horok/firefox
1
0
Fork 0
Code Activity
firefox/security/manager/ssl/tests/gtest/OCSPCacheTest.cpp
Daniel Baumann 5e9a113729
Adding upstream version 140.0. 
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
2025-06-25 09:37:52 +02:00

357 lines
14 KiB
C++
Raw Permalink Blame History

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "CertVerifier.h"
#include "OCSPCache.h"
#include "gtest/gtest.h"
#include "mozilla/BasePrincipal.h"
#include "mozilla/Casting.h"
#include "mozilla/Preferences.h"
#include "mozilla/Sprintf.h"
#include "nss.h"
#include "mozpkix/pkixtypes.h"
#include "mozpkix/test/pkixtestutil.h"
#include "prerr.h"
#include "secerr.h"
using namespace mozilla::pkix;
using namespace mozilla::pkix::test;
using mozilla::OriginAttributes;
template <size_t N>
inline Input LiteralInput(const char (&valueString)[N]) {
// Ideally we would use mozilla::BitwiseCast() here rather than
// reinterpret_cast for better type checking, but the |N - 1| part trips
// static asserts.
return Input(reinterpret_cast<const uint8_t(&)[N - 1]>(valueString));
}
const int MaxCacheEntries = 1024;
class psm_OCSPCacheTest : public ::testing::Test {
protected:
psm_OCSPCacheTest() : now(Now()) {}
static void SetUpTestCase() { NSS_NoDB_Init(nullptr); }
const Time now;
mozilla::psm::OCSPCache cache;
};
static void PutAndGet(
mozilla::psm::OCSPCache& cache, const CertID& certID, Result result,
Time time, const OriginAttributes& originAttributes = OriginAttributes()) {
// The first time is thisUpdate. The second is validUntil.
// The caller is expecting the validUntil returned with Get
// to be equal to the passed-in time. Since these values will
// be different in practice, make thisUpdate less than validUntil.
Time thisUpdate(time);
ASSERT_EQ(Success, thisUpdate.SubtractSeconds(10));
Result rv = cache.Put(certID, originAttributes, result, thisUpdate, time);
ASSERT_TRUE(rv == Success);
Result resultOut;
Time timeOut(Time::uninitialized);
ASSERT_TRUE(cache.Get(certID, originAttributes, resultOut, timeOut));
ASSERT_EQ(result, resultOut);
ASSERT_EQ(time, timeOut);
}
MOZ_RUNINIT Input fakeIssuer1(LiteralInput("CN=issuer1"));
MOZ_RUNINIT Input fakeKey000(LiteralInput("key000"));
MOZ_RUNINIT Input fakeKey001(LiteralInput("key001"));
MOZ_RUNINIT Input fakeSerial0000(LiteralInput("0000"));
TEST_F(psm_OCSPCacheTest, TestPutAndGet) {
Input fakeSerial000(LiteralInput("000"));
Input fakeSerial001(LiteralInput("001"));
SCOPED_TRACE("");
PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial001), Success,
now);
Result resultOut;
Time timeOut(Time::uninitialized);
ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey001, fakeSerial000),
OriginAttributes(), resultOut, timeOut));
}
TEST_F(psm_OCSPCacheTest, TestVariousGets) {
SCOPED_TRACE("");
for (int i = 0; i < MaxCacheEntries; i++) {
uint8_t serialBuf[8];
snprintf(mozilla::BitwiseCast<char*, uint8_t*>(serialBuf),
sizeof(serialBuf), "%04d", i);
Input fakeSerial;
ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
Time timeIn(now);
ASSERT_EQ(Success, timeIn.AddSeconds(i));
PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial), Success,
timeIn);
}
Time timeIn(now);
Result resultOut;
Time timeOut(Time::uninitialized);
// This will be at the end of the list in the cache
CertID cert0000(fakeIssuer1, fakeKey000, fakeSerial0000);
ASSERT_TRUE(cache.Get(cert0000, OriginAttributes(), resultOut, timeOut));
ASSERT_EQ(Success, resultOut);
ASSERT_EQ(timeIn, timeOut);
// Once we access it, it goes to the front
ASSERT_TRUE(cache.Get(cert0000, OriginAttributes(), resultOut, timeOut));
ASSERT_EQ(Success, resultOut);
ASSERT_EQ(timeIn, timeOut);
// This will be in the middle
Time timeInPlus512(now);
ASSERT_EQ(Success, timeInPlus512.AddSeconds(512));
static const Input fakeSerial0512(LiteralInput("0512"));
CertID cert0512(fakeIssuer1, fakeKey000, fakeSerial0512);
ASSERT_TRUE(cache.Get(cert0512, OriginAttributes(), resultOut, timeOut));
ASSERT_EQ(Success, resultOut);
ASSERT_EQ(timeInPlus512, timeOut);
ASSERT_TRUE(cache.Get(cert0512, OriginAttributes(), resultOut, timeOut));
ASSERT_EQ(Success, resultOut);
ASSERT_EQ(timeInPlus512, timeOut);
// We've never seen this certificate
static const Input fakeSerial1111(LiteralInput("1111"));
ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey000, fakeSerial1111),
OriginAttributes(), resultOut, timeOut));
}
TEST_F(psm_OCSPCacheTest, TestEviction) {
SCOPED_TRACE("");
// By putting more distinct entries in the cache than it can hold,
// we cause the least recently used entry to be evicted.
