diff options
| author | Matt A. Tobin <mattatobin@localhost.localdomain> | 2018-02-02 04:16:08 -0500 |
|---|---|---|
| committer | Matt A. Tobin <mattatobin@localhost.localdomain> | 2018-02-02 04:16:08 -0500 |
| commit | 5f8de423f190bbb79a62f804151bc24824fa32d8 (patch) | |
| tree | 10027f336435511475e392454359edea8e25895d /security/manager/ssl/tests/unit/test_ocsp_url.js | |
| parent | 49ee0794b5d912db1f95dce6eb52d781dc210db5 (diff) | |
| download | UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.gz UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.lz UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.xz UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.zip | |
Add m-esr52 at 52.6.0
Diffstat (limited to 'security/manager/ssl/tests/unit/test_ocsp_url.js')
| -rw-r--r-- | security/manager/ssl/tests/unit/test_ocsp_url.js | 137 |
1 files changed, 137 insertions, 0 deletions
diff --git a/security/manager/ssl/tests/unit/test_ocsp_url.js b/security/manager/ssl/tests/unit/test_ocsp_url.js new file mode 100644 index 000000000..799c934d0 --- /dev/null +++ b/security/manager/ssl/tests/unit/test_ocsp_url.js @@ -0,0 +1,137 @@ +// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +"use strict"; + +// In which we try to validate several ocsp responses, checking in particular +// if the ocsp url is valid and the path expressed is correctly passed to +// the caller. + +do_get_profile(); // must be called before getting nsIX509CertDB +const certdb = Cc["@mozilla.org/security/x509certdb;1"] + .getService(Ci.nsIX509CertDB); + +const SERVER_PORT = 8888; + +function failingOCSPResponder() { + return getFailingHttpServer(SERVER_PORT, ["www.example.com"]); +} + +function start_ocsp_responder(expectedCertNames, expectedPaths) { + return startOCSPResponder(SERVER_PORT, "www.example.com", + "test_ocsp_url", expectedCertNames, expectedPaths); +} + +function check_cert_err(cert_name, expected_error) { + let cert = constructCertFromFile("test_ocsp_url/" + cert_name + ".pem"); + return checkCertErrorGeneric(certdb, cert, expected_error, + certificateUsageSSLServer); +} + +function run_test() { + addCertFromFile(certdb, "test_ocsp_url/ca.pem", 'CTu,CTu,CTu'); + addCertFromFile(certdb, "test_ocsp_url/int.pem", ',,'); + + // Enabled so that we can force ocsp failure responses. + Services.prefs.setBoolPref("security.OCSP.require", true); + + Services.prefs.setCharPref("network.dns.localDomains", + "www.example.com"); + Services.prefs.setIntPref("security.OCSP.enabled", 1); + + // Note: We don't test the case of a well-formed HTTP URL with an empty port + // because the OCSP code would then send a request to port 80, which we + // can't use in tests. + + add_test(function() { + clearOCSPCache(); + let ocspResponder = failingOCSPResponder(); + check_cert_err("bad-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + ocspResponder.stop(run_next_test); + }); + + add_test(function() { + clearOCSPCache(); + let ocspResponder = failingOCSPResponder(); + check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + ocspResponder.stop(run_next_test); + }); + + add_test(() => { + clearOCSPCache(); + let ocspResponder = failingOCSPResponder(); + check_cert_err("ftp-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + ocspResponder.stop(run_next_test); + }); + + add_test(function() { + clearOCSPCache(); + let ocspResponder = failingOCSPResponder(); + check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + ocspResponder.stop(run_next_test); + }); + + add_test(function() { + clearOCSPCache(); + let ocspResponder = start_ocsp_responder(["hTTp-url"], ["hTTp-url"]); + check_cert_err("hTTp-url", PRErrorCodeSuccess); + ocspResponder.stop(run_next_test); + }); + + add_test(function() { + clearOCSPCache(); + let ocspResponder = failingOCSPResponder(); + check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + ocspResponder.stop(run_next_test); + }); + + add_test(function() { + clearOCSPCache(); + let ocspResponder = failingOCSPResponder(); + // XXX Bug 1013615 parser accepts ":8888" as hostname + check_cert_err("no-host-url", SEC_ERROR_OCSP_SERVER_ERROR); + ocspResponder.stop(run_next_test); + }); + + add_test(function() { + clearOCSPCache(); + let ocspResponder = start_ocsp_responder(["no-path-url"], ['']); + check_cert_err("no-path-url", PRErrorCodeSuccess); + ocspResponder.stop(run_next_test); + }); + + add_test(function() { + clearOCSPCache(); + let ocspResponder = failingOCSPResponder(); + check_cert_err("no-scheme-host-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + ocspResponder.stop(run_next_test); + }); + + add_test(function() { + clearOCSPCache(); + let ocspResponder = failingOCSPResponder(); + check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + ocspResponder.stop(run_next_test); + }); + + add_test(function() { + clearOCSPCache(); + let ocspResponder = failingOCSPResponder(); + check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION); + ocspResponder.stop(run_next_test); + }); + + // Note: We currently don't have anything that ensures user:pass sections + // weren't sent. The following test simply checks that such sections + // don't cause failures. + add_test(() => { + clearOCSPCache(); + let ocspResponder = start_ocsp_responder(["user-pass"], [""]); + check_cert_err("user-pass", PRErrorCodeSuccess); + ocspResponder.stop(run_next_test); + }); + + run_next_test(); +} |