Source code

Revision control

Copy as Markdown

Other Tools

Test Info: Warnings

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
"use strict";
do_get_profile();
const certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
Ci.nsIX509CertDB
);
add_tls_server_setup(
"SanctionsTestServer",
"test_sanctions",
/* Don't try to load non-existent test-ca.pem */ false
);
addCertFromFile(certDB, "test_sanctions/symantec-test-ca.pem", "CTu,u,u");
// Add the necessary intermediates. This is important because the test server,
// though it will attempt to send along an intermediate, isn't able to reliably
// pick between the intermediate-other-crossigned and intermediate-other.
add_test(function () {
addCertFromFile(
certDB,
"test_sanctions/symantec-intermediate-allowlisted.pem",
",,"
);
addCertFromFile(
certDB,
"test_sanctions/symantec-intermediate-other.pem",
",,"
);
run_next_test();
});
add_connection_test(
"symantec-not-allowlisted-before-cutoff.example.com",
MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
null,
null
);
add_connection_test(
"symantec-not-allowlisted-after-cutoff.example.com",
MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
null,
null
);
// Add a cross-signed intermediate into the database, and ensure we still get
// the expected error.
add_test(function () {
addCertFromFile(
certDB,
"test_sanctions/symantec-intermediate-other-crossigned.pem",
",,"
);
run_next_test();
});
add_connection_test(
"symantec-not-allowlisted-before-cutoff.example.com",
MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED,
null,
null
);
// Load the Apple EE cert and its intermediate, then verify
// it at a reasonable time and make sure the allowlists work
add_task(async function () {
addCertFromFile(
certDB,
"test_sanctions/apple-ist-ca-8-g1-intermediate.pem",
",,"
);
let allowlistedCert = constructCertFromFile(
"test_sanctions/cds-apple-com.pem"
);
// Since we don't want to actually try to fetch OCSP for this certificate,
// (as an external fetch is bad in the tests), disable OCSP first.
Services.prefs.setIntPref("security.OCSP.enabled", 0);
// (new Date("2020-01-01")).getTime() / 1000
const VALIDATION_TIME = 1577836800;
await checkCertErrorGenericAtTime(
certDB,
allowlistedCert,
PRErrorCodeSuccess,
certificateUsageSSLServer,
VALIDATION_TIME
);
});