[tor-commits] [tor-browser/tor-browser-45.1.0esr-6.0-1] Bug 18912: add automated tests for updater cert pinning

gk at torproject.org gk at torproject.org
Tue May 24 19:02:31 UTC 2016


commit 351b3c16c1581771e724156f43c5bee32ec42f51
Author: Kathy Brade <brade at pearlcrescent.com>
Date:   Mon May 23 16:36:04 2016 -0400

    Bug 18912: add automated tests for updater cert pinning
    
    Add a chrome mochitest that verifies that a key pinning error
    is generated when the updater is configured to use one of the
    "bad pin" servers that are predefined by the test framework.
    
    Note that this test is affected by bug 18087, which means that
    security.nocertdb must be set to false before running this test.
---
 toolkit/mozapps/update/tests/chrome/chrome.ini     |  1 +
 .../test_0790_check_certPinning_noUpdate.xul       | 73 ++++++++++++++++++++++
 2 files changed, 74 insertions(+)

diff --git a/toolkit/mozapps/update/tests/chrome/chrome.ini b/toolkit/mozapps/update/tests/chrome/chrome.ini
index 48945ce..33d1154 100644
--- a/toolkit/mozapps/update/tests/chrome/chrome.ini
+++ b/toolkit/mozapps/update/tests/chrome/chrome.ini
@@ -93,6 +93,7 @@ reason = test must be able to prevent file deletion.
 [test_0172_notify_noPerms_manual.xul]
 skip-if = os != 'win'
 reason = test must be able to prevent file deletion.
+[test_0790_check_certPinning_noUpdate.xul]
 [test_0900_deprecatedUpdateFormat_minor.xul]
 [test_0901_deprecatedUpdateFormat_major.xul]
 [test_9999_cleanup.xul]
diff --git a/toolkit/mozapps/update/tests/chrome/test_0790_check_certPinning_noUpdate.xul b/toolkit/mozapps/update/tests/chrome/test_0790_check_certPinning_noUpdate.xul
new file mode 100644
index 0000000..f5a97cf
--- /dev/null
+++ b/toolkit/mozapps/update/tests/chrome/test_0790_check_certPinning_noUpdate.xul
@@ -0,0 +1,73 @@
+<?xml version="1.0"?>
+<!--
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/
+ */
+-->
+
+<?xml-stylesheet href="chrome://global/skin" type="text/css"?>
+<?xml-stylesheet href="chrome://mochikit/content/tests/SimpleTest/test.css" type="text/css"?>
+
+<window title="Test update check with invalid certificate attribute name with no update"
+        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+        onload="runTestDefault();">
+<script type="application/javascript"
+        src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"/>
+<script type="application/javascript"
+        src="utils.js"/>
+
+<script type="application/javascript">
+<![CDATA[
+
+const TESTS = [ {
+  pageid: PAGEID_CHECKING
+}, {
+  pageid: PAGEID_ERRORS,
+  extraCheckFunction: checkErrorCode,
+  buttonClick: "finish"
+} ];
+
+function runTest() {
+  debugDump("entering");
+
+  // Set the update URL.
+  // https://badchain.include-subdomains.pinning.example.com is preconfigured
+  // by the test framework for use in key pinning tests.
+  // See build/pgo/server-locations.txt
+  let url = "https://badchain.include-subdomains.pinning.example.com"
+            + URL_PATH_UPDATE_XML + "?noUpdates=1";
+  gAppUpdateURLDefault = gDefaultPrefBranch.getCharPref(PREF_APP_UPDATE_URL);
+  debugDump("setting default pref " + PREF_APP_UPDATE_URL + " to " + url);
+  gDefaultPrefBranch.setCharPref(PREF_APP_UPDATE_URL, url);
+
+  gUP.checkForUpdates();
+}
+
+function checkErrorCode() {
+  // From security/manager/ssl/tests/unit/head_psm.js:
+  const MOZILLA_PKIX_ERROR_BASE = Ci.nsINSSErrorsService.MOZILLA_PKIX_ERROR_BASE;
+  const MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = MOZILLA_PKIX_ERROR_BASE + 0;
+
+  // Convert the NSS error into an XPCOM error code.
+  let nssErrorsService = Cc["@mozilla.org/nss_errors_service;1"]
+                           .getService(Ci.nsINSSErrorsService);
+  let expectedErrorCode = nssErrorsService.getXPCOMFromNSSError(
+                                       MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
+
+  // Convert the actual update check errorCode to an unsigned integer so
+  // that we can compare it to the expectedErrorCode.
+  let errorCode = gWin.gUpdates.update.errorCode >>> 0;
+
+  // Finally, check it.
+  is(errorCode, expectedErrorCode,
+    "Checking update.errorCode == MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE");
+}
+]]>
+</script>
+
+<body xmlns="http://www.w3.org/1999/xhtml">
+  <p id="display"></p>
+  <div id="content" style="display: none"></div>
+  <pre id="test"></pre>
+</body>
+</window>
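Review bot: The precondition stated in the commit message, that `security.nocertdb` must be false because of bug 18087, is not recorded or checked anywhere in the new test file. A run with the pref set to true will presumably fail in `checkErrorCode` with nothing pointing at the cause, which makes this regression guard for updater pinning easy to misread or disable. I would add a comment at the top of `runTest`, such as `// Requires security.nocertdb=false (see bug 18087).`, and ideally a check there that reports the pref's value before `gUP.checkForUpdates()` is called. The window title, "Test update check with invalid certificate attribute name with no update", looks copied from another test; something like `title="Test update check with key pinning failure and no update"` would match what is asserted. `runTest` also overwrites the default `PREF_APP_UPDATE_URL` and only saves the old value in `gAppUpdateURLDefault`; the restore is not visible in this hunk and presumably lives in `utils.js`, so it is worth confirming that it runs on the failure path too.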


