The Tor Browser / file comparison

comparison: security/manager/ssl/tests/unit/test_ocsp_stapling.js

security/manager/ssl/tests/unit/test_ocsp_stapling.js

changeset 0
6474c204b198
equal deleted inserted replaced
-1:000000000000 0:7579684c8258
1 // -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 // This Source Code Form is subject to the terms of the Mozilla Public
3 // License, v. 2.0. If a copy of the MPL was not distributed with this
4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
5 "use strict";
6
7 // In which we connect to a number of domains (as faked by a server running
8 // locally) with and without OCSP stapling enabled to determine that good
9 // things happen and bad things don't.
10
11 let gExpectOCSPRequest;
12
13 function add_ocsp_test(aHost, aExpectedResult, aStaplingEnabled) {
14 add_connection_test(aHost, aExpectedResult,
15 function() {
16 gExpectOCSPRequest = !aStaplingEnabled;
17 clearOCSPCache();
18 clearSessionCache();
19 Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling",
20 aStaplingEnabled);
21 });
22 }
23
24 function add_tests_in_mode(useMozillaPKIX, certDB, otherTestCA) {
25 add_test(function () {
26 Services.prefs.setBoolPref("security.use_mozillapkix_verification",
27 useMozillaPKIX);
28 run_next_test();
29 });
30
31 // In the absence of OCSP stapling, these should actually all work.
32 add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, false);
33 add_ocsp_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false);
34 add_ocsp_test("ocsp-stapling-good-other-ca.example.com", Cr.NS_OK, false);
35 add_ocsp_test("ocsp-stapling-malformed.example.com", Cr.NS_OK, false);
36 add_ocsp_test("ocsp-stapling-srverr.example.com", Cr.NS_OK, false);
37 add_ocsp_test("ocsp-stapling-trylater.example.com", Cr.NS_OK, false);
38 add_ocsp_test("ocsp-stapling-needssig.example.com", Cr.NS_OK, false);
39 add_ocsp_test("ocsp-stapling-unauthorized.example.com", Cr.NS_OK, false);
40 add_ocsp_test("ocsp-stapling-unknown.example.com", Cr.NS_OK, false);
41 add_ocsp_test("ocsp-stapling-good-other.example.com", Cr.NS_OK, false);
42 add_ocsp_test("ocsp-stapling-none.example.com", Cr.NS_OK, false);
43 add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK, false);
44 add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK, false);
45 add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com", Cr.NS_OK, false);
46 add_ocsp_test("ocsp-stapling-critical-extension.example.com", Cr.NS_OK, false);
47 add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", Cr.NS_OK, false);
48 add_ocsp_test("ocsp-stapling-empty-extensions.example.com", Cr.NS_OK, false);
49
50 // Now test OCSP stapling
51 // The following error codes are defined in security/nss/lib/util/SECerrs.h
52
53 add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, true);
54
55 add_ocsp_test("ocsp-stapling-revoked.example.com",
56 getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), true);
57
58 // SEC_ERROR_OCSP_INVALID_SIGNING_CERT vs SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
59 // depends on whether the CA that signed the response is a trusted CA
60 // (but only with the classic implementation - mozilla::pkix always
61 // results in the error SEC_ERROR_OCSP_INVALID_SIGNING_CERT).
62
63 // This stapled response is from a CA that is untrusted and did not issue
64 // the server's certificate.
65 add_test(function() {
66 certDB.setCertTrust(otherTestCA, Ci.nsIX509Cert.CA_CERT,
67 Ci.nsIX509CertDB.UNTRUSTED);
68 run_next_test();
69 });
70 add_ocsp_test("ocsp-stapling-good-other-ca.example.com",
71 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
72
73 // The stapled response is from a CA that is trusted but did not issue the
74 // server's certificate.
75 add_test(function() {
76 certDB.setCertTrust(otherTestCA, Ci.nsIX509Cert.CA_CERT,
77 Ci.nsIX509CertDB.TRUSTED_SSL);
78 run_next_test();
79 });
80 // TODO(bug 979055): When using ByName instead of ByKey, the error here is
81 // SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE. We should be testing both cases.
82 add_ocsp_test("ocsp-stapling-good-other-ca.example.com",
83 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT),
84 true);
85
86 // TODO: Test the case where the signing cert can't be found at all, which
87 // will result in SEC_ERROR_BAD_DATABASE in the NSS classic case.
88
89 add_ocsp_test("ocsp-stapling-malformed.example.com",
90 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_REQUEST), true);
91 add_ocsp_test("ocsp-stapling-srverr.example.com",
92 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_SERVER_ERROR), true);
