From Fedora Project Wiki

Revision as of 11:04, 21 March 2013

Description

This adds one of the intermediate certificate authorities to the blacklist, and causes certificates signed by that authority not to validate.

Setup

  1. Make sure to complete the prerequisites before starting this test. Use this to verify that access works.
  2. You should run through the System Trust test case first.
  3. You should not currently have the Equifax Secure Certificate Authority root blacklisted, as you may have done for the Blacklist Root test case.
  4. This test case connects to bugzilla.redhat.com on port 443.
  5. If firefox, epiphany or other applications are running, they must be exited, as they cache information.

How to test

  1. Blacklist the GeoTrust SSL CA intermediate certificate authority by its serial number and issuer DN:
    $ sudo cp ~/certificate-trust-test-cases/Distrust-intermediate-by-serial.p11-kit /etc/pki/ca-trust/source/
    The target source/ directory should already exist.
  2. Firefox should recognize the blacklisting:
    Quit firefox completely
    $ firefox https://bugzilla.redhat.com
    The page should not load.
    There should be an error page stating: "This Connection is Untrusted".
    Click on the Technical Details to see: "Error code: sec_error_untrusted_issuer"
    There should be no padlock icon.
    Messages on the console from firefox are probably unrelated to this test, unless they say "p11-kit".

Expected Results

While executing each of the above commands, check that the output matches what is noted for each command.

None of the above commands should load the target website.

Troubleshooting

  • At the time of writing this test, the intermediate certificate authority for the bugzilla.redhat.com certificate is "GeoTrust SSL CA". If this changes, the test may not work as expected.
  • RHBZ #924186: Firefox should be quit completely before testing.
  • RHBZ #924173: For reliable results, make sure to clear the firefox cache, as described in the test prerequisites.
  • The file format of the file Distrust-intermediate-by-serial.p11-kit is an internal p11-kit file format, and how it is used may not be completely obvious. Contact p11-glue@lists.freedesktop.org for help if you really do need to craft such a file at this time.
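The blacklist entry installed in step 1 of "How to test" identifies the intermediate by its issuer DN and serial number, the same two values the first troubleshooting item says to re-check if the intermediate behind bugzilla.redhat.com ever changes. The example below was added for this page and is not part of the Fedora test case or of p11-kit: it shows where those two values sit inside a DER-encoded X.509 certificate and how a certificate is matched against a set of distrust entries keyed on them. The certificate is constructed inline (an unsigned placeholder, not a real CA), and the DN rendering ("C=..., O=..., CN=...") and the `(issuer, serial)` tuple are this example's own conventions, not the p11-kit file format the note refers to.

```python
"""Locate issuer DN and serial number in a DER X.509 certificate and match
them against distrust entries (added example; constructed sample data)."""

import binascii

# Attribute-type OIDs (DER content bytes) that usually appear in a CA's DN.
OID_NAMES = {
    b"\x55\x04\x06": "C",    # 2.5.4.6  countryName
    b"\x55\x04\x0a": "O",    # 2.5.4.10 organizationName
    b"\x55\x04\x0b": "OU",   # 2.5.4.11 organizationalUnitName
    b"\x55\x04\x03": "CN",   # 2.5.4.3  commonName
}


def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Yield (tag, content) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body


def decode_name(name_content):
    """Render an X.501 Name as 'C=.., O=.., CN=..' in the order the RDNs appear."""
    parts = []
    for _set_tag, rdn in children(name_content):          # SEQUENCE OF SET
        for _seq_tag, atv in children(rdn):                # SET OF AttributeTypeAndValue
            (_oid_tag, oid), (_val_tag, val) = list(children(atv))
            label = OID_NAMES.get(oid, "OID:" + binascii.hexlify(oid).decode())
            parts.append(f"{label}={val.decode('utf-8')}")
    return ", ".join(parts)


def issuer_and_serial(cert_der):
    """Return (issuer DN, serial number) from a DER-encoded X.509 certificate."""
    _, cert, _ = read_tlv(cert_der, 0)       # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)            # tbsCertificate ::= SEQUENCE
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version comes first
        fields.pop(0)
    serial = int.from_bytes(fields[0][1], "big", signed=True)   # serialNumber INTEGER
    # fields[1] is the signature AlgorithmIdentifier, fields[2] the issuer Name
    return decode_name(fields[2][1]), serial


def is_distrusted(cert_der, distrust_entries):
    """True if the certificate's (issuer DN, serial) pair is in the distrust set."""
    return issuer_and_serial(cert_der) in distrust_entries


# --- constructed sample certificate (NOT a real CA; unsigned placeholder) -------------
def tlv(tag, content):
    """Encode a DER TLV, using the long length form when needed."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def name(pairs):
    """Build an X.501 Name from (oid, text) pairs, one RDN each, as UTF8Strings."""
    return tlv(0x30, b"".join(tlv(0x31, tlv(0x30, tlv(0x06, o) + tlv(0x0C, t.encode())))
                              for o, t in pairs))


def constructed_cert(serial, issuer, subject):
    """Assemble a minimal Certificate; validity, SPKI and signature are dummies."""
    alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # positive INTEGER
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial_bytes) + alg
              + name(issuer) + tlv(0x30, tlv(0x17, b"130321110400Z") * 2)
              + name(subject) + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\x00\x00\x00"))


ROOT_DN = [(b"\x55\x04\x06", "US"), (b"\x55\x04\x0a", "Example Root Ltd"),
           (b"\x55\x04\x03", "Example Root CA")]
INTERMEDIATE_DN = [(b"\x55\x04\x06", "US"), (b"\x55\x04\x0a", "Example Root Ltd"),
                   (b"\x55\x04\x03", "Example Intermediate CA")]
SAMPLE_INTERMEDIATE = constructed_cert(0x1234, ROOT_DN, INTERMEDIATE_DN)

# A distrust set keyed like the test case's entry: the intermediate's issuer DN and serial.
DISTRUST = {("C=US, O=Example Root Ltd, CN=Example Root CA", 0x1234)}

if __name__ == "__main__":
    print(issuer_and_serial(SAMPLE_INTERMEDIATE))
    print("distrusted:", is_distrusted(SAMPLE_INTERMEDIATE, DISTRUST))
```

On a real system the DER bytes would come from the server's chain (for example saved from `openssl s_client -showcerts`) rather than from the placeholder builder, and the match would be made by p11-kit/NSS rather than by this script; the point of the example is that the key is the issuer DN plus serial, so a replaced intermediate with a new serial falls outside the entry, which is exactly why the troubleshooting note flags a change of the "GeoTrust SSL CA" intermediate.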

Notes

  • In Fedora 19 none of the other crypto libraries support blacklisting of intermediate certificate authorities. We aim to change this in the future.
  • In the future we aim to have a tool which automates this process.
  • In order to undo the effects of this test case, run the following commands:
    $ sudo rm -f /etc/pki/ca-trust/source/Distrust-intermediate-by-serial.p11-kit
    $ sudo update-ca-trust