Bug 360126 - OCSP Delegated Responder Test. r=briansmith

security/manager/boot/src/StaticHPKPins.h

@@ -89,7 +89,7 @@ static const char kDigiCert_High_Assurance_EV_Root_CAFingerprint[] =
 
 /* End Entity Test Cert */
 static const char kEnd_Entity_Test_CertFingerprint[] =
-  "a08RrXscTn7kKTSPR8uZVrmc0o3ryPd+o3menqJHJBw=";
+  "w3a2zMuMdmP9ed7H9HLExM+i+/0UxqHlKszZ5GQpHYM=";
 
 /* Entrust Root Certification Authority */
 static const char kEntrust_Root_Certification_AuthorityFingerprint[] =
@@ -1067,4 +1067,4 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
 
 static const int32_t kUnknownId = -1;
 
-static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1413832295312000);
+static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1413940883162000);

security/manager/ssl/tests/unit/test_ocsp_stapling.js

@@ -137,6 +137,11 @@ function add_tests(certDB, otherTestCA) {
   // ocsp-stapling-expired.example.com and
   // ocsp-stapling-expired-fresh-ca.example.com are handled in
   // test_ocsp_stapling_expired.js
+
+  // Check that OCSP responder certificates with key sizes below 1024 bits are
+  // rejected, even when the main certificate chain keys are at least 1024 bits.
+  add_ocsp_test("keysize-ocsp-delegated.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_INVALID_KEY), true);
 }
 
 function check_ocsp_stapling_telemetry() {
@@ -148,7 +153,7 @@ function check_ocsp_stapling_telemetry() {
   do_check_eq(histogram.counts[1], 5); // 5 connections with a good response
   do_check_eq(histogram.counts[2], 18); // 18 connections with no stapled resp.
   do_check_eq(histogram.counts[3], 0); // 0 connections with an expired response
-  do_check_eq(histogram.counts[4], 19); // 19 connections with bad responses
+  do_check_eq(histogram.counts[4], 20); // 20 connections with bad responses
   run_next_test();
 }
 

security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp

@@ -52,6 +52,7 @@ const OCSPHost sOCSPHosts[] =
   { "ocsp-stapling-delegated-keyUsage-crlSigning.example.com", ORTDelegatedIncluded, "invalidDelegatedSignerKeyUsageCrlSigning" },
   { "ocsp-stapling-delegated-wrong-extKeyUsage.example.com", ORTDelegatedIncluded, "invalidDelegatedSignerWrongExtKeyUsage" },
   { "ocsp-stapling-ancient-valid.example.com", ORTAncientAlmostExpired, nullptr},
+  { "keysize-ocsp-delegated.example.com", ORTDelegatedIncluded, "badKeysizeDelegatedSigner" },
   { nullptr, ORTNull, nullptr }
 };
 

security/manager/ssl/tests/unit/tlsserver/generate_certs.sh

@@ -184,4 +184,6 @@ make_delegated invalidDelegatedSignerWrongExtKeyUsage 'CN=Test Invalid Delegated
 
 make_INT self-signed-EE-with-cA-true 'CN=Test Self-signed End-entity with CA true' unused "-x -8 self-signed-end-entity-with-cA-true.example.com"
 
+make_delegated badKeysizeDelegatedSigner 'CN=Bad Keysize Delegated Responder' testCA "--extKeyUsage ocspResponder -g 1008"
+
 cleanup

security/manager/ssl/tests/unit/tlsserver/pkcs11.txt

@@ -1,5 +1,5 @@
 library=
 name=NSS Internal PKCS #11 Module
-parameters=configdir='sql:./security/manager/ssl/tests/unit/tlsserver' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+parameters=configdir='sql:security/manager/ssl/tests/unit/tlsserver' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
 NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})