Bug 923304, Part 2: Adjust EV tests, r=keeler
☠☠ backed out by f356b409d710 ☠ ☠
authorBrian Smith <brian@briansmith.org>
Sat, 28 Dec 2013 11:28:49 -0800
changeset 163111 1b892043a386a04098927466cbec6892f3383a23
parent 163110 0e14b3468b944b59b9275d39469bcbc37843d890
child 163151 d524c4b2cbb8c504588921be2dd9b3ed4445f40a
push id25981
push userbrian@briansmith.org
push dateMon, 13 Jan 2014 21:47:33 +0000
reviewerskeeler
bugs923304
milestone29.0a1
Bug 923304, Part 2: Adjust EV tests, r=keeler
security/manager/ssl/tests/unit/test_ev_certs.js
--- a/security/manager/ssl/tests/unit/test_ev_certs.js
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@@ -26,44 +26,61 @@ let certList = [
   'non-ev-root',
 ]
 
 function load_ca(ca_name) {
   var ca_filename = ca_name + ".der";
   addCertFromFile(certdb, "test_ev_certs/" + ca_filename, 'CTu,CTu,CTu');
 }
 
-var gHttpServer;
-var gOCSPResponseCounter = 0;
+const SERVER_PORT = 8888;
 
-function start_ocsp_responder() {
-  const SERVER_PORT = 8888;
-  gHttpServer = new HttpServer();
-  gHttpServer.registerPrefixHandler("/",
+function failingOCSPResponder() {
+  let httpServer = new HttpServer();
+  httpServer.registerPrefixHandler("/", function(request, response) {
+    do_check_true(false);
+  });
+  httpServer.start(SERVER_PORT);
+  return httpServer;
+}
+
+function start_ocsp_responder(expectedCertNames) {
+  let httpServer = new HttpServer();
+  httpServer.registerPrefixHandler("/",
       function handleServerCallback(aRequest, aResponse) {
         do_check_neq(aRequest.host, "crl.example.com"); // No CRL checks
         let cert_nick = aRequest.path.slice(1, aRequest.path.length - 1);
+
+        do_check_true(expectedCertNames.length >= 1);
+        let expected_nick = expectedCertNames.shift();
+        do_check_eq(cert_nick, expected_nick);
+
         do_print("Generating ocsp response for '" + cert_nick + "'");
         aResponse.setStatusLine(aRequest.httpVersion, 200, "OK");
         aResponse.setHeader("Content-Type", "application/ocsp-response");
         // now we generate the response
         let ocsp_request_desc = new Array();
         ocsp_request_desc.push("good");
         ocsp_request_desc.push(cert_nick);
         ocsp_request_desc.push("unused_arg");
         let arg_array = new Array();
         arg_array.push(ocsp_request_desc);
         let retArray = generateOCSPResponses(arg_array, "test_ev_certs");
         let responseBody = retArray[0];
         aResponse.bodyOutputStream.write(responseBody, responseBody.length);
-        gOCSPResponseCounter++;
       });
-  gHttpServer.identity.setPrimary("http", "www.example.com", SERVER_PORT);
-  gHttpServer.identity.add("http", "crl.example.com", SERVER_PORT);
-  gHttpServer.start(SERVER_PORT);
+  httpServer.identity.setPrimary("http", "www.example.com", SERVER_PORT);
+  httpServer.identity.add("http", "crl.example.com", SERVER_PORT);
+  httpServer.start(SERVER_PORT);
+  return {
+    stop: function(callback) {
+      do_check_eq(expectedCertNames.length, 0);
+      httpServer.stop(callback);
+    }
+  };
 }
 
 function check_cert_err(cert_name, expected_error) {
   let cert = certdb.findCertByNickname(null, cert_name);
   let hasEVPolicy = {};
   let verifiedChain = {};
   let error = certdb.verifyCertNow(cert, certificateUsageSSLServer,
                                    NO_FLAGS, verifiedChain, hasEVPolicy);
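Review bot: `failingOCSPResponder` never registers the `www.example.com` / `crl.example.com` identities that `start_ocsp_responder` sets up, so its `do_check_true(false)` handler may never run. If the test HTTP server rejects a request with an unrecognised Host header before dispatching to handlers (I believe httpd.js does, and the identity calls in the other responder suggest they are needed), an unexpected OCSP fetch would get an error response and the test would still pass. Adding `httpServer.identity.setPrimary("http", "www.example.com", SERVER_PORT);` and `httpServer.identity.add("http", "crl.example.com", SERVER_PORT);` before `httpServer.start(SERVER_PORT)` would make the "no OCSP request is made" assertion effective. A `do_print` of `request.path` ahead of the failing check would also show which certificate triggered the fetch.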
@@ -92,49 +109,58 @@ function run_test() {
   }
   load_ca("evroot");
   load_ca("non-evroot-ca");
 
   // setup and start ocsp responder
   Services.prefs.setCharPref("network.dns.localDomains",
                              'www.example.com, crl.example.com');
 
-  start_ocsp_responder();
-
   run_next_test();
 }
 
+add_test(function() {
+  clearOCSPCache();
+  let ocspResponder = start_ocsp_responder(["int-ev-valid", "ev-valid"]);
+  check_ee_for_ev("ev-valid", true);
+  ocspResponder.stop(run_next_test);
+});
 
 add_test(function() {
-  check_ee_for_ev("ev-valid", true);
-  run_next_test();
+  clearOCSPCache();
+  let ocspResponder = start_ocsp_responder(["non-ev-root"]);
+  check_ee_for_ev("non-ev-root", false);
+  ocspResponder.stop(run_next_test);
 });
 
 add_test(function() {
-  check_ee_for_ev("non-ev-root", false);
-  run_next_test();
+  clearOCSPCache();
+  let ocspResponder = failingOCSPResponder();
+  check_ee_for_ev("no-ocsp-url-cert", false);
+  ocspResponder.stop(run_next_test);
 });
 
+// bug 917380: Chcek that an untrusted EV root is untrusted.
+const nsIX509Cert = Ci.nsIX509Cert;
 add_test(function() {
-  check_ee_for_ev("no-ocsp-url-cert", false);
-  run_next_test();
+  let evRootCA = certdb.findCertByNickname(null, evrootnick);
+  certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0);
+
+  clearOCSPCache();
+  let ocspResponder = failingOCSPResponder();
+  check_cert_err("ev-valid", SEC_ERROR_UNTRUSTED_ISSUER);
+  ocspResponder.stop(run_next_test);
 });
 
-// Test for bug 917380
-add_test(function () {
-  const nsIX509Cert = Ci.nsIX509Cert;
+// bug 917380: Chcek that a trusted EV root is trusted.
+// TODO: isn't this a duplicate of the above test?
+add_test(function() {
   let evRootCA = certdb.findCertByNickname(null, evrootnick);
-  certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0);
-  check_cert_err("ev-valid", SEC_ERROR_UNTRUSTED_ISSUER);
   certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT,
                       Ci.nsIX509CertDB.TRUSTED_SSL |
                       Ci.nsIX509CertDB.TRUSTED_EMAIL |
                       Ci.nsIX509CertDB.TRUSTED_OBJSIGN);
+
+  clearOCSPCache();
+  let ocspResponder = start_ocsp_responder(["int-ev-valid", "ev-valid"]);
   check_ee_for_ev("ev-valid", true);
-  run_next_test();
+  ocspResponder.stop(run_next_test);
 });
-
-// The following test should be the last as it performs cleanups
-add_test(function() {
-  do_check_eq(4, gOCSPResponseCounter);
-  gHttpServer.stop(run_next_test);
-});
-
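Review bot: The untrusted-root test, the `add_test` that calls `certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0)`, leaves the EV root distrusted in the shared cert DB and depends on the following `add_test` to restore trust. That answers the `TODO: isn't this a duplicate of the above test?` question: the last test is the cleanup and re-verification step, not a duplicate. I would replace the TODO with a comment such as `// Restores the trust removed by the previous test and re-checks EV status; must run directly after it.` so the test is not deleted or reordered, which would leave later tests running against a distrusted root. Both new comments also misspell "Check" as `Chcek`.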