
test_ocsp_enabled_pref.js (8149B)


      1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
      2 // Any copyright is dedicated to the Public Domain.
      3 // http://creativecommons.org/publicdomain/zero/1.0/
      4 "use strict";
      5 
      6 // Checks that the security.OCSP.enabled pref (0 = off, 1 = on for EV and DV
      7 // certs, 2 = on for EV certs only) correctly controls OCSP fetching behavior.
      8 
// Port handed to both startOCSPResponder() and getFailingHttpServer() below.
const SERVER_PORT = 8888;

// The profile has to exist before nsIX509CertDB is requested, so this call
// must stay ahead of the getService() lookup.
do_get_profile();
const gCertDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
  Ci.nsIX509CertDB
);
     15 
/**
 * Loads a certificate from the test_ev_certs directory.
 *
 * @param {string} filename - Base name of the PEM file (no directory and no
 *   ".pem" extension).
 * @returns Whatever constructCertFromFile() returns for that path.
 */
function certFromFile(filename) {
  const pemPath = `test_ev_certs/${filename}.pem`;
  return constructCertFromFile(pemPath);
}
     19 
/**
 * Imports test_ev_certs/<certName>.pem into gCertDB.
 *
 * @param {string} certName - Base name of the PEM file, without extension.
 * @param {string} trustString - Trust flags, passed through unchanged to
 *   addCertFromFile(); callers in this file use "CTu,," for the two roots and
 *   ",," for the intermediates.
 */
function loadCert(certName, trustString) {
  const pemPath = `test_ev_certs/${certName}.pem`;
  addCertFromFile(gCertDB, pemPath, trustString);
}
     23 
/**
 * Starts the stand-in server the tests use when no OCSP request is expected.
 *
 * NOTE(review): presumably this server fails the test if it is ever queried;
 * confirm against getFailingHttpServer() in the shared test head.
 *
 * @returns The server object from getFailingHttpServer(), created for
 *   SERVER_PORT and www.example.com. Callers in this file pass it to
 *   stopOCSPResponder() when the check is done.
 */
function getFailingOCSPResponder() {
  const hostnames = ["www.example.com"];
  return getFailingHttpServer(SERVER_PORT, hostnames);
}
     27 
/**
 * Starts an OCSP responder on SERVER_PORT for www.example.com, backed by the
 * test_ev_certs directory.
 *
 * @param {string[]} expectedCertNames - Certificate names the responder is
 *   expected to be asked about. Callers in this file pass an empty array when
 *   no OCSP request should be made at all.
 * @returns The responder object from startOCSPResponder().
 */
function getOCSPResponder(expectedCertNames) {
  const host = "www.example.com";
  const certDirectory = "test_ev_certs";
  // Fifth argument is always an empty list here.
  const emptyList = [];
  return startOCSPResponder(
    SERVER_PORT,
    host,
    certDirectory,
    expectedCertNames,
    emptyList
  );
}
     37 
/**
 * ocspOff mode (security.OCSP.enabled = 0): OCSP fetches are never done.
 * Both checks therefore run against the failing responder and are still
 * expected to succeed.
 */
async function testOff() {
  Services.prefs.setIntPref("security.OCSP.enabled", 0);
  info("Setting security.OCSP.enabled to 0");

  const tlsServerUsage = Ci.nsIX509CertDB.verifyUsageTLSServer;

  // EV chain: should verify successfully and get EV status.
  clearOCSPCache();
  const evResponder = getFailingOCSPResponder();
  const evCert = certFromFile("test-oid-path-ee");
  await checkEVStatus(gCertDB, evCert, tlsServerUsage, gEVExpected);
  await stopOCSPResponder(evResponder);

  // DV chain: should verify successfully too.
  clearOCSPCache();
  const dvResponder = getFailingOCSPResponder();
  const dvCert = certFromFile("non-ev-root-path-ee");
  await checkCertErrorGeneric(
    gCertDB,
    dvCert,
    PRErrorCodeSuccess,
    tlsServerUsage
  );
  await stopOCSPResponder(dvResponder);
}
     65 
/**
 * ocspOn mode (security.OCSP.enabled = 1): OCSP fetches are done for both EV
 * and DV certs, so each check gets a responder that expects a request for the
 * end-entity certificate being verified.
 */
async function testOn() {
  Services.prefs.setIntPref("security.OCSP.enabled", 1);
  info("Setting security.OCSP.enabled to 1");

  const tlsServerUsage = Ci.nsIX509CertDB.verifyUsageTLSServer;

  // EV chain: should verify successfully and get EV status.
  clearOCSPCache();
  const evResponder = getOCSPResponder(["test-oid-path-ee"]);
  const evCert = certFromFile("test-oid-path-ee");
  await checkEVStatus(gCertDB, evCert, tlsServerUsage, gEVExpected);
  await stopOCSPResponder(evResponder);

  // DV chain: verifies successfully once a good OCSP response is fetched.
  clearOCSPCache();
  const dvResponder = getOCSPResponder(["non-ev-root-path-ee"]);
  const dvCert = certFromFile("non-ev-root-path-ee");
  await checkCertErrorGeneric(
    gCertDB,
    dvCert,
    PRErrorCodeSuccess,
    tlsServerUsage
  );
  await stopOCSPResponder(dvResponder);
}
     94 
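/**
 * Tests OCSP fetching with CRLite enforced (security.pki.crlite_mode = 2) and
 * security.OCSP.enabled = 1, for both values of security.OCSP.require.
 *
 * In this file a responder started with an empty expected-name list stands
 * for "no OCSP request should be made"; a non-empty list names the
 * certificate whose status is expected to be requested.
 *
 * Everything after the first check depends on the
 * security.test.built_in_root_hash pref and is skipped outside debug builds.
 *
 * This function switches hard fail (security.OCSP.require) off and CRLite
 * enforcement on. Those settings, and the test-only built-in-root override,
 * are put back in a finally block so they cannot leak into whatever runs
 * next, including on the early return for non-debug builds or when a check
 * throws. security.OCSP.enabled is left as set here; the other tests in this
 * file each set it themselves.
 */
async function testCRLiteEnforced() {
  // Remember the caller's hard-fail setting so it can be restored afterwards.
  const previousRequire = Services.prefs.getBoolPref("security.OCSP.require");

  try {
    Services.prefs.setBoolPref("security.OCSP.require", false);
    info("Setting security.OCSP.require to false");

    Services.prefs.setIntPref("security.OCSP.enabled", 1);
    info("Setting security.OCSP.enabled to 1");

    Services.prefs.setIntPref("security.pki.crlite_mode", 2);
    info("Setting security.pki.crlite_mode to 2");

    // When CRLite is enforced, OCSP requests should be made for DV certs that
    // do not chain to a builtin root.
    clearOCSPCache();
    let ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]);
    await checkCertErrorGeneric(
      gCertDB,
      certFromFile("non-ev-root-path-ee"),
      PRErrorCodeSuccess,
      Ci.nsIX509CertDB.verifyUsageTLSServer
    );
    await stopOCSPResponder(ocspResponder);

    // The rest of the tests here use "security.test.built_in_root_hash", which
    // only works in debug builds.
    if (!AppConstants.DEBUG) {
      return;
    }

    // When CRLite is enforced and OCSP is not required, OCSP requests should
    // not be made for DV certs that chain to a builtin root.
    Services.prefs.setBoolPref("security.OCSP.require", false);
    info("Setting security.OCSP.require to false");
    let nonEVRootCert = certFromFile("non-evroot-ca");
    // Marks the non-EV test root as "built in" by its SHA-256 fingerprint.
    Services.prefs.setCharPref(
      "security.test.built_in_root_hash",
      nonEVRootCert.sha256Fingerprint
    );
    info(
      "Setting security.test.built_in_root_hash to " +
        nonEVRootCert.sha256Fingerprint
    );

    clearOCSPCache();
    ocspResponder = getOCSPResponder([]);
    await checkCertErrorGeneric(
      gCertDB,
      certFromFile("non-ev-root-path-ee"),
      PRErrorCodeSuccess,
      Ci.nsIX509CertDB.verifyUsageTLSServer
    );
    await stopOCSPResponder(ocspResponder);

    // When CRLite is enforced and OCSP is not required, OCSP requests should
    // not be made for EV certs that chain to a builtin root.
    Services.prefs.setBoolPref("security.OCSP.require", false);
    info("Setting security.OCSP.require to false");
    let evroot = certFromFile("evroot");
    // Switches the "built in" marker over to the EV test root.
    Services.prefs.setCharPref(
      "security.test.built_in_root_hash",
      evroot.sha256Fingerprint
    );
    info(
      "Setting security.test.built_in_root_hash to " + evroot.sha256Fingerprint
    );

    clearOCSPCache();
    ocspResponder = getOCSPResponder([]);
    await checkEVStatus(
      gCertDB,
      certFromFile("test-oid-path-ee"),
      Ci.nsIX509CertDB.verifyUsageTLSServer,
      gEVExpected
    );
    await stopOCSPResponder(ocspResponder);

    // When CRLite is enforced and OCSP is required, OCSP requests should be
    // made for DV certs.
    // (security.test.built_in_root_hash still holds the EV root's fingerprint
    // at this point.)
    Services.prefs.setBoolPref("security.OCSP.require", true);
    info("Setting security.OCSP.require to true");
    clearOCSPCache();
    ocspResponder = getOCSPResponder(["non-ev-root-path-ee"]);
    await checkCertErrorGeneric(
      gCertDB,
      certFromFile("non-ev-root-path-ee"),
      PRErrorCodeSuccess,
      Ci.nsIX509CertDB.verifyUsageTLSServer
    );
    await stopOCSPResponder(ocspResponder);

    // When CRLite is enforced and OCSP is required, OCSP requests should be
    // made for EV certs.
    Services.prefs.setBoolPref("security.OCSP.require", true);
    info("Setting security.OCSP.require to true");
    Services.prefs.setCharPref(
      "security.test.built_in_root_hash",
      evroot.sha256Fingerprint
    );
    info(
      "Setting security.test.built_in_root_hash to " + evroot.sha256Fingerprint
    );

    clearOCSPCache();
    ocspResponder = getOCSPResponder(["test-oid-path-ee"]);
    await checkEVStatus(
      gCertDB,
      certFromFile("test-oid-path-ee"),
      Ci.nsIX509CertDB.verifyUsageTLSServer,
      gEVExpected
    );
    await stopOCSPResponder(ocspResponder);
  } finally {
    // Undo the revocation-policy changes made above so a later test does not
    // silently run with soft fail, enforced CRLite, or a fake built-in root.
    Services.prefs.setBoolPref("security.OCSP.require", previousRequire);
    Services.prefs.clearUserPref("security.pki.crlite_mode");
    Services.prefs.clearUserPref("security.test.built_in_root_hash");
  }
}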
    206 
/**
 * ocspEVOnly mode (security.OCSP.enabled = 2): OCSP fetches are done for EV
 * certs only.
 */
async function testEVOnly() {
  Services.prefs.setIntPref("security.OCSP.enabled", 2);
  info("Setting security.OCSP.enabled to 2");

  const tlsServerUsage = Ci.nsIX509CertDB.verifyUsageTLSServer;

  // EV chain: with a successful OCSP response it should verify and get EV
  // status. When gEVExpected is false the failing responder is used instead,
  // i.e. no fetch is expected for this chain.
  clearOCSPCache();
  let evResponder;
  if (gEVExpected) {
    evResponder = getOCSPResponder(["test-oid-path-ee"]);
  } else {
    evResponder = getFailingOCSPResponder();
  }
  const evCert = certFromFile("test-oid-path-ee");
  await checkEVStatus(gCertDB, evCert, tlsServerUsage, gEVExpected);
  await stopOCSPResponder(evResponder);

  // DV chain: should verify successfully even without doing OCSP fetches.
  clearOCSPCache();
  const dvResponder = getFailingOCSPResponder();
  const dvCert = certFromFile("non-ev-root-path-ee");
  await checkCertErrorGeneric(
    gCertDB,
    dvCert,
    PRErrorCodeSuccess,
    tlsServerUsage
  );
  await stopOCSPResponder(dvResponder);
}
    237 
// Test entry point: sets up prefs and trust anchors, then runs the four
// OCSP-mode scenarios one after another.
add_task(async function () {
  // Every pref this file sets, cleared again once the test is finished.
  const touchedPrefs = [
    "network.dns.localDomains",
    "security.OCSP.enabled",
    "security.OCSP.require",
    "security.pki.crlite_mode",
    "security.test.built_in_root_hash",
  ];
  registerCleanupFunction(() => {
    for (const prefName of touchedPrefs) {
      Services.prefs.clearUserPref(prefName);
    }
  });

  // NOTE(review): presumably this makes www.example.com resolve to the local
  // machine so OCSP requests reach the test responder; confirm.
  Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
  // Enable hard fail to ensure chains that should only succeed because they
  // get a good OCSP response do not succeed due to soft fail leniency.
  Services.prefs.setBoolPref("security.OCSP.require", true);

  // Roots are loaded with trust "CTu,,"; intermediates with no trust flags.
  const certsToLoad = [
    ["evroot", "CTu,,"],
    ["test-oid-path-int", ",,"],
    ["non-evroot-ca", "CTu,,"],
    ["non-ev-root-path-int", ",,"],
  ];
  for (const [certName, trustString] of certsToLoad) {
    loadCert(certName, trustString);
  }

  // NOTE(review): testCRLiteEnforced rewrites security.OCSP.require and
  // security.pki.crlite_mode while it runs; keep that in mind before
  // reordering these calls.
  await testOff();
  await testOn();
  await testEVOnly();
  await testCRLiteEnforced();
});