Bug 996872 - Reduce calls to getXPCOMStatusFromNSS() in PSM xpcshell tests. r=keeler

This commit is contained in:
Cykesiopka 2015-03-25 11:40:46 -07:00
Родитель 9d8557f842
Коммит 958425a841
13 изменённых файлов: 217 добавлений и 166 удалений

Просмотреть файл

@ -30,6 +30,10 @@ const SEC_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SEC_ERROR_BASE;
const SSL_ERROR_BASE = Ci.nsINSSErrorsService.NSS_SSL_ERROR_BASE;
const MOZILLA_PKIX_ERROR_BASE = Ci.nsINSSErrorsService.MOZILLA_PKIX_ERROR_BASE;
// This isn't really a valid PRErrorCode, but is useful for signalling that
// a test is expected to succeed.
const PRErrorCodeSuccess = 0;
// Sort in numerical order
const SEC_ERROR_INVALID_ARGS = SEC_ERROR_BASE + 5; // -8187
const SEC_ERROR_INVALID_TIME = SEC_ERROR_BASE + 8;
@ -216,12 +220,12 @@ function run_test() {
add_tls_server_setup("<test-server-name>");
add_connection_test("<test-name-1>.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_xxx),
SEC_ERROR_xxx,
function() { ... },
function(aTransportSecurityInfo) { ... },
function(aTransport) { ... });
[...]
add_connection_test("<test-name-n>.example.com", Cr.NS_OK);
add_connection_test("<test-name-n>.example.com", PRErrorCodeSuccess);
run_next_test();
}
@ -233,15 +237,25 @@ function add_tls_server_setup(serverBinName) {
});
}
// Add a TLS connection test case. aHost is the hostname to pass in the SNI TLS
// extension; this should unambiguously identifiy which test is being run.
// aExpectedResult is the expected nsresult of the connection.
// aBeforeConnect is a callback function that takes no arguments that will be
// called before the connection is attempted.
// aWithSecurityInfo is a callback function that takes an
// nsITransportSecurityInfo, which is called after the TLS handshake succeeds.
// aAfterStreamOpen is a callback function that is called with the
// nsISocketTransport once the output stream is ready.
/**
* Add a TLS connection test case.
*
* @param {String} aHost
* The hostname to pass in the SNI TLS extension; this should unambiguously
* identify which test is being run.
* @param {PRErrorCode} aExpectedResult
* The expected result of the connection. If an error is not expected, pass
* in PRErrorCodeSuccess.
* @param {Function} aBeforeConnect
* A callback function that takes no arguments that will be called before the
* connection is attempted.
* @param {Function} aWithSecurityInfo
* A callback function that takes an nsITransportSecurityInfo, which is called
* after the TLS handshake succeeds.
* @param {Function} aAfterStreamOpen
* A callback function that is called with the nsISocketTransport once the
* output stream is ready.
*/
function add_connection_test(aHost, aExpectedResult,
aBeforeConnect, aWithSecurityInfo,
aAfterStreamOpen) {
@ -325,7 +339,9 @@ function add_connection_test(aHost, aExpectedResult,
}
connectTo(aHost).then(function(conn) {
do_print("handling " + aHost);
do_check_eq(conn.result, aExpectedResult);
do_check_eq(conn.result, aExpectedResult == PRErrorCodeSuccess
? Cr.NS_OK
: getXPCOMStatusFromNSS(aExpectedResult));
if (aWithSecurityInfo) {
aWithSecurityInfo(conn.transport.securityInfo
.QueryInterface(Ci.nsITransportSecurityInfo));

