bug 1313491 - add basic tests that PSM sets the right security state during session resumption r?Cykesiopka,jcj,mgoodwin draft
authorDavid Keeler <dkeeler@mozilla.com>
Tue, 01 Nov 2016 13:47:51 -0700
changeset 435442 9753ebcd2e8549a147ebc6624c4291fe1e91bb28
parent 435441 09375c192c717ae5df73568bb91a7cd7e0e73cbe
child 536316 fff1e087f44cf7a34da2a94b67f4643425654ec4
push id35045
push userdkeeler@mozilla.com
push dateTue, 08 Nov 2016 18:56:48 +0000
reviewersCykesiopka, jcj, mgoodwin
bugs1313491
milestone52.0a1
bug 1313491 - add basic tests that PSM sets the right security state during session resumption r?Cykesiopka,jcj,mgoodwin MozReview-Commit-ID: 3Q265OJyTIO
security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem
security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec
security/manager/ssl/tests/unit/bad_certs/ev-test.pem
security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec
security/manager/ssl/tests/unit/bad_certs/evroot.key
security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec
security/manager/ssl/tests/unit/bad_certs/evroot.pem
security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec
security/manager/ssl/tests/unit/bad_certs/moz.build
security/manager/ssl/tests/unit/test_session_resumption.js
security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp
security/manager/ssl/tests/unit/xpcshell.ini
copy from security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem
copy to security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem
--- a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem
@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDQjCCAiygAwIBAgIUI4h7bIgXBroqPq3r8qcqzWTPiTwwCwYJKoZIhvcNAQEL
+MIIDNzCCAiGgAwIBAgIUdakyQxHEOz8eq2oddSdoUYT0DP0wCwYJKoZIhvcNAQEL
 MBExDzANBgNVBAMMBmV2cm9vdDAiGA8yMDE0MTEyNzAwMDAwMFoYDzIwMTcwMjA0
-MDAwMDAwWjAhMR8wHQYDVQQDDBZhbnlQb2xpY3ktaW50LXBhdGgtaW50MIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuohRqESOFtZB/W62iAY2ED08E9nq
-5DVKtOz1aFdsJHvBxyWo4NgfvbGcBptuGobya+KvWnVramRxCHqlWqdFh/cc1SSc
-An7NQ/weadA4ICmTqyDDSeTbuUzCa2wO7RWCD/F+rWkasdMCOosqQe6ncOAPDY39
-ZgsrsCSSpH25iGF5kLFXkD3SO8XguEgfqDfTiEPvJxbYVbdmWqp+ApAvOnsQgAYk
-zBxsl62WYVu34pYSwHUxowyR3bTK9/ytHSXTCe+5Fw6naOGzey8ib2njtIqVYR3u
-JtYlnauRCE42yxwkBCy/Fosv5fGPmRcxuLP+SSP6clHEMdUDrNoYCjXtjQIDAQAB
-o4GBMH8wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwTwYIKwYBBQUHAQEEQzBB
-MD8GCCsGAQUFBzABhjNodHRwOi8vd3d3LmV4YW1wbGUuY29tOjg4ODgvYW55UG9s
-aWN5LWludC1wYXRoLWludC8wEQYDVR0gBAowCDAGBgRVHSAAMAsGCSqGSIb3DQEB
-CwOCAQEAaar6+lvsKAL6fuKS9b8HOSI1Q6c+7/PDAo+YPVsDyzg4OYpFHfrJqveK
-vmwWSnUngX/V702znW4woDu1ZjXLWpTG4xx87FU7b0BIrL7r1N1twAohOYFUMnjl
-TW7RMjTgMGIgxybQc3N0snwf2SJedUu78xekdLW1/jTiMuIEys/+44tqGzVsFu9j
-XrFxPxNBHVzR8UFGICREeE2nFeOnqj3uQPh1JJszKUlfXbYtjgPFKfbbsPzzGLJ3
-tLmzPZLSeEed/AYvegq00CybA5f6UDY1uMnECekHAWFzv/yhZZsL+hMSGXTctE7+
-C+WTNlFX41Gi6uvck6N8T3ABNVTk8A==
+MDAwMDAwWjAfMR0wGwYDVQQDDBRldi10ZXN0LWludGVybWVkaWF0ZTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALqIUahEjhbWQf1utogGNhA9PBPZ6uQ1
+SrTs9WhXbCR7wcclqODYH72xnAabbhqG8mvir1p1a2pkcQh6pVqnRYf3HNUknAJ+
+zUP8HmnQOCApk6sgw0nk27lMwmtsDu0Vgg/xfq1pGrHTAjqLKkHup3DgDw2N/WYL
+K7AkkqR9uYhheZCxV5A90jvF4LhIH6g304hD7ycW2FW3ZlqqfgKQLzp7EIAGJMwc
+bJetlmFbt+KWEsB1MaMMkd20yvf8rR0l0wnvuRcOp2jhs3svIm9p47SKlWEd7ibW
+JZ2rkQhONsscJAQsvxaLL+Xxj5kXMbiz/kkj+nJRxDHVA6zaGAo17Y0CAwEAAaN5
+MHcwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwRwYIKwYBBQUHAQEEOzA5MDcG
+CCsGAQUFBzABhitodHRwOi8vbG9jYWxob3N0Ojg4ODgvZXYtdGVzdC1pbnRlcm1l
+ZGlhdGUvMBEGA1UdIAQKMAgwBgYEVR0gADALBgkqhkiG9w0BAQsDggEBAEnoeMK3
+VQ18/OA9LzFSlkr8YFLnz/0iL8l2LnftDtcoTckr3Zhyo6HdQDYvWf7Ox1sN3BLB
+PFgQ0bEWSLRUSCTuUjLM+gKR8Dzo5LWY3ZyHh851NRP4o/mwXujr4qlMiCpKMlJi
+itjIIPEID2/oFdf8uujH+q6/Mk038v+Bq0FcfLmpcfmsptCHza1Ryw2lxc3WVvOv
+J+5t6qA1H6xJIVcb0dQwF5doTMV27YDmuLyg2VTKnoF4Fux/glH1v/YXdfxi6WKC
+8L7jeeVMurd3huWLRIoBimOn26e/wMQJAJMOXfwnYU1RULgbwdFCVZUeSNYW4pDY
+4ga6LzbJdLBvb6k=
 -----END CERTIFICATE-----
\ No newline at end of file
copy from security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec
copy to security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec
--- a/security/manager/ssl/tests/unit/test_ev_certs/anyPolicy-int-path-int.pem.certspec
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test-intermediate.pem.certspec
@@ -1,7 +1,7 @@
 issuer:evroot
-subject:anyPolicy-int-path-int
+subject:ev-test-intermediate
 issuerKey:ev
 extension:basicConstraints:cA,
 extension:keyUsage:cRLSign,keyCertSign
-extension:authorityInformationAccess:http://www.example.com:8888/anyPolicy-int-path-int/
+extension:authorityInformationAccess:http://localhost:8888/ev-test-intermediate/
 extension:certificatePolicies:any
copy from security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem
copy to security/manager/ssl/tests/unit/bad_certs/ev-test.pem
--- a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem
@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDVTCCAj+gAwIBAgIULwfe1XYxIxI1GOvu3ZnTqxvVOYYwCwYJKoZIhvcNAQEL
-MBwxGjAYBgNVBAMMEXRlc3Qtb2lkLXBhdGgtaW50MCIYDzIwMTQxMTI3MDAwMDAw
-WhgPMjAxNzAyMDQwMDAwMDBaMBsxGTAXBgNVBAMMEHRlc3Qtb2lkLXBhdGgtZWUw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6iFGoRI4W1kH9braIBjYQ
-PTwT2erkNUq07PVoV2wke8HHJajg2B+9sZwGm24ahvJr4q9adWtqZHEIeqVap0WH
-9xzVJJwCfs1D/B5p0DggKZOrIMNJ5Nu5TMJrbA7tFYIP8X6taRqx0wI6iypB7qdw
-4A8Njf1mCyuwJJKkfbmIYXmQsVeQPdI7xeC4SB+oN9OIQ+8nFthVt2Zaqn4CkC86
-exCABiTMHGyXrZZhW7filhLAdTGjDJHdtMr3/K0dJdMJ77kXDqdo4bN7LyJvaeO0
-ipVhHe4m1iWdq5EITjbLHCQELL8Wiy/l8Y+ZFzG4s/5JI/pyUcQx1QOs2hgKNe2N
-AgMBAAGjgY8wgYwwSQYIKwYBBQUHAQEEPTA7MDkGCCsGAQUFBzABhi1odHRwOi8v
-d3d3LmV4YW1wbGUuY29tOjg4ODgvdGVzdC1vaWQtcGF0aC1lZS8wHwYDVR0gBBgw
-FjAUBhIrBgEEAetJhRqFGoUaAYN0CQEwHgYDVR0RBBcwFYITZXYtdGVzdC5leGFt
-cGxlLmNvbTALBgkqhkiG9w0BAQsDggEBAGBM93ylo+yXjVAr7GHY2/Suvddfd47X
-i+0qQc5Aif2f5okWm7k8BaLdhQYMcLo/D/AZzKcPvO5wUFdiInHPF069ebu8s6qL
-qZ7ybJK7AR/UfkS4Yn+gTdvPUxasFCtorT3tx8aws3Y9NBK0YV2IImgC+wS2Qe37
-XBUF+526UjJ/ooInFnW6Ukf8rdhxMpSOAXzblJCfHMnnkg36m5zSWNH83oTWEGwe
-tWolqulTICNpRA4rqwO7i2BRHkgQrq9lhQS3/rCyGYgeqware7QPSj5S4WXBLM3p
-a7je/NteBTOUVsfngQSz5ETVu3Bj7mgJYmtkCC5ZRVfQmjWsfPyqslE=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 -----END CERTIFICATE-----
\ No newline at end of file
copy from security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec
copy to security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec
--- a/security/manager/ssl/tests/unit/test_ev_certs/test-oid-path-ee.pem.certspec
+++ b/security/manager/ssl/tests/unit/bad_certs/ev-test.pem.certspec
@@ -1,5 +1,5 @@
-issuer:test-oid-path-int
-subject:test-oid-path-ee
-extension:authorityInformationAccess:http://www.example.com:8888/test-oid-path-ee/
+issuer:ev-test-intermediate
+subject:ev-test
+extension:authorityInformationAccess:http://localhost:8888/ev-test/
 extension:certificatePolicies:1.3.6.1.4.1.13769.666.666.666.1.500.9.1
 extension:subjectAlternativeName:ev-test.example.com
copy from security/manager/ssl/tests/unit/test_ev_certs/evroot.key
copy to security/manager/ssl/tests/unit/bad_certs/evroot.key
copy from security/manager/ssl/tests/unit/test_ev_certs/evroot.key.keyspec
copy to security/manager/ssl/tests/unit/bad_certs/evroot.key.keyspec
copy from security/manager/ssl/tests/unit/test_ev_certs/evroot.pem
copy to security/manager/ssl/tests/unit/bad_certs/evroot.pem
copy from security/manager/ssl/tests/unit/test_ev_certs/evroot.pem.certspec
copy to security/manager/ssl/tests/unit/bad_certs/evroot.pem.certspec
--- a/security/manager/ssl/tests/unit/bad_certs/moz.build
+++ b/security/manager/ssl/tests/unit/bad_certs/moz.build
@@ -11,16 +11,19 @@
 #    'beforeEpochINT.pem',
 #    'beforeEpochIssuer.pem',
 #    'ca-used-as-end-entity.pem',
 #    'default-ee.pem',
 #    'eeIssuedByNonCA.pem',
 #    'eeIssuedByV1Cert.pem',
 #    'emptyIssuerName.pem',
 #    'emptyNameCA.pem',
+#    'ev-test-intermediate.pem',
+#    'ev-test.pem',
+#    'evroot.pem',
 #    'expired-ee.pem',
 #    'expiredINT.pem',
 #    'expiredissuer.pem',
 #    'idn-certificate.pem',
 #    'inadequateKeySizeEE.pem',
 #    'inadequatekeyusage-ee.pem',
 #    'ipAddressAsDNSNameInSAN.pem',
 #    'md5signature-expired.pem',
@@ -51,14 +54,15 @@
 #    'v1Cert.pem',
 #)
 #
 #for test_certificate in test_certificates:
 #    GeneratedTestCertificate(test_certificate)
 #
 #test_keys = (
 #    'default-ee.key',
+#    'evroot.key',
 #    'inadequateKeySizeEE.key',
 #    'other-test-ca.key',
 #)
 #
 #for test_key in test_keys:
 #    GeneratedTestKey(test_key)
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_session_resumption.js
@@ -0,0 +1,117 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Tests that PSM makes the correct determination of the security status of
+// loads involving session resumption (i.e. when a TLS handshake bypasses the
+// AuthCertificate callback).
+
+do_get_profile();
+const certdb = Cc["@mozilla.org/security/x509certdb;1"]
+                 .getService(Ci.nsIX509CertDB);
+
+do_register_cleanup(() => {
+  Services.prefs.clearUserPref("security.OCSP.enabled");
+});
+
+Services.prefs.setIntPref("security.OCSP.enabled", 1);
+
+addCertFromFile(certdb, "bad_certs/evroot.pem", "CTu,,");
+addCertFromFile(certdb, "bad_certs/ev-test-intermediate.pem", ",,");
+
+// For expired.example.com, the platform will make a connection that will fail.
+// Using information gathered at that point, an override will be added and
+// another connection will be made. This connection will succeed. At that point,
+// as long as the session cache isn't cleared, subsequent new connections should
+// use session resumption, thereby bypassing the AuthCertificate hook. We need
+// to ensure that the correct security state is propagated to the new connection
+// information object.
+function add_resume_non_ev_with_override_test() {
+  // This adds the override and makes one successful connection.
+  add_cert_override_test("expired.example.com",
+                         Ci.nsICertOverrideService.ERROR_TIME,
+                         SEC_ERROR_EXPIRED_CERTIFICATE);
+
+  // This connects again, using session resumption. Note that we don't clear
+  // the TLS session cache between these operations (that would defeat the
+  // purpose).
+  add_connection_test("expired.example.com", PRErrorCodeSuccess, null,
+    (transportSecurityInfo) => {
+      ok(transportSecurityInfo.securityState &
+         Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,
+         "expired.example.com should have STATE_CERT_USER_OVERRIDDEN flag");
+      let sslStatus = transportSecurityInfo
+                        .QueryInterface(Ci.nsISSLStatusProvider)
+                        .SSLStatus;
+      ok(!sslStatus.isDomainMismatch,
+         "expired.example.com should not have isDomainMismatch set");
+      ok(sslStatus.isNotValidAtThisTime,
+         "expired.example.com should have isNotValidAtThisTime set");
+      ok(!sslStatus.isUntrusted,
+         "expired.example.com should not have isUntrusted set");
+      ok(!sslStatus.isExtendedValidation,
+         "expired.example.com should not have isExtendedValidation set");
+    }
+  );
+}
+
+// Helper function that adds a test that connects to ev-test.example.com and
+// verifies that it validates as EV (or not, if we're running a non-debug
+// build). This assumes that an appropriate OCSP responder is running or that
+// good responses are cached.
+function add_one_ev_test() {
+  add_connection_test("ev-test.example.com", PRErrorCodeSuccess, null,
+    (transportSecurityInfo) => {
+      ok(!(transportSecurityInfo.securityState &
+           Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN),
+         "ev-test.example.com should not have STATE_CERT_USER_OVERRIDDEN flag");
+      let sslStatus = transportSecurityInfo
+                        .QueryInterface(Ci.nsISSLStatusProvider)
+                        .SSLStatus;
+      ok(!sslStatus.isDomainMismatch,
+         "ev-test.example.com should not have isDomainMismatch set");
+      ok(!sslStatus.isNotValidAtThisTime,
+         "ev-test.example.com should not have isNotValidAtThisTime set");
+      ok(!sslStatus.isUntrusted,
+         "ev-test.example.com should not have isUntrusted set");
+      ok(!gEVExpected || sslStatus.isExtendedValidation,
+         "ev-test.example.com should have isExtendedValidation set " +
+         "(or this is a non-debug build)");
+    }
+  );
+}
+
+// This test is similar, except with extended validation. We should connect
+// successfully, and the certificate should be EV in debug builds. Without
+// clearing the session cache, we should connect successfully again, this time
+// with session resumption. The certificate should again be EV in debug builds.
+function add_resume_ev_test() {
+  const SERVER_PORT = 8888;
+  let expectedRequestPaths = gEVExpected ? [ "ev-test-intermediate", "ev-test" ]
+                                         : [ "ev-test" ];
+  let responseTypes = gEVExpected ? [ "good", "good" ] : [ "good" ];
+  // Since we cache OCSP responses, we only ever actually serve one set.
+  let ocspResponder = startOCSPResponder(SERVER_PORT, "localhost", "bad_certs",
+                                         expectedRequestPaths,
+                                         expectedRequestPaths.slice(),
+                                         null, responseTypes);
+  // We should be able to connect and verify the certificate as EV (in debug
+  // builds).
+  add_one_ev_test();
+  // We should be able to connect again (using session resumption). In debug
+  // builds, the certificate should be noted as EV. Again, it's important that
+  // nothing clears the TLS cache in between these two operations.
+  add_one_ev_test();
+
+  add_test(() => {
+    ocspResponder.stop(run_next_test);
+  });
+}
+
+function run_test() {
+  add_tls_server_setup("BadCertServer", "bad_certs");
+  add_resume_non_ev_with_override_test();
+  add_resume_ev_test();
+  run_next_test();
+}
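Review bot: Neither `add_resume_non_ev_with_override_test` nor `add_resume_ev_test` asserts that the second connection actually resumed a TLS session, so every `ok(...)` in the callbacks would also pass after a full handshake that went through the AuthCertificate hook. If the test server stops caching sessions, or something clears the client session cache between the two `add_connection_test` calls, the test stays green while the resumption path goes unexercised. Whether the harness exposes any way to observe resumption is not visible from this hunk. If it does not, record the limitation above `add_resume_ev_test`, for example `// NOTE: this test cannot distinguish a resumed handshake from a full one; it relies on the server keeping its session cache and tickets enabled.`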
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
@@ -71,16 +71,17 @@ const BadCertHost sBadCertHosts[] =
   { "end-entity-issued-by-v1-cert.example.com", "eeIssuedByV1Cert" },
   { "end-entity-issued-by-non-CA.example.com", "eeIssuedByNonCA" },
   { "inadequate-key-size-ee.example.com", "inadequateKeySizeEE" },
   { "badSubjectAltNames.example.com", "badSubjectAltNames" },
   { "ipAddressAsDNSNameInSAN.example.com", "ipAddressAsDNSNameInSAN" },
   { "noValidNames.example.com", "noValidNames" },
   { "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", "idn-certificate" },
   { "emptyissuername.example.com", "emptyIssuerName" },
+  { "ev-test.example.com", "ev-test" },
   { nullptr, nullptr }
 };
 
 int32_t
 DoSNISocketConfigBySubjectCN(PRFileDesc* aFd, const SECItem* aSrvNameArr,
                              uint32_t aSrvNameArrSize)
 {
   for (uint32_t i = 0; i < aSrvNameArrSize; i++) {
--- a/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp
@@ -484,16 +484,19 @@ ConfigSecureServerWithNamedCert(PRFileDe
   if (certOut) {
     *certOut = Move(cert);
   }
 
   if (keaOut) {
     *keaOut = certKEA;
   }
 
+  SSL_OptionSet(fd, SSL_NO_CACHE, false);
+  SSL_OptionSet(fd, SSL_ENABLE_SESSION_TICKETS, true);
+
   return SECSuccess;
 }
 
 int
 StartServer(const char *nssCertDBDir, SSLSNISocketConfig sniSocketConfig,
             void *sniSocketConfigArg)
 {
   const char *debugLevel = PR_GetEnv("MOZ_TLS_SERVER_DEBUG_LEVEL");
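Review bot: Both `SSL_OptionSet` calls added before `return SECSuccess;` discard their return value, so a failure to enable the session cache or session tickets still reports success and the server quietly falls back to full handshakes. The function already returns a SECStatus, so propagate the failure with `if (SSL_OptionSet(fd, SSL_NO_CACHE, false) != SECSuccess) { return SECFailure; }` and the same check for `SSL_ENABLE_SESSION_TICKETS`. Placing these checks ahead of the `certOut`/`keaOut` assignments would avoid handing back out-parameters on a failing call. A one-line comment such as `// Session resumption must work for test_session_resumption.js.` would explain why a test server sets these options. ConfigSecureServerWithNamedCert begins outside the hunk, so its existing error-handling convention is not visible here.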
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -112,16 +112,18 @@ run-sequentially = hardcoded ports
 [test_pinning.js]
 run-sequentially = hardcoded ports
 # This test can take longer than 300 seconds on B2G emulator debug builds, so
 # give it enough time to finish. See bug 1081128.
 requesttimeoutfactor = 2
 [test_pinning_dynamic.js]
 [test_pinning_header_parsing.js]
 [test_sdr.js]
+[test_session_resumption.js]
+run-sequentially = hardcoded ports
 [test_signed_apps.js]
 [test_signed_apps-marketplace.js]
 [test_signed_dir.js]
 tags = addons psm
 [test_sss_eviction.js]
 [test_sss_readstate.js]
 [test_sss_readstate_child.js]
 support-files = sss_readstate_child_worker.js