for (int i = 0; i < MaxCacheEntries + 1; i++) {
uint8_t serialBuf[8];
snprintf(mozilla::BitwiseCast<char*, uint8_t*>(serialBuf),
sizeof(serialBuf), "%04d", i);
Input fakeSerial;
ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
Time timeIn(now);
ASSERT_EQ(Success, timeIn.AddSeconds(i));
PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial), Success,
timeIn);
}
Result resultOut;
Time timeOut(Time::uninitialized);
ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey001, fakeSerial0000),
OriginAttributes(), resultOut, timeOut));
}
TEST_F(psm_OCSPCacheTest, TestNoEvictionForRevokedResponses) {
SCOPED_TRACE("");
CertID notEvicted(fakeIssuer1, fakeKey000, fakeSerial0000);
Time timeIn(now);
PutAndGet(cache, notEvicted, Result::ERROR_REVOKED_CERTIFICATE, timeIn);
// By putting more distinct entries in the cache than it can hold,
// we cause the least recently used entry that isn't revoked to be evicted.
for (int i = 1; i < MaxCacheEntries + 1; i++) {
uint8_t serialBuf[8];
snprintf(mozilla::BitwiseCast<char*, uint8_t*>(serialBuf),
sizeof(serialBuf), "%04d", i);
Input fakeSerial;
ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
Time timeIn(now);
ASSERT_EQ(Success, timeIn.AddSeconds(i));
PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial), Success,
timeIn);
}
Result resultOut;
Time timeOut(Time::uninitialized);
ASSERT_TRUE(cache.Get(notEvicted, OriginAttributes(), resultOut, timeOut));
ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE, resultOut);
ASSERT_EQ(timeIn, timeOut);
Input fakeSerial0001(LiteralInput("0001"));
CertID evicted(fakeIssuer1, fakeKey000, fakeSerial0001);
ASSERT_FALSE(cache.Get(evicted, OriginAttributes(), resultOut, timeOut));
}
TEST_F(psm_OCSPCacheTest, TestEverythingIsRevoked) {
SCOPED_TRACE("");
Time timeIn(now);
// Fill up the cache with revoked responses.
for (int i = 0; i < MaxCacheEntries; i++) {
uint8_t serialBuf[8];
snprintf(mozilla::BitwiseCast<char*, uint8_t*>(serialBuf),
sizeof(serialBuf), "%04d", i);
Input fakeSerial;
ASSERT_EQ(Success, fakeSerial.Init(serialBuf, 4));
Time timeIn(now);
ASSERT_EQ(Success, timeIn.AddSeconds(i));
PutAndGet(cache, CertID(fakeIssuer1, fakeKey000, fakeSerial),
Result::ERROR_REVOKED_CERTIFICATE, timeIn);
}
static const Input fakeSerial1025(LiteralInput("1025"));
CertID good(fakeIssuer1, fakeKey000, fakeSerial1025);
// This will "succeed", allowing verification to continue. However,
// nothing was actually put in the cache.
