test_session_resumption.js

mozilla-central/security/manager/ssl/tests/unit/test_session_resumption.js (file symbol)

Enable keyboard shortcuts

Source code

File a bug in Core :: Security: PSM

Revision control

Copy as Markdown

Other Tools

Test Info: Warnings

This test gets skipped with pattern: os == 'win' && msix OR os == 'win'
Manifest: security/manager/ssl/tests/unit/xpcshell.toml

// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-

// Any copyright is dedicated to the Public Domain.

// http://creativecommons.org/publicdomain/zero/1.0/

"use strict";

// Tests that PSM makes the correct determination of the security status of

// loads involving session resumption (i.e. when a TLS handshake bypasses the

// AuthCertificate callback).

do_get_profile();

const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(

  Ci.nsIX509CertDB

);

registerCleanupFunction(() => {

  Services.prefs.clearUserPref("security.OCSP.enabled");

});

Services.prefs.setIntPref("security.OCSP.enabled", 1);

addCertFromFile(certdb, "bad_certs/evroot.pem", "CTu,,");

addCertFromFile(certdb, "bad_certs/ev-test-intermediate.pem", ",,");

// For expired.example.com, the platform will make a connection that will fail.

// Using information gathered at that point, an override will be added and

// another connection will be made. This connection will succeed. At that point,

// as long as the session cache isn't cleared, subsequent new connections should

// use session resumption, thereby bypassing the AuthCertificate hook. We need

// to ensure that the correct security state is propagated to the new connection

// information object.

function add_resume_non_ev_with_override_test() {

  // This adds the override and makes one successful connection.

  add_cert_override_test("expired.example.com", SEC_ERROR_EXPIRED_CERTIFICATE);

  // This connects again, using session resumption. Note that we don't clear

  // the TLS session cache between these operations (that would defeat the

  // purpose).

  add_connection_test(

    "expired.example.com",

    PRErrorCodeSuccess,

    null,

    transportSecurityInfo => {

      ok(transportSecurityInfo.resumed, "connection should be resumed");

ok(

        transportSecurityInfo.securityState &

          Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN,

        "expired.example.com should have STATE_CERT_USER_OVERRIDDEN flag"

);

      equal(

        transportSecurityInfo.succeededCertChain.length,

0,

        "expired.example.com should not have succeededCertChain set"

);

      equal(

        transportSecurityInfo.failedCertChain.length,

2,

        "expired.example.com should have failedCertChain set"

);

      equal(

        transportSecurityInfo.overridableErrorCategory,

        Ci.nsITransportSecurityInfo.ERROR_TIME,

        "expired.example.com should have time overridable error category"

);

ok(

        !transportSecurityInfo.isExtendedValidation,

        "expired.example.com should not have isExtendedValidation set"

);

      let certOverrideService = Cc[

        "@mozilla.org/security/certoverride;1"

      ].getService(Ci.nsICertOverrideService);

      certOverrideService.clearValidityOverride(

        "expired.example.com",

        8443,

{}

);

);

// Helper function that adds a test that connects to ev-test.example.com and

// verifies that it validates as EV (or not, if we're running a non-debug

// build). This assumes that an appropriate OCSP responder is running or that

// good responses are cached.

function add_one_ev_test(resumed) {

  add_connection_test(

    "ev-test.example.com",

    PRErrorCodeSuccess,

    null,

    transportSecurityInfo => {

      equal(

        transportSecurityInfo.resumed,

        resumed,

        "connection should be resumed or not resumed as expected"

);

ok(

!(

          transportSecurityInfo.securityState &

          Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN

),

        "ev-test.example.com should not have STATE_CERT_USER_OVERRIDDEN flag"

);

      equal(

        transportSecurityInfo.succeededCertChain.length,

3,

        "ev-test.example.com should have succeededCertChain set"

);

      equal(

        transportSecurityInfo.failedCertChain.length,

0,

        "ev-test.example.com should not have failedCertChain set"

);

      equal(

        transportSecurityInfo.overridableErrorCategory,

        Ci.nsITransportSecurityInfo.ERROR_UNSET,

        "ev-test.example.com should not have an overridable error category"

);

ok(

        !gEVExpected || transportSecurityInfo.isExtendedValidation,

        "ev-test.example.com should have isExtendedValidation set " +

          "(or this is a non-debug build)"

);

);

// This test is similar, except with extended validation. We should connect

// successfully, and the certificate should be EV in debug builds. Without

// clearing the session cache, we should connect successfully again, this time

// with session resumption. The certificate should again be EV in debug builds.

function add_resume_ev_test() {

  const SERVER_PORT = 8888;

  let expectedRequestPaths = ["ev-test"];

  let responseTypes = ["good"];

