Bug 964493, Part 2: Test, r=briansmith

--HG-- extra : rebase_source : 4bc219aaece6f16458ce7755acf552bf956e01a0
2024-09-13 09:24:08 -07:00 · 2014-01-31 11:32:48 -08:00 · 2014-01-31 11:32:48 -08:00 · a3dcf00b0e
commit a3dcf00b0e
parent f5dee705f7
6 changed files with 57 additions and 1 deletions
--- a/security/manager/ssl/tests/unit/test_ocsp_required.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_required.js
@ -0,0 +1,44 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+"use strict";
+
+// In which we connect to a domain (as faked by a server running locally)
+// and start up an OCSP responder (also basically faked) that gives a
+// response with a bad signature. With security.OCSP.require set to true,
+// this should fail (but it also shouldn't cause assertion failures).
+
+function run_test() {
+  do_get_profile();
+  Services.prefs.setBoolPref("security.OCSP.require", true);
+
+  let args = [ ["bad-signature", "localhostAndExampleCom", "unused" ] ];
+  let ocspResponses = generateOCSPResponses(args, "tlsserver");
+  let ocspResponseBadSignature = ocspResponses[0];
+  let ocspRequestCount = 0;
+
+  let ocspResponder = new HttpServer();
+  ocspResponder.registerPrefixHandler("/", function(request, response) {
+    response.setStatusLine(request.httpVersion, 200, "OK");
+    response.setHeader("Content-Type", "application/ocsp-response");
+    response.write(ocspResponseBadSignature);
+    ocspRequestCount++;
+  });
+  ocspResponder.start(8080);
+
+  // We don't actually make use of stapling in this test. This is just how we
+  // get a TLS connection.
+  add_tls_server_setup("OCSPStaplingServer");
+  add_connection_test("ocsp-stapling-none.example.com",
+                      getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT));
+  // bug 964493 - using a cached OCSP response with a bad signature would cause
+  // the verification library to return a failure error code without calling
+  // PORT_SetError with the specific error, violating the expectations
+  // of the error handling code.
+  add_connection_test("ocsp-stapling-none.example.com",
+                      getXPCOMStatusFromNSS(SEC_ERROR_OCSP_INVALID_SIGNING_CERT));
+  add_test(function() { ocspResponder.stop(run_next_test); });
+  add_test(function() { do_check_eq(ocspRequestCount, 1); run_next_test(); });
+  run_next_test();
+}
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/GenerateOCSPResponse.cpp
@ -55,6 +55,7 @@ const static OCSPResponseName kOCSPResponseNameList[] = {
  { "resp-unsigned",   ORTNeedsSig},       // the response needs a signature
  { "unauthorized",    ORTUnauthorized},   // the responder does not know about
                                           //   the cert
+  { "bad-signature",   ORTBadSignature},   // the response has a bad signature
 };


--- a/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp
@ -36,6 +36,7 @@ const OCSPHost sOCSPHosts[] =
  { "ocsp-stapling-needssig.example.com", ORTNeedsSig, nullptr },
  { "ocsp-stapling-unauthorized.example.com", ORTUnauthorized, nullptr },
  { "ocsp-stapling-with-intermediate.example.com", ORTGood, "ocspEEWithIntermediate" },
+  { "ocsp-stapling-bad-signature.example.com", ORTBadSignature, nullptr },
  { nullptr, ORTNull, nullptr }
 };

--- a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
@ -42,6 +42,7 @@ GetOCSPResponseForType(OCSPResponseType aORT, CERTCertificate *aCert,
  switch (aORT) {
    case ORTGood:
    case ORTGoodOtherCA:
+    case ORTBadSignature:
      sr = CERT_CreateOCSPSingleResponseGood(aArena, id, now, &nextUpdate);
      if (!sr) {
        PrintPRError("CERT_CreateOCSPSingleResponseGood failed");
@ -118,6 +119,10 @@ GetOCSPResponseForType(OCSPResponseType aORT, CERTCertificate *aCert,
      PrintPRError("PK11_FindCertFromNickname failed");
      return nullptr;
    }
+  } else if (aORT == ORTBadSignature) {
+    // passing in a null responderCert to CERT_CreateEncodedOCSPSuccessResponse
+    // causes it to generate an invalid signature (by design, for testing).
+    ca = nullptr;
  } else {
    // XXX CERT_FindCertIssuer uses the old, deprecated path-building logic
    ca = CERT_FindCertIssuer(aCert, now, certUsageSSLCA);
--- a/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h
+++ b/security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.h
@ -27,7 +27,8 @@ enum OCSPResponseType
  ORTSrverr,           // the response indicates there was a server error
  ORTTryLater,         // the responder replied with "try again later"
  ORTNeedsSig,         // the response needs a signature
-  ORTUnauthorized      // the responder is not authorized for this certificate
+  ORTUnauthorized,     // the responder is not authorized for this certificate
+  ORTBadSignature      // the response has a signature that does not verify
 };

 struct OCSPHost
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@ -45,6 +45,10 @@ fail-if = os == "android"
 run-sequentially = hardcoded ports
 # Bug 676972: test fails consistently on Android
 fail-if = os == "android"
+[test_ocsp_required.js]
+run-sequentially = hardcoded ports
+# Bug 676972: test fails consistently on Android
+fail-if = os == "android"
 [test_sts_ipv4_ipv6.js]
 [test_cert_signatures.js]
 # Bug 676972: test fails consistently on Android