| author | Cykesiopka <cykesiopka.bmo@gmail.com> |
| Sun, 24 Jan 2016 02:24:00 -0500 | |
| changeset 281422 | bbfbd1e73bf16bcac20094502397198c113c997a |
| parent 281421 | 038b2414e772d168451f997954c8a39a7b270789 |
| child 281423 | e0bc32b37860b65c6302efccaa02c604404b4ae5 |
| child 281430 | c2256ee8ae9a8ee0bf7ab49a8b1924720d846cc7 |
| push id | 70784 |
| push user | ryanvm@gmail.com |
| push date | Sun, 24 Jan 2016 14:59:14 +0000 |
| treeherder | mozilla-inbound@bbfbd1e73bf1 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | keeler |
| bugs | 1235089 |
| milestone | 46.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
copy from security/manager/ssl/tests/unit/test_ocsp_stapling.js copy to security/manager/ssl/tests/unit/test_ocsp_must_staple.js --- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js +++ b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js @@ -1,194 +1,52 @@ // -*- indent-tabs-mode: nil; js-indent-level: 2 -*- // This Source Code Form is subject to the terms of the Mozilla Public // License, v. 2.0. If a copy of the MPL was not distributed with this // file, You can obtain one at http://mozilla.org/MPL/2.0/. "use strict"; -// In which we connect to a number of domains (as faked by a server running -// locally) with and without OCSP stapling enabled to determine that good -// things happen and bad things don't. +// Tests OCSP Must Staple handling by connecting to various domains (as faked by +// a server running locally) that correspond to combinations of whether the +// extension is present in intermediate and end-entity certificates. var gExpectOCSPRequest; function add_ocsp_test(aHost, aExpectedResult, aStaplingEnabled) { add_connection_test(aHost, aExpectedResult, function() { gExpectOCSPRequest = !aStaplingEnabled; clearOCSPCache(); clearSessionCache(); Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", aStaplingEnabled); }); } function add_tests() { - // In the absence of OCSP stapling, these should actually all work. - add_ocsp_test("ocsp-stapling-good.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-revoked.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-good-other-ca.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-malformed.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-srverr.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-trylater.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-needssig.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-unauthorized.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-unknown.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-good-other.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-none.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-expired.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-critical-extension.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", - PRErrorCodeSuccess, false); - add_ocsp_test("ocsp-stapling-empty-extensions.example.com", - PRErrorCodeSuccess, false); - - // Now test OCSP stapling - // The following error codes are defined in security/nss/lib/util/SECerrs.h - - add_ocsp_test("ocsp-stapling-good.example.com", PRErrorCodeSuccess, true); - - add_ocsp_test("ocsp-stapling-revoked.example.com", - SEC_ERROR_REVOKED_CERTIFICATE, true); - - // SEC_ERROR_OCSP_INVALID_SIGNING_CERT vs SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE - // depends on whether the CA that signed the response is a trusted CA - // (but only with the classic implementation - mozilla::pkix always - // results in the error SEC_ERROR_OCSP_INVALID_SIGNING_CERT). - - // This stapled response is from a CA that is untrusted and did not issue - // the server's certificate. - let certDB = Cc["@mozilla.org/security/x509certdb;1"] - .getService(Ci.nsIX509CertDB); - let otherTestCA = constructCertFromFile("ocsp_certs/other-test-ca.pem"); - add_test(function() { - certDB.setCertTrust(otherTestCA, Ci.nsIX509Cert.CA_CERT, - Ci.nsIX509CertDB.UNTRUSTED); - run_next_test(); - }); - add_ocsp_test("ocsp-stapling-good-other-ca.example.com", - SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); - - // The stapled response is from a CA that is trusted but did not issue the - // server's certificate. - add_test(function() { - certDB.setCertTrust(otherTestCA, Ci.nsIX509Cert.CA_CERT, - Ci.nsIX509CertDB.TRUSTED_SSL); - run_next_test(); - }); - // TODO(bug 979055): When using ByName instead of ByKey, the error here is - // SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE. We should be testing both cases. - add_ocsp_test("ocsp-stapling-good-other-ca.example.com", - SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); - - // TODO: Test the case where the signing cert can't be found at all, which - // will result in SEC_ERROR_BAD_DATABASE in the NSS classic case. - - add_ocsp_test("ocsp-stapling-malformed.example.com", - SEC_ERROR_OCSP_MALFORMED_REQUEST, true); - add_ocsp_test("ocsp-stapling-srverr.example.com", - SEC_ERROR_OCSP_SERVER_ERROR, true); - add_ocsp_test("ocsp-stapling-trylater.example.com", - SEC_ERROR_OCSP_TRY_SERVER_LATER, true); - add_ocsp_test("ocsp-stapling-needssig.example.com", - SEC_ERROR_OCSP_REQUEST_NEEDS_SIG, true); - add_ocsp_test("ocsp-stapling-unauthorized.example.com", - SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST, true); - add_ocsp_test("ocsp-stapling-unknown.example.com", - SEC_ERROR_OCSP_UNKNOWN_CERT, true); - add_ocsp_test("ocsp-stapling-good-other.example.com", - MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING, true); - // If