security/manager/ssl/tests/unit/test_ocsp_url.js


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137

// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

"use strict";

// In which we try to validate several ocsp responses, checking in particular
// if the ocsp url is valid and the path expressed is correctly passed to
// the caller.

do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                 .getService(Ci.nsIX509CertDB);

const SERVER_PORT = 8888;

function failingOCSPResponder() {
  return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
}

function start_ocsp_responder(expectedCertNames, expectedPaths) {
  return startOCSPResponder(SERVER_PORT, "www.example.com",
                            "test_ocsp_url", expectedCertNames, expectedPaths);
}

function check_cert_err(cert_name, expected_error) {
  let cert = constructCertFromFile("test_ocsp_url/" + cert_name + ".pem");
  return checkCertErrorGeneric(certdb, cert, expected_error,
                               certificateUsageSSLServer);
}

function run_test() {
  addCertFromFile(certdb, "test_ocsp_url/ca.pem", 'CTu,CTu,CTu');
  addCertFromFile(certdb, "test_ocsp_url/int.pem", ',,');

  // Enabled so that we can force ocsp failure responses.
  Services.prefs.setBoolPref("security.OCSP.require", true);

  Services.prefs.setCharPref("network.dns.localDomains",
                             "www.example.com");
  Services.prefs.setIntPref("security.OCSP.enabled", 1);

  // Note: We don't test the case of a well-formed HTTP URL with an empty port
  //       because the OCSP code would then send a request to port 80, which we
  //       can't use in tests.

  add_test(function() {
    clearOCSPCache();
    let ocspResponder = failingOCSPResponder();
    check_cert_err("bad-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
    ocspResponder.stop(run_next_test);
  });

  add_test(function() {
    clearOCSPCache();
    let ocspResponder = failingOCSPResponder();
    check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
    ocspResponder.stop(run_next_test);
  });

  add_test(() => {
    clearOCSPCache();
    let ocspResponder = failingOCSPResponder();
    check_cert_err("ftp-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
    ocspResponder.stop(run_next_test);
  });

  add_test(function() {
    clearOCSPCache();
    let ocspResponder = failingOCSPResponder();
    check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
    ocspResponder.stop(run_next_test);
  });

  add_test(function() {
    clearOCSPCache();
    let ocspResponder = start_ocsp_responder(["hTTp-url"], ["hTTp-url"]);
    check_cert_err("hTTp-url", PRErrorCodeSuccess);
    ocspResponder.stop(run_next_test);
  });

  add_test(function() {
    clearOCSPCache();
    let ocspResponder = failingOCSPResponder();
    check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
    ocspResponder.stop(run_next_test);
  });

  add_test(function() {
    clearOCSPCache();
    let ocspResponder = failingOCSPResponder();
    // XXX Bug 1013615 parser accepts ":8888" as hostname
    check_cert_err("no-host-url", SEC_ERROR_OCSP_SERVER_ERROR);
    ocspResponder.stop(run_next_test);
  });

  add_test(function() {
    clearOCSPCache();
    let ocspResponder = start_ocsp_responder(["no-path-url"], ['']);
    check_cert_err("no-path-url", PRErrorCodeSuccess);
    ocspResponder.stop(run_next_test);
  });

  add_test(function() {
    clearOCSPCache();
    let ocspResponder = failingOCSPResponder();
    check_cert_err("no-scheme-host-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
    ocspResponder.stop(run_next_test);
  });

  add_test(function() {
    clearOCSPCache();
    let ocspResponder = failingOCSPResponder();
    check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
    ocspResponder.stop(run_next_test);
  });

  add_test(function() {
    clearOCSPCache();
    let ocspResponder = failingOCSPResponder();
    check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
    ocspResponder.stop(run_next_test);
  });

  // Note: We currently don't have anything that ensures user:pass sections
  //       weren't sent. The following test simply checks that such sections
  //       don't cause failures.
  add_test(() => {
    clearOCSPCache();
    let ocspResponder = start_ocsp_responder(["user-pass"], [""]);
    check_cert_err("user-pass", PRErrorCodeSuccess);
    ocspResponder.stop(run_next_test);
  });

  run_next_test();
}