Source code
Revision control
Copy as Markdown
Other Tools
Test Info: Warnings
- This test gets skipped with pattern: os == 'win' && msix
- Manifest: security/manager/ssl/tests/unit/xpcshell.toml
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
"use strict";
// Tests that permanent certificate error overrides can be added even if the
// certificate/key databases are in read-only mode.
// Helper function for add_read_only_cert_override_test. Probably doesn't need
// to be called directly.
function add_read_only_cert_override(aHost, aSecurityInfo) {
let cert = aSecurityInfo.serverCert;
let certOverrideService = Cc[
"@mozilla.org/security/certoverride;1"
].getService(Ci.nsICertOverrideService);
// Setting the last argument to false here ensures that we attempt to store a
certOverrideService.rememberValidityOverride(aHost, 8443, {}, cert, false);
}
// Given a host and an expected error code, tests that an initial connection to
// the host fails with the expected errors and that adding an override results
// in a subsequent connection succeeding.
function add_read_only_cert_override_test(aHost, aExpectedError) {
add_connection_test(
aHost,
aExpectedError,
null,
add_read_only_cert_override.bind(this, aHost)
);
add_connection_test(aHost, PRErrorCodeSuccess, null, aSecurityInfo => {
Assert.ok(
aSecurityInfo.securityState &
Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
"Cert override flag should be set on the security state"
);
});
}
function run_test() {
let profile = do_get_profile();
const KEY_DB_NAME = "key4.db";
const CERT_DB_NAME = "cert9.db";
let srcKeyDBFile = do_get_file(
`test_cert_overrides_read_only/${KEY_DB_NAME}`
);
srcKeyDBFile.copyTo(profile, KEY_DB_NAME);
let srcCertDBFile = do_get_file(
`test_cert_overrides_read_only/${CERT_DB_NAME}`
);
srcCertDBFile.copyTo(profile, CERT_DB_NAME);
// set the databases to read-only
let keyDBFile = do_get_profile();
keyDBFile.append(KEY_DB_NAME);
keyDBFile.permissions = 0o400;
let certDBFile = do_get_profile();
certDBFile.append(CERT_DB_NAME);
certDBFile.permissions = 0o400;
Services.prefs.setIntPref("security.OCSP.enabled", 1);
// Specifying false as the last argument means we don't try to add the default
// test root CA (which would fail).
add_tls_server_setup("BadCertAndPinningServer", "bad_certs", false);
let fakeOCSPResponder = new HttpServer();
fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
});
fakeOCSPResponder.start(8888);
// Since we can't add the root CA to the (read-only) trust db, all of these
// will result in an "unknown issuer error" and need the "untrusted" error bit
// set in addition to whatever other specific error bits are necessary.
add_read_only_cert_override_test(
"expired.example.com",
SEC_ERROR_UNKNOWN_ISSUER
);
add_read_only_cert_override_test(
"selfsigned.example.com",
MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
);
add_read_only_cert_override_test(
"mismatch.example.com",
SEC_ERROR_UNKNOWN_ISSUER
);
add_test(function () {
fakeOCSPResponder.stop(run_next_test);
});
run_next_test();
}