Bug 915931, Part 4: Expand OCSP xpcshell tests to test insanity::pkix, r=keeler, a=test-only
authorBrian Smith <brian@briansmith.org>
Mon, 17 Feb 2014 13:19:54 -0800
changeset 183049 5f62171194438532cdb2fc09626353de7c7a3786
parent 183048 4d6c9d219ee3b8c5503c39456ef42bebe2f6e364
child 183050 b81c398392535ca6221537fc4a6839d8b52fc342
push id3343
push userffxbld
push dateMon, 17 Mar 2014 21:55:32 +0000
treeherdermozilla-beta@2f7d3415f79f [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler, test-only
bugs915931
milestone29.0a2
Bug 915931, Part 4: Expand OCSP xpcshell tests to test insanity::pkix, r=keeler, a=test-only
security/manager/ssl/tests/unit/test_ev_certs.js
security/manager/ssl/tests/unit/test_ocsp_caching.js
security/manager/ssl/tests/unit/test_ocsp_required.js
security/manager/ssl/tests/unit/test_ocsp_stapling.js
security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
--- a/security/manager/ssl/tests/unit/test_ev_certs.js
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@@ -109,74 +109,129 @@ function run_test() {
     addCertFromFile(certdb, "test_ev_certs/" + cert_filename, ',,');
   }
   load_ca("evroot");
   load_ca("non-evroot-ca");
 
   // setup and start ocsp responder
   Services.prefs.setCharPref("network.dns.localDomains",
                              'www.example.com, crl.example.com');
-
+  add_tests_in_mode(true);
+  add_tests_in_mode(false);
   run_next_test();
 }
 
-add_test(function() {
-  clearOCSPCache();
-  let ocspResponder = start_ocsp_responder(
-                        isDebugBuild ? ["int-ev-valid", "ev-valid"]
-                                     : ["ev-valid"]);
-  check_ee_for_ev("ev-valid", isDebugBuild);
-  ocspResponder.stop(run_next_test);
-});
+function add_tests_in_mode(useInsanity)
+{
+  add_test(function () {
+    Services.prefs.setBoolPref("security.use_insanity_verification",
+                               useInsanity);
+    run_next_test();
+  });
+
+  add_test(function () {
+    clearOCSPCache();
+    let ocspResponder = start_ocsp_responder(
+                          isDebugBuild ? ["int-ev-valid", "ev-valid"]
+                                       : ["ev-valid"]);
+    check_ee_for_ev("ev-valid", isDebugBuild);
+    ocspResponder.stop(run_next_test);
+  });
+
+  add_test(function() {
+    clearOCSPCache();
+    let ocspResponder = start_ocsp_responder(["non-ev-root"]);
+    check_ee_for_ev("non-ev-root", false);
+    ocspResponder.stop(run_next_test);
+  });
 
-add_test(function() {
-  clearOCSPCache();
-  let ocspResponder = start_ocsp_responder(["non-ev-root"]);
-  check_ee_for_ev("non-ev-root", false);
-  ocspResponder.stop(run_next_test);
-});
+  add_test(function() {
+    clearOCSPCache();
+    // libpkix will attempt to validate the intermediate, which does have an
+    // OCSP URL.
+    let ocspResponder = isDebugBuild ? start_ocsp_responder(["int-ev-valid"])
+                                     : failingOCSPResponder();
+    check_ee_for_ev("no-ocsp-url-cert", false);
+    ocspResponder.stop(run_next_test);
+  });
 
-add_test(function() {
-  clearOCSPCache();
-  // libpkix will attempt to validate the intermediate, which does have an
-  // OCSP URL.
-  let ocspResponder = isDebugBuild ? start_ocsp_responder(["int-ev-valid"])
-                                   : failingOCSPResponder();
-  check_ee_for_ev("no-ocsp-url-cert", false);
-  ocspResponder.stop(run_next_test);
-});
+  // bug 917380: Chcek that an untrusted EV root is untrusted.
+  const nsIX509Cert = Ci.nsIX509Cert;
+  add_test(function() {
+    let evRootCA = certdb.findCertByNickname(null, evrootnick);
+    certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0);
+
+    clearOCSPCache();
+    let ocspResponder = failingOCSPResponder();
+    check_cert_err("ev-valid",
+                   useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
+                               : SEC_ERROR_UNTRUSTED_ISSUER);
+    ocspResponder.stop(run_next_test);
+  });
 
