Closed Bug 970810 Opened 11 years ago Closed 11 years ago

Modify name constraints tests to test insanity::pkix

Categories

(Core :: Security: PSM, defect)

RESOLVED FIXED
mozilla30
Tracking Status
firefox29 --- fixed

People

(Reporter: briansmith, Assigned: briansmith)

Attachments

(1 file)

We need to modify test_name_constraints.js to test insanity::pkix as well as the classic certificate verification. This requires us to change how we decide which error code to return from insanity::pkix. That requires the refactoring in bug 915931.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Camilo decided not to modify the name constraint tests to add insanity::pkix support in bug 900727, so we need to reopen this.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
I had to modify generate.py to remove the extra EKUs (in particular, Object Signing). I also added explicitly-documented cases for the special handling of EKU. Even though those tests are technically redundant, it is useful to call them out separately.

I looked at the classic NSS code:

    PRBool getSubjectCN = (!count && certUsage == certUsageSSLServer);
    subjectNameList = CERT_GetConstrainedCertificateNames(subjectCert, arena, getSubjectCN);

That is the same logic that insanity::pkix uses, EXCEPT that the counting of sub-CA certificates is slightly different.
Attachment #8376786 - Flags: review?(cviecco)
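The rule in the two NSS lines quoted in the comment above, as a simplified model added here (not NSS or insanity::pkix code and not part of the bug thread). It assumes `count` is the certificate's depth in the chain (0 for the end-entity) and models only dNSName constraints; `Cert`, `Usage`, `names_permitted` and `dns_within` are hypothetical names, and the sample certificates are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not NSS or insanity::pkix code. Cert, Usage and the
 * function names are hypothetical; only dNSName constraints are modelled. */
typedef struct {
    const char *subject_cn; /* subject common name */
    const char *san_dns[4]; /* dNSName SAN entries, NULL-terminated */
} Cert;
typedef enum { USAGE_SSL_SERVER, USAGE_OTHER } Usage;

static bool ci_equal(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

/* RFC 5280 dNSName subtree: name equals base or is base with labels prepended. */
static bool dns_within(const char *name, const char *base) {
    size_t n = strlen(name), b = strlen(base);
    if (n == b) return ci_equal(name, base);
    return n > b && name[n - b - 1] == '.' && ci_equal(name + (n - b), base);
}

/* count: assumed to be the certificate's depth in the chain (0 = end-entity).
 * The subject CN is constrained only when getSubjectCN is true. */
bool names_permitted(const Cert *cert, int count, Usage usage, const char *base) {
    bool getSubjectCN = (!count && usage == USAGE_SSL_SERVER);
    for (size_t i = 0; i < 4 && cert->san_dns[i]; i++)
        if (!dns_within(cert->san_dns[i], base)) return false;
    if (getSubjectCN && cert->subject_cn && !dns_within(cert->subject_cn, base))
        return false;
    return true;
}

/* Constructed sample certificates. */
static const Cert leaf_cn_out = { "other.example.org", { "www.example.com", NULL } };
static const Cert sub_ca = { "Example Issuing CA", { NULL } };

int main(void) {
    printf("leaf, SSL server: %d\n", names_permitted(&leaf_cn_out, 0, USAGE_SSL_SERVER, "example.com"));
    printf("leaf, other usage: %d\n", names_permitted(&leaf_cn_out, 0, USAGE_OTHER, "example.com"));
    printf("sub-CA at depth 1: %d\n", names_permitted(&sub_ca, 1, USAGE_SSL_SERVER, "example.com"));
    return 0;
}
```

The leaf whose CN falls outside the permitted subtree is rejected only for SSL server usage at depth 0, while the sub-CA's descriptive CN is never treated as a DNS name at depth 1.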
Comment on attachment 8376786
name-constraints-tests-insanity.patch

Review of attachment 8376786:

r+ assuming this actually passes the tests. I tried to do the insanity switch on 900727 but I was not getting namespace errors when using insanity but unknown issuer.
Attachment #8376786 - Flags: review?(cviecco) → review+
(In reply to Camilo Viecco (:cviecco) from comment #4)
> r+ assuming this actually passes the tests. I tried to do the insanity
> switch on 900727 but I was not getting namespace errors when using insanity
> but unknown issuer.

Yes, that's because you were missing the patch in bug 973268, which this bug depends on. Also, I see I forgot to attach the patch to bug 973268. Will do that later today.
Status: REOPENED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED