Bug 1005142 - Part 2/2 - Basic OCSP fetch method tests. r=keeler

--HG--
extra : rebase_source : 364a5d410eb3743ae0a03ebcf0a258e847d71743

security/manager/ssl/tests/unit/head_psm.js

@@ -441,7 +441,7 @@ function getFailingHttpServer(serverPort, serverIdentities) {
 //   what is the expected base path of the OCSP request.
 function startOCSPResponder(serverPort, identity, invalidIdentities,
                             nssDBLocation, expectedCertNames,
-                            expectedBasePaths) {
+                            expectedBasePaths, expectedMethods) {
   let httpServer = new HttpServer();
   httpServer.registerPrefixHandler("/",
     function handleServerCallback(aRequest, aResponse) {
@@ -453,6 +453,9 @@ function startOCSPResponder(serverPort, identity, invalidIdentities,
         do_check_eq(basePath, expectedBasePaths.shift());
       }
       do_check_true(expectedCertNames.length >= 1);
+      if (expectedMethods && expectedMethods.length >= 1) {
+        do_check_eq(aRequest.method, expectedMethods.shift());
+      }
       let expectedNick = expectedCertNames.shift();
       do_print("Generating ocsp response for '" + expectedNick + "(" +
                basePath + ")'");
@@ -471,6 +474,12 @@ function startOCSPResponder(serverPort, identity, invalidIdentities,
   return {
     stop: function(callback) {
       do_check_eq(expectedCertNames.length, 0);
+      if (expectedMethods) {
+        do_check_eq(expectedMethods.length, 0);
+      }
+      if (expectedBasePaths) {
+        do_check_eq(expectedBasePaths.length, 0);
+      }
       httpServer.stop(callback);
     }
   };

security/manager/ssl/tests/unit/test_ocsp_fetch_method.js

@@ -0,0 +1,84 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// In which we try to validate several ocsp responses, checking in particular
+// that we use the specified method for fetching ocsp. We also check what
+// POST fallback when an invalid GET response is received.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"]
+                 .getService(Ci.nsIX509CertDB);
+
+const SERVER_PORT = 8080;
+
+function start_ocsp_responder(expectedCertNames, expectedPaths,
+                              expectedMethods) {
+  return startOCSPResponder(SERVER_PORT, "www.example.com", [],
+                            "test_ocsp_fetch_method", expectedCertNames,
+                            expectedPaths, expectedMethods);
+}
+
+function check_cert_err(cert_name, expected_error) {
+  let cert = constructCertFromFile("test_ocsp_fetch_method/" + cert_name + ".der");
+  return checkCertErrorGeneric(certdb, cert, expected_error,
+                               certificateUsageSSLServer);
+}
+
+function run_test() {
+  addCertFromFile(certdb, "test_ocsp_fetch_method/ca.der", 'CTu,CTu,CTu');
+  addCertFromFile(certdb, "test_ocsp_fetch_method/int.der", ',,');
+
+  // Enabled so that we can force ocsp failure responses.
+  Services.prefs.setBoolPref("security.OCSP.require", true);
+
+  Services.prefs.setCharPref("network.dns.localDomains",
+                             "www.example.com");
+
+  add_tests_in_mode(true);
+  add_tests_in_mode(false);
+  run_next_test();
+}
+
+function add_tests_in_mode(useMozillaPKIX)
+{
+  add_test(function() {
+    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+                               useMozillaPKIX);
+    run_next_test();
+  });
+
+  add_test(function() {
+    clearOCSPCache();
+    Services.prefs.setBoolPref("security.OCSP.GET.enabled", false);
+    let ocspResponder = start_ocsp_responder(["a"], [], ["POST"]);
+    check_cert_err("a", 0);
+    ocspResponder.stop(run_next_test);
+  });
+
+  add_test(function() {
+    clearOCSPCache();
+    Services.prefs.setBoolPref("security.OCSP.GET.enabled", true);
+    let ocspResponder = start_ocsp_responder(["a"], [], ["GET"]);
+    check_cert_err("a", 0);
+    ocspResponder.stop(run_next_test);
+  });
+
+  // GET does fallback on bad entry
+  add_test(function() {
+    clearOCSPCache();
+    Services.prefs.setBoolPref("security.OCSP.GET.enabled", true);
+    // Bug 1016681 mozilla::pkix does not support fallback yet.
+    if (!useMozillaPKIX) {
+      let ocspResponder = start_ocsp_responder(["b", "a"], [], ["GET", "POST"]);
+      check_cert_err("a", 0);
+      ocspResponder.stop(run_next_test);
+    } else {
+      run_next_test();
+    }
+  });
+
+}

security/manager/ssl/tests/unit/test_ocsp_fetch_method/generate.py

@@ -0,0 +1,29 @@
+#!/usr/bin/python
+
+import tempfile, os, sys
+
+libpath = os.path.abspath('../psm_common_py')
+sys.path.append(libpath)
+import CertUtils
+
+srcdir = os.getcwd()
+db = tempfile.mkdtemp()
+
+def generate_ca_cert(db_dir, dest_dir, noise_file, name):
+    return CertUtils.generate_ca_cert(db_dir, dest_dir, noise_file, name,
+                                      3, True)
+
+def generate_child_cert(db_dir, dest_dir, noise_file, name, ca_nick, is_ee,
+                        ocsp_url):
+    return CertUtils.generate_child_cert(db_dir, dest_dir, noise_file, name,
+                                         ca_nick, 3, True, is_ee, ocsp_url)
+
+def generate_certs():
+    [noise_file, pwd_file] = CertUtils.init_nss_db(srcdir)
+    generate_ca_cert(srcdir, srcdir, noise_file, 'ca')
+    generate_child_cert(srcdir, srcdir, noise_file, 'int', 'ca', False, '')
+    ocsp_url = "http://www.example.com:8080/"
+    generate_child_cert(srcdir, srcdir, noise_file, "a", 'int', True, ocsp_url)
+    generate_child_cert(srcdir, srcdir, noise_file, "b", 'int', True, ocsp_url)
+
+generate_certs()

security/manager/ssl/tests/unit/test_ocsp_fetch_method/pkcs11.txt

@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:/home/cviecco/hg/mozilla-central-unified/security/manager/ssl/tests/unit/test_ocsp_fetch_method' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+

security/manager/ssl/tests/unit/xpcshell.ini

@@ -14,6 +14,7 @@ support-files =
   test_cert_version/**
   test_cert_eku/**
   test_ocsp_url/**
+  test_ocsp_fetch_method/**
 
 [test_datasignatureverifier.js]
 [test_hash_algorithms.js]
@@ -81,3 +82,8 @@ skip-if = os == "android"
 run-sequentially = hardcoded ports
 # Bug 1009158: this test times out on Android
 skip-if = os == "android"
+[test_ocsp_fetch_method.js]
+run-sequentially = hardcoded ports
+# Bug 1009158: this test times out on Android
+skip-if = os == "android"
+