1 // -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
2 // This Source Code Form is subject to the terms of the Mozilla Public
3 // License, v. 2.0. If a copy of the MPL was not distributed with this
4 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
8 // In which we validate several OCSP responses, checking in particular
9 // whether the OCSP URL is valid and the path it expresses is correctly passed to
12 do_get_profile(); // must be called before getting nsIX509CertDB
13 const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
17 const SERVER_PORT = 8888;
// Stand-in for an OCSP responder used by the cases below where the OCSP URL in
// the certificate must be rejected: it serves www.example.com on SERVER_PORT
// and, judging by its name, presumably fails any request that reaches it
// (getFailingHttpServer is defined outside this file — confirm there).
19 function failingOCSPResponder() {
20 return getFailingHttpServer(SERVER_PORT, ["www.example.com"]);
// Starts a mock OCSP responder for the success cases: expectedCertNames are
// the certificates it is expected to be asked about and expectedPaths the
// request paths it should see; the two arrays are presumably paired by
// position — confirm against startOCSPResponder, whose remaining arguments
// are outside this view.
23 function start_ocsp_responder(expectedCertNames, expectedPaths) {
24 return startOCSPResponder(
// Loads test_ocsp_url/<cert_name>.pem and verifies it for the SSL-server
// usage, checking that the result is expected_error (PRErrorCodeSuccess for
// the cases that must pass). Part of the checkCertErrorGeneric argument list
// is outside this view; expected_error is presumably passed straight through.
33 function check_cert_err(cert_name, expected_error) {
34 let cert = constructCertFromFile("test_ocsp_url/" + cert_name + ".pem");
35 return checkCertErrorGeneric(
39 certificateUsageSSLServer
43 add_task(async function () {
44 addCertFromFile(certdb, "test_ocsp_url/ca.pem", "CTu,CTu,CTu");
45 addCertFromFile(certdb, "test_ocsp_url/int.pem", ",,");
47 // Enabled so that the failing responder below can force OCSP failures.
48 Services.prefs.setBoolPref("security.OCSP.require", true);
50 Services.prefs.setCharPref("network.dns.localDomains", "www.example.com");
51 Services.prefs.setIntPref("security.OCSP.enabled", 1);
53 // Note: We don't test the case of a well-formed HTTP URL with an empty port
54 // because the OCSP code would then send a request to port 80, which we
55 // can't use in tests.
58 let ocspResponder = failingOCSPResponder();
59 await check_cert_err("bad-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
60 await stopOCSPResponder(ocspResponder);
63 ocspResponder = failingOCSPResponder();
64 await check_cert_err("empty-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
65 await stopOCSPResponder(ocspResponder);
68 ocspResponder = failingOCSPResponder();
69 await check_cert_err("ftp-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
70 await stopOCSPResponder(ocspResponder);
73 ocspResponder = failingOCSPResponder();
74 await check_cert_err("https-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
75 await stopOCSPResponder(ocspResponder);
78 ocspResponder = start_ocsp_responder(["hTTp-url"], ["hTTp-url"]);
79 await check_cert_err("hTTp-url", PRErrorCodeSuccess);
80 await stopOCSPResponder(ocspResponder);
83 ocspResponder = failingOCSPResponder();
84 await check_cert_err("negative-port", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
85 await stopOCSPResponder(ocspResponder);
88 ocspResponder = failingOCSPResponder();
89 await check_cert_err("no-host-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
90 await stopOCSPResponder(ocspResponder);
93 ocspResponder = start_ocsp_responder(["no-path-url"], [""]);
94 await check_cert_err("no-path-url", PRErrorCodeSuccess);
95 await stopOCSPResponder(ocspResponder);
98 ocspResponder = failingOCSPResponder();
100 "no-scheme-host-port",
101 SEC_ERROR_CERT_BAD_ACCESS_LOCATION
103 await stopOCSPResponder(ocspResponder);
106 ocspResponder = failingOCSPResponder();
107 await check_cert_err("no-scheme-url", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
108 await stopOCSPResponder(ocspResponder);
111 ocspResponder = failingOCSPResponder();
112 await check_cert_err("unknown-scheme", SEC_ERROR_CERT_BAD_ACCESS_LOCATION);
113 await stopOCSPResponder(ocspResponder);
115 // Note: Nothing here verifies that the user:pass section of the URL was not
116 // sent to the responder. The following test only checks that such a section
117 // does not cause a failure.
119 ocspResponder = start_ocsp_responder(["user-pass"], [""]);
120 await check_cert_err("user-pass", PRErrorCodeSuccess);
121 await stopOCSPResponder(ocspResponder);