Bug 923304, Part 2: Adjust EV tests, r=keeler

--HG-- extra : rebase_source : f0cfd0089a99dddd8852e0613bc2a31e5c12b1de
2024-09-13 09:24:08 -07:00 · 2014-01-14 15:22:09 -08:00 · 2014-01-14 15:22:09 -08:00 · 8565c44c20
commit 8565c44c20
parent 921c2d255a
1 changed files with 62 additions and 33 deletions
--- a/security/manager/ssl/tests/unit/test_ev_certs.js
+++ b/security/manager/ssl/tests/unit/test_ev_certs.js
@ -5,6 +5,9 @@

 "use strict";

+// XXX: The isDebugBuild tests you see are here because the test EV root is
+// only enabled for EV in debug builds, as a security measure. An ugly hack.
+
 do_get_profile(); // must be called before getting nsIX509CertDB
 const certdb = Cc["@mozilla.org/security/x509certdb;1"]
                 .getService(Ci.nsIX509CertDB);
@ -31,16 +34,28 @@ function load_ca(ca_name) {
  addCertFromFile(certdb, "test_ev_certs/" + ca_filename, 'CTu,CTu,CTu');
 }

-var gHttpServer;
-var gOCSPResponseCounter = 0;
+const SERVER_PORT = 8888;

-function start_ocsp_responder() {
-  const SERVER_PORT = 8888;
-  gHttpServer = new HttpServer();
-  gHttpServer.registerPrefixHandler("/",
+function failingOCSPResponder() {
+  let httpServer = new HttpServer();
+  httpServer.registerPrefixHandler("/", function(request, response) {
+    do_check_true(false);
+  });
+  httpServer.start(SERVER_PORT);
+  return httpServer;
+}
+
+function start_ocsp_responder(expectedCertNames) {
+  let httpServer = new HttpServer();
+  httpServer.registerPrefixHandler("/",
      function handleServerCallback(aRequest, aResponse) {
        do_check_neq(aRequest.host, "crl.example.com"); // No CRL checks
        let cert_nick = aRequest.path.slice(1, aRequest.path.length - 1);
+
+        do_check_true(expectedCertNames.length >= 1);
+        let expected_nick = expectedCertNames.shift();
+        do_check_eq(cert_nick, expected_nick);
+
        do_print("Generating ocsp response for '" + cert_nick + "'");
        aResponse.setStatusLine(aRequest.httpVersion, 200, "OK");
        aResponse.setHeader("Content-Type", "application/ocsp-response");
@ -54,11 +69,16 @@ function start_ocsp_responder() {
        let retArray = generateOCSPResponses(arg_array, "test_ev_certs");
        let responseBody = retArray[0];
        aResponse.bodyOutputStream.write(responseBody, responseBody.length);
-        gOCSPResponseCounter++;
      });
-  gHttpServer.identity.setPrimary("http", "www.example.com", SERVER_PORT);
-  gHttpServer.identity.add("http", "crl.example.com", SERVER_PORT);
-  gHttpServer.start(SERVER_PORT);
+  httpServer.identity.setPrimary("http", "www.example.com", SERVER_PORT);
+  httpServer.identity.add("http", "crl.example.com", SERVER_PORT);
+  httpServer.start(SERVER_PORT);
+  return {
+    stop: function(callback) {
+      do_check_eq(expectedCertNames.length, 0);
+      httpServer.stop(callback);
+    }
+  };
 }

 function check_cert_err(cert_name, expected_error) {
@ -77,11 +97,7 @@ function check_ee_for_ev(cert_name, expected_ev) {
    let verifiedChain = {};
    let error = certdb.verifyCertNow(cert, certificateUsageSSLServer,
                                     NO_FLAGS, verifiedChain, hasEVPolicy);
-    if (isDebugBuild) {
-      do_check_eq(hasEVPolicy.value, expected_ev);
-    } else {
-      do_check_false(hasEVPolicy.value);
-    }
+    do_check_eq(hasEVPolicy.value, expected_ev);
    do_check_eq(0, error);
 }

@ -97,44 +113,57 @@ function run_test() {
  Services.prefs.setCharPref("network.dns.localDomains",
                             'www.example.com, crl.example.com');

-  start_ocsp_responder();
-
  run_next_test();
 }

-
 add_test(function() {
-  check_ee_for_ev("ev-valid", true);
-  run_next_test();
+  clearOCSPCache();
+  let ocspResponder = start_ocsp_responder(
+                        isDebugBuild ? ["int-ev-valid", "ev-valid"]
+                                     : ["ev-valid"]);
+  check_ee_for_ev("ev-valid", isDebugBuild);
+  ocspResponder.stop(run_next_test);
 });

 add_test(function() {
+  clearOCSPCache();
+  let ocspResponder = start_ocsp_responder(["non-ev-root"]);
  check_ee_for_ev("non-ev-root", false);
-  run_next_test();
+  ocspResponder.stop(run_next_test);
 });

 add_test(function() {
+  clearOCSPCache();
+  let ocspResponder = failingOCSPResponder();
  check_ee_for_ev("no-ocsp-url-cert", false);
-  run_next_test();
+  ocspResponder.stop(run_next_test);
 });

-// Test for bug 917380
-add_test(function () {
-  const nsIX509Cert = Ci.nsIX509Cert;
+// bug 917380: Chcek that an untrusted EV root is untrusted.
+const nsIX509Cert = Ci.nsIX509Cert;
+add_test(function() {
  let evRootCA = certdb.findCertByNickname(null, evrootnick);
  certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT, 0);
+
+  clearOCSPCache();
+  let ocspResponder = failingOCSPResponder();
  check_cert_err("ev-valid", SEC_ERROR_UNTRUSTED_ISSUER);
+  ocspResponder.stop(run_next_test);
+});
+
+// bug 917380: Chcek that a trusted EV root is trusted after disabling and
+// re-enabling trust.
+add_test(function() {
+  let evRootCA = certdb.findCertByNickname(null, evrootnick);
  certdb.setCertTrust(evRootCA, nsIX509Cert.CA_CERT,
                      Ci.nsIX509CertDB.TRUSTED_SSL |
                      Ci.nsIX509CertDB.TRUSTED_EMAIL |
                      Ci.nsIX509CertDB.TRUSTED_OBJSIGN);
-  check_ee_for_ev("ev-valid", true);
-  run_next_test();
-});

-// The following test should be the last as it performs cleanups
-add_test(function() {
-  do_check_eq(4, gOCSPResponseCounter);
-  gHttpServer.stop(run_next_test);
+  clearOCSPCache();
+  let ocspResponder = start_ocsp_responder(
+                        isDebugBuild ? ["int-ev-valid", "ev-valid"]
+                                     : ["ev-valid"]);
+  check_ee_for_ev("ev-valid", isDebugBuild);
+  ocspResponder.stop(run_next_test);
 });
-