// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

"use strict";

// Exercises OCSP fetching against certificates whose AIA OCSP URL is
// malformed or unsupported (bad or missing scheme, https, negative port,
// missing host, missing path). The verifier is expected to reject the
// location outright for most of them; for the well-formed ones the test
// checks that the path component reaches the responder unchanged.

do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                 .getService(Ci.nsIX509CertDB);

// Port the OCSP responder (or the failing stand-in) listens on.
const SERVER_PORT = 8888;

// Hostname every test certificate's OCSP URL points at; mapped to the local
// machine via the network.dns.localDomains pref in run_test().
const OCSP_HOST = "www.example.com";

// Directory (relative to the test) holding the certificates for this test.
const CERT_DIR = "test_ocsp_url";

/**
 * Starts a server that answers every request with a failure.
 * Used for the cases where no OCSP request is expected to be issued at all,
 * so any request that does arrive makes the test fail.
 *
 * @returns {object} the server; callers must call stop() on it.
 */
function failingOCSPResponder() {
  return getFailingHttpServer(SERVER_PORT, [OCSP_HOST]);
}

/**
 * Starts a real OCSP responder for the given certificates.
 *
 * @param {string[]} expectedCertNames - names of the certificates whose status
 *   the responder should be asked about.
 * @param {string[]} expectedPaths - the request paths the responder should see,
 *   one per certificate (this is how the URL path handling is checked).
 * @returns {object} the responder; callers must call stop() on it.
 */
function start_ocsp_responder(expectedCertNames, expectedPaths) {
  return startOCSPResponder(SERVER_PORT, OCSP_HOST, [], CERT_DIR,
                            expectedCertNames, expectedPaths);
}

/**
 * Verifies the named certificate as an SSL server certificate and checks that
 * verification reports expected_error (0 meaning success).
 *
 * @param {string} cert_name - base name of a .der file under CERT_DIR.
 * @param {number} expected_error - the error code verification must yield.
 * @returns whatever checkCertErrorGeneric returns.
 */
function check_cert_err(cert_name, expected_error) {
  const cert = constructCertFromFile(`${CERT_DIR}/${cert_name}.der`);
  return checkCertErrorGeneric(certdb, cert, expected_error,
                               certificateUsageSSLServer);
}

/**
 * xpcshell entry point: installs the CA and intermediate, configures OCSP so
 * that a failed fetch is a hard error, and registers the test cases once per
 * verification backend.
 */
function run_test() {
  addCertFromFile(certdb, `${CERT_DIR}/ca.der`, 'CTu,CTu,CTu');
  addCertFromFile(certdb, `${CERT_DIR}/int.der`, ',,');

  // With OCSP required, a rejected or failed fetch surfaces as a verification
  // error instead of being tolerated, which is what the cases below assert on.
  Services.prefs.setBoolPref("security.OCSP.require", true);

  Services.prefs.setCharPref("network.dns.localDomains", OCSP_HOST);

  add_tests_in_mode(true);
  add_tests_in_mode(false);
  run_next_test();
}

/**
 * Registers the OCSP URL test cases for one verification backend.
 *
 * @param {boolean} useMozillaPKIX - true to verify with mozilla::pkix,
 *   false for the classic NSS path. The two backends report a rejected
 *   OCSP location with different error codes.
 */
function add_tests_in_mode(useMozillaPKIX) {
  // Error each backend reports when it refuses to use the AIA OCSP URL.
  const badLocationError = useMozillaPKIX ? SEC_ERROR_CERT_BAD_ACCESS_LOCATION
                                          : SEC_ERROR_OCSP_MALFORMED_REQUEST;

  // One entry per certificate: [name, expected error, responder factory].
  // A failing responder means no request is expected to be sent for the URL.
  const cases = [
    ["bad-scheme", badLocationError, failingOCSPResponder],
    ["empty-scheme-url", badLocationError, failingOCSPResponder],
    ["https-url", badLocationError, failingOCSPResponder],
    // Scheme matching is case-insensitive; the path must reach the responder.
    ["hTTp-url", 0, () => start_ocsp_responder(["hTTp-url"], ["hTTp-url"])],
    ["negative-port", badLocationError, failingOCSPResponder],
    // XXX Bug 1013615 parser accepts ":8888" as hostname
    ["no-host-url", SEC_ERROR_OCSP_SERVER_ERROR, failingOCSPResponder],
    // No path component: the responder should see an empty path.
    ["no-path-url", 0, () => start_ocsp_responder(["no-path-url"], [''])],
    ["no-scheme-host-port", badLocationError, failingOCSPResponder],
    ["no-scheme-url", badLocationError, failingOCSPResponder],
    ["unknown-scheme", badLocationError, failingOCSPResponder],
  ];

  add_test(function() {
    Services.prefs.setBoolPref("security.use_mozillapkix_verification",
                               useMozillaPKIX);
    run_next_test();
  });

  for (const [certName, expectedError, makeResponder] of cases) {
    add_test(function() {
      // Every case starts from an empty cache so a previous case's result
      // cannot satisfy this one.
      clearOCSPCache();
      const responder = makeResponder();
      check_cert_err(certName, expectedError);
      responder.stop(run_next_test);
    });
  }
}