Bug 923304, Part 1: Add test for OCSP response signed by CA that has an OCSP URI, r=keeler, r=briansmith

--HG--
extra : rebase_source : 7cafe0781563382c2221e865201beb023fea3628

security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js

@@ -0,0 +1,43 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// In which we connect to a server that staples an OCSP response for a
+// certificate signed by an intermediate that has an OCSP AIA to ensure
+// that an OCSP request is not made for the intermediate.
+
+let gOCSPRequestCount = 0;
+
+function add_ocsp_test(aHost, aExpectedResult) {
+  add_connection_test(aHost, aExpectedResult,
+    function() {
+      clearOCSPCache();
+      clearSessionCache();
+    });
+}
+
+function run_test() {
+  do_get_profile();
+  Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+
+  let ocspResponder = new HttpServer();
+  ocspResponder.registerPrefixHandler("/", function(request, response) {
+    gOCSPRequestCount++;
+    response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+    let body = "Refusing to return a response";
+    response.bodyOutputStream.write(body, body.length);
+  });
+  ocspResponder.start(8080);
+
+  add_tls_server_setup("OCSPStaplingServer");
+
+  add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK);
+  add_test(function() { ocspResponder.stop(run_next_test); });
+  add_test(function() {
+    do_check_eq(gOCSPRequestCount, 0);
+    run_next_test();
+  });
+  run_next_test();
+}

security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp

@@ -35,6 +35,7 @@ const OCSPHost sOCSPHosts[] =
   { "ocsp-stapling-trylater.example.com", ORTTryLater, nullptr },
   { "ocsp-stapling-needssig.example.com", ORTNeedsSig, nullptr },
   { "ocsp-stapling-unauthorized.example.com", ORTUnauthorized, nullptr },
+  { "ocsp-stapling-with-intermediate.example.com", ORTGood, "ocspEEWithIntermediate" },
   { nullptr, ORTNull, nullptr }
 };
 
@@ -52,9 +53,17 @@ DoSNISocketConfig(PRFileDesc *aFd, const SECItem *aSrvNameArr,
     fprintf(stderr, "found pre-defined host '%s'\n", host->mHostName);
   }
 
+  const char *certNickname;
+  if (strcmp(host->mHostName,
+             "ocsp-stapling-with-intermediate.example.com") == 0) {
+    certNickname = host->mAdditionalCertName;
+  } else {
+    certNickname = DEFAULT_CERT_NICKNAME;
+  }
+
   ScopedCERTCertificate cert;
   SSLKEAType certKEA;
-  if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, DEFAULT_CERT_NICKNAME,
+  if (SECSuccess != ConfigSecureServerWithNamedCert(aFd, certNickname,
                                                     &cert, &certKEA)) {
     return SSL_SNI_SEND_ALERT;
   }

security/manager/ssl/tests/unit/tlsserver/generate_certs.sh

@@ -59,7 +59,7 @@ $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -N -f $PASSWORD_FILE
 COMMON_ARGS="-v 360 -w -1 -2 -z $NOISE_FILE"
 
 function make_CA {
-  CA_RESPONSES="y\n0\ny"
+  CA_RESPONSES="y\n1\ny"
   NICKNAME="${1}"
   SUBJECT="${2}"
   DERFILE="${3}"
@@ -74,7 +74,24 @@ function make_CA {
 
 SERIALNO=1
 
-function make_cert {
+function make_INT {
+  INT_RESPONSES="y\n0\ny\n2\n7\nhttp://localhost:8080/\n\nn\nn\n"
+  NICKNAME="${1}"
+  SUBJECT="${2}"
+  CA="${3}"
+
+  echo -e "$INT_RESPONSES" | $RUN_MOZILLA $CERTUTIL -d $OUTPUT_DIR -S \
+                                                    -n $NICKNAME \
+                                                    -s "$SUBJECT" \
+                                                    -c $CA \
+                                                    -t ",," \
+                                                    -m $SERIALNO \
+                                                    --extAIA \
+                                                    $COMMON_ARGS
+  SERIALNO=$(($SERIALNO + 1))
+}
+
+function make_EE {
   CERT_RESPONSES="n\n\ny\n2\n7\nhttp://localhost:8080/\n\nn\nn\n"
   NICKNAME="${1}"
   SUBJECT="${2}"
@@ -98,10 +115,13 @@ function make_cert {
 
 make_CA testCA 'CN=Test CA' test-ca.der
 make_CA otherCA 'CN=Other test CA' other-test-ca.der
-make_cert localhostAndExampleCom 'CN=Test End-entity' testCA "localhost,*.example.com"
+make_EE localhostAndExampleCom 'CN=Test End-entity' testCA "localhost,*.example.com"
 # A cert that is like localhostAndExampleCom, but with a different serial number for
 # testing the "OCSP response is from the right issuer, but it is for the wrong cert"
 # case.
-make_cert ocspOtherEndEntity 'CN=Other Cert' testCA "localhost,*.example.com"
+make_EE ocspOtherEndEntity 'CN=Other Cert' testCA "localhost,*.example.com"
+
+make_INT testINT 'CN=Test Intermediate' testCA
+make_EE ocspEEWithIntermediate 'CN=Test End-entity with Intermediate' testINT "localhost,*.example.com"
 
 cleanup

security/manager/ssl/tests/unit/xpcshell.ini

@@ -37,6 +37,10 @@ fail-if = os == "android"
 run-sequentially = hardcoded ports
 # Bug 676972: test fails consistently on Android
 fail-if = os == "android"
+[test_ocsp_stapling_with_intermediate.js]
+run-sequentially = hardcoded ports
+# Bug 676972: test fails consistently on Android
+fail-if = os == "android"
 [test_ocsp_caching.js]
 run-sequentially = hardcoded ports
 # Bug 676972: test fails consistently on Android