// -*- indent-tabs-mode: nil; js-indent-level: 2 -*- // This Source Code Form is subject to the terms of the Mozilla Public // License, v. 2.0. If a copy of the MPL was not distributed with this // file, You can obtain one at http://mozilla.org/MPL/2.0/. "use strict"; // In which we connect to a number of domains (as faked by a server running // locally) with OCSP stapling enabled to determine that good things happen // and bad things don't, specifically with respect to various expired OCSP // responses (stapled and otherwise). var gCurrentOCSPResponse = null; var gOCSPRequestCount = 0; function add_ocsp_test(aHost, aExpectedResult, aOCSPResponseToServe, aExpectedRequestCount) { add_connection_test(aHost, aExpectedResult, function() { clearOCSPCache(); clearSessionCache(); gCurrentOCSPResponse = aOCSPResponseToServe; gOCSPRequestCount = 0; }, function() { equal(gOCSPRequestCount, aExpectedRequestCount, "Should have made " + aExpectedRequestCount + " fallback OCSP request" + (aExpectedRequestCount == 1 ? "" : "s")); }); } do_get_profile(); Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true); Services.prefs.setIntPref("security.OCSP.enabled", 1); Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 4); var args = [["good", "default-ee", "unused"], ["expiredresponse", "default-ee", "unused"], ["oldvalidperiod", "default-ee", "unused"], ["revoked", "default-ee", "unused"], ["unknown", "default-ee", "unused"], ]; var ocspResponses = generateOCSPResponses(args, "ocsp_certs"); // Fresh response, certificate is good. var ocspResponseGood = ocspResponses[0]; // Expired response, certificate is good. var expiredOCSPResponseGood = ocspResponses[1]; // Fresh signature, old validity period, certificate is good. var oldValidityPeriodOCSPResponseGood = ocspResponses[2]; // Fresh signature, certificate is revoked. var ocspResponseRevoked = ocspResponses[3]; // Fresh signature, certificate is unknown. var ocspResponseUnknown = ocspResponses[4]; // sometimes we expect a result without re-fetch var willNotRetry = 1; // but sometimes, since a bad response is in the cache, OCSP fetch will be // attempted for each validation - in practice, for these test certs, this // means 6 requests because various hash algorithm and key size combinations // are tried. var willRetry = 6; function run_test() { let ocspResponder = new HttpServer(); ocspResponder.registerPrefixHandler("/", function(request, response) { if (gCurrentOCSPResponse) { response.setStatusLine(request.httpVersion, 200, "OK"); response.setHeader("Content-Type", "application/ocsp-response"); response.write(gCurrentOCSPResponse); } else { response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); response.write("Internal Server Error"); } gOCSPRequestCount++; }); ocspResponder.start(8888); add_tls_server_setup("OCSPStaplingServer", "ocsp_certs"); // In these tests, the OCSP stapling server gives us a stapled // response based on the host name ("ocsp-stapling-expired" or // "ocsp-stapling-expired-fresh-ca"). We then ensure that we're // properly falling back to fetching revocation information. // For ocsp-stapling-expired.example.com, the OCSP stapling server // staples an expired OCSP response. The certificate has not expired. // For ocsp-stapling-expired-fresh-ca.example.com, the OCSP stapling // server staples an OCSP response with a recent signature but with an // out-of-date validity period. The certificate has not expired. add_ocsp_test("ocsp-stapling-expired.example.com", PRErrorCodeSuccess, ocspResponseGood, willNotRetry); add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", PRErrorCodeSuccess, ocspResponseGood, willNotRetry); // if we can't fetch a more recent response when // given an expired stapled response, we terminate the