Time timeInPlus1025(timeIn);
ASSERT_EQ(Success, timeInPlus1025.AddSeconds(1025));
Time timeInPlus1025Minus50(timeInPlus1025);
ASSERT_EQ(Success, timeInPlus1025Minus50.SubtractSeconds(50));
Result result = cache.Put(good, OriginAttributes(), Success,
timeInPlus1025Minus50, timeInPlus1025);
ASSERT_EQ(Success, result);
Result resultOut;
Time timeOut(Time::uninitialized);
ASSERT_FALSE(cache.Get(good, OriginAttributes(), resultOut, timeOut));
static const Input fakeSerial1026(LiteralInput("1026"));
CertID revoked(fakeIssuer1, fakeKey000, fakeSerial1026);
// This will fail, causing verification to fail.
Time timeInPlus1026(timeIn);
ASSERT_EQ(Success, timeInPlus1026.AddSeconds(1026));
Time timeInPlus1026Minus50(timeInPlus1026);
ASSERT_EQ(Success, timeInPlus1026Minus50.SubtractSeconds(50));
result =
cache.Put(revoked, OriginAttributes(), Result::ERROR_REVOKED_CERTIFICATE,
timeInPlus1026Minus50, timeInPlus1026);
ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE, result);
}
TEST_F(psm_OCSPCacheTest, VariousIssuers) {
SCOPED_TRACE("");
Time timeIn(now);
static const Input fakeIssuer2(LiteralInput("CN=issuer2"));
static const Input fakeSerial001(LiteralInput("001"));
CertID subject(fakeIssuer1, fakeKey000, fakeSerial001);
PutAndGet(cache, subject, Success, now);
Result resultOut;
Time timeOut(Time::uninitialized);
ASSERT_TRUE(cache.Get(subject, OriginAttributes(), resultOut, timeOut));
ASSERT_EQ(Success, resultOut);
ASSERT_EQ(timeIn, timeOut);
// Test that we don't match a different issuer DN
ASSERT_FALSE(cache.Get(CertID(fakeIssuer2, fakeKey000, fakeSerial001),
OriginAttributes(), resultOut, timeOut));
// Test that we don't match a different issuer key
ASSERT_FALSE(cache.Get(CertID(fakeIssuer1, fakeKey001, fakeSerial001),
OriginAttributes(), resultOut, timeOut));
}
TEST_F(psm_OCSPCacheTest, Times) {
SCOPED_TRACE("");
CertID certID(fakeIssuer1, fakeKey000, fakeSerial0000);
PutAndGet(cache, certID, Result::ERROR_OCSP_UNKNOWN_CERT,
TimeFromElapsedSecondsAD(100));
PutAndGet(cache, certID, Success, TimeFromElapsedSecondsAD(200));
// This should not override the more recent entry.
ASSERT_EQ(
Success,
cache.Put(certID, OriginAttributes(), Result::ERROR_OCSP_UNKNOWN_CERT,
TimeFromElapsedSecondsAD(100), TimeFromElapsedSecondsAD(100)));
Result resultOut;
Time timeOut(Time::uninitialized);
ASSERT_TRUE(cache.Get(certID, OriginAttributes(), resultOut, timeOut));
// Here we see the more recent time.
ASSERT_EQ(Success, resultOut);
ASSERT_EQ(TimeFromElapsedSecondsAD(200), timeOut);
// Result::ERROR_REVOKED_CERTIFICATE overrides everything
PutAndGet(cache, certID, Result::ERROR_REVOKED_CERTIFICATE,
TimeFromElapsedSecondsAD(50));
}
TEST_F(psm_OCSPCacheTest, NetworkFailure) {
SCOPED_TRACE("");
CertID certID(fakeIssuer1, fakeKey000, fakeSerial0000);
PutAndGet(cache, certID, Result::ERROR_CONNECT_REFUSED,
TimeFromElapsedSecondsAD(100));
PutAndGet(cache, certID, Success, TimeFromElapsedSecondsAD(200));
// This should not override the already present entry.
