security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp


Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purposes.

michael@0 1 /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0 2 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 4
michael@0 5 #include "OCSPCommon.h"
michael@0 6
michael@0 7 #include <stdio.h>
michael@0 8
michael@0 9 #include "ScopedNSSTypes.h"
michael@0 10 #include "TLSServer.h"
michael@0 11 #include "pkixtestutil.h"
michael@0 12 #include "secder.h"
michael@0 13 #include "secerr.h"
michael@0 14
michael@0 15 using namespace mozilla;
michael@0 16 using namespace mozilla::test;
michael@0 17 using namespace mozilla::pkix::test;
michael@0 18
michael@0 19
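/**
 * Builds the OCSP response bytes the test server hands back for a given
 * response type.
 *
 * @param aORT                the kind of response to synthesize
 * @param aCert               the certificate the response is about; its
 *                            issuer is looked up via CERT_FindCertIssuer
 * @param aArena              arena that owns every allocation made here; the
 *                            returned array and the encoded bytes live in it
 * @param aAdditionalCertName nickname of the extra certificate that some
 *                            response types need (the "other" subject cert,
 *                            a different CA, or a delegated signer); ignored
 *                            by the remaining types
 * @return an arena-allocated one-element SECItemArray holding the DER
 *         response (an empty item for ORTEmpty), or nullptr when aORT is
 *         ORTNone or any lookup, allocation or encoding step fails. Failures
 *         are reported through PrintPRError rather than propagated.
 */
SECItemArray *
GetOCSPResponseForType(OCSPResponseType aORT, CERTCertificate *aCert,
                       PLArenaPool *aArena, const char *aAdditionalCertName)
{
  if (aORT == ORTNone) {
    if (gDebugLevel >= DEBUG_WARNINGS) {
      fprintf(stderr, "GetOCSPResponseForType called with type ORTNone, "
                      "which makes no sense.\n");
    }
    return nullptr;
  }

  if (aORT == ORTEmpty) {
    // Model a responder that returns no bytes at all: one item, zero length.
    SECItemArray* arr = SECITEM_AllocArray(aArena, nullptr, 1);
    if (!arr) {
      // Arena allocation can fail; never touch an unchecked result.
      PrintPRError("SECITEM_AllocArray failed");
      return nullptr;
    }
    arr->items[0].data = nullptr;
    arr->items[0].len = 0;
    return arr;
  }

  PRTime now = PR_Now();
  PRTime oneDay = 60*60*24 * (PRTime)PR_USEC_PER_SEC;
  // "Old" responses are dated just over a week in the past.
  PRTime oldNow = now - (8 * oneDay);

  OCSPResponseContext context(aArena, aCert, now);

  if (aORT == ORTGoodOtherCert) {
    // The response is about a different certificate than aCert; note that
    // the issuer below is still derived from aCert.
    context.cert = PK11_FindCertFromNickname(aAdditionalCertName, nullptr);
    if (!context.cert) {
      PrintPRError("PK11_FindCertFromNickname failed");
      return nullptr;
    }
  }
  // XXX CERT_FindCertIssuer uses the old, deprecated path-building logic
  context.issuerCert = CERT_FindCertIssuer(aCert, now, certUsageSSLCA);
  if (!context.issuerCert) {
    PrintPRError("CERT_FindCertIssuer failed");
    return nullptr;
  }
  // These types are signed by a certificate other than the issuer.
  if (aORT == ORTGoodOtherCA || aORT == ORTDelegatedIncluded ||
      aORT == ORTDelegatedIncludedLast || aORT == ORTDelegatedMissing ||
      aORT == ORTDelegatedMissingMultiple) {
    context.signerCert = PK11_FindCertFromNickname(aAdditionalCertName,
                                                   nullptr);
    if (!context.signerCert) {
      PrintPRError("PK11_FindCertFromNickname failed");
      return nullptr;
    }
  }
  if (aORT == ORTDelegatedIncluded) {
    context.includedCertificates[0] =
      CERT_DupCertificate(context.signerCert.get());
  }
  if (aORT == ORTDelegatedIncludedLast || aORT == ORTDelegatedMissingMultiple) {
    // Fill the certs field with several non-signer certificates first; the
    // delegated signer, when it is included at all, comes last.
    context.includedCertificates[0] =
      CERT_DupCertificate(context.issuerCert.get());
    context.includedCertificates[1] = CERT_DupCertificate(context.cert.get());
    context.includedCertificates[2] =
      CERT_DupCertificate(context.issuerCert.get());
    if (aORT != ORTDelegatedMissingMultiple) {
      context.includedCertificates[3] =
        CERT_DupCertificate(context.signerCert.get());
    }
  }
  // OCSPResponseStatus values as enumerated in RFC 6960 section 4.2.1
  // (1 malformedRequest, 2 internalError, 3 tryLater, 5 sigRequired,
  // 6 unauthorized); 0 (successful) is the constructor's default.
  switch (aORT) {
    case ORTMalformed:
      context.responseStatus = 1;
      break;
    case ORTSrverr:
      context.responseStatus = 2;
      break;
    case ORTTryLater:
      context.responseStatus = 3;
      break;
    case ORTNeedsSig:
      context.responseStatus = 5;
      break;
    case ORTUnauthorized:
      context.responseStatus = 6;
      break;
    default:
      // context.responseStatus is 0 in all other cases, and it has
      // already been initialized in the constructor.
      break;
  }
  if (aORT == ORTSkipResponseBytes) {
    context.skipResponseBytes = true;
  }
  if (aORT == ORTExpired || aORT == ORTExpiredFreshCA ||
      aORT == ORTRevokedOld || aORT == ORTUnknownOld) {
    // A validity window that closed eight days ago, ten seconds wide.
    context.thisUpdate = oldNow;
    context.nextUpdate = oldNow + 10 * PR_USEC_PER_SEC;
  }
  if (aORT == ORTLongValidityAlmostExpired) {
    context.thisUpdate = now - (320 * oneDay);
  }
  if (aORT == ORTAncientAlmostExpired) {
    context.thisUpdate = now - (640 * oneDay);
  }
  // CertStatus: 1 is revoked, 2 is unknown; good is the default.
  if (aORT == ORTRevoked || aORT == ORTRevokedOld) {
    context.certStatus = 1;
  }
  if (aORT == ORTUnknown || aORT == ORTUnknownOld) {
    context.certStatus = 2;
  }
  if (aORT == ORTBadSignature) {
    context.badSignature = true;
  }
  // Declared at function scope because context.extensions keeps a pointer
  // to it and CreateEncodedOCSPResponse reads it below.
  OCSPResponseExtension extension;
  if (aORT == ORTCriticalExtension || aORT == ORTNoncriticalExtension) {
    SECItem oidItem = {
      siBuffer,
      nullptr,
      0
    };
    // 1.3.6.1.4.1.13769.666.666.666 is the root of Mozilla's testing OID space
    static const char* testExtensionOID = "1.3.6.1.4.1.13769.666.666.666.1.500.9.2";
    if (SEC_StringToOID(aArena, &oidItem, testExtensionOID,
                        PL_strlen(testExtensionOID)) != SECSuccess) {
      return nullptr;
    }
    // Wrap the raw OID bytes in a DER OBJECT IDENTIFIER TLV.
    DERTemplate oidTemplate[2] = { { DER_OBJECT_ID, 0 }, { 0 } };
    extension.id.data = nullptr;
    extension.id.len = 0;
    if (DER_Encode(aArena, &extension.id, oidTemplate, &oidItem)
          != SECSuccess) {
      return nullptr;
    }
    extension.critical = (aORT == ORTCriticalExtension);
    // DER NULL as the extension value. SECItem::data is non-const, hence the
    // const_cast; the bytes are never written to.
    static const uint8_t value[2] = { 0x05, 0x00 };
    extension.value.data = const_cast<uint8_t*>(value);
    extension.value.len = PR_ARRAY_SIZE(value);
    extension.next = nullptr;
    context.extensions = &extension;
  }
  if (aORT == ORTEmptyExtensions) {
    context.includeEmptyExtensions = true;
  }

  // Unless a delegated signer was selected above, the issuer signs.
  if (!context.signerCert) {
    context.signerCert = CERT_DupCertificate(context.issuerCert.get());
  }

  SECItem* response = CreateEncodedOCSPResponse(context);
  if (!response) {
    PrintPRError("CreateEncodedOCSPResponse failed");
    return nullptr;
  }

  SECItemArray* arr = SECITEM_AllocArray(aArena, nullptr, 1);
  if (!arr) {
    PrintPRError("SECITEM_AllocArray failed");
    return nullptr;
  }
  // Shallow copy: the encoded bytes already live in aArena.
  arr->items[0].data = response->data;
  arr->items[0].len = response->len;

  return arr;
}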
