The Tor Browser / annotate

security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp@b8a032363ba2 (annotated)

security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0 1 /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0 2 * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0 4
michael@0 5 #include "OCSPCommon.h"
michael@0 6
michael@0 7 #include <stdio.h>
michael@0 8
michael@0 9 #include "ScopedNSSTypes.h"
michael@0 10 #include "TLSServer.h"
michael@0 11 #include "pkixtestutil.h"
michael@0 12 #include "secder.h"
michael@0 13 #include "secerr.h"
michael@0 14
michael@0 15 using namespace mozilla;
michael@0 16 using namespace mozilla::test;
michael@0 17 using namespace mozilla::pkix::test;
michael@0 18
michael@0 19
michael@0 20 SECItemArray *
michael@0 21 GetOCSPResponseForType(OCSPResponseType aORT, CERTCertificate *aCert,
michael@0 22 PLArenaPool *aArena, const char *aAdditionalCertName)
michael@0 23 {
michael@0 24 if (aORT == ORTNone) {
michael@0 25 if (gDebugLevel >= DEBUG_WARNINGS) {
michael@0 26 fprintf(stderr, "GetOCSPResponseForType called with type ORTNone, "
michael@0 27 "which makes no sense.\n");
michael@0 28 }
michael@0 29 return nullptr;
michael@0 30 }
michael@0 31
michael@0 32 if (aORT == ORTEmpty) {
michael@0 33 SECItemArray* arr = SECITEM_AllocArray(aArena, nullptr, 1);
michael@0 34 arr->items[0].data = nullptr;
michael@0 35 arr->items[0].len = 0;
michael@0 36 return arr;
michael@0 37 }
michael@0 38
michael@0 39 PRTime now = PR_Now();
michael@0 40 PRTime oneDay = 60*60*24 * (PRTime)PR_USEC_PER_SEC;
michael@0 41 PRTime oldNow = now - (8 * oneDay);
michael@0 42
michael@0 43 OCSPResponseContext context(aArena, aCert, now);
michael@0 44
michael@0 45 if (aORT == ORTGoodOtherCert) {
michael@0 46 context.cert = PK11_FindCertFromNickname(aAdditionalCertName, nullptr);
michael@0 47 if (!context.cert) {
michael@0 48 PrintPRError("PK11_FindCertFromNickname failed");
michael@0 49 return nullptr;
michael@0 50 }
michael@0 51 }
michael@0 52 // XXX CERT_FindCertIssuer uses the old, deprecated path-building logic
michael@0 53 context.issuerCert = CERT_FindCertIssuer(aCert, now, certUsageSSLCA);
michael@0 54 if (!context.issuerCert) {
michael@0 55 PrintPRError("CERT_FindCertIssuer failed");
michael@0 56 return nullptr;
michael@0 57 }
michael@0 58 if (aORT == ORTGoodOtherCA || aORT == ORTDelegatedIncluded ||
michael@0 59 aORT == ORTDelegatedIncludedLast || aORT == ORTDelegatedMissing ||
michael@0 60 aORT == ORTDelegatedMissingMultiple) {
michael@0 61 context.signerCert = PK11_FindCertFromNickname(aAdditionalCertName,
michael@0 62 nullptr);
michael@0 63 if (!context.signerCert) {
michael@0 64 PrintPRError("PK11_FindCertFromNickname failed");
michael@0 65 return nullptr;
michael@0 66 }
michael@0 67 }
michael@0 68 if (aORT == ORTDelegatedIncluded) {
michael@0 69 context.includedCertificates[0] =
michael@0 70 CERT_DupCertificate(context.signerCert.get());
michael@0 71 }
michael@0 72 if (aORT == ORTDelegatedIncludedLast || aORT == ORTDelegatedMissingMultiple) {
michael@0 73 context.includedCertificates[0] =
michael@0 74 CERT_DupCertificate(context.issuerCert.get());
michael@0 75 context.includedCertificates[1] = CERT_DupCertificate(context.cert.get());
michael@0 76 context.includedCertificates[2] =
michael@0 77 CERT_DupCertificate(context.issuerCert.get());
michael@0 78 if (aORT != ORTDelegatedMissingMultiple) {
michael@0 79 context.includedCertificates[3] =
michael@0 80 CERT_DupCertificate(context.signerCert.get());
michael@0 81 }
michael@0 82 }
michael@0 83 switch (aORT) {
michael@0 84 case ORTMalformed:
michael@0 85 context.responseStatus = 1;
michael@0 86 break;
michael@0 87 case ORTSrverr:
michael@0 88 context.responseStatus = 2;
michael@0 89 break;
michael@0 90 case ORTTryLater:
michael@0 91 context.responseStatus = 3;
michael@0 92 break;
michael@0 93 case ORTNeedsSig:
michael@0 94 context.responseStatus = 5;
michael@0 95 break;
michael@0 96 case ORTUnauthorized:
michael@0 97 context.responseStatus = 6;
michael@0 98 break;
michael@0 99 default:
michael@0 100 // context.responseStatus is 0 in all other cases, and it has
michael@0 101 // already been initialized in the constructor.
michael@0 102 break;
michael@0 103 }
michael@0 104 if (aORT == ORTSkipResponseBytes) {
michael@0 105 context.skipResponseBytes = true;
michael@0 106 }
michael@0 107 if (aORT == ORTExpired || aORT == ORTExpiredFreshCA ||
michael@0 108 aORT == ORTRevokedOld || aORT == ORTUnknownOld) {
michael@0 109 context.thisUpdate = oldNow;
michael@0 110 context.nextUpdate = oldNow + 10 * PR_USEC_PER_SEC;
michael@0 111 }
michael@0 112 if (aORT == ORTLongValidityAlmostExpired) {
michael@0 113 context.thisUpdate = now - (320 * oneDay);
michael@0 114 }
michael@0 115 if (aORT == ORTAncientAlmostExpired) {
michael@0 116 context.thisUpdate = now - (640 * oneDay);
michael@0 117 }
michael@0 118 if (aORT == ORTRevoked || aORT == ORTRevokedOld) {
michael@0 119 context.certStatus = 1;
michael@0 120 }
michael@0 121 if (aORT == ORTUnknown || aORT == ORTUnknownOld) {
michael@0 122 context.certStatus = 2;
michael@0 123 }
michael@0 124 if (aORT == ORTBadSignature) {
michael@0 125 context.badSignature = true;
michael@0 126 }
michael@0 127 OCSPResponseExtension extension;
michael@0 128 if (aORT == ORTCriticalExtension || aORT == ORTNoncriticalExtension) {
michael@0 129 SECItem oidItem = {
michael@0 130 siBuffer,
michael@0 131 nullptr,
michael@0 132 0
michael@0 133 };
michael@0 134 // 1.3.6.1.4.1.13769.666.666.666 is the root of Mozilla's testing OID space
michael@0 135 static const char* testExtensionOID = "1.3.6.1.4.1.13769.666.666.666.1.500.9.2";
michael@0 136 if (SEC_StringToOID(aArena, &oidItem, testExtensionOID,
michael@0 137 PL_strlen(testExtensionOID)) != SECSuccess) {
michael@0 138 return nullptr;
michael@0 139 }
michael@0 140 DERTemplate oidTemplate[2] = { { DER_OBJECT_ID, 0 }, { 0 } };
michael@0 141 extension.id.data = nullptr;
michael@0 142 extension.id.len = 0;
michael@0 143 if (DER_Encode(aArena, &extension.id, oidTemplate, &oidItem)
michael@0 144 != SECSuccess) {
michael@0 145 return nullptr;
michael@0 146 }
michael@0 147 extension.critical = (aORT == ORTCriticalExtension);
michael@0 148 static const uint8_t value[2] = { 0x05, 0x00 };
michael@0 149 extension.value.data = const_cast<uint8_t*>(value);
michael@0 150 extension.value.len = PR_ARRAY_SIZE(value);
michael@0 151 extension.next = nullptr;
michael@0 152 context.extensions = &extension;
michael@0 153 }
michael@0 154 if (aORT == ORTEmptyExtensions) {
michael@0 155 context.includeEmptyExtensions = true;
michael@0 156 }
michael@0 157
michael@0 158 if (!context.signerCert) {
michael@0 159 context.signerCert = CERT_DupCertificate(context.issuerCert.get());
michael@0 160 }
michael@0 161
michael@0 162 SECItem* response = CreateEncodedOCSPResponse(context);
michael@0 163 if (!response) {
michael@0 164 PrintPRError("CreateEncodedOCSPResponse failed");
michael@0 165 return nullptr;
michael@0 166 }
michael@0 167
michael@0 168 SECItemArray* arr = SECITEM_AllocArray(aArena, nullptr, 1);
michael@0 169 if (!arr) {
michael@0 170 PrintPRError("SECITEM_AllocArray failed");
michael@0 171 return nullptr;
michael@0 172 }
michael@0 173 arr->items[0].data = response->data;
michael@0 174 arr->items[0].len = response->len;
michael@0 175
michael@0 176 return arr;
michael@0 177 }

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial