From Fedora Project Wiki

Description

This adds one of the builtin systemwide root certificate authorities to the blacklist, which causes any certificate signed by it to be distrusted.

Setup

  1. Make sure to complete the prerequisites before starting this test.
  2. You should run through the System Trust test case first.
  3. This test case connects to code.google.com on port 443
  4. If firefox, epiphany or other applications are running they must be exited, as they cache information.

How to test

  1. Place the Equifax Secure Certificate Authority root certificate authority on the blacklist:
    $ sudo cp ~/certificate-trust-test-cases/EquifaxSecureCertificateAuthority.pem /etc/pki/ca-trust/source/blacklist/
    The target blacklist/ directory should already exist.
  2. Firefox should recognize the blacklisting:
    Quit firefox completely
    $ firefox https://code.google.com
    The page should not load.
    There should be an error page stating: "This Connection is Untrusted".
    Click on the Technical Details to see: "Error code: sec_error_untrusted_issuer"
    There should be no padlock icon.
    Messages on the console from firefox are probably unrelated to this test, unless they say "p11-kit".
  3. The other tests below require extraction of the system ca-trust compatibility bundles:
    $ sudo update-ca-trust
    This extracts the changed bundles so that gnutls, openssl, and java and so on can make use of them.
    Although these other commands do not yet support blacklists specifically, by blacklisting a root certificate authority, it should be removed from the ca-trust compatibility bundles by the above command.
    There should be no output from this command.
  4. Verify that openssl no longer trusts the CA:
    $ openssl s_client -verify 5 -connect code.google.com:443
    You should see: Verify return code: 27 (certificate not trutsed)
  5. Check that gnutls no longer trusts the CA:
    $ gnutls-cli -p 443 code.google.com
    You should see: Status: The certificate is NOT trusted. The certificate issuer is unknown.
  6. Check that curl no longer trusts the CA:
    $ curl --head https://code.google.com
    You should see: curl: (60) Peer's Certificate issuer is not recognized.
  7. Epiphany should no longer trusts the CA:
    $ epiphany https://code.google.com
    Right of the URL bar should have an unlocked icon, with an exclamation mark.
    Clicking on the padlock should show a window which says "The identity of this website has not been verified"
    Messages on the console from firefox are probably unrelated to this test, unless they say "p11-kit".
  8. Java should no longer trusts the CA:
    $ java -classpath ~/certificate-trust-test-cases TestCertTrust https://code.google.com/
    This uses the java test program that you compiled in the prerequisites.
    The output should say: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Expected Results

While executing each of the above commands, check the output matches what's noted for each command.

None of the above commands, with the exception of epiphany, should load the target page in question.



Troubleshooting

  • At the time of writing this test, the root cetrificate authority for the code.google.com certificate is "Equifax Secure Certificate Authority". If this changes, the test may not work as expected.
  • RHBZ #924186: Epiphany and Firefox should be quit completely before testing.
  • RHBZ #924173: For reliable results, make sure to clear the firefox cache, as described in the test prerequisites.
  • Some certificate authorities also have their intermediates CA's included in the default anchor list, essentially making them root anchors as far as the system is concerned. This is why bugzilla.redhat.com still works even though the Equifax security authority is blacklisted. Additional intermediate GeoTrust certificates would need to be blacklisted in this case as well.

Notes

  • In Fedora 19 it is necessary to run the update-ca-trust command. In future releases of Fedora, it is our goal to remove this step.
  • In order to undo the effects of this test case, run the following commands:
$ sudo rm -f /etc/pki/ca-trust/source/blacklist/EquifaxSecureCertificateAuthority.pem
$ sudo update-ca-trust