Add PKIX revocation API tests.

NEW
Assigned to

Status

NSS
Test
P2
normal
10 years ago
4 years ago

People

(Reporter: Slavomir Katuscak, Assigned: Slavomir Katuscak)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: PKIXTEST)

Attachments

(5 attachments, 7 obsolete attachments)

12.73 KB, patch
Alexei Volkov
: review+
Details | Diff | Splinter Review
6.46 KB, patch
Alexei Volkov
: review+
Details | Diff | Splinter Review
12.80 KB, patch
Alexei Volkov
: review+
Details | Diff | Splinter Review
4.14 KB, patch
Alexei Volkov
: review+
Details | Diff | Splinter Review
905 bytes, patch
Alexei Volkov
: review+
Details | Diff | Splinter Review
(Assignee)

Description

10 years ago
Request from Alexei Volkov:

1. Why do we need additional testing?
NSS legacy code has crl and ocsp functionality testing. The testing
approach was focused on CRL and OCSP functionalities as a separate
features.

The new pkix revocation API implementation is based on a central
object responsible for revocation(lets call it "revocation checker").
Pkix routed all revocation check requests through it. Revocation
checker invokes revocation methods(ocsp or crl) based on its
configuration that get defined before validation process starts.

Configuration is done by using revocation flags that are defined in
certt.h starting at line 1006 and have CERT_REV prefixes.
This central revocation object(revocation checker) is the main subject
of the new set of tests.

2. Types of revocation tests(not to be confused with revocation API tests)
There are two types of revocation tests:
      1. revocation tests of a leaf cert of a chain
      2. revocation tests of a intermediate ca in the chain
Our objective is to create coverage for type #1 since it is the most
important type of the revocation check. Type #2 will get some coverage as a
side effect of the test development for type #1.

3. Flags
There are two set of flags for each revocation testing type:
      a. method independent flags - flags that define how revocation methods
         cope together. They are denoted as _MI_ in theirs names.
      b. method dependent flags, that define behavior of a revocation method.
         These are denoted as _M_.

4. vfychain usage
The tool was modified to configure revocation API. The configuration
is done by specifying a set of options and keywords. See vfychain for
more details.
        [-g type [-h flags] [-m type [-s flags]] ...] ...
        where:
        * -g type is type of the revocation check tests. We are
          interested in type that is defined by keyword "leaf".
        * -h flags - method independent flags defined for the test
        * -m type - method type. Can be ocsp or crl.
        * -s flags - flags for a particular method.
Tests should invoke vfychain to validate certificate chain using
pkix api(-pp).

5. NSS tests modification.
It seems like pkix chain tests script is the best suitable candicadate. The
test will be similar to real chains tests defined in
tests/chains/scenarios/realcerts.cfg file.
PKIX cert chain tests configuration should be modified to support arbitrary
arguments to vfychain in case they are not supported.

6. Required certs and crls
CERTS:
Here is the list:  valid, revoked by crl, revoked by ocsp,
valid, but has invalid uri in AIA extension, valid, but has no AIA
extension.
CRLs:
OCSP responder can use crl to report cert status and so it will be
sufficient to create just a couple of crls: one for local use, one for
ocsp responder.
(Assignee)

Comment 1

10 years ago
Created attachment 357181 [details] [diff] [review]
Patch to allow cert revocation in chains.sh.

This patch enhances chains.sh and adds support for cert revocation and checking for revoked certs. It doesn't contain testing scenarios, I'll provide them later.
Attachment #357181 - Flags: review?(alexei.volkov.bugs)

Comment 2

10 years ago
Slavo, could you please include an example of scenario file. It will help me to review the patch.
(Assignee)

Comment 3

10 years ago
Created attachment 357201 [details]
Example (not for review).

Comment 4

10 years ago
Comment on attachment 357181 [details] [diff] [review]
Patch to allow cert revocation in chains.sh.

r=alexei
Attachment #357181 - Flags: review?(alexei.volkov.bugs) → review+
(Assignee)

Comment 5

10 years ago
Created attachment 359281 [details] [diff] [review]
Patch v2 including most basic tests.
Attachment #357181 - Attachment is obsolete: true
Attachment #357201 - Attachment is obsolete: true
Attachment #359281 - Flags: review?(alexei.volkov.bugs)

Updated

10 years ago
Attachment #359281 - Attachment is patch: true
Attachment #359281 - Attachment mime type: application/octet-stream → text/plain

Comment 6

10 years ago
Comment on attachment 359281 [details] [diff] [review]
Patch v2 including most basic tests.