Просмотреть файл

@ -74,7 +74,7 @@ function run_test() {
// Test successful connection (failedCertChain should be null)
add_connection_test(
// re-use pinning certs (keeler)
"good.include-subdomains.pinning.example.com", Cr.NS_OK, null,
"good.include-subdomains.pinning.example.com", PRErrorCodeSuccess, null,
function withSecurityInfo(aTransportSecurityInfo) {
aTransportSecurityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
test_security_info_serialization(aTransportSecurityInfo, 0);
@ -85,7 +85,7 @@ function run_test() {
// Test overrideable connection failure (failedCertChain should be non-null)
add_connection_test(
"expired.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_CERTIFICATE),
SEC_ERROR_EXPIRED_CERTIFICATE,
null,
function withSecurityInfo(securityInfo) {
securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
@ -99,7 +99,7 @@ function run_test() {
// Test non-overrideable error (failedCertChain should be non-null)
add_connection_test(
"inadequatekeyusage.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE),
SEC_ERROR_INADEQUATE_KEY_USAGE,
null,
function withSecurityInfo(securityInfo) {
securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);

Просмотреть файл

@ -31,12 +31,12 @@ function add_cert_override(aHost, aExpectedBits, aSecurityInfo) {
function add_cert_override_test(aHost, aExpectedBits, aExpectedError) {
add_connection_test(aHost, aExpectedError, null,
add_cert_override.bind(this, aHost, aExpectedBits));
add_connection_test(aHost, Cr.NS_OK);
add_connection_test(aHost, PRErrorCodeSuccess);
}
function add_non_overridable_test(aHost, aExpectedError) {
add_connection_test(
aHost, getXPCOMStatusFromNSS(aExpectedError), null,
aHost, aExpectedError, null,
function (securityInfo) {
// bug 754369 - no SSLStatus probably means this is a non-overridable
// error, which is what we're testing (although it would be best to test
@ -103,44 +103,41 @@ function run_test() {
function add_simple_tests() {
add_cert_override_test("expired.example.com",
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_CERTIFICATE));
SEC_ERROR_EXPIRED_CERTIFICATE);
add_cert_override_test("notyetvalid.example.com",
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(
MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE));
MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE);
add_cert_override_test("before-epoch.example.com",
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(SEC_ERROR_INVALID_TIME));
SEC_ERROR_INVALID_TIME);
add_cert_override_test("selfsigned.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
SEC_ERROR_UNKNOWN_ISSUER);
add_cert_override_test("unknownissuer.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
SEC_ERROR_UNKNOWN_ISSUER);
add_cert_override_test("expiredissuer.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE));
SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE);
add_cert_override_test("notyetvalidissuer.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(
MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE));
MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE);
add_cert_override_test("before-epoch-issuer.example.com",
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(SEC_ERROR_INVALID_TIME));
SEC_ERROR_INVALID_TIME);
add_cert_override_test("md5signature.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
add_cert_override_test("mismatch.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH,
getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
SSL_ERROR_BAD_CERT_DOMAIN);
// A Microsoft IIS utility generates self-signed certificates with
// properties similar to the one this "host" will present (see
// tlsserver/generate_certs.sh).
add_cert_override_test("selfsigned-inadequateEKU.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
SEC_ERROR_UNKNOWN_ISSUER);
add_non_overridable_test("inadequatekeyusage.example.com",
SEC_ERROR_INADEQUATE_KEY_USAGE);
@ -166,17 +163,17 @@ function add_simple_tests() {
// is a scenario in which an override is allowed.
add_cert_override_test("self-signed-end-entity-with-cA-true.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
SEC_ERROR_UNKNOWN_ISSUER);
add_cert_override_test("ca-used-as-end-entity.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY));
MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
// If an X.509 version 1 certificate is not a trust anchor, we will
// encounter an overridable error.
add_cert_override_test("end-entity-issued-by-v1-cert.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA));
MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA);
// If we make that certificate a trust anchor, the connection will succeed.
add_test(function() {
certOverrideService.clearValidityOverride("end-entity-issued-by-v1-cert.example.com", 8443);
@ -185,7 +182,8 @@ function add_simple_tests() {
clearSessionCache();
run_next_test();
});
add_connection_test("end-entity-issued-by-v1-cert.example.com", Cr.NS_OK);
add_connection_test("end-entity-issued-by-v1-cert.example.com",
PRErrorCodeSuccess);
// Reset the trust for that certificate.
add_test(function() {
let v1Cert = constructCertFromFile("tlsserver/v1Cert.der");
@ -198,51 +196,50 @@ function add_simple_tests() {
// certificates that are not valid CAs.
add_cert_override_test("end-entity-issued-by-non-CA.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_CA_CERT_INVALID));
SEC_ERROR_CA_CERT_INVALID);
add_cert_override_test("inadequate-key-size-ee.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE));
MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE);
}
function add_combo_tests() {
add_cert_override_test("mismatch-expired.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
SSL_ERROR_BAD_CERT_DOMAIN);
add_cert_override_test("mismatch-notYetValid.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
SSL_ERROR_BAD_CERT_DOMAIN);
add_cert_override_test("mismatch-untrusted.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
SEC_ERROR_UNKNOWN_ISSUER);
add_cert_override_test("untrusted-expired.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
SEC_ERROR_UNKNOWN_ISSUER);
add_cert_override_test("mismatch-untrusted-expired.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
SEC_ERROR_UNKNOWN_ISSUER);
add_cert_override_test("md5signature-expired.example.com",
Ci.nsICertOverrideService.ERROR_UNTRUSTED |
Ci.nsICertOverrideService.ERROR_TIME,
getXPCOMStatusFromNSS(
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
add_cert_override_test("ca-used-as-end-entity-name-mismatch.example.com",
Ci.nsICertOverrideService.ERROR_MISMATCH |
Ci.nsICertOverrideService.ERROR_UNTRUSTED,
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY));
MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY);
}
function add_distrust_tests() {
// Before we specifically distrust this certificate, it should be trusted.
add_connection_test("untrusted.example.com", Cr.NS_OK);
add_connection_test("untrusted.example.com", PRErrorCodeSuccess);
add_distrust_test("tlsserver/default-ee.der", "untrusted.example.com",
SEC_ERROR_UNTRUSTED_CERT);

