Source code
Revision control
Copy as Markdown
Other Tools
Test Info: Warnings
- This test gets skipped with pattern: os == 'win' && msix
- Manifest: security/manager/ssl/tests/unit/xpcshell.toml
/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
"use strict";
// This test checks a number of things:
// * it ensures that data loaded from revocations.txt on startup is present
// * it ensures that data served from OneCRL are persisted correctly
// * it ensures that items in the CertBlocklist are seen as revoked by the
// cert verifier
// * it does a sanity check to ensure other cert verifier behavior is
// unmodified
const { RemoteSecuritySettings } = ChromeUtils.importESModule(
"resource://gre/modules/psm/RemoteSecuritySettings.sys.mjs"
);
// First, we need to setup appInfo for the blocklist service to work
var id = "xpcshell@tests.mozilla.org";
var appName = "XPCShell";
var version = "1";
var platformVersion = "1.9.2";
const { updateAppInfo } = ChromeUtils.importESModule(
);
updateAppInfo({
name: appName,
ID: id,
version,
platformVersion: platformVersion ? platformVersion : "1.0",
crashReporter: true,
});
// we need to ensure we setup revocation data before certDB, or we'll start with
// no revocation.txt in the profile
var gProfile = do_get_profile();
var gRevocations = gProfile.clone();
gRevocations.append("revocations.txt");
if (!gRevocations.exists()) {
let existing = do_get_file("test_onecrl/sample_revocations.txt", false);
existing.copyTo(gProfile, "revocations.txt");
}
var certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
Ci.nsIX509CertDB
);
const certBlocklist = [
// test with some bad data ...
{
issuerName: "Some nonsense in issuer",
serialNumber: "AkHVNA==",
},
{
issuerName: "MA0xCzAJBgNVBAMMAmNh",
serialNumber: "some nonsense in serial",
},
{
issuerName: "and serial",
serialNumber: "some nonsense in both issuer",
},
// some mixed
// In these case, the issuer name and the valid serialNumber correspond
// to test-int.pem in bad_certs/
{
issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
serialNumber: "oops! more nonsense.",
},
{
issuerName: "MBIxEDAOBgNVBAMMB1Rlc3QgQ0E=",
serialNumber: "a0X7/7DlTaedpgrIJg25iBPOkIM=",
},
// ... and some good
// In this case, the issuer name and the valid serialNumber correspond
// to other-test-ca.pem in bad_certs/ (for testing root revocation)
{
issuerName: "MBgxFjAUBgNVBAMMDU90aGVyIHRlc3QgQ0E=",
serialNumber: "Rym6o+VN9xgZXT/QLrvN/nv1ZN4=",
},
// These items correspond to an entry in sample_revocations.txt where:
// isser name is the base-64 encoded subject DN for the shared Test
// Intermediate and the serialNumbers are base-64 encoded 78 and 31,
// respectively.
// We need this to ensure that existing items are retained if they're
// also in the blocklist
{
issuerName: "MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl",
serialNumber: "Tg==",
},
{
issuerName: "MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl",
serialNumber: "Hw==",
},
// This item revokes same-issuer-ee.pem by subject and pubKeyHash.
{
subject: "MCIxIDAeBgNVBAMMF0Fub3RoZXIgVGVzdCBFbmQtZW50aXR5",
pubKeyHash: "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=",
},
];
function verify_cert(file, expectedError) {
let ee = constructCertFromFile(file);
return checkCertErrorGeneric(
certDB,
ee,
expectedError,
certificateUsageSSLServer
);
}
// The certificate blocklist currently only applies to TLS server certificates.
async function verify_non_tls_usage_succeeds(file) {
let ee = constructCertFromFile(file);
await checkCertErrorGeneric(
certDB,
ee,
PRErrorCodeSuccess,
certificateUsageSSLClient
);
await checkCertErrorGeneric(
certDB,
ee,
PRErrorCodeSuccess,
certificateUsageEmailSigner
);
await checkCertErrorGeneric(
certDB,
ee,
PRErrorCodeSuccess,
certificateUsageEmailRecipient
);
}
function load_cert(cert, trust) {
let file = "bad_certs/" + cert + ".pem";
addCertFromFile(certDB, file, trust);
}
async function update_blocklist() {
const { OneCRLBlocklistClient } = RemoteSecuritySettings.init();
const fakeEvent = {
current: certBlocklist, // with old .txt revocations.
deleted: [],
created: certBlocklist, // with new cert storage.
updated: [],
};
await OneCRLBlocklistClient.emit("sync", { data: fakeEvent });
// Save the last check timestamp, used by cert_storage to assert
// if the blocklist is «fresh».
