Test Day:2013-03-28 Shared System Certificates
What to test?
Today's instalment of Fedora Test Day will focus on testing the Shared System Certificates feature. The goal is to make NSS, GnuTLS, OpenSSL and Java share a default source for retrieving system certificate anchors and blacklist information.
The work done in Fedora 19 is an initial step towards a comprehensive solution. Nonetheless, it standardizes the installation of anchors and blacklists across the various crypto libraries. Currently an update-ca-trust step is required, but in the future we hope to make this unnecessary.
The following cast of characters will be available for testing, workarounds, bug fixes, and general discussion:
- Development - Stef Walter (stefw), Kai Engert (kaie)
- Quality Assurance - Jiri Jaburek (jjaburek), Ales Marecek (alich)
Prerequisite for Test Day
To test this feature you need an updated Fedora 19 system, with at least the following software:
- p11-kit 0.17.4 (or later)
- p11-kit-trust 0.17.4 (or later)
- ca-certificates 2012.87-10.0 (or later)
- nss 3.14.3-10 (or later)
See the detailed prerequisites page to get yourself set up for the test cases below.
You can download the recommended live image for this test day, although you will still need to follow through on the prerequisite page.
How to test?
You can use the test cases below, or you can explore the feature further. At a high level, the following are being tested:
- p11-kit-trust provides a replacement for the NSS libnssckbi.so module. libnssckbi.so used to provide the built-in certificate trust anchors and blacklists, and now the p11-kit-trust.so module does this. So we'll be testing that NSS applications (like Firefox) continue to work as expected.
- ca-certificates extracts files ready for p11-kit-trust.so to use. We'll be testing that these files are installed correctly to be picked up.
- ca-certificates provides an update-ca-trust script which uses p11-kit to extract certificate anchor information from p11-kit-trust.so for crypto libraries (gnutls, openssl, java) that cannot yet read directly from p11-kit-trust.so on the fly. We'll test this extract process, and make sure that applications using these crypto libraries continue to work as expected.
- There is now a standard method for adding a certificate anchor. We'll test that this works, and is picked up by all the applications.
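One way to check the result of the extract step after adding, removing or blacklisting an anchor, as an added example that is not part of the original page or of ca-certificates or p11-kit. The function names are hypothetical, the sample certificates are constructed placeholder bytes, and it assumes the extracted bundle is a plain PEM file of trusted anchors and that the blacklist takes precedence over a configured anchor.

```python
import base64
import hashlib
import re

# Matches plain certificate blocks only; OpenSSL "TRUSTED CERTIFICATE" blocks
# carry extra trust data after the DER and are deliberately not handled here.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def fingerprints(pem_text):
    """Return the set of SHA-256 fingerprints of every certificate in pem_text."""
    found = set()
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        found.add(hashlib.sha256(der).hexdigest())
    return found


def audit_bundle(bundle_pem, anchors_pem="", blacklist_pem=""):
    """Compare an extracted bundle with the configured anchors and blacklist.

    Returns (missing, leaked): fingerprints of anchors absent from the bundle,
    and of blacklisted certificates that are still present in it.
    """
    in_bundle = fingerprints(bundle_pem)
    blocked = fingerprints(blacklist_pem)
    # Assumption: the blacklist wins, so a certificate that is both anchored
    # and blacklisted is expected to be absent and is not reported as missing.
    missing = fingerprints(anchors_pem) - blocked - in_bundle
    leaked = blocked & in_bundle
    return sorted(missing), sorted(leaked)


def fake_pem(der):
    """Wrap arbitrary bytes in PEM armor (constructed sample, not real X.509)."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed sample data standing in for real certificates.
ROOT_A, ROOT_B, BAD = (fake_pem(x) for x in (b"root-a", b"root-b", b"bad-ca"))

if __name__ == "__main__":
    # Stale bundle: ROOT_B was added but not extracted, BAD was never dropped.
    print(audit_bundle(ROOT_A + BAD, anchors_pem=ROOT_A + ROOT_B, blacklist_pem=BAD))
```

A non-empty first list means update-ca-trust has not picked up an anchor; a non-empty second list means a blacklisted certificate is still being handed to applications that read the bundle.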
The test cases below explore the above actions and more. You of course are free to go out of bounds and provide additional testing and feedback. Below is some documentation you may find useful as you do:
For each bug you find, file a report on Red Hat Bugzilla under the Fedora product and the relevant component.
Update your machine
If you're running Fedora 19, make sure you have all the above packages updated. This feature is not testable on Fedora 18 or Rawhide at the current time. Alternatively:
Optionally, you may download a non-destructive Fedora 19 live image for your architecture. General tips on using a live image are available at FedoraLiveCD.
The test cases are listed in a recommended order, although you may skip around. Each test case notes its prerequisites and setup.
- Reject untrusted certificates
- Validate system trusted certificates
- Configure a new certificate authority anchor
- Remove a configured certificate authority anchor
- Blacklist a root certificate authority
- Blacklist an intermediate certificate authority
- Edit trust in Firefox
- Upgrade to Fedora 19 with a modified CA bundle
Tips and Known Issues
Please check the tips and known issues to see if a problem is already known. That page also has helpful information for triaging issues.
If you have problems with any of the tests, report a bug to Bugzilla, usually for the component ca-certificates or p11-kit. If you are unsure about exactly how to file the report or what other information to include, just ask on IRC and we will help you.
Once you have completed the tests, add your results to the Results table below, following the example results from the first line as a template. The first column should be your name with a link to your User page in the Wiki if you have one. For each test case, use the result template to enter your result, as shown in the example result line.
| User | 1. untrusted | 2. systrust | 3. configure | 4. deconfig | 5. badroot | 6. badinter | 7. editfire | 8. upgrade | References |