-// bug 917380: Chcek that an untrusted EV root is untrusted.
-const nsIX509Cert = Ci.nsIX509Cert;
-add_test(function() {
-  let evRootCA = certdb.findCertByNickname(null, evrootnick);
-  certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0);
+  // bug 917380: Chcek that a trusted EV root is trusted after disabling and
+  // re-enabling trust.
+  add_test(function() {
+    let evRootCA = certdb.findCertByNickname(null, evrootnick);
+    certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT,
+                        Ci.nsIX509CertDB.TRUSTED_SSL |
+                        Ci.nsIX509CertDB.TRUSTED_EMAIL |
+                        Ci.nsIX509CertDB.TRUSTED_OBJSIGN);
 
-  clearOCSPCache();
-  let ocspResponder = failingOCSPResponder();
-  check_cert_err("ev-valid", SEC_ERROR_UNTRUSTED_ISSUER);
-  ocspResponder.stop(run_next_test);
-});
+    clearOCSPCache();
+    let ocspResponder = start_ocsp_responder(
+                          isDebugBuild ? ["int-ev-valid", "ev-valid"]
+                                       : ["ev-valid"]);
+    check_ee_for_ev("ev-valid", isDebugBuild);
+    ocspResponder.stop(run_next_test);
+  });
+
+
+  add_test(function () {
+    check_no_ocsp_requests("ev-valid",
+                           isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
+                                        : SEC_ERROR_EXTENSION_NOT_FOUND);
+  });
+
+  add_test(function () {
+    check_no_ocsp_requests("non-ev-root",
+                           isDebugBuild ? SEC_ERROR_UNTRUSTED_ISSUER
+                                        : SEC_ERROR_EXTENSION_NOT_FOUND);
+  });
 
-// bug 917380: Chcek that a trusted EV root is trusted after disabling and
-// re-enabling trust.
-add_test(function() {
-  let evRootCA = certdb.findCertByNickname(null, evrootnick);
-  certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT,
-                      Ci.nsIX509CertDB.TRUSTED_SSL |
-                      Ci.nsIX509CertDB.TRUSTED_EMAIL |
-                      Ci.nsIX509CertDB.TRUSTED_OBJSIGN);
+  add_test(function () {
+    check_no_ocsp_requests("no-ocsp-url-cert",
+                           isDebugBuild ? SEC_ERROR_REVOKED_CERTIFICATE
+                                        : SEC_ERROR_EXTENSION_NOT_FOUND);
+  });
 
-  clearOCSPCache();
-  let ocspResponder = start_ocsp_responder(
-                        isDebugBuild ? ["int-ev-valid", "ev-valid"]
-                                     : ["ev-valid"]);
-  check_ee_for_ev("ev-valid", isDebugBuild);
-  ocspResponder.stop(run_next_test);
-});
+  // Test the EV continues to work with flags after successful EV verification
+  add_test(function () {
+    clearOCSPCache();
+    let ocspResponder = start_ocsp_responder(
+                          isDebugBuild ? ["int-ev-valid", "ev-valid"]
+                                       : ["ev-valid"]);
+    check_ee_for_ev("ev-valid", isDebugBuild);
+    ocspResponder.stop(function () {
+      // without net it must be able to EV verify
+      let failingOcspResponder = failingOCSPResponder();
+      let cert = certdb.findCertByNickname(null, "ev-valid");
+      let hasEVPolicy = {};
+      let verifiedChain = {};
+      let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
+                  Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
+
+      let error = certdb.verifyCertNow(cert, certificateUsageSSLServer,
+                                       flags, verifiedChain, hasEVPolicy);
+      do_check_eq(hasEVPolicy.value, isDebugBuild);
+      do_check_eq(error, isDebugBuild ? 0 : SEC_ERROR_EXTENSION_NOT_FOUND);
+      failingOcspResponder.stop(run_next_test);
+    });
+  });
+}
 
