Bug 1005142 - Part 2/2 - Basic OCSP fetch method tests. r=keeler
--HG-- extra : rebase_source : 364a5d410eb3743ae0a03ebcf0a258e847d71743
This commit is contained in:
Родитель
f051695b8d
Коммит
b337f160ed
|
@ -441,7 +441,7 @@ function getFailingHttpServer(serverPort, serverIdentities) {
|
|||
// what is the expected base path of the OCSP request.
|
||||
function startOCSPResponder(serverPort, identity, invalidIdentities,
|
||||
nssDBLocation, expectedCertNames,
|
||||
expectedBasePaths) {
|
||||
expectedBasePaths, expectedMethods) {
|
||||
let httpServer = new HttpServer();
|
||||
httpServer.registerPrefixHandler("/",
|
||||
function handleServerCallback(aRequest, aResponse) {
|
||||
|
@ -453,6 +453,9 @@ function startOCSPResponder(serverPort, identity, invalidIdentities,
|
|||
do_check_eq(basePath, expectedBasePaths.shift());
|
||||
}
|
||||
do_check_true(expectedCertNames.length >= 1);
|
||||
if (expectedMethods && expectedMethods.length >= 1) {
|
||||
do_check_eq(aRequest.method, expectedMethods.shift());
|
||||
}
|
||||
let expectedNick = expectedCertNames.shift();
|
||||
do_print("Generating ocsp response for '" + expectedNick + "(" +
|
||||
basePath + ")'");
|
||||
|
@ -471,6 +474,12 @@ function startOCSPResponder(serverPort, identity, invalidIdentities,
|
|||
return {
|
||||
stop: function(callback) {
|
||||
do_check_eq(expectedCertNames.length, 0);
|
||||
if (expectedMethods) {
|
||||
do_check_eq(expectedMethods.length, 0);
|
||||
}
|
||||
if (expectedBasePaths) {
|
||||
do_check_eq(expectedBasePaths.length, 0);
|
||||
}
|
||||
httpServer.stop(callback);
|
||||
}
|
||||
};
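Review bot: The new method check `if (expectedMethods && expectedMethods.length >= 1)` silently skips verification once the list is exhausted, so an unexpected extra request is only caught indirectly through `expectedCertNames`; since both lists are consumed in lockstep, mirroring the `do_check_true(expectedCertNames.length >= 1)` guard is stricter: `if (expectedMethods) { do_check_true(expectedMethods.length >= 1); do_check_eq(aRequest.method, expectedMethods.shift()); }`. This presumably follows the existing `expectedBasePaths` handling, so it may be deliberate; if so, the new parameter is still undocumented in the header comment that ends with `// what is the expected base path of the OCSP request.`, which should gain `// expectedMethods: optional array of HTTP methods ("GET"/"POST") the OCSP requests must use, consumed in order and checked against aRequest.method.` The body of `startOCSPResponder` continues outside the hunks shown, so the stop() handler's relationship to the request handler was reviewed only as far as visible.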
|
||||
|
|
|
@ -0,0 +1,84 @@
|
|||
// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
|
||||
// This Source Code Form is subject to the terms of the Mozilla Public
|
||||
// License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
"use strict";
|
||||
|
||||
// In which we try to validate several ocsp responses, checking in particular
|
||||
// that we use the specified method for fetching ocsp. We also check what
|
||||
// POST fallback when an invalid GET response is received.
|
||||
|
||||
do_get_profile(); // must be called before getting nsIX509CertDB
|
||||
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
|
||||
.getService(Ci.nsIX509CertDB);
|
||||
|
||||
const SERVER_PORT = 8080;
|
||||
|
||||
function start_ocsp_responder(expectedCertNames, expectedPaths,
|
||||
expectedMethods) {
|
||||
return startOCSPResponder(SERVER_PORT, "www.example.com", [],
|
||||
"test_ocsp_fetch_method", expectedCertNames,
|
||||
expectedPaths, expectedMethods);
|
||||
}
|
||||
|
||||
function check_cert_err(cert_name, expected_error) {
|
||||
let cert = constructCertFromFile("test_ocsp_fetch_method/" + cert_name + ".der");
|
||||
return checkCertErrorGeneric(certdb, cert, expected_error,
|
||||
certificateUsageSSLServer);
|
||||
}
|
||||
|
||||
function run_test() {
|
||||
addCertFromFile(certdb, "test_ocsp_fetch_method/ca.der", 'CTu,CTu,CTu');
|
||||
addCertFromFile(certdb, "test_ocsp_fetch_method/int.der", ',,');
|
||||
|
||||
// Enabled so that we can force ocsp failure responses.
|
||||
Services.prefs.setBoolPref("security.OCSP.require", true);
|
||||
|
||||
Services.prefs.setCharPref("network.dns.localDomains",
|
||||
"www.example.com");
|
||||
|
||||
add_tests_in_mode(true);
|
||||
add_tests_in_mode(false);
|
||||
run_next_test();
|
||||
}
|
||||
|
||||
function add_tests_in_mode(useMozillaPKIX)
|
||||
{
|
||||
add_test(function() {
|
||||
Services.prefs.setBoolPref("security.use_mozillapkix_verification",
|
||||
useMozillaPKIX);
|
||||
run_next_test();
|
||||
});
|
||||
|
||||
add_test(function() {
|
||||
clearOCSPCache();
|
||||
Services.prefs.setBoolPref("security.OCSP.GET.enabled", false);
|
||||
let ocspResponder = start_ocsp_responder(["a"], [], ["POST"]);
|
||||
check_cert_err("a", 0);
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
||||
add_test(function() {
|
||||
clearOCSPCache();
|
||||
Services.prefs.setBoolPref("security.OCSP.GET.enabled", true);
|
||||
let ocspResponder = start_ocsp_responder(["a"], [], ["GET"]);
|
||||
check_cert_err("a", 0);
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
||||
// GET does fallback on bad entry
|
||||
add_test(function() {
|
||||
clearOCSPCache();
|
||||
Services.prefs.setBoolPref("security.OCSP.GET.enabled", true);
|
||||
// Bug 1016681 mozilla::pkix does not support fallback yet.
|
||||
if (!useMozillaPKIX) {
|
||||
let ocspResponder = start_ocsp_responder(["b", "a"], [], ["GET", "POST"]);
|
||||
check_cert_err("a", 0);
|
||||
ocspResponder.stop(run_next_test);
|
||||
} else {
|
||||
run_next_test();
|
||||
}
|
||||
});
|
||||
|
||||
}
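Review bot: The `else` branch of the fallback test in `add_tests_in_mode` skips the GET-to-POST fallback case silently under mozilla::pkix, so the log gives no sign that the case was not exercised; add `do_print("Skipping GET fallback test: mozilla::pkix does not support fallback yet (bug 1016681)");` before `run_next_test();`. The comment `// GET does fallback on bad entry` should say how the bad entry is produced: judging from the responder, which generates its response from the next name in `expectedCertNames`, the first (GET) request is answered with a response for cert "b" rather than the requested "a", which the client must reject before retrying over POST, e.g. `// Responder answers the GET with a response for cert "b" (not "a"), so the client must reject it and fall back to POST.` The file header has a typo: `// We also check what POST fallback` should read `// We also check that POST fallback`.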
|
Двоичный файл не отображается.
Двоичный файл не отображается.
Двоичный файл не отображается.
Двоичный файл не отображается.
|
@ -0,0 +1,29 @@
|
|||
#!/usr/bin/python
|
||||
|
||||
import tempfile, os, sys
|
||||
|
||||
libpath = os.path.abspath('../psm_common_py')
|
||||
sys.path.append(libpath)
|
||||
import CertUtils
|
||||
|
||||
srcdir = os.getcwd()
|
||||
db = tempfile.mkdtemp()
|
||||
|
||||
def generate_ca_cert(db_dir, dest_dir, noise_file, name):
|
||||
return CertUtils.generate_ca_cert(db_dir, dest_dir, noise_file, name,
|
||||
3, True)
|
||||
|
||||
def generate_child_cert(db_dir, dest_dir, noise_file, name, ca_nick, is_ee,
|
||||
ocsp_url):
|
||||
return CertUtils.generate_child_cert(db_dir, dest_dir, noise_file, name,
|
||||
ca_nick, 3, True, is_ee, ocsp_url)
|
||||
|
||||
def generate_certs():
|
||||
[noise_file, pwd_file] = CertUtils.init_nss_db(srcdir)
|
||||
generate_ca_cert(srcdir, srcdir, noise_file, 'ca')
|
||||
generate_child_cert(srcdir, srcdir, noise_file, 'int', 'ca', False, '')
|
||||
ocsp_url = "http://www.example.com:8080/"
|
||||
generate_child_cert(srcdir, srcdir, noise_file, "a", 'int', True, ocsp_url)
|
||||
generate_child_cert(srcdir, srcdir, noise_file, "b", 'int', True, ocsp_url)
|
||||
|
||||
generate_certs()
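Review bot: `db = tempfile.mkdtemp()` creates a temporary directory that is never used (`init_nss_db` is called with `srcdir`) and never removed, so every run leaks a directory under the system temp location; drop the line and the `tempfile` import, or pass `db` where the NSS database is meant to live. `pwd_file` from `[noise_file, pwd_file] = CertUtils.init_nss_db(srcdir)` is likewise unused; `noise_file, _ = CertUtils.init_nss_db(srcdir)` makes that explicit. The script hard-codes `ocsp_url = "http://www.example.com:8080/"`, which must match `SERVER_PORT` in the xpcshell test; a one-line comment noting that coupling would help whoever changes either side.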
|
Двоичный файл не отображается.
Двоичный файл не отображается.
|
@ -0,0 +1,5 @@
|
|||
library=
|
||||
name=NSS Internal PKCS #11 Module
|
||||
parameters=configdir='sql:/home/cviecco/hg/mozilla-central-unified/security/manager/ssl/tests/unit/test_ocsp_fetch_method' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
|
||||
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
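Review bot: `configdir='sql:/home/cviecco/hg/mozilla-central-unified/...'` bakes a developer's absolute home path into a checked-in NSS module database; it is machine-specific, will not exist on any other checkout, and leaks local environment details into the tree. If the test's responder opens the database via `nssDBLocation` rather than this `configdir`, the value is presumably ignored at runtime, but the fixture should still be regenerated from a neutral location (or the path normalised) so the committed file does not depend on one workstation. This looks like output of the `generate.py` script via `CertUtils.init_nss_db`, so the fix belongs in how that script chooses its working directory.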
|
||||
|
|
@ -14,6 +14,7 @@ support-files =
|
|||
test_cert_version/**
|
||||
test_cert_eku/**
|
||||
test_ocsp_url/**
|
||||
test_ocsp_fetch_method/**
|
||||
|
||||
[test_datasignatureverifier.js]
|
||||
[test_hash_algorithms.js]
|
||||
|
@ -81,3 +82,8 @@ skip-if = os == "android"
|
|||
run-sequentially = hardcoded ports
|
||||
# Bug 1009158: this test times out on Android
|
||||
skip-if = os == "android"
|
||||
[test_ocsp_fetch_method.js]
|
||||
run-sequentially = hardcoded ports
|
||||
# Bug 1009158: this test times out on Android
|
||||
skip-if = os == "android"
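Review bot: The `skip-if = os == "android"` line on the new `[test_ocsp_fetch_method.js]` entry carries `# Bug 1009158: this test times out on Android`, which appears copied from the entry above; unless that bug actually covers this new test, the comment should either cite the bug tracking this test's Android behaviour or state that the skip is precautionary because the test uses a hardcoded port like its neighbours. An inaccurate bug reference makes it hard to know when the skip can be lifted.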
|
||||
|
||||
|
|