Bug 1390131 - Modify GenerateOCSPResponse.cpp to allow thisUpdate to be modified r=keeler

MozReview-Commit-ID: EL9E4UtZg17

--HG--
extra : rebase_source : 5b72ddc51ffd6dabeb9e3afc45b9851336b0db88

security/manager/ssl/tests/unit/head_psm.js

@@ -541,7 +541,7 @@ function _setupTLSServerTest(serverBinName, certsPath) {
 // Returns an Array of OCSP responses for a given ocspRespArray and a location
 // for a nssDB where the certs and public keys are prepopulated.
 // ocspRespArray is an array of arrays like:
-// [ [typeOfResponse, certnick, extracertnick]...]
+// [ [typeOfResponse, certnick, extracertnick, thisUpdateSkew]...]
 function generateOCSPResponses(ocspRespArray, nssDBlocation) {
   let utilBinName = "GenerateOCSPResponse";
   let ocspGenBin = _getBinaryUtil(utilBinName);
@@ -556,13 +556,14 @@ function generateOCSPResponses(ocspRespArray, nssDBlocation) {
     argArray.push(ocspRespArray[i][0]); // ocsRespType;
     argArray.push(ocspRespArray[i][1]); // nick;
     argArray.push(ocspRespArray[i][2]); // extranickname
+    argArray.push(ocspRespArray[i][3]); // thisUpdate skew
     argArray.push(filename);
     do_print("argArray = " + argArray);
 
     let process = Cc["@mozilla.org/process/util;1"]
                     .createInstance(Ci.nsIProcess);
     process.init(ocspGenBin);
-    process.run(true, argArray, 5);
+    process.run(true, argArray, argArray.length);
     Assert.equal(0, process.exitValue, "Process exit value should be 0");
     let ocspFile = do_get_file(i.toString() + ".ocsp", false);
     retArray.push(readFile(ocspFile));
@@ -617,7 +618,7 @@ function startOCSPResponder(serverPort, identity, nssDBLocation,
       if (expectedResponseTypes && expectedResponseTypes.length >= 1) {
         responseType = expectedResponseTypes.shift();
       }
-      return [responseType, expectedNick, "unused"];
+      return [responseType, expectedNick, "unused", 0];
     }
   );
   let ocspResponses = generateOCSPResponses(ocspResponseGenerationArgs,

security/manager/ssl/tests/unit/test_ocsp_caching.js

@@ -24,7 +24,7 @@ function respondWithSHA1OCSP(request, response) {
   response.setStatusLine(request.httpVersion, 200, "OK");
   response.setHeader("Content-Type", "application/ocsp-response");
 
-  let args = [ ["good-delegated", "default-ee", "delegatedSHA1Signer" ] ];
+  let args = [ ["good-delegated", "default-ee", "delegatedSHA1Signer", 0 ] ];
   let responses = generateOCSPResponses(args, "ocsp_certs");
   response.write(responses[0]);
 }
@@ -37,7 +37,7 @@ function respondWithError(request, response) {
 }
 
 function generateGoodOCSPResponse() {
-  let args = [ ["good", "default-ee", "unused" ] ];
+  let args = [ ["good", "default-ee", "unused", 0 ] ];
   let responses = generateOCSPResponses(args, "ocsp_certs");
   return responses[0];
 }

security/manager/ssl/tests/unit/test_ocsp_no_hsts_upgrade.js

@@ -16,7 +16,7 @@ function run_test() {
   // get a TLS connection.
   add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
 
-  let args = [["good", "default-ee", "unused"]];
+  let args = [["good", "default-ee", "unused", 0]];
   let ocspResponses = generateOCSPResponses(args, "ocsp_certs");
   let goodOCSPResponse = ocspResponses[0];
 

security/manager/ssl/tests/unit/test_ocsp_required.js

@@ -20,7 +20,7 @@ function run_test() {
   // get a TLS connection.
   add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
 
