commit 351b3c16c1581771e724156f43c5bee32ec42f51 Author: Kathy Brade brade@pearlcrescent.com Date: Mon May 23 16:36:04 2016 -0400
Bug 18912: add automated tests for updater cert pinning
Add a chrome mochitest that verifies that a key pinning error is generated when the updater is configured to use one of the "bad pin" servers that are predefined by the test framework.
Note that this test is affected by bug 18087, which means that security.nocertdb must be set to false before running this test. --- toolkit/mozapps/update/tests/chrome/chrome.ini | 1 + .../test_0790_check_certPinning_noUpdate.xul | 73 ++++++++++++++++++++++ 2 files changed, 74 insertions(+)
diff --git a/toolkit/mozapps/update/tests/chrome/chrome.ini b/toolkit/mozapps/update/tests/chrome/chrome.ini index 48945ce..33d1154 100644 --- a/toolkit/mozapps/update/tests/chrome/chrome.ini +++ b/toolkit/mozapps/update/tests/chrome/chrome.ini @@ -93,6 +93,7 @@ reason = test must be able to prevent file deletion. [test_0172_notify_noPerms_manual.xul] skip-if = os != 'win' reason = test must be able to prevent file deletion. +[test_0790_check_certPinning_noUpdate.xul] [test_0900_deprecatedUpdateFormat_minor.xul] [test_0901_deprecatedUpdateFormat_major.xul] [test_9999_cleanup.xul] diff --git a/toolkit/mozapps/update/tests/chrome/test_0790_check_certPinning_noUpdate.xul b/toolkit/mozapps/update/tests/chrome/test_0790_check_certPinning_noUpdate.xul new file mode 100644 index 0000000..f5a97cf --- /dev/null +++ b/toolkit/mozapps/update/tests/chrome/test_0790_check_certPinning_noUpdate.xul @@ -0,0 +1,73 @@ +<?xml version="1.0"?> +<!-- +/* Any copyright is dedicated to the Public Domain. + * http://creativecommons.org/publicdomain/zero/1.0/ + */ +--> + +<?xml-stylesheet href="chrome://global/skin" type="text/css"?> +<?xml-stylesheet href="chrome://mochikit/content/tests/SimpleTest/test.css" type="text/css"?> + +<window title="Test update check with invalid certificate attribute name with no update" + xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" + onload="runTestDefault();"> +<script type="application/javascript" + src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"/> +<script type="application/javascript" + src="utils.js"/> + +<script type="application/javascript"> +<![CDATA[ + +const TESTS = [ { + pageid: PAGEID_CHECKING +}, { + pageid: PAGEID_ERRORS, + extraCheckFunction: checkErrorCode, + buttonClick: "finish" +} ]; + +function runTest() { + debugDump("entering"); + + // Set the update URL. + // https://badchain.include-subdomains.pinning.example.com is preconfigured + // by the test framework for use in key pinning tests. + // See build/pgo/server-locations.txt + let url = "https://badchain.include-subdomains.pinning.example.com" + + URL_PATH_UPDATE_XML + "?noUpdates=1"; + gAppUpdateURLDefault = gDefaultPrefBranch.getCharPref(PREF_APP_UPDATE_URL); + debugDump("setting default pref " + PREF_APP_UPDATE_URL + " to " + url); + gDefaultPrefBranch.setCharPref(PREF_APP_UPDATE_URL, url); + + gUP.checkForUpdates(); +} + +function checkErrorCode() { + // From security/manager/ssl/tests/unit/head_psm.js: + const MOZILLA_PKIX_ERROR_BASE = Ci.nsINSSErrorsService.MOZILLA_PKIX_ERROR_BASE; + const MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = MOZILLA_PKIX_ERROR_BASE + 0; + + // Convert the NSS error into an XPCOM error code. + let nssErrorsService = Cc["@mozilla.org/nss_errors_service;1"] + .getService(Ci.nsINSSErrorsService); + let expectedErrorCode = nssErrorsService.getXPCOMFromNSSError( + MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE); + + // Convert the actual update check errorCode to an unsigned integer so + // that we can compare it to the expectedErrorCode. + let errorCode = gWin.gUpdates.update.errorCode >>> 0; + + // Finally, check it. + is(errorCode, expectedErrorCode, + "Checking update.errorCode == MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE"); +} +]]> +</script> + +<body xmlns="http://www.w3.org/1999/xhtml"> + <p id="display"></p> + <div id="content" style="display: none"></div> + <pre id="test"></pre> +</body> +</window>