Просмотреть файл

@ -43,10 +43,10 @@ function run_test() {
add_tls_server_setup("ClientAuthServer");
add_connection_test("noclientauth.example.com", Cr.NS_OK);
add_connection_test("noclientauth.example.com", PRErrorCodeSuccess);
add_connection_test("requestclientauth.example.com", Cr.NS_OK);
add_connection_test("requestclientauth.example.com", Cr.NS_OK,
add_connection_test("requestclientauth.example.com", PRErrorCodeSuccess);
add_connection_test("requestclientauth.example.com", PRErrorCodeSuccess,
null, null, transport => {
do_print("Setting client cert on transport");
let sslSocketControl = transport.securityInfo
@ -55,8 +55,8 @@ function run_test() {
});
add_connection_test("requireclientauth.example.com",
getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_ALERT));
add_connection_test("requireclientauth.example.com", Cr.NS_OK,
SSL_ERROR_BAD_CERT_ALERT);
add_connection_test("requireclientauth.example.com", PRErrorCodeSuccess,
null, null, transport => {
do_print("Setting client cert on transport");
let sslSocketControl =

Просмотреть файл

@ -19,9 +19,10 @@
function run_test() {
do_get_profile();
add_tls_server_setup("BadCertServer");
add_connection_test("nsCertTypeNotCritical.example.com", Cr.NS_OK);
add_connection_test("nsCertTypeCriticalWithExtKeyUsage.example.com", Cr.NS_OK);
add_connection_test("nsCertTypeNotCritical.example.com", PRErrorCodeSuccess);
add_connection_test("nsCertTypeCriticalWithExtKeyUsage.example.com",
PRErrorCodeSuccess);
add_connection_test("nsCertTypeCritical.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION));
SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION);
run_next_test();
}

