mirror of
https://github.com/classilla/tenfourfox.git
synced 2024-10-22 02:25:05 +00:00
266 lines
11 KiB
JavaScript
266 lines
11 KiB
JavaScript
// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
|
|
// This Source Code Form is subject to the terms of the Mozilla Public
|
|
// License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
"use strict";
|
|
|
|
// In which we connect to a number of domains (as faked by a server running
|
|
// locally) with and without OCSP stapling enabled to determine that good
|
|
// things happen and bad things don't.
|
|
|
|
var gExpectOCSPRequest;
|
|
|
|
function add_ocsp_test(aHost, aExpectedResult, aStaplingEnabled) {
|
|
add_connection_test(aHost, aExpectedResult,
|
|
function() {
|
|
gExpectOCSPRequest = !aStaplingEnabled;
|
|
clearOCSPCache();
|
|
clearSessionCache();
|
|
Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling",
|
|
aStaplingEnabled);
|
|
});
|
|
}
|
|
|
|
function add_tests() {
|
|
// In the absence of OCSP stapling, these should actually all work.
|
|
add_ocsp_test("ocsp-stapling-good.example.com",
|
|
PRErrorCodeSuccess, false);
|
|
add_ocsp_test("ocsp-stapling-revoked.example.com",
|
|
PRErrorCodeSuccess, false);
|
|
add_ocsp_test("ocsp-stapling-good-other-ca.example.com",
|
|
PRErrorCodeSuccess, false);
|
|
add_ocsp_test("ocsp-stapling-malformed.example.com",
|
|
PRErrorCodeSuccess, false);
|
|
add_ocsp_test("ocsp-stapling-srverr.example.com",
|
|
PRErrorCodeSuccess, false);
|
|
add_ocsp_test("ocsp-stapling-trylater.example.com",
|
|
PRErrorCodeSuccess, false);
|
|
add_ocsp_test("ocsp-stapling-needssig.example.com",
|
|
PRErrorCodeSuccess, false);
|
|
add_ocsp_test("ocsp-stapling-unauthorized.example.com",
|
|
PRErrorCodeSuccess, false);
|
|
add_ocsp_test("ocsp-stapling-unknown.example.com",
|
|
PRErrorCodeSuccess, false);
|
|
add_ocsp_test("ocsp-stapling-good-other.example.com",
|
|
PRErrorCodeSuccess, false);
|
|
add_ocsp_test("ocsp-stapling-none.example.com",
|
|
PRErrorCodeSuccess, false);
|
|
add_ocsp_test("ocsp-stapling-expired.example.com",
|
|
PRErrorCodeSuccess, false);
|
|
add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
|
|
PRErrorCodeSuccess, false);
|
|
add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
|
|
PRErrorCodeSuccess, false);
|
|
add_ocsp_test("ocsp-stapling-critical-extension.example.com",
|
|
PRErrorCodeSuccess, false);
|
|
add_ocsp_test("ocsp-stapling-noncritical-extension.example.com",
|
|
PRErrorCodeSuccess, false);
|
|
add_ocsp_test("ocsp-stapling-empty-extensions.example.com",
|
|
PRErrorCodeSuccess, false);
|
|
|
|
// Now test OCSP stapling
|
|
// The following error codes are defined in security/nss/lib/util/SECerrs.h
|
|
|
|
add_ocsp_test("ocsp-stapling-good.example.com", PRErrorCodeSuccess, true);
|
|
|
|
add_ocsp_test("ocsp-stapling-revoked.example.com",
|
|
SEC_ERROR_REVOKED_CERTIFICATE, true);
|
|
|
|
// SEC_ERROR_OCSP_INVALID_SIGNING_CERT vs SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE
|
|
// depends on whether the CA that signed the response is a trusted CA
|
|
// (but only with the classic implementation - mozilla::pkix always
|
|
// results in the error SEC_ERROR_OCSP_INVALID_SIGNING_CERT).
|
|
|
|
// This stapled response is from a CA that is untrusted and did not issue
|
|
// the server's certificate.
|
|
let certDB = Cc["@mozilla.org/security/x509certdb;1"]
|
|
.getService(Ci.nsIX509CertDB);
|
|
let otherTestCA = constructCertFromFile("ocsp_certs/other-test-ca.pem");
|
|
add_test(function() {
|
|
certDB.setCertTrust(otherTestCA, Ci.nsIX509Cert.CA_CERT,
|
|
Ci.nsIX509CertDB.UNTRUSTED);
|
|
run_next_test();
|
|
});
|
|
add_ocsp_test("ocsp-stapling-good-other-ca.example.com",
|
|
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
|
|
|
|
// The stapled response is from a CA that is trusted but did not issue the
|
|
// server's certificate.
