Bug 952876: Add test for bug 952808 (OCSP stapling not honored when there is a error entry in the OCSP cache), r=keeler, a=test-only
authorBrian Smith <brian@briansmith.org>
Mon, 06 Jan 2014 14:45:35 -0800
changeset 175580 911af5c9467118153e45a8d30bfca00c9cd8a9bb
parent 175579 cd228d859f4b8eaeeeb4ff712a9db043d9d1978c
child 175581 a881d79d56e6d43ab34acf7819ebb220294bf7ac
push id445
push userffxbld
push dateMon, 10 Mar 2014 22:05:19 +0000
reviewerskeeler, test-only
bugs952876, 952808
milestone28.0a2
Bug 952876: Add test for bug 952808 (OCSP stapling not honored when there is a error entry in the OCSP cache), r=keeler, a=test-only
security/manager/ssl/tests/unit/test_ocsp_caching.js
security/manager/ssl/tests/unit/test_ocsp_unknown_caching.js
security/manager/ssl/tests/unit/xpcshell.ini
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js
@@ -0,0 +1,113 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+let gFetchCount = 0;
+
+function run_test() {
+  do_get_profile();
+  Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
+  add_tls_server_setup("OCSPStaplingServer");
+
+  let ocspResponder = new HttpServer();
+  ocspResponder.registerPrefixHandler("/", function(request, response) {
+    ++gFetchCount;
+
+    do_print("gFetchCount: " + gFetchCount);
+
+    if (gFetchCount != 2) {
+      do_print("returning 500 Internal Server Error");
+
+      response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+      let body = "Refusing to return a response";
+      response.bodyOutputStream.write(body, body.length);
+      return;
+    }
+
+    do_print("returning 200 OK");
+
+    let nickname = "localhostAndExampleCom";
+    do_print("Generating ocsp response for '" + nickname + "'");
+    let args = [ ["good", nickname, "unused" ] ];
+    let ocspResponses = generateOCSPResponses(args, "tlsserver");
+    let goodResponse = ocspResponses[0];
+
+    response.setStatusLine(request.httpVersion, 200, "OK");
+    response.setHeader("Content-Type", "application/ocsp-response");
+    response.bodyOutputStream.write(goodResponse, goodResponse.length);
+  });
+  ocspResponder.start(8080);
+
+  // This test assumes that OCSPStaplingServer uses the same cert for
+  // ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com.
+
+  // Get an Unknown response for the *.exmaple.com cert and put it in the
+  // OCSP cache.
+  add_connection_test("ocsp-stapling-unknown.example.com",
+                      getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+                      clearSessionCache);
+  add_test(function() { do_check_eq(gFetchCount, 0); run_next_test(); });
+
+  // A failure to retrieve an OCSP response must result in the cached Unkown
+  // response being recognized and honored.
+  add_connection_test("ocsp-stapling-none.example.com",
+                      getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+                      clearSessionCache);
+  add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
+
+  // A valid Good response from the OCSP responder must override the cached
+  // Unknown response.
+  //
+  // Note that We need to make sure that the Unknown response and the Good
+  // response have different thisUpdate timestamps; otherwise, the Good
+  // response will be seen as "not newer" and it won't replace the existing
+  // entry.
+  add_test(function() {
+    let duration = 1200;
+    do_print("Sleeping for " + duration + "ms");
+    let timer = Cc["@mozilla.org/timer;1"].createInstance(Ci.nsITimer);
+    timer.initWithCallback(run_next_test, duration, Ci.nsITimer.TYPE_ONE_SHOT);
+  });
+  add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
+                      clearSessionCache);
+  add_test(function() { do_check_eq(gFetchCount, 2); run_next_test(); });
+
+  // The Good response retrieved from the previous fetch must have replaced
+  // the Unknown response in the cache, resulting in the catched Good response
+  // being returned and no fetch.
+  add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
+                      clearSessionCache);
+  add_test(function() { do_check_eq(gFetchCount, 2); run_next_test(); });
+
+
+  //---------------------------------------------------------------------------
+
+  // Reset state
+  add_test(function() { clearOCSPCache(); gFetchCount = 0; run_next_test(); });
+
+  // A failure to retrieve an OCSP response will result in an error entry being
+  // added to the cache.
+  add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
+                      clearSessionCache);
+  add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
+
+  // The error entry will prevent a fetch from happening for a while.
+  add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
+                      clearSessionCache);
+  add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
+
+  // The error entry must not prevent a stapled OCSP response from being
+  // honored.
+  add_connection_test("ocsp-stapling-revoked.example.com",
+                      getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
+                      clearSessionCache);
+  add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
+
+  //---------------------------------------------------------------------------
+
+  add_test(function() { ocspResponder.stop(run_next_test); run_next_test(); });
+
+  run_next_test();
+}
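Review bot: The teardown step at the end of run_test advances the test queue twice: `ocspResponder.stop(run_next_test)` hands run_next_test to the server as its stop callback, and the following `run_next_test();` on the same line invokes it synchronously as well, so the harness's completion path can fire a second time once the server has actually closed. `add_test(function() { ocspResponder.stop(run_next_test); });` is sufficient. The identical line is in the deleted test_ocsp_unknown_caching.js, so it is carried over rather than introduced here, and because it is the final step the likely symptom is a spurious second finish rather than a wrong assertion. Separately, the responder's `if (gFetchCount != 2)` keys the single Good answer off one global counter that the reset step sets back to 0 before the error-entry section, so a comment on that branch such as `// Only the second fetch since the last reset gets a Good response; every other fetch gets 500` would make the second section's expected counts (1, 1, 1) easier to verify, and the comment typos "exmaple", "Unkown" and "catched" could be fixed in the same pass.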
deleted file mode 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_unknown_caching.js
+++ /dev/null
@@ -1,87 +0,0 @@
-// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
-// This Source Code Form is subject to the terms of the Mozilla Public
-// License, v. 2.0. If a copy of the MPL was not distributed with this
-// file, You can obtain one at http://mozilla.org/MPL/2.0/.
-"use strict";
-
-let gFetchCount = 0;
-
-function run_test() {
-  do_get_profile();
-  Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
-  add_tls_server_setup("OCSPStaplingServer");
-
-  let ocspResponder = new HttpServer();
-  ocspResponder.registerPrefixHandler("/", function(request, response) {
-    ++gFetchCount;
-
-    do_print("gFetchCount: " + gFetchCount);
-
-    if (gFetchCount != 2) {
-      do_print("returning 500 Internal Server Error");
-
-      response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
-      let body = "Refusing to return a response";
-      response.bodyOutputStream.write(body, body.length);
-      return;
-    }
-
-    do_print("returning 200 OK");
-
-    let nickname = "localhostAndExampleCom";
-    do_print("Generating ocsp response for '" + nickname + "'");
-    let args = [ ["good", nickname, "unused" ] ];
-    let ocspResponses = generateOCSPResponses(args, "tlsserver");
-    let goodResponse = ocspResponses[0];
-
-    response.setStatusLine(request.httpVersion, 200, "OK");
-    response.setHeader("Content-Type", "application/ocsp-response");
-    response.bodyOutputStream.write(goodResponse, goodResponse.length);
-  });
-  ocspResponder.start(8080);
-
-  // This test assumes that OCSPStaplingServer uses the same cert for
-  // ocsp-stapling-unknown.example.com and ocsp-stapling-none.example.com.
-
-  // Get an Unknown response for the *.exmaple.com cert and put it in the
-  // OCSP cache.
-  add_connection_test("ocsp-stapling-unknown.example.com",
-                      getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
-                      clearSessionCache);
-  add_test(function() { do_check_eq(gFetchCount, 0); run_next_test(); });
-
-  // A failure to retrieve an OCSP response must result in the cached Unkown
-  // response being recognized and honored.
-  add_connection_test("ocsp-stapling-none.example.com",
-                      getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
-                      clearSessionCache);
-  add_test(function() { do_check_eq(gFetchCount, 1); run_next_test(); });
-
-  // A valid Good response from the OCSP responder must override the cached
-  // Unknown response.
-  //
-  // Note that We need to make sure that the Unknown response and the Good
-  // response have different thisUpdate timestamps; otherwise, the Good
-  // response will be seen as "not newer" and it won't replace the existing
-  // entry.
-  add_test(function() {
-    let duration = 1200;
-    do_print("Sleeping for " + duration + "ms");
-    let timer = Cc["@mozilla.org/timer;1"].createInstance(Ci.nsITimer);
-    timer.initWithCallback(run_next_test, duration, Ci.nsITimer.TYPE_ONE_SHOT);
-  });
-  add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
-                      clearSessionCache);
-  add_test(function() { do_check_eq(gFetchCount, 2); run_next_test(); });
-
-  // The Good response retrieved from the previous fetch must have replaced
-  // the Unknown response in the cache, resulting in the catched Good response
-  // being returned and no fetch.
-  add_connection_test("ocsp-stapling-none.example.com", Cr.NS_OK,
-                      clearSessionCache);
-  add_test(function() { do_check_eq(gFetchCount, 2); run_next_test(); });
-
-  add_test(function() { ocspResponder.stop(run_next_test); run_next_test(); });
-
-  run_next_test();
-}
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -31,17 +31,17 @@ skip-if = os == "android"
 [test_ocsp_stapling.js]
 run-sequentially = hardcoded ports
 # Bug 676972: test fails consistently on Android
 fail-if = os == "android"
 [test_ocsp_stapling_expired.js]
 run-sequentially = hardcoded ports
 # Bug 676972: test fails consistently on Android
 fail-if = os == "android"
-[test_ocsp_unknown_caching.js]
+[test_ocsp_caching.js]
 run-sequentially = hardcoded ports
 # Bug 676972: test fails consistently on Android
 fail-if = os == "android"
 [test_sts_ipv4_ipv6.js]
 [test_cert_signatures.js]
 # Bug 676972: test fails consistently on Android
 fail-if = os == "android"
 [test_ev_certs.js]