ASSERT_EQ(
Success,
cache.Put(certID, OriginAttributes(), Result::ERROR_CONNECT_REFUSED,
TimeFromElapsedSecondsAD(300), TimeFromElapsedSecondsAD(350)));
Result resultOut;
Time timeOut(Time::uninitialized);
ASSERT_TRUE(cache.Get(certID, OriginAttributes(), resultOut, timeOut));
ASSERT_EQ(Success, resultOut);
ASSERT_EQ(TimeFromElapsedSecondsAD(200), timeOut);
PutAndGet(cache, certID, Result::ERROR_OCSP_UNKNOWN_CERT,
TimeFromElapsedSecondsAD(400));
// This should not override the already present entry.
ASSERT_EQ(
Success,
cache.Put(certID, OriginAttributes(), Result::ERROR_CONNECT_REFUSED,
TimeFromElapsedSecondsAD(500), TimeFromElapsedSecondsAD(550)));
ASSERT_TRUE(cache.Get(certID, OriginAttributes(), resultOut, timeOut));
ASSERT_EQ(Result::ERROR_OCSP_UNKNOWN_CERT, resultOut);
ASSERT_EQ(TimeFromElapsedSecondsAD(400), timeOut);
PutAndGet(cache, certID, Result::ERROR_REVOKED_CERTIFICATE,
TimeFromElapsedSecondsAD(600));
// This should not override the already present entry.
ASSERT_EQ(
Success,
cache.Put(certID, OriginAttributes(), Result::ERROR_CONNECT_REFUSED,
TimeFromElapsedSecondsAD(700), TimeFromElapsedSecondsAD(750)));
ASSERT_TRUE(cache.Get(certID, OriginAttributes(), resultOut, timeOut));
ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE, resultOut);
ASSERT_EQ(TimeFromElapsedSecondsAD(600), timeOut);
}
TEST_F(psm_OCSPCacheTest, TestOriginAttributes) {
CertID certID(fakeIssuer1, fakeKey000, fakeSerial0000);
// We test two attributes, firstPartyDomain and partitionKey, respectively
// because we don't have entries that have both attributes set because the two
// features that use these attributes are mutually exclusive.
// Set pref for OCSP cache network partitioning.
mozilla::Preferences::SetBool("privacy.partition.network_state.ocsp_cache",
true);
SCOPED_TRACE("");
OriginAttributes attrs;
attrs.mFirstPartyDomain.AssignLiteral("foo.com");
PutAndGet(cache, certID, Success, now, attrs);
Result resultOut;
Time timeOut(Time::uninitialized);
attrs.mFirstPartyDomain.AssignLiteral("bar.com");
ASSERT_FALSE(cache.Get(certID, attrs, resultOut, timeOut));
// OCSP cache should not be isolated by containers for firstPartyDomain.
attrs.mUserContextId = 1;
attrs.mFirstPartyDomain.AssignLiteral("foo.com");
ASSERT_TRUE(cache.Get(certID, attrs, resultOut, timeOut));
// Clear originAttributes.
attrs.mUserContextId = 0;
attrs.mFirstPartyDomain.Truncate();
// Add OCSP cache for the partitionKey.
attrs.mPartitionKey.AssignLiteral("(https,foo.com)");
PutAndGet(cache, certID, Success, now, attrs);
// Check cache entry for the partitionKey.
attrs.mPartitionKey.AssignLiteral("(https,foo.com)");
ASSERT_TRUE(cache.Get(certID, attrs, resultOut, timeOut));
// OCSP cache entry should not exist for the other partitionKey.
attrs.mPartitionKey.AssignLiteral("(https,bar.com)");
ASSERT_FALSE(cache.Get(certID, attrs, resultOut, timeOut));
// OCSP cache should not be isolated by containers for partitonKey.
attrs.mUserContextId = 1;
attrs.mPartitionKey.AssignLiteral("(https,foo.com)");
ASSERT_TRUE(cache.Get(certID, attrs, resultOut, timeOut));
// OCSP cache should not exist for the OAs which has both attributes set.
attrs.mUserContextId = 0;
attrs.mFirstPartyDomain.AssignLiteral("foo.com");
attrs.mPartitionKey.AssignLiteral("(https,foo.com)");
ASSERT_FALSE(cache.Get(certID, attrs, resultOut, timeOut));
}
View git blame Copy permalink