|
|
add_test(function() {
|
|
certDB.setCertTrust(otherTestCA, Ci.nsIX509Cert.CA_CERT,
|
|
Ci.nsIX509CertDB.TRUSTED_SSL);
|
|
run_next_test();
|
|
});
|
|
// TODO(bug 979055): When using ByName instead of ByKey, the error here is
|
|
// SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE. We should be testing both cases.
|
|
add_ocsp_test("ocsp-stapling-good-other-ca.example.com",
|
|
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
|
|
|
|
// TODO: Test the case where the signing cert can't be found at all, which
|
|
// will result in SEC_ERROR_BAD_DATABASE in the NSS classic case.
|
|
|
|
add_ocsp_test("ocsp-stapling-malformed.example.com",
|
|
SEC_ERROR_OCSP_MALFORMED_REQUEST, true);
|
|
add_ocsp_test("ocsp-stapling-srverr.example.com",
|
|
SEC_ERROR_OCSP_SERVER_ERROR, true);
|
|
add_ocsp_test("ocsp-stapling-trylater.example.com",
|
|
SEC_ERROR_OCSP_TRY_SERVER_LATER, true);
|
|
add_ocsp_test("ocsp-stapling-needssig.example.com",
|
|
SEC_ERROR_OCSP_REQUEST_NEEDS_SIG, true);
|
|
add_ocsp_test("ocsp-stapling-unauthorized.example.com",
|
|
SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST, true);
|
|
add_ocsp_test("ocsp-stapling-unknown.example.com",
|
|
SEC_ERROR_OCSP_UNKNOWN_CERT, true);
|
|
add_ocsp_test("ocsp-stapling-good-other.example.com",
|
|
MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING, true);
|
|
// If the server doesn't staple an OCSP response, we continue as normal
|
|
// (this means that even though stapling is enabled, we expect an OCSP
|
|
// request).
|
|
add_connection_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
|
|
function() {
|
|
gExpectOCSPRequest = true;
|
|
clearOCSPCache();
|
|
clearSessionCache();
|
|
Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
|
|
}
|
|
);
|
|
add_ocsp_test("ocsp-stapling-empty.example.com",
|
|
SEC_ERROR_OCSP_MALFORMED_RESPONSE, true);
|
|
|
|
add_ocsp_test("ocsp-stapling-skip-responseBytes.example.com",
|
|
SEC_ERROR_OCSP_MALFORMED_RESPONSE, true);
|
|
|
|
add_ocsp_test("ocsp-stapling-critical-extension.example.com",
|
|
SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION, true);
|
|
add_ocsp_test("ocsp-stapling-noncritical-extension.example.com",
|
|
PRErrorCodeSuccess, true);
|
|
// TODO(bug 997994): Disallow empty Extensions in responses
|
|
add_ocsp_test("ocsp-stapling-empty-extensions.example.com",
|
|
PRErrorCodeSuccess, true);
|
|
|
|
add_ocsp_test("ocsp-stapling-delegated-included.example.com",
|
|
PRErrorCodeSuccess, true);
|
|
add_ocsp_test("ocsp-stapling-delegated-included-last.example.com",
|
|
PRErrorCodeSuccess, true);
|
|
add_ocsp_test("ocsp-stapling-delegated-missing.example.com",
|
|
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
|
|
add_ocsp_test("ocsp-stapling-delegated-missing-multiple.example.com",
|
|
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
|
|
add_ocsp_test("ocsp-stapling-delegated-no-extKeyUsage.example.com",
|
|
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
|
|
add_ocsp_test("ocsp-stapling-delegated-from-intermediate.example.com",
|
|
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
|
|
add_ocsp_test("ocsp-stapling-delegated-keyUsage-crlSigning.example.com",
|
|
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
|
|
add_ocsp_test("ocsp-stapling-delegated-wrong-extKeyUsage.example.com",
|
|
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
|
|
|
|
// TLS Must Staple tests
|
|
add_test(function() {
|
|
clearSessionCache();
|
|
Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", true);
|
|
run_next_test();
|
|
});
|
|
|
|
// ensure that the chain is checked for required features in children:
|
|
// First a case where intermediate and ee both have the extension
|
|
add_ocsp_test("ocsp-stapling-must-staple-ee-with-must-staple-int.example.com",
|
|
PRErrorCodeSuccess, true);
|
|
|
|
// Next, a case where it's present in the intermediate, not the ee
|
|
add_ocsp_test("ocsp-stapling-plain-ee-with-must-staple-int.example.com",
|
|
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, true);
|
|
|
|
// We disable OCSP must-staple in the next two tests so we can perform checks
|
|
// on TLS Features in the chain without needint to support the TLS
|
|
// extension values used.
