1 files changed, 160 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/test_ocsp_must_staple.js b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
new file mode 100644
index 0000000000..32ac332e61
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
@@ -0,0 +1,160 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// Tests OCSP Must Staple handling by connecting to various domains (as faked by
+// a server running locally) that correspond to combinations of whether the
+// extension is present in intermediate and end-entity certificates.
+
+var gExpectOCSPRequest;
+
+function add_ocsp_test(
+  aHost,
+  aExpectedResult,
+  aStaplingEnabled,
+  aExpectOCSPRequest = false,
+  aWithSecurityInfo = undefined
+) {
+  add_connection_test(
+    aHost,
+    aExpectedResult,
+    function () {
+      gExpectOCSPRequest = aExpectOCSPRequest;
+      clearOCSPCache();
+      clearSessionCache();
+      Services.prefs.setBoolPref(
+        "security.ssl.enable_ocsp_stapling",
+        aStaplingEnabled
+      );
+    },
+    aWithSecurityInfo
+  );
+}
+
+function add_tests() {
+  // Next, a case where it's present in the intermediate, not the ee
+  add_ocsp_test(
+    "ocsp-stapling-plain-ee-with-must-staple-int.example.com",
+    MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
+    true
+  );
+
+  // We disable OCSP stapling in the next two tests so we can perform checks
+  // on TLS Features in the chain without needing to support the TLS
+  // extension values used.
+  // Test an issuer with multiple TLS features in matched in the EE
+  add_ocsp_test(
+    "multi-tls-feature-good.example.com",
+    PRErrorCodeSuccess,
+    false
+  );
+
+  // Finally, an issuer with multiple TLS features not matched by the EE.
+  add_ocsp_test(
+    "multi-tls-feature-bad.example.com",
+    MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
+    false
+  );
+
+  // Now a bunch of operations with only a must-staple ee
+  add_ocsp_test(
+    "ocsp-stapling-must-staple.example.com",
+    PRErrorCodeSuccess,
+    true
+  );
+
+  add_ocsp_test(
+    "ocsp-stapling-must-staple-revoked.example.com",
+    SEC_ERROR_REVOKED_CERTIFICATE,
+    true
+  );
+
+  add_ocsp_test(
+    "ocsp-stapling-must-staple-missing.example.com",
+    MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
+    true,
+    true
+  );
+
+  add_ocsp_test(
+    "ocsp-stapling-must-staple-empty.example.com",
+    SEC_ERROR_OCSP_MALFORMED_RESPONSE,
+    true
+  );
+
+  add_ocsp_test(
+    "ocsp-stapling-must-staple-missing.example.com",
+    PRErrorCodeSuccess,
+    false,
+    true
+  );
+
+  // If the stapled response is expired, we will try to fetch a new one.
+  // If that fails, we should report the original error.
+  add_ocsp_test(
+    "ocsp-stapling-must-staple-expired.example.com",
+    SEC_ERROR_OCSP_OLD_RESPONSE,
+    true,
+    true
+  );
+  // Similarly with a "try server later" response.
+  add_ocsp_test(
+    "ocsp-stapling-must-staple-try-later.example.com",
+    SEC_ERROR_OCSP_TRY_SERVER_LATER,
+    true,
+    true
+  );
+  // And again with an invalid OCSP response signing certificate.
+  add_ocsp_test(
+    "ocsp-stapling-must-staple-invalid-signer.example.com",
+    SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+    true,
+    true
+  );
+
+  // check that disabling must-staple works
+  add_test(function () {
+    clearSessionCache();
+    Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", false);
+    run_next_test();
+  });
+
+  add_ocsp_test(
+    "ocsp-stapling-must-staple-missing.example.com",
+    PRErrorCodeSuccess,
+    true,
+    true
+  );
+}
+
+function run_test() {
+  do_get_profile();
+  Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", true);
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+  // This test may sometimes fail on android due to an OCSP request timing out.
+  // That aspect of OCSP requests is not what we're testing here, so we can just
+  // bump the timeout and hopefully avoid these failures.
+  Services.prefs.setIntPref("security.OCSP.timeoutMilliseconds.soft", 5000);
+
+  let fakeOCSPResponder = new HttpServer();
+  fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
+    response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+    ok(
+      gExpectOCSPRequest,
+      "Should be getting an OCSP request only when expected"
+    );
+  });
+  fakeOCSPResponder.start(8888);
+
+  add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+
+  add_tests();
+
+  add_test(function () {
+    fakeOCSPResponder.stop(run_next_test);
+  });
+
+  run_next_test();
+}