security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp

changeset 0
6474c204b198
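--- /dev/null
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
@@ -0,0 +1,177 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "OCSPCommon.h"
+
+#include <stdio.h>
+
+#include "ScopedNSSTypes.h"
+#include "TLSServer.h"
+#include "pkixtestutil.h"
+#include "secder.h"
+#include "secerr.h"
+
+using namespace mozilla;
+using namespace mozilla::test;
+using namespace mozilla::pkix::test;
+
+
+SECItemArray *
+GetOCSPResponseForType(OCSPResponseType aORT, CERTCertificate *aCert,
+                       PLArenaPool *aArena, const char *aAdditionalCertName)
+{
+  if (aORT == ORTNone) {
+    if (gDebugLevel >= DEBUG_WARNINGS) {
+      fprintf(stderr, "GetOCSPResponseForType called with type ORTNone, "
+                      "which makes no sense.\n");
+    }
+    return nullptr;
+  }
+
+  if (aORT == ORTEmpty) {
+    SECItemArray* arr = SECITEM_AllocArray(aArena, nullptr, 1);
+    arr->items[0].data = nullptr;
+    arr->items[0].len = 0;
+    return arr;
+  }
+
+  PRTime now = PR_Now();
+  PRTime oneDay = 60*60*24 * (PRTime)PR_USEC_PER_SEC;
+  PRTime oldNow = now - (8 * oneDay);
+
+  OCSPResponseContext context(aArena, aCert, now);
+
+  if (aORT == ORTGoodOtherCert) {
+    context.cert = PK11_FindCertFromNickname(aAdditionalCertName, nullptr);
+    if (!context.cert) {
+      PrintPRError("PK11_FindCertFromNickname failed");
+      return nullptr;
+    }
+  }
+  // XXX CERT_FindCertIssuer uses the old, deprecated path-building logic
+  context.issuerCert = CERT_FindCertIssuer(aCert, now, certUsageSSLCA);
+  if (!context.issuerCert) {
+    PrintPRError("CERT_FindCertIssuer failed");
+    return nullptr;
+  }
+  if (aORT == ORTGoodOtherCA || aORT == ORTDelegatedIncluded ||
+      aORT == ORTDelegatedIncludedLast || aORT == ORTDelegatedMissing ||
+      aORT == ORTDelegatedMissingMultiple) {
+    context.signerCert = PK11_FindCertFromNickname(aAdditionalCertName,
+                                                   nullptr);
+    if (!context.signerCert) {
+      PrintPRError("PK11_FindCertFromNickname failed");
+      return nullptr;
+    }
+  }
+  if (aORT == ORTDelegatedIncluded) {
+    context.includedCertificates[0] =
+      CERT_DupCertificate(context.signerCert.get());
+  }
+  if (aORT == ORTDelegatedIncludedLast || aORT == ORTDelegatedMissingMultiple) {
+    context.includedCertificates[0] =
+      CERT_DupCertificate(context.issuerCert.get());
+    context.includedCertificates[1] = CERT_DupCertificate(context.cert.get());
+    context.includedCertificates[2] =
+      CERT_DupCertificate(context.issuerCert.get());
+    if (aORT != ORTDelegatedMissingMultiple) {
+      context.includedCertificates[3] =
+        CERT_DupCertificate(context.signerCert.get());
+    }
+  }
+  switch (aORT) {
+    case ORTMalformed:
+      context.responseStatus = 1;
+      break;
+    case ORTSrverr:
+      context.responseStatus = 2;
+      break;
+    case ORTTryLater:
+      context.responseStatus = 3;
+      break;
+    case ORTNeedsSig:
+      context.responseStatus = 5;
+      break;
+    case ORTUnauthorized:
+      context.responseStatus = 6;
+      break;
+    default:
+      // context.responseStatus is 0 in all other cases, and it has
+      // already been initialized in the constructor.
+      break;
+  }
+  if (aORT == ORTSkipResponseBytes) {
+    context.skipResponseBytes = true;
+  }
+  if (aORT == ORTExpired || aORT == ORTExpiredFreshCA ||
+      aORT == ORTRevokedOld || aORT == ORTUnknownOld) {
+    context.thisUpdate = oldNow;
+    context.nextUpdate = oldNow + 10 * PR_USEC_PER_SEC;
+  }
+  if (aORT == ORTLongValidityAlmostExpired) {
+    context.thisUpdate = now - (320 * oneDay);
+  }
+  if (aORT == ORTAncientAlmostExpired) {
+    context.thisUpdate = now - (640 * oneDay);
+  }
+  if (aORT == ORTRevoked || aORT == ORTRevokedOld) {
+    context.certStatus = 1;
+  }
+  if (aORT == ORTUnknown || aORT == ORTUnknownOld) {
+    context.certStatus = 2;
+  }
+  if (aORT == ORTBadSignature) {
+    context.badSignature = true;
+  }
+  OCSPResponseExtension extension;
+  if (aORT == ORTCriticalExtension || aORT == ORTNoncriticalExtension) {
+    SECItem oidItem = {
+      siBuffer,
+      nullptr,
+      0
+    };
+    // 1.3.6.1.4.1.13769.666.666.666 is the root of Mozilla's testing OID space
+    static const char* testExtensionOID = "1.3.6.1.4.1.13769.666.666.666.1.500.9.2";
+    if (SEC_StringToOID(aArena, &oidItem, testExtensionOID,
+                        PL_strlen(testExtensionOID)) != SECSuccess) {
+      return nullptr;
+    }
+    DERTemplate oidTemplate[2] = { { DER_OBJECT_ID, 0 }, { 0 } };
+    extension.id.data = nullptr;
+    extension.id.len = 0;
+    if (DER_Encode(aArena, &extension.id, oidTemplate, &oidItem)
+          != SECSuccess) {
+      return nullptr;
+    }
+    extension.critical = (aORT == ORTCriticalExtension);
+    static const uint8_t value[2] = { 0x05, 0x00 };
+    extension.value.data = const_cast<uint8_t*>(value);
+    extension.value.len = PR_ARRAY_SIZE(value);
+    extension.next = nullptr;
+    context.extensions = &extension;
+  }
+  if (aORT == ORTEmptyExtensions) {
+    context.includeEmptyExtensions = true;
+  }
+
+  if (!context.signerCert) {
+    context.signerCert = CERT_DupCertificate(context.issuerCert.get());
+  }
+
+  SECItem* response = CreateEncodedOCSPResponse(context);
+  if (!response) {
+    PrintPRError("CreateEncodedOCSPResponse failed");
+    return nullptr;
+  }
+
+  SECItemArray* arr = SECITEM_AllocArray(aArena, nullptr, 1);
+  if (!arr) {
+    PrintPRError("SECITEM_AllocArray failed");
+    return nullptr;
+  }
+  arr->items[0].data = response->data;
+  arr->items[0].len = response->len;
+
+  return arr;
+}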
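Review bot: The ORTEmpty branch dereferences the SECITEM_AllocArray result without checking it (`arr->items[0].data = nullptr;` immediately after the allocation), whereas the second allocation at the end of the function is guarded by `if (!arr)`. An arena allocation failure there becomes a null dereference instead of the nullptr return that the rest of the function already uses for failures; the same guard, `if (!arr) { PrintPRError("SECITEM_AllocArray failed"); return nullptr; }`, should follow the first allocation too. Separately, the SEC_StringToOID and DER_Encode failure paths return nullptr silently while every other failure path calls PrintPRError, so a test run that yields an empty response for the extension cases gives no indication of which step failed; adding `PrintPRError("SEC_StringToOID failed");` and `PrintPRError("DER_Encode failed");` before those returns keeps the error reporting consistent.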
