Bug 1173679 - Add tests for the "security.OCSP.enabled" pref. r=dkeeler

MozReview-Commit-ID: BQurIgVY8os --HG-- extra : transplant_source : Z%25%16_%EB%0ABe%98%1B%F5%E5%FE%8C%AA%F0%18%90%16%AB
2016-02-28 17:49:06 -08:00 · 2016-02-28 17:49:06 -08:00 · 4d0d854bab
--- a/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
@ -0,0 +1,141 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Checks that the security.OCSP.enabled pref correctly controls OCSP fetching
+// behavior.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"]
+                  .getService(Ci.nsIX509CertDB);
+
+const SERVER_PORT = 8888;
+
+function certFromFile(filename) {
+  return constructCertFromFile(`test_ev_certs/${filename}.pem`);
+}
+
+function loadCert(certName, trustString) {
+  addCertFromFile(gCertDB, `test_ev_certs/${certName}.pem`, trustString);
+}
+
+function getFailingOCSPResponder() {
+  return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
+}
+
+function getOCSPResponder(expectedCertNames) {
+  return startOCSPResponder(SERVER_PORT, "www.example.com", [], "test_ev_certs",
+                            expectedCertNames, []);
+}
+
+// Tests that in ocspOff mode, OCSP fetches are never done.
+function testOff() {
+  add_test(() => {
+    Services.prefs.setIntPref("security.OCSP.enabled", 0);
+    do_print("Setting security.OCSP.enabled to 0");
+    run_next_test();
+  });
+
+  // EV chains should verify successfully but never get EV status.
+  add_test(() => {
+    clearOCSPCache();
+    let ocspResponder = getFailingOCSPResponder();
+    checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
+                  false);
+    ocspResponder.stop(run_next_test);
+  });
+
+  // A DV chain should verify successfully.
+  add_test(() => {
+    clearOCSPCache();
+    let ocspResponder = getFailingOCSPResponder();
+    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
+                          PRErrorCodeSuccess, certificateUsageSSLServer);
+    ocspResponder.stop(run_next_test);
+  });
+}
+
+// Tests that in ocspOn mode, OCSP fetches are done for both EV and DV certs.
+function testOn() {
+  add_test(() => {
+    Services.prefs.setIntPref("security.OCSP.enabled", 1);
+    do_print("Setting security.OCSP.enabled to 1");
+    run_next_test();
+  });
+
+  // If a successful OCSP response is fetched, then an EV chain should verify
+  // successfully and get EV status as well.
+  add_test(() => {
+    clearOCSPCache();
+    let ocspResponder =
+      getOCSPResponder(gEVExpected ? ["int-ev-valid", "ev-valid"]
+                                   : ["ev-valid"]);
+    checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
+                  gEVExpected);
+    ocspResponder.stop(run_next_test);
+  });
+
+  // If a successful OCSP response is fetched, then a DV chain should verify
+  // successfully.
+  add_test(() => {
+    clearOCSPCache();
+    let ocspResponder = getOCSPResponder(["non-ev-root"]);
+    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
+                          PRErrorCodeSuccess, certificateUsageSSLServer);
+    ocspResponder.stop(run_next_test);
+  });
+}
+
+// Tests that in ocspEVOnly mode, OCSP fetches are done for EV certs only.
+function testEVOnly() {
+  add_test(() => {
+    Services.prefs.setIntPref("security.OCSP.enabled", 2);
+    do_print("Setting security.OCSP.enabled to 2");
+    run_next_test();
+  });
+
+  // If a successful OCSP response is fetched, then an EV chain should verify
+  // successfully and get EV status as well.
+  add_test(() => {
+    clearOCSPCache();
+    let ocspResponder = gEVExpected
+                      ? getOCSPResponder(["int-ev-valid", "ev-valid"])
+                      : getFailingOCSPResponder();
+    checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
+                  gEVExpected);
+    ocspResponder.stop(run_next_test);
+  });
+
+  // A DV chain should verify successfully even without doing OCSP fetches.
+  add_test(() => {
+    clearOCSPCache();
+    let ocspResponder = getFailingOCSPResponder();
+    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
+                          PRErrorCodeSuccess, certificateUsageSSLServer);
+    ocspResponder.stop(run_next_test);
+  });
+}
+
+function run_test() {
+  do_register_cleanup(() => {
+    Services.prefs.clearUserPref("network.dns.localDomains");
+    Services.prefs.clearUserPref("security.OCSP.enabled");
+    Services.prefs.clearUserPref("security.OCSP.require");
+  });
+  Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+  // Enable hard fail to ensure chains that should only succeed because they get
+  // a good OCSP response do not succeed due to soft fail leniency.
+  Services.prefs.setBoolPref("security.OCSP.require", true);
+
+  loadCert("evroot", "CTu,,");
+  loadCert("int-ev-valid", ",,");
+  loadCert("non-evroot-ca", "CTu,,");
+  loadCert("int-non-ev-root", ",,");
+
+  testOff();
+  testOn();
+  testEVOnly();
+
+  run_next_test();
+}
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@ -71,6 +71,8 @@ run-sequentially = hardcoded ports
 [test_nsIX509Cert_utf8.js]
 [test_ocsp_caching.js]
 run-sequentially = hardcoded ports
+[test_ocsp_enabled_pref.js]
+run-sequentially = hardcoded ports
 [test_ocsp_fetch_method.js]
 # OCSP requests in this test time out on slow B2G Emulator debug builds.
 # See Bug 1147725.