Bug 923304, Part 2: Adjust EV tests, r=keeler
--HG-- extra : rebase_source : f0cfd0089a99dddd8852e0613bc2a31e5c12b1de
This commit is contained in:
parent
ae750cc925
commit
2bf2f0ce5a
@ -5,6 +5,9 @@
|
||||
|
||||
"use strict";
|
||||
|
||||
// XXX: The isDebugBuild tests you see are here because the test EV root is
|
||||
// only enabled for EV in debug builds, as a security measure. An ugly hack.
|
||||
|
||||
do_get_profile(); // must be called before getting nsIX509CertDB
|
||||
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
|
||||
.getService(Ci.nsIX509CertDB);
|
||||
@ -31,16 +34,28 @@ function load_ca(ca_name) {
|
||||
addCertFromFile(certdb, "test_ev_certs/" + ca_filename, 'CTu,CTu,CTu');
|
||||
}
|
||||
|
||||
var gHttpServer;
|
||||
var gOCSPResponseCounter = 0;
|
||||
const SERVER_PORT = 8888;
|
||||
|
||||
function start_ocsp_responder() {
|
||||
const SERVER_PORT = 8888;
|
||||
gHttpServer = new HttpServer();
|
||||
gHttpServer.registerPrefixHandler("/",
|
||||
function failingOCSPResponder() {
|
||||
let httpServer = new HttpServer();
|
||||
httpServer.registerPrefixHandler("/", function(request, response) {
|
||||
do_check_true(false);
|
||||
});
|
||||
httpServer.start(SERVER_PORT);
|
||||
return httpServer;
|
||||
}
|
||||
|
||||
function start_ocsp_responder(expectedCertNames) {
|
||||
let httpServer = new HttpServer();
|
||||
httpServer.registerPrefixHandler("/",
|
||||
function handleServerCallback(aRequest, aResponse) {
|
||||
do_check_neq(aRequest.host, "crl.example.com"); // No CRL checks
|
||||
let cert_nick = aRequest.path.slice(1, aRequest.path.length - 1);
|
||||
|
||||
do_check_true(expectedCertNames.length >= 1);
|
||||
let expected_nick = expectedCertNames.shift();
|
||||
do_check_eq(cert_nick, expected_nick);
|
||||
|
||||
do_print("Generating ocsp response for '" + cert_nick + "'");
|
||||
aResponse.setStatusLine(aRequest.httpVersion, 200, "OK");
|
||||
aResponse.setHeader("Content-Type", "application/ocsp-response");
|
||||
@ -54,11 +69,16 @@ function start_ocsp_responder() {
|
||||
let retArray = generateOCSPResponses(arg_array, "test_ev_certs");
|
||||
let responseBody = retArray[0];
|
||||
aResponse.bodyOutputStream.write(responseBody, responseBody.length);
|
||||
gOCSPResponseCounter++;
|
||||
});
|
||||
gHttpServer.identity.setPrimary("http", "www.example.com", SERVER_PORT);
|
||||
gHttpServer.identity.add("http", "crl.example.com", SERVER_PORT);
|
||||
gHttpServer.start(SERVER_PORT);
|
||||
httpServer.identity.setPrimary("http", "www.example.com", SERVER_PORT);
|
||||
httpServer.identity.add("http", "crl.example.com", SERVER_PORT);
|
||||
httpServer.start(SERVER_PORT);
|
||||
return {
|
||||
stop: function(callback) {
|
||||
do_check_eq(expectedCertNames.length, 0);
|
||||
httpServer.stop(callback);
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
function check_cert_err(cert_name, expected_error) {
|
||||
@ -77,11 +97,7 @@ function check_ee_for_ev(cert_name, expected_ev) {
|
||||
let verifiedChain = {};
|
||||
let error = certdb.verifyCertNow(cert, certificateUsageSSLServer,
|
||||
NO_FLAGS, verifiedChain, hasEVPolicy);
|
||||
if (isDebugBuild) {
|
||||
do_check_eq(hasEVPolicy.value, expected_ev);
|
||||
} else {
|
||||
do_check_false(hasEVPolicy.value);
|
||||
}
|
||||
do_check_eq(hasEVPolicy.value, expected_ev);
|
||||
do_check_eq(0, error);
|
||||
}
|
||||
|
||||
@ -97,44 +113,57 @@ function run_test() {
|
||||
Services.prefs.setCharPref("network.dns.localDomains",
|
||||
'www.example.com, crl.example.com');
|
||||
|
||||
start_ocsp_responder();
|
||||
|
||||
run_next_test();
|
||||
}
|
||||
|
||||
|
||||
add_test(function() {
|
||||
check_ee_for_ev("ev-valid", true);
|
||||
run_next_test();
|
||||
clearOCSPCache();
|
||||
let ocspResponder = start_ocsp_responder(
|
||||
isDebugBuild ? ["int-ev-valid", "ev-valid"]
|
||||
: ["ev-valid"]);
|
||||
check_ee_for_ev("ev-valid", isDebugBuild);
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
||||
add_test(function() {
|
||||
clearOCSPCache();
|
||||
let ocspResponder = start_ocsp_responder(["non-ev-root"]);
|
||||
check_ee_for_ev("non-ev-root", false);
|
||||
run_next_test();
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
||||
add_test(function() {
|
||||
clearOCSPCache();
|
||||
let ocspResponder = failingOCSPResponder();
|
||||
check_ee_for_ev("no-ocsp-url-cert", false);
|
||||
run_next_test();
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
||||
// Test for bug 917380
|
||||
add_test(function () {
|
||||
const nsIX509Cert = Ci.nsIX509Cert;
|
||||
// bug 917380: Chcek that an untrusted EV root is untrusted.
|
||||
const nsIX509Cert = Ci.nsIX509Cert;
|
||||
add_test(function() {
|
||||
let evRootCA = certdb.findCertByNickname(null, evrootnick);
|
||||
certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0);
|
||||
|
||||
clearOCSPCache();
|
||||
let ocspResponder = failingOCSPResponder();
|
||||
check_cert_err("ev-valid", SEC_ERROR_UNTRUSTED_ISSUER);
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
|
||||
|
||||
// bug 917380: Chcek that a trusted EV root is trusted after disabling and
|
||||
// re-enabling trust.
|
||||
add_test(function() {
|
||||
let evRootCA = certdb.findCertByNickname(null, evrootnick);
|
||||
certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT,
|
||||
Ci.nsIX509CertDB.TRUSTED_SSL |
|
||||
Ci.nsIX509CertDB.TRUSTED_EMAIL |
|
||||
Ci.nsIX509CertDB.TRUSTED_OBJSIGN);
|
||||
check_ee_for_ev("ev-valid", true);
|
||||
run_next_test();
|
||||
});
|
||||
|
||||
// The following test should be the last as it performs cleanups
|
||||
add_test(function() {
|
||||
do_check_eq(4, gOCSPResponseCounter);
|
||||
gHttpServer.stop(run_next_test);
|
||||
clearOCSPCache();
|
||||
let ocspResponder = start_ocsp_responder(
|
||||
isDebugBuild ? ["int-ev-valid", "ev-valid"]
|
||||
: ["ev-valid"]);
|
||||
check_ee_for_ev("ev-valid", isDebugBuild);
|
||||
ocspResponder.stop(run_next_test);
|
||||
});
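Review bot: failingOCSPResponder never registers the www.example.com / crl.example.com identities that start_ocsp_responder sets up via identity.setPrimary/identity.add before start(), so its do_check_true(false) handler may be unreachable: if httpd.js refuses requests whose Host header is not in the server's identity set before dispatching to handlers (I believe it answers 400), an unexpected OCSP or CRL fetch in the no-ocsp-url-cert and untrusted-EV-root tests would be a soft-failed fetch rather than a test failure, and those negative checks would pass vacuously. Mirror the identity setup in failingOCSPResponder, just before `httpServer.start(SERVER_PORT);`, with `httpServer.identity.setPrimary("http", "www.example.com", SERVER_PORT);` and `httpServer.identity.add("http", "crl.example.com", SERVER_PORT);` so the assertion actually fires on any request. A comment on the handler such as `// Any request at all is a failure: these tests must perform no OCSP or CRL fetch.` would make the intent explicit. Whether the `expectedCertNames.length == 0` check in stop() is meaningful also depends on verifyCertNow having completed its fetches synchronously, which cannot be confirmed from this diff.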
|
||||
|
||||
|