93 add_ocsp_test("ocsp-stapling-trylater.example.com",
94 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_TRY_SERVER_LATER), true);
95 add_ocsp_test("ocsp-stapling-needssig.example.com",
96 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG), true);
97 add_ocsp_test("ocsp-stapling-unauthorized.example.com",
98 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST),
99 true);
100 add_ocsp_test("ocsp-stapling-unknown.example.com",
101 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true);
102 add_ocsp_test("ocsp-stapling-good-other.example.com",
103 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT), true);
104 // If the server doesn't staple an OCSP response, we continue as normal
105 // (this means that even though stapling is enabled, we expect an OCSP
106 // request).
107 add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
108 function() {
109 gExpectOCSPRequest = true;
110 clearOCSPCache();
111 clearSessionCache();
112 Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
113 }
114 );
115 add_ocsp_test("ocsp-stapling-empty.example.com",
116 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
117
118 // TODO(bug 979070): NSS can't handle this yet.
119 if (useMozillaPKIX) {
120 add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
121 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
122 }
123
124 add_ocsp_test("ocsp-stapling-critical-extension.example.com",
125 useMozillaPKIX
126 ? getXPCOMStatusFromNSS(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION)
127 : Cr.NS_OK, // TODO(bug 987426): NSS doesn't handle unknown critical extensions
128 true);
129 add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", Cr.NS_OK, true);
130 // TODO(bug 997994): Disallow empty Extensions in responses
131 add_ocsp_test("ocsp-stapling-empty-extensions.example.com", Cr.NS_OK, true);
132
133 add_ocsp_test("ocsp-stapling-delegated-included.example.com", Cr.NS_OK, true);
134 add_ocsp_test("ocsp-stapling-delegated-included-last.example.com", Cr.NS_OK, true);
135 add_ocsp_test("ocsp-stapling-delegated-missing.example.com",
136 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
137 add_ocsp_test("ocsp-stapling-delegated-missing-multiple.example.com",
138 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
139 add_ocsp_test("ocsp-stapling-delegated-no-extKeyUsage.example.com",
140 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
141 add_ocsp_test("ocsp-stapling-delegated-from-intermediate.example.com",
142 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
143 add_ocsp_test("ocsp-stapling-delegated-keyUsage-crlSigning.example.com",
144 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
145 add_ocsp_test("ocsp-stapling-delegated-wrong-extKeyUsage.example.com",
146 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
147
148 // ocsp-stapling-expired.example.com and
149 // ocsp-stapling-expired-fresh-ca.example.com are handled in
150 // test_ocsp_stapling_expired.js
151 }
152
153 function check_ocsp_stapling_telemetry() {
154 let histogram = Cc["@mozilla.org/base/telemetry;1"]
155 .getService(Ci.nsITelemetry)
156 .getHistogramById("SSL_OCSP_STAPLING")
157 .snapshot();
158 do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused
159 do_check_eq(histogram.counts[1], 5 + 6); // 5 or 6 connections with a good response (bug 987426)
160 do_check_eq(histogram.counts[2], 2 * 18); // 18 connections with no stapled resp.
161 do_check_eq(histogram.counts[3], 2 * 0); // 0 connections with an expired response
162 do_check_eq(histogram.counts[4], 19 + 17); // 19 or 17 connections with bad responses (bug 979070, bug 987426)
163 run_next_test();
164 }
165
166 function run_test() {
167 do_get_profile();
168
169 let certDB = Cc["@mozilla.org/security/x509certdb;1"]
170 .getService(Ci.nsIX509CertDB);
171 let otherTestCAFile = do_get_file("tlsserver/other-test-ca.der", false);
172 let otherTestCADER = readFile(otherTestCAFile);
173 let otherTestCA = certDB.constructX509(otherTestCADER, otherTestCADER.length);
174
175 let fakeOCSPResponder = new HttpServer();
176 fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
177 response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
178 do_check_true(gExpectOCSPRequest);
179 });
180 fakeOCSPResponder.start(8080);
181
182 add_tls_server_setup("OCSPStaplingServer");
183
184 add_tests_in_mode(true, certDB, otherTestCA);
185 add_tests_in_mode(false, certDB, otherTestCA);
186
187 add_test(function () {
188 fakeOCSPResponder.stop(check_ocsp_stapling_telemetry);
189 });
190
191 run_next_test();
192 }

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial