From 7895e32a5e812b2fe663d12264121e59ae9422a9 Mon Sep 17 00:00:00 2001
From: Wes Kocher
Date: Wed, 25 Mar 2015 14:40:44 -0700
Subject: [PATCH] Backed out changeset 3a38c3d97f44 (bug 996872) on the theory that it somehow broke lots of tests, forcing a prolonged CLOSED TREE

---
 security/manager/ssl/tests/unit/head_psm.js | 40 ++-----
 .../ssl/tests/unit/test_cert_chains.js | 6 +-
 .../ssl/tests/unit/test_cert_overrides.js | 59 ++++-----
 .../ssl/tests/unit/test_client_cert.js | 10 +-
 .../manager/ssl/tests/unit/test_nsCertType.js | 7 +-
 .../ssl/tests/unit/test_ocsp_caching.js | 14 +--
 .../tests/unit/test_ocsp_no_hsts_upgrade.js | 2 +-
 .../ssl/tests/unit/test_ocsp_required.js | 4 +-
 .../ssl/tests/unit/test_ocsp_stapling.js | 113 ++++++++----------
 .../tests/unit/test_ocsp_stapling_expired.js | 42 +++----
 .../test_ocsp_stapling_with_intermediate.js | 3 +-
 .../ssl/tests/unit/test_ocsp_timeout.js | 4 +-
 .../manager/ssl/tests/unit/test_pinning.js | 79 +++++-------
 13 files changed, 166 insertions(+), 217 deletions(-)

diff --git a/security/manager/ssl/tests/unit/head_psm.js b/security/manager/ssl/tests/unit/head_psm.js
index 07562af7c57..ca8bbded1c5 100644
--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -30,10 +30,6 @@ const SEC_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SEC_ERROR_BASE;
 const SSL_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SSL_ERROR_BASE;
 const MOZILLA_PKIX_ERROR_BASE = Ci.nsINSSErrorsService.MOZILLA_PKIX_ERROR_BASE;
-// This isn't really a valid PRErrorCode, but is useful for signalling that
-// a test is expected to succeed.
-const PRErrorCodeSuccess = 0;
-
 // Sort in numerical order
 const SEC_ERROR_INVALID_ARGS = SEC_ERROR_BASE + 5; // -8187
 const SEC_ERROR_INVALID_TIME = SEC_ERROR_BASE + 8;
@@ -220,12 +216,12 @@ function run_test() { add_tls_server_setup(""); add_connection_test(".example.com", - SEC_ERROR_xxx, + getXPCOMStatusFromNSS(SEC_ERROR_xxx), function() { ... }, function(aTransportSecurityInfo) { ... }, function(aTransport) { ... }); [...] - add_connection_test(".example.com", PRErrorCodeSuccess); + add_connection_test(".example.com", Cr.NS_OK); run_next_test(); } @@ -237,25 +233,15 @@ function add_tls_server_setup(serverBinName) { }); } -/** - * Add a TLS connection test case. - * - * @param {String} aHost - * The hostname to pass in the SNI TLS extension; this should unambiguously - * identify which test is being run. - * @param {PRErrorCode} aExpectedResult - * The expected result of the connection. If an error is not expected, pass - * in PRErrorCodeSuccess. - * @param {Function} aBeforeConnect - * A callback function that takes no arguments that will be called before the - * connection is attempted. - * @param {Function} aWithSecurityInfo - * A callback function that takes an nsITransportSecurityInfo, which is called - * after the TLS handshake succeeds. - * @param {Function} aAfterStreamOpen - * A callback function that is called with the nsISocketTransport once the - * output stream is ready. - */ +// Add a TLS connection test case. aHost is the hostname to pass in the SNI TLS +// extension; this should unambiguously identifiy which test is being run. +// aExpectedResult is the expected nsresult of the connection. +// aBeforeConnect is a callback function that takes no arguments that will be +// called before the connection is attempted. +// aWithSecurityInfo is a callback function that takes an +// nsITransportSecurityInfo, which is called after the TLS handshake succeeds. +// aAfterStreamOpen is a callback function that is called with the +// nsISocketTransport once the output stream is ready. function add_connection_test(aHost, aExpectedResult, aBeforeConnect, aWithSecurityInfo, aAfterStreamOpen) { 
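Review bot: The restored header comment on `add_connection_test` misspells "identify" as `identifiy` and folds the parameter documentation into a `//` paragraph that drops the `@param` names and types the JSDoc block carried, which matters here because the unit of `aExpectedResult` is exactly what this backout flips. I would keep the JSDoc form and make the unit explicit on that one tag: `@param {nsresult} aExpectedResult The expected nsresult of the connection; pass Cr.NS_OK for success and convert NSS codes with getXPCOMStatusFromNSS() before passing them.` The body of add_connection_test continues past the end of this hunk.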
@@ -339,9 +325,7 @@ function add_connection_test(aHost, aExpectedResult, } connectTo(aHost).then(function(conn) { do_print("handling " + aHost); - do_check_eq(conn.result, aExpectedResult == PRErrorCodeSuccess - ? Cr.NS_OK - : getXPCOMStatusFromNSS(aExpectedResult)); + do_check_eq(conn.result, aExpectedResult); if (aWithSecurityInfo) { aWithSecurityInfo(conn.transport.securityInfo .QueryInterface(Ci.nsITransportSecurityInfo)); diff --git a/security/manager/ssl/tests/unit/test_cert_chains.js b/security/manager/ssl/tests/unit/test_cert_chains.js index bb6f99b49b4..21017182473 100644 --- a/security/manager/ssl/tests/unit/test_cert_chains.js +++ b/security/manager/ssl/tests/unit/test_cert_chains.js @@ -74,7 +74,7 @@ function run_test() { // Test successful connection (failedCertChain should be null) add_connection_test( // re-use pinning certs (keeler) - "good.include-subdomains.pinning.example.com", PRErrorCodeSuccess, null, + "good.include-subdomains.pinning.example.com", Cr.NS_OK, null, function withSecurityInfo(aTransportSecurityInfo) { aTransportSecurityInfo.QueryInterface(Ci.nsITransportSecurityInfo); test_security_info_serialization(aTransportSecurityInfo, 0); @@ -85,7 +85,7 @@ function run_test() { // Test overrideable connection failure (failedCertChain should be non-null) add_connection_test( "expired.example.com", - SEC_ERROR_EXPIRED_CERTIFICATE, + getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_CERTIFICATE), null, function withSecurityInfo(securityInfo) { securityInfo.QueryInterface(Ci.nsITransportSecurityInfo); @@ -99,7 +99,7 @@ function run_test() { // Test non-overrideable error (failedCertChain should be non-null) add_connection_test( "inadequatekeyusage.example.com", - SEC_ERROR_INADEQUATE_KEY_USAGE, + getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE), null, function withSecurityInfo(securityInfo) { securityInfo.QueryInterface(Ci.nsITransportSecurityInfo); 
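Review bot: `do_check_eq(conn.result, aExpectedResult)` now trusts every caller to have converted its NSS code already, and this same patch shows the two conventions coexisting (in test_cert_overrides.js, `add_non_overridable_test` wraps internally while `add_cert_override_test` expects a pre-wrapped value), so a caller that passes a raw PRErrorCode fails with an unexplained negative number instead of a pointed message. The NSS codes declared in this file are all negative and, as far as I can tell, nsresult values reach JS as non-negative numbers, so a one-line guard before the comparison would make the mistake obvious: `do_check_true(aExpectedResult >= 0, "aExpectedResult must be an nsresult (use getXPCOMStatusFromNSS), not a PRErrorCode");`. The promise callback and the enclosing add_connection_test body begin before this hunk.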
diff --git a/security/manager/ssl/tests/unit/test_cert_overrides.js b/security/manager/ssl/tests/unit/test_cert_overrides.js index 664d4375f90..2244c6299ef 100644 --- a/security/manager/ssl/tests/unit/test_cert_overrides.js +++ b/security/manager/ssl/tests/unit/test_cert_overrides.js @@ -31,12 +31,12 @@ function add_cert_override(aHost, aExpectedBits, aSecurityInfo) { function add_cert_override_test(aHost, aExpectedBits, aExpectedError) { add_connection_test(aHost, aExpectedError, null, add_cert_override.bind(this, aHost, aExpectedBits)); - add_connection_test(aHost, PRErrorCodeSuccess); + add_connection_test(aHost, Cr.NS_OK); } function add_non_overridable_test(aHost, aExpectedError) { add_connection_test( - aHost, aExpectedError, null, + aHost, getXPCOMStatusFromNSS(aExpectedError), null, function (securityInfo) { // bug 754369 - no SSLStatus probably means this is a non-overridable // error, which is what we're testing (although it would be best to test 
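Review bot: `add_cert_override_test` and `add_non_overridable_test` both name their last parameter `aExpectedError`, but after this change the first passes it straight through as an nsresult while the second converts a raw NSS code itself (the restored `getXPCOMStatusFromNSS(aExpectedError)` line), and the call sites below this hunk mix the two accordingly. Either convert in both helpers so callers always pass NSS codes, or rename the parameter to say what it takes. At minimum, document it at each helper: `// aExpectedError: an nsresult (wrap NSS codes with getXPCOMStatusFromNSS)` on add_cert_override_test and `// aExpectedError: a raw NSS PRErrorCode; converted here` on add_non_overridable_test.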
@@ -103,41 +103,44 @@ function run_test() { function add_simple_tests() { add_cert_override_test("expired.example.com", Ci.nsICertOverrideService.ERROR_TIME, - SEC_ERROR_EXPIRED_CERTIFICATE); + getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_CERTIFICATE)); add_cert_override_test("notyetvalid.example.com", Ci.nsICertOverrideService.ERROR_TIME, - MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE); + getXPCOMStatusFromNSS( + MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE)); add_cert_override_test("before-epoch.example.com", Ci.nsICertOverrideService.ERROR_TIME, - SEC_ERROR_INVALID_TIME); + getXPCOMStatusFromNSS(SEC_ERROR_INVALID_TIME)); add_cert_override_test("selfsigned.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, - SEC_ERROR_UNKNOWN_ISSUER); + getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); add_cert_override_test("unknownissuer.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, - SEC_ERROR_UNKNOWN_ISSUER); + getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); add_cert_override_test("expiredissuer.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, - SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE); + getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE)); add_cert_override_test("notyetvalidissuer.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, - MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE); + getXPCOMStatusFromNSS( + MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE)); add_cert_override_test("before-epoch-issuer.example.com", Ci.nsICertOverrideService.ERROR_TIME, - SEC_ERROR_INVALID_TIME); + getXPCOMStatusFromNSS(SEC_ERROR_INVALID_TIME)); add_cert_override_test("md5signature.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, - SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); + getXPCOMStatusFromNSS( + SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)); add_cert_override_test("mismatch.example.com", Ci.nsICertOverrideService.ERROR_MISMATCH, - SSL_ERROR_BAD_CERT_DOMAIN); + getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN)); // A Microsoft IIS 
utility generates self-signed certificates with // properties similar to the one this "host" will present (see // tlsserver/generate_certs.sh). add_cert_override_test("selfsigned-inadequateEKU.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, - SEC_ERROR_UNKNOWN_ISSUER); + getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); add_non_overridable_test("inadequatekeyusage.example.com", SEC_ERROR_INADEQUATE_KEY_USAGE); @@ -163,17 +166,17 @@ function add_simple_tests() { // is a scenario in which an override is allowed. add_cert_override_test("self-signed-end-entity-with-cA-true.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, - SEC_ERROR_UNKNOWN_ISSUER); + getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); add_cert_override_test("ca-used-as-end-entity.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, - MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY); + getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY)); // If an X.509 version 1 certificate is not a trust anchor, we will // encounter an overridable error. add_cert_override_test("end-entity-issued-by-v1-cert.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, - MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA); + getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA)); // If we make that certificate a trust anchor, the connection will succeed. add_test(function() { certOverrideService.clearValidityOverride("end-entity-issued-by-v1-cert.example.com", 8443); @@ -182,8 +185,7 @@ function add_simple_tests() { clearSessionCache(); run_next_test(); }); - add_connection_test("end-entity-issued-by-v1-cert.example.com", - PRErrorCodeSuccess); + add_connection_test("end-entity-issued-by-v1-cert.example.com", Cr.NS_OK); // Reset the trust for that certificate. add_test(function() { let v1Cert = constructCertFromFile("tlsserver/v1Cert.der"); 
@@ -196,50 +198,51 @@ function add_simple_tests() { // certificates that are not valid CAs. add_cert_override_test("end-entity-issued-by-non-CA.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, - SEC_ERROR_CA_CERT_INVALID); + getXPCOMStatusFromNSS(SEC_ERROR_CA_CERT_INVALID)); add_cert_override_test("inadequate-key-size-ee.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, - MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE); + getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE)); } function add_combo_tests() { add_cert_override_test("mismatch-expired.example.com", Ci.nsICertOverrideService.ERROR_MISMATCH | Ci.nsICertOverrideService.ERROR_TIME, - SSL_ERROR_BAD_CERT_DOMAIN); + getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN)); add_cert_override_test("mismatch-notYetValid.example.com", Ci.nsICertOverrideService.ERROR_MISMATCH | Ci.nsICertOverrideService.ERROR_TIME, - SSL_ERROR_BAD_CERT_DOMAIN); + getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN)); add_cert_override_test("mismatch-untrusted.example.com", Ci.nsICertOverrideService.ERROR_MISMATCH | Ci.nsICertOverrideService.ERROR_UNTRUSTED, - SEC_ERROR_UNKNOWN_ISSUER); + getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); add_cert_override_test("untrusted-expired.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED | Ci.nsICertOverrideService.ERROR_TIME, - SEC_ERROR_UNKNOWN_ISSUER); + getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); add_cert_override_test("mismatch-untrusted-expired.example.com", Ci.nsICertOverrideService.ERROR_MISMATCH | Ci.nsICertOverrideService.ERROR_UNTRUSTED | Ci.nsICertOverrideService.ERROR_TIME, - SEC_ERROR_UNKNOWN_ISSUER); + getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER)); add_cert_override_test("md5signature-expired.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED | Ci.nsICertOverrideService.ERROR_TIME, - SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); + getXPCOMStatusFromNSS( + SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)); 
add_cert_override_test("ca-used-as-end-entity-name-mismatch.example.com", Ci.nsICertOverrideService.ERROR_MISMATCH | Ci.nsICertOverrideService.ERROR_UNTRUSTED, - MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY); + getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY)); } function add_distrust_tests() { // Before we specifically distrust this certificate, it should be trusted. - add_connection_test("untrusted.example.com", PRErrorCodeSuccess); + add_connection_test("untrusted.example.com", Cr.NS_OK); add_distrust_test("tlsserver/default-ee.der", "untrusted.example.com", SEC_ERROR_UNTRUSTED_CERT); diff --git a/security/manager/ssl/tests/unit/test_client_cert.js b/security/manager/ssl/tests/unit/test_client_cert.js index 6a8d3d006f5..e7d51fe7c87 100644 --- a/security/manager/ssl/tests/unit/test_client_cert.js +++ b/security/manager/ssl/tests/unit/test_client_cert.js @@ -43,10 +43,10 @@ function run_test() { add_tls_server_setup("ClientAuthServer"); - add_connection_test("noclientauth.example.com", PRErrorCodeSuccess); + add_connection_test("noclientauth.example.com", Cr.NS_OK); - add_connection_test("requestclientauth.example.com", PRErrorCodeSuccess); - add_connection_test("requestclientauth.example.com", PRErrorCodeSuccess, + add_connection_test("requestclientauth.example.com", Cr.NS_OK); + add_connection_test("requestclientauth.example.com", Cr.NS_OK, null, null, transport => { do_print("Setting client cert on transport"); let sslSocketControl = transport.securityInfo @@ -55,8 +55,8 @@ function run_test() { }); add_connection_test("requireclientauth.example.com", - SSL_ERROR_BAD_CERT_ALERT); - add_connection_test("requireclientauth.example.com", PRErrorCodeSuccess, + getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_ALERT)); + add_connection_test("requireclientauth.example.com", Cr.NS_OK, null, null, transport => { do_print("Setting client cert on transport"); let sslSocketControl = 
diff --git a/security/manager/ssl/tests/unit/test_nsCertType.js b/security/manager/ssl/tests/unit/test_nsCertType.js index 3e1a07c223b..5e9e09ef582 100644 --- a/security/manager/ssl/tests/unit/test_nsCertType.js +++ b/security/manager/ssl/tests/unit/test_nsCertType.js @@ -19,10 +19,9 @@ function run_test() { do_get_profile(); add_tls_server_setup("BadCertServer"); - add_connection_test("nsCertTypeNotCritical.example.com", PRErrorCodeSuccess); - add_connection_test("nsCertTypeCriticalWithExtKeyUsage.example.com", - PRErrorCodeSuccess); + add_connection_test("nsCertTypeNotCritical.example.com", Cr.NS_OK); + add_connection_test("nsCertTypeCriticalWithExtKeyUsage.example.com", Cr.NS_OK); add_connection_test("nsCertTypeCritical.example.com", - SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION); + getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION)); run_next_test(); } diff --git a/security/manager/ssl/tests/unit/test_ocsp_caching.js b/security/manager/ssl/tests/unit/test_ocsp_caching.js index ec46594c21c..4a9a03cdfa4 100644 --- a/security/manager/ssl/tests/unit/test_ocsp_caching.js +++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js @@ -53,14 +53,14 @@ function add_tests() { // Get an Unknown response for the *.exmaple.com cert and put it in the // OCSP cache. add_connection_test("ocsp-stapling-unknown.example.com", - SEC_ERROR_OCSP_UNKNOWN_CERT, + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), clearSessionCache); add_test(function() { do_check_eq(gFetchCount, 0); run_next_test(); }); // A failure to retrieve an OCSP response must result in the cached Unkown // response being recognized and honored. add_connection_test("ocsp-stapling-none.example.com", - SEC_ERROR_OCSP_UNKNOWN_CERT, + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), clearSessionCache); add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); }); 
@@ -81,14 +81,14 @@ function add_tests() { gGoodOCSPResponse = generateGoodOCSPResponse(); run_next_test(); }); - add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess, + add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK, clearSessionCache); add_test(function() { do_check_eq(gFetchCount, 2); run_next_test(); }); // The Good response retrieved from the previous fetch must have replaced // the Unknown response in the cache, resulting in the catched Good response // being returned and no fetch. - add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess, + add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK, clearSessionCache); add_test(function() { do_check_eq(gFetchCount, 2); run_next_test(); }); @@ -100,19 +100,19 @@ function add_tests() { // A failure to retrieve an OCSP response will result in an error entry being // added to the cache. - add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess, + add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK, clearSessionCache); add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); }); // The error entry will prevent a fetch from happening for a while. - add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess, + add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK, clearSessionCache); add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); }); // The error entry must not prevent a stapled OCSP response from being // honored. add_connection_test("ocsp-stapling-revoked.example.com", - SEC_ERROR_REVOKED_CERTIFICATE, + getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), clearSessionCache); add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); }); diff --git a/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js b/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js index 8560d3c2670..a1b571f338c 100644 
--- a/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js +++ b/security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js @@ -34,7 +34,7 @@ function run_test() { // (as added in the setup of this test, below), a buggy implementation would // upgrade the OCSP request to HTTPS. We specifically prevent this. This // test demonstrates that our implementation is correct in this regard. - add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess); + add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK); add_test(function () { run_next_test(); }); add_test(function () { ocspResponder.stop(run_next_test); }); diff --git a/security/manager/ssl/tests/unit/test_ocsp_required.js b/security/manager/ssl/tests/unit/test_ocsp_required.js index 6d0d8527765..e0b7fbf6d1d 100644 --- a/security/manager/ssl/tests/unit/test_ocsp_required.js +++ b/security/manager/ssl/tests/unit/test_ocsp_required.js @@ -42,9 +42,9 @@ function run_test() { function add_tests() { add_connection_test("ocsp-stapling-none.example.com", - SEC_ERROR_OCSP_BAD_SIGNATURE); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE)); add_connection_test("ocsp-stapling-none.example.com", - SEC_ERROR_OCSP_BAD_SIGNATURE); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE)); add_test(function () { do_check_eq(gOCSPRequestCount, 1); gOCSPRequestCount = 0; diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling.js b/security/manager/ssl/tests/unit/test_ocsp_stapling.js index 97b3915d384..7b1d99c7be1 100644 --- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js +++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js 
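Review bot: The only assertion on the restored line is that the connection yields `Cr.NS_OK`, while the comment above says the test demonstrates the OCSP request is not upgraded to HTTPS; unless the responder set up outside this hunk fails the test when it is not reached over plain HTTP, or OCSP hard-fail is enabled there, a successful handshake does not by itself show the fetch happened, because a failed fetch is soft-fail by default and would also end in NS_OK. I would have the responder handler bump a counter and assert it after the connection, the way test_ocsp_required.js checks `gOCSPRequestCount`, so that a silently dropped or upgraded request is caught. If the setup already does that, a short comment on this line saying so would keep the next reader from wondering.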
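Review bot: The two back-to-back connections to `ocsp-stapling-none.example.com` both expecting `SEC_ERROR_OCSP_BAD_SIGNATURE`, followed by `do_check_eq(gOCSPRequestCount, 1)`, read as a copy-paste until one notices the counter: the second handshake must fail without a second fetch, which is presumably the point — a bad-signature response is cached and keeps failing in OCSP-required mode rather than being re-requested (the pref setup is outside this hunk). A one-line comment above the second call would spare the next reader the puzzle: `// Same host again: the bad response is cached, so this must fail without a second fetch.`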
@@ -23,48 +23,31 @@ function add_ocsp_test(aHost, aExpectedResult, aStaplingEnabled) { function add_tests(certDB, otherTestCA) { // In the absence of OCSP stapling, these should actually all work. - add_ocsp_test("ocsp-stapling-good.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-revoked.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-good-other-ca.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-malformed.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-srverr.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-trylater.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-needssig.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-unauthorized.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-unknown.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-good-other.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-none.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-expired.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-critical-extension.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-empty-extensions.example.com", - PRErrorCodeSuccess, false); + add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, false); + add_ocsp_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false); + add_ocsp_test("ocsp-stapling-good-other-ca.example.com", Cr.NS_OK, false); + add_ocsp_test("ocsp-stapling-malformed.example.com", Cr.NS_OK, false); + 
add_ocsp_test("ocsp-stapling-srverr.example.com", Cr.NS_OK, false); + add_ocsp_test("ocsp-stapling-trylater.example.com", Cr.NS_OK, false); + add_ocsp_test("ocsp-stapling-needssig.example.com", Cr.NS_OK, false); + add_ocsp_test("ocsp-stapling-unauthorized.example.com", Cr.NS_OK, false); + add_ocsp_test("ocsp-stapling-unknown.example.com", Cr.NS_OK, false); + add_ocsp_test("ocsp-stapling-good-other.example.com", Cr.NS_OK, false); + add_ocsp_test("ocsp-stapling-none.example.com", Cr.NS_OK, false); + add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK, false); + add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK, false); + add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com", Cr.NS_OK, false); + add_ocsp_test("ocsp-stapling-critical-extension.example.com", Cr.NS_OK, false); + add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", Cr.NS_OK, false); + add_ocsp_test("ocsp-stapling-empty-extensions.example.com", Cr.NS_OK, false); // Now test OCSP stapling // The following error codes are defined in security/nss/lib/util/SECerrs.h - add_ocsp_test("ocsp-stapling-good.example.com", PRErrorCodeSuccess, true); + add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, true); add_ocsp_test("ocsp-stapling-revoked.example.com", - SEC_ERROR_REVOKED_CERTIFICATE, true); + getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), true); // SEC_ERROR_OCSP_INVALID_SIGNING_CERT vs SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE // depends on whether the CA that signed the response is a trusted CA @@ -79,7 +62,7 @@ function add_tests(certDB, otherTestCA) { run_next_test(); }); add_ocsp_test("ocsp-stapling-good-other-ca.example.com", - SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true); // The stapled response is from a CA that is trusted but did not issue the // server's certificate. 
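Review bot: The comment "In the absence of OCSP stapling, these should actually all work" does not say why `ocsp-stapling-revoked.example.com` is expected to succeed with stapling disabled; presumably the revoked status exists only in the response the test server staples and the certificate itself is ordinary, so the client never sees it — I cannot confirm that from this hunk and it is worth stating, since a reader may otherwise take the line as revocation being ignored. I would extend the comment: `// (the Revoked/Unknown statuses below live only in the stapled responses, so without stapling they are never seen)`. As a style point, the restored single-line calls such as `add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", Cr.NS_OK, false);` run past 80 columns, which the wrapped form they replace stayed within.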
@@ -91,29 +74,31 @@ function add_tests(certDB, otherTestCA) { // TODO(bug 979055): When using ByName instead of ByKey, the error here is // SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE. We should be testing both cases. add_ocsp_test("ocsp-stapling-good-other-ca.example.com", - SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), + true); // TODO: Test the case where the signing cert can't be found at all, which // will result in SEC_ERROR_BAD_DATABASE in the NSS classic case. add_ocsp_test("ocsp-stapling-malformed.example.com", - SEC_ERROR_OCSP_MALFORMED_REQUEST, true); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_REQUEST), true); add_ocsp_test("ocsp-stapling-srverr.example.com", - SEC_ERROR_OCSP_SERVER_ERROR, true); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_SERVER_ERROR), true); add_ocsp_test("ocsp-stapling-trylater.example.com", - SEC_ERROR_OCSP_TRY_SERVER_LATER, true); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_TRY_SERVER_LATER), true); add_ocsp_test("ocsp-stapling-needssig.example.com", - SEC_ERROR_OCSP_REQUEST_NEEDS_SIG, true); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG), true); add_ocsp_test("ocsp-stapling-unauthorized.example.com", - SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST, true); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST), + true); add_ocsp_test("ocsp-stapling-unknown.example.com", - SEC_ERROR_OCSP_UNKNOWN_CERT, true); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true); add_ocsp_test("ocsp-stapling-good-other.example.com", - SEC_ERROR_OCSP_UNKNOWN_CERT, true); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true); // If the server doesn't staple an OCSP response, we continue as normal // (this means that even though stapling is enabled, we expect an OCSP // request). - add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess, + add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK, function() { gExpectOCSPRequest = true; clearOCSPCache(); 
@@ -122,35 +107,32 @@ function add_tests(certDB, otherTestCA) { } ); add_ocsp_test("ocsp-stapling-empty.example.com", - SEC_ERROR_OCSP_MALFORMED_RESPONSE, true); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true); add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com", - SEC_ERROR_OCSP_MALFORMED_RESPONSE, true); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true); add_ocsp_test("ocsp-stapling-critical-extension.example.com", - SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION, true); - add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", - PRErrorCodeSuccess, true); + getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION), + true); + add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", Cr.NS_OK, true); // TODO(bug 997994): Disallow empty Extensions in responses - add_ocsp_test("ocsp-stapling-empty-extensions.example.com", - PRErrorCodeSuccess, true); + add_ocsp_test("ocsp-stapling-empty-extensions.example.com", Cr.NS_OK, true); - add_ocsp_test("ocsp-stapling-delegated-included.example.com", - PRErrorCodeSuccess, true); - add_ocsp_test("ocsp-stapling-delegated-included-last.example.com", - PRErrorCodeSuccess, true); + add_ocsp_test("ocsp-stapling-delegated-included.example.com", Cr.NS_OK, true); + add_ocsp_test("ocsp-stapling-delegated-included-last.example.com", Cr.NS_OK, true); add_ocsp_test("ocsp-stapling-delegated-missing.example.com", - SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true); add_ocsp_test("ocsp-stapling-delegated-missing-multiple.example.com", - SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true); add_ocsp_test("ocsp-stapling-delegated-no-extKeyUsage.example.com", - SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true); add_ocsp_test("ocsp-stapling-delegated-from-intermediate.example.com", - 
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true); add_ocsp_test("ocsp-stapling-delegated-keyUsage-crlSigning.example.com", - SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true); add_ocsp_test("ocsp-stapling-delegated-wrong-extKeyUsage.example.com", - SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true); // ocsp-stapling-expired.example.com and // ocsp-stapling-expired-fresh-ca.example.com are handled in @@ -159,10 +141,11 @@ function add_tests(certDB, otherTestCA) { // Check that OCSP responder certificates with key sizes below 1024 bits are // rejected, even when the main certificate chain keys are at least 1024 bits. add_ocsp_test("keysize-ocsp-delegated.example.com", - SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); + getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), + true); add_ocsp_test("revoked-ca-cert-used-as-end-entity.example.com", - SEC_ERROR_REVOKED_CERTIFICATE, true); + getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), true); } function check_ocsp_stapling_telemetry() { diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js index 0065dc43240..8db4748be0e 100644 --- a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js +++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js 
@@ -70,81 +70,81 @@ function run_test() {
   // For ocsp-stapling-expired-fresh-ca.example.com, the OCSP stapling
   // server staples an OCSP response with a recent signature but with an
   // out-of-date validity period. The certificate has not expired.
-  add_ocsp_test("ocsp-stapling-expired.example.com", PRErrorCodeSuccess,
+  add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK,
                 ocspResponseGood);
-  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", PRErrorCodeSuccess,
+  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
                 ocspResponseGood);
   // if we can't fetch a more recent response when
   // given an expired stapled response, we terminate the connection.
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                SEC_ERROR_OCSP_OLD_RESPONSE,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
                 expiredOCSPResponseGood);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
-                SEC_ERROR_OCSP_OLD_RESPONSE,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
                 expiredOCSPResponseGood);
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                SEC_ERROR_OCSP_OLD_RESPONSE,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
                 oldValidityPeriodOCSPResponseGood);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
-                SEC_ERROR_OCSP_OLD_RESPONSE,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
                 oldValidityPeriodOCSPResponseGood);
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                SEC_ERROR_OCSP_OLD_RESPONSE,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
                 null);
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                SEC_ERROR_OCSP_OLD_RESPONSE,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
                 null);
   // Of course, if the newer response indicates Revoked or Unknown,
   // that status must be returned.
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                SEC_ERROR_REVOKED_CERTIFICATE,
+                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
                 ocspResponseRevoked);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
-                SEC_ERROR_REVOKED_CERTIFICATE,
+                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
                 ocspResponseRevoked);
   add_ocsp_test("ocsp-stapling-expired.example.com",
-                SEC_ERROR_OCSP_UNKNOWN_CERT,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
                 ocspResponseUnknown);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
-                SEC_ERROR_OCSP_UNKNOWN_CERT,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
                 ocspResponseUnknown);
   // If the response is expired but indicates Revoked or Unknown and a
   // newer status can't be fetched, the Revoked or Unknown status will
   // be returned.
   add_ocsp_test("ocsp-stapling-revoked-old.example.com",
-                SEC_ERROR_REVOKED_CERTIFICATE,
+                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
                 null);
   add_ocsp_test("ocsp-stapling-unknown-old.example.com",
-                SEC_ERROR_OCSP_UNKNOWN_CERT,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
                 null);
   // If the response is expired but indicates Revoked or Unknown and
   // a newer status can be fetched and successfully verified, this
   // should result in a successful certificate verification.
-  add_ocsp_test("ocsp-stapling-revoked-old.example.com", PRErrorCodeSuccess,
+  add_ocsp_test("ocsp-stapling-revoked-old.example.com", Cr.NS_OK,
                 ocspResponseGood);
-  add_ocsp_test("ocsp-stapling-unknown-old.example.com", PRErrorCodeSuccess,
+  add_ocsp_test("ocsp-stapling-unknown-old.example.com", Cr.NS_OK,
                 ocspResponseGood);
   // If a newer status can be fetched but it fails to verify, the
   // Revoked or Unknown status of the expired stapled response
   // should be returned.
   add_ocsp_test("ocsp-stapling-revoked-old.example.com",
-                SEC_ERROR_REVOKED_CERTIFICATE,
+                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
                 expiredOCSPResponseGood);
   add_ocsp_test("ocsp-stapling-unknown-old.example.com",
-                SEC_ERROR_OCSP_UNKNOWN_CERT,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
                 expiredOCSPResponseGood);
   // These tests are verifying that an valid but very old response
   // is rejected as a valid stapled response, requiring a fetch
   // from the ocsp responder.
-  add_ocsp_test("ocsp-stapling-ancient-valid.example.com", PRErrorCodeSuccess,
+  add_ocsp_test("ocsp-stapling-ancient-valid.example.com", Cr.NS_OK,
                 ocspResponseGood);
   add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
-                SEC_ERROR_REVOKED_CERTIFICATE,
+                getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
                 ocspResponseRevoked);
   add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
-                SEC_ERROR_OCSP_UNKNOWN_CERT,
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
                 ocspResponseUnknown);
   add_test(function () { ocspResponder.stop(run_next_test); });
diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
index 82cc08cc517..beed9c2285f 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
@@ -33,8 +33,7 @@ function run_test() {
   add_tls_server_setup("OCSPStaplingServer");
-  add_ocsp_test("ocsp-stapling-with-intermediate.example.com",
-                PRErrorCodeSuccess);
+  add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK);
   add_test(function () { ocspResponder.stop(run_next_test); });
   add_test(function() {
diff --git a/security/manager/ssl/tests/unit/test_ocsp_timeout.js b/security/manager/ssl/tests/unit/test_ocsp_timeout.js
index 9ed1de85470..80e4fa1a777 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_timeout.js
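Review bot: The two consecutive `add_ocsp_test("ocsp-stapling-expired.example.com", getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE), null);` calls near the top of this hunk are identical, whereas every other scenario in the file is run once for `ocsp-stapling-expired.example.com` and once for `ocsp-stapling-expired-fresh-ca.example.com`; the second call was presumably meant to use the fresh-ca host, so the "stapled response expired and responder unreachable" fail-closed path is never exercised for a chain whose CA signature is fresh. This predates the backout, but it is worth a follow-up that changes the second call's host to `"ocsp-stapling-expired-fresh-ca.example.com"`. The comment `// These tests are verifying that an valid but very old response` should also read `a valid`. run_test() begins before this hunk.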
+++ b/security/manager/ssl/tests/unit/test_ocsp_timeout.js
@@ -50,8 +50,8 @@ function add_tests_in_mode(useHardFail) {
   });
   add_connection_test("ocsp-stapling-none.example.com", useHardFail
-                      ? SEC_ERROR_OCSP_SERVER_ERROR
-                      : PRErrorCodeSuccess, clearSessionCache);
+                      ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_SERVER_ERROR)
+                      : Cr.NS_OK, clearSessionCache);
   // Reset state
   add_test(function() {
diff --git a/security/manager/ssl/tests/unit/test_pinning.js b/security/manager/ssl/tests/unit/test_pinning.js
index b1ec1d693b8..0d02177bb4d 100644
--- a/security/manager/ssl/tests/unit/test_pinning.js
+++ b/security/manager/ssl/tests/unit/test_pinning.js
@@ -41,38 +41,33 @@ function test_strict() {
   // errors) like 'unknown issuer' are encountered, the pinning error takes
   // precedence. This prevents overrides for such hosts.
   add_connection_test("unknownissuer.include-subdomains.pinning.example.com",
-                      MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
+                      getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
   // Issued by otherCA, which is not in the pinset for pinning.example.com.
   add_connection_test("bad.include-subdomains.pinning.example.com",
-                      MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
+                      getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
   // Check that using a FQDN doesn't bypass pinning.
   add_connection_test("bad.include-subdomains.pinning.example.com.",
-                      MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
+                      getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
   // For some reason this is also navigable (see bug 1118522).
   add_connection_test("bad.include-subdomains.pinning.example.com..",
-                      MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
+                      getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
   // These domains serve certs that match the pinset.
-  add_connection_test("include-subdomains.pinning.example.com",
-                      PRErrorCodeSuccess);
-  add_connection_test("good.include-subdomains.pinning.example.com",
-                      PRErrorCodeSuccess);
-  add_connection_test("exclude-subdomains.pinning.example.com",
-                      PRErrorCodeSuccess);
+  add_connection_test("include-subdomains.pinning.example.com", Cr.NS_OK);
+  add_connection_test("good.include-subdomains.pinning.example.com", Cr.NS_OK);
+  add_connection_test("exclude-subdomains.pinning.example.com", Cr.NS_OK);
   // This domain serves a cert that doesn't match the pinset, but subdomains
   // are excluded.
-  add_connection_test("sub.exclude-subdomains.pinning.example.com",
-                      PRErrorCodeSuccess);
+  add_connection_test("sub.exclude-subdomains.pinning.example.com", Cr.NS_OK);
   // This domain's pinset is exactly the same as
   // include-subdomains.pinning.example.com, serves the same cert as
   // bad.include-subdomains.pinning.example.com, but it should pass because
   // it's in test_mode.
-  add_connection_test("test-mode.pinning.example.com",
-                      PRErrorCodeSuccess);
+  add_connection_test("test-mode.pinning.example.com", Cr.NS_OK);
 }
 function test_mitm() {
@@ -83,24 +78,19 @@ function test_mitm() {
     run_next_test();
   });
-  add_connection_test("include-subdomains.pinning.example.com",
-                      PRErrorCodeSuccess);
-  add_connection_test("good.include-subdomains.pinning.example.com",
-                      PRErrorCodeSuccess);
+  add_connection_test("include-subdomains.pinning.example.com", Cr.NS_OK);
+  add_connection_test("good.include-subdomains.pinning.example.com", Cr.NS_OK);
   add_connection_test("unknownissuer.include-subdomains.pinning.example.com",
-                      SEC_ERROR_UNKNOWN_ISSUER);
+                      getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
   // In this case, even though otherCA is not in the pinset, it is a
   // user-specified trust anchor and the pinning check succeeds.
-  add_connection_test("bad.include-subdomains.pinning.example.com",
-                      PRErrorCodeSuccess);
+  add_connection_test("bad.include-subdomains.pinning.example.com", Cr.NS_OK);
-  add_connection_test("exclude-subdomains.pinning.example.com",
-                      PRErrorCodeSuccess);
-  add_connection_test("sub.exclude-subdomains.pinning.example.com",
-                      PRErrorCodeSuccess);
-  add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess);
+  add_connection_test("exclude-subdomains.pinning.example.com", Cr.NS_OK);
+  add_connection_test("sub.exclude-subdomains.pinning.example.com", Cr.NS_OK);
+  add_connection_test("test-mode.pinning.example.com", Cr.NS_OK);
 };
 function test_disabled() {
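Review bot: The comment above `add_connection_test("bad.include-subdomains.pinning.example.com", Cr.NS_OK);` in test_mitm records that a user-specified trust anchor makes the pinning check succeed, but not that this is intended, and a reader auditing pinning could easily take an NS_OK for a cert issued outside the pinset as a bug to "fix". I would extend it along the lines of `// This is deliberate: pins are not enforced for chains that end in a locally-added trust anchor, so user-installed roots keep working. Do not tighten this without revisiting that trade-off.` The rationale is my inference from the test's intent rather than anything this hunk states, so confirm it against the pinning implementation before adding the comment. test_mitm's setup, where otherCA is presumably added as a trust anchor, begins before this hunk.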
@@ -110,20 +100,15 @@ function test_disabled() {
     run_next_test();
   });
-  add_connection_test("include-subdomains.pinning.example.com",
-                      PRErrorCodeSuccess);
-  add_connection_test("good.include-subdomains.pinning.example.com",
-                      PRErrorCodeSuccess);
-  add_connection_test("bad.include-subdomains.pinning.example.com",
-                      PRErrorCodeSuccess);
-  add_connection_test("exclude-subdomains.pinning.example.com",
-                      PRErrorCodeSuccess);
-  add_connection_test("sub.exclude-subdomains.pinning.example.com",
-                      PRErrorCodeSuccess);
-  add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess);
+  add_connection_test("include-subdomains.pinning.example.com", Cr.NS_OK);
+  add_connection_test("good.include-subdomains.pinning.example.com", Cr.NS_OK);
+  add_connection_test("bad.include-subdomains.pinning.example.com", Cr.NS_OK);
+  add_connection_test("exclude-subdomains.pinning.example.com", Cr.NS_OK);
+  add_connection_test("sub.exclude-subdomains.pinning.example.com", Cr.NS_OK);
+  add_connection_test("test-mode.pinning.example.com", Cr.NS_OK);
   add_connection_test("unknownissuer.include-subdomains.pinning.example.com",
-                      SEC_ERROR_UNKNOWN_ISSUER);
+                      getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
 }
 function test_enforce_test_mode() {
@@ -134,31 +119,27 @@ function test_enforce_test_mode() {
   });
   add_connection_test("unknownissuer.include-subdomains.pinning.example.com",
-                      MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
+                      getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
   // Issued by otherCA, which is not in the pinset for pinning.example.com.
   add_connection_test("bad.include-subdomains.pinning.example.com",
-                      MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
+                      getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
   // These domains serve certs that match the pinset.
-  add_connection_test("include-subdomains.pinning.example.com",
-                      PRErrorCodeSuccess);
-  add_connection_test("good.include-subdomains.pinning.example.com",
-                      PRErrorCodeSuccess);
-  add_connection_test("exclude-subdomains.pinning.example.com",
-                      PRErrorCodeSuccess);
+  add_connection_test("include-subdomains.pinning.example.com", Cr.NS_OK);
+  add_connection_test("good.include-subdomains.pinning.example.com", Cr.NS_OK);
+  add_connection_test("exclude-subdomains.pinning.example.com", Cr.NS_OK);
   // This domain serves a cert that doesn't match the pinset, but subdomains
   // are excluded.
-  add_connection_test("sub.exclude-subdomains.pinning.example.com",
-                      PRErrorCodeSuccess);
+  add_connection_test("sub.exclude-subdomains.pinning.example.com", Cr.NS_OK);
   // This domain's pinset is exactly the same as
   // include-subdomains.pinning.example.com, serves the same cert as
   // bad.include-subdomains.pinning.example.com, is in test-mode, but we are
   // enforcing test mode pins.
   add_connection_test("test-mode.pinning.example.com",
-                      MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
+                      getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
 }
 function check_pinning_telemetry() {