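--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_url.js
@@ -0,0 +1,141 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// In which we try to validate several ocsp responses, checking in particular
+// if the ocsp url is valid and the path expressed is correctly passed to
+// the caller.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"]
+                 .getService(Ci.nsIX509CertDB);
+
+const SERVER_PORT = 8888;
+
+function failingOCSPResponder() {
+  return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
+}
+
+function start_ocsp_responder(expectedCertNames, expectedPaths) {
+  return startOCSPResponder(SERVER_PORT, "www.example.com", [],
+                            "test_ocsp_url", expectedCertNames, expectedPaths);
+}
+
+function check_cert_err(cert_name, expected_error) {
+  let cert = constructCertFromFile("test_ocsp_url/" + cert_name + ".der");
+  return checkCertErrorGeneric(certdb, cert, expected_error,
+                               certificateUsageSSLServer);
+}
+
+function run_test() {
+  addCertFromFile(certdb, "test_ocsp_url/ca.der", 'CTu,CTu,CTu');
+  addCertFromFile(certdb, "test_ocsp_url/int.der", ',,');
+
+  // Enabled so that we can force ocsp failure responses.
+  Services.prefs.setBoolPref("security.OCSP.require", true);
+
+  Services.prefs.setCharPref("network.dns.localDomains",
+                             "www.example.com");
+
+  add_tests_in_mode(true);
+  add_tests_in_mode(false);
+  run_next_test();
+}
+
+function add_tests_in_mode(useMozillaPKIX)
+{
+  add_test(function() {
+    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
+                               useMozillaPKIX);
+    run_next_test();
+  });
+
+  add_test(function() {
+    clearOCSPCache();
+    let ocspResponder = failingOCSPResponder();
+    check_cert_err("bad-scheme",
+                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    ocspResponder.stop(run_next_test);
+  });
+
+  add_test(function() {
+    clearOCSPCache();
+    let ocspResponder = failingOCSPResponder();
+    check_cert_err("empty-scheme-url",
+                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    ocspResponder.stop(run_next_test);
+  });
+
+  add_test(function() {
+    clearOCSPCache();
+    let ocspResponder = failingOCSPResponder();
+    check_cert_err("https-url",
+                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    ocspResponder.stop(run_next_test);
+  });
+
+  add_test(function() {
+    clearOCSPCache();
+    let ocspResponder = start_ocsp_responder(["hTTp-url"], ["hTTp-url"]);
+    check_cert_err("hTTp-url", 0);
+    ocspResponder.stop(run_next_test);
+  });
+
+  add_test(function() {
+    clearOCSPCache();
+    let ocspResponder = failingOCSPResponder();
+    check_cert_err("negative-port",
+                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    ocspResponder.stop(run_next_test);
+  });
+
+  add_test(function() {
+    clearOCSPCache();
+    let ocspResponder = failingOCSPResponder();
+    // XXX Bug 1013615 parser accepts ":8888" as hostname
+    check_cert_err("no-host-url", SEC_ERROR_OCSP_SERVER_ERROR);
+    ocspResponder.stop(run_next_test);
+  });
+
+  add_test(function() {
+    clearOCSPCache();
+    let ocspResponder = start_ocsp_responder(["no-path-url"], ['']);
+    check_cert_err("no-path-url", 0);
+    ocspResponder.stop(run_next_test);
+  });
+
+  add_test(function() {
+    clearOCSPCache();
+    let ocspResponder = failingOCSPResponder();
+    check_cert_err("no-scheme-host-port",
+                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    ocspResponder.stop(run_next_test);
+  });
+
+  add_test(function() {
+    clearOCSPCache();
+    let ocspResponder = failingOCSPResponder();
+    check_cert_err("no-scheme-url",
+                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    ocspResponder.stop(run_next_test);
+  });
+
+  add_test(function() {
+    clearOCSPCache();
+    let ocspResponder = failingOCSPResponder();
+    check_cert_err("unknown-scheme",
+                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
+                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
+    ocspResponder.stop(run_next_test);
+  });
+
+}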
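Review bot: Seven of the add_test bodies in add_tests_in_mode (bad-scheme, empty-scheme-url, https-url, negative-port, no-scheme-host-port, no-scheme-url, unknown-scheme) are the same four statements with only the certificate name changed, so each new rejected-URL shape has to be added by copying a whole block and the set of URL forms the verifier must refuse cannot be read in one place. A helper taking the cert name and `useMozillaPKIX`, driven from a list of names, keeps the per-mode expected error in one spot; it is sketched below, and the hTTp-url, no-host-url and no-path-url tests keep their own bodies because they use a different responder or expected error. Separately, add_tests_in_mode puts its opening brace on its own line and leaves a blank line before its closing brace, unlike every other function in this file; `function add_tests_in_mode(useMozillaPKIX) {` would match the rest.
```javascript
// Each of these certificates carries an OCSP AIA URL the verifier must
// refuse; the expected error differs between the two verification modes.
function add_rejected_url_test(certName, useMozillaPKIX) {
  add_test(function() {
    clearOCSPCache();
    let ocspResponder = failingOCSPResponder();
    check_cert_err(certName,
                   useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
                                  : SEC_ERROR_OCSP_MALFORMED_REQUEST);
    ocspResponder.stop(run_next_test);
  });
}

function add_tests_in_mode(useMozillaPKIX) {
  // … unchanged: pref-setting add_test …
  for (let certName of ["bad-scheme", "empty-scheme-url", "https-url",
                        "negative-port", "no-scheme-host-port",
                        "no-scheme-url", "unknown-scheme"]) {
    add_rejected_url_test(certName, useMozillaPKIX);
  }
  // … unchanged: hTTp-url, no-host-url and no-path-url tests …
}
```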