From bd76eb8d8017cc5b870c6af0053170eb64aa964e Mon Sep 17 00:00:00 2001
From: Dana Keeler
Date: Mon, 19 May 2025 18:22:02 +0000
Subject: [PATCH] Bug 1966989 - add Result::ERROR_OCSP_RESPONSE_FOR_CERT_MISSING to the list of deferred OCSP stapling errors r=jschanck

When checking stapled OCSP, if the server stapled an unsuitable response (according to a small list of error codes), Firefox defers acting on that information and may try to fetch OCSP in the hopes of getting a suitable response. This patch adds Result::ERROR_OCSP_RESPONSE_FOR_CERT_MISSING (the response didn't include a status for the certificate in question) to the list of these errors.

Differential Revision: https://phabricator.services.mozilla.com/D249848
---
 security/certverifier/NSSCertDBTrustDomain.cpp | 4 +++-
 .../manager/ssl/tests/unit/test_ocsp_stapling.js | 14 +++++++-------
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index 059328c9e28a..77c17c1ee3fe 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -910,7 +910,9 @@ Result NSSCertDBTrustDomain::CheckRevocationByOCSP(
 } else if (stapledOCSPResponseResult ==
 Result::ERROR_OCSP_TRY_SERVER_LATER ||
 stapledOCSPResponseResult ==
- Result::ERROR_OCSP_INVALID_SIGNING_CERT) {
+ Result::ERROR_OCSP_INVALID_SIGNING_CERT ||
+ stapledOCSPResponseResult ==
+ Result::ERROR_OCSP_RESPONSE_FOR_CERT_MISSING) {
 // Stapled OCSP response present but invalid for a small number of reasons
 // CAs/servers commonly get wrong. This will be treated similarly to an
 // expired stapled response.
diff --git a/security/manager/ssl/tests/unit/test_ocsp_stapling.js b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
index 1f183797f6eb..50387969818f 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_stapling.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_stapling.js
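Review bot: The context comment directly below the new condition still describes the deferred set as responses that are "invalid for a small number of reasons CAs/servers commonly get wrong", but ERROR_OCSP_RESPONSE_FOR_CERT_MISSING is a different situation: the stapled response can be well-formed and verify correctly, it simply carries no status for this certificate and therefore no revocation information at all. I would extend that comment so the next reader does not assume a parse or signature problem: `// expired stapled response. This also covers a response that verifies but` / `// omits a status for this certificate (ERROR_OCSP_RESPONSE_FOR_CERT_MISSING):` / `// it carries no revocation information, so we defer the error and try to fetch.` Deferring is only as safe as what the rest of CheckRevocationByOCSP does with the saved error when no fetch happens or the fetch fails (soft-fail, fetching disabled, must-staple); that code is outside the hunk, so please confirm the deferred error is still surfaced there rather than downgraded to success, which the test hunk's "the deferred error is returned" suggests but this hunk does not show. CheckRevocationByOCSP starts before and continues past the hunk.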
@@ -224,23 +224,23 @@ function add_tests() {
 SEC_ERROR_OCSP_UNKNOWN_CERT,
 true
 );
+ // If the server staples an OCSP response that doesn't contain a status for
+ // the server certificate, we defer returning the error and attempt to fetch
+ // a more suitable response. If that fails, the deferred error is returned.
 add_ocsp_test(
 "ocsp-stapling-good-other.example.com",
 MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING,
+ true,
 true
 );
 // If the server doesn't staple an OCSP response, we continue as normal
 // (this means that even though stapling is enabled, we expect an OCSP
 // request).
- add_connection_test(
+ add_ocsp_test(
 "ocsp-stapling-none.example.com",
 PRErrorCodeSuccess,
- function () {
- gExpectOCSPRequest = true;
- clearOCSPCache();
- clearSessionCache();
- Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
- }
+ true,
+ true
 );
 add_ocsp_test(
 "ocsp-stapling-empty.example.com",
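Review bot: The converted ocsp-stapling-none case drops its explicit setup (gExpectOCSPRequest = true, the cache clears, enabling security.ssl.enable_ocsp_stapling) in favour of two positional `true` arguments to add_ocsp_test, whose definition is outside the hunk; if those flags do not reproduce the same setup, the case silently stops asserting that an OCSP request is actually made. Trailing comments would keep the intent visible, e.g. `true, // stapling enabled` / `true // expect an OCSP request` (adjusted to the helper's real parameter names). The good-other case now only pins the path where the fetch fails and the deferred MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING is returned; a companion case where the fetch returns a good response for the certificate and the connection succeeds would show the deferral actually recovers, and a must-staple variant of good-other would confirm that a stapled response omitting the certificate's status is not accepted as satisfying the staple requirement. The enclosing add_tests function starts before and continues past the hunk.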