Closed
Bug 1030453
Opened 10 years ago
Closed 6 years ago
mozmill test /testSecurity/testMD5HashSignature.js needs to import the CA certificate differently when bug 1024871 lands
Categories
(Mozilla QA Graveyard :: Mozmill Tests, defect, P2)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: keeler, Unassigned)
My understanding is that the mozmill test /testSecurity/testMD5HashSignature.js (and maybe others) imports a CA certificate by visiting http://mozqa.com/data/firefox/security/certificates/md5/importSSL.php and using the UI that automatically pops up as a result. Bug 1024871 is removing this functionality because it's unsafe. Luckily, there are other options for adding a new CA. One is to use the certificate manager UI (Preferences -> Advanced -> Certificates -> View Certificates). Another option would be to use the certutil command line utility to modify the certificate database before actually running any tests. Yet another option would be to use nsIX509CertDB from JS.
Comment 1•10 years ago (Reporter)
For an example of how this breaks the test, see bug 1028178 where we did this by accident.
See Also: → 1028178
Comment 2•10 years ago
Thanks David for keeping us informed! I kinda like doing this via nsIX509CertDB then. The UI path can be fragile and should not be tested in this specific test. Also preparing a profile with that cert added is not possible at the moment. So I assume we can already do this change before bug 1024871 gets fixed? That way we will have a smooth transition over.
Updated•10 years ago
Component: Mozmill → Mozmill Tests
Product: Testing → Mozilla QA
Updated•10 years ago
Flags: needinfo?(dkeeler)
Comment 3•10 years ago (Reporter)
Yes, this can change before bug 1024871 lands. I don't really know how mozmill works, but in privileged code, something like this needs to happen:

    let certDER = <somehow get the DER encoding of the certificate in question>;
    let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
    certDB.addCert(certDER, "CTu,,", "Moz QA CA");

(The "CTu,," argument trusts the certificate as an SSL CA and as far as I know the third argument is actually ignored, so it doesn't matter what it is.)

Let me know how that goes - this code can be picky and difficult to work with.
Flags: needinfo?(dkeeler)
Comment 4•10 years ago
(In reply to David Keeler (:keeler) [use needinfo?] from comment #3)
> let certDER = <somehow get the DER encoding of the certificate in question>;

So given that you are not sure how to retrieve this information, do you know someone we could ask? I assume there is no interface/service available to retrieve that kind of data?
Flags: needinfo?(dkeeler)
Priority: -- → P1
Comment 5•10 years ago
(In reply to Henrik Skupin (:whimboo) from comment #4)
> (In reply to David Keeler (:keeler) [use needinfo?] from comment #3)
> > let certDER = <somehow get the DER encoding of the certificate in question>;
>
> So given that you are not sure how to retrieve this information, do you know
> someone we could ask? I assume there is no interface/service available to
> retrieve that kind of data?

CC'ing Kai. Maybe he knows something.
Flags: needinfo?(kaie)
Comment 6•10 years ago (Reporter)
Well, there's a couple of ways to go. If I understand correctly, the certificate to import is hosted at http://mozqa.com/data/firefox/security/certificates/md5/ssl-md5-mozqa-ca.pem

One option would be to copy that and include it in the test. This would break if it ever gets updated.

The other option is to do an XHR to get that file and then use nsIX509CertDB2.addCertFromBase64. You might have to strip off the leading/trailing -----BEGIN CERTIFICATE-----/-----END CERTIFICATE----- and remove line breaks first.
Flags: needinfo?(dkeeler)
Comment 7•10 years ago (Reporter)
(Although, if you do use nsIX509CertDB2, keep an eye on bug 643041, which will merge that interface into nsIX509CertDB.)
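The PEM handling described in comment 6, as an added example that is not part of the bug thread or of Mozilla's code: it strips the BEGIN/END lines and line breaks, then checks that the result decodes to one complete DER structure before it is handed to the certificate database. The names pemToBase64, looksLikeDer, importCA and SAMPLE_PEM are hypothetical, and the (base64, trust, name) argument order for addCertFromBase64 is an assumption that mirrors the addCert call in comment 3.

```javascript
// Added example: hypothetical helpers, not code from the bug or from Firefox.
const decodeB64 = typeof atob === "function"
  ? (s) => atob(s)
  : (s) => Buffer.from(s, "base64").toString("binary");

const PEM_RE = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/;
const B64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// Strip the armor lines and every line break, as comment 6 suggests.
function pemToBase64(pem) {
  const m = PEM_RE.exec(pem);
  if (!m) throw new Error("no CERTIFICATE block found");
  const b64 = m[1].replace(/\s+/g, ""); // removes CR, LF and indentation
  if (!b64 || !B64_RE.test(b64)) throw new Error("body is not valid base64");
  return b64;
}

// Outer framing check only: one DER SEQUENCE whose length field covers the
// whole buffer. Catches truncated downloads; it does not validate X.509.
function looksLikeDer(b64) {
  const der = decodeB64(b64);
  if (der.length < 2 || der.charCodeAt(0) !== 0x30) return false;
  let len = der.charCodeAt(1);
  let header = 2;
  if (len & 0x80) { // long form: low 7 bits give the number of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4 || der.length < 2 + n) return false;
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + der.charCodeAt(2 + i);
    header += n;
  }
  return header + len === der.length;
}

// certDB: any object exposing addCertFromBase64 (argument order is assumed).
function importCA(certDB, pem, trust, name) {
  const b64 = pemToBase64(pem);
  if (!looksLikeDer(b64)) throw new Error("not a complete DER structure");
  certDB.addCertFromBase64(b64, trust, name);
  return b64;
}

// Constructed sample: DER for SEQUENCE { INTEGER 5 }, not a real certificate.
const SAMPLE_PEM =
  "-----BEGIN CERTIFICATE-----\r\nMAMC\r\nAQU=\r\n-----END CERTIFICATE-----\r\n";
```

In the test itself, pem would be the responseText of the XHR from comment 6 and certDB the service obtained as in comment 3.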
Comment 8•10 years ago
If your input is a raw file, David's suggestion looks good.
Flags: needinfo?(kaie)
Updated•10 years ago
Priority: P1 → P2
Comment 9•6 years ago
Mozmill is dead, WONTFIX the remaining bugs.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Updated•5 years ago
Product: Mozilla QA → Mozilla QA Graveyard