Slavo, the patch does not have the actual new scenario file. Scenarios has a all old scenarios removed. Also, there are a few things that you may consider changing:
1. In function revoke_cert, you use crlutil to modify existing crl. I think it would be preferable to change thisupdate time of the crl when you adding a new entry.
2. Then you parse an import option(line 744) you feed the file name into import_cert and import_crl functions. One of the function will surely generate and report an error. We should not have unnecessary errors in our log. I'd suggest using file extension to identify the object in a file and call a right function.
Attachment #359281 - Flags: review?(alexei.volkov.bugs) → review-
(Assignee)

Comment 7

10 years ago
Created attachment 360523 [details] [diff] [review]
Patch v3. (checked in)
Attachment #359281 - Attachment is obsolete: true
Attachment #360523 - Flags: review?(alexei.volkov.bugs)
(Assignee)

Comment 8

10 years ago
(In reply to comment #6)
> (From update of attachment 359281 [details] [diff] [review])
> Slavo, the patch does not have the actual new scenario file. Scenarios has a
> all old scenarios removed. 

Fixed.

> Also, there are a few things that you may consider
> changing:
> 1. In function revoke_cert, you use crlutil to modify existing crl. I think it
> would be preferable to change thisupdate time of the crl when you adding a new
> entry.

Added, I haven't found thisupdate keyword in crlutil documentation, using update seems to work.

> 2. Then you parse an import option(line 744) you feed the file name into
> import_cert and import_crl functions. One of the function will surely generate
> and report an error. We should not have unnecessary errors in our log. I'd
> suggest using file extension to identify the object in a file and call a right
> function.

Cert is always imported (it should always exist), CRL import has internal check and if CRL file doesn't exist then it's skipped without any error.

Updated

10 years ago
Attachment #360523 - Flags: review?(alexei.volkov.bugs) → review+

Comment 9

10 years ago
Comment on attachment 360523 [details] [diff] [review]
Patch v3. (checked in)

r=alexei

Comment 10

10 years ago
(In reply to comment #8)
> > 2. Then you parse an import option(line 744) you feed the file name into
> > import_cert and import_crl functions. One of the function will surely generate
> > and report an error. We should not have unnecessary errors in our log. I'd
> > suggest using file extension to identify the object in a file and call a right
> > function.
> 
> Cert is always imported (it should always exist), CRL import has internal check
> and if CRL file doesn't exist then it's skipped without any error.
But you may already imported the cert. Will in this case new attempt to import the cert into a db generate an error that will be printed into our log?
(Assignee)

Comment 11

10 years ago
Checking in chains.sh;
/cvsroot/mozilla/security/nss/tests/chains/chains.sh,v  <--  chains.sh
new revision: 1.12; previous revision: 1.11
done
RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/revoc.cfg,v
done
Checking in scenarios/revoc.cfg;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/revoc.cfg,v  <--  revoc.cfg
initial revision: 1.1
done
Checking in scenarios/scenarios;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/scenarios,v  <--  scenarios
new revision: 1.3; previous revision: 1.2
done
(Assignee)

Updated

10 years ago
Attachment #360523 - Attachment description: Patch v3. → Patch v3. (checked in)
(Assignee)

Comment 12

10 years ago
(In reply to comment #10)
> But you may already imported the cert. Will in this case new attempt to import
> the cert into a db generate an error that will be printed into our log?

Verified, reimport is OK, no errors.
(Assignee)

Comment 13

10 years ago
Created attachment 361278 [details] [diff] [review]
Patch to add OCSP AIA support.

Alexei, please verify this patch, if method to set OCSP is OK. I tried to create certificate with OCSP AIA and verify it, and I haven't seen any connection on ocspd server (running under strace).

OCSP is visible in certificate:
        Signed Extensions:
            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://dochinups.red.iplanet.com:2601"
Attachment #361278 - Flags: review?(alexei.volkov.bugs)
(Assignee)

Comment 14

10 years ago
Created attachment 361281 [details]
Scenario to generate chains for OCSP testing.

Scenario I used to generate certs. Key/cert/crl of OCSPCA are used by OCSPD.
(Assignee)

Comment 15

10 years ago
Created attachment 363302 [details] [diff] [review]
Patch - OCSPD configuration.

This patch contains scenario to generate keys/certs/crls for OCSPD, configs for 4 OCSPD instances and script to convert all to right format and copy certs to libpkix/certs directory (need to add to cvs too, but there is no diff, because they have binary format). Patch also includes readme with steps describing how to use it. There is not expected to run it more than 1 time - just for configure OCSPD, but I put it there for possible changes in future.