Просмотреть файл

@ -53,14 +53,14 @@ function add_tests() {
// Get an Unknown response for the *.exmaple.com cert and put it in the
// OCSP cache.
add_connection_test("ocsp-stapling-unknown.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
SEC_ERROR_OCSP_UNKNOWN_CERT,
clearSessionCache);
add_test(function() { do_check_eq(gFetchCount, 0); run_next_test(); });
// A failure to retrieve an OCSP response must result in the cached Unkown
// response being recognized and honored.
add_connection_test("ocsp-stapling-none.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
SEC_ERROR_OCSP_UNKNOWN_CERT,
clearSessionCache);
add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
@ -81,14 +81,14 @@ function add_tests() {
gGoodOCSPResponse = generateGoodOCSPResponse();
run_next_test();
});
add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
clearSessionCache);
add_test(function() { do_check_eq(gFetchCount, 2); run_next_test(); });
// The Good response retrieved from the previous fetch must have replaced
// the Unknown response in the cache, resulting in the catched Good response
// being returned and no fetch.
add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
clearSessionCache);
add_test(function() { do_check_eq(gFetchCount, 2); run_next_test(); });
@ -100,19 +100,19 @@ function add_tests() {
// A failure to retrieve an OCSP response will result in an error entry being
// added to the cache.
add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
clearSessionCache);
add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
// The error entry will prevent a fetch from happening for a while.
add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
clearSessionCache);
add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
// The error entry must not prevent a stapled OCSP response from being
// honored.
add_connection_test("ocsp-stapling-revoked.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
SEC_ERROR_REVOKED_CERTIFICATE,
clearSessionCache);
add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });

Просмотреть файл

@ -34,7 +34,7 @@ function run_test() {
// (as added in the setup of this test, below), a buggy implementation would
// upgrade the OCSP request to HTTPS. We specifically prevent this. This
// test demonstrates that our implementation is correct in this regard.
add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK);
add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess);
add_test(function () { run_next_test(); });
add_test(function () { ocspResponder.stop(run_next_test); });

Просмотреть файл

@ -42,9 +42,9 @@ function run_test() {
function add_tests()
{
add_connection_test("ocsp-stapling-none.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
SEC_ERROR_OCSP_BAD_SIGNATURE);
add_connection_test("ocsp-stapling-none.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
SEC_ERROR_OCSP_BAD_SIGNATURE);
add_test(function () {
do_check_eq(gOCSPRequestCount, 1);
gOCSPRequestCount = 0;

