Closed Bug 1027311 Opened 6 years ago Closed 6 years ago

Remove irrelevant and sometimes wrong extensions from certificates generated for xpcshell tests


(Core :: Security, defect)

Not set



Tracking Status
firefox31 --- fixed
firefox32 --- fixed
firefox33 --- fixed


(Reporter: briansmith, Assigned: briansmith)




(3 files, 1 obsolete file)

In particular, these scripts all generate end-entity certificates with KU that includes crlSign and/or certKeySign. This causes the tests to fail with the fixes for bug 1006812.

Like I said when I originally reviewed (some of) these patches, we should not include any irrelevant certificate extensions in the test certificates. Otherwise, we may reject a certificate for a different reason than the test is expecting us to, due to the irrelevant extension. Or, perhaps the opposite (less likely).

I didn't fix every script. Instead I only fixed the ones that block bug 1006812 from landing.
Attached patch fix-test_ev_certs.patch (obsolete) — Splinter Review
Attachment #8442387 - Flags: review?(cviecco)
Comment on attachment 8442387 [details] [diff] [review]

Review of attachment 8442387 [details] [diff] [review]:

Almost r+, please keep the crl extension.

::: security/manager/ssl/tests/unit/test_ev_certs/
@@ -31,5 @@
>  aia_suffix ="/\n"
> -intermediate_crl = ("crlDistributionPoints = " +
> -                    "URI:\n")
> -endentity_crl = ("crlDistributionPoints = " +
> -                 "URI:\n")

The idea of having the crls here is to ensure we are NOT contacting the crl server. Please leave this extension.
Attachment #8442387 - Flags: review?(cviecco) → review-
Attachment #8442385 - Flags: review?(cviecco) → review+
Attachment #8442388 - Flags: review?(cviecco) → review+
Thanks for the quick reviews! And, thanks for finding my bug. Here's a new version of the patch that restores the CRL-related parts of test_ev_certs/
Attachment #8442387 - Attachment is obsolete: true
Attachment #8442487 - Flags: review?(cviecco)
Attachment #8442487 - Flags: review?(cviecco) → review+
You need to log in before you can comment on or make changes to this bug.