Bug 916629, Part 4: Unit tests for trust of delegated OCSP responder certificates for mozilla::pkix, r=keeler
authorBrian Smith <brian@briansmith.org>
Thu, 10 Jul 2014 21:20:17 -0700
changeset 216112 8700531ef25f26efc098566331774c214bfab793
parent 216111 6dc520f8b95ea38f6f9805dc00b2f8a97bf5be30
child 216113 83a246bb78608023951935a862420f9a86834165
push id515
push userraliiev@mozilla.com
push dateMon, 06 Oct 2014 12:51:51 +0000
treeherdermozilla-release@267c7a481bef [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler
bugs916629
milestone33.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 916629, Part 4: Unit tests for trust of delegated OCSP responder certificates for mozilla::pkix, r=keeler
security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
--- a/security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
+++ b/security/pkix/test/gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
@@ -786,8 +786,100 @@ TEST_F(pkixocsp_VerifyEncodedResponse_De
 
   bool expired;
   ASSERT_SECFailure(SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
                     VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
                                               END_ENTITY_MAX_LIFETIME_IN_DAYS,
                                               *response, expired));
   ASSERT_FALSE(expired);
 }
+
+class pkixocsp_VerifyEncodedResponse_GetCertTrust
+  : public pkixocsp_VerifyEncodedResponse_DelegatedResponder {
+public:
+  pkixocsp_VerifyEncodedResponse_GetCertTrust()
+    : signerCertDER(nullptr)
+    , response(nullptr)
+  {
+  }
+
+  void SetUp()
+  {
+    pkixocsp_VerifyEncodedResponse_DelegatedResponder::SetUp();
+    response = CreateEncodedIndirectOCSPSuccessfulResponse(
+                          "CN=OCSPGetCertTrustTest Signer",
+                          OCSPResponseContext::good, byKey,
+                          SEC_OID_OCSP_RESPONDER, &signerCertDER);
+    if (!response || !signerCertDER) {
+      PR_Abort();
+    }
+  }
+
+  class TrustDomain : public OCSPTestTrustDomain
+  {
+  public:
+    TrustDomain()
+      : certTrustLevel(TrustLevel::InheritsTrust)
+    {
+    }
+
+    bool SetCertTrust(const SECItem* certDER, TrustLevel certTrustLevel)
+    {
+      this->certDER = certDER;
+      this->certTrustLevel = certTrustLevel;
+      return true;
+    }
+  private:
+    virtual SECStatus GetCertTrust(EndEntityOrCA endEntityOrCA,
+                                   const CertPolicyId&,
+                                   const SECItem& candidateCert,
+                           /*out*/ TrustLevel* trustLevel)
+    {
+      EXPECT_EQ(endEntityOrCA, EndEntityOrCA::MustBeEndEntity);
+      EXPECT_TRUE(trustLevel);
+      EXPECT_TRUE(certDER);
+      EXPECT_TRUE(SECITEM_ItemsAreEqual(certDER, &candidateCert));
+      *trustLevel = certTrustLevel;
+      return SECSuccess;
+    }
+
+    const SECItem* certDER; // weak pointer
+    TrustLevel certTrustLevel;
+  };
+
+  TrustDomain trustDomain;
+  const SECItem* signerCertDER; // owned by arena
+  SECItem* response; // owned by arena
+};
+
+TEST_F(pkixocsp_VerifyEncodedResponse_GetCertTrust, InheritTrust)
+{
+  ASSERT_TRUE(trustDomain.SetCertTrust(signerCertDER,
+                                       TrustLevel::InheritsTrust));
+  bool expired;
+  ASSERT_SECSuccess(VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
+                                              END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                              *response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_GetCertTrust, TrustAnchor)
+{
+  ASSERT_TRUE(trustDomain.SetCertTrust(signerCertDER,
+                                       TrustLevel::TrustAnchor));
+  bool expired;
+  ASSERT_SECSuccess(VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
+                                              END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                              *response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_GetCertTrust, ActivelyDistrusted)
+{
+  ASSERT_TRUE(trustDomain.SetCertTrust(signerCertDER,
+                                       TrustLevel::ActivelyDistrusted));
+  bool expired;
+  ASSERT_SECFailure(SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
+                    VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, now,
+                                              END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                              *response, expired));
+  ASSERT_FALSE(expired);
+}