the server doesn't staple an OCSP response, we continue as normal - // (this means that even though stapling is enabled, we expect an OCSP - // request). - add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess, - function() { - gExpectOCSPRequest = true; - clearOCSPCache(); - clearSessionCache(); - Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true); - } - ); - add_ocsp_test("ocsp-stapling-empty.example.com", - SEC_ERROR_OCSP_MALFORMED_RESPONSE, true); - - add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com", - SEC_ERROR_OCSP_MALFORMED_RESPONSE, true); - - add_ocsp_test("ocsp-stapling-critical-extension.example.com", - SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION, true); - add_ocsp_test("ocsp-stapling-noncritical-extension.example.com", - PRErrorCodeSuccess, true); - // TODO(bug 997994): Disallow empty Extensions in responses - add_ocsp_test("ocsp-stapling-empty-extensions.example.com", - PRErrorCodeSuccess, true); - - add_ocsp_test("ocsp-stapling-delegated-included.example.com", - PRErrorCodeSuccess, true); - add_ocsp_test("ocsp-stapling-delegated-included-last.example.com", - PRErrorCodeSuccess, true); - add_ocsp_test("ocsp-stapling-delegated-missing.example.com", - SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); - add_ocsp_test("ocsp-stapling-delegated-missing-multiple.example.com", - SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); - add_ocsp_test("ocsp-stapling-delegated-no-extKeyUsage.example.com", - SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); - add_ocsp_test("ocsp-stapling-delegated-from-intermediate.example.com", - SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); - add_ocsp_test("ocsp-stapling-delegated-keyUsage-crlSigning.example.com", - SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); - add_ocsp_test("ocsp-stapling-delegated-wrong-extKeyUsage.example.com", - SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); - - // TLS Must Staple tests - add_test(function() { - clearSessionCache(); - Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", true); - run_next_test(); - }); - // ensure that the chain is checked for required features in children: // First a case where intermediate and ee both have the extension add_ocsp_test("ocsp-stapling-must-staple-ee-with-must-staple-int.example.com", PRErrorCodeSuccess, true); // Next, a case where it's present in the intermediate, not the ee add_ocsp_test("ocsp-stapling-plain-ee-with-must-staple-int.example.com", MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, true); - // We disable OCSP must-staple in the next two tests so we can perform checks - // on TLS Features in the chain without needint to support the TLS + // We disable OCSP stapling in the next two tests so we can perform checks + // on TLS Features in the chain without needing to support the TLS // extension values used. // Test an issuer with multiple TLS features in matched in the EE add_ocsp_test("multi-tls-feature-good.example.com", PRErrorCodeSuccess, false); - // Finally, an inssuer with multiple TLS features not matched by the EE + // Finally, an issuer with multiple TLS features not matched by the EE. add_ocsp_test("multi-tls-feature-bad.example.com", MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, false); - - // Now a bunch of operations with only a must-staple ee add_ocsp_test("ocsp-stapling-must-staple.example.com", PRErrorCodeSuccess, true); add_ocsp_test("ocsp-stapling-must-staple-revoked.example.com", SEC_ERROR_REVOKED_CERTIFICATE, true); add_ocsp_test("ocsp-stapling-must-staple-missing.example.com", @@ -204,62 +62,32 @@ function add_tests() { add_test(function() { clearSessionCache(); Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", false); run_next_test(); }); add_ocsp_test("ocsp-stapling-must-staple-missing.example.com", PRErrorCodeSuccess, true); - - // ocsp-stapling-expired.example.com and - // ocsp-stapling-expired-fresh-ca.example.com are handled in - // test_ocsp_stapling_expired.js - - // Check that OCSP responder certificates with key sizes below 1024 bits are - // rejected, even when the main certificate chain keys are at least 1024 bits. - add_ocsp_test("keysize-ocsp-delegated.example.com", - SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); - - add_ocsp_test("revoked-ca-cert-used-as-end-entity.example.com", - SEC_ERROR_REVOKED_CERTIFICATE, true); -} - -function check_ocsp_stapling_telemetry() { - let histogram = Cc["@mozilla.org/base/telemetry;1"] - .getService(Ci.nsITelemetry) - .getHistogramById("SSL_OCSP_STAPLING") - .snapshot(); - equal(histogram.counts[0], 0, - "Should have 0 connections for unused histogram bucket 0"); - equal(histogram.counts[1], 7, - "Actual and expected connections with a good response should match"); - equal(histogram.counts[2], 22, - "Actual and expected connections with no stapled response should match"); - equal(histogram.counts[3], 0, - "Actual and expected connections with an expired response should match"); - equal(histogram.counts[4], 23, - "Actual and expected connections with bad responses should match"); - run_next_test(); } function run_test() { do_get_profile(); - + Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", true); let fakeOCSPResponder = new HttpServer(); fakeOCSPResponder.registerPrefixHandler("/", function (request, response) { response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); ok(gExpectOCSPRequest, "Should be getting an OCSP request only when expected"); }); fakeOCSPResponder.start(8888); add_tls_server_setup("OCSPStaplingServer", "ocsp_certs"); add_tests(); add_test(function () { - fakeOCSPResponder.stop(check_ocsp_stapling_telemetry); + fakeOCSPResponder.stop(run_next_test); }); run_next_test(); }
