summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
blob: ba648b9e642df4c356ba822ff0595620bf4886ce (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// Any copyright is dedicated to the Public Domain.
// http://creativecommons.org/publicdomain/zero/1.0/
"use strict";

// Checks that the security.OCSP.enabled pref correctly controls OCSP fetching
// behavior.

do_get_profile(); // Must be called before getting nsIX509CertDB
const gCertDB = Cc["@mozilla.org/security/x509certdb;1"]
                  .getService(Ci.nsIX509CertDB);

const SERVER_PORT = 8888;

function certFromFile(filename) {
  return constructCertFromFile(`test_ev_certs/${filename}.pem`);
}

function loadCert(certName, trustString) {
  addCertFromFile(gCertDB, `test_ev_certs/${certName}.pem`, trustString);
}

function getFailingOCSPResponder() {
  return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
}

function getOCSPResponder(expectedCertNames) {
  return startOCSPResponder(SERVER_PORT, "www.example.com", "test_ev_certs",
                            expectedCertNames, []);
}

// Tests that in ocspOff mode, OCSP fetches are never done.
function testOff() {
  add_test(() => {
    Services.prefs.setIntPref("security.OCSP.enabled", 0);
    do_print("Setting security.OCSP.enabled to 0");
    run_next_test();
  });

  // EV chains should verify successfully but never get EV status.
  add_test(() => {
    clearOCSPCache();
    let ocspResponder = getFailingOCSPResponder();
    checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
                  false);
    ocspResponder.stop(run_next_test);
  });

  // A DV chain should verify successfully.
  add_test(() => {
    clearOCSPCache();
    let ocspResponder = getFailingOCSPResponder();
    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
                          PRErrorCodeSuccess, certificateUsageSSLServer);
    ocspResponder.stop(run_next_test);
  });
}

// Tests that in ocspOn mode, OCSP fetches are done for both EV and DV certs.
function testOn() {
  add_test(() => {
    Services.prefs.setIntPref("security.OCSP.enabled", 1);
    do_print("Setting security.OCSP.enabled to 1");
    run_next_test();
  });

  // If a successful OCSP response is fetched, then an EV chain should verify
  // successfully and get EV status as well.
  add_test(() => {
    clearOCSPCache();
    let ocspResponder =
      getOCSPResponder(gEVExpected ? ["test-oid-path-int", "test-oid-path-ee"]
                                   : ["test-oid-path-ee"]);
    checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
                  gEVExpected);
    ocspResponder.stop(run_next_test);
  });

  // If a successful OCSP response is fetched, then a DV chain should verify
  // successfully.
  add_test(() => {
    clearOCSPCache();
    let ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]);
    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
                          PRErrorCodeSuccess, certificateUsageSSLServer);
    ocspResponder.stop(run_next_test);
  });
}

// Tests that in ocspEVOnly mode, OCSP fetches are done for EV certs only.
function testEVOnly() {
  add_test(() => {
    Services.prefs.setIntPref("security.OCSP.enabled", 2);
    do_print("Setting security.OCSP.enabled to 2");
    run_next_test();
  });

  // If a successful OCSP response is fetched, then an EV chain should verify
  // successfully and get EV status as well.
  add_test(() => {
    clearOCSPCache();
    let ocspResponder = gEVExpected
                      ? getOCSPResponder(["test-oid-path-int", "test-oid-path-ee"])
                      : getFailingOCSPResponder();
    checkEVStatus(gCertDB, certFromFile("test-oid-path-ee"), certificateUsageSSLServer,
                  gEVExpected);
    ocspResponder.stop(run_next_test);
  });

  // A DV chain should verify successfully even without doing OCSP fetches.
  add_test(() => {
    clearOCSPCache();
    let ocspResponder = getFailingOCSPResponder();
    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root-path-ee"),
                          PRErrorCodeSuccess, certificateUsageSSLServer);
    ocspResponder.stop(run_next_test);
  });
}

function run_test() {
  do_register_cleanup(() => {
    Services.prefs.clearUserPref("network.dns.localDomains");
    Services.prefs.clearUserPref("security.OCSP.enabled");
    Services.prefs.clearUserPref("security.OCSP.require");
  });
  Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
  // Enable hard fail to ensure chains that should only succeed because they get
  // a good OCSP response do not succeed due to soft fail leniency.
  Services.prefs.setBoolPref("security.OCSP.require", true);

  loadCert("evroot", "CTu,,");
  loadCert("test-oid-path-int", ",,");
  loadCert("non-evroot-ca", "CTu,,");
  loadCert("non-ev-root-path-int", ",,");

  testOff();
  testOn();
  testEVOnly();

  run_next_test();
}