Bug 1183822 - Add an OCSP test for signers with SHA-1 certificates (r=keeler)

This commit is contained in:
Mark Goodwin 2015-07-17 10:04:17 +01:00
parent 80b97ddffc
commit 8605e4aed2
5 changed files with 34 additions and 0 deletions

View File

@ -19,6 +19,16 @@ function respondWithGoodOCSP(request, response) {
response.write(gGoodOCSPResponse);
}
function respondWithSHA1OCSP(request, response) {
do_print("returning 200 OK with sha-1 delegated response");
response.setStatusLine(request.httpVersion, 200, "OK");
response.setHeader("Content-Type", "application/ocsp-response");
let args = [ ["good-delegated", "localhostAndExampleCom", "delegatedSHA1Signer" ] ];
let responses = generateOCSPResponses(args, "tlsserver");
response.write(responses[0]);
}
function respondWithError(request, response) {
do_print("returning 500 Internal Server Error");
response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
@ -183,6 +193,27 @@ function add_tests() {
//---------------------------------------------------------------------------
// Ensure OCSP responses from signers with SHA1 certificates are OK. This
// is included in the OCSP caching tests since there were OCSP cache-related
// regressions when sha-1 telemetry probes were added.
add_test(function() {
clearOCSPCache();
// set security.OCSP.require so that checking the OCSP signature fails
Services.prefs.setBoolPref("security.OCSP.require", true);
run_next_test();
});
add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
[respondWithSHA1OCSP],
"signing cert is good (though sha1) - should succeed");
add_test(function() {
Services.prefs.setBoolPref("security.OCSP.require", false);
run_next_test();
});
//---------------------------------------------------------------------------
// Reset state
add_test(function() { clearOCSPCache(); run_next_test(); });
}

View File

@ -35,6 +35,8 @@ struct OCSPResponseName
const static OCSPResponseName kOCSPResponseNameList[] = {
{ "good", ORTGood }, // the certificate is good
{ "good-delegated", ORTDelegatedIncluded}, // the certificate is good, using
// a delegated signer
{ "revoked", ORTRevoked}, // the certificate has been revoked
{ "unknown", ORTUnknown}, // the responder doesn't know if the
// cert is good

View File

@ -320,6 +320,7 @@ export_cert inadequatekeyusage inadequatekeyusage-ee.der
make_EE selfsigned-inadequateEKU 'CN=Self-signed Inadequate EKU Test End-entity' unused "selfsigned-inadequateEKU.example.com" "--keyUsage keyEncipherment,dataEncipherment --extKeyUsage serverAuth" "-x"
make_delegated delegatedSigner 'CN=Test Delegated Responder' testCA "--extKeyUsage ocspResponder"
make_delegated delegatedSHA1Signer 'CN=Test SHA1 Delegated Responder' testCA "--extKeyUsage ocspResponder -Z SHA1"
make_delegated invalidDelegatedSignerNoExtKeyUsage 'CN=Test Invalid Delegated Responder No extKeyUsage' testCA
make_delegated invalidDelegatedSignerFromIntermediate 'CN=Test Invalid Delegated Responder From Intermediate' testINT "--extKeyUsage ocspResponder"
make_delegated invalidDelegatedSignerKeyUsageCrlSigning 'CN=Test Invalid Delegated Responder keyUsage crlSigning' testCA "--keyUsage crlSigning"