From Fedora Project Wiki

Revision as of 10:57, 21 March 2013 by Stefw (talk | contribs) (Make a test case for blacklisting an intermediate)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Description

This adds one of the intermediate certificate authorities to the blacklist, and causes certificates signed by that authority not to validate.

Setup

  1. Make sure to complete the prerequisites before starting this test. Use this to verify that access works.
  2. You should run through the System Trust test case first.
  3. You should not currently have a blacklisted Equifax Secure Certificate Authority root, which you may have done for the Blacklist Root test case.
  4. This test case connects to bugzilla.redhat.com on port 443
  5. If firefox, epiphany or other applications are running they must be exited, as they cache information.

How to test

  1. Blacklist the GeoTrust SSL CA intermediate certificate authority by its serial number and issuer DN: 
    $ sudo cp ~/certificate-trust-test-cases/Distrust-intermediate-by-serial.p11-kit /etc/pki/ca-trust/source/
    The target source/ directory should already exist.
  2. Firefox should recognize the blacklisting:
    Quit firefox completely
    $ firefox https://bugzilla.redhat.com
    The page should not load.
    There should be an error page stating: "This Connection is Untrusted".
    Click on the Technical Details to see: "Error code: sec_error_untrusted_issuer"
    There should be no padlock icon.
    Messages on the console from firefox are probably unrelated to this test, unless they say "p11-kit".

Expected Results

While executing each of the above commands, check the output matches what's noted for each command.

None of the above commands should load the target website.



Troubleshooting

  • At the time of writing this test, the intermediate cetrificate authority for the bugzilla.redhat.com certificate is "GeoTrust SSL CA". If this changes, the test may not work as expected.
  • RHBZ #924186: Firefox should be quit completely before testing.
  • RHBZ #924173: For reliable results, make sure to clear the firefox cache, as described in the test prerequisites.
  • The file format of the file Distrust-intermediate-by-serial.p11-kit is an internal p11-kit file format, and how its used may not be completely obvious. Contact p11-glue@lists.freedesktop.org for help if you really do need to craft such a file at this time.

Notes

In Fedora 19 none of the other crypto libraries support blacklisting of intermediates certificate authorities. We aim to change this in the future.

In the future we aim to have a tool which automates this process.

In order to undo the effects of this test case, run the following commands: 

$ sudo rm -f /etc/pki/ca-trust/source/Distrust-intermediate-by-serial.p11-kit
$ sudo update-ca-trust
Retrieved from "https://fedoraproject.org/w/index.php?title=QA:Testcase_Certificate_Trust:Blacklist_Intermediate&oldid=327330"