bug 1189427 - convert test_ocsp_fetch_method.js to generate certificates at build time r=mgoodwin

security/manager/ssl/tests/unit/moz.build

@@ -15,6 +15,7 @@ TEST_DIRS += [
     'test_intermediate_basic_usage_constraints',
     'test_keysize_ev',
     'test_pinning_dynamic',
+    'test_ocsp_fetch_method',
     'test_ocsp_url',
     'test_validity',
 ]

security/manager/ssl/tests/unit/test_ocsp_fetch_method.js

@@ -23,14 +23,14 @@ function start_ocsp_responder(expectedCertNames, expectedPaths,
 }
 
 function check_cert_err(cert_name, expected_error) {
-  let cert = constructCertFromFile("test_ocsp_fetch_method/" + cert_name + ".der");
+  let cert = constructCertFromFile("test_ocsp_fetch_method/" + cert_name + ".pem");
   return checkCertErrorGeneric(certdb, cert, expected_error,
                                certificateUsageSSLServer);
 }
 
 function run_test() {
-  addCertFromFile(certdb, "test_ocsp_fetch_method/ca.der", 'CTu,CTu,CTu');
-  addCertFromFile(certdb, "test_ocsp_fetch_method/int.der", ',,');
+  addCertFromFile(certdb, "test_ocsp_fetch_method/ca.pem", 'CTu,CTu,CTu');
+  addCertFromFile(certdb, "test_ocsp_fetch_method/int.pem", ',,');
 
   // Enabled so that we can force ocsp failure responses.
   Services.prefs.setBoolPref("security.OCSP.require", true);
@@ -55,16 +55,5 @@ function run_test() {
     ocspResponder.stop(run_next_test);
   });
 
-  // GET does fallback on bad entry
-  add_test(function() {
-    clearOCSPCache();
-    Services.prefs.setBoolPref("security.OCSP.GET.enabled", true);
-    // Bug 1016681 mozilla::pkix does not support fallback yet.
-    // let ocspResponder = start_ocsp_responder(["b", "a"], [], ["GET", "POST"]);
-    // check_cert_err("a", PRErrorCodeSuccess);
-    // ocspResponder.stop(run_next_test);
-    run_next_test();
-  });
-
   run_next_test();
 }

security/manager/ssl/tests/unit/test_ocsp_fetch_method/a.pem.certspec

@@ -0,0 +1,3 @@
+issuer:int
+subject:a
+extension:authorityInformationAccess:http://www.example.com:8888/

security/manager/ssl/tests/unit/test_ocsp_fetch_method/ca.pem.certspec

@@ -0,0 +1,4 @@
+issuer:ca
+subject:ca
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign

security/manager/ssl/tests/unit/test_ocsp_fetch_method/generate.py

@@ -1,29 +0,0 @@
-#!/usr/bin/python
-
-import tempfile, os, sys
-
-libpath = os.path.abspath('../psm_common_py')
-sys.path.append(libpath)
-import CertUtils
-
-srcdir = os.getcwd()
-db = tempfile.mkdtemp()
-
-def generate_ca_cert(db_dir, dest_dir, noise_file, name):
-    return CertUtils.generate_ca_cert(db_dir, dest_dir, noise_file, name,
-                                      3, True)
-
-def generate_child_cert(db_dir, dest_dir, noise_file, name, ca_nick, is_ee,
-                        ocsp_url):
-    return CertUtils.generate_child_cert(db_dir, dest_dir, noise_file, name,
-                                         ca_nick, 3, True, is_ee, ocsp_url)
-
-def generate_certs():
-    [noise_file, pwd_file] = CertUtils.init_nss_db(srcdir)
-    generate_ca_cert(srcdir, srcdir, noise_file, 'ca')
-    generate_child_cert(srcdir, srcdir, noise_file, 'int', 'ca', False, '')
-    ocsp_url = "http://www.example.com:8888/"
-    generate_child_cert(srcdir, srcdir, noise_file, "a", 'int', True, ocsp_url)
-    generate_child_cert(srcdir, srcdir, noise_file, "b", 'int', True, ocsp_url)
-
-generate_certs()

security/manager/ssl/tests/unit/test_ocsp_fetch_method/int.pem.certspec

@@ -0,0 +1,4 @@
+issuer:ca
+subject:int
+extension:basicConstraints:cA,
+extension:keyUsage:cRLSign,keyCertSign

security/manager/ssl/tests/unit/test_ocsp_fetch_method/moz.build

@@ -0,0 +1,31 @@
+# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+test_certificates = (
+    'a.pem',
+    'ca.pem',
+    'int.pem',
+)
+
+for test_certificate in test_certificates:
+    input_file = test_certificate + '.certspec'
+    GENERATED_FILES += [test_certificate]
+    props = GENERATED_FILES[test_certificate]
+    props.script = '../pycert.py'
+    props.inputs = [input_file]
+    TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_ocsp_fetch_method += ['!%s' % test_certificate]
+
+test_keys = (
+    'int.key',
+)
+
+for test_key in test_keys:
+    input_file = test_key + '.keyspec'
+    GENERATED_FILES += [test_key]
+    props = GENERATED_FILES[test_key]
+    props.script = '../pykey.py'
+    props.inputs = [input_file]
+    TEST_HARNESS_FILES.xpcshell.security.manager.ssl.tests.unit.test_ocsp_fetch_method += ['!%s' % test_key]

security/manager/ssl/tests/unit/test_ocsp_fetch_method/pkcs11.txt

@@ -1,5 +0,0 @@
-library=
-name=NSS Internal PKCS #11 Module
-parameters=configdir='sql:/home/cviecco/hg/mozilla-central-unified/security/manager/ssl/tests/unit/test_ocsp_fetch_method' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
-NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
-