 // bug 950240: add FLAG_MUST_BE_EV to CertVerifier::VerifyCert
 // to prevent spurious OCSP requests that race with OCSP stapling.
 // This has the side-effect of saying an EV certificate is not EV if
 // it hasn't already been verified (e.g. on the verification thread when
 // connecting to a site).
 // This flag is mostly a hack that should be removed once FLAG_LOCAL_ONLY
 // works as intended.
@@ -193,54 +248,8 @@ function check_no_ocsp_requests(cert_nam
   // Since we're not doing OCSP requests, no certificate will be EV.
   do_check_eq(hasEVPolicy.value, false);
   do_check_eq(expected_error, error);
   // Also check that isExtendedValidation doesn't cause OCSP requests.
   let identityInfo = cert.QueryInterface(Ci.nsIIdentityInfo);
   do_check_eq(identityInfo.isExtendedValidation, false);
   ocspResponder.stop(run_next_test);
 }
-
-
-add_test(function() {
-  check_no_ocsp_requests("ev-valid",   isDebugBuild ?
-                                       SEC_ERROR_REVOKED_CERTIFICATE:
-                                       SEC_ERROR_EXTENSION_NOT_FOUND);
-});
-
-add_test(function() {
-  check_no_ocsp_requests("non-ev-root", isDebugBuild ?
-                                        SEC_ERROR_UNTRUSTED_ISSUER:
-                                        SEC_ERROR_EXTENSION_NOT_FOUND);
-});
-
-
-add_test(function() {
-  check_no_ocsp_requests("no-ocsp-url-cert", isDebugBuild?
-                                             SEC_ERROR_REVOKED_CERTIFICATE:
-                                             SEC_ERROR_EXTENSION_NOT_FOUND);
-});
-
-
-// Test the EV continues to work with flags after successful EV verification
-add_test(function() {
-  clearOCSPCache();
-  let ocspResponder = start_ocsp_responder(
-                        isDebugBuild ? ["int-ev-valid", "ev-valid"]
-                                     : ["ev-valid"]);
-  check_ee_for_ev("ev-valid", isDebugBuild);
-  ocspResponder.stop(function () {
-    // without net it must be able to EV verify
-    let failingOcspResponder = failingOCSPResponder();
-    let cert = certdb.findCertByNickname(null, "ev-valid");
-    let hasEVPolicy = {};
-    let verifiedChain = {};
-    let flags = Ci.nsIX509CertDB.FLAG_LOCAL_ONLY |
-                Ci.nsIX509CertDB.FLAG_MUST_BE_EV;
-
-    let error = certdb.verifyCertNow(cert, certificateUsageSSLServer,
-                                     flags, verifiedChain, hasEVPolicy);
-    do_check_eq(hasEVPolicy.value, isDebugBuild);
-    do_check_eq(error, isDebugBuild ? 0 : SEC_ERROR_EXTENSION_NOT_FOUND);
-    failingOcspResponder.stop(run_next_test);
-  });
-});
-
--- a/security/manager/ssl/tests/unit/test_ocsp_caching.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js
@@ -102,12 +102,12 @@ function run_test() {
   // honored.
   add_connection_test("ocsp-stapling-revoked.example.com",
                       getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
                       clearSessionCache);
   add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
 
   //---------------------------------------------------------------------------
 
-  add_test(function() { ocspResponder.stop(run_next_test); run_next_test(); });
+  add_test(function() { ocspResponder.stop(run_next_test); });
 
   run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_required.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_required.js
@@ -4,41 +4,63 @@
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 "use strict";
 
 // In which we connect to a domain (as faked by a server running locally)
 // and start up an OCSP responder (also basically faked) that gives a
 // response with a bad signature. With security.OCSP.require set to true,
 // this should fail (but it also shouldn't cause assertion failures).
 
+let gOCSPRequestCount = 0;
+
 function run_test() {
   do_get_profile();
   Services.prefs.setBoolPref("security.OCSP.require", true);
 
-  let args = [ ["bad-signature", "localhostAndExampleCom", "unused" ] ];
+  // We don't actually make use of stapling in this test. This is just how we
+  // get a TLS connection.
+  add_tls_server_setup("OCSPStaplingServer");
+
+  let args = [["bad-signature", "localhostAndExampleCom", "unused"]];
   let ocspResponses = generateOCSPResponses(args, "tlsserver");
   let ocspResponseBadSignature = ocspResponses[0];
-  let ocspRequestCount = 0;
 
   let ocspResponder = new HttpServer();
-  ocspResponder.registerPrefixHandler("/", function(request, response) {
+  ocspResponder.registerPrefixHandler("/", function (request, response) {
     response.setStatusLine(request.httpVersion, 200, "OK");
     response.setHeader("Content-Type", "application/ocsp-response");
     response.write(ocspResponseBadSignature);
-    ocspRequestCount++;
+    gOCSPRequestCount++;
   });
   ocspResponder.start(8080);
 
