// -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
"use strict";

// Tests OCSP Must-Staple handling by connecting to various domains (faked by a
// TLS server running locally) that correspond to combinations of whether the
// TLS Feature (must-staple) extension is present in intermediate and
// end-entity certificates.

// Set by each case's setup callback and read by the fake OCSP responder, which
// asserts that a network OCSP fetch only happens for cases that declared one.
let gExpectOCSPRequest;

/**
 * Queues one connection test against a host served by the local TLS server.
 *
 * @param {string} aHost - host name to connect to
 * @param {number} aExpectedResult - PR error code the handshake is expected to
 *   produce (PRErrorCodeSuccess for a successful connection)
 * @param {boolean} aStaplingEnabled - value given to
 *   security.ssl.enable_ocsp_stapling for this case
 * @param {boolean} [aExpectOCSPRequest=false] - whether the fake OCSP responder
 *   is expected to receive a request during this case
 * @param {Function} [aWithSecurityInfo] - optional callback handed through to
 *   add_connection_test unchanged
 */
function add_ocsp_test(
  aHost,
  aExpectedResult,
  aStaplingEnabled,
  aExpectOCSPRequest = false,
  aWithSecurityInfo = undefined
) {
  const prepareCase = () => {
    gExpectOCSPRequest = aExpectOCSPRequest;
    // Clear both caches so a previous case's OCSP response or resumed TLS
    // session cannot influence this one.
    clearOCSPCache();
    clearSessionCache();
    Services.prefs.setBoolPref(
      "security.ssl.enable_ocsp_stapling",
      aStaplingEnabled
    );
  };
  add_connection_test(aHost, aExpectedResult, prepareCase, aWithSecurityInfo);
}

/**
 * Queues every must-staple case. Each table entry is
 * [host, expected result, stapling enabled, expect OCSP request]; the order of
 * the cases is significant because the pref change near the end is relied on
 * by the case that follows it.
 */
function add_tests() {
  // The extension is present in the intermediate but not in the end-entity.
  add_ocsp_test(
    "ocsp-stapling-plain-ee-with-must-staple-int.example.com",
    MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
    true
  );

  // OCSP stapling is disabled for the next two cases so the TLS Feature checks
  // on the chain can be exercised without supporting the TLS extension values
  // used.
  const multiFeatureCases = [
    // An issuer with multiple TLS features, all matched by the EE.
    ["multi-tls-feature-good.example.com", PRErrorCodeSuccess, false],
    // An issuer with multiple TLS features not matched by the EE.
    [
      "multi-tls-feature-bad.example.com",
      MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
      false,
    ],
  ];
  for (const testCase of multiFeatureCases) {
    add_ocsp_test(...testCase);
  }

  // Cases with a must-staple end-entity certificate only.
  const mustStapleEeCases = [
    ["ocsp-stapling-must-staple.example.com", PRErrorCodeSuccess, true],
    [
      "ocsp-stapling-must-staple-revoked.example.com",
      SEC_ERROR_REVOKED_CERTIFICATE,
      true,
    ],
    [
      "ocsp-stapling-must-staple-missing.example.com",
      MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING,
      true,
      true,
    ],
    [
      "ocsp-stapling-must-staple-empty.example.com",
      SEC_ERROR_OCSP_MALFORMED_RESPONSE,
      true,
    ],
    // Same missing-staple host with stapling disabled: success is expected and
    // an OCSP request is expected to reach the fake responder.
    [
      "ocsp-stapling-must-staple-missing.example.com",
      PRErrorCodeSuccess,
      false,
      true,
    ],
    // An expired stapled response triggers an attempt to fetch a fresh one;
    // when that fetch fails, the original error is reported.
    [
      "ocsp-stapling-must-staple-expired.example.com",
      SEC_ERROR_OCSP_OLD_RESPONSE,
      true,
      true,
    ],
    // Likewise for a "try server later" stapled response ...
    [
      "ocsp-stapling-must-staple-try-later.example.com",
      SEC_ERROR_OCSP_TRY_SERVER_LATER,
      true,
      true,
    ],
    // ... and for a response signed by an invalid OCSP signing certificate.
    [
      "ocsp-stapling-must-staple-invalid-signer.example.com",
      SEC_ERROR_OCSP_INVALID_SIGNING_CERT,
      true,
      true,
    ],
  ];
  for (const testCase of mustStapleEeCases) {
    add_ocsp_test(...testCase);
  }

  // Disable must-staple enforcement; the final case depends on this pref.
  add_test(() => {
    clearSessionCache();
    Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", false);
    run_next_test();
  });

  // With must-staple disabled, a missing staple is expected to succeed.
  add_ocsp_test(
    "ocsp-stapling-must-staple-missing.example.com",
    PRErrorCodeSuccess,
    true,
    true
  );
}

/**
 * Test entry point: configures prefs, starts the fake OCSP responder and the
 * TLS server, queues the cases, and schedules responder shutdown at the end.
 */
function run_test() {
  do_get_profile();
  Services.prefs.setBoolPref("security.ssl.enable_ocsp_must_staple", true);
  Services.prefs.setIntPref("security.OCSP.enabled", 1);
  // OCSP request timing is not under test here. Android has been seen to fail
  // on an OCSP request timing out, so the soft timeout is raised to avoid that.
  Services.prefs.setIntPref("security.OCSP.timeoutMilliseconds.soft", 5000);

  // Every OCSP fetch is answered with HTTP 500. The handler also asserts that
  // a fetch arrives only during cases that declared one via
  // gExpectOCSPRequest; an unexpected fetch fails the test.
  const fakeOCSPResponder = new HttpServer();
  fakeOCSPResponder.registerPrefixHandler("/", function (request, response) {
    response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
    ok(
      gExpectOCSPRequest,
      "Should be getting an OCSP request only when expected"
    );
  });
  // NOTE(review): port 8888 presumably matches the OCSP URL carried by the
  // test certificates in ocsp_certs — confirm before changing it.
  fakeOCSPResponder.start(8888);

  add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");

  add_tests();

  add_test(() => {
    fakeOCSPResponder.stop(run_next_test);
  });

  run_next_test();
}