
test_ocsp_required.js (2879B)


      1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
      2 // This Source Code Form is subject to the terms of the Mozilla Public
      3 // License, v. 2.0. If a copy of the MPL was not distributed with this
      4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
      5 "use strict";
      6 
      7 // In which we connect to a domain (as faked by a server running locally) and
      8 // start up an OCSP responder (also basically faked) that gives a response with
      9 // a bad signature (and later, an empty response). With security.OCSP.require
     10 // set to true, these connections should fail (but they also shouldn't cause
     11 // assertion failures).
     12 
// Body the fake OCSP responder writes back for every request it receives.
// The test swaps it between phases (bad signature first, then empty).
var gOCSPResponse;
// Number of requests the fake OCSP responder has served since the last reset.
// Used to tell a fresh fetch apart from a result served out of the OCSP cache.
var gOCSPRequestCount = 0;
     15 
/**
 * xpcshell entry point.
 *
 * Enables OCSP with security.OCSP.require set (a missing or unusable OCSP
 * answer must fail the connection), brings up the local TLS test server and a
 * fake OCSP responder, queues the connection tests, and finally queues the
 * responder shutdown.
 */
function run_test() {
  do_get_profile();
  Services.prefs.setBoolPref("security.OCSP.require", true);
  Services.prefs.setIntPref("security.OCSP.enabled", 1);

  // Stapling itself is not exercised by this test; the stapling server is
  // simply the means of obtaining a TLS connection.
  add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");

  // Phase one: every OCSP request is answered with a badly signed response.
  const responseSpecs = [["bad-signature", "default-ee", "unused", 0]];
  gOCSPResponse = generateOCSPResponses(responseSpecs, "ocsp_certs")[0];

  // Always replies 200 OK with whatever gOCSPResponse currently holds, and
  // counts the request so the tests can detect cache hits.
  const serveCannedResponse = (request, response) => {
    response.setStatusLine(request.httpVersion, 200, "OK");
    response.setHeader("Content-Type", "application/ocsp-response");
    response.write(gOCSPResponse);
    gOCSPRequestCount++;
  };

  const responder = new HttpServer();
  responder.registerPrefixHandler("/", serveCannedResponse);
  // NOTE(review): presumably 8888 is the port named in the test certificates'
  // OCSP responder URI, so it cannot be changed here alone; confirm.
  responder.start(8888);

  add_tests();

  // Queued last so the responder stays up for every connection test.
  add_test(() => {
    responder.stop(run_next_test);
  });

  run_next_test();
}
     47 
/**
 * Queues the connection tests, in order:
 *
 *  1. Responder returns a badly signed response: the connection must fail with
 *     SEC_ERROR_OCSP_BAD_SIGNATURE and an OCSP request must have been made.
 *  2. Same host again: the connection must fail with the same error, but with
 *     no new OCSP request (the request counter check that follows attributes
 *     this to OCSP response caching).
 *  3. After clearing the OCSP cache and switching the responder to an empty
 *     body: the connection must fail with SEC_ERROR_OCSP_MALFORMED_RESPONSE
 *     and a fresh OCSP request must have been made.
 *
 * In every phase the expected outcome is a failed connection: with
 * security.OCSP.require set, an unusable OCSP answer must not let the
 * connection through.
 */
function add_tests() {
  const host = "ocsp-stapling-none.example.com";
  const noBeforeConnect = () => {};

  // Phase 1: bad signature, fetched from the responder.
  add_connection_test(
    host,
    SEC_ERROR_OCSP_BAD_SIGNATURE,
    noBeforeConnect,
    securityInfo => {
      Assert.ok(
        securityInfo.madeOCSPRequests,
        "An OCSP Request should have been made."
      );
    }
  );

  // Phase 2: same failure, but this time without contacting the responder.
  add_connection_test(
    host,
    SEC_ERROR_OCSP_BAD_SIGNATURE,
    noBeforeConnect,
    securityInfo => {
      Assert.ok(
        !securityInfo.madeOCSPRequests,
        "An OCSP Request should not have been made."
      );
    }
  );

  // Two failed connections, one responder hit; then reconfigure for phase 3.
  add_test(() => {
    equal(
      gOCSPRequestCount,
      1,
      "OCSP request count should be 1 due to OCSP response caching"
    );
    gOCSPRequestCount = 0;
    // From here on the responder replies 200 OK with an empty body.
    gOCSPResponse = "";
    // Drop the cached result so the next connection has to ask the responder.
    clearOCSPCache();
    run_next_test();
  });

  // Phase 3: an empty response is malformed and must also fail the connection.
  add_connection_test(
    host,
    SEC_ERROR_OCSP_MALFORMED_RESPONSE,
    noBeforeConnect,
    securityInfo => {
      Assert.ok(
        securityInfo.madeOCSPRequests,
        "An OCSP Request should have been made."
      );
    }
  );
}