-  // We don't actually make use of stapling in this test. This is just how we
-  // get a TLS connection.
-  add_tls_server_setup("OCSPStaplingServer");
+  add_tests_in_mode(true);
+  add_tests_in_mode(false);
+
+  add_test(function () { ocspResponder.stop(run_next_test); });
+
+  run_next_test();
+}
+
+function add_tests_in_mode(useInsanity)
+{
+  add_test(function () {
+    Services.prefs.setBoolPref("security.use_insanity_verification",
+                               useInsanity);
+    run_next_test();
+  });
+
   add_connection_test("ocsp-stapling-none.example.com",
                       getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT));
   // bug 964493 - using a cached OCSP response with a bad signature would cause
   // the verification library to return a failure error code without calling
   // PORT_SetError with the specific error, violating the expectations
   // of the error handling code.
   add_connection_test("ocsp-stapling-none.example.com",
                       getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT));
-  add_test(function() { ocspResponder.stop(run_next_test); });
-  add_test(function() { do_check_eq(ocspRequestCount, 1); run_next_test(); });
-  run_next_test();
+  add_test(function () {
+    // XXX(bug 915932): special case for insanity::pkix due to the temporary
+    // lack of an OCSP cache.
+    do_check_eq(gOCSPRequestCount, useInsanity ? 2 : 1);
+    gOCSPRequestCount = 0;
+    run_next_test();
+  });
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
@@ -16,27 +16,22 @@ function add_ocsp_test(aHost, aExpectedR
       gExpectOCSPRequest = !aStaplingEnabled;
       clearOCSPCache();
       clearSessionCache();
       Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling",
                                  aStaplingEnabled);
     });
 }
 
-function run_test() {
-  do_get_profile();
-
-  let fakeOCSPResponder = new HttpServer();
-  fakeOCSPResponder.registerPrefixHandler("/", function(request, response) {
-    response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
-    do_check_true(gExpectOCSPRequest);
+function add_tests_in_mode(useInsanity, certDB, otherTestCA) {
+  add_test(function () {
+    Services.prefs.setBoolPref("security.use_insanity_verification",
+                               useInsanity);
+    run_next_test();
   });
-  fakeOCSPResponder.start(8080);
-
-  add_tls_server_setup("OCSPStaplingServer");
 
   // In the absence of OCSP stapling, these should actually all work.
   add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-revoked.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-good-other-ca.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-malformed.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-srverr.example.com", Cr.NS_OK, false);
   add_ocsp_test("ocsp-stapling-trylater.example.com", Cr.NS_OK, false);
@@ -51,35 +46,43 @@ function run_test() {
   // Now test OCSP stapling
   // The following error codes are defined in security/nss/lib/util/SECerrs.h
 
   add_ocsp_test("ocsp-stapling-good.example.com", Cr.NS_OK, true);
 
   add_ocsp_test("ocsp-stapling-revoked.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE), true);
 
+  // SEC_ERROR_OCSP_INVALID_SIGNING_CERT vs SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
+  // depends on whether the CA that signed the response is a trusted CA.
+
   // This stapled response is from a CA that is untrusted and did not issue
   // the server's certificate.
-  add_ocsp_test("ocsp-stapling-good-other-ca.example.com",
-                getXPCOMStatusFromNSS(SEC_ERROR_BAD_DATABASE), true);
-
-  // SEC_ERROR_BAD_DATABASE vs SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE depends on
-  // whether the CA that signed the response is a trusted CA.
   add_test(function() {
-    let certdb = Cc["@mozilla.org/security/x509certdb;1"]
-                   .getService(Ci.nsIX509CertDB);
-    // Another trusted CA that shouldn't be trusted for OCSP responses, etc.
-    // for the "good" CA.
-    addCertFromFile(certdb, "tlsserver/other-test-ca.der", "CTu,u,u");
+    certDB.setCertTrust(otherTestCA, Ci.nsIX509Cert.CA_CERT,
+                        Ci.nsIX509CertDB.UNTRUSTED);
     run_next_test();
   });
+  add_ocsp_test("ocsp-stapling-good-other-ca.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT), true);
 