  // Since we cache OCSP responses, we only ever actually serve one set.

  let ocspResponder;

  // If we don't wrap this in an `add_test`, the OCSP responder will be running

  // while we are actually running unrelated testcases, which can disrupt them.

  add_test(() => {

    ocspResponder = startOCSPResponder(

      SERVER_PORT,

      "localhost",

      "bad_certs",

      expectedRequestPaths,

      expectedRequestPaths.slice(),

      null,

      responseTypes

);

    run_next_test();

});

  // We should be able to connect and verify the certificate as EV (in debug

  // builds).

  add_one_ev_test(false);

  // We should be able to connect again (using session resumption). In debug

  // builds, the certificate should be noted as EV. Again, it's important that

  // nothing clears the TLS cache in between these two operations.

  add_one_ev_test(true);

  add_test(() => {

    ocspResponder.stop(run_next_test);

});

const GOOD_DOMAIN = "good.include-subdomains.pinning.example.com";

// Helper function that adds a test that connects to a domain that should

// succeed (but isn't EV) and verifies that its succeededCertChain gets set

// appropriately.

function add_one_non_ev_test() {

  add_connection_test(

    GOOD_DOMAIN,

    PRErrorCodeSuccess,

    null,

    transportSecurityInfo => {

ok(

!(

          transportSecurityInfo.securityState &

          Ci.nsIWebProgressListener.STATE_CERT_USER_OVERRIDDEN

),

        `${GOOD_DOMAIN} should not have STATE_CERT_USER_OVERRIDDEN flag`

);

ok(

        transportSecurityInfo.succeededCertChain,

        `${GOOD_DOMAIN} should have succeededCertChain set`

);

      equal(

        transportSecurityInfo.overridableErrorCategory,

0,

        `${GOOD_DOMAIN} should not have an overridable error category set`

);

ok(

        !transportSecurityInfo.isExtendedValidation,

        `${GOOD_DOMAIN} should not have isExtendedValidation set`

);

);

// This test is similar, except with non-extended validation. We should connect

// successfully, and the certificate should not be EV. Without clearing the

// session cache, we should connect successfully again, this time with session

// resumption. In this case, though, we want to ensure the succeededCertChain is

// set.

function add_resume_non_ev_test() {

  add_one_non_ev_test();

  add_one_non_ev_test();

const statsPtr = getSSLStatistics();

const toInt32 = ctypes.Int64.lo;

// Connect to the same domain with two origin attributes and check if any ssl

// session is resumed.

function add_origin_attributes_test(

  originAttributes1,

  originAttributes2,

  resumeExpected

) {

  add_connection_test(

    GOOD_DOMAIN,

    PRErrorCodeSuccess,

    clearSessionCache,

    null,

    null,

    originAttributes1

);

  let hitsBeforeConnect;

  let missesBeforeConnect;

  let expectedHits = resumeExpected ? 1 : 0;

  let expectedMisses = 1 - expectedHits;

  add_connection_test(

    GOOD_DOMAIN,

    PRErrorCodeSuccess,

    function () {

      // Add the hits and misses before connection.

      let stats = statsPtr.contents;

      hitsBeforeConnect = toInt32(stats.sch_sid_cache_hits);

      missesBeforeConnect = toInt32(stats.sch_sid_cache_misses);

},

    function () {

      let stats = statsPtr.contents;

      equal(

        toInt32(stats.sch_sid_cache_hits),

        hitsBeforeConnect + expectedHits,

        "Unexpected cache hits"

);

      equal(

        toInt32(stats.sch_sid_cache_misses),

        missesBeforeConnect + expectedMisses,

        "Unexpected cache misses"

);

},

    null,

    originAttributes2

);

function add_resumption_tests() {

  add_resume_ev_test();

  add_resume_non_ev_test();

  add_resume_non_ev_with_override_test();

  add_origin_attributes_test({}, {}, true);

  add_origin_attributes_test({ userContextId: 1 }, { userContextId: 2 }, false);

  add_origin_attributes_test({ userContextId: 3 }, { userContextId: 3 }, true);

  add_origin_attributes_test(

    { firstPartyDomain: "foo.com" },

    { firstPartyDomain: "bar.com" },

    false

);

  add_origin_attributes_test(

    { firstPartyDomain: "baz.com" },

    { firstPartyDomain: "baz.com" },

    true

);

function run_test() {

  add_tls_server_setup("BadCertAndPinningServer", "bad_certs");

  add_resumption_tests();

  // Enable external session cache and reset the status.

  add_test(function () {

    Services.prefs.setBoolPref("network.ssl_tokens_cache_enabled", true);

    certdb.clearOCSPCache();

    run_next_test();

});

  // Do tests again.

  add_resumption_tests();

  run_next_test();