Bug 1173679 - Add tests for the "security.OCSP.enabled" pref. r=dkeeler
authorCykesiopka <cykesiopka.bmo@gmail.com>
Sun, 28 Feb 2016 17:49:06 -0800
changeset 322624 ea033695b10495a9a4e70d519f1e1c7a37699751
parent 322623 6c5033cf85742e903e9679729adae6be70fb1633
child 322625 4ddf9f83cb510b74bfc38e5bcbbcf111d486d087
push id5913
push userjlund@mozilla.com
push dateMon, 25 Apr 2016 16:57:49 +0000
reviewersdkeeler
bugs1173679
milestone47.0a1
Bug 1173679 - Add tests for the "security.OCSP.enabled" pref. r=dkeeler MozReview-Commit-ID: BQurIgVY8os
security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
security/manager/ssl/tests/unit/xpcshell.ini
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_enabled_pref.js
@@ -0,0 +1,141 @@
+// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+"use strict";
+
+// Checks that the security.OCSP.enabled pref correctly controls OCSP fetching
+// behavior.
+
+do_get_profile(); // Must be called before getting nsIX509CertDB
+const gCertDB = Cc["@mozilla.org/security/x509certdb;1"]
+                  .getService(Ci.nsIX509CertDB);
+
+const SERVER_PORT = 8888;
+
+function certFromFile(filename) {
+  return constructCertFromFile(`test_ev_certs/$(unknown).pem`);
+}
+
+function loadCert(certName, trustString) {
+  addCertFromFile(gCertDB, `test_ev_certs/${certName}.pem`, trustString);
+}
+
+function getFailingOCSPResponder() {
+  return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
+}
+
+function getOCSPResponder(expectedCertNames) {
+  return startOCSPResponder(SERVER_PORT, "www.example.com", [], "test_ev_certs",
+                            expectedCertNames, []);
+}
+
+// Tests that in ocspOff mode, OCSP fetches are never done.
+function testOff() {
+  add_test(() => {
+    Services.prefs.setIntPref("security.OCSP.enabled", 0);
+    do_print("Setting security.OCSP.enabled to 0");
+    run_next_test();
+  });
+
+  // EV chains should verify successfully but never get EV status.
+  add_test(() => {
+    clearOCSPCache();
+    let ocspResponder = getFailingOCSPResponder();
+    checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
+                  false);
+    ocspResponder.stop(run_next_test);
+  });
+
+  // A DV chain should verify successfully.
+  add_test(() => {
+    clearOCSPCache();
+    let ocspResponder = getFailingOCSPResponder();
+    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
+                          PRErrorCodeSuccess, certificateUsageSSLServer);
+    ocspResponder.stop(run_next_test);
+  });
+}
+
+// Tests that in ocspOn mode, OCSP fetches are done for both EV and DV certs.
+function testOn() {
+  add_test(() => {
+    Services.prefs.setIntPref("security.OCSP.enabled", 1);
+    do_print("Setting security.OCSP.enabled to 1");
+    run_next_test();
+  });
+
+  // If a successful OCSP response is fetched, then an EV chain should verify
+  // successfully and get EV status as well.
+  add_test(() => {
+    clearOCSPCache();
+    let ocspResponder =
+      getOCSPResponder(gEVExpected ? ["int-ev-valid", "ev-valid"]
+                                   : ["ev-valid"]);
+    checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
+                  gEVExpected);
+    ocspResponder.stop(run_next_test);
+  });
+
+  // If a successful OCSP response is fetched, then a DV chain should verify
+  // successfully.
+  add_test(() => {
+    clearOCSPCache();
+    let ocspResponder = getOCSPResponder(["non-ev-root"]);
+    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
+                          PRErrorCodeSuccess, certificateUsageSSLServer);
+    ocspResponder.stop(run_next_test);
+  });
+}
+
+// Tests that in ocspEVOnly mode, OCSP fetches are done for EV certs only.
+function testEVOnly() {
+  add_test(() => {
+    Services.prefs.setIntPref("security.OCSP.enabled", 2);
+    do_print("Setting security.OCSP.enabled to 2");
+    run_next_test();
+  });
+
+  // If a successful OCSP response is fetched, then an EV chain should verify
+  // successfully and get EV status as well.
+  add_test(() => {
+    clearOCSPCache();
+    let ocspResponder = gEVExpected
+                      ? getOCSPResponder(["int-ev-valid", "ev-valid"])
+                      : getFailingOCSPResponder();
+    checkEVStatus(gCertDB, certFromFile("ev-valid"), certificateUsageSSLServer,
+                  gEVExpected);
+    ocspResponder.stop(run_next_test);
+  });
+
+  // A DV chain should verify successfully even without doing OCSP fetches.
+  add_test(() => {
+    clearOCSPCache();
+    let ocspResponder = getFailingOCSPResponder();
+    checkCertErrorGeneric(gCertDB, certFromFile("non-ev-root"),
+                          PRErrorCodeSuccess, certificateUsageSSLServer);
+    ocspResponder.stop(run_next_test);
+  });
+}
+
+function run_test() {
+  do_register_cleanup(() => {
+    Services.prefs.clearUserPref("network.dns.localDomains");
+    Services.prefs.clearUserPref("security.OCSP.enabled");
+    Services.prefs.clearUserPref("security.OCSP.require");
+  });
+  Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
+  // Enable hard fail to ensure chains that should only succeed because they get
+  // a good OCSP response do not succeed due to soft fail leniency.
+  Services.prefs.setBoolPref("security.OCSP.require", true);
+
+  loadCert("evroot", "CTu,,");
+  loadCert("int-ev-valid", ",,");
+  loadCert("non-evroot-ca", "CTu,,");
+  loadCert("int-non-ev-root", ",,");
+
+  testOff();
+  testOn();
+  testEVOnly();
+
+  run_next_test();
+}
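Review bot: certFromFile in this hunk never interpolates its `filename` parameter — the path is written as `test_ev_certs/$(unknown).pem`, and `$(unknown)` is not template-literal syntax, so as shown every call resolves to the same non-existent file and none of the EV or DV checks below would load the intended certificate. The sibling loadCert uses `${certName}` correctly, so this may be an artifact of how the page was rendered, but the line should read with `${filename}` in place of `$(unknown)`, i.e. the template `test_ev_certs/${filename}.pem`. A smaller point of style: the DV-chain check against a failing responder is repeated verbatim in testOff and testEVOnly and differs in testOn only by the responder, so a helper taking the responder factory would make the three modes read as one table of expectations. It would also help a future reader to note next to the testOff DV case that, because `security.OCSP.require` is set to true in run_test, a pass against a failing responder is the evidence that no fetch was attempted, which is the property this pref value is meant to guarantee.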
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -66,16 +66,18 @@ run-sequentially = hardcoded ports
 [test_logoutAndTeardown.js]
 run-sequentially = hardcoded ports
 [test_name_constraints.js]
 [test_nsCertType.js]
 run-sequentially = hardcoded ports
 [test_nsIX509Cert_utf8.js]
 [test_ocsp_caching.js]
 run-sequentially = hardcoded ports
+[test_ocsp_enabled_pref.js]
+run-sequentially = hardcoded ports
 [test_ocsp_fetch_method.js]
 # OCSP requests in this test time out on slow B2G Emulator debug builds.
 # See Bug 1147725.
 skip-if = toolkit == 'gonk' && debug
 run-sequentially = hardcoded ports
 [test_ocsp_must_staple.js]
 run-sequentially = hardcoded ports
 [test_ocsp_no_hsts_upgrade.js]