Architecture created there:


OCSPRoot->OCSPCA1->OCSPEE11  (OK)
                 ->OCSPEE12  (Revoked on OCSP)
                 ->OCSPEE13  (OK here, would be revoked in CRL)
                 ->OCSPEE14  (Revoked on OCSP, would be also in CRL)
                 ->OCSPEE15  (AIA set to non-running OCSP port)
        ->OCSPCA2->OCSPEE21  (CA revoked on OCSPRoot)
        ->OCSPCA3->OCSPEE31  (CA have AIA set to non-running OCSP port)

OCSPRoot, OCSPCA1, OCSPCA2 and OCSPCA3 has it's one OCSP deamons running on ports 2600-2603 on dochinups machine (already configured).
Attachment #363302 - Flags: review?(alexei.volkov.bugs)
(Assignee)

Comment 16

10 years ago
Created attachment 363303 [details] [diff] [review]
Patch - OCSP tests. (checked in)

Patch with OCSP tests. Requires to have OCSPD configured (see previous patch) and OCSP certs in CVS in tests/libpkix/certs directory.

Config also contains 2 tests that (by my meaning) should fail and are passing. Please try to check if it's bug in my settings or in code functionality.
Attachment #361278 - Attachment is obsolete: true
Attachment #361281 - Attachment is obsolete: true
Attachment #363303 - Flags: review?(alexei.volkov.bugs)
Attachment #361278 - Flags: review?(alexei.volkov.bugs)

Updated

10 years ago
Attachment #363302 - Flags: review?(alexei.volkov.bugs) → review+

Comment 17

10 years ago
Comment on attachment 363302 [details] [diff] [review]
Patch - OCSPD configuration.

We probably should not integrate chains/ocspd-config/ocspd.conf.template
The template has very little information and a lot of ocspd related info that will be changes from installation to installation.

Comment 18

10 years ago
(In reply to comment #17)
> (From update of attachment 363302 [details] [diff] [review])
> We probably should not integrate chains/ocspd-config/ocspd.conf.template
At least we should trim it to contain only useful information.

Comment 19

10 years ago
Comment on attachment 363303 [details] [diff] [review]
Patch - OCSP tests. (checked in)

Not clear from this patch where p12 file(s) is coming from. Slavo, do you plan to have p12 in the repository? Also, I saw only one key import. But you need 4 to sign all of these certs and crls. There are the others p12 files?
(Assignee)

Comment 20

9 years ago
(In reply to comment #19)
> (From update of attachment 363303 [details] [diff] [review])
> Not clear from this patch where p12 file(s) is coming from. Slavo, do you plan
> to have p12 in the repository? Also, I saw only one key import. But you need 4
> to sign all of these certs and crls. There are the others p12 files?

Seems that I sent older version of ocspd-certs.sh in my previous patch, I'm going to send new that copies also p12 file to libpkix/certs directory.
(Assignee)

Comment 21

9 years ago
(In reply to comment #18)
> (In reply to comment #17)
> > (From update of attachment 363302 [details] [diff] [review] [details])
> > We probably should not integrate chains/ocspd-config/ocspd.conf.template
> At least we should trim it to contain only useful information.

The reason why it is there is for the case that we need to regenerate certs/keys/crls/configs. I would like to keep it there as it is, to prevent possible trim of used parts, every change would require to regenerate everything to verify whether it's OK.
(Assignee)

Comment 22

9 years ago
Created attachment 364315 [details] [diff] [review]
Patch - OCSPD configuration - v2. (checked in)
Attachment #363302 - Attachment is obsolete: true
Attachment #364315 - Flags: review?(alexei.volkov.bugs)

Comment 23

9 years ago
Comment on attachment 363303 [details] [diff] [review]
Patch - OCSP tests. (checked in)

r=alexe with a note that this patch does not present the complete set of the test we need. We will need to extend them.
Attachment #363303 - Flags: review?(alexei.volkov.bugs) → review+

Comment 24

9 years ago
Comment on attachment 364315 [details] [diff] [review]
Patch - OCSPD configuration - v2. (checked in)

r+ with the request to trim the file chains/ocspd-config/ocspd.conf.template. We do not need to have the whole ocspd config file. Would be better to remove unused parts with default settings and have indication of what you have changed in this file.
Attachment #364315 - Flags: review?(alexei.volkov.bugs) → review+
(Assignee)

Comment 25

9 years ago
OCSPD patch:

RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/ocspd.cfg,v
done
Checking in chains/scenarios/ocspd.cfg;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/ocspd.cfg,v  <--  ocspd.cfg
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/chains/ocspd-config/ocspd-certs.sh,v
done
Checking in chains/ocspd-config/ocspd-certs.sh;
/cvsroot/mozilla/security/nss/tests/chains/ocspd-config/ocspd-certs.sh,v  <--  ocspd-certs.sh
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/chains/ocspd-config/ocspd.conf.template,v
done
Checking in chains/ocspd-config/ocspd.conf.template;
/cvsroot/mozilla/security/nss/tests/chains/ocspd-config/ocspd.conf.template,v  <--  ocspd.conf.template
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/chains/ocspd-config/readme,v
done
Checking in chains/ocspd-config/readme;
/cvsroot/mozilla/security/nss/tests/chains/ocspd-config/readme,v  <--  readme
initial revision: 1.1
done

Certs + p12:

RCS file: /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPCA1.cert,v
done
Checking in OCSPCA1.cert;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPCA1.cert,v  <--  OCSPCA1.cert
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPCA1.p12,v
done
Checking in OCSPCA1.p12;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPCA1.p12,v  <--  OCSPCA1.p12
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPCA2.cert,v
done
Checking in OCSPCA2.cert;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPCA2.cert,v  <--  OCSPCA2.cert
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPCA3.cert,v
done
Checking in OCSPCA3.cert;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPCA3.cert,v  <--  OCSPCA3.cert
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE11.cert,v
done
Checking in OCSPEE11.cert;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE11.cert,v  <--  OCSPEE11.cert
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE12.cert,v
done
Checking in OCSPEE12.cert;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE12.cert,v  <--  OCSPEE12.cert
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE13.cert,v
done
Checking in OCSPEE13.cert;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE13.cert,v  <--  OCSPEE13.cert
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE14.cert,v
done
Checking in OCSPEE14.cert;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE14.cert,v  <--  OCSPEE14.cert
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE15.cert,v
done
Checking in OCSPEE15.cert;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE15.cert,v  <--  OCSPEE15.cert
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE21.cert,v
done
Checking in OCSPEE21.cert;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE21.cert,v  <--  OCSPEE21.cert
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE31.cert,v
done
Checking in OCSPEE31.cert;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE31.cert,v  <--  OCSPEE31.cert
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPRoot.cert,v
done
Checking in OCSPRoot.cert;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPRoot.cert,v  <--  OCSPRoot.cert
initial revision: 1.1
done

OCSP patch:

Checking in chains.sh;
/cvsroot/mozilla/security/nss/tests/chains/chains.sh,v  <--  chains.sh
new revision: 1.13; previous revision: 1.12
done
RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/ocsp.cfg,v
done
Checking in scenarios/ocsp.cfg;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/ocsp.cfg,v  <--  ocsp.cfg
initial revision: 1.1
done
Checking in scenarios/scenarios;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/scenarios,v  <--  scenarios
new revision: 1.4; previous revision: 1.3
done
(Assignee)

Comment 26

9 years ago
One test that was expected to fail was passing on my machine, after check into CVS it began to fail, so I added small change to CVS:

-#EE - unknown status, failIfNoInfo - should fail ??
+#EE - unknown status, failIfNoInfo

-  result pass
+  result fail

Checking in ocsp.cfg;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/ocsp.cfg,v  <--  ocsp.cfg
new revision: 1.2; previous revision: 1.1
done

Comment 27

9 years ago
The last test in the ocsp.cfg has the following problems:
* crl is not imported into the db and
* cert 13 is not revoked by ca1 crl.
Please fix it.
(Assignee)

Comment 28

9 years ago
Alexei, at the top of ocsp.cfg there are lines:

crl OCSPCA1 

revoke OCSPCA1 
  serial 3

This should create local CRL for CA1 and then revoke cert with serial 3 (that is just EE13). If I understand correctly, in combination -m OCSP -h testLocalInfoFirst it should use first data from local CRL and if cert is revoked there, then it should mark is as revoked without checking data from OCSP. Is it right ?
(Assignee)

Comment 29

9 years ago
Some questions about missing flags:

ignoreDefaultSrc:
How can I set default OCSP source ? Is there any variable for this ?

requireInfo:
In fact from explanation in certt.h I don't see difference between this flag and requireFreshInfo. Only that one is method dependent and one method independent.

