Bug 785259 - tests, r=honzab

build/pgo/server-locations.txt

@@ -97,6 +97,10 @@ https://untrusted.example.com:443      privileged,cert=untrusted
 https://expired.example.com:443        privileged,cert=expired
 https://requestclientcert.example.com:443         privileged,clientauth=request
 https://requireclientcert.example.com:443         privileged,clientauth=require
+https://mismatch.expired.example.com:443	privileged,cert=expired
+https://mismatch.untrusted.example.com:443	privileged,cert=untrusted
+https://untrusted-expired.example.com:443	privileged,cert=untrustedandexpired
+https://mismatch.untrusted-expired.example.com:443	privileged,cert=untrustedandexpired
 
 # This is here so that we don't load the default live bookmark over
 # the network in every test suite.

security/manager/ssl/tests/mochitest/bugs/Makefile.in

@@ -18,6 +18,7 @@ MOCHITEST_FILES = \
         $(NULL)
 
 MOCHITEST_CHROME_FILES = \
+	test_certificate_overrides.html \
         test_bug413909.html \
         test_bug480619.html \
         test_bug644006.html \

security/manager/ssl/tests/mochitest/bugs/test_certificate_overrides.html

@@ -0,0 +1,145 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <title>Test certificate overrides</title>
+  <script type="text/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css" />
+</head>
+<body>
+<script class="testbody" type="text/javascript">
+
+const Cc = Components.classes;
+const Ci = Components.interfaces;
+const cos = Cc["@mozilla.org/security/certoverride;1"].
+              getService(Ci.nsICertOverrideService);
+
+const eu = Ci.nsICertOverrideService.ERROR_UNTRUSTED;
+const em = Ci.nsICertOverrideService.ERROR_MISMATCH;
+const et = Ci.nsICertOverrideService.ERROR_TIME;
+
+// Note:  the host index matches the expected error.
+var testHost = [];
+testHost[           eu ] = "untrusted.example.com";
+testHost[      em      ] = "nocert.example.com";
+testHost[      em | eu ] = "mismatch.untrusted.example.com";
+testHost[ et           ] = "expired.example.com";
+testHost[ et      | eu ] = "untrusted-expired.example.com";
+testHost[ et | em      ] = "mismatch.expired.example.com";
+testHost[ et | em | eu ] = "mismatch.untrusted-expired.example.com";
+
+var gCertErrorBits;
+
+SimpleTest.waitForExplicitFinish();
+
+// Support for making sure we can talk to the invalid cert the server presents
+var CertOverrideListener = function(host, port, bits) {
+  this.host = host;
+  if (port) {
+    this.port = port;
+  }
+  this.bits = bits;
+};
+
+CertOverrideListener.prototype = {
+  host: null,
+  port: -1,
+  bits: null,
+  getInterface: function(aIID) {
+    return this.QueryInterface(aIID);
+  },
+  QueryInterface: function(aIID) {
+    if (aIID.equals(Ci.nsIBadCertListener2) ||
+        aIID.equals(Ci.nsIInterfaceRequestor) ||
+        aIID.equals(Ci.nsISupports)) {
+      return this;
+    }
+    throw Components.results.NS_ERROR_NO_INTERFACE;
+  },
+  notifyCertProblem: function(socketInfo, sslStatus, targetHost) {
+    var cert = sslStatus.QueryInterface(Ci.nsISSLStatus).serverCert;
+    cos.rememberValidityOverride(this.host, this.port, cert, this.bits, true);
+    gCertErrorBits = 0;
+    if (sslStatus.isUntrusted) {
+      gCertErrorBits |= Ci.nsICertOverrideService.ERROR_UNTRUSTED;
+    }
+    if (sslStatus.isDomainMismatch) {
+      gCertErrorBits |= Ci.nsICertOverrideService.ERROR_MISMATCH;
+    }
+    if (sslStatus.isNotValidAtThisTime) {
+      gCertErrorBits |= Ci.nsICertOverrideService.ERROR_TIME;
+    }
+    return true;
+  },
+}
+
+function addCertOverride(host, port, bits)
+{
+  var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
+             .createInstance(Ci.nsIXMLHttpRequest);
+  var url;
+  if (port) {
+    url = "https://" + host + ":" + port + "/";
+  } else {
+    url = "https://" + host + "/";
+  }
+  req.open("GET", url, false);
+  req.channel.notificationCallbacks = new CertOverrideListener(host, port, bits);
+  try {
+    req.send(null);
+    ok(false, "Connection to host " + host + " succeeded when it should have failed");
+  } catch (e) {
+    // Failure here is expected as the server is not trusted yet.
+  }
+}
+
+function xhrConnect(domain,message,expectedSuccess)
+{
+  var req = Cc["@mozilla.org/xmlextras/xmlhttprequest;1"]
+             .createInstance(Ci.nsIXMLHttpRequest);
+  req.open("GET", "https://" + domain + "/", false);
+  try {
+    req.send(null);
+    ok(expectedSuccess, "Page Load success " + message + " expected=" + expectedSuccess);
+  } catch (err) {
+    ok(!expectedSuccess, "Page failed to load " + message + " expected=" + expectedSuccess);
+  }
+}
+
+function checkHostConnect(host, overrideBits, successExpected, overridesMustEqualError)
+{
+  var statusMessage = " overrideBits=" + overrideBits;
+  addCertOverride(host, 443, overrideBits);
+  if (overridesMustEqualError) {
+    is(gCertErrorBits, overrideBits, "Reported Error match: errorbits=" + gCertErrorBits + " host=" + host);
+  }
+  xhrConnect(host, "override host=" + host + statusMessage, successExpected);
+  cos.clearValidityOverride(host, 443);
+}
+
+function testCertOverrides()
+{
+  for (var i = 1; i < testHost.length; ++i) {
+    cos.clearValidityOverride(testHost[i], 443);
+  }
+  const allErrorBits = et | em | eu ;
+  for (var i = 1; i < allErrorBits + 1; ++i) {
+    var overrideBits = i;
+    for (var j = 1; j < testHost.length; ++j){
+      var expectedError = j;
+      var successExpected = (0 == (expectedError & ~overrideBits));
+      var errorMustMatch = (overrideBits == expectedError);
+      checkHostConnect(testHost[j], overrideBits, successExpected, errorMustMatch);
+    }
+  }
+  // Now we test the self-signed. Must return an overridable untrusted error.
+  cos.clearValidityOverride("self-signed.example.com", 443);
+  checkHostConnect("self-signed.example.com", eu, successExpected, true);
+}
+
+testCertOverrides();
+SimpleTest.finish();
+
+</script>
+
+</body>
+</html>