+  // The stapled response is from a CA that is trusted but did not issue the
+  // server's certificate.
+  add_test(function() {
+    certDB.setCertTrust(otherTestCA, Ci.nsIX509Cert.CA_CERT,
+                        Ci.nsIX509CertDB.TRUSTED_SSL);
+    run_next_test();
+  });
   add_ocsp_test("ocsp-stapling-good-other-ca.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE),
                 true);
+
+  // TODO: Test the case where the signing cert can't be found at all, which
+  // will result in SEC_ERROR_BAD_DATABASE in the NSS classic case.
+
   add_ocsp_test("ocsp-stapling-malformed.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_REQUEST), true);
   add_ocsp_test("ocsp-stapling-srverr.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_SERVER_ERROR), true);
   add_ocsp_test("ocsp-stapling-trylater.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_TRY_SERVER_LATER), true);
   add_ocsp_test("ocsp-stapling-needssig.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG), true);
@@ -101,27 +104,50 @@ function run_test() {
       Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
     }
   );
   add_ocsp_test("ocsp-stapling-empty.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_MALFORMED_RESPONSE), true);
   // ocsp-stapling-expired.example.com and
   // ocsp-stapling-expired-fresh-ca.example.com are handled in
   // test_ocsp_stapling_expired.js
-
-  add_test(function() { fakeOCSPResponder.stop(run_next_test); });
-
-  add_test(check_ocsp_stapling_telemetry);
-  run_next_test();
 }
 
 function check_ocsp_stapling_telemetry() {
   let histogram = Cc["@mozilla.org/base/telemetry;1"]
                     .getService(Ci.nsITelemetry)
                     .getHistogramById("SSL_OCSP_STAPLING")
                     .snapshot();
-  do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
-  do_check_eq(histogram.counts[1], 1); // 1 connection with a good response
-  do_check_eq(histogram.counts[2], 14); // 14 connections with no stapled resp.
-  do_check_eq(histogram.counts[3], 0); // 0 connections with an expired response
-  do_check_eq(histogram.counts[4], 11); // 11 connections with bad responses
+  do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused
+  do_check_eq(histogram.counts[1], 2 * 1); // 1 connection with a good response
+  do_check_eq(histogram.counts[2], 2 * 14); // 14 connections with no stapled resp.
+  do_check_eq(histogram.counts[3], 2 * 0); // 0 connections with an expired response
+  do_check_eq(histogram.counts[4], 2 * 11); // 11 connections with bad responses
   run_next_test();
 }
+
+function run_test() {
+  do_get_profile();
+
+  let certDB = Cc["@mozilla.org/security/x509certdb;1"]
+                  .getService(Ci.nsIX509CertDB);
+  let otherTestCAFile = do_get_file("tlsserver/other-test-ca.der", false);
+  let otherTestCADER = readFile(otherTestCAFile);
+  let otherTestCA = certDB.constructX509(otherTestCADER, otherTestCADER.length);
+
+  let fakeOCSPResponder = new HttpServer();
+  fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
+    response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+    do_check_true(gExpectOCSPRequest);
+  });
+  fakeOCSPResponder.start(8080);
+
+  add_tls_server_setup("OCSPStaplingServer");
+
+  add_tests_in_mode(true, certDB, otherTestCA);
+  add_tests_in_mode(false, certDB, otherTestCA);
+
+  add_test(function () {
+    fakeOCSPResponder.stop(check_ocsp_stapling_telemetry);
+  });
+
+  run_next_test();
+}
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js
@@ -20,43 +20,60 @@ function add_ocsp_test(aHost, aExpectedR
       gCurrentOCSPResponse = aOCSPResponseToServe;
       gOCSPRequestCount = 0;
     },
     function() {
       do_check_eq(gOCSPRequestCount, 1);
     });
 }
 
+do_get_profile();
+Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+let args = [["good", "localhostAndExampleCom", "unused"],
+             ["expiredresponse", "localhostAndExampleCom", "unused"],
+             ["oldvalidperiod", "localhostAndExampleCom", "unused"],
+             ["revoked", "localhostAndExampleCom", "unused"],
+             ["unknown", "localhostAndExampleCom", "unused"],
+            ];
+let ocspResponses = generateOCSPResponses(args, "tlsserver");
+// Fresh response, certificate is good.
+let ocspResponseGood = ocspResponses[0];
+// Expired response, certificate is good.
+let expiredOCSPResponseGood = ocspResponses[1];
+// Fresh signature, old validity period, certificate is good.
+let oldValidityPeriodOCSPResponseGood = ocspResponses[2];
+// Fresh signature, certificate is revoked.
+let ocspResponseRevoked = ocspResponses[3];
+// Fresh signature, certificate is unknown.
+let ocspResponseUnknown = ocspResponses[4];
+
 function run_test() {
-  do_get_profile();
-  Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
-  let args = [ ["good", "localhostAndExampleCom", "unused" ],
-               ["expiredresponse", "localhostAndExampleCom", "unused"],
-               ["oldvalidperiod", "localhostAndExampleCom", "unused"],
-               ["revoked", "localhostAndExampleCom", "unused"] ];
-  let ocspResponses = generateOCSPResponses(args, "tlsserver");
-  // Fresh response, certificate is good.
-  let ocspResponseGood = ocspResponses[0];
-  // Expired response, certificate is good.
-  let expiredOCSPResponseGood = ocspResponses[1];
-  // Fresh signature, old validity period, certificate is good.
-  let oldValidityPeriodOCSPResponseGood = ocspResponses[2];
-  // Fresh signature, certificate is revoked.
-  let ocspResponseRevoked = ocspResponses[3];
-
   let ocspResponder = new HttpServer();
   ocspResponder.registerPrefixHandler("/", function(request, response) {
     response.setStatusLine(request.httpVersion, 200, "OK");
     response.setHeader("Content-Type", "application/ocsp-response");
     response.write(gCurrentOCSPResponse);
     gOCSPRequestCount++;
   });
   ocspResponder.start(8080);
+  add_tls_server_setup("OCSPStaplingServer");
+  add_tests_in_mode(true);
+  add_tests_in_mode(false);
+  add_test(function () { ocspResponder.stop(run_next_test); });
+  add_test(check_ocsp_stapling_telemetry);
+  run_next_test();
+}
 
