Bug 1183822 - Add an OCSP test for signers with SHA-1 certificates (r=keeler)

security/manager/ssl/tests/unit/test_ocsp_caching.js

@@ -19,6 +19,16 @@ function respondWithGoodOCSP(request, response) {
   response.write(gGoodOCSPResponse);
 }
 
+function respondWithSHA1OCSP(request, response) {
+  do_print("returning 200 OK with sha-1 delegated response");
+  response.setStatusLine(request.httpVersion, 200, "OK");
+  response.setHeader("Content-Type", "application/ocsp-response");
+
+  let args = [ ["good-delegated", "localhostAndExampleCom", "delegatedSHA1Signer" ] ];
+  let responses = generateOCSPResponses(args, "tlsserver");
+  response.write(responses[0]);
+}
+
 function respondWithError(request, response) {
   do_print("returning 500 Internal Server Error");
   response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
@@ -183,6 +193,27 @@ function add_tests() {
 
   //---------------------------------------------------------------------------
 
+  // Ensure OCSP responses from signers with SHA1 certificates are OK. This
+  // is included in the OCSP caching tests since there were OCSP cache-related
+  // regressions when sha-1 telemetry probes were added.
+  add_test(function() {
+    clearOCSPCache();
+    // set security.OCSP.require so that checking the OCSP signature fails
+    Services.prefs.setBoolPref("security.OCSP.require", true);
+    run_next_test();
+  });
+
+  add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
+                [respondWithSHA1OCSP],
+                "signing cert is good (though sha1) - should succeed");
+
+  add_test(function() {
+    Services.prefs.setBoolPref("security.OCSP.require", false);
+    run_next_test();
+  });
+
+  //---------------------------------------------------------------------------
+
   // Reset state
   add_test(function() { clearOCSPCache(); run_next_test(); });
 }

security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp

@@ -35,6 +35,8 @@ struct OCSPResponseName
 
 const static OCSPResponseName kOCSPResponseNameList[] = {
   { "good",            ORTGood },          // the certificate is good
+  { "good-delegated",  ORTDelegatedIncluded}, // the certificate is good, using
+                                           // a delegated signer
   { "revoked",         ORTRevoked},        // the certificate has been revoked
   { "unknown",         ORTUnknown},        // the responder doesn't know if the
                                            //   cert is good

security/manager/ssl/tests/unit/tlsserver/generate_certs.sh

@@ -320,6 +320,7 @@ export_cert inadequatekeyusage inadequatekeyusage-ee.der
 make_EE selfsigned-inadequateEKU 'CN=Self-signed Inadequate EKU Test End-entity' unused "selfsigned-inadequateEKU.example.com" "--keyUsage keyEncipherment,dataEncipherment --extKeyUsage serverAuth" "-x"
 
 make_delegated delegatedSigner 'CN=Test Delegated Responder' testCA "--extKeyUsage ocspResponder"
+make_delegated delegatedSHA1Signer 'CN=Test SHA1 Delegated Responder' testCA "--extKeyUsage ocspResponder -Z SHA1"
 make_delegated invalidDelegatedSignerNoExtKeyUsage 'CN=Test Invalid Delegated Responder No extKeyUsage' testCA
 make_delegated invalidDelegatedSignerFromIntermediate 'CN=Test Invalid Delegated Responder From Intermediate' testINT "--extKeyUsage ocspResponder"
 make_delegated invalidDelegatedSignerKeyUsageCrlSigning 'CN=Test Invalid Delegated Responder keyUsage crlSigning' testCA "--keyUsage crlSigning"