diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp index 256ddddd2f9b..72b25f2b981b 100644 --- a/security/manager/ssl/nsNSSCallbacks.cpp +++ b/security/manager/ssl/nsNSSCallbacks.cpp @@ -10,6 +10,7 @@ #include "mozilla/Casting.h" #include "mozilla/Telemetry.h" #include "mozilla/TimeStamp.h" +#include "mozilla/unused.h" #include "nsContentUtils.h" #include "nsICertOverrideService.h" #include "nsIHttpChannelInternal.h" @@ -1232,25 +1233,17 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) { status->SetServerCert(nssc, nsNSSCertificate::ev_status_unknown); } - nsCOMPtr overrideService = - do_GetService(NS_CERTOVERRIDE_CONTRACTID); - - if (overrideService) { - bool haveOverride; - uint32_t overrideBits = 0; // Unused. - bool isTemporaryOverride; // Unused. - const nsACString& hostString(infoObject->GetHostName()); - const int32_t port(infoObject->GetPort()); - nsCOMPtr cert; - status->GetServerCert(getter_AddRefs(cert)); - nsresult nsrv = overrideService->HasMatchingOverride(hostString, port, - cert, - &overrideBits, - &isTemporaryOverride, - &haveOverride); - if (NS_SUCCEEDED(nsrv) && haveOverride) { - state |= nsIWebProgressListener::STATE_CERT_USER_OVERRIDDEN; - } + bool domainMismatch; + bool untrusted; + bool notValidAtThisTime; + // These all return NS_OK, so don't even bother checking the return values. + Unused << status->GetIsDomainMismatch(&domainMismatch); + Unused << status->GetIsUntrusted(&untrusted); + Unused << status->GetIsNotValidAtThisTime(¬ValidAtThisTime); + // If we're here, the TLS handshake has succeeded. Thus if any of these + // booleans are true, the user has added an override for a certificate error. + if (domainMismatch || untrusted || notValidAtThisTime) { + state |= nsIWebProgressListener::STATE_CERT_USER_OVERRIDDEN; } infoObject->SetSecurityState(state); 
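Review bot: In the HandshakeCallback hunk, `domainMismatch`, `untrusted` and `notValidAtThisTime` are declared uninitialized and the getters' return values are discarded with `Unused <<`, so setting `STATE_CERT_USER_OVERRIDDEN` depends entirely on each getter always writing its out-parameter. If one of them ever returns early without writing, the `if` reads an indeterminate value and the override indicator becomes unpredictable. Declaring them as `bool domainMismatch = false;`, `bool untrusted = false;` and `bool notValidAtThisTime = false;` makes the result deterministic at no cost. The flag also now relies on the invariant stated in the comment, that error bits on `status` after a successful handshake imply a user override; the test added in this commit only checks that the connection succeeds, so an assertion on the resulting security state would pin that invariant. HandshakeCallback begins before and continues past this hunk, so how `status` is populated is not visible here.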
diff --git a/security/manager/ssl/tests/unit/test_js_cert_override_service.js b/security/manager/ssl/tests/unit/test_js_cert_override_service.js
new file mode 100644
index 000000000000..d085f0242ab8
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_js_cert_override_service.js
@@ -0,0 +1,56 @@
+/* -*- tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+"use strict";
+
+// This test ensures that nsICertOverrideService can be implemented in JS.
+// It does so by creating and registering a mock implementation that indicates
+// a specific host ("expired.example.com") has a matching override (ERROR_TIME).
+// Connections to that host should succeed.
+
+// Mock implementation of nsICertOverrideService
+const gCertOverrideService = {
+ rememberValidityOverride() {
+ throw Cr.NS_ERROR_NOT_IMPLEMENTED;
+ },
+
+ rememberTemporaryValidityOverrideUsingFingerprint() {
+ throw Cr.NS_ERROR_NOT_IMPLEMENTED;
+ },
+
+ hasMatchingOverride(hostname, port, cert, overrideBits, isTemporary) {
+ Assert.equal(hostname, "expired.example.com",
+ "hasMatchingOverride: hostname should be expired.example.com");
+ overrideBits.value = Ci.nsICertOverrideService.ERROR_TIME;
+ isTemporary.value = false;
+ return true;
+ },
+
+ getValidityOverride() {
+ throw Cr.NS_ERROR_NOT_IMPLEMENTED;
+ },
+
+ clearValidityOverride() {
+ throw Cr.NS_ERROR_NOT_IMPLEMENTED;
+ },
+
+ isCertUsedForOverrides() {
+ throw Cr.NS_ERROR_NOT_IMPLEMENTED;
+ },
+
+ QueryInterface: XPCOMUtils.generateQI([Ci.nsICertOverrideService])
+};
+
+function run_test() {
+ do_get_profile();
+ let certOverrideServiceCID =
+ MockRegistrar.register("@mozilla.org/security/certoverride;1",
+ gCertOverrideService);
+ do_register_cleanup(() => {
+ MockRegistrar.unregister(certOverrideServiceCID);
+ });
+ add_tls_server_setup("BadCertServer", "bad_certs");
+ add_connection_test("expired.example.com", PRErrorCodeSuccess);
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/xpcshell.ini b/security/manager/ssl/tests/unit/xpcshell.ini
index 7b04a4b5d6c4..cb4b8d35946b 100644
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -68,6 +68,8 @@ run-sequentially = hardcoded ports
 skip-if = toolkit == 'android' || toolkit == 'gonk'
 [test_hmac.js]
 [test_intermediate_basic_usage_constraints.js]
+[test_js_cert_override_service.js]
+run-sequentially = hardcoded ports
 [test_keysize.js]
 [test_keysize_ev.js]
 # OCSP requests in this test time out on slow B2G Emulator debug builds.