Thu, 22 Jan 2015 13:21:57 +0100
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
1 // -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 // This Source Code Form is subject to the terms of the Mozilla Public
3 // License, v. 2.0. If a copy of the MPL was not distributed with this
4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
6 "use strict";
// Validates several OCSP responses, checking in particular whether the OCSP
// URL is valid and whether the path it expresses is correctly passed to the
// caller.
// The profile must exist before nsIX509CertDB is first requested, so this
// call has to stay ahead of the getService() below.
do_get_profile();

// Certificate database shared by every check in this file.
const certdb =
  Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);

// Port used for both the failing HTTP server and the real OCSP responder.
const SERVER_PORT = 8888;
// Starts the harness's failing HTTP server on SERVER_PORT for
// "www.example.com" and returns it; callers shut it down with stop(callback).
//
// NOTE(review): getFailingHttpServer is defined outside this file. Presumably
// it fails the test on any incoming request, which is what would let the
// rejected-URL cases show that no OCSP fetch was attempted. Confirm in the
// shared head file.
function failingOCSPResponder() {
  let hostNames = ["www.example.com"];
  return getFailingHttpServer(SERVER_PORT, hostNames);
}
// Starts a working OCSP responder on SERVER_PORT for "www.example.com",
// backed by the "test_ocsp_url" test data.
//
// expectedCertNames and expectedPaths are forwarded unchanged to
// startOCSPResponder. Presumably the responder checks incoming requests
// against them; confirm in the shared head file.
// Returns the responder object; callers shut it down with stop(callback).
function start_ocsp_responder(expectedCertNames, expectedPaths) {
  let responderHost = "www.example.com";
  // The third argument is always an empty list here; its meaning is defined
  // by startOCSPResponder, outside this file.
  return startOCSPResponder(SERVER_PORT,
                            responderHost,
                            [],
                            "test_ocsp_url",
                            expectedCertNames,
                            expectedPaths);
}
// Loads test_ocsp_url/<cert_name>.der and verifies it for the SSL server
// usage, expecting expected_error (0 is passed by the tests that expect
// verification to succeed).
// Returns whatever checkCertErrorGeneric returns.
function check_cert_err(cert_name, expected_error) {
  let derPath = "test_ocsp_url/" + cert_name + ".der";
  let certUnderTest = constructCertFromFile(derPath);
  return checkCertErrorGeneric(certdb,
                               certUnderTest,
                               expected_error,
                               certificateUsageSSLServer);
}
// xpcshell entry point: imports the test CA chain, configures OCSP and DNS
// prefs, then queues the whole test list once per verification backend.
function run_test() {
  // [file, trust string] pairs, imported in this order. The CA gets explicit
  // trust flags; the intermediate gets none (',,').
  let certsToImport = [
    ["test_ocsp_url/ca.der", 'CTu,CTu,CTu'],
    ["test_ocsp_url/int.der", ',,'],
  ];
  for (let [certFile, trustString] of certsToImport) {
    addCertFromFile(certdb, certFile, trustString);
  }

  // Require OCSP so that a failed OCSP fetch surfaces as a verification
  // error instead of being silently tolerated.
  Services.prefs.setBoolPref("security.OCSP.require", true);

  // Treat www.example.com as a local domain so that responder URLs resolve
  // to the test server.
  Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");

  // mozilla::pkix first, then the other verification path.
  for (let useMozillaPKIX of [true, false]) {
    add_tests_in_mode(useMozillaPKIX);
  }
  run_next_test();
}
// Queues the OCSP URL tests for one verification backend.
//
// useMozillaPKIX selects the backend through the
// "security.use_mozillapkix_verification" pref. Each certificate name says
// which form of OCSP URL the test certificate carries (the certificates
// themselves are not part of this file). Registration order is significant:
// the pref-setting test must run before the checks that follow it.
function add_tests_in_mode(useMozillaPKIX)
{
  // Error expected when the OCSP URL is rejected outright. The two backends
  // report this differently. Evaluated when the test runs.
  function rejectedUrlError() {
    return useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
                          : SEC_ERROR_OCSP_MALFORMED_REQUEST;
  }

  // Queues a test that verifies certName while only the failing server is
  // listening, and expects the error produced by getExpectedError().
  function addFailingResponderTest(certName, getExpectedError) {
    add_test(function() {
      clearOCSPCache();
      let responder = failingOCSPResponder();
      check_cert_err(certName, getExpectedError());
      responder.stop(run_next_test);
    });
  }

  // Queues a test that verifies certName against a working responder which
  // is told to expect that certificate and the single path expectedPath;
  // verification must succeed (expected error 0).
  function addWorkingResponderTest(certName, expectedPath) {
    add_test(function() {
      clearOCSPCache();
      let responder = start_ocsp_responder([certName], [expectedPath]);
      check_cert_err(certName, 0);
      responder.stop(run_next_test);
    });
  }

  // Select the verification backend before any certificate is checked.
  add_test(function() {
    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
                               useMozillaPKIX);
    run_next_test();
  });

  addFailingResponderTest("bad-scheme", rejectedUrlError);
  addFailingResponderTest("empty-scheme-url", rejectedUrlError);
  // An https OCSP URL is expected to be rejected, not fetched.
  addFailingResponderTest("https-url", rejectedUrlError);
  // A mixed-case "hTTp" scheme is expected to be accepted.
  addWorkingResponderTest("hTTp-url", "hTTp-url");
  addFailingResponderTest("negative-port", rejectedUrlError);
  // XXX Bug 1013615 parser accepts ":8888" as hostname
  // This case is therefore expected to fail with a server error in both
  // modes rather than with the rejected-URL error.
  addFailingResponderTest("no-host-url", function() {
    return SEC_ERROR_OCSP_SERVER_ERROR;
  });
  // A URL without a path must reach the responder with an empty path.
  addWorkingResponderTest("no-path-url", '');
  addFailingResponderTest("no-scheme-host-port", rejectedUrlError);
  addFailingResponderTest("no-scheme-url", rejectedUrlError);
  addFailingResponderTest("unknown-scheme", rejectedUrlError);
}