From Fedora Project Wiki
Fedora Test Days
Shared System Certificates

Date 2012-03-28
Time all day

Website QA/Fedora_19_test_days
IRC #fedora-test-day (webirc)
Mailing list test


Can't make the date?
If you come to this page before or after the test day is completed, your testing is still valuable, and you can use the information on this page to test, file any bugs you find at Bugzilla, and add your results to the results section. If this page is more than a month old when you arrive here, please check the current schedule and see if a similar but more recent Test Day is planned or has already happened.

What to test?

Today's instalment of Fedora Test Day will focus on testing the Shared System Certificates feature. The goal is to make NSS, GnuTLS, OpenSSL and Java share a default source for retrieving system certificate anchors and blacklist information.

The work done in Fedora 19 is an initial step towards a comprehensive solution. Nonetheless, it standardizes the installation of anchors and blacklists across the various crypto libraries. Currently an update-ca-trust step is required, but in the future we hope to make this unnecessary.

Who's available

The following cast of characters will be available for testing, workarounds, bug fixes, and general discussion ...

Prerequisite for Test Day

To test this feature you need an updated Fedora 19 system, with at least the following software:

  • p11-kit 0.17.4 (or later)
  • p11-kit-trust 0.17.4 (or later)
  • ca-certificates 2012.87-10.0 (or later)
  • nss 3.14.3-10 (or later)

You can download the recommended live image for this test day. Note, however, that you still need to go through parts of the prerequisite process linked below.

See the detailed prerequisites page to get yourself set up for the test cases below.

How to test?

You can use the test cases below, or you can explore the feature further. At a high level, the following are being tested:

  • p11-kit-trust provides a replacement for the NSS libnssckbi.so module. The libnssckbi.so module used to provide built-in certificate trust anchors and blacklists, and now the p11-kit-trust.so module does this. So we'll be testing that NSS applications (like Firefox) continue to work as expected.
  • ca-certificates extracts files ready for p11-kit-trust.so to use. We'll be testing that these files are installed correctly to be picked up.
  • ca-certificates provides an update-ca-trust script which uses p11-kit to extract certificate anchor information from p11-kit-trust.so for crypto libraries (gnutls, openssl, java) that cannot yet read directly from p11-kit-trust.so on the fly. We'll test this extract process, and make sure that applications using these crypto libraries continue to work as expected.
  • There is now a standard method for adding a certificate anchor. We'll test that this works, and is picked up by all the applications.
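
A check a tester could run after the update-ca-trust step described above, as an added example that is not part of the original wiki page or of the ca-certificates package: it compares SHA-256 fingerprints of a locally added anchor against an extracted PEM bundle. The certificate bytes are constructed stand-ins, and the file paths named in the comments are assumptions not given on this page.

```python
import base64
import hashlib
import re

# Matches plain PEM certificate blocks; comment lines between blocks are ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_fingerprints(pem_text):
    """Return the SHA-256 fingerprints of every certificate block in pem_text."""
    prints = set()
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # drop line wrapping
        prints.add(hashlib.sha256(der).hexdigest())
    return prints


def anchor_status(anchor_pem, bundle_pem):
    """Classify an anchor against a bundle: 'present', 'missing' or 'no-anchor'."""
    wanted = pem_fingerprints(anchor_pem)
    if not wanted:
        return "no-anchor"  # file held no CERTIFICATE block (wrong format?)
    return "present" if wanted <= pem_fingerprints(bundle_pem) else "missing"


def _fake_pem(der, width=64):
    """Build a PEM block around constructed bytes (not a real certificate)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample data: stand-in DER bytes, enough for fingerprint comparison.
SYSTEM_CA = _fake_pem(b"constructed-system-ca" * 10)
LOCAL_CA = _fake_pem(b"constructed-local-ca" * 10)
LOCAL_CA_REWRAPPED = _fake_pem(b"constructed-local-ca" * 10, width=76)

BUNDLE_BEFORE = "# System CA\n" + SYSTEM_CA
BUNDLE_AFTER = BUNDLE_BEFORE + "# Local CA\n" + LOCAL_CA_REWRAPPED

if __name__ == "__main__":
    # On a real system, read the anchor file and the extracted bundle instead
    # (paths assumed, not given on this page):
    #   /etc/pki/ca-trust/source/anchors/<your-ca>.pem
    #   /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    print("before update-ca-trust:", anchor_status(LOCAL_CA, BUNDLE_BEFORE))
    print("after update-ca-trust: ", anchor_status(LOCAL_CA, BUNDLE_AFTER))
```

The same comparison run in reverse (expecting "missing" after removing the anchor file and re-extracting) covers the removal test case.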

The test cases below explore the above actions and more. You of course are free to go out of bounds and provide additional testing and feedback. Below is some documentation you may find useful as you do:

For each bug you find, file a report on Red Hat Bugzilla under the Fedora product and the relevant component.

Update your machine

If you're running Fedora 19, make sure you have all the above packages updated. This feature is not testable on Fedora 18 or Rawhide at the current time. Alternatively:

Live image

Optionally, you may download a non-destructive Fedora 19 live image for your architecture. General tips on using a live image are available at FedoraLiveCD.

| Architecture | SHA256SUM |
|---|---|
| x86_64 | 389311d2a62789a15601ffc181b15dd6c8d610c90cafd49d01c26cf923b6a3f6 |
| i686 | d41ec49ca6c43122ebb5b4bb9c7e1b86bdc85b82aa9a72aaa57c09c0d5c2f76b |

Additional Fedora 19 images are available here: http://dl.fedoraproject.org/pub/alt/stage/19-Alpha-TC2/Live/

Test Cases

These are in a recommended order, although you may skip around. Each test case notes its prerequisites and setup.

  1. Reject untrusted certificates
  2. Validate system trusted certificates
  3. Configure a new certificate authority anchor
  4. Remove a configured certificate authority anchor
  5. Blacklist a root certificate authority
  6. Blacklist an intermediate certificate authority
  7. Edit trust in Firefox
  8. Upgrade to Fedora 19 with a modified CA bundle

Tips and Known Issues

Please check the tips and known issues page to see if a problem is already known. It also has helpful information for triaging issues.

Test Results

If you have problems with any of the tests, report a bug to Bugzilla, usually for the component ca-certificates or p11-kit. If you are unsure about exactly how to file the report or what other information to include, just ask on IRC and we will help you.

Once you have completed the tests, add your results to the Results table below, following the example results from the first line as a template. The first column should be your name with a link to your User page in the Wiki if you have one. For each test case, use the result template to enter your result, as shown in the example result line.

| User | 1. untrusted | 2. systrust | 3. configure | 4. deconfig | 5. badroot | 6. badinter | 7. editfire | 8. upgrade | References |
|---|---|---|---|---|---|---|---|---|---|
| Sample User | none | pass | warn [1] | fail [2] | none | none | none | none | 1. Test pass, but also encountered RHBZ #54321; 2. RHBZ #12345 |
| Stef Walter | pass | none | none | none | none | none | none | none | |
| alich | none | none | none | none | none | none | none | none | |
| fholec | pass | pass | pass | pass | pass | pass | pass | inprogress | |
| omoris | none | none | none | none | none | none | none | none | |