From 4d0d854bab88c21849f4a7831bb35a819b4ff73e Mon Sep 17 00:00:00 2001
From: Cykesiopka
Date: Sun, 28 Feb 2016 17:49:06 -0800
Subject: [PATCH] Bug 1173679 - Add tests for the "security.OCSP.enabled" pref. r=dkeeler
MozReview-Commit-ID: BQurIgVY8os
--HG--
extra : transplant_source : Z%25%16_%EB%0ABe%98%1B%F5%E5%FE%8C%AA%F0%18%90%16%AB
---
 .../ssl/tests/unit/test_ocsp_enabled_pref.js | 141 ++++++++++++++++++
 security/manager/ssl/tests/unit/xpcshell.ini | 2 +
 2 files changed, 143 insertions(+)
 create mode 100644 security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
diff --git a/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js b/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
new file mode 100644
index 000000000000..da883862cabe
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
@@ -0,0 +1,141 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Checks that the security.OCSP.enabled pref correctly controls OCSP fetching
+// behavior.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"]
+ .getService(Ci.nsIX509CertDB);
+
+const SERVER_PORT = 8888;
+
+function certFromFile(filename) {
+ return constructCertFromFile(`test_ev_certs/$(unknown).pem`);
+}
+
+function loadCert(certName, trustString) {
+ addCertFromFile(gCertDB, `test_ev_certs/${certName}.pem`, trustString);
+}
+
+function getFailingOCSPResponder() {
+ return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
+}
+
+function getOCSPResponder(expectedCertNames) {
+ return startOCSPResponder(SERVER_PORT, "www.example.com", [], "test_ev_certs",
+ expectedCertNames, []);
+}
+
+// Tests that in ocspOff mode, OCSP fetches are never done.
+function testOff() {
+ add_test(() => {
+ Services.prefs.setIntPref("security.OCSP.enabled", 0);
+ do_print("Setting security.OCSP.enabled to 0");
+ run_next_test();
+ });
+
+ // EV chains should verify successfully but never get EV status.
+ add_test(() => {
+ clearOCSPCache();
+ let ocspResponder = getFailingOCSPResponder();
+ checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
+ false);
+ ocspResponder.stop(run_next_test);
+ });
+
+ // A DV chain should verify successfully.
+ add_test(() => {
+ clearOCSPCache();
+ let ocspResponder = getFailingOCSPResponder();
+ checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
+ PRErrorCodeSuccess, certificateUsageSSLServer);
+ ocspResponder.stop(run_next_test);
+ });
+}
+
+// Tests that in ocspOn mode, OCSP fetches are done for both EV and DV certs.
+function testOn() {
+ add_test(() => {
+ Services.prefs.setIntPref("security.OCSP.enabled", 1);
+ do_print("Setting security.OCSP.enabled to 1");
+ run_next_test();
+ });
+
+ // If a successful OCSP response is fetched, then an EV chain should verify
+ // successfully and get EV status as well.
+ add_test(() => {
+ clearOCSPCache();
+ let ocspResponder =
+ getOCSPResponder(gEVExpected ? ["int-ev-valid", "ev-valid"]
+ : ["ev-valid"]);
+ checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
+ gEVExpected);
+ ocspResponder.stop(run_next_test);
+ });
+
+ // If a successful OCSP response is fetched, then a DV chain should verify
+ // successfully.
+ add_test(() => {
+ clearOCSPCache();
+ let ocspResponder = getOCSPResponder(["non-ev-root"]);
+ checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
+ PRErrorCodeSuccess, certificateUsageSSLServer);
+ ocspResponder.stop(run_next_test);
+ });
+}
+
+// Tests that in ocspEVOnly mode, OCSP fetches are done for EV certs only.
+function testEVOnly() {
+ add_test(() => {
+ Services.prefs.setIntPref("security.OCSP.enabled", 2);
+ do_print("Setting security.OCSP.enabled to 2");
+ run_next_test();
+ });
+
+ // If a successful OCSP response is fetched, then an EV chain should verify
+ // successfully and get EV status as well.
+ add_test(() => {
+ clearOCSPCache();
+ let ocspResponder = gEVExpected
+ ? getOCSPResponder(["int-ev-valid", "ev-valid"])
+ : getFailingOCSPResponder();
+ checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
+ gEVExpected);
+ ocspResponder.stop(run_next_test);
+ });
+
+ // A DV chain should verify successfully even without doing OCSP fetches.
+ add_test(() => {
+ clearOCSPCache();
+ let ocspResponder = getFailingOCSPResponder();
+ checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
+ PRErrorCodeSuccess, certificateUsageSSLServer);
+ ocspResponder.stop(run_next_test);
+ });
+}
+
+function run_test() {
+ do_register_cleanup(() => {
+ Services.prefs.clearUserPref("network.dns.localDomains");
+ Services.prefs.clearUserPref("security.OCSP.enabled");
+ Services.prefs.clearUserPref("security.OCSP.require");
+ });
+ Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+ // Enable hard fail to ensure chains that should only succeed because they get
+ // a good OCSP response do not succeed due to soft fail leniency.
+ Services.prefs.setBoolPref("security.OCSP.require", true);
+
+ loadCert("evroot", "CTu,,");
+ loadCert("int-ev-valid", ",,");
+ loadCert("non-evroot-ca", "CTu,,");
+ loadCert("int-non-ev-root", ",,");
+
+ testOff();
+ testOn();
+ testEVOnly();
+
+ run_next_test();
+}
diff --git a/security/manager/ssl/tests/unit/xpcshell.ini b/security/manager/ssl/tests/unit/xpcshell.ini
index 3e5d2d1023b7..f5f5158332af 100644
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -71,6 +71,8 @@ run-sequentially = hardcoded ports
 [test_nsIX509Cert_utf8.js]
 [test_ocsp_caching.js]
 run-sequentially = hardcoded ports
+[test_ocsp_enabled_pref.js]
+run-sequentially = hardcoded ports
 [test_ocsp_fetch_method.js]
 # OCSP requests in this test time out on slow B2G Emulator debug builds.
 # See Bug 1147725.
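Review bot: `certFromFile` builds its path with `$(unknown)` inside the template literal, which is literal text rather than a `${...}` substitution, so the `filename` argument is never used and every caller would try to load the same nonexistent `test_ev_certs/$(unknown).pem`; the intended expression is presumably `${filename}`, matching what the sibling `loadCert` does with `${certName}` (this could be an artifact of how the patch was rendered, but as shown it is wrong). The off and EV-only cases prove that no fetch happens only because `security.OCSP.require` is set to true in `run_test`, so that the failing responder turns any stray OCSP request into a verification error; a short comment on `getFailingOCSPResponder` would make that reasoning visible where the responder is used, e.g. `// Any OCSP request reaching this responder fails; with security.OCSP.require set, a chain that still verifies proves no fetch was attempted.`. As a point of style, none of the `ocspResponder` bindings is reassigned, so they could be `const` rather than `let`.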