1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
|
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// Any copyright is dedicated to the Public Domain.
// http://creativecommons.org/publicdomain/zero/1.0/
"use strict";
// Checks that the security.OCSP.enabled pref correctly controls OCSP fetching
// behavior.
do_get_profile(); // Must be called before getting nsIX509CertDB
const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
Ci.nsIX509CertDB
);
const SERVER_PORT = 8888;
function certFromFile(filename) {
return constructCertFromFile(`test_ev_certs/${filename}.pem`);
}
function loadCert(certName, trustString) {
addCertFromFile(gCertDB, `test_ev_certs/${certName}.pem`, trustString);
}
function getFailingOCSPResponder() {
return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
}
function getOCSPResponder(expectedCertNames) {
return startOCSPResponder(
SERVER_PORT,
"www.example.com",
"test_ev_certs",
expectedCertNames,
[]
);
}
// Tests that in ocspOff mode, OCSP fetches are never done.
async function testOff() {
Services.prefs.setIntPref("security.OCSP.enabled", 0);
info("Setting security.OCSP.enabled to 0");
// EV chains should verify successfully but never get EV status.
clearOCSPCache();
let ocspResponder = getFailingOCSPResponder();
await checkEVStatus(
gCertDB,
certFromFile("test-oid-path-ee"),
certificateUsageSSLServer,
false
);
await stopOCSPResponder(ocspResponder);
// A DV chain should verify successfully.
clearOCSPCache();
ocspResponder = getFailingOCSPResponder();
await checkCertErrorGeneric(
gCertDB,
certFromFile("non-ev-root-path-ee"),
PRErrorCodeSuccess,
certificateUsageSSLServer
);
await stopOCSPResponder(ocspResponder);
}
// Tests that in ocspOn mode, OCSP fetches are done for both EV and DV certs.
async function testOn() {
Services.prefs.setIntPref("security.OCSP.enabled", 1);
info("Setting security.OCSP.enabled to 1");
// If a successful OCSP response is fetched, then an EV chain should verify
// successfully and get EV status as well.
clearOCSPCache();
let ocspResponder = getOCSPResponder(["test-oid-path-ee"]);
await checkEVStatus(
gCertDB,
certFromFile("test-oid-path-ee"),
certificateUsageSSLServer,
gEVExpected
);
await stopOCSPResponder(ocspResponder);
// If a successful OCSP response is fetched, then a DV chain should verify
// successfully.
clearOCSPCache();
ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]);
await checkCertErrorGeneric(
gCertDB,
certFromFile("non-ev-root-path-ee"),
PRErrorCodeSuccess,
certificateUsageSSLServer
);
await stopOCSPResponder(ocspResponder);
}
// Tests that in ocspEVOnly mode, OCSP fetches are done for EV certs only.
async function testEVOnly() {
Services.prefs.setIntPref("security.OCSP.enabled", 2);
info("Setting security.OCSP.enabled to 2");
// If a successful OCSP response is fetched, then an EV chain should verify
// successfully and get EV status as well.
clearOCSPCache();
let ocspResponder = gEVExpected
? getOCSPResponder(["test-oid-path-ee"])
: getFailingOCSPResponder();
await checkEVStatus(
gCertDB,
certFromFile("test-oid-path-ee"),
certificateUsageSSLServer,
gEVExpected
);
await stopOCSPResponder(ocspResponder);
// A DV chain should verify successfully even without doing OCSP fetches.
clearOCSPCache();
ocspResponder = getFailingOCSPResponder();
await checkCertErrorGeneric(
gCertDB,
certFromFile("non-ev-root-path-ee"),
PRErrorCodeSuccess,
certificateUsageSSLServer
);
await stopOCSPResponder(ocspResponder);
}
add_task(async function () {
registerCleanupFunction(() => {
Services.prefs.clearUserPref("network.dns.localDomains");
Services.prefs.clearUserPref("security.OCSP.enabled");
Services.prefs.clearUserPref("security.OCSP.require");
});
Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
// Enable hard fail to ensure chains that should only succeed because they get
// a good OCSP response do not succeed due to soft fail leniency.
Services.prefs.setBoolPref("security.OCSP.require", true);
loadCert("evroot", "CTu,,");
loadCert("test-oid-path-int", ",,");
loadCert("non-evroot-ca", "CTu,,");
loadCert("non-ev-root-path-int", ",,");
await testOff();
await testOn();
await testEVOnly();
});
|