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js +++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js @@ -150,71 +150,16 @@ function add_tests() { SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); add_ocsp_test("ocsp-stapling-delegated-from-intermediate.example.com", SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); add_ocsp_test("ocsp-stapling-delegated-keyUsage-crlSigning.example.com", SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); add_ocsp_test("ocsp-stapling-delegated-wrong-extKeyUsage.example.com", SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); - // TLS Must Staple tests - add_test(function() { - clearSessionCache(); - Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", true); - run_next_test(); - }); - - // ensure that the chain is checked for required features in children: - // First a case where intermediate and ee both have the extension - add_ocsp_test("ocsp-stapling-must-staple-ee-with-must-staple-int.example.com", - PRErrorCodeSuccess, true); - - // Next, a case where it's present in the intermediate, not the ee - add_ocsp_test("ocsp-stapling-plain-ee-with-must-staple-int.example.com", - MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, true); - - // We disable OCSP must-staple in the next two tests so we can perform checks - // on TLS Features in the chain without needint to support the TLS - // extension values used. - // Test an issuer with multiple TLS features in matched in the EE - add_ocsp_test("multi-tls-feature-good.example.com", - PRErrorCodeSuccess, false); - - // Finally, an inssuer with multiple TLS features not matched by the EE - add_ocsp_test("multi-tls-feature-bad.example.com", - MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, false); - - - - // Now a bunch of operations with only a must-staple ee - add_ocsp_test("ocsp-stapling-must-staple.example.com", - PRErrorCodeSuccess, true); - - add_ocsp_test("ocsp-stapling-must-staple-revoked.example.com", - SEC_ERROR_REVOKED_CERTIFICATE, true); - - add_ocsp_test("ocsp-stapling-must-staple-missing.example.com", - MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, true); - - add_ocsp_test("ocsp-stapling-must-staple-empty.example.com", - SEC_ERROR_OCSP_MALFORMED_RESPONSE, true); - - add_ocsp_test("ocsp-stapling-must-staple-missing.example.com", - PRErrorCodeSuccess, false); - - // check that disabling must-staple works - add_test(function() { - clearSessionCache(); - Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", false); - run_next_test(); - }); - - add_ocsp_test("ocsp-stapling-must-staple-missing.example.com", - PRErrorCodeSuccess, true); - // ocsp-stapling-expired.example.com and // ocsp-stapling-expired-fresh-ca.example.com are handled in // test_ocsp_stapling_expired.js // Check that OCSP responder certificates with key sizes below 1024 bits are // rejected, even when the main certificate chain keys are at least 1024 bits. add_ocsp_test("keysize-ocsp-delegated.example.com", SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true); @@ -225,31 +170,30 @@ function add_tests() { function check_ocsp_stapling_telemetry() { let histogram = Cc["@mozilla.org/base/telemetry;1"] .getService(Ci.nsITelemetry) .getHistogramById("SSL_OCSP_STAPLING") .snapshot(); equal(histogram.counts[0], 0, "Should have 0 connections for unused histogram bucket 0"); - equal(histogram.counts[1], 7, + equal(histogram.counts[1], 5, "Actual and expected connections with a good response should match"); - equal(histogram.counts[2], 22, + equal(histogram.counts[2], 18, "Actual and expected connections with no stapled response should match"); equal(histogram.counts[3], 0, "Actual and expected connections with an expired response should match"); - equal(histogram.counts[4], 23, + equal(histogram.counts[4], 21, "Actual and expected connections with bad responses should match"); run_next_test(); } function run_test() { do_get_profile(); - let fakeOCSPResponder = new HttpServer(); fakeOCSPResponder.registerPrefixHandler("/", function (request, response) { response.setStatusLine(request.httpVersion, 500, "Internal Server Error"); ok(gExpectOCSPRequest, "Should be getting an OCSP request only when expected"); }); fakeOCSPResponder.start(8888);
--- a/security/manager/ssl/tests/unit/xpcshell.ini +++ b/security/manager/ssl/tests/unit/xpcshell.ini @@ -52,16 +52,18 @@ skip-if = toolkit == 'android' || toolki [test_pinning_dynamic.js] [test_pinning_header_parsing.js] [test_cert_dbKey.js] [test_cert_keyUsage.js] [test_logoutAndTeardown.js] run-sequentially = hardcoded ports +[test_ocsp_must_staple.js] +run-sequentially = hardcoded ports [test_ocsp_stapling.js] run-sequentially = hardcoded ports [test_cert_blocklist.js] skip-if = buildapp == "b2g" tags = addons [test_ocsp_stapling_expired.js] run-sequentially = hardcoded ports skip-if = (toolkit == 'gonk' && debug) # Bug 1029775