Bug 1235089 - Split out OCSP Must Staple tests from test_ocsp_stapling.js to avoid intermittent time outs. r=keeler
authorCykesiopka <cykesiopka.bmo@gmail.com>
Sun, 24 Jan 2016 02:24:00 -0500
changeset 281422 bbfbd1e73bf16bcac20094502397198c113c997a
parent 281421 038b2414e772d168451f997954c8a39a7b270789
child 281423 e0bc32b37860b65c6302efccaa02c604404b4ae5
child 281430 c2256ee8ae9a8ee0bf7ab49a8b1924720d846cc7
push id70784
push userryanvm@gmail.com
push dateSun, 24 Jan 2016 14:59:14 +0000
reviewerskeeler
bugs1235089
milestone46.0a1
Bug 1235089 - Split out OCSP Must Staple tests from test_ocsp_stapling.js to avoid intermittent time outs. r=keeler test_ocsp_stapling.js can take ~290s to run on e.g. b2g-emu-x86-kk, which is very close to the default 300s limit. Splitting out some tests should reduce the intermittent time outs.
security/manager/ssl/tests/unit/test_ocsp_must_staple.js
security/manager/ssl/tests/unit/test_ocsp_stapling.js
security/manager/ssl/tests/unit/xpcshell.ini
copy from security/manager/ssl/tests/unit/test_ocsp_stapling.js
copy to security/manager/ssl/tests/unit/test_ocsp_must_staple.js
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
@@ -1,194 +1,52 @@
 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 "use strict";
 
-// In which we connect to a number of domains (as faked by a server running
-// locally) with and without OCSP stapling enabled to determine that good
-// things happen and bad things don't.
+// Tests OCSP Must Staple handling by connecting to various domains (as faked by
+// a server running locally) that correspond to combinations of whether the
+// extension is present in intermediate and end-entity certificates.
 
 var gExpectOCSPRequest;
 
 function add_ocsp_test(aHost, aExpectedResult, aStaplingEnabled) {
   add_connection_test(aHost, aExpectedResult,
     function() {
       gExpectOCSPRequest = !aStaplingEnabled;
       clearOCSPCache();
       clearSessionCache();
       Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling",
                                  aStaplingEnabled);
     });
 }
 
 function add_tests() {
-  // In the absence of OCSP stapling, these should actually all work.
-  add_ocsp_test("ocsp-stapling-good.example.com",
-                PRErrorCodeSuccess, false);
-  add_ocsp_test("ocsp-stapling-revoked.example.com",
-                PRErrorCodeSuccess, false);
-  add_ocsp_test("ocsp-stapling-good-other-ca.example.com",
-                PRErrorCodeSuccess, false);
-  add_ocsp_test("ocsp-stapling-malformed.example.com",
-                PRErrorCodeSuccess, false);
-  add_ocsp_test("ocsp-stapling-srverr.example.com",
-                PRErrorCodeSuccess, false);
-  add_ocsp_test("ocsp-stapling-trylater.example.com",
-                PRErrorCodeSuccess, false);
-  add_ocsp_test("ocsp-stapling-needssig.example.com",
-                PRErrorCodeSuccess, false);
-  add_ocsp_test("ocsp-stapling-unauthorized.example.com",
-                PRErrorCodeSuccess, false);
-  add_ocsp_test("ocsp-stapling-unknown.example.com",
-                PRErrorCodeSuccess, false);
-  add_ocsp_test("ocsp-stapling-good-other.example.com",
-                PRErrorCodeSuccess, false);
-  add_ocsp_test("ocsp-stapling-none.example.com",
-                PRErrorCodeSuccess, false);
-  add_ocsp_test("ocsp-stapling-expired.example.com",
-                PRErrorCodeSuccess, false);
-  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
-                PRErrorCodeSuccess, false);
-  add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
-                PRErrorCodeSuccess, false);
-  add_ocsp_test("ocsp-stapling-critical-extension.example.com",
-                PRErrorCodeSuccess, false);
-  add_ocsp_test("ocsp-stapling-noncritical-extension.example.com",
-                PRErrorCodeSuccess, false);
-  add_ocsp_test("ocsp-stapling-empty-extensions.example.com",
-                PRErrorCodeSuccess, false);
-
-  // Now test OCSP stapling
-  // The following error codes are defined in security/nss/lib/util/SECerrs.h
-
-  add_ocsp_test("ocsp-stapling-good.example.com", PRErrorCodeSuccess, true);
-
-  add_ocsp_test("ocsp-stapling-revoked.example.com",
-                SEC_ERROR_REVOKED_CERTIFICATE, true);
-
-  // SEC_ERROR_OCSP_INVALID_SIGNING_CERT vs SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
-  // depends on whether the CA that signed the response is a trusted CA
-  // (but only with the classic implementation - mozilla::pkix always
-  // results in the error SEC_ERROR_OCSP_INVALID_SIGNING_CERT).
-
-  // This stapled response is from a CA that is untrusted and did not issue
-  // the server's certificate.
-  let certDB = Cc["@mozilla.org/security/x509certdb;1"]
-                  .getService(Ci.nsIX509CertDB);
-  let otherTestCA = constructCertFromFile("ocsp_certs/other-test-ca.pem");
-  add_test(function() {
-    certDB.setCertTrust(otherTestCA, Ci.nsIX509Cert.CA_CERT,
-                        Ci.nsIX509CertDB.UNTRUSTED);
-    run_next_test();
-  });
-  add_ocsp_test("ocsp-stapling-good-other-ca.example.com",
-                SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
-
-  // The stapled response is from a CA that is trusted but did not issue the
-  // server's certificate.
-  add_test(function() {
-    certDB.setCertTrust(otherTestCA, Ci.nsIX509Cert.CA_CERT,
-                        Ci.nsIX509CertDB.TRUSTED_SSL);
-    run_next_test();
-  });
-  // TODO(bug 979055): When using ByName instead of ByKey, the error here is
-  // SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE. We should be testing both cases.
-  add_ocsp_test("ocsp-stapling-good-other-ca.example.com",
-                SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
-
-  // TODO: Test the case where the signing cert can't be found at all, which
-  // will result in SEC_ERROR_BAD_DATABASE in the NSS classic case.
-
-  add_ocsp_test("ocsp-stapling-malformed.example.com",
-                SEC_ERROR_OCSP_MALFORMED_REQUEST, true);
-  add_ocsp_test("ocsp-stapling-srverr.example.com",
-                SEC_ERROR_OCSP_SERVER_ERROR, true);
-  add_ocsp_test("ocsp-stapling-trylater.example.com",
-                SEC_ERROR_OCSP_TRY_SERVER_LATER, true);
-  add_ocsp_test("ocsp-stapling-needssig.example.com",
-                SEC_ERROR_OCSP_REQUEST_NEEDS_SIG, true);
-  add_ocsp_test("ocsp-stapling-unauthorized.example.com",
-                SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST, true);
-  add_ocsp_test("ocsp-stapling-unknown.example.com",
-                SEC_ERROR_OCSP_UNKNOWN_CERT, true);
-  add_ocsp_test("ocsp-stapling-good-other.example.com",
-                MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING, true);
-  // If the server doesn't staple an OCSP response, we continue as normal
-  // (this means that even though stapling is enabled, we expect an OCSP
-  // request).
-  add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
-    function() {
-      gExpectOCSPRequest = true;
-      clearOCSPCache();
-      clearSessionCache();
-      Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
-    }
-  );
-  add_ocsp_test("ocsp-stapling-empty.example.com",
-                SEC_ERROR_OCSP_MALFORMED_RESPONSE, true);
-
-  add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
-                SEC_ERROR_OCSP_MALFORMED_RESPONSE, true);
-
-  add_ocsp_test("ocsp-stapling-critical-extension.example.com",
-                SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION, true);
-  add_ocsp_test("ocsp-stapling-noncritical-extension.example.com",
-                PRErrorCodeSuccess, true);
-  // TODO(bug 997994): Disallow empty Extensions in responses
-  add_ocsp_test("ocsp-stapling-empty-extensions.example.com",
-                PRErrorCodeSuccess, true);
-
-  add_ocsp_test("ocsp-stapling-delegated-included.example.com",
-                PRErrorCodeSuccess, true);
-  add_ocsp_test("ocsp-stapling-delegated-included-last.example.com",
-                PRErrorCodeSuccess, true);
-  add_ocsp_test("ocsp-stapling-delegated-missing.example.com",
-                SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
-  add_ocsp_test("ocsp-stapling-delegated-missing-multiple.example.com",
-                SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
-  add_ocsp_test("ocsp-stapling-delegated-no-extKeyUsage.example.com",
-                SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
-  add_ocsp_test("ocsp-stapling-delegated-from-intermediate.example.com",
-                SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
-  add_ocsp_test("ocsp-stapling-delegated-keyUsage-crlSigning.example.com",
-                SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
-  add_ocsp_test("ocsp-stapling-delegated-wrong-extKeyUsage.example.com",
-                SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
-
-  // TLS Must Staple tests
-  add_test(function() {
-    clearSessionCache();
-    Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", true);
-    run_next_test();
-  });
-
   // ensure that the chain is checked for required features in children:
   // First a case where intermediate and ee both have the extension
   add_ocsp_test("ocsp-stapling-must-staple-ee-with-must-staple-int.example.com",
                 PRErrorCodeSuccess, true);
 
   // Next, a case where it's present in the intermediate, not the ee
   add_ocsp_test("ocsp-stapling-plain-ee-with-must-staple-int.example.com",
                 MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, true);
 
-  // We disable OCSP must-staple in the next two tests so we can perform checks
-  // on TLS Features in the chain without needint to support the TLS
+  // We disable OCSP stapling in the next two tests so we can perform checks
+  // on TLS Features in the chain without needing to support the TLS
   // extension values used.
   // Test an issuer with multiple TLS features in matched in the EE
   add_ocsp_test("multi-tls-feature-good.example.com",
                 PRErrorCodeSuccess, false);
 
-  // Finally, an inssuer with multiple TLS features not matched by the EE
+  // Finally, an issuer with multiple TLS features not matched by the EE.
   add_ocsp_test("multi-tls-feature-bad.example.com",
                 MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, false);
 
-
-
   // Now a bunch of operations with only a must-staple ee
   add_ocsp_test("ocsp-stapling-must-staple.example.com",
                 PRErrorCodeSuccess, true);
 
   add_ocsp_test("ocsp-stapling-must-staple-revoked.example.com",
                 SEC_ERROR_REVOKED_CERTIFICATE, true);
 
   add_ocsp_test("ocsp-stapling-must-staple-missing.example.com",
@@ -204,62 +62,32 @@ function add_tests() {
   add_test(function() {
     clearSessionCache();
     Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", false);
     run_next_test();
   });
 
   add_ocsp_test("ocsp-stapling-must-staple-missing.example.com",
                 PRErrorCodeSuccess, true);
-
-  // ocsp-stapling-expired.example.com and
-  // ocsp-stapling-expired-fresh-ca.example.com are handled in
-  // test_ocsp_stapling_expired.js
-
-  // Check that OCSP responder certificates with key sizes below 1024 bits are
-  // rejected, even when the main certificate chain keys are at least 1024 bits.
-  add_ocsp_test("keysize-ocsp-delegated.example.com",
-                SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
-
-  add_ocsp_test("revoked-ca-cert-used-as-end-entity.example.com",
-                SEC_ERROR_REVOKED_CERTIFICATE, true);
-}
-
-function check_ocsp_stapling_telemetry() {
-  let histogram = Cc["@mozilla.org/base/telemetry;1"]
-                    .getService(Ci.nsITelemetry)
-                    .getHistogramById("SSL_OCSP_STAPLING")
-                    .snapshot();
-  equal(histogram.counts[0], 0,
-        "Should have 0 connections for unused histogram bucket 0");
-  equal(histogram.counts[1], 7,
-        "Actual and expected connections with a good response should match");
-  equal(histogram.counts[2], 22,
-        "Actual and expected connections with no stapled response should match");
-  equal(histogram.counts[3], 0,
-        "Actual and expected connections with an expired response should match");
-  equal(histogram.counts[4], 23,
-        "Actual and expected connections with bad responses should match");
-  run_next_test();
 }
 
 function run_test() {
   do_get_profile();
-
+  Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", true);
 
   let fakeOCSPResponder = new HttpServer();
   fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
     response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
     ok(gExpectOCSPRequest,
        "Should be getting an OCSP request only when expected");
   });
   fakeOCSPResponder.start(8888);
 
   add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
 
   add_tests();
 
   add_test(function () {
-    fakeOCSPResponder.stop(check_ocsp_stapling_telemetry);
+    fakeOCSPResponder.stop(run_next_test);
   });
 
   run_next_test();
 }
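Review bot: The new file asserts nothing about the SSL_OCSP_STAPLING histogram — `fakeOCSPResponder.stop(run_next_test)` at the end of run_test replaces the `check_ocsp_stapling_telemetry` callback, so the telemetry buckets for the must-staple connections moved here are no longer verified anywhere. The deltas this commit applies to test_ocsp_stapling.js (7→5, 22→18, 23→21) suggest the moved connections contribute 2 good, 4 no-staple and 2 bad responses, but those figures should be confirmed by running the new file before they are pinned. Consider keeping a per-file copy of check_ocsp_stapling_telemetry and passing it to stop() as before; since run_test calls do_get_profile(), the histogram presumably starts from zero for this file, but that is worth confirming.
```javascript
function check_ocsp_stapling_telemetry() {
  let histogram = Cc["@mozilla.org/base/telemetry;1"]
                    .getService(Ci.nsITelemetry)
                    .getHistogramById("SSL_OCSP_STAPLING")
                    .snapshot();
  // Expected counts derived from the deltas applied to test_ocsp_stapling.js
  // in this commit (7-5, 22-18, 23-21) -- confirm by running before landing.
  equal(histogram.counts[0], 0,
        "Should have 0 connections for unused histogram bucket 0");
  equal(histogram.counts[1], 2,
        "Actual and expected connections with a good response should match");
  equal(histogram.counts[2], 4,
        "Actual and expected connections with no stapled response should match");
  equal(histogram.counts[3], 0,
        "Actual and expected connections with an expired response should match");
  equal(histogram.counts[4], 2,
        "Actual and expected connections with bad responses should match");
  run_next_test();
}

// … unchanged: run_test() up to the final add_test …
  add_test(function () {
    fakeOCSPResponder.stop(check_ocsp_stapling_telemetry);
  });
```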
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
@@ -150,71 +150,16 @@ function add_tests() {
                 SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
   add_ocsp_test("ocsp-stapling-delegated-from-intermediate.example.com",
                 SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
   add_ocsp_test("ocsp-stapling-delegated-keyUsage-crlSigning.example.com",
                 SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
   add_ocsp_test("ocsp-stapling-delegated-wrong-extKeyUsage.example.com",
                 SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
 
-  // TLS Must Staple tests
-  add_test(function() {
-    clearSessionCache();
-    Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", true);
-    run_next_test();
-  });
-
-  // ensure that the chain is checked for required features in children:
-  // First a case where intermediate and ee both have the extension
-  add_ocsp_test("ocsp-stapling-must-staple-ee-with-must-staple-int.example.com",
-                PRErrorCodeSuccess, true);
-
-  // Next, a case where it's present in the intermediate, not the ee
-  add_ocsp_test("ocsp-stapling-plain-ee-with-must-staple-int.example.com",
-                MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, true);
-
-  // We disable OCSP must-staple in the next two tests so we can perform checks
-  // on TLS Features in the chain without needint to support the TLS
-  // extension values used.
-  // Test an issuer with multiple TLS features in matched in the EE
-  add_ocsp_test("multi-tls-feature-good.example.com",
-                PRErrorCodeSuccess, false);
-
-  // Finally, an inssuer with multiple TLS features not matched by the EE
-  add_ocsp_test("multi-tls-feature-bad.example.com",
-                MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, false);
-
-
-
-  // Now a bunch of operations with only a must-staple ee
-  add_ocsp_test("ocsp-stapling-must-staple.example.com",
-                PRErrorCodeSuccess, true);
-
-  add_ocsp_test("ocsp-stapling-must-staple-revoked.example.com",
-                SEC_ERROR_REVOKED_CERTIFICATE, true);
-
-  add_ocsp_test("ocsp-stapling-must-staple-missing.example.com",
-                MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, true);
-
-  add_ocsp_test("ocsp-stapling-must-staple-empty.example.com",
-                SEC_ERROR_OCSP_MALFORMED_RESPONSE, true);
-
-  add_ocsp_test("ocsp-stapling-must-staple-missing.example.com",
-                PRErrorCodeSuccess, false);
-
-  // check that disabling must-staple works
-  add_test(function() {
-    clearSessionCache();
-    Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", false);
-    run_next_test();
-  });
-
-  add_ocsp_test("ocsp-stapling-must-staple-missing.example.com",
-                PRErrorCodeSuccess, true);
-
   // ocsp-stapling-expired.example.com and
   // ocsp-stapling-expired-fresh-ca.example.com are handled in
   // test_ocsp_stapling_expired.js
 
   // Check that OCSP responder certificates with key sizes below 1024 bits are
   // rejected, even when the main certificate chain keys are at least 1024 bits.
   add_ocsp_test("keysize-ocsp-delegated.example.com",
                 SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
@@ -225,31 +170,30 @@ function add_tests() {
 
 function check_ocsp_stapling_telemetry() {
   let histogram = Cc["@mozilla.org/base/telemetry;1"]
                     .getService(Ci.nsITelemetry)
                     .getHistogramById("SSL_OCSP_STAPLING")
                     .snapshot();
   equal(histogram.counts[0], 0,
         "Should have 0 connections for unused histogram bucket 0");
-  equal(histogram.counts[1], 7,
+  equal(histogram.counts[1], 5,
         "Actual and expected connections with a good response should match");
-  equal(histogram.counts[2], 22,
+  equal(histogram.counts[2], 18,
         "Actual and expected connections with no stapled response should match");
   equal(histogram.counts[3], 0,
         "Actual and expected connections with an expired response should match");
-  equal(histogram.counts[4], 23,
+  equal(histogram.counts[4], 21,
         "Actual and expected connections with bad responses should match");
   run_next_test();
 }
 
 function run_test() {
   do_get_profile();
 
-
   let fakeOCSPResponder = new HttpServer();
   fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
     response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
     ok(gExpectOCSPRequest,
        "Should be getting an OCSP request only when expected");
   });
   fakeOCSPResponder.start(8888);
 
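Review bot: The updated totals at `equal(histogram.counts[1], 5, ...)`, `equal(histogram.counts[2], 18, ...)` and `equal(histogram.counts[4], 21, ...)` are bare magic numbers whose relationship to the connections made in add_tests() is not recorded, which is exactly what makes them drift when tests are added or moved, as in this commit. A short comment above the first equal() would spare the next person the arithmetic, e.g. `// These totals must match the connections made by add_tests(); update them` / `// whenever a test is added, removed or moved (the must-staple cases now` / `// live in test_ocsp_must_staple.js).` The enclosing check_ocsp_stapling_telemetry fits within the hunk, while run_test continues past its end.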
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -52,16 +52,18 @@ skip-if = toolkit == 'android' || toolki
 
 [test_pinning_dynamic.js]
 [test_pinning_header_parsing.js]
 
 [test_cert_dbKey.js]
 [test_cert_keyUsage.js]
 [test_logoutAndTeardown.js]
 run-sequentially = hardcoded ports
+[test_ocsp_must_staple.js]
+run-sequentially = hardcoded ports
 [test_ocsp_stapling.js]
 run-sequentially = hardcoded ports
 [test_cert_blocklist.js]
 skip-if = buildapp == "b2g"
 tags = addons
 [test_ocsp_stapling_expired.js]
 run-sequentially = hardcoded ports
 skip-if = (toolkit == 'gonk' && debug) # Bug 1029775