connection. add_ocsp_test("ocsp-stapling-expired.example.com", SEC_ERROR_OCSP_OLD_RESPONSE, expiredOCSPResponseGood, willRetry); add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", SEC_ERROR_OCSP_OLD_RESPONSE, expiredOCSPResponseGood, willRetry); add_ocsp_test("ocsp-stapling-expired.example.com", SEC_ERROR_OCSP_OLD_RESPONSE, oldValidityPeriodOCSPResponseGood, willRetry); add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", SEC_ERROR_OCSP_OLD_RESPONSE, oldValidityPeriodOCSPResponseGood, willRetry); add_ocsp_test("ocsp-stapling-expired.example.com", SEC_ERROR_OCSP_OLD_RESPONSE, null, willNotRetry); add_ocsp_test("ocsp-stapling-expired.example.com", SEC_ERROR_OCSP_OLD_RESPONSE, null, willNotRetry); // Of course, if the newer response indicates Revoked or Unknown, // that status must be returned. add_ocsp_test("ocsp-stapling-expired.example.com", SEC_ERROR_REVOKED_CERTIFICATE, ocspResponseRevoked, willNotRetry); add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", SEC_ERROR_REVOKED_CERTIFICATE, ocspResponseRevoked, willNotRetry); add_ocsp_test("ocsp-stapling-expired.example.com", SEC_ERROR_OCSP_UNKNOWN_CERT, ocspResponseUnknown, willRetry); add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", SEC_ERROR_OCSP_UNKNOWN_CERT, ocspResponseUnknown, willRetry); // If the response is expired but indicates Revoked or Unknown and a // newer status can't be fetched, the Revoked or Unknown status will // be returned. add_ocsp_test("ocsp-stapling-revoked-old.example.com", SEC_ERROR_REVOKED_CERTIFICATE, null, willNotRetry); add_ocsp_test("ocsp-stapling-unknown-old.example.com", SEC_ERROR_OCSP_UNKNOWN_CERT, null, willNotRetry); // If the response is expired but indicates Revoked or Unknown and // a newer status can be fetched and successfully verified, this // should result in a successful certificate verification. add_ocsp_test("ocsp-stapling-revoked-old.example.com", PRErrorCodeSuccess, ocspResponseGood, willNotRetry); add_ocsp_test("ocsp-stapling-unknown-old.example.com", PRErrorCodeSuccess, ocspResponseGood, willNotRetry); // If a newer status can be fetched but it fails to verify, the // Revoked or Unknown status of the expired stapled response // should be returned. add_ocsp_test("ocsp-stapling-revoked-old.example.com", SEC_ERROR_REVOKED_CERTIFICATE, expiredOCSPResponseGood, willRetry); add_ocsp_test("ocsp-stapling-unknown-old.example.com", SEC_ERROR_OCSP_UNKNOWN_CERT, expiredOCSPResponseGood, willRetry); // These tests are verifying that an valid but very old response // is rejected as a valid stapled response, requiring a fetch // from the ocsp responder. add_ocsp_test("ocsp-stapling-ancient-valid.example.com", PRErrorCodeSuccess, ocspResponseGood, willNotRetry); add_ocsp_test("ocsp-stapling-ancient-valid.example.com", SEC_ERROR_REVOKED_CERTIFICATE, ocspResponseRevoked, willNotRetry); add_ocsp_test("ocsp-stapling-ancient-valid.example.com", SEC_ERROR_OCSP_UNKNOWN_CERT, ocspResponseUnknown, willRetry); add_test(function () { ocspResponder.stop(run_next_test); }); add_test(check_ocsp_stapling_telemetry); run_next_test(); } function check_ocsp_stapling_telemetry() { let histogram = Cc["@mozilla.org/base/telemetry;1"] .getService(Ci.nsITelemetry) .getHistogramById("SSL_OCSP_STAPLING") .snapshot(); equal(histogram.counts[0], 0, "Should have 0 connections for unused histogram bucket 0"); equal(histogram.counts[1], 0, "Actual and expected connections with a good response should match"); equal(histogram.counts[2], 0, "Actual and expected connections with no stapled response should match"); equal(histogram.counts[3], 21, "Actual and expected connections with an expired response should match"); equal(histogram.counts[4], 0, "Actual and expected connections with bad responses should match"); run_next_test(); }