Bug 1264562 - Part 2: Test firstPartyDomain in test_ocsp_caching.js r=keeler
--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -319,35 +319,40 @@ function add_tls_server_setup(serverBinN
* A callback function that takes no arguments that will be called before the
* connection is attempted.
* @param {Function} aWithSecurityInfo
* A callback function that takes an nsITransportSecurityInfo, which is called
* after the TLS handshake succeeds.
* @param {Function} aAfterStreamOpen
* A callback function that is called with the nsISocketTransport once the
* output stream is ready.
+ * @param {String} aFirstPartyDomain
+ * The first party domain which will be used to double-key the OCSP cache.
*/
function add_connection_test(aHost, aExpectedResult,
aBeforeConnect, aWithSecurityInfo,
- aAfterStreamOpen) {
+ aAfterStreamOpen, aFirstPartyDomain) {
const REMOTE_PORT = 8443;
function Connection(aHost) {
this.host = aHost;
let threadManager = Cc["@mozilla.org/thread-manager;1"]
.getService(Ci.nsIThreadManager);
this.thread = threadManager.currentThread;
this.defer = Promise.defer();
let sts = Cc["@mozilla.org/network/socket-transport-service;1"]
.getService(Ci.nsISocketTransportService);
this.transport = sts.createTransport(["ssl"], 1, aHost, REMOTE_PORT, null);
// See bug 1129771 - attempting to connect to [::1] when the server is
// listening on 127.0.0.1 causes frequent failures on OS X 10.10.
this.transport.connectionFlags |= Ci.nsISocketTransport.DISABLE_IPV6;
this.transport.setEventSink(this, this.thread);
+ if (aFirstPartyDomain) {
+ this.transport.firstPartyDomain = aFirstPartyDomain;
+ }
this.inputStream = null;
this.outputStream = null;
this.connected = false;
}
Connection.prototype = {
// nsITransportEventSink
onTransportStatus: function(aTransport, aStatus, aProgress, aProgressMax) {
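Review bot: The new `aFirstPartyDomain` parameter is optional — the guard `if (aFirstPartyDomain)` skips the assignment when it is absent — but the added JSDoc reads as if a value were always supplied. Suggest `@param {String} [aFirstPartyDomain]` with the description `Optional. When supplied, set on the transport before connecting so the OCSP cache lookup is keyed by (host, firstPartyDomain); when omitted, the transport's firstPartyDomain is left at its default.` The truthiness check also treats an empty string the same as omitted, which is presumably intended but deserves a word in that comment. The Connection constructor's enclosing function, add_connection_test, continues past the end of the hunk.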
--- a/security/manager/ssl/tests/unit/test_ocsp_caching.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js
@@ -37,30 +37,31 @@ function respondWithError(request, respo
}
function generateGoodOCSPResponse() {
let args = [ ["good", "default-ee", "unused" ] ];
let responses = generateOCSPResponses(args, "ocsp_certs");
return responses[0];
}
-function add_ocsp_test(aHost, aExpectedResult, aResponses, aMessage) {
+function add_ocsp_test(aHost, aExpectedResult, aResponses, aMessage,
+ aFirstPartyDomain) {
add_connection_test(aHost, aExpectedResult,
function() {
clearSessionCache();
gFetchCount = 0;
gResponsePattern = aResponses;
gMessage = aMessage;
},
function() {
// check the number of requests matches the size of aResponses
equal(gFetchCount, aResponses.length,
"should have made " + aResponses.length +
" OCSP request" + (aResponses.length == 1 ? "" : "s"));
- });
+ }, null, aFirstPartyDomain);
}
function run_test() {
do_get_profile();
Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
Services.prefs.setIntPref("security.OCSP.enabled", 1);
Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 4);
add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
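Review bot: `add_ocsp_test` gains a fifth parameter with no comment saying what it is for or that it is optional, and this file has many call sites that omit it. Suggest a header comment above the function: `// aFirstPartyDomain (optional): first party domain set on the transport so the OCSP cache lookup is keyed by it; omit to use the default, unkeyed cache.` The positional `null` at the call site is aAfterStreamOpen, which is easier to read as `null /* aAfterStreamOpen */`. run_test continues beyond the hunk.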
@@ -214,9 +215,33 @@ function add_tests() {
Services.prefs.setBoolPref("security.OCSP.require", false);
run_next_test();
});
//---------------------------------------------------------------------------
// Reset state
add_test(function() { clearOCSPCache(); run_next_test(); });
+
+ // This test makes sure that OCSP cache are isolated by firstPartyDomain.
+
+ // A good OCSP response will be cached.
+ add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
+ [respondWithGoodOCSP],
+ "No stapled response (firstPartyDomain = foo.com) -> a fetch " +
+ "should have been attempted", "foo.com");
+
+ // The cache will prevent a fetch from happening.
+ add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess, [],
+ "Noted OCSP server failure (firstPartyDomain = foo.com) -> a " +
+ "fetch should not have been attempted", "foo.com");
+
+ // But using a different firstPartyDomain should result in a fetch.
+ add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
+ [respondWithGoodOCSP],
+ "No stapled response (firstPartyDomain = bar.com) -> a fetch " +
+ "should have been attempted", "bar.com");
+
+ //---------------------------------------------------------------------------
+
+ // Reset state
+ add_test(function() { clearOCSPCache(); run_next_test(); });
}
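Review bot: The assertion message on the second new test says `Noted OCSP server failure (firstPartyDomain = foo.com)`, but the preceding test cached a good response, not a failure — the comment right above it (`The cache will prevent a fetch from happening.`) describes the real state, so the message appears copied from a different case and would mislead whoever reads a failure log. Suggest `"Cached good response (firstPartyDomain = foo.com) -> a fetch " + "should not have been attempted"`. The sequence only shows that bar.com does not reuse foo.com's entry; a further case with no firstPartyDomain expecting `[respondWithGoodOCSP]` would confirm the unkeyed partition is not shared with the keyed ones, and a closing foo.com case expecting `[]` would confirm the bar.com fetch did not evict foo.com's entry. The comment `OCSP cache are isolated` should read `OCSP cache entries are isolated`.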