The Tor Browser / annotate

security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp@b8a032363ba2 (annotated)

security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0 2 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 4
michael@0 5 // This is a standalone server that delivers various stapled OCSP responses.
michael@0 6 // The client is expected to connect, initiate an SSL handshake (with SNI
michael@0 7 // to indicate which "server" to connect to), and verify the OCSP response.
michael@0 8 // If all is good, the client then sends one encrypted byte and receives that
michael@0 9 // same byte back.
michael@0 10 // This server also has the ability to "call back" another process waiting on
michael@0 11 // it. That is, when the server is all set up and ready to receive connections,
michael@0 12 // it will connect to a specified port and issue a simple HTTP request.
michael@0 13
michael@0 14 #include <stdio.h>
michael@0 15
michael@0 16 #include "OCSPCommon.h"
michael@0 17 #include "TLSServer.h"
michael@0 18
michael@0 19 using namespace mozilla;
michael@0 20 using namespace mozilla::test;
michael@0 21
michael@0 22 const OCSPHost sOCSPHosts[] =
michael@0 23 {
michael@0 24 { "ocsp-stapling-good.example.com", ORTGood, nullptr },
michael@0 25 { "ocsp-stapling-revoked.example.com", ORTRevoked, nullptr },
michael@0 26 { "ocsp-stapling-revoked-old.example.com", ORTRevokedOld, nullptr },
michael@0 27 { "ocsp-stapling-unknown.example.com", ORTUnknown, nullptr },
michael@0 28 { "ocsp-stapling-unknown-old.example.com", ORTUnknownOld, nullptr },
michael@0 29 { "ocsp-stapling-good-other.example.com", ORTGoodOtherCert, "ocspOtherEndEntity" },
michael@0 30 { "ocsp-stapling-good-other-ca.example.com", ORTGoodOtherCA, "otherCA" },
michael@0 31 { "ocsp-stapling-expired.example.com", ORTExpired, nullptr },
michael@0 32 { "ocsp-stapling-expired-fresh-ca.example.com", ORTExpiredFreshCA, nullptr },
michael@0 33 { "ocsp-stapling-none.example.com", ORTNone, nullptr },
michael@0 34 { "ocsp-stapling-empty.example.com", ORTEmpty, nullptr },
michael@0 35 { "ocsp-stapling-malformed.example.com", ORTMalformed, nullptr },
michael@0 36 { "ocsp-stapling-srverr.example.com", ORTSrverr, nullptr },
michael@0 37 { "ocsp-stapling-trylater.example.com", ORTTryLater, nullptr },
michael@0 38 { "ocsp-stapling-needssig.example.com", ORTNeedsSig, nullptr },
michael@0 39 { "ocsp-stapling-unauthorized.example.com", ORTUnauthorized, nullptr },
michael@0 40 { "ocsp-stapling-with-intermediate.example.com", ORTGood, "ocspEEWithIntermediate" },
michael@0 41 { "ocsp-stapling-bad-signature.example.com", ORTBadSignature, nullptr },
michael@0 42 { "ocsp-stapling-skip-responseBytes.example.com", ORTSkipResponseBytes, nullptr },
michael@0 43 { "ocsp-stapling-critical-extension.example.com", ORTCriticalExtension, nullptr },
michael@0 44 { "ocsp-stapling-noncritical-extension.example.com", ORTNoncriticalExtension, nullptr },
michael@0 45 { "ocsp-stapling-empty-extensions.example.com", ORTEmptyExtensions, nullptr },
michael@0 46 { "ocsp-stapling-delegated-included.example.com", ORTDelegatedIncluded, "delegatedSigner" },
michael@0 47 { "ocsp-stapling-delegated-included-last.example.com", ORTDelegatedIncludedLast, "delegatedSigner" },
michael@0 48 { "ocsp-stapling-delegated-missing.example.com", ORTDelegatedMissing, "delegatedSigner" },
