923268 - Active distrust entries in built-in database are not tested as part of the test suite

Status: NEW

(NSS :: Test, defect, P5)

Description

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

Attachment: Part 1: Add tests for distrust records where the cert is currently included in the built-in database

I recommend reading tests/chains/scenarios/distrusted.cfg first.

This patch does not include the TrustWave or TURKTrust certs. I will do that in another patch.

Comment 1

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

Attachment: Part 1: Add tests for distrust records where the cert is currently included in the built-in database

Removed some of my TODO comments.

Comment 2

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

Comment on attachment 813275 [details] [diff] [review]
Part 1: Add tests for distrust records where the cert is currently included in the built-in database

Clearing review request as more work is needed. Some of these certificates are modified versions of the originals, used to create "knockout" entries before the implementation of active distrust in NSS was complete. Consequently, these test cases are not testing the real-world behavior. In particular, some of these certificates have had their issuer and/or serial number modified as part of the process of creating the knockout cert. When I use the actual certificates from Microsoft's "Untrusted Publishers" list, the tests fail because NSS returns error codes different than SEC_ERROR_UNTRUSTED_CERT.

Comment 3

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

Camilo, let's talk about this when we have some time. We need to find a way to test this for insanity::pkix and for NSS.

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

The bug assignee didn't login in Bugzilla in the last 7 months, so the assignee is being reset.