148 lines
6.8 KiB
JavaScript
148 lines
6.8 KiB
JavaScript
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
"use strict";
|
|
|
|
// The purpose of this test is to check that parsing of HPKP headers
|
|
// is correct.
|
|
|
|
var profileDir = do_get_profile();
|
|
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
|
|
.getService(Ci.nsIX509CertDB);
|
|
var gSSService = Cc["@mozilla.org/ssservice;1"]
|
|
.getService(Ci.nsISiteSecurityService);
|
|
|
|
function certFromFile(cert_name) {
|
|
return constructCertFromFile("test_pinning_dynamic/" + cert_name + ".pem");
|
|
}
|
|
|
|
function loadCert(cert_name, trust_string) {
|
|
let cert_filename = "test_pinning_dynamic/" + cert_name + ".pem";
|
|
addCertFromFile(certdb, cert_filename, trust_string);
|
|
return constructCertFromFile(cert_filename);
|
|
}
|
|
|
|
function checkFailParseInvalidPin(pinValue) {
|
|
let sslStatus = new FakeSSLStatus(
|
|
certFromFile('a.pinning2.example.com-pinningroot'));
|
|
let uri = Services.io.newURI("https://a.pinning2.example.com", null, null);
|
|
throws(() => {
|
|
gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
|
|
pinValue, sslStatus, 0);
|
|
}, /NS_ERROR_FAILURE/, `Invalid pin "${pinValue}" should be rejected`);
|
|
}
|
|
|
|
function checkPassValidPin(pinValue, settingPin, expectedMaxAge) {
|
|
let sslStatus = new FakeSSLStatus(
|
|
certFromFile('a.pinning2.example.com-pinningroot'));
|
|
let uri = Services.io.newURI("https://a.pinning2.example.com", null, null);
|
|
let maxAge = {};
|
|
|
|
// setup preconditions for the test, if setting ensure there is no previous
|
|
// state, if removing ensure there is a valid pin in place.
|
|
if (settingPin) {
|
|
gSSService.removeState(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0);
|
|
} else {
|
|
// add a known valid pin!
|
|
let validPinValue = "max-age=5000;" + VALID_PIN1 + BACKUP_PIN1;
|
|
gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
|
|
validPinValue, sslStatus, 0);
|
|
}
|
|
try {
|
|
gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri,
|
|
pinValue, sslStatus, 0, maxAge);
|
|
ok(true, "Valid pin should be accepted");
|
|
} catch (e) {
|
|
ok(false, "Valid pin should have been accepted");
|
|
}
|
|
|
|
// check that maxAge was processed correctly
|
|
if (settingPin && expectedMaxAge) {
|
|
ok(maxAge.value == expectedMaxAge, `max-age value should be ${expectedMaxAge}`);
|
|
}
|
|
|
|
// after processing ensure that the postconditions are true, if setting
|
|
// the host must be pinned, if removing the host must not be pinned
|
|
let hostIsPinned = gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP,
|
|
"a.pinning2.example.com", 0);
|
|
if (settingPin) {
|
|
ok(hostIsPinned, "Host should be considered pinned");
|
|
} else {
|
|
ok(!hostIsPinned, "Host should not be considered pinned");
|
|
}
|
|
}
|
|
|
|
function checkPassSettingPin(pinValue, expectedMaxAge) {
|
|
return checkPassValidPin(pinValue, true, expectedMaxAge);
|
|
}
|
|
|
|
function checkPassRemovingPin(pinValue) {
|
|
return checkPassValidPin(pinValue, false);
|
|
}
|
|
|
|
const MAX_MAX_AGE_SECONDS = 100000;
|
|
const GOOD_MAX_AGE_SECONDS = 69403;
|
|
const LONG_MAX_AGE_SECONDS = 2 * MAX_MAX_AGE_SECONDS;
|
|
const NON_ISSUED_KEY_HASH1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
|
|
const NON_ISSUED_KEY_HASH2 = "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ=";
|
|
const PINNING_ROOT_KEY_HASH = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=";
|
|
const MAX_AGE_ZERO = "max-age=0;";
|
|