Просмотреть файл

@ -23,31 +23,48 @@ function add_ocsp_test(aHost, aExpectedResult, aStaplingEnabled) {
function add_tests(certDB, otherTestCA) {
// In the absence of OCSP stapling, these should actually all work.
add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-good-other-ca.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-malformed.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-srverr.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-trylater.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-needssig.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-unauthorized.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-unknown.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-good-other.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-none.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-critical-extension.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-empty-extensions.example.com", Cr.NS_OK, false);
add_ocsp_test("ocsp-stapling-good.example.com",
PRErrorCodeSuccess, false);
add_ocsp_test("ocsp-stapling-revoked.example.com",
PRErrorCodeSuccess, false);
add_ocsp_test("ocsp-stapling-good-other-ca.example.com",
PRErrorCodeSuccess, false);
add_ocsp_test("ocsp-stapling-malformed.example.com",
PRErrorCodeSuccess, false);
add_ocsp_test("ocsp-stapling-srverr.example.com",
PRErrorCodeSuccess, false);
add_ocsp_test("ocsp-stapling-trylater.example.com",
PRErrorCodeSuccess, false);
add_ocsp_test("ocsp-stapling-needssig.example.com",
PRErrorCodeSuccess, false);
add_ocsp_test("ocsp-stapling-unauthorized.example.com",
PRErrorCodeSuccess, false);
add_ocsp_test("ocsp-stapling-unknown.example.com",
PRErrorCodeSuccess, false);
add_ocsp_test("ocsp-stapling-good-other.example.com",
PRErrorCodeSuccess, false);
add_ocsp_test("ocsp-stapling-none.example.com",
PRErrorCodeSuccess, false);
add_ocsp_test("ocsp-stapling-expired.example.com",
PRErrorCodeSuccess, false);
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
PRErrorCodeSuccess, false);
add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
PRErrorCodeSuccess, false);
add_ocsp_test("ocsp-stapling-critical-extension.example.com",
PRErrorCodeSuccess, false);
add_ocsp_test("ocsp-stapling-noncritical-extension.example.com",
PRErrorCodeSuccess, false);
add_ocsp_test("ocsp-stapling-empty-extensions.example.com",
PRErrorCodeSuccess, false);
// Now test OCSP stapling
// The following error codes are defined in security/nss/lib/util/SECerrs.h
add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, true);
add_ocsp_test("ocsp-stapling-good.example.com", PRErrorCodeSuccess, true);
add_ocsp_test("ocsp-stapling-revoked.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), true);
SEC_ERROR_REVOKED_CERTIFICATE, true);
// SEC_ERROR_OCSP_INVALID_SIGNING_CERT vs SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
// depends on whether the CA that signed the response is a trusted CA
@ -62,7 +79,7 @@ function add_tests(certDB, otherTestCA) {
run_next_test();
});
add_ocsp_test("ocsp-stapling-good-other-ca.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
// The stapled response is from a CA that is trusted but did not issue the
// server's certificate.
@ -74,31 +91,29 @@ function add_tests(certDB, otherTestCA) {
// TODO(bug 979055): When using ByName instead of ByKey, the error here is
// SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE. We should be testing both cases.
add_ocsp_test("ocsp-stapling-good-other-ca.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT),
true);
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
// TODO: Test the case where the signing cert can't be found at all, which
// will result in SEC_ERROR_BAD_DATABASE in the NSS classic case.
add_ocsp_test("ocsp-stapling-malformed.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_REQUEST), true);