Services.prefs.setIntPref(
OneCRLBlocklistClient.lastCheckTimePref,
Math.floor(Date.now() / 1000)
);
}
function run_test() {
// import the certificates we need
load_cert("test-ca", "CTu,CTu,CTu");
load_cert("test-int", ",,");
load_cert("other-test-ca", "CTu,CTu,CTu");
add_task(async function () {
// check some existing items in revocations.txt are blocked.
// This test corresponds to:
// issuer: MBIxEDAOBgNVBAMMB1Rlc3QgQ0E= (CN=Test CA)
// serial: Kg== (42)
let file = "test_onecrl/ee-revoked-by-revocations-txt.pem";
await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
// This test corresponds to:
// issuer: MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl (CN=Test Intermediate)
// serial: Tg== (78)
file = "test_onecrl/another-ee-revoked-by-revocations-txt.pem";
await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
// And this test corresponds to:
// issuer: MBwxGjAYBgNVBAMMEVRlc3QgSW50ZXJtZWRpYXRl (CN=Test Intermediate)
// serial: Hw== (31)
// (we test this issuer twice to ensure we can read multiple serials)
file = "test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem";
await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
// Test that a certificate revoked by subject and public key hash in
// revocations.txt is revoked
// subject: MCsxKTAnBgNVBAMMIEVFIFJldm9rZWQgQnkgU3ViamVjdCBhbmQgUHViS2V5
// (CN=EE Revoked By Subject and PubKey)
// pubkeyhash: VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8= (this is the
// shared RSA SPKI)
file = "test_onecrl/ee-revoked-by-subject-and-pubkey.pem";
await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
// Soon we'll load a blocklist which revokes test-int.pem, which issued
// test-int-ee.pem.
// Check the cert validates before we load the blocklist
file = "test_onecrl/test-int-ee.pem";
await verify_cert(file, PRErrorCodeSuccess);
// The blocklist also revokes other-test-ca.pem, which issued
// other-ca-ee.pem. Check the cert validates before we load the blocklist
file = "bad_certs/other-issuer-ee.pem";
await verify_cert(file, PRErrorCodeSuccess);
// The blocklist will revoke same-issuer-ee.pem via subject / pubKeyHash.
// Check the cert validates before we load the blocklist
file = "test_onecrl/same-issuer-ee.pem";
await verify_cert(file, PRErrorCodeSuccess);
});
// blocklist load is async so we must use add_test from here
add_task(update_blocklist);
add_task(async function () {
// The blocklist will be loaded now. Let's check the data is sane.
// In particular, we should still have the revoked issuer / serial pair
// that was in revocations.txt but not the blocklist.
let file = "test_onecrl/ee-revoked-by-revocations-txt.pem";
await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
// We should also still have the revoked issuer / serial pairs that were in
// revocations.txt and are also in the blocklist.
file = "test_onecrl/another-ee-revoked-by-revocations-txt.pem";
await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
file = "test_onecrl/another-ee-revoked-by-revocations-txt-serial-2.pem";
await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
// The cert revoked by subject and pubkeyhash should still be revoked.
file = "test_onecrl/ee-revoked-by-subject-and-pubkey.pem";
await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
// Check the blocklisted intermediate now causes a failure
file = "test_onecrl/test-int-ee.pem";
await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
await verify_non_tls_usage_succeeds(file);
// Check the ee with the blocklisted root also causes a failure
file = "bad_certs/other-issuer-ee.pem";
await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
await verify_non_tls_usage_succeeds(file);
// Check the ee blocked by subject / pubKey causes a failure
file = "test_onecrl/same-issuer-ee.pem";
await verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
await verify_non_tls_usage_succeeds(file);
// Check a non-blocklisted chain still validates OK
file = "bad_certs/default-ee.pem";
await verify_cert(file, PRErrorCodeSuccess);
// Check a bad cert is still bad (unknown issuer)
file = "bad_certs/unknownissuer.pem";
await verify_cert(file, SEC_ERROR_UNKNOWN_ISSUER);
});
run_next_test();
}