зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1183822 - Add an OCSP test for signers with SHA-1 certificates (r=keeler)
Родитель
fce204e0e0
Коммит
4ba2d72200
|
@ -19,6 +19,16 @@ function respondWithGoodOCSP(request, response) {
|
|||
response.write(gGoodOCSPResponse);
|
||||
}
|
||||
|
||||
function respondWithSHA1OCSP(request, response) {
|
||||
do_print("returning 200 OK with sha-1 delegated response");
|
||||
response.setStatusLine(request.httpVersion, 200, "OK");
|
||||
response.setHeader("Content-Type", "application/ocsp-response");
|
||||
|
||||
let args = [ ["good-delegated", "localhostAndExampleCom", "delegatedSHA1Signer" ] ];
|
||||
let responses = generateOCSPResponses(args, "tlsserver");
|
||||
response.write(responses[0]);
|
||||
}
|
||||
|
||||
function respondWithError(request, response) {
|
||||
do_print("returning 500 Internal Server Error");
|
||||
response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
|
||||
|
@ -183,6 +193,27 @@ function add_tests() {
|
|||
|
||||
//---------------------------------------------------------------------------
|
||||
|
||||
// Ensure OCSP responses from signers with SHA1 certificates are OK. This
|
||||
// is included in the OCSP caching tests since there were OCSP cache-related
|
||||
// regressions when sha-1 telemetry probes were added.
|
||||
add_test(function() {
|
||||
clearOCSPCache();
|
||||
// set security.OCSP.require so that checking the OCSP signature fails
|
||||
Services.prefs.setBoolPref("security.OCSP.require", true);
|
||||
run_next_test();
|
||||
});
|
||||
|
||||
add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
|
||||
[respondWithSHA1OCSP],
|
||||
"signing cert is good (though sha1) - should succeed");
|
||||
|
||||
add_test(function() {
|
||||
Services.prefs.setBoolPref("security.OCSP.require", false);
|
||||
run_next_test();
|
||||
});
|
||||
|
||||
//---------------------------------------------------------------------------
|
||||
|
||||
// Reset state
|
||||
add_test(function() { clearOCSPCache(); run_next_test(); });
|
||||
}
|
||||
|
|
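Review bot: The comment in the second hunk, `// set security.OCSP.require so that checking the OCSP signature fails`, reads as if the pref makes signature checking fail, which contradicts the `PRErrorCodeSuccess` the test expects. The pref appears to switch OCSP to hard-fail, so that a rejected SHA-1-signed response would fail the connection instead of being soft-failed and letting the test pass anyway; I would word it as `// require OCSP so a rejected response fails the connection instead of soft-failing`. The closing `add_test` restores the pref with `setBoolPref("security.OCSP.require", false)`, whereas `Services.prefs.clearUserPref("security.OCSP.require")` would restore the default without hard-coding it. The body of add_tests() starts outside the hunk.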
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/cert9.db
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/cert9.db
Двоичный файл не отображается.
|
@ -35,6 +35,8 @@ struct OCSPResponseName
|
|||
|
||||
const static OCSPResponseName kOCSPResponseNameList[] = {
|
||||
{ "good", ORTGood }, // the certificate is good
|
||||
{ "good-delegated", ORTDelegatedIncluded}, // the certificate is good, using
|
||||
// a delegated signer
|
||||
{ "revoked", ORTRevoked}, // the certificate has been revoked
|
||||
{ "unknown", ORTUnknown}, // the responder doesn't know if the
|
||||
// cert is good
|
||||
|
|
|
@ -320,6 +320,7 @@ export_cert inadequatekeyusage inadequatekeyusage-ee.der
|
|||
make_EE selfsigned-inadequateEKU 'CN=Self-signed Inadequate EKU Test End-entity' unused "selfsigned-inadequateEKU.example.com" "--keyUsage keyEncipherment,dataEncipherment --extKeyUsage serverAuth" "-x"
|
||||
|
||||
make_delegated delegatedSigner 'CN=Test Delegated Responder' testCA "--extKeyUsage ocspResponder"
|
||||
make_delegated delegatedSHA1Signer 'CN=Test SHA1 Delegated Responder' testCA "--extKeyUsage ocspResponder -Z SHA1"
|
||||
make_delegated invalidDelegatedSignerNoExtKeyUsage 'CN=Test Invalid Delegated Responder No extKeyUsage' testCA
|
||||
make_delegated invalidDelegatedSignerFromIntermediate 'CN=Test Invalid Delegated Responder From Intermediate' testINT "--extKeyUsage ocspResponder"
|
||||
make_delegated invalidDelegatedSignerKeyUsageCrlSigning 'CN=Test Invalid Delegated Responder keyUsage crlSigning' testCA "--keyUsage crlSigning"
|
||||
|
|
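Review bot: The new `make_delegated delegatedSHA1Signer ... "--extKeyUsage ocspResponder -Z SHA1"` line has no comment saying the SHA-1 signature is deliberate, so a later cleanup of weak hashes in this script could remove it and quietly drop the test's coverage. A one-line comment above it would do, for example `# Deliberately SHA-1 signed: used by the OCSP test for SHA-1 delegated signers (bug 1183822)`. The regenerated cert9.db and key4.db in this commit are binary, so it cannot be confirmed from the page that they were produced by this script as it now stands.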
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/key4.db
Двоичные данные
security/manager/ssl/tests/unit/tlsserver/key4.db
Двоичный файл не отображается.