From Fedora Project Wiki

(fix links)
 
(17 intermediate revisions by 2 users not shown)
Line 1: Line 1:
The various test cases for the [[Test Day:2013-03-28 Shared System Certificates|Shared System Certificates Test day]] require some preparation. Some of this is done for you by using the live CD.
The various Certificate Trust Test Cases require some preparation.


TODO: Document what's included on the Live CD.
=Necessary Software=
 
==Necessary Software==


Install this software:
Install this software:


<pre>
<pre>
sudo yum install gnutls-utils nss-tools openssl firefox epiphany java-1.7.0-openjdk-devel wget
$ sudo yum install gnutls-utils nss-tools openssl firefox epiphany java-1.7.0-openjdk-devel wget
</pre>
</pre>


Line 15: Line 13:
* p11-kit: 0.17.4
* p11-kit: 0.17.4
* p11-kit-trust: 0.17.4
* p11-kit-trust: 0.17.4
* ca-certficates: 2012.87-9
* ca-certficates: 2012.87-10
* nss: 3.14.3-10
* nss: 3.14.3-10


==Ensure you have sudo permission==
<pre>
$ sudo yum update p11-kit p11-kit-trust ca-certificates nss
</pre>
 
=Ensure you have sudo permission=
Because we are configuring the default system behaviour, the user account that you will use for testing needs permission to use the sudo command. You can test using
Because we are configuring the default system behaviour, the user account that you will use for testing needs permission to use the sudo command. You can test using
  sudo bash
  sudo whoami


If it works, good. If not, you must login to your system as the root user, edit file /etc/sudoers and add the following line. Replace the word myself with the name of your user account.
If it works, good. If not, you must login to your system as the root user, edit file /etc/sudoers and add the following line. Replace the word myself with the name of your user account.
  myself    ALL=(ALL) ALL
  myself    ALL=(ALL) ALL


==Firefox Profiles==
=Test Fixture Files=


For tests that involve firefox, please use a fresh Firefox profile (firefox -P) prior to a each new test cycle. This is to make sure that changes made to CA trust settings from earlier tests will be cleaned, and that you will get the exact behaviour as described on this page. An alternative to creating a fresh profile, quit Firefox and run
Download a few files and tools that we'll use later:
$ mkdir -p ~/certificate-trust-test-cases
$ cd ~/certificate-trust-test-cases
$ wget https://fedoraproject.org/w/uploads/b/b1/Cert-trust-test-ca.pem \
        https://fedoraproject.org/w/uploads/1/1e/EquifaxSecureCertificateAuthority.pem \
        https://fedoraproject.org/w/uploads/2/29/Distrust-intermediate-by-serial.p11-kit \
        https://fedoraproject.org/w/uploads/5/5f/TestCertTrust.java
$ javac TestCertTrust.java


rm ~/.mozilla/firefox/*/*.db
=Learn how to clear the Firefox cache=
ls ~/.mozilla/firefox/*/*.db # expected: no such file or directory
Because Firefox caches (remembers) recently viewed web sites, you might sometimes get unexpected results. A web site might still be cached, and shown by Firefox, even if the root CA used by the site has been reconfigured and is no longer trusted.


==Test Fixture Files==
To enforce that Firefox will reload the site, it is best to clear the Firefox cache. From the Firefox menu, select Tools, Clear Recent History. Time Range: Everything. Open the details, and make sure that both Cache and Active Logins are selected. Click Clear Now and restart Firefox.


Install one file that we'll use for the entire time during our tests:
cd /etc/pki/ca-trust/source/
sudo wget http://kuix.de/fedora/p11-kit-f19/distrust-test-sub.p11-kit


Download a few files and tools that we'll use later:
[[Category:Certificate_Trust_Test_Cases]]
cd /tmp/
wget http://kuix.de/fedora/p11-kit-f19/ca.pem
wget http://kuix.de/fedora/p11-kit-f19/testing-default-distrust.p11-kit
wget http://kuix.de/fedora/p11-kit-f19/test9430.java
wget http://kuix.de/fedora/p11-kit-f19/test9431.java
wget http://kuix.de/fedora/p11-kit-f19/testbz443.java
javac test9430.java
javac test9431.java
javac testbz443.java
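
Review bot: the version list still spells the package `ca-certficates` on the line bumped to 2012.87-10, while the `yum update` command added directly below it uses `ca-certificates`; correct the list entry so the name matches what testers will query. The new Test Fixture Files step also fetches four files with wget and compiles one of them with no checksum given; consider listing SHA-256 sums next to the URLs so testers can confirm they have the intended CA and .p11-kit fixtures before using them.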

Latest revision as of 11:04, 28 March 2013

The various Certificate Trust Test Cases require some preparation.

Necessary Software

Install this software:

$ sudo yum install gnutls-utils nss-tools openssl firefox epiphany java-1.7.0-openjdk-devel wget

Make sure the following software is at least these versions:

  • p11-kit: 0.17.4
  • p11-kit-trust: 0.17.4
  • ca-certificates: 2012.87-10
  • nss: 3.14.3-10

$ sudo yum update p11-kit p11-kit-trust ca-certificates nss
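
One way to confirm the minimum versions listed above before starting the test cases. This is an added example, not part of the wiki page; the function names are made up here, and GNU `sort -V` is assumed as a stand-in for RPM's own version comparison.

```bash
#!/usr/bin/env bash
# Added example: compare installed package versions with the minimums above.
# Ordering uses GNU `sort -V` as a stand-in for RPM's own comparison; that is
# an assumption which holds for numeric version-release strings like these.

MINIMUMS="p11-kit 0.17.4
p11-kit-trust 0.17.4
ca-certificates 2012.87-10
nss 3.14.3-10"

# ver_ge INSTALLED MINIMUM: succeeds when INSTALLED >= MINIMUM.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# installed_vr PKG: prints VERSION-RELEASE, or nothing if PKG is not installed.
installed_vr() {
    local out
    out=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null) || return 0
    printf '%s\n' "$out" | head -n 1
}

# check_pkg PKG INSTALLED: prints one status line; fails unless new enough.
check_pkg() {
    local min
    min=$(printf '%s\n' "$MINIMUMS" | awk -v p="$1" '$1 == p { print $2 }')
    if [ -z "$min" ]; then echo "UNKNOWN $1"; return 1; fi
    if [ -z "$2" ]; then echo "MISSING $1 (need >= $min)"; return 1; fi
    if ver_ge "$2" "$min"; then echo "OK $1 $2 (>= $min)"; return 0; fi
    echo "TOO OLD $1 $2 (need >= $min)"; return 1
}

# check_all: checks every listed package on this system; fails if any fails.
check_all() {
    local rc=0 pkg min
    while read -r pkg min; do
        check_pkg "$pkg" "$(installed_vr "$pkg")" || rc=1
    done <<EOF
$MINIMUMS
EOF
    return "$rc"
}

# Query the real RPM database only when called with --check.
if [ "${1:-}" = "--check" ]; then check_all; fi
```

Run it with `--check` on the test machine to query the installed packages; a non-zero exit status means at least one package is missing or older than the listed minimum.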

Ensure you have sudo permission

Because we are configuring the default system behaviour, the user account that you will use for testing needs permission to use the sudo command. You can test this using:

sudo whoami

If it works, good. If not, you must log in to your system as the root user, edit the file /etc/sudoers and add the following line. Replace the word myself with the name of your user account.

myself    ALL=(ALL) ALL

Test Fixture Files

Download a few files and tools that we'll use later:

$ mkdir -p ~/certificate-trust-test-cases
$ cd ~/certificate-trust-test-cases
$ wget https://fedoraproject.org/w/uploads/b/b1/Cert-trust-test-ca.pem \
       https://fedoraproject.org/w/uploads/1/1e/EquifaxSecureCertificateAuthority.pem \
       https://fedoraproject.org/w/uploads/2/29/Distrust-intermediate-by-serial.p11-kit \
       https://fedoraproject.org/w/uploads/5/5f/TestCertTrust.java
$ javac TestCertTrust.java

Learn how to clear the Firefox cache

Because Firefox caches (remembers) recently viewed web sites, you might sometimes get unexpected results. A web site might still be cached, and shown by Firefox, even if the root CA used by the site has been reconfigured and is no longer trusted.

To force Firefox to reload the site, it is best to clear the Firefox cache. From the Firefox menu, select Tools, Clear Recent History. Set Time Range to Everything. Open the details, and make sure that both Cache and Active Logins are selected. Click Clear Now and restart Firefox.