Bug 585122 - In PSM provide EV only with OCSP revocation (Part 2: tests). r=briansmith.

2024-09-13 09:24:08 -07:00 · 2013-12-02 11:12:21 -08:00 · 2013-12-02 11:12:21 -08:00 · 34263e81e7
commit 34263e81e7
parent c739891ca3
13 changed files with 30 additions and 4 deletions
--- a/security/manager/ssl/tests/unit/test_ev_certs.js
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@ -18,6 +18,8 @@ let certList = [
  // Test for successful EV validation
  'int-ev-valid',
  'ev-valid',
+  'no-ocsp-url-cert', // a cert signed by the EV auth that has no OCSP url
+                      // but that contains a valid CRLDP.

  // Testing a root that looks like EV but is not EV enabled
  'int-non-ev-root',
@ -34,10 +36,10 @@ var gOCSPResponseCounter = 0;

 function start_ocsp_responder() {
  const SERVER_PORT = 8888;
-
  gHttpServer = new HttpServer();
  gHttpServer.registerPrefixHandler("/",
      function handleServerCallback(aRequest, aResponse) {
+        do_check_neq(aRequest.host, "crl.example.com"); // No CRL checks
        let cert_nick = aRequest.path.slice(1, aRequest.path.length - 1);
        do_print("Generating ocsp response for '" + cert_nick + "'");
        aResponse.setStatusLine(aRequest.httpVersion, 200, "OK");
@ -55,6 +57,7 @@ function start_ocsp_responder() {
        gOCSPResponseCounter++;
      });
  gHttpServer.identity.setPrimary("http", "www.example.com", SERVER_PORT);
+  gHttpServer.identity.add("http", "crl.example.com", SERVER_PORT);
  gHttpServer.start(SERVER_PORT);
 }

@ -91,7 +94,9 @@ function run_test() {
  load_ca("non-evroot-ca");

  // setup and start ocsp responder
-  Services.prefs.setCharPref("network.dns.localDomains", 'www.example.com');
+  Services.prefs.setCharPref("network.dns.localDomains",
+                             'www.example.com, crl.example.com');
+
  start_ocsp_responder();

  run_next_test();
@ -108,6 +113,11 @@ add_test(function() {
  run_next_test();
 });

+add_test(function() {
+  check_ee_for_ev("no-ocsp-url-cert", false);
+  run_next_test();
+});
+
 // Test for bug 917380
 add_test(function () {
  const nsIX509Cert = Ci.nsIX509Cert;
--- a/security/manager/ssl/tests/unit/test_ev_certs/cert8.db
+++ b/security/manager/ssl/tests/unit/test_ev_certs/cert8.db
--- a/security/manager/ssl/tests/unit/test_ev_certs/ev-valid.der
+++ b/security/manager/ssl/tests/unit/test_ev_certs/ev-valid.der
--- a/security/manager/ssl/tests/unit/test_ev_certs/generate.py
+++ b/security/manager/ssl/tests/unit/test_ev_certs/generate.py
@ -31,9 +31,9 @@ subject_key_ident = "subjectKeyIdentifier = hash\n"
 aia_prefix = "authorityInfoAccess = OCSP;URI:http://www.example.com:8888/"
 aia_suffix ="/\n"
 intermediate_crl = ("crlDistributionPoints = " +
-                    "URI:http://crl.example.com/root-ev.crl\n")
+                    "URI:http://crl.example.com:8888/root-ev.crl\n")
 endentity_crl = ("crlDistributionPoints = " +
-                 "URI:http://crl.example.com/ee-crl.crl\n")
+                 "URI:http://crl.example.com:8888/ee-crl.crl\n")

 mozilla_testing_ev_policy = ("certificatePolicies = @v3_ca_ev_cp\n\n" +
                             "[ v3_ca_ev_cp ]\n" +
@ -93,6 +93,22 @@ def generate_certs():
                                         "int-" + prefix)
    import_cert_and_pkcs12(int_cert, pk12file, "int-" + prefix, ",,")
    import_untrusted_cert(ee_cert, prefix)
+
+    # now we generate an end entity cert with an AIA with no OCSP URL
+    no_ocsp_url_ext_aia = ("authorityInfoAccess =" +
+                           "caIssuers;URI:http://www.example.com/ca.html\n");
+    [no_ocsp_key, no_ocsp_cert] =  CertUtils.generate_cert_generic(db,
+                                      srcdir,
+                                      random.randint(100, 40000000),
+                                      key_type,
+                                      'no-ocsp-url-cert',
+                                      EE_basic_constraints + EE_full_ku +
+                                      Server_eku + authority_key_ident +
+                                      no_ocsp_url_ext_aia + endentity_crl +
+                                      mozilla_testing_ev_policy,
+                                      int_key, int_cert);
+    import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert');
+
    [bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db,
                                      srcdir,
                                      1,
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.der
+++ b/security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.der
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.p12
+++ b/security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.p12
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.der
+++ b/security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.der
--- a/security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.p12
+++ b/security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.p12
--- a/security/manager/ssl/tests/unit/test_ev_certs/key3.db
+++ b/security/manager/ssl/tests/unit/test_ev_certs/key3.db
--- a/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.der
+++ b/security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.der
--- a/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.der
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.der
--- a/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.der
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.der
--- a/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.p12
+++ b/security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.p12