I tried to add it to ocsp.cfg:

verify OCSPEE15:x
  cert OCSPCA1:x
  trust OCSPRoot
  rev_type leaf
  rev_mtype ocsp
  rev_mflags requireInfo
  result fail

Even if expected result was fail (OCSP info is not available), test passed and chain was marked as good. What is wrong there ?
(Assignee)

Updated

9 years ago
Priority: -- → P2
(Assignee)

Updated

9 years ago
Target Milestone: 3.12.3 → 3.12.4
Whiteboard: PKIXTEST
(Assignee)

Comment 30

9 years ago
Created attachment 411674 [details] [diff] [review]
More certs for tests (improved scenario to generate it).
Attachment #411674 - Flags: review?(alexei.volkov.bugs)
(Assignee)

Updated

9 years ago
Attachment #363303 - Attachment description: Patch - OCSP tests. → Patch - OCSP tests. (checked in)
(Assignee)

Updated

9 years ago
Attachment #364315 - Attachment description: Patch - OCSPD configuration - v2. → Patch - OCSPD configuration - v2. (checked in)
(Assignee)

Comment 31

9 years ago
Problem from comment 29 (OCSPEE15) already solved, caused by wrong order of parameters. Flags ignoreDefaultSrc and requireInfo still not used.
(Assignee)

Comment 32

9 years ago
Created attachment 411701 [details] [diff] [review]
Replacement for previous patch adding one more cert. (checked in)
Attachment #411674 - Attachment is obsolete: true
Attachment #411701 - Flags: review?(alexei.volkov.bugs)
Attachment #411674 - Flags: review?(alexei.volkov.bugs)
(Assignee)

Comment 33

9 years ago
Created attachment 411703 [details] [diff] [review]
Test for bug 527438 (requires previous patch as dependency). (checked in)
Attachment #411703 - Flags: review?(alexei.volkov.bugs)

Updated

9 years ago
Attachment #411701 - Flags: review?(alexei.volkov.bugs) → review+

Updated

9 years ago
Attachment #411703 - Flags: review?(alexei.volkov.bugs) → review+

Comment 34

9 years ago
Comment on attachment 411703 [details] [diff] [review]
Test for bug 527438 (requires previous patch as dependency). (checked in)

r=alexei
(Assignee)

Comment 35

9 years ago
Comment on attachment 411701 [details] [diff] [review]
Replacement for previous patch adding one more cert. (checked in)

Checking in chains/ocspd-config/ocspd-certs.sh;
/cvsroot/mozilla/security/nss/tests/chains/ocspd-config/ocspd-certs.sh,v  <--  ocspd-certs.sh
new revision: 1.2; previous revision: 1.1
done
Checking in chains/scenarios/ocspd.cfg;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/ocspd.cfg,v  <--  ocspd.cfg
new revision: 1.3; previous revision: 1.2
done
Checking in libpkix/certs/OCSPCA1.p12;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPCA1.p12,v  <--  OCSPCA1.p12
new revision: 1.2; previous revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPCA2.p12,v
done
Checking in libpkix/certs/OCSPCA2.p12;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPCA2.p12,v  <--  OCSPCA2.p12
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPCA3.p12,v
done
Checking in libpkix/certs/OCSPCA3.p12;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPCA3.p12,v  <--  OCSPCA3.p12
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE22.cert,v
done
Checking in libpkix/certs/OCSPEE22.cert;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE22.cert,v  <--  OCSPEE22.cert
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE23.cert,v
done
Checking in libpkix/certs/OCSPEE23.cert;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE23.cert,v  <--  OCSPEE23.cert
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE32.cert,v
done
Checking in libpkix/certs/OCSPEE32.cert;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE32.cert,v  <--  OCSPEE32.cert
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE33.cert,v
done
Checking in libpkix/certs/OCSPEE33.cert;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPEE33.cert,v  <--  OCSPEE33.cert
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPRoot.p12,v
done
Checking in libpkix/certs/OCSPRoot.p12;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/OCSPRoot.p12,v  <--  OCSPRoot.p12
initial revision: 1.1
done
Attachment #411701 - Attachment description: Replacement for previous patch adding one more cert. → Replacement for previous patch adding one more cert. (checked in)
(Assignee)

Comment 36

9 years ago
Comment on attachment 411703 [details] [diff] [review]
Test for bug 527438 (requires previous patch as dependency). (checked in)

Checking in ocsp.cfg;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/ocsp.cfg,v  <--  ocsp.cfg
new revision: 1.8; previous revision: 1.7
done
Attachment #411703 - Attachment description: Test for bug 527438 (requires previous patch as dependency). → Test for bug 527438 (requires previous patch as dependency). (checked in)
You need to log in before you can comment on or make changes to this bug.