From f4a1822554a7b5f7727a0653836856e9d79380f9 Mon Sep 17 00:00:00 2001
From: Mark Goodwin
Date: Mon, 2 Mar 2015 08:19:00 +0100
Subject: [PATCH] Bug 1130757 - tests for bug 1130757. r=dkeeler
--HG--
extra : rebase_source : 7b047f5bddf3544ca82d3b8875925acdbdb02ea5
---
 .../ssl/tests/unit/test_cert_blocklist.js | 16 ++++++++++++++++
 .../manager/ssl/tests/unit/tlsserver/cert9.db | Bin 294912 -> 294912 bytes
 .../tests/unit/tlsserver/generate_certs.sh | 1 +
 .../manager/ssl/tests/unit/tlsserver/key4.db | Bin 458752 -> 491520 bytes
 .../tests/unit/tlsserver/other-issuer-ee.der | Bin 0 -> 630 bytes
 5 files changed, 17 insertions(+)
 create mode 100644 security/manager/ssl/tests/unit/tlsserver/other-issuer-ee.der
diff --git a/security/manager/ssl/tests/unit/test_cert_blocklist.js b/security/manager/ssl/tests/unit/test_cert_blocklist.js
index 750f93172531..cc1c8b9eace5 100644
--- a/security/manager/ssl/tests/unit/test_cert_blocklist.js
+++ b/security/manager/ssl/tests/unit/test_cert_blocklist.js
@@ -99,6 +99,10 @@ let blocklist_contents =
 "oops! more nonsense." +
 "X1o=" +
 // ... and some good
+ // In this case, the issuer name and the valid serialNumber correspond
+ // to other-test-ca.der in tlsserver/ (for testing root revocation)
+ "" +
+ "AKEIivg=" +
 // This item corresponds to an entry in sample_revocations.txt where:
 // isser name is "another imaginary issuer" base-64 encoded, and
 // serialNumbers are:
@@ -154,6 +158,7 @@ function run_test() {
 // import the certificates we need
 load_cert("test-ca", "CTu,CTu,CTu");
 load_cert("test-int", ",,");
+ load_cert("other-test-ca", "CTu,CTu,CTu");

 let certList = Cc["@mozilla.org/security/certblocklist;1"]
 .getService(Ci.nsICertBlocklist);
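Review bot: The new blocklist item hard-codes the serial `AKEIivg=` for other-test-ca.der without saying where the value comes from, so whoever reruns generate_certs.sh and ends up with a fresh serial for otherCA has no pointer for updating it; extend the added comment with something like `// serialNumber is other-test-ca.der's serial (presumably base64-encoded, like the issuer name); update it whenever generate_certs.sh regenerates otherCA`. As rendered here the entry line reads `"" +`, which would contribute nothing to blocklist_contents; if surrounding markup was lost in rendering this is moot, otherwise the item carries no issuer and should be checked against the actual patch. The blocklist_contents expression starts and continues outside the hunk.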
@@ -186,6 +191,11 @@ function run_test() {
 let file = "tlsserver/test-int-ee.der";
 verify_cert(file, Cr.NS_OK);

+ // The blocklist also revokes other-test-ca.der, which issued other-ca-ee.der.
+ // Check the cert validates before we load the blocklist
+ file = "tlsserver/default-ee.der";
+ verify_cert(file, Cr.NS_OK);
+
 // blocklist load is async so we must use add_test from here
 add_test(function() {
 let certblockObserver = {
@@ -235,6 +245,8 @@ function run_test() {
 contents = contents + (contents.length == 0 ? "" : "\n") + line.value;
 } while (hasmore);
 let expected = "# Auto generated contents. Do not edit.\n" +
+ "MBgxFjAUBgNVBAMTDU90aGVyIHRlc3QgQ0E=\n" +
+ " AKEIivg=\n" +
 "MBIxEDAOBgNVBAMTB1Rlc3QgQ0E=\n" +
 " X1o=\n" +
 "YW5vdGhlciBpbWFnaW5hcnkgaXNzdWVy\n" +
@@ -246,6 +258,10 @@ function run_test() {
 let file = "tlsserver/test-int-ee.der";
 verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);

+ // Check the ee with the blocklisted root also causes a failure
+ file = "tlsserver/other-issuer-ee.der";
+ verify_cert(file, SEC_ERROR_REVOKED_CERTIFICATE);
+
 // Check a non-blocklisted chain still validates OK
 file = "tlsserver/default-ee.der";
 verify_cert(file, Cr.NS_OK);
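Review bot: The pre-blocklist sanity check added after `verify_cert(file, Cr.NS_OK);` verifies `tlsserver/default-ee.der`, not the certificate the new comment and the later `@@ -246` hunk are about, so the test never establishes that other-issuer-ee.der validated before the blocklist was loaded, which weakens the later SEC_ERROR_REVOKED_CERTIFICATE assertion as evidence of root revocation. The comment also names `other-ca-ee.der`, a file this patch does not add (the diffstat adds other-issuer-ee.der). Change the two lines to `// The blocklist also revokes other-test-ca.der, which issued other-issuer-ee.der.` and `file = "tlsserver/other-issuer-ee.der";`; the default-ee.der case is already covered by the non-blocklisted check at the end of the last hunk. run_test() starts and ends outside the hunk.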
diff --git a/security/manager/ssl/tests/unit/tlsserver/cert9.db b/security/manager/ssl/tests/unit/tlsserver/cert9.db index 1e1f99c5366cff0ee517012c170bbb5084412127..ec74aea2feb7457b07ebcf51214ccc859826e058 100644 GIT binary patch delta 501 zcmZo@5Nc=;njp<6F;T{uQDS4llK;#TtFBCCXMD{Bq&_j4u~glwy0_hsktwcty8|PW z2OAeBGYgZH#?l=OlegciVpL;go>=^5I(q|SCKHe@XkgsIQl(R+1JbguXnKDM6D#Xv zQ|26|>2rBl47RI%VZ6u9Jh7y0D?5`SBU?!u2!hl`6mxPg3o$Kahyt1m)Kv;pRWWZn zdjm*W#XKNvMYuwU1xfMpA55|A%o9svwz4w|GK!VP)UK=zsk>UYr@pE_5$O7(APCVr z9q5A#Qj*LjOb@@avGm`}h~%6azKb2e92*UkwRSt?;> zo2%6C{D}Dc*dhC(ywwHgI)8@xg^u69WUtX~Qt-F*{hHOe>2qWQ3wOmYQC4ox$Zo0M f9rq3^ZAjs@d-ZwUf|^~c85w|(ar;*;7Vc62FbBG+ delta 207 zcmZo@5Nc=;njp<6I8nx#QE+3zlK;#Ts_so?XM8>N3!~X~Lq?|1;_VKMOo?pU?^Q9X zu`*96{xqGvfiZJ>Q3K-+ko>747E|UNrs;EeSPZtSePO)E%{-x`e=9qaA|pimbf9*j z?foT8r9hdA<=fdC;8GxywOFRl`@zJqef$nFSdIYFE~V)LpIHQ(sk| lSaq-JD8j6t+sjIs`?{FjxV}zhXXyn=Byw&4%EiK63IOJTN2&k- diff --git a/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh b/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh index 260712a72bc9..5aa6f9334256 100755 --- a/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh +++ b/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh @@ -260,6 +260,7 @@ make_EE localhostAndExampleCom 'CN=Test End-entity' testCA "localhost,*.example. make_EE otherIssuerEE 'CN=Wrong CA Pin Test End-Entity' otherCA "*.include-subdomains.pinning.example.com,*.exclude-subdomains.pinning.example.com,*.pinning.example.com" export_cert localhostAndExampleCom default-ee.der +export_cert otherIssuerEE other-issuer-ee.der # A cert that is like localhostAndExampleCom, but with a different serial number for # testing the "OCSP response is from the right issuer, but it is for the wrong cert" 
diff --git a/security/manager/ssl/tests/unit/tlsserver/key4.db b/security/manager/ssl/tests/unit/tlsserver/key4.db index d63b3e2ba42fb96801a9ec07c2a1875b818a9fbf..f55f815b03604479e6f66e1eb3d23f8730053186 100644 GIT binary patch delta 2826 zcmbW&2{=^!9tZF_XU;6Pgd(zxy+sm+8Chm*X|YB2Y?YXa7G-Y+Q6m&ZlcW${UMfqB zElXa>7Fx)fUL-~F5@O^Y-22|1F5Tze^PK&A&iS1G`9Ht&4-OU$4i=BujN(Ed5WKNC z9e^v(IgQQ@(x>4Q2wwU;eY$`zc!a)=M-@Ki7U6`~c$!Q+2CxKV3hjVr=Q*%Q2oTwl z&cd^H(0~pAiKopnF~NWbNSlRky+}hrNCbdqEqn(sOQCH%281(PI2%5X#US~Cbc7wA z?J`XU;nPoD;x3zsge0(Do*2~J8&(=KIYko-e#{dWuhzCZ~ii6eEEzX0`^|G#|o zf8Ve3t5^xtUV1$9bR>GyB_ARLFDRA|5q-rFSq-vTm|(OgAjsj1eSuZLTtxSyHBfQT zXUGVd3bNrYJ_Cq^NQD`p$f5j*|L6i{TOOo<17ATaq6+LV*VJf5D338j4aWtn7(X`tB=rh&(>!-7P;$+7EQ*uj{ImQE}&< zxf`l>`s|7_IIxYQr^-Mj-shdMd5vC_bY5WMh+?BXKZjqqcKz1fuwt-=QdIyeG{&@G zRnkKhKIy)TncIn*YDXhA@W+X z@-1WyjWZfB`(Z_Y4J8?aQoudm{W0q)n6}@RyC^DZon=7|Be(i1ZF9=_pNZ}`xe}!n zC39c&&2O4XHYEHjhr=h=i6bP^+x7AWvBJBl3G@8dB4I^u4Mn0HZi~3UvA3HR4nHqT z)+`C*Qseb1Vx0;S<*ny7iAgHKS`IENL@T@g>H(4|$@zqG;H=gwQV?M$KB3fd{X*(* z%#FhX(y*ets=_1>LpyM#HeDvuXY13A(-<9M(0l}~i^22Zs`)`rv#(g@eT$J5ME#Oa z6E#!+W|rEvXQ&i9D?tI>>|pA~Gk$jFb02x{Qn!#-NAlLAcHriM3L*^2td6&23Nrnu zjki1$`yygVPjFYR-zWoeKoSha_ZilEG*d{^qw4-HLjAu|WZLbkIXm zWWoYAv{yA!_)$9~#><-01Vzq`jtejL?lW(6yVe`hjn-G@5RXhLZ+Ll-nRgW}iL2LS zr)Gp`q@}bQ7GDG(jIj+!XOd~SH<_*k!OWgUCzj}C^x!#89(Z5_0<{os&kt08j|yQ;YVOJN8ktJF5jZk2-5j78AQI zGTE4LP3EhlN8&Zoky71G+C3J&LdJk;rPiP%6s-GNv(7im&$*D)`rtvTZeMD+km&+< zZZ@N6`n~h%?UNh?)xESm=11gGmE!4)Qb zk*BqD$T6-U#jL~mTEFLohKbN+W>&IPzF1dJ+@eV%*KcQnp;_#a+8MPuX?$Q)*XSL` z*2i96dd%RG+FSYflSSFsEIrk_`ca!K4H>T6j>9#%MqIOI1y%OaUds&q_qTR0!wNJH zw%ZB0)KS7(6e7)9mKg!L)8n7`cOn>yW6AkuP$@4F^P*$Nr%RKSpY0#5*Wb`yB`n7W zdSTSF&xq_-^gb`O-T`1ZmLaTDy5(L!|E%3BHAhZ7QY{C-g$JxzF~|S+lKHzga%qDezr?WROW&#!W)@}d$kC7cDmN=E22_*Efc6(wS z(_-vGRd1)VGbe7%V$Q0Xtk596{cRPqcq_B5Wz<%7mZwbH|1q&-F>cRcVVPjOS)rkX xarz%~7T)Pq-E92rWtJ>J%(}hIlC95;c^j9^cJ>CgTt=XUD>$~xbg?}t1puZ&OELfe 
diff --git a/security/manager/ssl/tests/unit/tlsserver/other-issuer-ee.der b/security/manager/ssl/tests/unit/tlsserver/other-issuer-ee.der new file mode 100644 index 0000000000000000000000000000000000000000..a82b2910c5cbb1aa242de9e4398a16833e3296b6 GIT binary patch literal 630 zcmXqLVk$CdV!XY8nTe5!i77t9fR~L^tIebBJ1-+6H!FjIgrS&$2pe-K3$rkF(-aHQ~+wN+xMC-!KYcwoU2QYDqu4G3N@;_NkAe5>{Nx)d?vRRr}g7S>U;! z*uC#NB;W6Ff1zBX zGxLh|3NrKZGV{{)QY#X33vyERlJj#xDpMV-(QAKi|H`=S z{<%HNO4vGfW!|sT(+TNHee>LEwfV-S{`ni