Source code

Revision control

Copy as Markdown

Other Tools

Test Info: Warnings

// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
"use strict";
// Tests OCSP Must Staple handling by connecting to various domains (as faked by
// a server running locally) that correspond to combinations of whether the
// extension is present in intermediate and end-entity certificates.
var gExpectOCSPRequest;
function add_ocsp_test(
aHost,
aExpectedResult,
aStaplingEnabled,
aExpectOCSPRequest = false,
aWithSecurityInfo = undefined
) {
add_connection_test(
aHost,
aExpectedResult,
function () {
gExpectOCSPRequest = aExpectOCSPRequest;
clearOCSPCache();
clearSessionCache();
Services.prefs.setBoolPref(
"security.ssl.enable_ocsp_stapling",
aStaplingEnabled
);
},
aWithSecurityInfo
);
}
function add_tests() {
// Next, a case where it's present in the intermediate, not the ee
add_ocsp_test(
"ocsp-stapling-plain-ee-with-must-staple-int.example.com",
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
true
);
// We disable OCSP stapling in the next two tests so we can perform checks
// on TLS Features in the chain without needing to support the TLS
// extension values used.
// Test an issuer with multiple TLS features in matched in the EE
add_ocsp_test(
"multi-tls-feature-good.example.com",
PRErrorCodeSuccess,
false
);
// Finally, an issuer with multiple TLS features not matched by the EE.
add_ocsp_test(
"multi-tls-feature-bad.example.com",
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
false
);
// Now a bunch of operations with only a must-staple ee
add_ocsp_test(
"ocsp-stapling-must-staple.example.com",
PRErrorCodeSuccess,
true
);
add_ocsp_test(
"ocsp-stapling-must-staple-revoked.example.com",
SEC_ERROR_REVOKED_CERTIFICATE,
true
);
add_ocsp_test(
"ocsp-stapling-must-staple-missing.example.com",
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
true,
true
);
add_ocsp_test(
"ocsp-stapling-must-staple-empty.example.com",
SEC_ERROR_OCSP_MALFORMED_RESPONSE,
true
);
add_ocsp_test(
"ocsp-stapling-must-staple-missing.example.com",
PRErrorCodeSuccess,
false,
true
);
// If the stapled response is expired, we will try to fetch a new one.
// If that fails, we should report the original error.
add_ocsp_test(
"ocsp-stapling-must-staple-expired.example.com",
SEC_ERROR_OCSP_OLD_RESPONSE,
true,
true
);
// Similarly with a "try server later" response.
add_ocsp_test(
"ocsp-stapling-must-staple-try-later.example.com",
SEC_ERROR_OCSP_TRY_SERVER_LATER,
true,
true
);
// And again with an invalid OCSP response signing certificate.
add_ocsp_test(
"ocsp-stapling-must-staple-invalid-signer.example.com",
SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
true,
true
);
// check that disabling must-staple works
add_test(function () {
clearSessionCache();
Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", false);
run_next_test();
});
add_ocsp_test(
"ocsp-stapling-must-staple-missing.example.com",
PRErrorCodeSuccess,
true,
true
);
}
function run_test() {
do_get_profile();
Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", true);
Services.prefs.setIntPref("security.OCSP.enabled", 1);
// This test may sometimes fail on android due to an OCSP request timing out.
// That aspect of OCSP requests is not what we're testing here, so we can just
// bump the timeout and hopefully avoid these failures.
Services.prefs.setIntPref("security.OCSP.timeoutMilliseconds.soft", 5000);
let fakeOCSPResponder = new HttpServer();
fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
ok(
gExpectOCSPRequest,
"Should be getting an OCSP request only when expected"
);
});
fakeOCSPResponder.start(8888);
add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
add_tests();
add_test(function () {
fakeOCSPResponder.stop(run_next_test);
});
run_next_test();
}