "eeIssuedByNonCA" },
 { "inadequate-key-size-ee.example.com", "inadequateKeySizeEE" },
 { "badSubjectAltNames.example.com", "badSubjectAltNames" },
 { "ipAddressAsDNSNameInSAN.example.com", "ipAddressAsDNSNameInSAN" },
 { "noValidNames.example.com", "noValidNames" },
+ { "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", "idn-certificate" },
 { nullptr, nullptr }
 };
 
 int32_t
 DoSNISocketConfigBySubjectCN(PRFileDesc* aFd, const SECItem* aSrvNameArr,
 uint32_t aSrvNameArrSize)
 {
 for (uint32_t i = 0; i < aSrvNameArrSize; i++) {