SEC_ERROR_OCSP_MALFORMED_REQUEST, true);
add_ocsp_test("ocsp-stapling-srverr.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_SERVER_ERROR), true);
SEC_ERROR_OCSP_SERVER_ERROR, true);
add_ocsp_test("ocsp-stapling-trylater.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_TRY_SERVER_LATER), true);
SEC_ERROR_OCSP_TRY_SERVER_LATER, true);
add_ocsp_test("ocsp-stapling-needssig.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG), true);
SEC_ERROR_OCSP_REQUEST_NEEDS_SIG, true);
add_ocsp_test("ocsp-stapling-unauthorized.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST),
true);
SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST, true);
add_ocsp_test("ocsp-stapling-unknown.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true);
SEC_ERROR_OCSP_UNKNOWN_CERT, true);
add_ocsp_test("ocsp-stapling-good-other.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true);
SEC_ERROR_OCSP_UNKNOWN_CERT, true);
// If the server doesn't staple an OCSP response, we continue as normal
// (this means that even though stapling is enabled, we expect an OCSP
// request).
add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
function() {
gExpectOCSPRequest = true;
clearOCSPCache();
@ -107,32 +122,35 @@ function add_tests(certDB, otherTestCA) {
}
);
add_ocsp_test("ocsp-stapling-empty.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
SEC_ERROR_OCSP_MALFORMED_RESPONSE, true);
add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
SEC_ERROR_OCSP_MALFORMED_RESPONSE, true);
add_ocsp_test("ocsp-stapling-critical-extension.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION),
true);
add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", Cr.NS_OK, true);
SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION, true);
add_ocsp_test("ocsp-stapling-noncritical-extension.example.com",
PRErrorCodeSuccess, true);
// TODO(bug 997994): Disallow empty Extensions in responses
add_ocsp_test("ocsp-stapling-empty-extensions.example.com", Cr.NS_OK, true);
add_ocsp_test("ocsp-stapling-empty-extensions.example.com",
PRErrorCodeSuccess, true);
add_ocsp_test("ocsp-stapling-delegated-included.example.com", Cr.NS_OK, true);
add_ocsp_test("ocsp-stapling-delegated-included-last.example.com", Cr.NS_OK, true);
add_ocsp_test("ocsp-stapling-delegated-included.example.com",
PRErrorCodeSuccess, true);
add_ocsp_test("ocsp-stapling-delegated-included-last.example.com",
PRErrorCodeSuccess, true);
add_ocsp_test("ocsp-stapling-delegated-missing.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
add_ocsp_test("ocsp-stapling-delegated-missing-multiple.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
add_ocsp_test("ocsp-stapling-delegated-no-extKeyUsage.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
add_ocsp_test("ocsp-stapling-delegated-from-intermediate.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
add_ocsp_test("ocsp-stapling-delegated-keyUsage-crlSigning.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
add_ocsp_test("ocsp-stapling-delegated-wrong-extKeyUsage.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
// ocsp-stapling-expired.example.com and
// ocsp-stapling-expired-fresh-ca.example.com are handled in
@ -141,11 +159,10 @@ function add_tests(certDB, otherTestCA) {
// Check that OCSP responder certificates with key sizes below 1024 bits are
// rejected, even when the main certificate chain keys are at least 1024 bits.
add_ocsp_test("keysize-ocsp-delegated.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT),
true);
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
add_ocsp_test("revoked-ca-cert-used-as-end-entity.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), true);
SEC_ERROR_REVOKED_CERTIFICATE, true);
}
function check_ocsp_stapling_telemetry() {

