bug 1209695 - fold mochitest test_bug413909.html into xpcshell test_cert_overrides.js r=mgoodwin

test_bug413909.html doesn't need to be a mochitest. Furthermore, test_cert_overrides.js tests a lot of the same functionality. This just moves the unique parts from the old test to a new home in the xpcshell test (to be specific, some IDN handling and that "port" -1 is the same as port 443).
2024-09-13 09:24:08 -07:00 · 2015-09-29 13:24:19 -07:00 · 2015-09-29 13:24:19 -07:00 · da00b96b84
commit da00b96b84
parent 6c58a4fae7
8 changed files with 59 additions and 145 deletions
--- a/security/manager/ssl/tests/mochitest/bugs/chrome.ini
+++ b/security/manager/ssl/tests/mochitest/bugs/chrome.ini
@ -1,6 +0,0 @@
-[DEFAULT]
-tags = psm
-skip-if = buildapp == 'b2g' || os == 'android'
-
-[test_bug413909.html]
-skip-if = buildapp == 'mulet'
--- a/security/manager/ssl/tests/mochitest/bugs/moz.build
+++ b/security/manager/ssl/tests/mochitest/bugs/moz.build
@ -1,7 +0,0 @@
-# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-MOCHITEST_CHROME_MANIFESTS += ['chrome.ini']
--- a/security/manager/ssl/tests/mochitest/bugs/test_bug413909.html
+++ b/security/manager/ssl/tests/mochitest/bugs/test_bug413909.html
@ -1,127 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<head>
-  <title>Test bug 413909</title>
-  <script type="text/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>        
-  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css" />
-</head>
-<body onload="onWindowLoad()">
-
-<script class="testbody" type="text/javascript">
-
-var certOverrideService = Components.classes["@mozilla.org/security/certoverride;1"]
-  .getService(Components.interfaces.nsICertOverrideService);
-var cert = null;
-var certListener = null;
-
-SimpleTest.waitForExplicitFinish();
-
-function badCertListener() 
-{
-}
-
-badCertListener.prototype = {
-  exceptionAdded: false,
-
-  getInterface: function (aIID) {
-    return this.QueryInterface(aIID);
-  },
-
-  QueryInterface: function(aIID) {
-    if (aIID.equals(Components.interfaces.nsIBadCertListener2) ||
-        aIID.equals(Components.interfaces.nsIInterfaceRequestor) ||
-        aIID.equals(Components.interfaces.nsISupports))
-      return this;
-
-    throw Components.results.NS_ERROR_NO_INTERFACE;
-  },  
-
-  notifyCertProblem: function MSR_notifyCertProblem(socketInfo, sslStatus, targetHost) {
-    cert = sslStatus.QueryInterface(Components.interfaces.nsISSLStatus)
-      .serverCert;
-  
-    certOverrideService.rememberValidityOverride(
-      "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp",
-      -1,
-      cert,
-      certOverrideService.ERROR_UNTRUSTED,
-      false);
-
-    this.exceptionAdded = true;
-    return true;
-  }
-}
-
-function apiTest(expected)
-{
-  var has;
-  var bits = {}, temp = {};
-  
-  has = certOverrideService.hasMatchingOverride(
-      "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", 
-      -1, cert, bits, temp);
-  is(has, expected, "hasMatchingOverride "+expected+" for default port value");
-  
-  has = certOverrideService.hasMatchingOverride(
-      "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", 
-      443, cert, bits, temp);
-  is(has, expected, "hasMatchingOverride "+expected+" for explicit port value");
-  
-  has = certOverrideService.hasMatchingOverride(
-      "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", 
-      563, cert, bits, temp);
-  ok(!has, "hasMatchingOverride false for invalid port value");
-  
-  has = certOverrideService.hasMatchingOverride(
-      window.frame1.location.hostname, 
-      -1, cert, bits, temp);
-  ok(!has, "hasMatchingOverride false for default port value and non-ascii host");
-  
-  has = certOverrideService.hasMatchingOverride(
-      window.frame1.location.hostname, 
-      443, cert, bits, temp);
-  ok(!has, "hasMatchingOverride false for explicit port value and non-ascii host");
-  
-  has = certOverrideService.hasMatchingOverride(
-      window.frame1.location.hostname, 
-      563, cert, bits, temp);
-  ok(!has, "hasMatchingOverride false for invalid port value and non-ascii host");
-}
-
-function onFrameLoad()
-{
-  ok(certListener.exceptionAdded, "Secure page loaded after exception was added and not sooner");
-  if (!certListener.exceptionAdded)
-    return;
-  
-  apiTest(true);
-  certOverrideService.clearValidityOverride(
-    "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", -1);
-  apiTest(false);
-
-  SimpleTest.finish();
-}
-
-function onWindowLoad()
-{
-  var req = new XMLHttpRequest();
-  try
-  {
-    certListener = new badCertListener();
-    
-    req.open("GET", "https://bug413909.xn--hxajbheg2az3al.xn--jxalpdlp/", false);
-    req.channel.notificationCallbacks = certListener;
-    req.send(null);
-  }
-  catch(ex)
-  {
-    // ignore
-  }
-
-  window.frame1.location.reload();
-}
-
-</script>
-<iframe name="frame1" src="https://bug413909.xn--hxajbheg2az3al.xn--jxalpdlp/" onload="onFrameLoad()"></iframe>
-</body>
-</html>
--- a/security/manager/ssl/tests/mochitest/moz.build
+++ b/security/manager/ssl/tests/mochitest/moz.build
@ -6,8 +6,6 @@

