diff options
Diffstat (limited to 'security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp')
-rw-r--r-- | security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp b/security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp index 1d70a4d40..81bee3367 100644 --- a/security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp +++ b/security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp @@ -1,4 +1,5 @@ /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ /* This code is made available to you under your choice of the following sets * of licensing terms: */ @@ -25,6 +26,8 @@ #include "mozpkix/pkixder.h" +#include "secoid.h" + using namespace mozilla::pkix; using namespace mozilla::pkix::test; @@ -337,6 +340,12 @@ TEST_F(pkixocsp_VerifyEncodedResponse_successful, unknown) TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_unsupportedSignatureAlgorithm) { + PRUint32 policyMd5; + ASSERT_EQ(SECSuccess,NSS_GetAlgorithmPolicy(SEC_OID_MD5, &policyMd5)); + + /* our encode won't work if MD5 isn't allowed by policy */ + ASSERT_EQ(SECSuccess, + NSS_SetAlgorithmPolicy(SEC_OID_MD5, NSS_USE_ALG_IN_SIGNATURE, 0)); ByteString responseString( CreateEncodedOCSPSuccessfulResponse( OCSPResponseContext::good, *endEntityCertID, byKey, @@ -346,6 +355,9 @@ TEST_F(pkixocsp_VerifyEncodedResponse_successful, Input response; ASSERT_EQ(Success, response.Init(responseString.data(), responseString.length())); + /* now restore the existing policy */ + ASSERT_EQ(SECSuccess, + NSS_SetAlgorithmPolicy(SEC_OID_MD5, policyMd5, NSS_USE_ALG_IN_SIGNATURE)); bool expired; ASSERT_EQ(Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, @@ -929,14 +941,23 @@ TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, // Note that the algorithm ID (md5WithRSAEncryption) identifies the signature // algorithm that will be used to sign the certificate that issues the OCSP // responses, not the responses themselves. + PRUint32 policyMd5; + ASSERT_EQ(SECSuccess,NSS_GetAlgorithmPolicy(SEC_OID_MD5, &policyMd5)); + + /* our encode won't work if MD5 isn't allowed by policy */ + ASSERT_EQ(SECSuccess, + NSS_SetAlgorithmPolicy(SEC_OID_MD5, NSS_USE_ALG_IN_SIGNATURE, 0)); ByteString responseString( CreateEncodedIndirectOCSPSuccessfulResponse( "good_indirect_unsupportedSignatureAlgorithm", OCSPResponseContext::good, byKey, md5WithRSAEncryption())); Input response; + /* now restore the existing policy */ ASSERT_EQ(Success, response.Init(responseString.data(), responseString.length())); + ASSERT_EQ(SECSuccess, + NSS_SetAlgorithmPolicy(SEC_OID_MD5, policyMd5, NSS_USE_ALG_IN_SIGNATURE)); bool expired; ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT, VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(), |