Просмотреть файл

@ -70,81 +70,81 @@ function run_test() {
// For ocsp-stapling-expired-fresh-ca.example.com, the OCSP stapling
// server staples an OCSP response with a recent signature but with an
// out-of-date validity period. The certificate has not expired.
add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK,
add_ocsp_test("ocsp-stapling-expired.example.com", PRErrorCodeSuccess,
ocspResponseGood);
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", PRErrorCodeSuccess,
ocspResponseGood);
// if we can't fetch a more recent response when
// given an expired stapled response, we terminate the connection.
add_ocsp_test("ocsp-stapling-expired.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
SEC_ERROR_OCSP_OLD_RESPONSE,
expiredOCSPResponseGood);
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
SEC_ERROR_OCSP_OLD_RESPONSE,
expiredOCSPResponseGood);
add_ocsp_test("ocsp-stapling-expired.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
SEC_ERROR_OCSP_OLD_RESPONSE,
oldValidityPeriodOCSPResponseGood);
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
SEC_ERROR_OCSP_OLD_RESPONSE,
oldValidityPeriodOCSPResponseGood);
add_ocsp_test("ocsp-stapling-expired.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
SEC_ERROR_OCSP_OLD_RESPONSE,
null);
add_ocsp_test("ocsp-stapling-expired.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE),
SEC_ERROR_OCSP_OLD_RESPONSE,
null);
// Of course, if the newer response indicates Revoked or Unknown,
// that status must be returned.
add_ocsp_test("ocsp-stapling-expired.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
SEC_ERROR_REVOKED_CERTIFICATE,
ocspResponseRevoked);
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
SEC_ERROR_REVOKED_CERTIFICATE,
ocspResponseRevoked);
add_ocsp_test("ocsp-stapling-expired.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
SEC_ERROR_OCSP_UNKNOWN_CERT,
ocspResponseUnknown);
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
SEC_ERROR_OCSP_UNKNOWN_CERT,
ocspResponseUnknown);
// If the response is expired but indicates Revoked or Unknown and a
// newer status can't be fetched, the Revoked or Unknown status will
// be returned.
add_ocsp_test("ocsp-stapling-revoked-old.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
SEC_ERROR_REVOKED_CERTIFICATE,
null);
add_ocsp_test("ocsp-stapling-unknown-old.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
SEC_ERROR_OCSP_UNKNOWN_CERT,
null);
// If the response is expired but indicates Revoked or Unknown and
// a newer status can be fetched and successfully verified, this
// should result in a successful certificate verification.
add_ocsp_test("ocsp-stapling-revoked-old.example.com", Cr.NS_OK,
add_ocsp_test("ocsp-stapling-revoked-old.example.com", PRErrorCodeSuccess,
ocspResponseGood);
add_ocsp_test("ocsp-stapling-unknown-old.example.com", Cr.NS_OK,
add_ocsp_test("ocsp-stapling-unknown-old.example.com", PRErrorCodeSuccess,
ocspResponseGood);
// If a newer status can be fetched but it fails to verify, the
// Revoked or Unknown status of the expired stapled response
// should be returned.
add_ocsp_test("ocsp-stapling-revoked-old.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
SEC_ERROR_REVOKED_CERTIFICATE,
expiredOCSPResponseGood);
add_ocsp_test("ocsp-stapling-unknown-old.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
SEC_ERROR_OCSP_UNKNOWN_CERT,
expiredOCSPResponseGood);
// These tests are verifying that an valid but very old response
// is rejected as a valid stapled response, requiring a fetch
// from the ocsp responder.
add_ocsp_test("ocsp-stapling-ancient-valid.example.com", Cr.NS_OK,
add_ocsp_test("ocsp-stapling-ancient-valid.example.com", PRErrorCodeSuccess,
ocspResponseGood);
add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
SEC_ERROR_REVOKED_CERTIFICATE,
ocspResponseRevoked);
add_ocsp_test("ocsp-stapling-ancient-valid.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
SEC_ERROR_OCSP_UNKNOWN_CERT,
ocspResponseUnknown);
add_test(function () { ocspResponder.stop(run_next_test); });