const VALID_PIN1 = `pin-sha256="${PINNING_ROOT_KEY_HASH}";`;
|
|
const BACKUP_PIN1 = `pin-sha256="${NON_ISSUED_KEY_HASH1}";`;
|
|
const BACKUP_PIN2 = `pin-sha256="${NON_ISSUED_KEY_HASH2}";`;
|
|
const BROKEN_PIN1 = "pin-sha256=\"jdjsjsjs\";";
|
|
const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`;
|
|
const LONG_MAX_AGE = `max-age=${LONG_MAX_AGE_SECONDS};`;
|
|
const INCLUDE_SUBDOMAINS = "includeSubdomains;";
|
|
const REPORT_URI = "report-uri=\"https://www.example.com/report/\";";
|
|
const UNRECOGNIZED_DIRECTIVE = "unreconized-dir=12343;";
|
|
|
|
function run_test() {
|
|
Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
|
|
Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
|
|
Services.prefs.setIntPref("security.cert_pinning.max_max_age_seconds", MAX_MAX_AGE_SECONDS);
|
|
Services.prefs.setBoolPref("security.cert_pinning.process_headers_from_non_builtin_roots", true);
|
|
|
|
loadCert("pinningroot", "CTu,CTu,CTu");
|
|
loadCert("badca", "CTu,CTu,CTu");
|
|
|
|
checkFailParseInvalidPin("max-age=INVALID");
|
|
// check that incomplete headers are failure
|
|
checkFailParseInvalidPin(GOOD_MAX_AGE);
|
|
checkFailParseInvalidPin(VALID_PIN1);
|
|
checkFailParseInvalidPin(REPORT_URI);
|
|
checkFailParseInvalidPin(UNRECOGNIZED_DIRECTIVE);
|
|
checkFailParseInvalidPin(VALID_PIN1 + BACKUP_PIN1);
|
|
checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1);
|
|
checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + BROKEN_PIN1);
|
|
// next ensure a backup pin is present
|
|
checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + VALID_PIN1);
|
|
// next section ensure duplicate directives result in failure
|
|
checkFailParseInvalidPin(GOOD_MAX_AGE + GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1);
|
|
checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1 + INCLUDE_SUBDOMAINS + INCLUDE_SUBDOMAINS);
|
|
checkFailParseInvalidPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1 + REPORT_URI + REPORT_URI);
|
|
checkFailParseInvalidPin("thisisinvalidtest");
|
|
checkFailParseInvalidPin("invalid" + GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1);
|
|
|
|
checkPassRemovingPin("max-age=0"); //test removal without terminating ';'
|
|
checkPassRemovingPin(MAX_AGE_ZERO);
|
|
checkPassRemovingPin(MAX_AGE_ZERO + VALID_PIN1);
|
|
|
|
checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1, GOOD_MAX_AGE_SECONDS);
|
|
checkPassSettingPin(LONG_MAX_AGE + VALID_PIN1 + BACKUP_PIN1, MAX_MAX_AGE_SECONDS);
|
|
|
|
checkPassRemovingPin(VALID_PIN1 + MAX_AGE_ZERO + VALID_PIN1);
|
|
checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1);
|
|
checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN2);
|
|
checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN2 + INCLUDE_SUBDOMAINS);
|
|
checkPassSettingPin(VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2 + INCLUDE_SUBDOMAINS);
|
|
checkPassSettingPin(VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2 + REPORT_URI + INCLUDE_SUBDOMAINS);
|
|
checkPassSettingPin(INCLUDE_SUBDOMAINS + VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2);
|
|
checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1 + UNRECOGNIZED_DIRECTIVE);
|
|
|
|
Services.prefs.clearUserPref("security.cert_pinning.hpkp.enabled");
|
|
Services.prefs.clearUserPref("security.cert_pinning.enforcement_level");
|
|
Services.prefs.clearUserPref("security.cert_pinning.max_max_age_seconds");
|
|
Services.prefs.clearUserPref("security.cert_pinning.process_headers_from_non_builtin_roots");
|
|
}
|