Source code
Revision control
Copy as Markdown
Other Tools
Test Info: Warnings
- This test runs only with pattern: false
- Manifest: security/manager/ssl/tests/unit/xpcshell.toml
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
"use strict";
// Attempts to verify a certificate for a time a few weeks into the future in
// the hopes of avoiding mass test failures when the certificates all expire.
// If this test fails, the certificates probably need to be regenerated.
// See bug 1525191.
// If this test and only this test fails, do the following:
// 1. Create a bug for the issue in "Core :: Security: PSM".
// 2. Write a patch to temporarily disable the test.
// 3. Land the patch.
// 4. Write a patch to reenable the test but don't land it.
// 5. Needinfo the triage owner of Bugzilla's "Core :: Security: PSM" component
// in the bug.
// 6. Patches to update certificates get created.
// 6.1. Update certificates in security/manager/ssl/tests/unit with
// ./mach generate-test-certs
// 6.2. Update more certificates with
// ./mach python build/pgo/genpgocert.py
// 6.3. Temporarily uncomment the code in security/manager/ssl/tests/unit/test_signed_apps/moz.build,
// build Firefox with |./mach build| and copy the relevant non-build files
// from the related object directory folder into this folder.
// 6.4. Update the certificate fingerprints mentioned in
// security/manager/ssl/tests/unit/test_cert_override_read.js with
// openssl x509 -noout -fingerprint -sha256 -in security/manager/ssl/tests/unit/bad_certs/certName.pem
// 6.5. Update the base64 encoded serial numbers of test-int.pem and other-test-ca.pem in
// security/manager/ssl/tests/unit/test_cert_storage.js
// 6.5.1. Get the serial number value
// openssl x509 -noout -in security/manager/ssl/tests/unit/bad_certs/test-int.pem -serial
// 6.5.2. base64 encode the hex value without the prefix
// 6.5.3. Update base64 encoded value in the test file.
// 7. Commit the changes: Mention the year of the update, the date of the
// next expiration and add these instructions to the commit message.
// 8. Test the patches with a Try push.
// 9. Land the patches on all trees whose code will still be used when the
// certificates expire in 3 weeks.
add_task(async function () {
do_get_profile();
let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(
Ci.nsIX509CertDB
);
addCertFromFile(certDB, "bad_certs/test-ca.pem", "CTu,,");
let threeWeeksFromNowInSeconds = Date.now() / 1000 + 3 * 7 * 24 * 60 * 60;
let ee = constructCertFromFile("bad_certs/default-ee.pem");
await checkCertErrorGenericAtTime(
certDB,
ee,
PRErrorCodeSuccess,
Ci.nsIX509CertDB.verifyUsageTLSServer,
threeWeeksFromNowInSeconds,
false,
"test.example.com"
);
});