security/manager/ssl/tests/unit/test_ocsp_required.js@b8a032363ba2 (annotated)
security/manager/ssl/tests/unit/test_ocsp_required.js
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | // -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- |
| michael@0 | 2 | // This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 3 | // License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 4 | // file, You can obtain one at http://mozilla.org/MPL/2.0/. |
| michael@0 | 5 | "use strict"; |
| michael@0 | 6 | |
| michael@0 | 7 | // In which we connect to a domain (as faked by a server running locally) |
| michael@0 | 8 | // and start up an OCSP responder (also basically faked) that gives a |
| michael@0 | 9 | // response with a bad signature. With security.OCSP.require set to true, |
| michael@0 | 10 | // this should fail (but it also shouldn't cause assertion failures). |
| michael@0 | 11 | |
| michael@0 | 12 | let gOCSPRequestCount = 0; |
| michael@0 | 13 | |
| michael@0 | 14 | function run_test() { |
| michael@0 | 15 | do_get_profile(); |
| michael@0 | 16 | Services.prefs.setBoolPref("security.OCSP.require", true); |
| michael@0 | 17 | |
| michael@0 | 18 | // We don't actually make use of stapling in this test. This is just how we |
| michael@0 | 19 | // get a TLS connection. |
| michael@0 | 20 | add_tls_server_setup("OCSPStaplingServer"); |
| michael@0 | 21 | |
| michael@0 | 22 | let args = [["bad-signature", "localhostAndExampleCom", "unused"]]; |
| michael@0 | 23 | let ocspResponses = generateOCSPResponses(args, "tlsserver"); |
| michael@0 | 24 | let ocspResponseBadSignature = ocspResponses[0]; |
| michael@0 | 25 | |
| michael@0 | 26 | let ocspResponder = new HttpServer(); |
| michael@0 | 27 | ocspResponder.registerPrefixHandler("/", function (request, response) { |
| michael@0 | 28 | response.setStatusLine(request.httpVersion, 200, "OK"); |
| michael@0 | 29 | response.setHeader("Content-Type", "application/ocsp-response"); |
| michael@0 | 30 | response.write(ocspResponseBadSignature); |
| michael@0 | 31 | gOCSPRequestCount++; |
| michael@0 | 32 | }); |
| michael@0 | 33 | ocspResponder.start(8080); |
| michael@0 | 34 | |
| michael@0 | 35 | add_tests_in_mode(true); |
| michael@0 | 36 | add_tests_in_mode(false); |
| michael@0 | 37 | |
| michael@0 | 38 | add_test(function () { ocspResponder.stop(run_next_test); }); |
| michael@0 | 39 | |
| michael@0 | 40 | run_next_test(); |
| michael@0 | 41 | } |
| michael@0 | 42 | |
| michael@0 | 43 | function add_tests_in_mode(useMozillaPKIX) |
| michael@0 | 44 | { |
| michael@0 | 45 | add_test(function () { |
| michael@0 | 46 | Services.prefs.setBoolPref("security.use_mozillapkix_verification", |
| michael@0 | 47 | useMozillaPKIX); |
| michael@0 | 48 | run_next_test(); |
| michael@0 | 49 | }); |
| michael@0 | 50 | |
| michael@0 | 51 | add_connection_test("ocsp-stapling-none.example.com", |
| michael@0 | 52 | getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE)); |
| michael@0 | 53 | add_connection_test("ocsp-stapling-none.example.com", |
| michael@0 | 54 | getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE)); |
| michael@0 | 55 | add_test(function () { |
| michael@0 | 56 | do_check_eq(gOCSPRequestCount, 1); |
| michael@0 | 57 | gOCSPRequestCount = 0; |
| michael@0 | 58 | run_next_test(); |
| michael@0 | 59 | }); |
| michael@0 | 60 | } |
