Closed
Bug 1027311
Opened 11 years ago
Closed 11 years ago
Remove irrelevant and sometimes wrong extensions from certificates generated for xpcshell tests
Categories
(Core :: Security, defect)
Core
Security
Tracking
()
RESOLVED
FIXED
mozilla33
People
(Reporter: briansmith, Assigned: briansmith)
References
Details
Attachments
(3 files, 1 obsolete file)
|
31.38 KB,
patch
|
cviecco
:
review+
|
Details | Diff | Splinter Review |
|
23.18 KB,
patch
|
cviecco
:
review+
|
Details | Diff | Splinter Review |
|
46.64 KB,
patch
|
cviecco
:
review+
|
Details | Diff | Splinter Review |
In particular, these scripts all generate end-entity certificates with KU that includes crlSign and/or certKeySign. This causes the tests to fail with the fixes for bug 1006812.
Like I said when I originally reviewed (some of) these patches, we should not include any irrelevant certificate extensions in the test certificates. Otherwise, we may reject a certificate for a different reason than the test is expecting us to, due to the irrelevant extension. Or, perhaps the opposite (less likely).
I didn't fix every script. Instead I only fixed the ones that block bug 1006812 from landing.
|
Assignee | |
Comment 1•11 years ago
|
||
Attachment #8442385 -
Flags: review?(cviecco)
|
|
Assignee | |
Comment 2•11 years ago
|
||
Attachment #8442387 -
Flags: review?(cviecco)
|
|
Assignee | |
Comment 3•11 years ago
|
||
Attachment #8442388 -
Flags: review?(cviecco)
|
||
Comment 4•11 years ago
|
||
Comment on attachment 8442387 [details] [diff] [review]
fix-test_ev_certs.patch
Review of attachment 8442387 [details] [diff] [review]:
-----------------------------------------------------------------
Almost r+, please keep the crl extension.
::: security/manager/ssl/tests/unit/test_ev_certs/generate.py
@@ -31,5 @@
> aia_suffix ="/\n"
> -intermediate_crl = ("crlDistributionPoints = " +
> - "URI:http://crl.example.com:8888/root-ev.crl\n")
> -endentity_crl = ("crlDistributionPoints = " +
> - "URI:http://crl.example.com:8888/ee-crl.crl\n")
The idea of having the crls here is to ensure we are NOT contacting the crl server. Please leave this extension.
|
|
||
Updated•11 years ago
|
Attachment #8442387 -
Flags: review?(cviecco) → review-
|
|
||
Updated•11 years ago
|
Attachment #8442385 -
Flags: review?(cviecco) → review+
|
|
||
Updated•11 years ago
|
Attachment #8442388 -
Flags: review?(cviecco) → review+
|
|
Assignee | |
Comment 5•11 years ago
|
||
Thanks for the quick reviews! And, thanks for finding my bug. Here's a new version of the patch that restores the CRL-related parts of test_ev_certs/generate.py.
Attachment #8442387 -
Attachment is obsolete: true
Attachment #8442487 -
Flags: review?(cviecco)
|
|
||
Updated•11 years ago
|
Attachment #8442487 -
Flags: review?(cviecco) → review+
|
|
Assignee | |
Comment 6•11 years ago
|
||
|
||
Comment 7•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/bff8515586c2
https://hg.mozilla.org/mozilla-central/rev/a14256377bea
https://hg.mozilla.org/mozilla-central/rev/9bd1ca579412
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 8•11 years ago
|
||
Uplifted since this is needed for uplifting the fix for bug 1031542:
https://hg.mozilla.org/releases/mozilla-aurora/rev/78ba74153e22
https://hg.mozilla.org/releases/mozilla-aurora/rev/b531c1bdf5d1
https://hg.mozilla.org/releases/mozilla-aurora/rev/5cd90587db41
https://hg.mozilla.org/releases/mozilla-beta/rev/e34f2301a59f
https://hg.mozilla.org/releases/mozilla-beta/rev/4c72b9539a94
https://hg.mozilla.org/releases/mozilla-beta/rev/e60e210dbfc0
status-firefox31:
--- → fixed
status-firefox32:
--- → fixed
|
||
Updated•11 years ago
|
status-firefox33:
--- → fixed
You need to log in
before you can comment on or make changes to this bug.
Description
•