Closed Bug 1332131 Opened 3 years ago Closed 3 years ago

many psm xpcshell test certificates are expiring soon (e.g. in February)


(Core :: Security: PSM, defect, P1)




Tracking Status
firefox-esr45 --- unaffected
firefox51 --- fixed
firefox52 --- fixed
firefox53 --- fixed


(Reporter: keeler, Assigned: keeler)


(Whiteboard: [psm-assigned])


(1 file)

In bug 1256495 we "temporarily" checked the generated psm xpcshell test certificates into the tree. Many of these certificates expire on 4 February 2017, which is coming up soon. We'll probably need to re-generate them and check them in again.
Do we have a bug that tracks a permanent (just-in-time) solution?
Comment on attachment 8828591 [details]
bug 1332131 - regenerate psm xpcshell test certificates to avoid failures when they expire

LGTM, although I only checked a few certs to confirm their notAfter is in 2018.
Other than that, I just ensured that the certs that should've changed did change.
Attachment #8828591 - Flags: review?(cykesiopka.bmo) → review+
Pushed by
regenerate psm xpcshell test certificates to avoid failures when they expire r=Cykesiopka
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Hi Wes, sorry to spring this on you, but this issue affects every supported branch, essentially. If I could get some help uplifting this before February, that would be great. Thank you! (Luckily, it's test-only changes, so we shouldn't have to wait for approval.)
Flags: needinfo?(wkocher)
Should this end up on release (in case of chemspill) and esr45, too?
Flags: needinfo?(wkocher) → needinfo?(dkeeler)
Whiteboard: [psm-assigned] → [psm-assigned][checkin-needed-aurora][checkin-needed-beta]
I imagine so - if the xpcshell test suite is run after 4 February 2017, it will fail without this patch.
Flags: needinfo?(dkeeler)
Whiteboard: [psm-assigned][checkin-needed-aurora][checkin-needed-beta] → [psm-assigned][checkin-needed-beta][checkin-needed-release][checkin-needed-esr45]
Flags: in-testsuite+
Whiteboard: [psm-assigned][checkin-needed-beta][checkin-needed-release][checkin-needed-esr45] → [psm-assigned][checkin-needed-release][checkin-needed-esr45]
26 of the files touched in the patch pushed to beta don't exist on release, and only the file exists on esr45 (and it has merge conflicts). Is it okay to push this to release, and can you make a rebased patch for esr45, assuming all of the files were just moved around?
Flags: needinfo?(dkeeler)
Oh, sorry - it looks like any branch older than 48 isn't affected (bug 1256495 landed in 48), so esr45 actually doesn't need this.

For mozilla-release, the mochitest certs are from bug 1186286, the bad_certs are from bug 1313491, the test_ev_certs are from bug 1243923, the test_pinning_dynamic certs are from bug 1306471, and test_x509.js is from bug 1304188. All of these landed in 52, so it's consistent that they're not in release/51. In other words, the patch should be fine to land on release without those 26 files. Thanks!
Flags: needinfo?(dkeeler)
Whiteboard: [psm-assigned][checkin-needed-release][checkin-needed-esr45] → [psm-assigned][checkin-needed-release]
So, the way this stuff works right now also means that if you run a trypush and it's on a parent that predates the cert change, tests fail with incomprehensible error messages and you get confused (whereas if you rebase the patch to a parent that doesn't predate the cert change, tests will pass). Can't the test framework generate its own certs so we avoid this issue in the future?
Flags: needinfo?(dkeeler)
That's the way this worked before bug 1256495, but we got complaints that it took too much build time. The right thing to do would be to teach the build/test infrastructure to generate these files as-needed (so if you're not running these tests it won't affect you), but no one has done that work (see also bug 1198077).
Flags: needinfo?(dkeeler)
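The review in this thread spot-checked notAfter by hand, and a later comment notes that runs against stale certificates fail with unclear errors. The following Python is an added example, not part of this bug or of Mozilla's test tooling: it reads notAfter straight from the DER with only the standard library and lists certificates that expire within a margin. The function names, the 30-day margin and the unsigned skeleton certificates built by `sample_cert` are assumptions constructed for the demonstration.

```python
import base64, re
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def pem_to_der(pem):
    """Decode the first CERTIFICATE block of a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m: raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def not_after(der):
    """Return the notAfter time of a DER X.509 certificate (UTC)."""
    pos = _tlv(der, _tlv(der, 0)[1])[1]      # enter Certificate, then tbsCertificate
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                          # optional [0] version field
        pos = end
    for _skip in range(3):                   # serialNumber, signature, issuer
        pos = _tlv(der, pos)[2]
    pos = _tlv(der, _tlv(der, pos)[1])[2]    # enter validity, skip notBefore
    tag, start, end = _tlv(der, pos)         # notAfter
    text = der[start:end].decode("ascii")
    if tag == 0x17:                          # UTCTime: 2-digit year, RFC 5280 pivot at 50
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expiring(certs, now, margin_days=30):
    """Return sorted (name, notAfter) for certs that expire within the margin."""
    cutoff = now + timedelta(days=margin_days)
    return sorted((n, t) for n, t in ((n, not_after(d)) for n, d in certs.items()) if t <= cutoff)

def _der(tag, body):                         # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body

def sample_cert(end):
    """Constructed skeleton, unsigned: only the fields the walker reads."""
    validity = _der(0x30, _der(0x17, b"150101000000Z") + _der(0x17, end))
    tbs = _der(0x30, _der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + b"\x30\x00" * 2 + validity)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

if __name__ == "__main__":
    tree = {"old.pem": sample_cert(b"170204000000Z"), "new.pem": sample_cert(b"180204000000Z")}
    for name, when in expiring(tree, datetime(2017, 1, 20, tzinfo=timezone.utc)):
        print(f"{name}: notAfter {when:%Y-%m-%d}, regenerate before it expires")
```

For checked-in PEM files, pass `pem_to_der(path.read_text())` for each file as the dictionary value; run early in a test job, a non-empty result gives a clear failure instead of a downstream verification error.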