michael@0 49 { "ocsp-stapling-delegated-missing-multiple.example.com", ORTDelegatedMissingMultiple, "delegatedSigner" },
michael@0 50 { "ocsp-stapling-delegated-no-extKeyUsage.example.com", ORTDelegatedIncluded, "invalidDelegatedSignerNoExtKeyUsage" },
michael@0 51 { "ocsp-stapling-delegated-from-intermediate.example.com", ORTDelegatedIncluded, "invalidDelegatedSignerFromIntermediate" },
michael@0 52 { "ocsp-stapling-delegated-keyUsage-crlSigning.example.com", ORTDelegatedIncluded, "invalidDelegatedSignerKeyUsageCrlSigning" },
michael@0 53 { "ocsp-stapling-delegated-wrong-extKeyUsage.example.com", ORTDelegatedIncluded, "invalidDelegatedSignerWrongExtKeyUsage" },
michael@0 54 { "ocsp-stapling-ancient-valid.example.com", ORTAncientAlmostExpired, nullptr},
michael@0 55 { nullptr, ORTNull, nullptr }
michael@0 56 };
michael@0 57
michael@0 58 int32_t
michael@0 59 DoSNISocketConfig(PRFileDesc *aFd, const SECItem *aSrvNameArr,
michael@0 60 uint32_t aSrvNameArrSize, void *aArg)
michael@0 61 {
michael@0 62 const OCSPHost *host = GetHostForSNI(aSrvNameArr, aSrvNameArrSize,
michael@0 63 sOCSPHosts);
michael@0 64 if (!host) {
michael@0 65 return SSL_SNI_SEND_ALERT;
michael@0 66 }
michael@0 67
michael@0 68 if (gDebugLevel >= DEBUG_VERBOSE) {
michael@0 69 fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
michael@0 70 }
michael@0 71
michael@0 72 const char *certNickname;
michael@0 73 if (strcmp(host->mHostName,
michael@0 74 "ocsp-stapling-with-intermediate.example.com") == 0) {
michael@0 75 certNickname = host->mAdditionalCertName;
michael@0 76 } else {
michael@0 77 certNickname = DEFAULT_CERT_NICKNAME;
michael@0 78 }
michael@0 79
michael@0 80 ScopedCERTCertificate cert;
michael@0 81 SSLKEAType certKEA;
michael@0 82 if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, certNickname,
michael@0 83 &cert, &certKEA)) {
michael@0 84 return SSL_SNI_SEND_ALERT;
michael@0 85 }
michael@0 86
michael@0 87 // If the OCSP response type is "none", don't staple a response.
michael@0 88 if (host->mORT == ORTNone) {
michael@0 89 return 0;
michael@0 90 }
michael@0 91
michael@0 92 PLArenaPool *arena = PORT_NewArena(1024);
michael@0 93 if (!arena) {
michael@0 94 PrintPRError("PORT_NewArena failed");
michael@0 95 return SSL_SNI_SEND_ALERT;
michael@0 96 }
michael@0 97
michael@0 98 // response is contained by the arena - freeing the arena will free it
michael@0 99 SECItemArray *response = GetOCSPResponseForType(host->mORT, cert, arena,
michael@0 100 host->mAdditionalCertName);
michael@0 101 if (!response) {
michael@0 102 PORT_FreeArena(arena, PR_FALSE);
michael@0 103 return SSL_SNI_SEND_ALERT;
michael@0 104 }
michael@0 105
michael@0 106 // SSL_SetStapledOCSPResponses makes a deep copy of response
michael@0 107 SECStatus st = SSL_SetStapledOCSPResponses(aFd, response, certKEA);
michael@0 108 PORT_FreeArena(arena, PR_FALSE);
michael@0 109 if (st != SECSuccess) {
michael@0 110 PrintPRError("SSL_SetStapledOCSPResponses failed");
michael@0 111 return SSL_SNI_SEND_ALERT;
michael@0 112 }
michael@0 113
michael@0 114 return 0;
michael@0 115 }
michael@0 116
michael@0 117 int
michael@0 118 main(int argc, char *argv[])
michael@0 119 {
michael@0 120 if (argc != 2) {
michael@0 121 fprintf(stderr, "usage: %s <NSS DB directory>\n", argv[0]);
michael@0 122 return 1;
michael@0 123 }
michael@0 124
michael@0 125 return StartServer(argv[1], DoSNISocketConfig, nullptr);
michael@0 126 }

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial