Closed Bug 1181823 Opened 4 years ago Closed 4 years ago

convert test_ev_certs.js, test_keysize_ev.js, and test_validity.js to generate certificates at build time

(Core :: Security: PSM, defect)

RESOLVED FIXED
mozilla42
Tracking Status
firefox42 --- fixed

(Reporter: keeler, Assigned: keeler)

convert test_ev_certs.js to generate certificates at build time - see bug 1174288.
One issue is that the hash of the root test certificate is hard-coded into the browser in ExtendedValidation.cpp. My current approach is to specify a concrete validity period for the root certificate (rather than basing it on the current time), which (currently) means the same certificate should get generated every build. This may not be the best idea, and we should probably explore other options.
bug 1181823 - convert test_ev_certs.js, test_keysize_ev.js, and test_validity.js to generate certificates at build time r?Cykesiopka r?mgoodwin
Attachment #8637507 - Flags: review?(mgoodwin)
Attachment #8637507 - Flags: review?(cykesiopka.bmo)
This ended up being a largish patch. I'm not sure there's a good way to break it up, though, because any change to how the testing EV root certificate works affects multiple tests. Take your time reviewing this and let me know what you think.
Attachment #8637507 - Flags: review?(mgoodwin) → review+
Comment on attachment 8637507

https://reviewboard.mozilla.org/r/13863/#review12655

Ship It!
Comment on attachment 8637507

https://reviewboard.mozilla.org/r/13863/#review12753

LGTM.

::: security/manager/ssl/tests/unit/pycert.py:44
(Diff revision 1)
>  generated certificate (for example, its validity period, signature

Nit: remove mention of validity period here, since this is no longer true.

::: security/manager/ssl/tests/unit/test_validity/ev_ee_40_months-ev_int_60_months-evroot.pem.certspec:3
(Diff revision 1)
> +validity:1215

Optional: same here.

::: security/manager/ssl/tests/unit/test_validity/ev_ee_39_months-ev_int_60_months-evroot.pem.certspec:3
(Diff revision 1)
> +validity:1185

Optional: not a big deal, but this doesn't match the 3 * 365 + 3 * 31 logic of the actual code.
Attachment #8637507 - Flags: review?(cykesiopka.bmo) → review+
https://reviewboard.mozilla.org/r/13863/#review12753

> Optional: not a big deal, but this doesn't match the 3 * 365 + 3 * 31 logic of the actual code.

I guess it's a good idea to be consistent here.

> Nit: remove mention of validity period here, since this is no longer true.

Good catch.
https://hg.mozilla.org/mozilla-central/rev/6365880a9f9f
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Summary: convert test_ev_certs.js to generate certificates at build time → convert test_ev_certs.js, test_keysize_ev.js, and test_validity.js to generate certificates at build time
Blocks: 1189166