-  add_tls_server_setup("OCSPStaplingServer");
+function add_tests_in_mode(useInsanity)
+{
+  add_test(function () {
+    Services.prefs.setBoolPref("security.use_insanity_verification",
+                               useInsanity);
+    run_next_test();
+  });
 
   // In these tests, the OCSP stapling server gives us a stapled
   // response based on the host name ("ocsp-stapling-expired" or
   // "ocsp-stapling-expired-fresh-ca"). We then ensure that we're
   // properly falling back to fetching revocation information.
   // For ocsp-stapling-expired.example.com, the OCSP stapling server
   // staples an expired OCSP response. The certificate has not expired.
   // For ocsp-stapling-expired-fresh-ca.example.com, the OCSP stapling
@@ -75,25 +92,25 @@ function run_test() {
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
                 oldValidityPeriodOCSPResponseGood);
   add_ocsp_test("ocsp-stapling-expired.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
                 ocspResponseRevoked);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
                 ocspResponseRevoked);
-  add_test(function() { ocspResponder.stop(run_next_test); });
-  add_test(check_ocsp_stapling_telemetry);
-  run_next_test();
+  add_ocsp_test("ocsp-stapling-expired.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+                ocspResponseUnknown);
 }
 
 function check_ocsp_stapling_telemetry() {
   let histogram = Cc["@mozilla.org/base/telemetry;1"]
                     .getService(Ci.nsITelemetry)
                     .getHistogramById("SSL_OCSP_STAPLING")
                     .snapshot();
-  do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
-  do_check_eq(histogram.counts[1], 0); // 0 connections with a good response
-  do_check_eq(histogram.counts[2], 0); // 0 connections with no stapled resp.
-  do_check_eq(histogram.counts[3], 8); // 8 connections with an expired response
-  do_check_eq(histogram.counts[4], 0); // 0 connections with bad responses
+  do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused
+  do_check_eq(histogram.counts[1], 2 * 0); // 0 connections with a good response
+  do_check_eq(histogram.counts[2], 2 * 0); // 0 connections with no stapled resp.
+  do_check_eq(histogram.counts[3], 2 * 9); // 8 connections with an expired response
+  do_check_eq(histogram.counts[4], 2 * 0); // 0 connections with bad responses
   run_next_test();
 }
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling_with_intermediate.js
@@ -28,16 +28,28 @@ function run_test() {
     response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
     let body = "Refusing to return a response";
     response.bodyOutputStream.write(body, body.length);
   });
   ocspResponder.start(8080);
 
   add_tls_server_setup("OCSPStaplingServer");
 
-  add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK);
-  add_test(function() { ocspResponder.stop(run_next_test); });
+  add_tests_in_mode(true);
+  add_tests_in_mode(false);
+
+  add_test(function () { ocspResponder.stop(run_next_test); });
   add_test(function() {
     do_check_eq(gOCSPRequestCount, 0);
     run_next_test();
   });
   run_next_test();
 }
+
+function add_tests_in_mode(useInsanity) {
+  add_test(function () {
+    Services.prefs.setBoolPref("security.use_insanity_verification",
+                               useInsanity);
+    run_next_test();
+  });
+
+  add_ocsp_test("ocsp-stapling-with-intermediate.example.com", Cr.NS_OK);
+}