|
|
// Test an issuer with multiple TLS features in matched in the EE
|
|
add_ocsp_test("multi-tls-feature-good.example.com",
|
|
PRErrorCodeSuccess, false);
|
|
|
|
// Finally, an inssuer with multiple TLS features not matched by the EE
|
|
add_ocsp_test("multi-tls-feature-bad.example.com",
|
|
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, false);
|
|
|
|
|
|
|
|
// Now a bunch of operations with only a must-staple ee
|
|
add_ocsp_test("ocsp-stapling-must-staple.example.com",
|
|
PRErrorCodeSuccess, true);
|
|
|
|
add_ocsp_test("ocsp-stapling-must-staple-revoked.example.com",
|
|
SEC_ERROR_REVOKED_CERTIFICATE, true);
|
|
|
|
add_ocsp_test("ocsp-stapling-must-staple-missing.example.com",
|
|
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING, true);
|
|
|
|
add_ocsp_test("ocsp-stapling-must-staple-empty.example.com",
|
|
SEC_ERROR_OCSP_MALFORMED_RESPONSE, true);
|
|
|
|
add_ocsp_test("ocsp-stapling-must-staple-missing.example.com",
|
|
PRErrorCodeSuccess, false);
|
|
|
|
// check that disabling must-staple works
|
|
add_test(function() {
|
|
clearSessionCache();
|
|
Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", false);
|
|
run_next_test();
|
|
});
|
|
|
|
add_ocsp_test("ocsp-stapling-must-staple-missing.example.com",
|
|
PRErrorCodeSuccess, true);
|
|
|
|
// ocsp-stapling-expired.example.com and
|
|
// ocsp-stapling-expired-fresh-ca.example.com are handled in
|
|
// test_ocsp_stapling_expired.js
|
|
|
|
// Check that OCSP responder certificates with key sizes below 1024 bits are
|
|
// rejected, even when the main certificate chain keys are at least 1024 bits.
|
|
add_ocsp_test("keysize-ocsp-delegated.example.com",
|
|
SEC_ERROR_OCSP_INVALID_SIGNING_CERT, true);
|
|
|
|
add_ocsp_test("revoked-ca-cert-used-as-end-entity.example.com",
|
|
SEC_ERROR_REVOKED_CERTIFICATE, true);
|
|
}
|
|
|
|
function check_ocsp_stapling_telemetry() {
|
|
let histogram = Cc["@mozilla.org/base/telemetry;1"]
|
|
.getService(Ci.nsITelemetry)
|
|
.getHistogramById("SSL_OCSP_STAPLING")
|
|
.snapshot();
|
|
equal(histogram.counts[0], 0,
|
|
"Should have 0 connections for unused histogram bucket 0");
|
|
equal(histogram.counts[1], 7,
|
|
"Actual and expected connections with a good response should match");
|
|
equal(histogram.counts[2], 22,
|
|
"Actual and expected connections with no stapled response should match");
|
|
equal(histogram.counts[3], 0,
|
|
"Actual and expected connections with an expired response should match");
|
|
equal(histogram.counts[4], 23,
|
|
"Actual and expected connections with bad responses should match");
|
|
run_next_test();
|
|
}
|
|
|
|
function run_test() {
|
|
do_get_profile();
|
|
|
|
|
|
let fakeOCSPResponder = new HttpServer();
|
|
fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
|
|
response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
|
|
ok(gExpectOCSPRequest,
|
|
"Should be getting an OCSP request only when expected");
|
|
});
|
|
fakeOCSPResponder.start(8888);
|
|
|
|
add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
|
|
|
|
add_tests();
|
|
|
|
add_test(function () {
|
|
fakeOCSPResponder.stop(check_ocsp_stapling_telemetry);
|
|
});
|
|
|
|
run_next_test();
|
|
}
|