 TEST_DIRS += [
    'browser',
-    'bugs',
    'mixedcontent',
    'stricttransportsecurity',
 ]
-
--- a/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec
+++ b/security/manager/ssl/tests/unit/bad_certs/idn-certificate.pem.certspec
@ -0,0 +1,3 @@
+issuer:Unknown Issuer
+subject:IDN Certificate
+extension:subjectAlternativeName:bug413909.xn--hxajbheg2az3al.xn--jxalpdlp
--- a/security/manager/ssl/tests/unit/bad_certs/moz.build
+++ b/security/manager/ssl/tests/unit/bad_certs/moz.build
@ -16,6 +16,7 @@ test_certificates = (
    'expired-ee.pem',
    'expiredINT.pem',
    'expiredissuer.pem',
+    'idn-certificate.pem',
    'inadequateKeySizeEE.pem',
    'inadequatekeyusage-ee.pem',
    'ipAddressAsDNSNameInSAN.pem',
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@ -19,7 +19,7 @@ function check_telemetry() {
                    .getHistogramById("SSL_CERT_ERROR_OVERRIDES")
                    .snapshot();
  equal(histogram.counts[ 0], 0, "Should have 0 unclassified counts");
-  equal(histogram.counts[ 2], 7,
+  equal(histogram.counts[ 2], 8,
        "Actual and expected SEC_ERROR_UNKNOWN_ISSUER counts should match");
  equal(histogram.counts[ 3], 1,
        "Actual and expected SEC_ERROR_CA_CERT_INVALID counts should match");
@ -60,13 +60,47 @@ function check_telemetry() {
        "Actual and expected successful verifications of 2048-bit keys should match");
  equal(keySizeHistogram.counts[2], 0,
        "Actual and expected successful verifications of 1024-bit keys should match");
-  equal(keySizeHistogram.counts[3], 54,
-        "Actual and expected key size verification failures should match");
+  equal(keySizeHistogram.counts[3], 56,
+        "Actual and expected verification failures unrelated to key size should match");

  run_next_test();
 }

+// Internally, specifying "port" -1 is the same as port 443. This tests that.
+function run_port_equivalency_test(inPort, outPort) {
+  Assert.ok((inPort == 443 && outPort == -1) || (inPort == -1 && outPort == 443),
+            "The two specified ports must be -1 and 443 (in any order)");
+  let certOverrideService = Cc["@mozilla.org/security/certoverride;1"]
+                              .getService(Ci.nsICertOverrideService);
+  let cert = constructCertFromFile("bad_certs/default-ee.pem");
+  let expectedBits = Ci.nsICertOverrideService.ERROR_UNTRUSTED
+  let expectedTemporary = true;
+  certOverrideService.rememberValidityOverride("example.com", inPort, cert,
+                                               expectedBits, expectedTemporary);
+  let actualBits = {};
+  let actualTemporary = {};
+  Assert.ok(certOverrideService.hasMatchingOverride("example.com", outPort,
+                                                    cert, actualBits,
+                                                    actualTemporary),
+            `override set on port ${inPort} should match port ${outPort}`);
+  equal(actualBits.value, expectedBits,
+        "input override bits should match output bits");
+  equal(actualTemporary.value, expectedTemporary,
+        "input override temporary value should match output temporary value");
+  Assert.ok(!certOverrideService.hasMatchingOverride("example.com", 563,
+                                                     cert, {}, {}),
+            `override set on port ${inPort} should not match port 563`);
+  certOverrideService.clearValidityOverride("example.com", inPort);
+  Assert.ok(!certOverrideService.hasMatchingOverride("example.com", outPort,
+                                                     cert, actualBits, {}),
+            `override cleared on port ${inPort} should match port ${outPort}`);
+  equal(actualBits.value, 0, "should have no bits set if there is no override");
+}
+
 function run_test() {
+  run_port_equivalency_test(-1, 443);
+  run_port_equivalency_test(443, -1);
+
  Services.prefs.setIntPref("security.OCSP.enabled", 1);
  add_tls_server_setup("BadCertServer", "bad_certs");

@ -211,6 +245,23 @@ function add_simple_tests() {
  add_cert_override_test("badSubjectAltNames.example.com",
                         Ci.nsICertOverrideService.ERROR_MISMATCH,
                         SSL_ERROR_BAD_CERT_DOMAIN);
+
+  add_cert_override_test("bug413909.xn--hxajbheg2az3al.xn--jxalpdlp",
+                         Ci.nsICertOverrideService.ERROR_UNTRUSTED,
+                         SEC_ERROR_UNKNOWN_ISSUER);
+  add_test(function() {
+    // At this point, the override for bug413909.xn--hxajbheg2az3al.xn--jxalpdlp
+    // is still valid. Do some additional tests relating to IDN handling.
+    let certOverrideService = Cc["@mozilla.org/security/certoverride;1"]
+                                .getService(Ci.nsICertOverrideService);
+    let uri = Services.io.newURI("https://bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", null, null);
+    let cert = constructCertFromFile("bad_certs/idn-certificate.pem");
+    Assert.ok(certOverrideService.hasMatchingOverride(uri.asciiHost, 8443, cert, {}, {}),
+              "IDN certificate should have matching override using ascii host");
+    Assert.ok(!certOverrideService.hasMatchingOverride(uri.host, 8443, cert, {}, {}),
+              "IDN certificate should not have matching override using (non-ascii) host");
+    run_next_test();
+  });
 }

 function add_combo_tests() {
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
@ -74,6 +74,7 @@ const BadCertHost sBadCertHosts[] =
  { "badSubjectAltNames.example.com", "badSubjectAltNames" },
  { "ipAddressAsDNSNameInSAN.example.com", "ipAddressAsDNSNameInSAN" },
  { "noValidNames.example.com", "noValidNames" },
+  { "bug413909.xn--hxajbheg2az3al.xn--jxalpdlp", "idn-certificate" },
  { nullptr, nullptr }
 };