From 7b4c0fa04f5e4469fc8bc442c9f12f975c5e1610 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 28 Aug 2019 09:23:41 -0400
Subject: [PATCH 3/3] Add optional test case against badssl.com

badssl.com maintains a number of subdomains with valid and invalid TLS
configurations. A number of these test certificates which fail in
certain scenarios (revoked, expired, etc). Add a test runner which
validates SSLSocket's implementation against badssl.com.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
 org/mozilla/jss/tests/BadSSL.java | 208 ++++++++++++++++++++++++++++++
 1 file changed, 208 insertions(+)
 create mode 100644 org/mozilla/jss/tests/BadSSL.java

diff --git a/org/mozilla/jss/tests/BadSSL.java b/org/mozilla/jss/tests/BadSSL.java
new file mode 100644
index 00000000..60bfe820
--- /dev/null
+++ b/org/mozilla/jss/tests/BadSSL.java
@@ -0,0 +1,208 @@
+package org.mozilla.jss.tests;
+
+import org.mozilla.jss.CryptoManager;
+
+import org.mozilla.jss.ssl.SSLSocket;
+import org.mozilla.jss.ssl.SSLSocketException;
+
+import org.mozilla.jss.util.NativeErrcodes;
+
+/**
+ * The BadSSL test case maintains an internal mapping from badssl.com
+ * subdomains to expected exceptions and validates they occur.
+ *
+ * Since badssl.com offers no guaranteed SLA or availability, we likely
+ * shouldn't add this site to automated tests.
+ */
+
+public class BadSSL {
+    public static void main(String[] args) throws Exception {
+        boolean ocsp = false;
+
+        if (args.length < 1) {
+            System.out.println("Usage: BadSSL nssdb [LEAF_AND_CHAIN]");
+            return;
+        }
+
+        if (args.length >= 2 && args[1].equals("LEAF_AND_CHAIN")) {
+            System.out.println("Enabling leaf and chain policy...");
+            ocsp = true;
+        }
+
+        CryptoManager.initialize(args[0]);
+        CryptoManager cm = CryptoManager.getInstance();
+
+        if (ocsp) {
+            cm.setOCSPPolicy(CryptoManager.OCSPPolicy.LEAF_AND_CHAIN);
+        }
+
+
+        // Test cases which should fail due to various certificate errors.
+        testExpired();
+        testWrongHost();
+        testSelfSigned();
+        testUntrustedRoot();
+
+        // The following test cases depend on crypto-policies or local NSS
+        // configuration.
+        testSHA1();
+        testRC4MD5();
+        testRC4();
+        test3DES();
+        testNULL();
+
+        // The following test cases depend on OCSP being enabled.
+        if (ocsp) {
+            testRevoked();
+        }
+
+        // Test cases which should pass given the correct root certs.
+        testSHA256();
+        testSHA384();
+        testSHA512();
+
+        testECC256();
+        testECC384();
+
+        testRSA2048();
+        testRSA4096();
+        testRSA8192();
+
+        testExtendedValidation();
+    }
+
+    /* Test cases whose handshakes should fail below. */
+
+    public static void testExpired() throws Exception {
+        testHelper("expired.badssl.com", 443, new String[]{ "(-8181)", "has expired" });
+    }
+
+    public static void testWrongHost() throws Exception {
+        testHelper("wrong.host.badssl.com", 443, new String[]{ "(-12276)", "domain name does not match" });
+    }
+
+    public static void testSelfSigned() throws Exception {
+        testHelper("self-signed.badssl.com", 443, new String[]{ "(-8101)", "(-8156)", "type not approved", "issuer certificate is invalid" });
+    }
+
+    public static void testUntrustedRoot() throws Exception {
+        testHelper("untrusted-root.badssl.com", 443, new String[]{ "(-8172)", "certificate issuer has been marked as not trusted" });
+    }
+
+    public static void testRevoked() throws Exception {
+        testHelper("revoked.badssl.com", 443, new String[]{ "(-8180)", "has been revoked" });
+    }
+
+    public static void testSHA1() throws Exception {
+        testHelper("sha1-intermediate.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+    }
+
+    public static void testRC4MD5() throws Exception {
+        testHelper("rc4-md5.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+    }
+
+    public static void testRC4() throws Exception {
+        testHelper("rc4.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+    }
+
+    public static void test3DES() throws Exception {
+        testHelper("3des.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+    }
+
+    public static void testNULL() throws Exception {
+        testHelper("null.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+    }
+
+    /* Test cases which should handshake successfully below. */
+
+    public static void testSHA256() throws Exception {
+        testHelper("sha256.badssl.com", 443);
+    }
+
+    public static void testSHA384() throws Exception {
+        testHelper("sha384.badssl.com", 443);
+    }
+
+    public static void testSHA512() throws Exception {
+        testHelper("sha512.badssl.com", 443);
+    }
+
+    public static void testECC256() throws Exception {
+        testHelper("ecc256.badssl.com", 443);
+    }
+
+    public static void testECC384() throws Exception {
+        testHelper("ecc384.badssl.com", 443);
+    }
+
+    public static void testRSA2048() throws Exception {
+        testHelper("rsa2048.badssl.com", 443);
+    }
+
+    public static void testRSA4096() throws Exception {
+        testHelper("rsa4096.badssl.com", 443);
+    }
+
+    public static void testRSA8192() throws Exception {
+        testHelper("rsa8192.badssl.com", 443);
+    }
+
+    public static void testExtendedValidation() throws Exception {
+        testHelper("extended-validation.badssl.com", 443);
+    }
+
+    /* Test case helpers. */
+
+    public static void testHelper(String host, int port) throws Exception {
+        testSite(host, port);
+        System.out.println("\t...ok");
+    }
+
+    public static void testHelper(String host, int port, String[] substrs) throws Exception {
+        try {
+            testSite(host, port);
+        } catch (SSLSocketException sse) {
+            String actual = sse.getMessage().toLowerCase();
+
+            for (String expected : substrs) {
+                if (actual.contains(expected.toLowerCase())) {
+                    System.out.println("\t...got expected error message.");
+                    return;
+                }
+            }
+
+            System.err.println("\tUnexpected error message: " + actual);
+            throw sse;
+        }
+
+        throw new RuntimeException("Expected to get an exception, but didn't!");
+    }
+
+    public static void testHelper(String host, int port, int[] codes) throws Exception {
+        try {
+            testSite(host, port);
+        } catch (SSLSocketException sse) {
+            int actual = sse.getErrcode();
+            for (int expected : codes) {
+                if (actual == expected) {
+                    System.out.println("\t...got expected error code.");
+                    return;
+                }
+            }
+
+            System.err.println("\tUnexpected error code: " + actual);
+            throw sse;
+        }
+
+        throw new RuntimeException("Expected to get an exception, but didn't!");
+    }
+
+    public static void testSite(String host, int port) throws Exception {
+        System.out.println("Testing connection to " + host + ":" + port);
+        SSLSocket sock = new SSLSocket(host, 443);
+        sock.forceHandshake();
+        sock.shutdownOutput();
+        sock.shutdownInput();
+        sock.close();
+    }
+}
-- 
2.21.0