1 files changed, 115 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/test_ocsp_private_caching.js b/security/manager/ssl/tests/unit/test_ocsp_private_caching.js
new file mode 100644
index 0000000000..47b976cf71
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_private_caching.js
@@ -0,0 +1,115 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+
+// In which we connect to a host and encounter OCSP responses with the
+// Cache-Control header set, which normally Necko would cache. This test
+// ensures that these responses aren't cached. PSM has its own OCSP cache, so
+// Necko shouldn't also be caching them.
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+
+const SERVER_PORT = 8888;
+
+function add_flush_cache() {
+  add_test(() => {
+    // This appears to either fire multiple times or fire once for every
+    // observer that has ever been passed to flush. To prevent multiple calls to
+    // run_next_test, keep track of if this observer has already called it.
+    let observed = false;
+    let observer = {
+      observe: () => {
+        if (!observed) {
+          observed = true;
+          run_next_test();
+        }
+      },
+    };
+    Services.cache2.QueryInterface(Ci.nsICacheTesting).flush(observer);
+  });
+}
+
+function add_ocsp_necko_cache_test(loadContext) {
+  // Pre-testcase cleanup/setup.
+  add_test(() => {
+    Services.cache2.clear();
+    run_next_test();
+  });
+  add_flush_cache();
+
+  let responder;
+  add_test(() => {
+    clearOCSPCache();
+    clearSessionCache();
+    responder = startOCSPResponder(
+      SERVER_PORT,
+      "localhost",
+      "ocsp_certs",
+      ["default-ee"],
+      [],
+      [],
+      [],
+      [["Cache-Control", "max-age=1000"]]
+    );
+    run_next_test();
+  });
+
+  // Prepare a connection that will cause an OCSP request.
+  add_connection_test(
+    "ocsp-stapling-none.example.com",
+    PRErrorCodeSuccess,
+    null,
+    null,
+    null,
+    loadContext.originAttributes
+  );
+
+  add_flush_cache();
+
+  // Traverse the cache and ensure the response was not cached.
+  add_test(() => {
+    let foundEntry = false;
+    let visitor = {
+      onCacheStorageInfo() {},
+      onCacheEntryInfo(
+        aURI,
+        aIdEnhance,
+        aDataSize,
+        aFetchCount,
+        aLastModifiedTime,
+        aExpirationTime,
+        aPinned,
+        aInfo
+      ) {
+        Assert.equal(
+          aURI.spec,
+          "http://localhost:8888/",
+          "expected OCSP request URI should match"
+        );
+        foundEntry = true;
+      },
+      onCacheEntryVisitCompleted() {
+        Assert.ok(!foundEntry, "should not find a cached entry");
+        run_next_test();
+      },
+      QueryInterface: ChromeUtils.generateQI(["nsICacheStorageVisitor"]),
+    };
+    Services.cache2.asyncVisitAllStorages(visitor, true);
+  });
+
+  // Clean up (stop the responder).
+  add_test(() => {
+    responder.stop(run_next_test);
+  });
+}
+
+function run_test() {
+  Services.prefs.setIntPref("security.OCSP.enabled", 1);
+  add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
+  add_ocsp_necko_cache_test(Services.loadContextInfo.private);
+  add_ocsp_necko_cache_test(Services.loadContextInfo.default);
+  run_next_test();
+}