-  let args = [["bad-signature", "default-ee", "unused"]];
+  let args = [["bad-signature", "default-ee", "unused", 0]];
   let ocspResponses = generateOCSPResponses(args, "ocsp_certs");
   let ocspResponseBadSignature = ocspResponses[0];
 

security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js

@@ -32,11 +32,11 @@ do_get_profile();
 Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
 Services.prefs.setIntPref("security.OCSP.enabled", 1);
 Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 4);
-var args = [["good", "default-ee", "unused"],
-             ["expiredresponse", "default-ee", "unused"],
-             ["oldvalidperiod", "default-ee", "unused"],
-             ["revoked", "default-ee", "unused"],
-             ["unknown", "default-ee", "unused"],
+var args = [["good", "default-ee", "unused", 0],
+             ["expiredresponse", "default-ee", "unused", 0],
+             ["oldvalidperiod", "default-ee", "unused", 0],
+             ["revoked", "default-ee", "unused", 0],
+             ["unknown", "default-ee", "unused", 0],
             ];
 var ocspResponses = generateOCSPResponses(args, "ocsp_certs");
 // Fresh response, certificate is good.

security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp

@@ -113,10 +113,10 @@ int
 main(int argc, char* argv[])
 {
 
-  if (argc < 6 || (argc - 6) % 4 != 0) {
+  if (argc < 7 || (argc - 7) % 5 != 0) {
     PR_fprintf(PR_STDERR, "usage: %s <NSS DB directory> <responsetype> "
-                          "<cert_nick> <extranick> <outfilename> [<resptype> "
-                          "<cert_nick> <extranick> <outfilename>]* \n",
+                          "<cert_nick> <extranick> <this_update_skew> <outfilename> [<resptype> "
+                          "<cert_nick> <extranick> <this_update_skew> <outfilename>]* \n",
                           argv[0]);
     exit(EXIT_FAILURE);
   }
@@ -131,11 +131,12 @@ main(int argc, char* argv[])
     exit(EXIT_FAILURE);
   }
 
-  for (int i = 2; i + 3 < argc; i += 4) {
+  for (int i = 2; i + 3 < argc; i += 5) {
     const char* ocspTypeText  = argv[i];
     const char* certNick      = argv[i + 1];
     const char* extraCertname = argv[i + 2];
-    const char* filename      = argv[i + 3];
+    const char* skewChars     = argv[i + 3];
+    const char* filename      = argv[i + 4];
 
     OCSPResponseType ORT;
     if (!StringToOCSPResponseType(ocspTypeText, &ORT)) {
@@ -152,8 +153,10 @@ main(int argc, char* argv[])
       exit(EXIT_FAILURE);
     }
 
+    time_t skew = static_cast<time_t>(atoll(skewChars));
+
     SECItemArray* response = GetOCSPResponseForType(ORT, cert, arena,
-                                                    extraCertname);
+                                                    extraCertname, skew);
     if (!response) {
       PR_fprintf(PR_STDERR, "Failed to generate OCSP response of type %s "
                             "for %s\n", ocspTypeText, certNick);

security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp

@@ -102,7 +102,7 @@ DoSNISocketConfig(PRFileDesc *aFd, const SECItem *aSrvNameArr,
 
   // response is contained by the arena - freeing the arena will free it
   SECItemArray *response = GetOCSPResponseForType(host->mORT, cert, arena,
-                                                  host->mAdditionalCertName);
+                                                  host->mAdditionalCertName, 0);
   if (!response) {
     return SSL_SNI_SEND_ALERT;
   }

security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp

@@ -42,7 +42,7 @@ CreateTestKeyPairFromCert(const UniqueCERTCertificate& cert)
 SECItemArray*
 GetOCSPResponseForType(OCSPResponseType aORT, const UniqueCERTCertificate& aCert,
                        const UniquePLArenaPool& aArena,
-                       const char* aAdditionalCertName)
+                       const char* aAdditionalCertName, time_t aThisUpdateSkew)
 {
   MOZ_ASSERT(aArena);
   MOZ_ASSERT(aCert);
@@ -64,7 +64,7 @@ GetOCSPResponseForType(OCSPResponseType aORT, const UniqueCERTCertificate& aCert
     return arr;
   }
 
-  time_t now = time(nullptr);
+  time_t now = time(nullptr) + aThisUpdateSkew;
   time_t oldNow = now - (8 * Time::ONE_DAY_IN_SECONDS);
 
   mozilla::UniqueCERTCertificate cert(CERT_DupCertificate(aCert.get()));

security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h

@@ -56,6 +56,7 @@ SECItemArray*
 GetOCSPResponseForType(OCSPResponseType aORT,
                        const mozilla::UniqueCERTCertificate& aCert,
                        const mozilla::UniquePLArenaPool& aArena,
-                       const char* aAdditionalCertName);
+                       const char* aAdditionalCertName,
+                       time_t aThisUpdateSkew);
 
 #endif // OCSPCommon_h