Bug 923304, Part 2: Adjust EV tests, r=keeler

--HG--
extra : rebase_source : f0cfd0089a99dddd8852e0613bc2a31e5c12b1de
This commit is contained in:
Brian Smith 2014-01-14 15:22:09 -08:00
parent ae750cc925
commit 2bf2f0ce5a

View File

@ -5,6 +5,9 @@
"use strict";
// XXX: The isDebugBuild tests you see are here because the test EV root is
// only enabled for EV in debug builds, as a security measure. An ugly hack.
do_get_profile(); // must be called before getting nsIX509CertDB
const certdb = Cc["@mozilla.org/security/x509certdb;1"]
.getService(Ci.nsIX509CertDB);
@ -31,16 +34,28 @@ function load_ca(ca_name) {
addCertFromFile(certdb, "test_ev_certs/" + ca_filename, 'CTu,CTu,CTu');
}
var gHttpServer;
var gOCSPResponseCounter = 0;
const SERVER_PORT = 8888;
function start_ocsp_responder() {
const SERVER_PORT = 8888;
gHttpServer = new HttpServer();
gHttpServer.registerPrefixHandler("/",
function failingOCSPResponder() {
let httpServer = new HttpServer();
httpServer.registerPrefixHandler("/", function(request, response) {
do_check_true(false);
});
httpServer.start(SERVER_PORT);
return httpServer;
}
function start_ocsp_responder(expectedCertNames) {
let httpServer = new HttpServer();
httpServer.registerPrefixHandler("/",
function handleServerCallback(aRequest, aResponse) {
do_check_neq(aRequest.host, "crl.example.com"); // No CRL checks
let cert_nick = aRequest.path.slice(1, aRequest.path.length - 1);
do_check_true(expectedCertNames.length >= 1);
let expected_nick = expectedCertNames.shift();
do_check_eq(cert_nick, expected_nick);
do_print("Generating ocsp response for '" + cert_nick + "'");
aResponse.setStatusLine(aRequest.httpVersion, 200, "OK");
aResponse.setHeader("Content-Type", "application/ocsp-response");
@ -54,11 +69,16 @@ function start_ocsp_responder() {
let retArray = generateOCSPResponses(arg_array, "test_ev_certs");
let responseBody = retArray[0];
aResponse.bodyOutputStream.write(responseBody, responseBody.length);
gOCSPResponseCounter++;
});
gHttpServer.identity.setPrimary("http", "www.example.com", SERVER_PORT);
gHttpServer.identity.add("http", "crl.example.com", SERVER_PORT);
gHttpServer.start(SERVER_PORT);
httpServer.identity.setPrimary("http", "www.example.com", SERVER_PORT);
httpServer.identity.add("http", "crl.example.com", SERVER_PORT);
httpServer.start(SERVER_PORT);
return {
stop: function(callback) {
do_check_eq(expectedCertNames.length, 0);
httpServer.stop(callback);
}
};
}
function check_cert_err(cert_name, expected_error) {
@ -77,11 +97,7 @@ function check_ee_for_ev(cert_name, expected_ev) {
let verifiedChain = {};
let error = certdb.verifyCertNow(cert, certificateUsageSSLServer,
NO_FLAGS, verifiedChain, hasEVPolicy);
if (isDebugBuild) {
do_check_eq(hasEVPolicy.value, expected_ev);
} else {
do_check_false(hasEVPolicy.value);
}
do_check_eq(hasEVPolicy.value, expected_ev);
do_check_eq(0, error);
}
@ -97,44 +113,57 @@ function run_test() {
Services.prefs.setCharPref("network.dns.localDomains",
'www.example.com, crl.example.com');
start_ocsp_responder();
run_next_test();
}
add_test(function() {
check_ee_for_ev("ev-valid", true);
run_next_test();
clearOCSPCache();
let ocspResponder = start_ocsp_responder(
isDebugBuild ? ["int-ev-valid", "ev-valid"]
: ["ev-valid"]);
check_ee_for_ev("ev-valid", isDebugBuild);
ocspResponder.stop(run_next_test);
});
add_test(function() {
clearOCSPCache();
let ocspResponder = start_ocsp_responder(["non-ev-root"]);
check_ee_for_ev("non-ev-root", false);
run_next_test();
ocspResponder.stop(run_next_test);
});
add_test(function() {
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
check_ee_for_ev("no-ocsp-url-cert", false);
run_next_test();
ocspResponder.stop(run_next_test);
});
// Test for bug 917380
add_test(function () {
const nsIX509Cert = Ci.nsIX509Cert;
// bug 917380: Chcek that an untrusted EV root is untrusted.
const nsIX509Cert = Ci.nsIX509Cert;
add_test(function() {
let evRootCA = certdb.findCertByNickname(null, evrootnick);
certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0);
clearOCSPCache();
let ocspResponder = failingOCSPResponder();
check_cert_err("ev-valid", SEC_ERROR_UNTRUSTED_ISSUER);
ocspResponder.stop(run_next_test);
});
// bug 917380: Chcek that a trusted EV root is trusted after disabling and
// re-enabling trust.
add_test(function() {
let evRootCA = certdb.findCertByNickname(null, evrootnick);
certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT,
Ci.nsIX509CertDB.TRUSTED_SSL |
Ci.nsIX509CertDB.TRUSTED_EMAIL |
Ci.nsIX509CertDB.TRUSTED_OBJSIGN);
check_ee_for_ev("ev-valid", true);
run_next_test();
});
// The following test should be the last as it performs cleanups
add_test(function() {
do_check_eq(4, gOCSPResponseCounter);
gHttpServer.stop(run_next_test);
clearOCSPCache();
let ocspResponder = start_ocsp_responder(
isDebugBuild ? ["int-ev-valid", "ev-valid"]
: ["ev-valid"]);
check_ee_for_ev("ev-valid", isDebugBuild);
ocspResponder.stop(run_next_test);
});