summaryrefslogtreecommitdiffstats
path: root/security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp')
-rw-r--r--security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp21
1 files changed, 21 insertions, 0 deletions
diff --git a/security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp b/security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
index 1d70a4d40..81bee3367 100644
--- a/security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
+++ b/security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
@@ -1,4 +1,5 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This code is made available to you under your choice of the following sets
* of licensing terms:
*/
@@ -25,6 +26,8 @@
#include "mozpkix/pkixder.h"
+#include "secoid.h"
+
using namespace mozilla::pkix;
using namespace mozilla::pkix::test;
@@ -337,6 +340,12 @@ TEST_F(pkixocsp_VerifyEncodedResponse_successful, unknown)
TEST_F(pkixocsp_VerifyEncodedResponse_successful,
good_unsupportedSignatureAlgorithm)
{
+ PRUint32 policyMd5;
+ ASSERT_EQ(SECSuccess,NSS_GetAlgorithmPolicy(SEC_OID_MD5, &policyMd5));
+
+ /* our encode won't work if MD5 isn't allowed by policy */
+ ASSERT_EQ(SECSuccess,
+ NSS_SetAlgorithmPolicy(SEC_OID_MD5, NSS_USE_ALG_IN_SIGNATURE, 0));
ByteString responseString(
CreateEncodedOCSPSuccessfulResponse(
OCSPResponseContext::good, *endEntityCertID, byKey,
@@ -346,6 +355,9 @@ TEST_F(pkixocsp_VerifyEncodedResponse_successful,
Input response;
ASSERT_EQ(Success,
response.Init(responseString.data(), responseString.length()));
+ /* now restore the existing policy */
+ ASSERT_EQ(SECSuccess,
+ NSS_SetAlgorithmPolicy(SEC_OID_MD5, policyMd5, NSS_USE_ALG_IN_SIGNATURE));
bool expired;
ASSERT_EQ(Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,
VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
@@ -929,14 +941,23 @@ TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
// Note that the algorithm ID (md5WithRSAEncryption) identifies the signature
// algorithm that will be used to sign the certificate that issues the OCSP
// responses, not the responses themselves.
+ PRUint32 policyMd5;
+ ASSERT_EQ(SECSuccess,NSS_GetAlgorithmPolicy(SEC_OID_MD5, &policyMd5));
+
+ /* our encode won't work if MD5 isn't allowed by policy */
+ ASSERT_EQ(SECSuccess,
+ NSS_SetAlgorithmPolicy(SEC_OID_MD5, NSS_USE_ALG_IN_SIGNATURE, 0));
ByteString responseString(
CreateEncodedIndirectOCSPSuccessfulResponse(
"good_indirect_unsupportedSignatureAlgorithm",
OCSPResponseContext::good, byKey,
md5WithRSAEncryption()));
Input response;
+ /* now restore the existing policy */
ASSERT_EQ(Success,
response.Init(responseString.data(), responseString.length()));
+ ASSERT_EQ(SECSuccess,
+ NSS_SetAlgorithmPolicy(SEC_OID_MD5, policyMd5, NSS_USE_ALG_IN_SIGNATURE));
bool expired;
ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),