Mercurial > mozreview > gecko / changeset / fffddcdb5b3bf10272cf3e8c379596e0d75cf0fa
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Bug 1264562 - Part 2: Test firstPartyDomain in test_ocsp_caching.js r=keeler draft
authorJonathan Hao <jhao@mozilla.com>
Fri, 14 Oct 2016 19:43:51 +0800
changeset 427461 fffddcdb5b3bf10272cf3e8c379596e0d75cf0fa
parent 427460 6f0196209abf900789284341cfa7e449921d2abc
child 427462 9cd41908374cecf750e5a4b9466fe967b42b438d
push id33016
push userbmo:jhao@mozilla.com
push dateThu, 20 Oct 2016 10:18:14 +0000
reviewerskeeler
bugs1264562
milestone52.0a1
Bug 1264562 - Part 2: Test firstPartyDomain in test_ocsp_caching.js r=keeler
security/manager/ssl/tests/unit/head_psm.js file | annotate | diff | comparison | revisions
security/manager/ssl/tests/unit/test_ocsp_caching.js file | annotate | diff | comparison | revisions 
--- a/security/manager/ssl/tests/unit/head_psm.js
+++ b/security/manager/ssl/tests/unit/head_psm.js
@@ -319,35 +319,40 @@ function add_tls_server_setup(serverBinN
  *   A callback function that takes no arguments that will be called before the
  *   connection is attempted.
  * @param {Function} aWithSecurityInfo
  *   A callback function that takes an nsITransportSecurityInfo, which is called
  *   after the TLS handshake succeeds.
  * @param {Function} aAfterStreamOpen
  *   A callback function that is called with the nsISocketTransport once the
  *   output stream is ready.
+ * @param {String} aFirstPartyDomain
+ *   The first party domain which will be used to double-key the OCSP cache.
  */
 function add_connection_test(aHost, aExpectedResult,
                              aBeforeConnect, aWithSecurityInfo,
-                             aAfterStreamOpen) {
+                             aAfterStreamOpen, aFirstPartyDomain) {
   const REMOTE_PORT = 8443;
 
   function Connection(aHost) {
     this.host = aHost;
     let threadManager = Cc["@mozilla.org/thread-manager;1"]
                           .getService(Ci.nsIThreadManager);
     this.thread = threadManager.currentThread;
     this.defer = Promise.defer();
     let sts = Cc["@mozilla.org/network/socket-transport-service;1"]
                 .getService(Ci.nsISocketTransportService);
     this.transport = sts.createTransport(["ssl"], 1, aHost, REMOTE_PORT, null);
     // See bug 1129771 - attempting to connect to [::1] when the server is
     // listening on 127.0.0.1 causes frequent failures on OS X 10.10.
     this.transport.connectionFlags |= Ci.nsISocketTransport.DISABLE_IPV6;
     this.transport.setEventSink(this, this.thread);
+    if (aFirstPartyDomain) {
+      this.transport.firstPartyDomain = aFirstPartyDomain;
+    }
     this.inputStream = null;
     this.outputStream = null;
     this.connected = false;
   }
 
   Connection.prototype = {
     // nsITransportEventSink
     onTransportStatus: function(aTransport, aStatus, aProgress, aProgressMax) {
--- a/security/manager/ssl/tests/unit/test_ocsp_caching.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_caching.js
@@ -37,30 +37,31 @@ function respondWithError(request, respo
 }
 
 function generateGoodOCSPResponse() {
   let args = [ ["good", "default-ee", "unused" ] ];
   let responses = generateOCSPResponses(args, "ocsp_certs");
   return responses[0];
 }
 
-function add_ocsp_test(aHost, aExpectedResult, aResponses, aMessage) {
+function add_ocsp_test(aHost, aExpectedResult, aResponses, aMessage,
+                       aFirstPartyDomain) {
   add_connection_test(aHost, aExpectedResult,
       function() {
         clearSessionCache();
         gFetchCount = 0;
         gResponsePattern = aResponses;
         gMessage = aMessage;
       },
       function() {
         // check the number of requests matches the size of aResponses
         equal(gFetchCount, aResponses.length,
               "should have made " + aResponses.length +
               " OCSP request" + (aResponses.length == 1 ? "" : "s"));
-      });
+      }, null, aFirstPartyDomain);
 }
 
 function run_test() {
   do_get_profile();
   Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
   Services.prefs.setIntPref("security.OCSP.enabled", 1);
   Services.prefs.setIntPref("security.pki.sha1_enforcement_level", 4);
   add_tls_server_setup("OCSPStaplingServer", "ocsp_certs");
@@ -214,9 +215,33 @@ function add_tests() {
     Services.prefs.setBoolPref("security.OCSP.require", false);
     run_next_test();
   });
 
   //---------------------------------------------------------------------------
 
   // Reset state
   add_test(function() { clearOCSPCache(); run_next_test(); });
+
+  // This test makes sure that OCSP cache are isolated by firstPartyDomain.
+
+  // A good OCSP response will be cached.
+  add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
+                [respondWithGoodOCSP],
+                "No stapled response (firstPartyDomain = foo.com) -> a fetch " +
+                "should have been attempted", "foo.com");
+
+  // The cache will prevent a fetch from happening.
+  add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess, [],
+                "Noted OCSP server failure (firstPartyDomain = foo.com) -> a " +
+                "fetch should not have been attempted", "foo.com");
+
+  // But using a different firstPartyDomain should result in a fetch.
+  add_ocsp_test("ocsp-stapling-none.example.com", PRErrorCodeSuccess,
+                [respondWithGoodOCSP],
+                "No stapled response (firstPartyDomain = bar.com) -> a fetch " +
+                "should have been attempted", "bar.com");
+
+  //---------------------------------------------------------------------------
+
+  // Reset state
+  add_test(function() { clearOCSPCache(); run_next_test(); });
 }
gecko
Deployed from 4e825768105f at 2024-04-08T16:23:59Z.