tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git

test_ocsp_url.js (4172B)


      1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
      2 // This Source Code Form is subject to the terms of the Mozilla Public
      3 // License, v. 2.0. If a copy of the MPL was not distributed with this
      4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
      5 
      6 "use strict";
      7 
// In which we verify several certificates whose OCSP URLs are malformed or
// unusual, checking in particular that an invalid OCSP URL is rejected with
// SEC_ERROR_CERT_BAD_ACCESS_LOCATION and that the path of a valid one is
// passed correctly to the responder.
     11 
// A profile must exist before nsIX509CertDB can be obtained.
do_get_profile();

// Port that every responder in this file (failing or real) listens on.
const SERVER_PORT = 8888;

// Certificate database used both to install the test CA chain and to
// verify the end-entity certificates.
const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
  Ci.nsIX509CertDB
);
     18 
// Starts the failing HTTP server on SERVER_PORT for www.example.com.
// Used by the cases whose OCSP URL must be rejected before any request is
// made; presumably any request that does reach it fails rather than
// producing a usable OCSP response.
function failingOCSPResponder() {
  const identities = ["www.example.com"];
  return getFailingHttpServer(SERVER_PORT, identities);
}
     22 
// Starts a real OCSP responder on SERVER_PORT for www.example.com.
// `expectedCertNames` and `expectedPaths` are forwarded to the responder so
// that it can check which certificates are asked about and at which
// request paths; "test_ocsp_url" is the directory holding this test's data
// (see the .pem paths used in check_cert_err).
function start_ocsp_responder(expectedCertNames, expectedPaths) {
  const identity = "www.example.com";
  const testDir = "test_ocsp_url";
  return startOCSPResponder(
    SERVER_PORT,
    identity,
    testDir,
    expectedCertNames,
    expectedPaths
  );
}
     32 
// Loads test_ocsp_url/<cert_name>.pem and verifies it as a TLS server
// certificate against certdb, expecting `expected_error` (PRErrorCodeSuccess
// for a valid chain). Returns the promise from checkCertErrorGeneric.
function check_cert_err(cert_name, expected_error) {
  const pemPath = `test_ocsp_url/${cert_name}.pem`;
  const cert = constructCertFromFile(pemPath);
  const usage = Ci.nsIX509CertDB.verifyUsageTLSServer;
  return checkCertErrorGeneric(certdb, cert, expected_error, usage);
}
     42 
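add_task(async function () {
  // Install the test CA as trusted for every usage and the intermediate
  // with no trust bits of its own (NSS trust-flag strings).
  addCertFromFile(certdb, "test_ocsp_url/ca.pem", "CTu,CTu,CTu");
  addCertFromFile(certdb, "test_ocsp_url/int.pem", ",,");

  // Enabled so that we can force ocsp failure responses: with hard-fail on,
  // an OCSP fetch that cannot be completed surfaces as an error instead of
  // being silently tolerated, which is what makes the cases below observable.
  Services.prefs.setBoolPref("security.OCSP.require", true);

  // Resolve www.example.com locally so that requests for the responder's
  // host name reach the server listening on SERVER_PORT.
  Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
  Services.prefs.setIntPref("security.OCSP.enabled", 1);

  // Note: We don't test the case of a well-formed HTTP URL with an empty port
  //       because the OCSP code would then send a request to port 80, which we
  //       can't use in tests.

  // Every case below runs against a freshly started responder with an empty
  // OCSP cache, so a response cached by an earlier case cannot satisfy a
  // later one.

  // The certificate's OCSP URL must be rejected as a bad access location.
  // A failing server is kept listening for the duration of the check;
  // presumably this is so that a request sent despite the bad URL fails
  // visibly (a different error) rather than accidentally succeeding.
  async function expectBadAccessLocation(certName) {
    clearOCSPCache();
    let responder = failingOCSPResponder();
    await check_cert_err(certName, SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
    await stopOCSPResponder(responder);
  }

  // The certificate's OCSP URL must be accepted and the resulting request
  // must arrive at the responder with `expectedPath`.
  async function expectSuccess(certName, expectedPath) {
    clearOCSPCache();
    let responder = start_ocsp_responder([certName], [expectedPath]);
    await check_cert_err(certName, PRErrorCodeSuccess);
    await stopOCSPResponder(responder);
  }

  await expectBadAccessLocation("bad-scheme");
  await expectBadAccessLocation("empty-scheme-url");
  await expectBadAccessLocation("ftp-url");
  // https is not an acceptable OCSP transport here; only http is.
  await expectBadAccessLocation("https-url");
  // The scheme is matched case-insensitively.
  await expectSuccess("hTTp-url", "hTTp-url");
  await expectBadAccessLocation("negative-port");
  await expectBadAccessLocation("no-host-url");
  // A URL with no path component is expected to arrive with an empty path.
  await expectSuccess("no-path-url", "");
  await expectBadAccessLocation("no-scheme-host-port");
  await expectBadAccessLocation("no-scheme-url");
  await expectBadAccessLocation("unknown-scheme");

  // Note: We currently don't have anything that ensures user:pass sections
  //       weren't sent. The following test simply checks that such sections
  //       don't cause failures.
  // TODO(review): the responder appears to check only the request path, so
  //       leaking the URL's userinfo (e.g. as an Authorization header) would
  //       go unnoticed here; having the responder reject any request that
  //       carries credentials would close that gap.
  await expectSuccess("user-pass", "");
});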