Просмотреть файл

@ -33,7 +33,8 @@ function run_test() {
add_tls_server_setup("OCSPStaplingServer");
add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK);
add_ocsp_test("ocsp-stapling-with-intermediate.example.com",
PRErrorCodeSuccess);
add_test(function () { ocspResponder.stop(run_next_test); });
add_test(function() {

Просмотреть файл

@ -50,8 +50,8 @@ function add_tests_in_mode(useHardFail) {
});
add_connection_test("ocsp-stapling-none.example.com", useHardFail
? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_SERVER_ERROR)
: Cr.NS_OK, clearSessionCache);
? SEC_ERROR_OCSP_SERVER_ERROR
: PRErrorCodeSuccess, clearSessionCache);
// Reset state
add_test(function() {

Просмотреть файл

@ -41,33 +41,38 @@ function test_strict() {
// errors) like 'unknown issuer' are encountered, the pinning error takes
// precedence. This prevents overrides for such hosts.
add_connection_test("unknownissuer.include-subdomains.pinning.example.com",
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
// Issued by otherCA, which is not in the pinset for pinning.example.com.
add_connection_test("bad.include-subdomains.pinning.example.com",
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
// Check that using a FQDN doesn't bypass pinning.
add_connection_test("bad.include-subdomains.pinning.example.com.",
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
// For some reason this is also navigable (see bug 1118522).
add_connection_test("bad.include-subdomains.pinning.example.com..",
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
// These domains serve certs that match the pinset.
add_connection_test("include-subdomains.pinning.example.com", Cr.NS_OK);
add_connection_test("good.include-subdomains.pinning.example.com", Cr.NS_OK);
add_connection_test("exclude-subdomains.pinning.example.com", Cr.NS_OK);
add_connection_test("include-subdomains.pinning.example.com",
PRErrorCodeSuccess);
add_connection_test("good.include-subdomains.pinning.example.com",
PRErrorCodeSuccess);
add_connection_test("exclude-subdomains.pinning.example.com",
PRErrorCodeSuccess);
// This domain serves a cert that doesn't match the pinset, but subdomains
// are excluded.
add_connection_test("sub.exclude-subdomains.pinning.example.com", Cr.NS_OK);
add_connection_test("sub.exclude-subdomains.pinning.example.com",
PRErrorCodeSuccess);
// This domain's pinset is exactly the same as
// include-subdomains.pinning.example.com, serves the same cert as
// bad.include-subdomains.pinning.example.com, but it should pass because
// it's in test_mode.
add_connection_test("test-mode.pinning.example.com", Cr.NS_OK);
add_connection_test("test-mode.pinning.example.com",
PRErrorCodeSuccess);
}
function test_mitm() {
@ -78,19 +83,24 @@ function test_mitm() {
run_next_test();
});
add_connection_test("include-subdomains.pinning.example.com", Cr.NS_OK);
add_connection_test("good.include-subdomains.pinning.example.com", Cr.NS_OK);
add_connection_test("include-subdomains.pinning.example.com",
PRErrorCodeSuccess);
add_connection_test("good.include-subdomains.pinning.example.com",
PRErrorCodeSuccess);
add_connection_test("unknownissuer.include-subdomains.pinning.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
SEC_ERROR_UNKNOWN_ISSUER);
// In this case, even though otherCA is not in the pinset, it is a
// user-specified trust anchor and the pinning check succeeds.
add_connection_test("bad.include-subdomains.pinning.example.com", Cr.NS_OK);
add_connection_test("bad.include-subdomains.pinning.example.com",
PRErrorCodeSuccess);
add_connection_test("exclude-subdomains.pinning.example.com", Cr.NS_OK);
add_connection_test("sub.exclude-subdomains.pinning.example.com", Cr.NS_OK);
add_connection_test("test-mode.pinning.example.com", Cr.NS_OK);
add_connection_test("exclude-subdomains.pinning.example.com",
PRErrorCodeSuccess);
add_connection_test("sub.exclude-subdomains.pinning.example.com",
PRErrorCodeSuccess);
add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess);
};
function test_disabled() {
@ -100,15 +110,20 @@ function test_disabled() {
run_next_test();
});
add_connection_test("include-subdomains.pinning.example.com", Cr.NS_OK);
add_connection_test("good.include-subdomains.pinning.example.com", Cr.NS_OK);
add_connection_test("bad.include-subdomains.pinning.example.com", Cr.NS_OK);
add_connection_test("exclude-subdomains.pinning.example.com", Cr.NS_OK);
add_connection_test("sub.exclude-subdomains.pinning.example.com", Cr.NS_OK);
add_connection_test("test-mode.pinning.example.com", Cr.NS_OK);
add_connection_test("include-subdomains.pinning.example.com",
PRErrorCodeSuccess);
add_connection_test("good.include-subdomains.pinning.example.com",
PRErrorCodeSuccess);
add_connection_test("bad.include-subdomains.pinning.example.com",
PRErrorCodeSuccess);
add_connection_test("exclude-subdomains.pinning.example.com",
PRErrorCodeSuccess);
add_connection_test("sub.exclude-subdomains.pinning.example.com",
PRErrorCodeSuccess);
add_connection_test("test-mode.pinning.example.com", PRErrorCodeSuccess);
add_connection_test("unknownissuer.include-subdomains.pinning.example.com",
getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_ISSUER));
SEC_ERROR_UNKNOWN_ISSUER);
}
function test_enforce_test_mode() {
@ -119,27 +134,31 @@ function test_enforce_test_mode() {
});
add_connection_test("unknownissuer.include-subdomains.pinning.example.com",
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
// Issued by otherCA, which is not in the pinset for pinning.example.com.
add_connection_test("bad.include-subdomains.pinning.example.com",
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
// These domains serve certs that match the pinset.
add_connection_test("include-subdomains.pinning.example.com", Cr.NS_OK);
add_connection_test("good.include-subdomains.pinning.example.com", Cr.NS_OK);
add_connection_test("exclude-subdomains.pinning.example.com", Cr.NS_OK);
add_connection_test("include-subdomains.pinning.example.com",
PRErrorCodeSuccess);
add_connection_test("good.include-subdomains.pinning.example.com",
PRErrorCodeSuccess);
add_connection_test("exclude-subdomains.pinning.example.com",
PRErrorCodeSuccess);
// This domain serves a cert that doesn't match the pinset, but subdomains
// are excluded.
add_connection_test("sub.exclude-subdomains.pinning.example.com", Cr.NS_OK);
add_connection_test("sub.exclude-subdomains.pinning.example.com",
PRErrorCodeSuccess);
// This domain's pinset is exactly the same as
// include-subdomains.pinning.example.com, serves the same cert as
// bad.include-subdomains.pinning.example.com, is in test-mode, but we are
// enforcing test mode pins.
add_connection_test("test-mode.pinning.example.com",
getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE));
MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE);
}
function check_pinning_telemetry() {