From e57ac71ec4a06cf69020d10d8d5e0c072623a23b Mon Sep 17 00:00:00 2001
From: Mark Goodwin
Date: Fri, 17 Jul 2015 10:04:17 +0100
Subject: [PATCH] Bug 1183822 - Add an OCSP test for signers with SHA-1 certificates (r=keeler)
---
 .../ssl/tests/unit/test_ocsp_caching.js           | 31 ++++++++++++++++++
 .../manager/ssl/tests/unit/tlsserver/cert9.db     | Bin 327680 -> 327680 bytes
 .../tlsserver/cmd/GenerateOCSPResponse.cpp        |  2 ++
 .../tests/unit/tlsserver/generate_certs.sh        |  1 +
 .../manager/ssl/tests/unit/tlsserver/key4.db      | Bin 524288 -> 524288 bytes
 5 files changed, 34 insertions(+)
diff --git a/security/manager/ssl/tests/unit/test_ocsp_caching.js b/security/manager/ssl/tests/unit/test_ocsp_caching.js
index d427e9627194..6083813eae32 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_caching.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js
@@ -19,6 +19,16 @@ function respondWithGoodOCSP(request, response) {
   response.write(gGoodOCSPResponse);
 }
+function respondWithSHA1OCSP(request, response) {
+  do_print("returning 200 OK with sha-1 delegated response");
+  response.setStatusLine(request.httpVersion, 200, "OK");
+  response.setHeader("Content-Type", "application/ocsp-response");
+
+  let args = [ ["good-delegated", "localhostAndExampleCom", "delegatedSHA1Signer" ] ];
+  let responses = generateOCSPResponses(args, "tlsserver");
+  response.write(responses[0]);
+}
+
 function respondWithError(request, response) {
   do_print("returning 500 Internal Server Error");
   response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
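Review bot: respondWithSHA1OCSP has no comment saying what is actually SHA-1 here, and the name invites the wrong reading: per the generate_certs.sh hunk in this same patch, `delegatedSHA1Signer` is a delegated responder certificate whose own signature is SHA-1 (`-Z SHA1`), whereas the hash used for the OCSP response signature is not chosen by this handler and is presumably whatever GenerateOCSPResponse defaults to. I would add above the function `// "good" response for localhostAndExampleCom signed by a delegated responder whose certificate is SHA-1-signed; the response signature hash is GenerateOCSPResponse's default, not necessarily SHA-1`. Unlike gGoodOCSPResponse, which the file builds once, this response is regenerated on every request, so its producedAt/thisUpdate may differ between fetches; if any caching assertion depends on byte-identical responses, building it once at file scope would be closer to the existing pattern. `const` instead of `let` for `args` and `responses` would be the modern idiom, though the surrounding file may predate that convention.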
@@ -183,6 +193,27 @@ function add_tests() {
   //---------------------------------------------------------------------------
+  // Ensure OCSP responses from signers with SHA1 certificates are OK. This
+  // is included in the OCSP caching tests since there were OCSP cache-related
+  // regressions when sha-1 telemetry probes were added.
+  add_test(function() {
+    clearOCSPCache();
+    // set security.OCSP.require so that checking the OCSP signature fails
+    Services.prefs.setBoolPref("security.OCSP.require", true);
+    run_next_test();
+  });
+
+  add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
+                [respondWithSHA1OCSP],
+                "signing cert is good (though sha1) - should succeed");
+
+  add_test(function() {
+    Services.prefs.setBoolPref("security.OCSP.require", false);
+    run_next_test();
+  });
+
+  //---------------------------------------------------------------------------
+
   // Reset state
   add_test(function() { clearOCSPCache(); run_next_test(); });
 }
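Review bot: The comment `// set security.OCSP.require so that checking the OCSP signature fails` contradicts the PRErrorCodeSuccess expectation a few lines below; the pref is set so that a rejected or unverifiable OCSP response becomes a hard connection failure instead of a soft-fail, which is what makes the subsequent success assertion meaningful. I would reword it to `// require OCSP so that a rejected response fails the connection instead of soft-failing; the SHA-1-signed responder cert must still be accepted`. The teardown step sets the pref back to `false` rather than restoring the prior value; if the default is false that is equivalent, but `Services.prefs.clearUserPref("security.OCSP.require")` would not depend on it. Worth noting in the leading comment as well that this test deliberately pins acceptance of SHA-1-signed OCSP responder certificates, so the expected result will have to flip once SHA-1 signatures are rejected. The enclosing add_tests function starts outside the hunk.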
diff --git a/security/manager/ssl/tests/unit/tlsserver/cert9.db b/security/manager/ssl/tests/unit/tlsserver/cert9.db index 35e3e1e6a7abe5b03c9bc18d81b95a389d32e514..ecc9900149d2b8e3277e64d3ac05c851c41c1a00 100644 GIT binary patch delta 1956 zcmb_dc~BE)6yN=Ja{xgx3CN*xluJPg7!V6;5Oe@hK*WOp63Xd;h5$(b$)Oxp9HAIj zu?4DtNCO2Dh^o?UL>R>?(hZf?cJLp^x4ZM+o44Qh+x@-Y+ZBuH zVlh3(2u{ph;0`BNhZRpzSjTTkT_amkR32g*Zf=)qIN)~^IiY^B0 zU_uH%p6~ZBV=R<8vrU~o;s7Ed_e4f>5+WnixB;=zagp)w;LhBtP#t;!#AHOy)0B~r zXn?yoL;!dmvOa``@|N&)FiRM5P{WjSw@fopXMiw4^YZ@WKq&8Ud%EmehE0=CaL3IR zQ0;pwN_8c_;K?yv{q5Aa$p_!GgKKxYLQ8@nMP?`uQHAo*QVQZq<6tB)$|dVZ>DACU zE*v%NL#lShMu{UIrO%n;03G(ku8*K`F1Rr6;Z1^JXqNY6NI?)o3O5uX00sc;vS4Tv zHI`&}X1vgbVFD)Mp+@$O3@3Xhh9iUN=o~a(oB3|~{?_SYwiT#}=$w8lkJIOBSYYAN zLfgE&khoTvOmNZD7G>i%6^O3P!xccHa)Y z7(y>fyOR7gS5I2@xN22*6Zeb(-_H&Z3thNmb=Z_04eg{YTm1>(G42=F^(nbEFusfL?VGU zn04CU_Zl7QkHDZaqp$6)23TWFr1A6Ro}{9YTkMA?^Oh>Sw*PqBqa&O4>fFU|(`iaA z?y)D={h1{j=S?l5hEUqS3p8ho2HT`BM|y66$zk8-u;yql(QjoxI2#9K)C-M*6Ip*; z-}Cu?RheeDuKNTbuAEnxME)M2{p+0=c^KCRHPpx3{Qj9Um`$+oL575hNs3Xv2-i~= zt|tIP>aoNPce5^mamnE|{QQ_I5Pg6QKBfxRe1HrZ`(X$_)Fdu{OQQOF{67+B8+x3> z84^be%ByqQ7O-3{Z&qcktnM8)EqUn^vQ@ao1F}!eZ5~NK>E&&4Wh$|unBQVm(&Wpw zX8qDI(VJeFzNN9!b}W8?q<1wl=xb975$1_*=a=-#U$0oVLmKN<`e5;VJ7n3i?AE-c z-ttq3e6H(r8|K!>`>NZ5kjk+^Rt{TlB zET8UJI56hsMjhXsL$rIQ^XIrnJ$uMj5|qXbc@))oO4(dN&!pUt?Jh+IBii}wwhO&$ zI)@CL@3?hOy*f*Y`848$FT0VpHo~I~>fzG%ePz7CAxwchYES4{FuL=JDKM(CA3CEM zzV{yz9i~ZC$@0-5p; z?g8&!(D5mg_N?_ii78DlQ)BqCAY$lB{7Oo^)LoR`;=BxUZ1o}3@0WNrC5{i+ z=>lR1DRzY00|7T%VEOgjjM*{2&4>Jj8WwmNNFlr51Fuqlpw zbQ)wq&H{;1>)m?q?Oyqm^n9BWwaw}MAejq?r6y>G4p-wz-&YRNv#1@Dc7X-CFpMGZ2&zS1*g|06B0|=0OK>z>% diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp index 30e0992563e1..8bb54bcbce6a 100644 --- a/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp 
@@ -35,6 +35,8 @@ struct OCSPResponseName
 const static OCSPResponseName kOCSPResponseNameList[] = {
   { "good", ORTGood }, // the certificate is good
+  { "good-delegated", ORTDelegatedIncluded}, // the certificate is good, using
+                                             // a delegated signer
   { "revoked", ORTRevoked}, // the certificate has been revoked
   { "unknown", ORTUnknown}, // the responder doesn't know if the
                             // cert is good
diff --git a/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh b/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
index a26487411959..8f7ba11b62f4 100755
--- a/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
+++ b/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
@@ -320,6 +320,7 @@ export_cert inadequatekeyusage inadequatekeyusage-ee.der
 make_EE selfsigned-inadequateEKU 'CN=Self-signed Inadequate EKU Test End-entity' unused "selfsigned-inadequateEKU.example.com" "--keyUsage keyEncipherment,dataEncipherment --extKeyUsage serverAuth" "-x"
 make_delegated delegatedSigner 'CN=Test Delegated Responder' testCA "--extKeyUsage ocspResponder"
+make_delegated delegatedSHA1Signer 'CN=Test SHA1 Delegated Responder' testCA "--extKeyUsage ocspResponder -Z SHA1"
 make_delegated invalidDelegatedSignerNoExtKeyUsage 'CN=Test Invalid Delegated Responder No extKeyUsage' testCA
 make_delegated invalidDelegatedSignerFromIntermediate 'CN=Test Invalid Delegated Responder From Intermediate' testINT "--extKeyUsage ocspResponder"
 make_delegated invalidDelegatedSignerKeyUsageCrlSigning 'CN=Test Invalid Delegated Responder keyUsage crlSigning' testCA "--keyUsage crlSigning"
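Review bot: The comment on the new `"good-delegated"` entry says only `using a delegated signer`, but the value it maps to is `ORTDelegatedIncluded`, which reads as the delegated responder certificate being embedded in the response; if that is what the enum means, the comment should say so, e.g. `// the certificate is good; signed by a delegated responder whose cert is included in the response`, since a "delegated signer, cert not included" variant would otherwise be indistinguishable by name. I cannot see the ORTDelegatedIncluded handling from this hunk, so confirm the wording against the response-building code. The kOCSPResponseNameList table continues past the end of the hunk.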
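Review bot: The new `delegatedSHA1Signer` line carries no comment explaining why a SHA-1-signed responder certificate is deliberately generated; the adjacent invalidDelegatedSigner* entries encode their defect in the name, whereas this one is a valid signer that is merely weakly signed, and SHA-1 deprecation work will need to retire or repurpose it. I would add above it `# valid delegated responder whose certificate is SHA-1-signed (-Z SHA1); used by test_ocsp_caching.js for bug 1183822 -- revisit when SHA-1 signatures are rejected`. `-Z SHA1` is passed inside the extra-args string to make_delegated, which is defined outside this hunk and presumably forwards it to certutil; confirm it does not set its own hash algorithm after the caller's options, which would silently override this. The cert9.db/key4.db deltas in the patch presumably already carry the resulting certificate and key, so the test does not depend on running this script.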
diff --git a/security/manager/ssl/tests/unit/tlsserver/key4.db b/security/manager/ssl/tests/unit/tlsserver/key4.db index 09ed98f8ff8f9b216ee9675cd4540dfba5704c85..c3e06ff70995c36474b407bf0b6a5fe23b88071b 100644 GIT binary patch delta 6822 zcmc(jc{o&k|HsY3AZzx0FqUlDvt@}&A!N-yjD5?#8$^VVFtSTX)-lSSHA@kSY$Ms1 zNY)hbo0|Li-Q7Lz`+EL(uIoA1%$#%0`+L5x&*weo^ZA}RVPVj)FlZ7B!0;ZcD!>qJ z_2`&bEhL*Dq$ni&DKX$)$Z28_7y#0eo>cpJAiT|`T3ZUR0lul4AQ&*f{OL{5ioZA`ND|O5u@q=PaR1I|RBGpK!B?7QV*}^Z zeh3*kpAzX9jZeFM|4=##?0ko{C^S>8O$-3}+!k2p4kSSC@Qm@)!S-QeJpMc~Jn1~f zJdChFm)s}<7`RpiZUN8kxLJ}b%jj*+} zv6YgLmXMMKu5*A?fL@OFxNkhYEk%FRWq@n{q+3e?KmL<0Wer^Yi;nyaU@Zw;`OARc zbSXG+`JZ%YQQ*=^x{amik4;Qm9Ju(aj{H}K|35$!xWEol`sskPZNR@|>p#z*|0h`# zIQQ%HxYNZEb`s)JfBHN77af=XUkAtlXZ|waHyvm2hkw#>22cN!j`R2ZulkSt{~7=s zIQ8p*-*ue9*pqaLKMk7vM_m*+@r!}y{x!e&pXZPNqW_yL3LN_}J!-QU!W6B?3&y<( zYxQ`E(BmK~5^O32!Um>xCc)zBwT1+gNT!BDdqF~xKY9QG0Raf`qkM4(1i0Nv6$kjS z{Sa}lV#Yx)_@V-H4v*Svn(Gp|L>FoT3FYa@{p0BomIju*aNE6ON#8_=-U93LDl*^l zATC;?x)@-pdchOAro6!tg~s9l6-kjrs1;C3 z<~w^%yZA%zO~SlBogERBkW4>;Y`K+SGLr(~{Q4P2zg}V)5CiN=)k9o82^?-|K3f%0?>VGDF5 zv%O2GN@fT%612xjybuue{`$6%nA8Wyws*q;)j$9M904Ha@OmQ|tFIJSud zz3e}nc_eUc!S|@Mz?6_OdgzSsWqvYs3(c23$Jw&CsgU72`ADB!^YJbg&(fewo)AaE z@XhW>VX3S^B}41ObZ=23xiXrTvbw0FbKm;jTd^@V3EV8c$cMNy3&{`a#y^PShf zf529yAz$g z8e7BODqT@KmPXR22rbvvQ}2DrQoS#?syJQF~P37vt0AF$y7!msm6!0J1K9fIKmIQr3w_?#GPfk56WW=A^n|tg?rmf~jihr(4X0pq{JT?v?}PHB+tTzKajk7c@qab^6;y$(q@PtNs$< z*ZHbHC9OZ#hdR!K)rW3qT3#X#%QMTKcZrd@Jxi>;nHeLq8WSIE%7rl{0Q6X1ZXkrG ze%VkulR6jsDu0{Uf1pIn>!REqiIsn5FUk9Mvo;Xl4F~R^0b9wnBE8y`2v;;k6SV;^ zNi}nue6#lB`1aPAC>_f-3Nd`3-_M;(Y*H8(OpVV|A{=X9bEcTo#Rm$WLU&x~*UJHhDLH<$PkSwL}%NIr?Py%0{$xftixd>^pb`?Q-4>zL3N z)8|R)o~~0dsQm1*ZTDQIVsLGrjg&dl;6WUn-V?>eTEtD~RKl?e?iqiFai#EG+3cw- z8TPnJr?kVg-G1y%@`|$g^y_j00b8j?_&^Om?LM8sG(_x#tk0k_?05{$+wkXurR9U*Z3} z{U(yB{;_)DZd`v~y-vC<{B`x(%z1)N8e&zJe}26-Mi#xW&RO_X)7&sXNsT}(_+I}; zRQi>xJgvt*9gqB8^A*0*Hsx1-)3Lu0l^dnsTOqXVxeTFii#EyUBqIVKy@oRi7s?LL 
zUAz(Dc%|sW8HTeU5s~=8`@&bt9)QXy74`%r4OiXKLnfe#?G@!DQ~Hg&(ZOpG5a|A5 zj}3KU$$FgX6|y8wA&j+MW-agM8*IzlDk`UUoRf&oZc%;PQEM?>6ACv8^)R2a8-GyK zUrrlM)|cvB1X@9i`k4;ZNiU4AG0BXm%pM;UkU7X9(zH!`X)Ykth6v_8Xxy_oG{mhi zpt(`+dDczKPnAUG* zp}s?(hRz1nWKS_Pz3@mv@H~tjGPrz+T}Ym>bO;(?^EUijWO2;HHKp539#iQe9zI&4 zI@(B57YnXdh2^ox3)lOQtcj<>K2{Ab>##Jyp#Ls9I!yi~Mv7u&}|@ zuPWU$H*7l0eacUQFkEO9tsR=89Fe(H>a5uj1!;I5zqZXfDcXfJujr*Om$!3HsT_%l zv)P|4(uJFgE}i(!5LB7YVYf{3wOK;5!Npd~dsRPE`=a0E&Bme6Ji)Ymo3A~q)h`DzjuV%Z?8>o= z_T+;mGWESu(X^!3h25a+?i%~sPZ^du;Dp@cxA|wPpkF^Y1tL-?Q+B_Hu60?v-=+AZ z>fWbrU?1#i61RvCbbkEVVO7P}8jUY%ljtZ=FUW!BCO%Lf%Z5CMCIO1RGurCl)m=I@ z$9mHl45}+@1yHf0=uAqJN_g(<-6zKVHp-M@wt5-cA2gf?WZ4YAGa9WMICPucFAqGg zzG<6cert)dVaw0%rGB;DB9#K!p0;%)LYNk!7&raGrPyh}+TQb*7+xXd7XR=w z(~#Qtq0uy?Q+@2TZ{WH^efU6OjisMrx~}gvr8i!&b_JK_t0rH?2Rd#Hb*#?zYFzGh zyp@#5ar*&hSKg|~tN1$w2Gk18mTp)2gfJ>!6v=WXE;a0B9{C~u6A8$FA>v_!k8}CK zWD{wvq?1@9bx`YkaK47mZ3@#0klz~8AuQpz z9NgavHL1V;#rFbN#U!j_?qU*Is>aeR1Az|JC4I_0wmh1qkh<+>J4w}aPARLWxrQMg zq0CnreXr%NMbk+xlgHDg&4Q-PhD@cm~jbj-uO@5n8f2{o` zsS6*d@(3s@;ia=o?F$<~BDj^WRQSRw`3j46j^+0_`-1&UmJZS!5x3Vh)5IiSVH(+P zy!uzFfC_L5ke|G-F2nQByhAR@(SjGR+!pnYaJrc!M9Re&`CeRr;qaa-J0!i@^5|x; zAQ=*Z#jt&tAeXtD^;o8h1i`m($1)lwnQ-Gw7oz>)c6v$OIn2++>%Z82e{H_V|3UZt zwfPGF=iN7v?848*t2T%Ua>ou-K<`uw34^czgkXf+R$L8Sw483x9w-+_F#9`pQMOpt z1y*I24CWo?YfO)sfQ)7g&lsraopAr+Sm~Ik}bC7 zaw)DM;e6M%2-(op_@R17%f^Jy>QpYYN>r%uTVSZ1ILT~)sK9=r1mT@N%<&*+uzo!? z;WRNHC>J(7b1`2OM{)TZN?t2ih$G$zGV*we@6Am^jDN}_%kzTF^7$VV==bM@LFC=G zuTf$PM4WPz-_mqnM;!YN&b$j~d}-Cu_uYyl#hazdxPsWt`{?dN9K`u=AfgSpRH#8! 
z3e^$Su&t){Ly9>8Vh@{XB}IKF#zsH2GGr!QFg}&;Sh(gxIo=oKTuz3?1=`q(^~VMRUlMK02HC#Cqk%d+HVg5%6x>d2Fac zG^*_$m{Znow)<5;B+wD-OWSX8kstlec>C2Bt&d&8U8!ar>TfuROuBto7!=Z|1Xr&wR?#v@=epK_}cv zF3w_A3C$Vc{J4UnIQ$KTqY0PFtx+p4#v0LRYF<@M%3>8mshc30`R;cV>UpP_YRU)f z@RW3+l!phhadU2o7BBSbt=;WA4ec$MXWoj)j!CoE^?-b zqg4rWlyt-;e|oSPUEAX2ugsl`5;~Bd6xkN1mfg|uOxcLxkCA z4?zmKqBf3VcOnI)D@iB}?H+3fmQJbCR2X=%jF<<}%z0n14GB07yO-*+9-jV@5f6!* zYWpxiQYqyz92%_m^0rU6#tOvHyj3V!2mOtp0&b0i*q#i5gK>~i(M};+WO`wEVY5<+ z-}Ahixk!ytk4{VXkNO7W{!eCqLS$ZQ+pc)lYR+E~{XQuF8PiY{MJS9Wvy5bo7r;@dW9!b*;@U2wMYr-Z*mIGJTSxxn%GSfLV!J&8Y zj5CGoGW;M}YuY(--*~F}N6IxEgHqB{2T@Ob^4%Su?cx|VCo)u|357XIC5mJ+Y@(Op zOM0WZ<$LjSH~bui$rmfc`@=*5#dIim6NFQ?5W2IaQ4y{-c*RbqJQj;hC$@jRt<)?3 zXsLy}l(FUl&MWKRz54ku3^j-b3q!wWTPJ3@b}D4oeS5&{@ODz5^!(;Pth6!Osd;$A zQ%~+^9&&^euk%M=it5*p%x3$!%byYU7?isBxxG&)Df|Wco7wGRFt?q4=LYp=oll=-XZt=XnI!D%dY&YjJtN zXfpAIcFIBb@Q1e_aTKc)DJYd^M8ePsw^x0zP*Cb8o#b4N^Jf^x#Sx9V-IG$|58Kw^ z2jo}rkPa~sQp1R0~SFO z4689Uz9C`bvB%Adu?a>*MK)GNYEknXM3>K^86MygXM=ai8Ejo;CPX z47a@)I~?1pMe>7byT6#1XQc|n5Zkk9Ia=84p6iAi<0$4QQc#?g5MikPQz4Q@8@^d* zG+dJtqir(6lEA4vJ{1gOCp9wOUXQ@1a=k2H@WmsuJ=Be(R~J1U(Uqf_P2xxW2A9j{ zp8NM*<;OwHPJ~FIezuh&jR&lGOSH{cUN6@=uZzA~L^0!-yPs`7w$+eQfUcF}Q>p$| zPIZx3x0DL)$%=uEY!}-Xp4JlMKaAQaXiAf5*~C#yPo$uzd2!WhlR^ zlQmWr6RjWm-+~wyTO70^I9Q>0NXG*5i8rb!=y8|8w06B_A;qBzP_Eln4w_FkJW~5G z9|tix8PawgSB|{LaEtX9pvu^(=O)F5z&LiD=Pw#Tm0D`;6>h4!kVwpozdk;@D}kt9>p8=O~0sJtQwdu`t%h@|QN0W*t@&Hw-a delta 230 zcmZo@P-tjSm>|vQGf~Ew(Pv}AlK(7Dwd)zS@-R-UovhFxwtamqV<;1|Q{DFI>$Y$I$LPz*>{R=4DmxQMD7AL`$66*~pfW5%mHkuMnO&#)F{^AXVSZTwG}LT+ zebavqHlQrs-A6EPT^{FK6d(4_0FVV%F`!YHS;C zGV@9Nn##^D3$*W=1am)+)AWtS>~-6#CD}XEn0r-LZD(&_mu3XYb||wnDz%1BU$Bf_ LZu^-f>?Y9w8D&$a