// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
"use strict";

// Hard-fail OCSP check: a TLS connection is made to a domain served by a
// local fake server while a local (equally fake) OCSP responder answers every
// request with a response whose signature is bad. Because
// security.OCSP.require is true, the connection has to be rejected with
// SEC_ERROR_OCSP_BAD_SIGNATURE rather than being allowed through, and the
// failure path must not trip any assertions.

// Number of requests the fake OCSP responder has served since the last reset.
let gOCSPRequestCount = 0;

/**
 * xpcshell entry point. Turns on OCSP hard-fail, starts the TLS test server
 * and the bad-signature OCSP responder, queues the connection tests once per
 * verification mode, and finally queues the responder shutdown.
 */
function run_test() {
  do_get_profile();
  Services.prefs.setBoolPref("security.OCSP.require", true);

  // Stapling itself is not exercised here; the stapling server is simply the
  // available way to obtain a TLS connection.
  add_tls_server_setup("OCSPStaplingServer");

  // One response is requested, of type "bad-signature"; the third entry is
  // the literal "unused".
  let responseSpecs = [["bad-signature", "localhostAndExampleCom", "unused"]];
  let badSignatureResponse =
    generateOCSPResponses(responseSpecs, "tlsserver")[0];

  // Every path on the responder returns the same bad-signature response and
  // bumps the request counter after the body has been written.
  function serveBadSignatureResponse(request, response) {
    response.setStatusLine(request.httpVersion, 200, "OK");
    response.setHeader("Content-Type", "application/ocsp-response");
    response.write(badSignatureResponse);
    gOCSPRequestCount += 1;
  }

  let responder = new HttpServer();
  responder.registerPrefixHandler("/", serveBadSignatureResponse);
  // NOTE(review): fixed port; presumably it has to match the OCSP URL in the
  // test certificates - confirm before changing.
  responder.start(8080);

  // Same expectations with security.use_mozillapkix_verification on and off.
  add_tests_in_mode(true);
  add_tests_in_mode(false);

  // Queued last so the responder stays up for every connection test above.
  add_test(function stopResponder() {
    responder.stop(run_next_test);
  });

  run_next_test();
}

/**
 * Queues the bad-signature checks for one verification mode.
 *
 * @param useMozillaPKIX
 *        Value written to security.use_mozillapkix_verification before the
 *        connection tests run.
 */
function add_tests_in_mode(useMozillaPKIX)
{
  add_test(function selectVerificationMode() {
    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
                               useMozillaPKIX);
    run_next_test();
  });

  // Two connections to the same host; each must fail with
  // SEC_ERROR_OCSP_BAD_SIGNATURE.
  for (let attempt = 0; attempt < 2; attempt++) {
    add_connection_test("ocsp-stapling-none.example.com",
                        getXPCOMStatusFromNSS(SEC_ERROR_OCSP_BAD_SIGNATURE));
  }

  add_test(function checkRequestCount() {
    // Both connections together must have produced exactly one OCSP request
    // (presumably the outcome of the first fetch is reused for the second -
    // confirm). The counter is reset so the next mode starts from zero.
    do_check_eq(gOCSPRequestCount, 1);
    gOCSPRequestCount = 0;
    run_next_test();
  });
}